Method and system for securely accessing different services based on single sign on

US 9,449,167 B2
Filed: 08/16/2013
Issued: 09/20/2016
Est. Priority Date: 09/12/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method executed by one or more computing devices for securely accessing one or more online services based on a single sign on, the method comprising:

receiving at an authentication server, from a user device, a service request for a service among the one or more online services provided by a service provider server, a user id and a first hash of a first random number r;

retrieving, by the authentication server, the first random number r from a database and computing a second hash of the first random number r;

determining, by the authentication server, that the received first hash of the first random number is equal to the computed second hash of the first random number;

authenticating the user device at the authentication server responsive to the determining that the second hash of the first random number r is equal to the received first hash of the first random number r;

encrypting, by the authentication server, a second random number y with the first random number r;

sending the second random number y encrypted with the first random number r from the authentication server to the user device;

retrieving, by the authentication server, a service provider password, provided by the service provider server, from the database;

encrypting, at the authentication server, the second random number y, the user id, and an element Q using the service provider password;

sending the second random number y, the user id, and the element Q encrypted with the service provider password from the authentication server to the service provider server;

computing, by the user device, a first discrete exponential function Z using the element Q and the second random number y, wherein the first discrete exponential function Z is computed as;

Z=h_n(y)·

Q wherein n is decremented for subsequent calculations of Z;

sending, by the user device, the user id and the computed first discrete exponential function Z to the service provider server;

computing, by the service provider server, a second discrete exponential function Z′

, using the element Q and the second random number y, wherein the second discrete exponential function Z′

is computed as;

Z′

=h_n(y)·

Q wherein n is decremented for subsequent calculations of Z′

;

determining, by the service provider server, whether the first discrete exponential function Z is equal to the second discrete exponential function Z′

; and

responsive to determining that the first discrete exponential function Z is equal to the second discrete exponential function Z′

, granting the user device access to the one or more online services provided by the service provider server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment for securely accessing services of a service provider based on single sign on. The user device is authenticated by an authentication server if the computed hash of the first random number r is same as the received hash of the first random number r sent by a user device. Thereafter, the second random number y, the user id and an element Q are encrypted using a service provider password and send to the service provider. The user device computes a first discrete exponential function Z using the element Q and the second random number y and sends along with the user id to the service provider. The service provider computes a second discrete exponential function Z′ using the element Q and the second random number y received from the authentication server and provides the user device access to the services if Z is equal to Z′.

Citations

15 Claims

1. A computer implemented method executed by one or more computing devices for securely accessing one or more online services based on a single sign on, the method comprising:
- receiving at an authentication server, from a user device, a service request for a service among the one or more online services provided by a service provider server, a user id and a first hash of a first random number r;
  
  retrieving, by the authentication server, the first random number r from a database and computing a second hash of the first random number r;
  
  determining, by the authentication server, that the received first hash of the first random number is equal to the computed second hash of the first random number;
  
  authenticating the user device at the authentication server responsive to the determining that the second hash of the first random number r is equal to the received first hash of the first random number r;
  
  encrypting, by the authentication server, a second random number y with the first random number r;
  
  sending the second random number y encrypted with the first random number r from the authentication server to the user device;
  
  retrieving, by the authentication server, a service provider password, provided by the service provider server, from the database;
  
  encrypting, at the authentication server, the second random number y, the user id, and an element Q using the service provider password;
  
  sending the second random number y, the user id, and the element Q encrypted with the service provider password from the authentication server to the service provider server;
  
  computing, by the user device, a first discrete exponential function Z using the element Q and the second random number y, wherein the first discrete exponential function Z is computed as;
  
  Z=h_n(y)·
  
  Q wherein n is decremented for subsequent calculations of Z;
  
  sending, by the user device, the user id and the computed first discrete exponential function Z to the service provider server;
  
  computing, by the service provider server, a second discrete exponential function Z′
  
  , using the element Q and the second random number y, wherein the second discrete exponential function Z′
  
  is computed as;
  
  Z′
  
  =h_n(y)·
  
  Q wherein n is decremented for subsequent calculations of Z′
  
  ;
  
  determining, by the service provider server, whether the first discrete exponential function Z is equal to the second discrete exponential function Z′
  
  ; and
  
  responsive to determining that the first discrete exponential function Z is equal to the second discrete exponential function Z′
  
