Distributed single sign on technologies including privacy protection and proactive updating

US 9,184,910 B2
Filed: 02/29/2012
Issued: 11/10/2015
Est. Priority Date: 11/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method performed on a computing device that includes at least one processor and memory, the method comprising:

given a unique identifier of a user, a password of the user, and a high-entropy random number, computing, by the computing device for each of a plurality of authentication devices, a high-entropy password based on the unique identifier, the password, the high-entropy random number, and an identifier that uniquely identifies the each of the plurality of authentication devices; and

sending, by the computing device to each of the plurality of authentication devices, the computed high-entropy password corresponding to the each of the plurality of authentication devices;

receiving, by the computing device from each of the plurality of authentication devices, an indication that the sent high-entropy password has been stored and that the user has been registered.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs.

Citations

20 Claims

1. A method performed on a computing device that includes at least one processor and memory, the method comprising:
- given a unique identifier of a user, a password of the user, and a high-entropy random number, computing, by the computing device for each of a plurality of authentication devices, a high-entropy password based on the unique identifier, the password, the high-entropy random number, and an identifier that uniquely identifies the each of the plurality of authentication devices; and
  
  sending, by the computing device to each of the plurality of authentication devices, the computed high-entropy password corresponding to the each of the plurality of authentication devices;
  
  receiving, by the computing device from each of the plurality of authentication devices, an indication that the sent high-entropy password has been stored and that the user has been registered.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising sending, by the computing device to each of the plurality of authentication devices, the unique identifier of the user along with the computed high-entropy password.
  - 3. The method of claim 1 where the high-entropy random number is not secret but is kept from the plurality of authentication devices.
  - 4. The method of claim 1 where the computing involves a hash function configured for generating the high-entropy passwords.
  - 5. The method of claim 1 further comprising authenticating, after the user has been registered with the each of the plurality of authentication devices, the user to a service coupled to the plurality of authentication devices, where the authentication comprises:
    - providing the password;
      
      providing the unique identifier;
      
      generating, for each of a subset of the plurality of authentication devices, an authentication password based on the provided password, the provided unique identifier, the high-entropy random number, and the identifier that uniquely identifies the each of the subset of the plurality of authentication devices; and
      
      sending each authentication password to its corresponding one of the subset of the plurality of authentication devices.
  - 6. The method of claim 5 further comprising receiving, in response to the sending each authentication password, access to the service in response to the authentication passwords corresponding to the stored high-entropy passwords.
  - 7. The method of claim 5 where the computing device provides a single sign-on experience for the user based on generating the authentication passwords that are based in part on the provided password of the user and the provided unique identifier of the user.

8. At least one computer-readable media storing computer-executable instructions that, when executed by a computing device that includes at least one processor and memory, cause the computing device to perform a method comprising:
- given a unique identifier of a user, a password of the user, and a high-entropy random number, computing, for each of a plurality of authentication devices, a high-entropy password based on the unique identifier, the password, the high-entropy random number, and an identifier that uniquely identifies the each of the plurality of authentication devices; and
  
  sending, to each of the plurality of authentication devices, the computed high-entropy password corresponding to the each of the plurality of authentication devices;
  
  receiving, from each of the plurality of authentication devices, an indication that the sent high-entropy password has been stored and that the user has been registered.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The at least one computer-readable media of claim 8, the method further comprising sending, to each of the plurality of authentication devices, the unique identifier of the user along with the computed high-entropy password.
  - 10. The at least one computer-readable media of claim 8 where the high-entropy random number is not secret but is kept from the plurality of authentication devices.
  - 11. The at least one computer-readable media of claim 8 where the computing involves a hash function configured for generating the high-entropy passwords.
  - 12. The at least one computer-readable media of claim 8, the method further comprising authenticating, after the user has been registered with the each of the plurality of authentication devices, the user to a service coupled to the plurality of authentication devices, where the authentication comprises:
    - providing the password;
      
      providing the unique identifier;
      
      generating, for each of a subset of the plurality of authentication devices, an authentication password based on the provided password, the provided unique identifier, the high-entropy random number, and the identifier that uniquely identifies the each of the subset of the plurality of authentication devices; and
      
      sending each authentication password to its corresponding one of the subset of the plurality of authentication devices.
  - 13. The at least one computer-readable media of claim 12, the method further comprising receiving, in response to the sending each authentication password, access to the service in response to the authentication passwords corresponding to the stored high-entropy passwords.
  - 14. The at least one computer-readable media of claim 12 where the computing device provides a single sign-on experience for the user based on generating the authentication passwords that are based in part on the provided password of the user and the provided unique identifier of the user.

15. A system comprising a computing device and at least one program module that are together configured for performing actions, the computing device that including at least one processor and memory, the actions comprising:
- given a unique identifier of a user, a password of the user, and a high-entropy random number, computing, by the computing device for each of a plurality of authentication devices, a high-entropy password based on the unique identifier, the password, the high-entropy random number, and an identifier that uniquely identifies the each of the plurality of authentication devices; and
  
  sending, by the computing device to each of the plurality of authentication devices, the computed high-entropy password corresponding to the each of the plurality of authentication devices;
  
  receiving, by the computing device from each of the plurality of authentication devices, an indication that the sent high-entropy password has been stored and that the user has been registered.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, the actions comprising sending, by the computing device to each of the plurality of authentication devices, the unique identifier of the user along with the computed high-entropy password.
  - 17. The system of claim 15 where the high-entropy random number is not secret but is kept from the plurality of authentication devices.
  - 18. The system of claim 15 where the computing involves a hash function configured for generating the high-entropy passwords.
  - 19. The system of claim 15, the actions further comprising authenticating, after the user has been registered with the each of the plurality of authentication devices, the user to a service coupled to the plurality of authentication devices, where the authenticating comprises:
    - providing the password;
      
      providing the unique identifier;
      
      generating, for each of a subset of the plurality of authentication devices, an authentication password based on the provided password, the provided unique identifier, the high-entropy random number, and the identifier that uniquely identifies the each of the subset of the plurality of authentication devices; and
      
      sending each authentication password to its corresponding one of the subset of the plurality of authentication devices.
  - 20. The system of claim 19, the actions further comprising receiving, in response to the sending each authentication password, access to the service in response to the authentication passwords corresponding to the stored high-entropy passwords.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Zhu, Bin Benjamin, Feng, Min
Primary Examiner(s)
Chao, Michael
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US13/409,087
Publication Number

US 20120159589A1
Time in Patent Office

1,350 Days
Field of Search

726/8, 726/2, 726/14, 380/44, 713/170
US Class Current

1/1
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3226   using a predetermined code,...

Distributed single sign on technologies including privacy protection and proactive updating

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed single sign on technologies including privacy protection and proactive updating

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links