Distributed single sign on technologies including privacy protection and proactive updating
Abstract
Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs.
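The following is an added example, not code from the patent, showing how shares of a key can be refreshed while tokens built from partial tokens stay the same. It assumes Shamir sharing, partial tokens of the form base^share, and Lagrange combination in the exponent; none of these constructions, nor the sample identifiers and toy group parameters, come from the page. The non-interactive zero-knowledge check of each partial token is not shown.

```python
import hashlib
import secrets

P, Q = 2039, 1019   # constructed toy safe prime P = 2Q + 1; far too small for real use

def poly_eval(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def split(secret, n, t):
    """Shamir-share `secret` among servers 1..n; any t shares recover it."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: poly_eval(coeffs, i) for i in range(1, n + 1)}

def refresh(shares, t):
    """Proactive update: add shares of a random polynomial whose constant
    term is 0, so every share changes but the shared secret does not.
    (One dealer is simulated here; servers would each contribute a term.)"""
    delta = split(0, len(shares), t)
    return {i: (s + delta[i]) % Q for i, s in shares.items()}

def request_base(user_id, provider_id, first_value, second_value):
    """Assumed encoding: hash the four values the client sends into the
    order-Q subgroup of squares mod P (never the identity element)."""
    data = "|".join([user_id, provider_id, first_value, second_value]).encode()
    h = 2 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 3)
    return pow(h, 2, P)

def partial_token(share, base):
    """What one authentication server returns (assumed form: base^share)."""
    return pow(base, share, P)

def combine(partials):
    """Client side: Lagrange interpolation at x = 0, done in the exponent."""
    token = 1
    for i, t_i in partials.items():
        lam = 1
        for j in partials:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        token = token * pow(t_i, lam, P) % P
    return token

def demo():
    key = secrets.randbelow(Q)
    base = request_base("alice", "provider.example", "provider-value", "user-value")
    old = split(key, n=5, t=3)
    new = refresh(old, t=3)
    before = combine({i: partial_token(old[i], base) for i in (1, 2, 3)})
    after = combine({i: partial_token(new[i], base) for i in (2, 4, 5)})
    return pow(base, key, P), before, after   # all three values are equal
```

No single server's share, before or after a refresh, equals the key; the client only ever sees partial tokens and the combined token.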
20 Claims
1. A method performed on a computing device, the method comprising:
- receiving, by the computing device in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;
- sending, by the computing device to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;
- receiving, by the computing device from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;
- computing, by the computing device from the received partial authentication tokens, an authentication token; and
- accessing, by the computing device based on the computed authentication token, the service.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A computing device comprising:
- at least one processor;
- memory coupled to the at least one processor;
- a network adapter coupled to the at least one processor and the memory, and via which the computing device receives, in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;
- the network adapter via which the computing device sends, to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;
- the network adapter via which the computing device receives, from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;
- the at least one processor via which the computing device computes, from the received partial authentication tokens, an authentication token; and
- the computing device configured to access, based on the computed authentication token, the service.
Dependent claims: 9, 10, 11, 12, 13, 14

15. At least one computer-readable media that comprises computer-readable instructions that, based on execution by a computing device, configure the computing device to perform actions comprising:
- receiving, by the computing device in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;
- sending, by the computing device to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;
- receiving, by the computing device from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;
- computing, by the computing device from the received partial authentication tokens, an authentication token; and
- accessing, by the computing device based on the computed authentication token, the service.
Dependent claims: 16, 17, 18, 19, 20

Specification