System and method for single session sign-on with cryptography

US 7,353,383 B2
Filed: 03/14/2003
Issued: 04/01/2008
Est. Priority Date: 03/18/2002
Status: Active Grant

First Claim

Patent Images

1. In a computer system including a server system, a session authority and a plurality of content servers, a single sign-on method for enabling a client to access the plurality of content servers by single sign-on during a session, comprising:

(a) receiving a request for content contained within one of a plurality of content servers from a browser, acting on behalf of a client;

(b) determining by the content server whether the request comprises a valid session credential; and

(d) transmitting the content to the browser if the request comprises a valid session credential,wherein if the request does not comprise a valid session credential, the method further comprises;

(d) transmitting by the content server to the browser a challenge, the challenge comprising the name of a session authority that is used by the content server and the type of authentication required by the content server;

(e) receiving by the session authority a request for the session credential from the browser, the request comprising a certificate request identification; and

(f) checking by the session authority for a valid session certificate from an authenticating authority in the request for the session credential;

wherein if the request received by the session authority for the session credential comprises a valid session certificate from the authenticating authority, the session authority creates and transmits to the browser for storage in non-persistent memory a session credential,wherein further if the request received by the session authority for the session credential does not comprise a valid session certificate from the authenticating authority, the method further comprises;

(g) generating a second random piece of data by the session authority;

(h) transmitting to the browser the second random piece of data generated by the session authority, a challenge for a session certificate and the name of the authentication authority;

(i) receiving by the session authority from the browser a session certificate generated by the authentication authority, a third random piece of data generated by the browser, a signature created using a private session key that was generated by the browser as part of a public/private session key pair and applied to the second random piece of data and the third random piece of data and a request for a session credential, where the session certificate comprises the public session key, wherein further the public session key was transmitted to the authentication authority by the browser along with a request for the session certificate;

(j) verifying by the session authority that the signature received from the browser is valid by using the public session key included in the session certificate;

(k) extracting the identity of the user of the browser from the session certificate and creating a session credential comprising the user identity and a message authenticity code;

(l) transmitting the session credential from the session authority to the browser;

(m) receiving by the content server from the browser a request for the requested resource;

(n) determining by the content server whether the request comprises a session credential; and

(o) transmitting the content to the browser if the request comprises the session credential,wherein the session credential and session certificate are valid for a predetermined length of time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for single session sign-on across multiple content servers using public/private key cryptography. Session certificates are issued by an authentication authority and stored or held in volatile memory by a browser. Session certificates are used by browsers to obtain session credentials from a session authority and stored or held in volatile memory by the browser. Use of public and private keys supports authentication and non-repudiation, and eliminates some of the disadvantages of permanent certificates and PKI.

646 Citations

18 Claims

1. In a computer system including a server system, a session authority and a plurality of content servers, a single sign-on method for enabling a client to access the plurality of content servers by single sign-on during a session, comprising:
- (a) receiving a request for content contained within one of a plurality of content servers from a browser, acting on behalf of a client;
  
  (b) determining by the content server whether the request comprises a valid session credential; and
  
  (d) transmitting the content to the browser if the request comprises a valid session credential,wherein if the request does not comprise a valid session credential, the method further comprises;
  
  (d) transmitting by the content server to the browser a challenge, the challenge comprising the name of a session authority that is used by the content server and the type of authentication required by the content server;
  
  (e) receiving by the session authority a request for the session credential from the browser, the request comprising a certificate request identification; and
  
  (f) checking by the session authority for a valid session certificate from an authenticating authority in the request for the session credential;
  
  wherein if the request received by the session authority for the session credential comprises a valid session certificate from the authenticating authority, the session authority creates and transmits to the browser for storage in non-persistent memory a session credential,wherein further if the request received by the session authority for the session credential does not comprise a valid session certificate from the authenticating authority, the method further comprises;
  
  (g) generating a second random piece of data by the session authority;
  
  (h) transmitting to the browser the second random piece of data generated by the session authority, a challenge for a session certificate and the name of the authentication authority;
  
  (i) receiving by the session authority from the browser a session certificate generated by the authentication authority, a third random piece of data generated by the browser, a signature created using a private session key that was generated by the browser as part of a public/private session key pair and applied to the second random piece of data and the third random piece of data and a request for a session credential, where the session certificate comprises the public session key, wherein further the public session key was transmitted to the authentication authority by the browser along with a request for the session certificate;
  
  (j) verifying by the session authority that the signature received from the browser is valid by using the public session key included in the session certificate;
  