  , granting the user device access to the one or more online services provided by the service provider server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the first discrete exponential function Z is computed as:
    - Z=h_n-x(y)·
      
      Q wherein n is order of hash, x is a predefined number, and n is decremented by x with each subsequent calculation of Z.
  - 3. The method of claim 1, wherein the second discrete exponential function Z′
    - is computed as;
      
      Z′
      
      =h_n-x(y)·
      
      Q wherein n is order of hash, x is a predefined number, and n is decremented by x with each subsequent calculation of Z′
      
      .
  - 4. The method of claim 1, wherein the element Q is an element from a cyclic group G of generator P.
  - 5. The method of claim 1, further comprising:
    - generating the first random number r;
      
      encrypting the first random number r and the element Q with a user password;
      
      sending the encrypted first random number r and the element Q;
      
      decrypting, by the user device, the encrypted first number r and the element Q; and
      
      generating, by the user device, hash of the first random number r.

6. A computer implemented method executed by one or more computing devices for securely giving access for one or more online services hosted by a service provider server to a user device, the method comprising:
- sending a service provider password from the service provider server to an authentication server;
  
  receiving at the service provider server, from the authentication server, a random number y, a user id, and an element Q, wherein the random number y, the user id, and the element Q are encrypted with the service provider password;
  
  decrypting the received random number y, user id, and element Q at the service provider server using the service provider password;
  
  storing the decrypted user id in association with the decrypted element Q and the decrypted random number y at the service provider server;
  
  receiving, at the service provider server, from the user device, the user id and a computed first discrete exponential function Z, wherein Z is computed at the user device using the element Q and the random number y received by the user device from the authentication server, wherein the first discrete exponential function Z is computed as;
  
  Z=h_n(y)·
  
  Q wherein n is order of hash;
  
  responsive to the receiving of the user id and the first discrete exponential function from the user device, looking up the element Q and the random number y at the service provider server;
  
  computing, by the service provider server, a second discrete exponential function Z, using the element Q and the random number y associated with the user id;
  
  determining, by the service provider server, whether the first discrete exponential function Z received from the user device is equal to the second discrete exponential function Z′
  
  computed by the service provider server, wherein the second discrete exponential function Z′
  
  is computed as;
  
  Z′
  
  =h_n(y)·
  
  Q wherein n is order of hash; and
  
  responsive to determining that the first discrete exponential function Z received from the user device is equal to the second discrete exponential function Z′
  
  computed by the service provider server, granting the user device access to the one or more online services hosted by the service provider server.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the first discrete exponential function Z is computed as:
    - Z=h_n-x(y)·
      
      Q wherein n is order of hash, x is a predefined number, and n is decremented by x with each subsequent calculation of Z.
  - 8. The method of claim 6, wherein the second discrete exponential function Z′
    - is computed as;
      
      Z′
      
      =h_n-x(y)·
      
      Q wherein n is order of hash, x is a predefined number, and n is decremented by x with each subsequent calculation of Z′
      
      .
  - 9. The method of claim 6, wherein the element Q is an element from a cyclic group G of generator P.

10. A system securely accessing different online services based on a single sign on, the system comprising:
- a user computing device configured to;
  
  send a service request to an authentication server via a data network for access to an online service hosted by a service provider server which a user wants to access, the service request comprising a user id and a hash of a first random number r,receive, via the data network, a second random number y from the authentication server, wherein the second random number y is encrypted with the first random number r;
  
  decrypt the received second random number y using the first random number r;
  
  compute a first discrete exponential function Z using an element Q and the second random number y received from the authentication server, wherein the first discrete exponential function Z is computed as;
  
  Z=h_n(y)·
  
  Q wherein n is decremented with each subsequent calculation of Z, andsend the user id and the computed first discrete exponential function Z to the service provider server via the data network;
  
  the authentication server configured to;
  
  receive the service request comprising the hash of the first random number r, and the user id, from the user computing device via the data network,retrieve the first random number r from a database and compute a second hash of a first random number r,determine whether the hash of the first random number r received from the user computing device is equal to the second hash of the first random number r,authenticate the user computing device responsive to determining that the second hash of the first random number r is equal to the hash of the first random number r received from the user computing device,retrieve the second random number y from the database,encrypt the second random number y with the first random number r,send the second random number y encrypted with the first random number r to the user computing device via the data network,encrypt the second random number y, the user id, and the element Q using a service provider password received from the service provider server via the data network, andsend the second random number y, the user id, and the element Q encrypted with the service provider password to the service provider server via the data network;
  
