Distributed single sign on technologies including privacy protection and proactive updating

US 9,641,514 B2
Filed: 10/07/2015
Issued: 05/02/2017
Est. Priority Date: 11/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method performed on a computing device, the method comprising:

receiving, by the computing device in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;

sending, by the computing device to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;

receiving, by the computing device from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;

computing, by the computing device from the received partial authentication tokens, an authentication token; and

accessing, by the computing device based on the computed authentication token, the service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs.

36 Citations

20 Claims

1. A method performed on a computing device, the method comprising:
- receiving, by the computing device in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;
  
  sending, by the computing device to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;
  
  receiving, by the computing device from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;
  
  computing, by the computing device from the received partial authentication tokens, an authentication token; and
  
  accessing, by the computing device based on the computed authentication token, the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising second sending, by the computing device to the provider, the computed authentication token and the identifier of the user.
  - 3. The method of claim 2 where the accessing is further based on the provider verifying the sent authentication token using a secret key known only to the provider.
  - 4. The method of claim 2 where the second sending comprises sending, by the computing device to the provider, the second value.
  - 5. The method of claim 1 further comprising creating a session key based on the first value and the second value.
  - 6. The method of claim 5 further comprising establishing, between the computing device and the provider based on the created session key, a secure communication channel.
  - 7. The method of claim 1 where the first value is computed by the provider based on a first random number, or where the second value is computed by the computing device based on a second random number.

8. A computing device comprising:
- at least one processor;
  
  memory coupled to the at least one processor;
  
  a network adapter coupled to the at least one processor and the memory, and via which the computing device receives, in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;
  
  the network adapter via which the computing device sends, to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;
  
  the network adapter via which the computing device receives, from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;
  
  the at least one processor via which the computing device computes, from the received partial authentication tokens, an authentication token; and
  
  the computing device configured to access, based on the computed authentication token, the service.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing device of claim 8, the network adapter via which the computing device second sends, to the provider, the computed authentication token and the identifier of the user.
  - 10. The computing device of claim 9 configured to access the service based further on the provider verifying the sent authentication token using a secret key known only to the provider.
  - 11. The computing device of claim 9 where the computing device further second sends, to the provider, the second value.
  - 12. The computing device of claim 8 further comprising creating a session key based on the first value and the second value.
  - 13. The computing device of claim 12 further configured to establish, between the computing device and the provider based on the created session key, a secure communication channel.
  - 14. The computing device of claim 8 where the first value is computed by the provider based on a first random number, or where the second value is computed by the computing device based on a second random number.

15. At least one computer-readable media that comprises computer-readable instructions that, based on execution by a computing device, configure the computing device to perform actions comprising:
- receiving, by the computing device in response to a request to access a service on behalf of a user, a list of authentication devices, an identifier of a provider of the service, and a first value that corresponds to the provider;
  
  sending, by the computing device to each of the authentication devices, an identifier of the user, the identifier of the provider, the first value, and a second value that corresponds to the user;
  
  receiving, by the computing device from each of the authentication devices, a partial authentication token that is based on the sent identifier of the user, the sent identifier of the provider, the sent first value, and the sent second value;
  
  computing, by the computing device from the received partial authentication tokens, an authentication token; and
  
  accessing, by the computing device based on the computed authentication token, the service.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The at least one computer-readable media of claim 15, the actions further comprising second sending, by the computing device to the provider, the computed authentication token and the identifier of the user.
  - 17. The at least one computer-readable media of claim 16 where the accessing is further based on the provider verifying the sent authentication token using a secret key known only to the provider.
  - 18. The at least one computer-readable media of claim 16 where the second sending comprises sending, by the computing device to the provider, the second value.
  - 19. The at least one computer-readable media of claim 15, the actions further comprising creating a session key based on the first value and the second value.
  - 20. The at least one computer-readable media of claim 19, the actions further comprising establishing, between the computing device and the provider based on the created session key, a secure communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Zhu, Bin Benjamin, Feng, Min
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US14/877,030
Publication Number

US 20160099933A1
Time in Patent Office

573 Days
Field of Search

380 28, 380 44, 726 8, 726 9
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3226   using a predetermined code,...

Distributed single sign on technologies including privacy protection and proactive updating

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed single sign on technologies including privacy protection and proactive updating

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links