  (k) extracting the identity of the user of the browser from the session certificate and creating a session credential comprising the user identity and a message authenticity code;
  
  (l) transmitting the session credential from the session authority to the browser;
  
  (m) receiving by the content server from the browser a request for the requested resource;
  
  (n) determining by the content server whether the request comprises a session credential; and
  
  (o) transmitting the content to the browser if the request comprises the session credential,wherein the session credential and session certificate are valid for a predetermined length of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the public/private session key pair is used for a single session.
  - 3. The method of claim 1, wherein the plurality of content servers transmit the name of the same session authority to a plurality of browsers.
  - 4. The method of claim 3, wherein the plurality of content servers comprise arbitrary groups of service providers.
  - 5. The method of claim 1, wherein either or both of the session credential and session certificate last only for the duration of the session and become invalid upon termination of the browser application.
  - 6. The method of claim 5, wherein either or both of the session credential and session certificate become invalid by ceasing to exist.
  - 7. The method of claim 1, wherein either or both of the session credential and session certificate last only for a limited time and become invalid upon termination of the limited time.
  - 8. The method of claim 7, wherein either or both of the session credential and session certificate become invalid by ceasing to exist.
  - 9. The method of claim 1, wherein either or both of the session credential and session certificate are held only in the RAM of the browser and cease to exist upon termination of a power-down of the client computer.

10. A computer system configured to permit a client to access a plurality of content servers through a single sign-on during a session, comprising:
- a server system in communication with a plurality of content servers;
  
  a plurality of content servers in communication with one or more session authorities; and
  
  one or more session authorities,wherein the server system is configured to receive a request for content contained within one of a plurality of content servers from a browser acting on behalf of a client and to transmit the request to the content server from which the content is requested,wherein each content server is configured to determine whether the request for content comprises a valid session credential and transmit the content to the browser if the request comprises a valid session credential, wherein if the request does not comprise a valid session credential, each content server is configured to transmit a challenge to the browser, the challenge comprising the name of a session authority that is in communication with the content server and die type of authentication required by the content server;
  
  wherein each session authority is configured to receive a request for a session credential from the browser, the request comprising a certificate request identification, and check for a valid session certificate from an authenticating authority in the request for the session credential;
  
  wherein if the request received by the session authority for the session credential comprises a valid session certificate from the authenticating authority, the session authority is configured to create and transmit to the browser for storage in non-persistent memory a session credential that can be transmitted to the content server in a request for access to the content contained in the content server,wherein further if the request received by the session authority for the session credential does not comprise a valid session certificate from the authenticating authority, the session authority is configured to;
  
  generate a second random piece of data;
  
  transmit to the browser the second random piece of data, a challenge for a session certificate and the name of the authentication authority;
  
  receive from the browser a session certificate generated by the authentication authority, a third random piece of data generated by the browser, a signature created using a private session key that was generated by the browser as part of a public/private session key pair and applied to the second random piece of data and the third random piece of data and a request for a session credential, where the session certificate comprises the public session key, wherein further the public session key was transmitted to the authentication authority by the browser along with a request for the session certificate;
  
  verify that the signature received from the browser is valid by using the public session key included in the session certificate;
  
  extract the identity of the user of the browser from the session certificate and creating a session credential comprising the user identity and a message authenticity code; and
  
  transmit the session credential to the browser, wherein the session credential can be transmitted to a content server in a request for access to the content contained in the content server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the public/private session key pair is used for a single session.
  - 12. The system of claim 10, wherein the content servers are further configured to transmit the name of the same session authority to a plurality of browsers.
  - 13. The system of claim 12, wherein the content servers comprise arbitrary groups of service providers.
  - 14. The system of claim 10, wherein either or both of the session credential and session certificate last only for the duration of the session and become invalid upon termination of the browser application.
  - 15. The system of claim 14, wherein either or both of the session credential and session certificate become invalid by ceasing to exist.
  - 16. The system of claim 10, wherein either or both of the session credential and session certificate last only for a limited time and become invalid upon termination of the limited time.
  - 17. The system of claim 16, wherein either or both of the session credential and session certificate become invalid by ceasing to exist.
  - 18. The system of claim 10, wherein either or both of the session credential and session certificate are held only in the RAM of the browser and cease to exist upon termination of a power-down of the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Skingle, Bruce James
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US10/389,526
Publication Number

US 20030177351A1
Time in Patent Office

1,845 Days
Field of Search

726/8
US Class Current

713/156
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 9/3268   using certificate validatio...

System and method for single session sign-on with cryptography

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

646 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for single session sign-on with cryptography

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

646 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links