  the database configured to;
  
  store the first random number r, the second random number y, and the service provider password; and
  
  the service provider server configured to;
  
  retrieve the service provider password from the database and send the service provider password to the authentication server via the data network,receive the second random number y, the user id, and the element Q encrypted with the service provider password from the authentication server via the data network,decrypt the second random number y, the user id, and the element Q using the service provider password,compute a second discrete exponential function Z′
  
  using the element Q and the second random number y, wherein the second discrete exponential function Z′
  
  is computed as;
  
  Z′
  
  =h_n(y)·
  
  Q wherein n is decremented with each subsequent calculation of Z′
  
  ,receive the user id and the first discrete exponential function Z from the user computing device via the data network,determine whether the first discrete exponential function Z received from the user computing device is equal to the second discrete exponential function Z′
  
  , andgrant the user computing device access to the online service hosted by the service provider server responsive to determining that the first discrete exponential function Z received from the user computing device is equal to the second discrete exponential function Z′
  
  computed by the service provider server.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, wherein the first discrete exponential function Z is computed as:
    - Z=h_n-x(y)·
      
      Q wherein n is order of hash, x is a predefined number, and n is decremented by x with each subsequent calculation of Z.
  - 12. The system of claim 10, wherein the second discrete exponential function Z′
    - is computed as;
      
      Z′
      
      =h_n-x(y)·
      
      Q wherein n is order of hash, x is a predefined number, and n is decremented by x with each subsequent calculation of Z′
      
      .
  - 13. The system of claim 10, wherein the element Q is an element from a cyclic group G of generator P.

14. An authentication system comprising:
- a memory;
  
  one or more processors, at least one of which is operatively coupled to the memory, the one or more processors configured to perform the steps of;
  
  computing, by an authentication server, a first hash of a first random number r and storing the first hash of the random number r in the memory;
  
  receiving, by the authentication server, a second hash of the first random number r from a user device;
  
  retrieving, by the authentication server, the computed first hash of the first random number r from the memory;
  
  authenticating the user device by the authentication server, provided the computed first hash of the first random number r is same as the received second hash of the first random number r;
  
  encrypting, by the authentication server, a second random number y with the first random number r;
  
  sending the second random number y encrypted with the first random number r from the authentication server to the user device;
  
  retrieving, by the authentication server, a service provider password, provided by a service provider server, from the memory;
  
  encrypting, by the authentication server, the second random number y, a user id and an element Q using the service provider password;
  
  sending the second random number y, the user id and the element Q encrypted with the service provider password from the authentication server to the service provider server;
  
  computing, by the user device, a first discrete exponential function Z using the element Q and the second random number y, wherein the first discrete exponential function Z is computed as;
  
  Z=h_n(y)·
  
  Q wherein n is order of hash and n is decremented by a predefined number with each subsequent calculation of Z;
  
  sending, by the user device, the user id and the computed first discrete exponential function Z to the service provider server;
  
  computing, by the service provider server, a second discrete exponential function Z′
  
  , using the element Q and the second random number y, wherein the second discrete exponential function Z′
  
  is computed as;
  
  Z′
  
  =h_n(y)·
  
  Q wherein n is order of hash and n is decremented by a predefined number with each subsequent calculation of Z′
  
  ;
  
  determining, by the service provider server, whether the first discrete exponential function Z received from the user device is equal to the second discrete exponential function Z′
  
  ; and
  
  responsive to determining that the first discrete exponential function Z received from the user device is equal to the second discrete exponential function Z′
  
  , granting the user device access to one or more online services provided by the service provider server.
- View Dependent Claims (15)
- - 15. The authentication server of claim 14, wherein the element Q is an element from a cyclic group G of generator P.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Infosys Limited
Original Assignee
Infosys Limited
Inventors
Varadharajan, Vijayaraghavan, Kuppusamy, Sivakumar, Nallusamy, Rajarathnam
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US13/969,404
Publication Number

US 20140075202A1
Time in Patent Office

1,131 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 9/3236   using cryptographic hash fu...

Method and system for securely accessing different services based on single sign on

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for securely accessing different services based on single sign on

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links