Method and apparatus for providing a conditional single sign on

US 9,917,829 B1
Filed: 09/23/2016
Issued: 03/13/2018
Est. Priority Date: 06/05/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method performed by a connection broker for brokering successive connections between a device and a computer resource comprising:

during a first access sequence;

providing to the device, a first random number;

authenticating a user of the device; and

instantiating the computer resource for the authenticated user;

and during a subsequent access sequence responsive to the first random number retrieved from the device;

receiving encrypted user credentials and an encryption of a second random number forwarded from the device; and

communicating to the computer resource i) the first random number, ii) the encrypted user credentials and iii) the encryption of the second random number,wherein the encrypted user credentials comprise credentials of the user encrypted by a key K, the key K comprising a combination of the first random number with the second random number and wherein the encryption of the second random number comprises the second random number encrypted by a first public key held by the computer resource and the device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for providing a conditional single sign-on, wherein during a first access sequence a connection broker provides a first random number to a device. During a subsequent access period, the device provides encrypted user credentials to the connection broker comprising credentials of a user encrypted by a key K. The key K comprises the first random number combined with a second random number. The device further provides an encryption of the second random number to the connection broker, the second random number encrypted with a first public key held by the computer resource. The connection broker decrypts the first random number and retransmits the encryption of the second random number and the encrypted user credentials to the computing resource.

11 Citations

20 Claims

1. A computer implemented method performed by a connection broker for brokering successive connections between a device and a computer resource comprising:
- during a first access sequence;
  
  providing to the device, a first random number;
  
  authenticating a user of the device; and
  
  instantiating the computer resource for the authenticated user;
  
  and during a subsequent access sequence responsive to the first random number retrieved from the device;
  
  receiving encrypted user credentials and an encryption of a second random number forwarded from the device; and
  
  communicating to the computer resource i) the first random number, ii) the encrypted user credentials and iii) the encryption of the second random number,wherein the encrypted user credentials comprise credentials of the user encrypted by a key K, the key K comprising a combination of the first random number with the second random number and wherein the encryption of the second random number comprises the second random number encrypted by a first public key held by the computer resource and the device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - during the first access sequence, the connection broker providing a second public key to the device for encrypting the first random number; and
      
      retrieving the first random number in the subsequent access sequence by decrypting an encryption of the first random number received from the device.
  - 3. The method of claim 1 wherein the first public key comprises a certificate signed by an authentication system, the authentication system used to authenticate the user during the first access sequence.
  - 4. The method of claim 1 wherein combining the first random number and the second random number comprises one of applying i) an XOR function or ii) a non-reversible hash to the first random number and the second random number.
  - 5. The method of claim 1 wherein combining the first random number and the second random number comprises concatenating the first random number and the second random number.
  - 6. The method of claim 1 wherein the authenticating the user comprises:
    - redirecting the device to an authentication system; and
      
      confirming with the authentication system a token received from the device, the token provided by the authentication system to the device.

7. A method for establishing a connection with a computer resource comprising:
- during a first access sequence;
  
  receiving, at a device, a first random number from a connection broker;
  
  providing, from the device, encrypted user credentials to the connection broker, the encrypted user credentials comprising credentials of a user encrypted by a key K, the key K comprising the first random number combined and a second random number;
  
  purging, by the device, the credentials of the user and the key K;
  
  and during a subsequent access sequence;
  
  receiving, at the device, a first public key held by the computing resource;
  
  encrypting, by the device, the second random number with the first public key;
  
  transmitting, by the device to the connection broker, i) an encryption of the first random number ii) the encryption of the second random number and iii) the encrypted user credentials; and
  
  establishing, by the device, the connection with the computer resource.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7 further comprising during the first access sequence:
    - authenticating the user by the device, by i) redirecting from the device to an authentication system and ii) receiving a token from the authentication system; and
      
      transmitting, by the device, the token to the connection broker.
  - 9. The method of claim 8 wherein the first public key comprises a certificate signed by the authentication system.
  - 10. The method of claim 8 wherein the credentials of the user and the key K are purged by the device prior to the device authenticating the user.
  - 11. The method of claim 7 wherein combining the first random number and the second random number comprises one of applying i) an XOR function or ii) a non-reversible hash to the first random number and the second random number.
  - 12. The method of claim 7 wherein combining the first random number and the second random number comprises concatenating the first random number and the second random number.
  - 13. The method of claim 7 further comprising:
    - receiving, at the device, a second public key from connection broker; and
      
      encrypting, by the device, the first random number using the second public key to generate the encryption of the first random number.
  - 14. The method of claim 7 wherein the second random number generated by the device.
  - 15. The method of claim 7 wherein the credentials of the user and the key K are purged by the device to prevent decryption of the credentials of the user at the device.

16. A system for providing a conditional single sign-on, comprising:
- a connection broker for generating a first random number during a first access sequence;
  
  a computer resource, coupled to the connection broker via a network, for providing a first public key during a second access sequence; and
  
  a device, coupled to the connection broker via the network, for receiving the first random number from the connection broker during the first access sequence and the first public key held by the computer resource during the second access sequence, the device enabled to provide encrypted user credentials to the connection broker, the encrypted user credentials comprising credentials of a user encrypted by a key K, the key K comprising the first random number combined with a second random number,wherein during the second access sequence, the device transmits i) an encryption of the first random number ii) an encryption of the second random number by the first public key and iii) the encrypted user credentials to the connection broker, andwherein, responsive to the connection broker decrypting the first random number, retransmitting the encryption of the second random number and the encrypted user credentials from the connection broker to the computing resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, further comprising:
    - an authentication system, coupled to the connection broker via the network, used to authenticate the user during the first access sequence, and wherein the authentication system signs a certificate which comprises the first public key.
  - 18. The system of claim 16 wherein combining the first random number and the second random number comprises one of applying i) an XOR function or ii) a non-reversible hash to the first random number and the second random number.
  - 19. The system of claim 16 wherein combining the first random number and the second random number comprises concatenating the first random number and the second random number.
  - 20. The system of claim 16 wherein the connection broker authenticates the user by:
    - redirecting the device to an authentication system; and
      
      confirming with the authentication system a token received from the device, the token provided by the authentication system to the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Teradici Corporation (HP Inc.)
Original Assignee
Teradici Corporation (HP Inc.)
Inventors
Dall, William John
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/274,595
Time in Patent Office

536 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 9/0819   Key transport or distributi...

H04L 9/0863   involving passwords or one-...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for providing a conditional single sign on

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing a conditional single sign on

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links