METHOD FOR THE UNIQUE AUTHENTICATION OF A USER BY SERVICE PROVIDERS

US 20100275009A1
Filed: 02/25/2008
Published: 10/28/2010
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method for unique authentication of a user by at least one service provider, said method including a preliminary identity federation stage of federating an identity of said user for said service provider and an identity of said user for an identity provider, wherein said preliminary identity federation stage comprises the steps of:

the user generating a non-masked user alias for that service provider and sending said identity provider a masked alias deduced from said alias;

the identity provider associating said masked alias for that service provider with the identity of the user for the identity provider and sending the user elements for calculation by the user of a signature of a message containing the non-masked alias;

the user calculating said signature and sending the service provider said message with said signature; and

the service provider verifying said signature, authenticating the user, and associating said alias with the user'"'"'s identity for the service provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for unique authentication of a user (U) by at least one service provider (SP), said method including a preliminary identity federation stage of federating an identity (user@sp) of said user for said service provider and an identity (user@idp) of the user (U) for an identity provider (IdP). According to the invention, said preliminary identity federation stage includes the steps of: the user (U) generating a user alias ([alias]) for that service provider (SP) and sending said identity provider (IdP) a masked alias ([alias]_masked) deduced from said alias, the identity provider (IdP) associating said masked alias ([alias]_masked) for that service provider (SP) with the identity (user@idp) of the user for the identity provider (IdP) and sending the user (U) elements for calculation by the user of a signature (σ) of a message (msg) containing the non-masked alias ([alias]), the user (U) calculating said signature (σ) and sending the service provider (SP) said message (msg) with said signature (σ), and the service provider (SP) verifying said signature (σ), authenticating the user (U), and associating said alias ([alias]) with the user'"'"'s identity (user@sp) for the service provider (SP).

37 Citations

View as Search Results

9 Claims

1. A method for unique authentication of a user by at least one service provider, said method including a preliminary identity federation stage of federating an identity of said user for said service provider and an identity of said user for an identity provider, wherein said preliminary identity federation stage comprises the steps of:
- the user generating a non-masked user alias for that service provider and sending said identity provider a masked alias deduced from said alias;
  
  the identity provider associating said masked alias for that service provider with the identity of the user for the identity provider and sending the user elements for calculation by the user of a signature of a message containing the non-masked alias;
  
  the user calculating said signature and sending the service provider said message with said signature; and
  
  the service provider verifying said signature, authenticating the user, and associating said alias with the user'"'"'s identity for the service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, further comprising, in the event of a request for service to a service provider after said identity federation stage, an authentication stage including the steps of:
    - the identity provider authenticating the user for said service provider;
      
      the identity provider searching for the masked alias for said service provider associated with the identity of said user for said identity provider and sending the user elements for calculation by the user of a signature of a message containing the non-masked alias;
      
      the user calculating said signature and sending the service provider said message with said signature; and
      
      the service provider verifying said signature, recovering the user'"'"'s identity for the service provider from the alias, and providing the service requested by the user.
  - 3. A method according to claim 1, wherein said elements provided by the identity provider represent a partially blind signature of a message containing said masked alias.
  - 4. A method according to claim 1, wherein said identity federation stage comprises the steps of:
    - the user receiving from the service provider non-confidential data M and, optionally, confidential data m*, then generating an alias m of the user for that service provider, and sending said identity provider said non-confidential data M, said alias m in masked form;
      
      m_masked=m·
      
      g^smod p, where g and p are public elements and s an element chosen by the user, and, where appropriate, said confidential data m*, in masked form;
      
      the identity provider associating said masked alias m_maskedfor this service provider with the identity of the user for the identity provider, calculating the elements m₀=g₁^H¹^(M)·
      
      m_masked·
      
      g₃and z₀=m₀^xmod p, where g₁and g₃are public elements, x a private key of the identity provider associated with the public key h=g^xmod p, and H₁a hashing function, proving interactively with the user that the discrete logarithm of h to base g is equal to that of z₀to base m₀, and sending the user the partially-blind signature of a message msg=M∥
      
      m, or, where appropriate, msg=M∥
      
      m∥
      
      m*;
      
      the user unmasking said partially blind signature and sending the service provider the unmasked signature with said message msg; and
      
      the service provider verifying the signature, extracting the alias m from the message msg, authenticating the user and associating said alias m with the identity of the user for the service provider.
  - 5. A method according to claim 4, further comprising, in the event of a request for service by a service provider after said identity federation stage, an authentication stage including the steps of:
    - the user receiving from the service provider non-confidential data M and, optionally, confidential data m*, being authenticated by said identity provider for said service provider, and sending the identity provider said non-confidential data M and, where appropriate, said confidential data m* in masked form;
      
      the identity provider searching for the masked alias m_maskedfor this service provider associated with the identity of the user for the identity provider, calculating the elements m₀=g₁^H¹^(M)·
      
      m_masked·
      
      g₃and z₀=m₀^xmod p, where g₁and g₃are public elements, x a private key of the identity provider associated with the public key h=g^xmod p, and H₁a hashing function, proving interactively with the user that the discrete logarithm of h to base g is equal to that of z₀to base m₀, and sending the user the partially-blind signature of a message msg=M∥
      
      m, or, where appropriate, msg=M∥
      
      m∥
      
      m*;
      
      the user unmasking said partially-blind signature and sending the service provider the unmasked signature with said message msg; and
      
      the service provider verifying said signature, recovering the user'"'"'s identity for the service provider from the alias m extracted from the message msg, and providing the service requested by the user.
  - 6. Non-removable data storage means containing computer program code instructions for executing the steps of a method according to claim 1.
  - 7. Partially or totally removable data storage means containing computer program code instructions for executing the steps of a method according to claim 1.
  - 8. A computer program including instructions such that, when said program controls a programmable data processing device, said instructions cause said data processing device to execute a method according to claim 1.

9. A federation table accessible to an identity provider and associated with the identity of a user registered with said identity provider, wherein it matches with at least one service provider a respective masked alias obtained by masking an alias associating said identity provider with the identity of said user for said service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Guilloteau, Stéphane, Traore, Jacques, Canard, Sébastien, Malville, Eric

Granted Patent

US 8,689,306 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 2209/04   Masking or blinding

H04L 63/0421   Anonymous communication, i....

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 9/3013   involving the discrete loga...

H04L 9/3257   using blind signatures

METHOD FOR THE UNIQUE AUTHENTICATION OF A USER BY SERVICE PROVIDERS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR THE UNIQUE AUTHENTICATION OF A USER BY SERVICE PROVIDERS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links