Methods for Single Signon (SSO) Using Decentralized Password and Credential Management

US 20130166918A1
Filed: 12/27/2011
Published: 06/27/2013
Est. Priority Date: 12/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method for decentralized single sign-on to a plurality of websites via instructions executed by a user computer browser, the method comprising the steps of:

Establishing a browsing session with a website;

Determining if the user has previously registered with a login server;

If the user has not already registered with the login server;

Causing the browser to establish a secure communication channel with the login server;

Receiving a username and password from the user;

Encrypting the password and providing it to the login server upon registration (to be stored for future validation);

Receiving a password-encrypted one-time random number from the login server;

Obtaining user credentials and other user information entered into the browser;

Locally encrypting the user credentials and other user information on the browser with the password-encrypted one-time random number; and

Sending the encrypted user credential(s) and other information to the login server to be stored by one or more storage locations;

However, if the user has already registered with the login server;

Determining whether the user is currently logged in to the login server;

If the user is not logged in to the login server;

Causing the browser to establish a secure communication channel with the login server;

Acquiring the password from the user;

Locally encrypting the password on the browser upon login;

Requesting validation of the user'"'"'s encrypted password from the login server;

If validated, receiving stored encrypted user credentials and/or other user information from the one or more storage locations;

Decrypting the stored credentials and/or other user information with the password to reveal the one-time random number;

Using the one-time random number to decrypt the user credentials and/or other user information;

Determining whether user information exists for the current website; and

If user information for the current website exists, further decrypting any user credentials related to the website and providing the credentials to the website to automatically log the user into the website;

However, if the user is logged in to the login server;

Determining whether user information exists for the current website; and

If user information exists, further decrypting any user credentials related to the website and providing the credentials to the website to automatically log the user into the website;

Wherein all encryption and decryption of the user'"'"'s password and credentials are performed locally by the browser on the user computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for single sign-on (SSO) that provides decentralized credential management using end-to-end security. Credential (and other personal user information) management is decentralized in that encryption is performed locally on the user'"'"'s computer. The user'"'"'s encrypted credentials may be stored by the login server and/or a plurality of distributed servers/databases (such as a cloud). The login server never has access to the user'"'"'s credentials or other personal information. When the user wants to use single sign-on, he enters his password into his browser and the browser submits the encrypted/hashed password to the login server for validation. Upon validation, the browser receives the user'"'"'s encrypted credentials. The credentials are decrypted by the browser and provided to relevant websites to automatically log the user in.

125 Citations

20 Claims

1. A method for decentralized single sign-on to a plurality of websites via instructions executed by a user computer browser, the method comprising the steps of:
- Establishing a browsing session with a website;
  
  Determining if the user has previously registered with a login server;
  
  If the user has not already registered with the login server;
  
  Causing the browser to establish a secure communication channel with the login server;
  
  Receiving a username and password from the user;
  
  Encrypting the password and providing it to the login server upon registration (to be stored for future validation);
  
  Receiving a password-encrypted one-time random number from the login server;
  
  Obtaining user credentials and other user information entered into the browser;
  
  Locally encrypting the user credentials and other user information on the browser with the password-encrypted one-time random number; and
  
  Sending the encrypted user credential(s) and other information to the login server to be stored by one or more storage locations;
  
  However, if the user has already registered with the login server;
  
  Determining whether the user is currently logged in to the login server;
  
  If the user is not logged in to the login server;
  
  Causing the browser to establish a secure communication channel with the login server;
  
  Acquiring the password from the user;
  
  Locally encrypting the password on the browser upon login;
  
  Requesting validation of the user'"'"'s encrypted password from the login server;
  
  If validated, receiving stored encrypted user credentials and/or other user information from the one or more storage locations;
  
  Decrypting the stored credentials and/or other user information with the password to reveal the one-time random number;
  
  Using the one-time random number to decrypt the user credentials and/or other user information;
  
  Determining whether user information exists for the current website; and
  
  If user information for the current website exists, further decrypting any user credentials related to the website and providing the credentials to the website to automatically log the user into the website;
  
  However, if the user is logged in to the login server;
  
  Determining whether user information exists for the current website; and
  
  If user information exists, further decrypting any user credentials related to the website and providing the credentials to the website to automatically log the user into the website;
  
