SYSTEM AND METHOD FOR SECURE IDENTITY SERVICE

US 20120311686A1
Filed: 09/02/2011
Published: 12/06/2012
Est. Priority Date: 06/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for managing user identities on a network comprising:

receiving a request to register an identity for a first user, the request including a token uniquely identifying a mobile device of the first user on the network, one or more identification (ID) codes uniquely identifying the first user;

storing an entry for the first user within a registration database, the entry associating the token with the user ID codes;

receiving a query from a second user to communicate with the first user, the query including at least one of the ID codes identifying the first user, the query including at least one ID code of the second user and a token uniquely identifying a mobile device of the second user on the network;

generating a first query signature over one or more of the ID codes and tokens of the first and second users, and a timestamp, the query signature usable by network services to authenticate communication between the first and second users on the network; and

transmitting the first query signature and the first user'"'"'s token to the mobile device of second user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securely processing identity information. For example, in one embodiment of the invention, a first user is registered on an identity service with one or more identification (ID) codes and a token. In response to a query from a second user to connect with the first user, a query signature is generated using the one or more ID codes and token of the first and second users, and a timestamp. The query signature is usable by network services to authenticate communication between the first and second users on the network over a specified period of time. In another embodiment, user ID codes and tokens are cached on mobile devices and/or a system cache to improve performance. The validity of the cached data is determined by calculating a fingerprint which, in one embodiment, is a hash of the ID code, token and a timestamp.

Citations

31 Claims

1. A method for managing user identities on a network comprising:
- receiving a request to register an identity for a first user, the request including a token uniquely identifying a mobile device of the first user on the network, one or more identification (ID) codes uniquely identifying the first user;
  
  storing an entry for the first user within a registration database, the entry associating the token with the user ID codes;
  
  receiving a query from a second user to communicate with the first user, the query including at least one of the ID codes identifying the first user, the query including at least one ID code of the second user and a token uniquely identifying a mobile device of the second user on the network;
  
  generating a first query signature over one or more of the ID codes and tokens of the first and second users, and a timestamp, the query signature usable by network services to authenticate communication between the first and second users on the network; and
  
  transmitting the first query signature and the first user'"'"'s token to the mobile device of second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as in claim 1 further comprising:
    - receiving a request from the second user at a first application-specific network service to establish a communication channel with the first user;
      
      generating a second query signature at the first application-specific network service using the ID codes and tokens of the first and second users, and a current timestamp;
      
      if the first query signature and the second query signatures match, then allowing communication between the first user and the second user using the application-specific network service.
  - 3. The method as in claim 2 wherein if the first query signature does not match the second query signature, then rejecting the request from the second user at the first application-specific network service to establish a communication channel with the first user.
  - 4. The method as in claim 3 wherein the first application-specific network service comprises an instant messaging service.
  - 5. The method as in claim 1 wherein the request to register the identify of the first user includes application data identifying applications installed on the first user'"'"'s mobile device, the application data being stored in the entry for the first user within the registration database,wherein the request from the second user includes application data identifying applications installed on the second user'"'"'s mobile device, and wherein the response to the second user identifies applications common to both the first user'"'"'s mobile device and the second user'"'"'s mobile device.
  - 6. The method as in claim 5 wherein at least one of the applications comprises a video chat application.
  - 7. The method as in claim 1 wherein the one or more ID codes are received from the first user in a non-canonicalized format, the method further comprising:
    - canonicalizing the one or more ID codes to generate canonicalized ID codes prior to storing the canonicalized ID codes within the registration database; and
      
      transmitting one or more of the canonicalized ID codes to the second user with the first query signature and first user'"'"'s token.
  - 8. The method as in claim 7 wherein one of the ID codes comprises a telephone number associated with the first user.
  - 9. The method as in claim 1 wherein one of the ID codes comprises an email address associated with the first user.
  - 10. The method as in claim 1 further comprising:
    - generating a first certificate for the first user comprising a signature over the token of the first user;
      
      generating a second certificate for the first user comprising a signature over at least one of the ID codes of the first user and a password associated with the first user; and
      
      generating a third certificate for the first user using data extracted from the first certificate and the second certificate, and a timestamp, the third certificate usable by application-specific network services to authenticate the first user on the network.

11. A method comprising:
- receiving a first query from a mobile device of a first user to communicate with a mobile device of a second user;
  
  responsively providing the mobile device of the first user with one or more identities of the second user, a token containing network information for a mobile device of the second user, and a fingerprint generated with the one or more identities of the first user, the token, and a timestamp;
  
  subsequently checking the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more identities of the second user and the token of the second user provided in response to the first query.
- View Dependent Claims (12, 13, 14, 15, 16, 20, 21, 22, 23, 24, 25)
- - 12. The method as in claim 11 wherein the fingerprint comprises a hash over the one or more identities and the token of the second user.
  - 13. The method as in claim 12 wherein the hash comprises an secure hash algorithm 1 (“
    - SHA-1”
      
