Secure registration

US 7,356,711 B1
Filed: 05/30/2002
Issued: 04/08/2008
Est. Priority Date: 05/30/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of secure communication between first and second network servers on a data communication network, said method comprising:

receiving a request from a user of a client computer for a selected service to be provided by the second network server, said request being received at the second network server via a browser of the client computer, said client computer and said second network server being coupled to the data communication network;

initiating a transaction between the second network server and the first network server in response to the request, said first network server also being coupled to the data communication network;

said second network server;

defining a data structure associated with the transaction;

generating a digital signature of the data structure;

adding the digital signature to the data structure;

generating an index associated with the transaction, wherein the index corresponds to a value generated as a function of data associated with the transaction, the first network server, and the second network server, said value being unique to the transaction and to the first network server and to the second network server;

adding the index to the data structure; and

directing the client computer from the second network server to the first network server with the data structure and the added digital signature, wherein the first network server stores one or more indices from previous transactions in a memory area, and wherein the first network server compares the index in the data structure received from the client computer against the stored indices to prevent a replay attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure site-to-site transactional communication between at least two network servers coupled to a data communication network, including secure registration by an authentication server associated with a multi-site user authentication system. A network server receives a request via a browser f of a client computer. In response, the network server initiates a transaction with the authentication server and defines a data structure, such as a query string, associated with the transaction. The network server also generates a digital signature of the data structure and then adds it to the data structure before directing the client computer from the network server to the authentication server with the data structure and the added digital signature. The network server also adds an index to the data structure. The index is associated with the transaction and unique, per transaction, to the network server initiating the transaction.

125 Citations

View as Search Results

41 Claims

1. A method of secure communication between first and second network servers on a data communication network, said method comprising:
- receiving a request from a user of a client computer for a selected service to be provided by the second network server, said request being received at the second network server via a browser of the client computer, said client computer and said second network server being coupled to the data communication network;
  
  initiating a transaction between the second network server and the first network server in response to the request, said first network server also being coupled to the data communication network;
  
  said second network server;
  
  defining a data structure associated with the transaction;
  
  generating a digital signature of the data structure;
  
  adding the digital signature to the data structure;
  
  generating an index associated with the transaction, wherein the index corresponds to a value generated as a function of data associated with the transaction, the first network server, and the second network server, said value being unique to the transaction and to the first network server and to the second network server;
  
  adding the index to the data structure; and
  
  directing the client computer from the second network server to the first network server with the data structure and the added digital signature, wherein the first network server stores one or more indices from previous transactions in a memory area, and wherein the first network server compares the index in the data structure received from the client computer against the stored indices to prevent a replay attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the data structure includes a unique identifier and return location associated with the second network server.
  - 3. The method of claim 1 wherein the data structure comprises a query string contained in a uniform resource locator (URL) and wherein the digital signature is added to the query string as a query string parameter.
  - 4. The method of claim 1 wherein the second network server adds the digital signature to the data structure before directing the client computer to the first network server.
  - 5. The method of claim 1 wherein generating the digital signature comprises encrypting the data structure, by the second network server, using a shared key.
  - 6. The method of claim 1 further comprising decrypting the encrypted data structure, by the first network server, and comparing the signature to the decrypted data structure to determine if the signature is valid.
  - 7. The method of claim 6 further comprising aborting the transaction if the signature is not valid.
  - 8. The method of claim 1 wherein the data structure comprises a query string contained in a URL and wherein the index is added to the query string as a query string parameter.
  - 9. The method of claim 1 further comprising recording the transaction and the index in the memory area if the index does not match any of the stored indices in the memory area.
  - 10. The method of claim 1 further comprising aborting the transaction if the index is already present in the memory area.
  - 11. The method of claim 1 wherein the first network server is an authentication server associated with a multi-site user authentication system and wherein the index is representative of login information retrieved from the user for authenticating the user.
  - 12. The method of claim 11 wherein the retrieved login information includes a login ID and a password associated with the login ID.
  - 13. The method of claim 1 wherein the second network server initiates the transaction in response to the request from the user of the client computer.
  - 14. The method of claim 1 wherein the client computer is directed between the first and second network servers according to a hypertext transfer protocol.
  - 15. The method of claim 1 wherein one or more computer storage media have computer-executable instructions for performing the method of claim 1.