  Wherein all encryption and decryption of the user'"'"'s password and credentials are performed locally by the browser on the user computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, where the user is validated at least if the encrypted password upon login matches the encrypted password upon registration.
  - 3. The method of claim 1, where the password is encrypted by hashing and salting the password.
  - 4. The method of claim 1, where the user computer browser is further provided with a digital certificate and the user is validated by the login server upon validation of the digital certificate.
  - 5. The method of claim 1, where the user computer browser is further provided with an optical code and the user is validated by the login server upon validation of the optical code.
  - 6. The method of claim 1, where the user'"'"'s encrypted credentials are stored on one or more virtual servers and/or a cloud computing platform.
  - 7. The method of claim 1, where the user'"'"'s encrypted credentials are stored on at least one of the user computer and a removable memory device.
  - 8. The method of claim 1, where one or more beneficiaries are assigned to the user'"'"'s password and the one or more beneficiaries are able to access select portions of the user'"'"'s credentials and/or other information using at least one, or a combination of, one or more beneficiary passwords.
  - 9. The method of claim 1, where the encrypted other user information includes uniform resource indicator(s) associated with the user credential(s).

10. A method for decentralized single sign-on to a plurality of websites via instructions executed by a user computer browser, the method comprising the steps of:
- Establishing a browsing session with a login server website;
  
  Determining if the user has previously registered with the login server;
  
  If the user has not already registered;
  
  Establishing a secure communication channel with the login server website;
  
  Receiving a password from the user and locally encrypting the password on the browser;
  
  Sending the encrypted password to the login server for future validation;
  
  Receiving a one-time random number from the login server encrypted with the encrypted password;
  
  Obtaining user credentials and other user information entered into the browser;
  
  Locally encrypting the user credentials and other user information on the browser with the encrypted one-time random number;
  
  Sending the encrypted user credentials and other user information to one or more storage locations;
  
  However, if the user has already registered with the login server;
  
  Determining whether the user is already logged in to the login server;
  
  If the user is not logged in;
  
  Establishing a secure communication channel with the login server;
  
  Acquiring the password from the user;
  
  Locally encrypting the password on the browser;
  
  Requesting validation of the user'"'"'s encrypted password from the login server;
  
  If validated, obtaining any encrypted user credentials and other user information from the login server;
  
  Locally decrypting the obtained user credentials and other user information on the browser;
  
  Obtaining a website selection from the user;
  
  Determining whether user credentials exist for the selected website; and
  
  If user credentials for the selected website exist, providing the credentials to the website to automatically log the user into the website;
  
  However, if the user is logged in;
  
  Obtaining a website selection from the user;
  
  Determining whether user credentials exist for the selected website; and
  
  If credentials for the selected website exist, providing the information to the website to automatically log the user into the website;
  
  Wherein all encryption and decryption of the user'"'"'s credentials are performed locally by the browser on the user computer.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, where the user is validated at least if the encrypted password upon login matches the encrypted password upon registration.
  - 12. The method of claim 10, where the password is encrypted by hashing and salting the password.
  - 13. The method of claim 10, where the user computer browser is further provided with a digital certificate and the user is validated by the login server upon validation of the digital certificate.
  - 14. The method of claim 10, where the user computer browser is further provided with an optical code and the user is validated by the login server upon validation of the optical code.
  - 15. The method of claim 10, where the user'"'"'s encrypted credentials are stored on one or more virtual servers.
  - 16. The method of claim 10, where the user'"'"'s encrypted credentials are stored on a cloud computing platform.
  - 17. The method of claim 10, where the user'"'"'s encrypted credentials are stored on at least one of the user computer and a removable memory device.
  - 18. The method of claim 10, where one or more beneficiaries are assigned to the user'"'"'s password and the one or more beneficiaries are able to access select portions of the user'"'"'s credentials and/or other information using at least one, or a combination of, one or more beneficiary passwords.
  - 19. The method of claim 10, where the encrypted other user information includes uniform resource indicator(s) associated with the user credential(s).

20. A method for website content management, the method comprising the steps of:
- Establishing a secure communication channel with a login server;
  
  Receiving a request for content from a user;
  
  Validating the user via the login server;
  
  Sending a link to the user; and
  
  Automatically providing authorized content to the user upon selection of the link;
  
  Wherein validating the user via the login server includes at least;
  
  Acquiring a hashed password from the user and comparing the hashed password with a previously received hashed password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mahmood Shahbazi, Majid Shahbazi
Original Assignee
Mahmood Shahbazi, Majid Shahbazi
Inventors
Shahbazi, Majid, Shahbazi, Mahmood

Granted Patent

US 8,819,444 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/183
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 9/0863   involving passwords or one-...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

Methods for Single Signon (SSO) Using Decentralized Password and Credential Management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Methods for Single Signon (SSO) Using Decentralized Password and Credential Management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others