      ) hash.
  - 14. The method as in claim 11 wherein subsequently checking the fingerprint comprises re-generating the fingerprint using the one or more identities and token of the second user and a current timestamp and comparing the re-generated fingerprint with the original fingerprint.
  - 15. The method as in claim 12 further comprising:
    - storing the one or more identities, the token of the second user, and the fingerprint in a network cache;
      
      receiving a subsequent query at the network cache for the one or more identities and token of the second user;
      
      transmitting the fingerprint from the network cache to an identity service;
      
      receiving a response from the identity service indicating whether the fingerprint is still valid, wherein if the fingerprint is still valid, transmitting the one or more identities and the token stored in the network cache to the mobile device from which the subsequent query was received.
  - 16. The method as in claim 15 wherein, if the fingerprint is no longer valid, then transmitting one or more identities and the token of the second user and a new fingerprint from the identity service to the network cache, the new fingerprint generated using the one or more identities and the token of the second user and a current timestamp.
  - 20. The machine-readable medium as in claim 16 wherein the request to register the identify of the first user includes application data identifying applications installed on the first user'"'"'s mobile device, the application data being stored in the entry for the first user within the registration database,wherein the request from the second user includes application data identifying applications installed on the second user'"'"'s mobile device, and wherein the response to the second user identifies applications common to both the first user'"'"'s mobile device and the second user'"'"'s mobile device.
  - 21. The machine-readable medium as in claim 20 wherein at least one of the applications comprises a video chat application.
  - 22. The machine-readable medium as in claim 16 wherein the one or more ID codes are received from the first user in a non-canonicalized format, the machine-readable medium further comprising:
    - canonicalizing the one or more ID codes to generate canonicalized ID codes prior to storing the canonicalized ID codes within the registration database; and
      
      transmitting one or more of the canonicalized ID codes to the second user with the first query signature and first user'"'"'s token.
  - 23. The machine-readable medium as in claim 22 wherein one of the ID codes comprises a telephone number associated with the first user.
  - 24. The machine-readable medium as in claim 16 wherein one of the ID codes comprises an email address associated with the first user.
  - 25. The machine-readable medium as in claim 16 comprising additional program code to cause the machines to perform the additional operations of:
    - generating a first certificate for the first user comprising a signature over the token of the first user;
      
      generating a second certificate for the first user comprising a signature over at least one of the ID codes of the first user and a password associated with the first user; and
      
      generating a third certificate for the first user using data extracted from the first certificate and the second certificate, and a timestamp, the third certificate usable by application-specific network services to authenticate the first user on the network.

17. A machine-readable medium having program code stored thereon which, when executed by one or more machines, causes the machines to perform the operations of:
- receiving a request from the second user at a first application-specific network service to establish a communication channel with the first user;
  
  generating a second query signature at the first application-specific network service using the ID codes and tokens of the first and second users, and a current timestamp;
  
  if the first query signature and the second query signatures match, then allowing communication between the first user and the second user using the application-specific network service.
- View Dependent Claims (18, 19)
- - 18. The machine-readable medium as in claim 17 wherein if the first query signature does not match the second query signature, then rejecting the request from the second user at the first application-specific network service to establish a communication channel with the first user.
  - 19. The machine-readable medium as in claim 18 wherein the first application-specific network service comprises an instant messaging service.

26. A machine-readable medium having program code stored thereon which, when executed by one or more machines, causes the machines to perform the operations of:
- receiving a first query from a mobile device of a first user to communicate with a mobile device of a second user;
  
  responsively providing the mobile device of the first user with one or more identities of the second user, a token containing network information for a mobile device of the second user, and a fingerprint generated with the one or more identities of the first user, the token, and a timestamp;
  
  subsequently checking the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more identities of the second user and the token of the second user provided in response to the first query.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The machine-readable medium as in claim 26 wherein the fingerprint comprises a hash over the one or more identities and the token of the second user.
  - 28. The machine-readable medium as in claim 27 wherein the hash comprises an secure hash algorithm 1 (“
    - SHA-1”
      
      ) hash.
  - 29. The machine-readable medium as in claim 26 wherein subsequently checking the fingerprint comprises re-generating the fingerprint using the one or more identities and token of the second user and a current timestamp and comparing the re-generated fingerprint with the original fingerprint.
  - 30. The machine-readable medium as in claim 26 comprising additional program code to cause the machines to perform the additional operations of:
    - storing the one or more identities, the token of the second user, and the fingerprint in a network cache;
      
      receiving a subsequent query at the network cache for the one or more identities and token of the second user;
      
      transmitting the fingerprint from the network cache to an identity service;
      
      receiving a response from the identity service indicating whether the fingerprint is still valid, wherein if the fingerprint is still valid, transmitting the one or more identities and the token stored in the network cache to the mobile device from which the subsequent query was received.
  - 31. The machine-readable medium as in claim 30 wherein, if the fingerprint is no longer valid, then transmitting one or more identities and the token of the second user and a new fingerprint from the identity service to the network cache, the new fingerprint generated using the one or more identities and the token of the second user and a current timestamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Medina, Alexander A., Vyrros, Andrew H., Bleau, Darryl N., Davey, Jeffrey T., Wood, Justin N., Devanneaux, Thomas, Santamaria, Justin E.

Granted Patent

US 9,078,128 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

SYSTEM AND METHOD FOR SECURE IDENTITY SERVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURE IDENTITY SERVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links