16. A system of secure communication between first and second network servers coupled to a data communication network, said system comprising the second network server, said second network server receiving and responsive to a request from a user of a client computer to provide a selected service, said second network server receiving the request via a browser of the client computer, said second network server initiating a transaction with said first network server in response to the request and defining a data structure associated with the transaction, said second network server further generating a digital signature of the data structure and generating an index associated with the transaction, wherein the index corresponds to a value generated as a function of data associated with the transaction the first network server and the second network server, said value being unique to the transaction and to the first network server and to the second network server, said second network server further adding the digital signature and the index to the data structure whereby the client computer is directed from the second network server to the first network server with the data structure and the added digital signature, wherein the first network server stores one or more indices from previous transactions in a memory area for comparison with the index from the data structure received from the client computer to prevent a replay attack.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The system of claim 16 wherein the data structure includes a unique identifier and return location associated with the second network server.
  - 18. The system of claim 16 wherein the data structure is a query string contained in a uniform resource locator (URL) and wherein the digital signature is added to the query string as a query string parameter.
  - 19. The system of claim 16 wherein the first and second network servers share an encryption key and wherein the second network server generates the digital signature by encrypting the data structure using the shared key.
  - 20. The system of claim 16 wherein the first network server determines if the signature is valid by decrypting the data structure and comparing the signature to the decrypted data structure.
  - 21. The system of claim 20 wherein the first network server aborts the transaction if the signature is not valid.
  - 22. The system of claim 16 wherein the first network server compares the index to the stored indices and records the transaction and the index if the index does not match any of the stored indices in the memory area and aborts the transaction if the index is already present in the memory area.
  - 23. The system of claim 16 wherein the first network server is an authentication server associated with a multi-site user authentication system and wherein the index is representative of login information retrieved from the user for authenticating the user.
  - 24. The system of claim 23 wherein the retrieved login information includes a login ID and a password associated with the login ID.
  - 25. The system of claim 16 wherein the client computer is directed between the first and second network servers according to a hypertext transfer protocol.

26. A method of secure registration by an authentication server associated with a multi-site user authentication system, said method comprising:
- receiving a request from a user of a client computer for access to a network server, said request being received at the network server via a browser of the client computer, said client computer, network server, and authentication server being coupled to a data communication network;
  
  said network server;
  
  initiating a registration transaction between the network server and the authentication server in response to the request for registering the user of the client computer for access to the network server;
  
  defining a query string associated with the registration transaction;
  
  generating a digital signature of the query string;
  
  adding the digital signature to the query string as a query string parameter;
  
  generating an index associated with the transaction, wherein the index corresponds to a value generated as a function of data associated with the transaction, the first network server, and the second network server, said value being unique to the transaction and to the authentication server and to the network server;
  
  adding the index to the data structure; and
  
  directing the client computer from the network server to the authentication server with the query string and the added digital signature, wherein the authentication server stores one or more indices from previous registration transactions in a memory area, and wherein the authentication server compares the index from the data structure received from the client computer against the stored indices to prevent a replay attack.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 27. The method of claim 26 wherein the query string includes a unique identifier and a return uniform resource locator (URL) associated with the network server.
  - 28. The method of claim 26 wherein generating the digital signature comprises encrypting the data structure, by the network server, using an encryption key shared with the authentication server.
  - 29. The method of claim 26 further comprising decrypting the encrypted data structure, by the authentication server, and comparing the signature to the decrypted data structure to determine if the signature is valid.
  - 30. The method of claim 26 further comprising recording the registration transaction and the index in the memory area if the index does not match any of the stored indices in the memory area.
  - 31. The method of claim 26 further comprising aborting the registration transaction if the index is already present in the memory area or the signature is not valid or both.
  - 32. The method of claim 26 wherein the index is representative of login information retrieved from the user for authenticating the user.
  - 33. The method of claim 32 wherein the retrieved login information includes a login ID and a password associated with the login ID.
  - 34. The method of claim 26 wherein the client computer is directed between the network server and the authentication server according to a hypertext transfer protocol.
  - 35. The method of claim 26 wherein one or more computer storage media have computer-executable instructions for performing the method of claim 26.

36. One or more computer storage media having stored thereon a data structure comprising:
- a first data field containing data representing a query string, said query string being associated with a transaction between at least two network servers and a client computer coupled to a data communication network;
  
  a second data field containing data representing a first query string parameter added to the query string, said first query string parameter comprising a digital signature of the query string; and
  
  a third data field containing data representing a second query string parameter added to the query string, said second query string parameter comprising an index associated with the transaction, wherein the index corresponds to a value generated as a function of data associated with both of the network servers and with the transaction, wherein the value is unique to both of the network servers and to the transaction, wherein one of the network servers directs a client computer from said one of the network servers to the other network server with the data structure, wherein said other network server stores one or more indices from previous transactions in a memory area, and wherein said other network server compares the index from the third field in the data structure against the stored indices to prevent a replay attack.
- View Dependent Claims (37, 38, 39, 40, 41)
- - 37. The computer storage media of claim 36 wherein the data structure comprises a uniform resource locator (URL).
  - 38. The computer storage media of claim 37 wherein the query string includes data representing a unique identifier and return URL associated with the network server initiating the transaction.
  - 39. The computer storage media of claim 36 wherein digital signature comprises the query string encrypted by an encryption key shared by the network servers.
  - 40. The computer storage media of claim 36 wherein one of the network servers is an authentication server associated with a multi-site user authentication system and wherein the index includes data representative of login information retrieved from the user for authenticating the user.
  - 41. The computer storage media of claim 40 wherein the retrieved login information includes a login ID and a password associated with the login ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
McQuillan, Gilbert M., Nagvekar, Sanjeev M., Steinbok, Jeff, Jiang, Wei, Guo, Wei-Quiang Michael, Calinov, Iulian D., Peterson, Christopher N., Zhang, Danpo
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Okoronkwo; Chinwendu C

Application Number

US10/158,376
Time in Patent Office

2,140 Days
Field of Search

726/2, 726 4- 6, 726 17- 19, 726/27
US Class Current

713/180
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Secure registration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Secure registration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links