Session key security protocol

US 7,523,490 B2
Filed: 05/15/2002
Issued: 04/21/2009
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method of securing information in a multi-site authentication system, said method comprising:

generating a message having content, said message content including authenticating information provided by a user of a client computer to a first network server, said client computer and said first network server being coupled to a data communication network;

randomly generating, by the first network server, a session key;

encrypting the message content, by the first network server, using the generated session key;

encrypting the generated session key, by the first network server, using a public key associated with a second network server selected by the user, said selected second network server also being coupled to the data communication network;

generating, by the first network server, a signature for the encrypted message content and encrypted generated session key using a private key associated with the first network server, wherein said signature includes address information for the selected second network server;

generating, by the first network server, an authentication ticket only for the selected second network server, said authentication ticket including the encrypted message content, the encrypted generated session key, and the generated signature; and

directing the client computer along with the authentication ticket from the first network server to the selected second network server, wherein the selected second network server decrypts the encrypted generated session key using a private key associated therewith, decrypts the encrypted message content of the ticket using the generated session key, and identifiesits own address information in the generated signature to validate the signature.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security protocol for use in a multi-site authentication system. After authenticating a user, an authentication server generates a ticket including information associated with the user. The authentication server encrypts content of the ticket using a symmetric key shared with an affiliate server. The affiliate server has a public key that the authentication server uses to encrypt the shared key. The authentication server has private key for creating a signature on the ticket. The affiliate server decrypts the shared key with its private key and then decrypts the content of the ticket using the decrypted shared key. The affiliate server validates the signature with the authentication server'"'"'s public key.

113 Citations

View as Search Results

16 Claims

1. A method of securing information in a multi-site authentication system, said method comprising:
- generating a message having content, said message content including authenticating information provided by a user of a client computer to a first network server, said client computer and said first network server being coupled to a data communication network;
  
  randomly generating, by the first network server, a session key;
  
  encrypting the message content, by the first network server, using the generated session key;
  
  encrypting the generated session key, by the first network server, using a public key associated with a second network server selected by the user, said selected second network server also being coupled to the data communication network;
  
  generating, by the first network server, a signature for the encrypted message content and encrypted generated session key using a private key associated with the first network server, wherein said signature includes address information for the selected second network server;
  
  generating, by the first network server, an authentication ticket only for the selected second network server, said authentication ticket including the encrypted message content, the encrypted generated session key, and the generated signature; and
  
  directing the client computer along with the authentication ticket from the first network server to the selected second network server, wherein the selected second network server decrypts the encrypted generated session key using a private key associated therewith, decrypts the encrypted message content of the ticket using the generated session key, and identifiesits own address information in the generated signature to validate the signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising transporting the authentication ticket from the first network server to the selected second network server over a privacy-enhanced protocol.
  - 3. The method of claim 1 wherein the first network server is an authentication server associated with the multi-site user authentication system and further comprising retrieving login information from the user for authenticating the user before generating the authentication ticket.
  - 4. The method of claim 3 wherein the content of the authentication ticket includes the retrieved login information.
  - 5. The method of claim 3 wherein the retrieved login information includes a login ID and a password associated with the login ID.
  - 6. The method of claim 3 further comprising comparing the login information with authentication information stored in a database associated with the authentication server to authenticate the user.
  - 7. The method of claim 1 further comprising receiving a request from the user via a browser of the client computer, said request being for a selected service to be provided by the selected second network server.
  - 8. The method of claim 1 wherein the selected second network server is a portal for providing the user with a gateway to services provided by another network server coupled to the data communication network.
  - 9. The method of claim 1 wherein the network servers are web servers and the data communication network is the Internet.
  - 10. The method of claim 1 wherein one or more computer-readable media have computer-executable instructions for performing the method of claim l.

11. A system of securing information comprising an authentication server and a plurality of affiliate servers associated with a multi-site user authentication system and coupled to a data communication network, said authentication server retrieving login information from a user of a client computer for authenticating the user requesting access to a service being provided by one of the plurality of affiliate servers, said authentication server further generating a message having content, said message content including login information associated with the user of the client computer, said authentication server generating a session key used by the authentication server for encrypting the message content, said requested affiliate server having a public key and said authentication server using the public key to encrypt the generated session key, said authentication server having a private key and said authentication server using the private key to generate a signature for the encrypted message content and the encrypted session key, said signature including address information for the requested affiliate server, said authentication server generating an authentication ticket including the encrypted message content, the encrypted session key, and the generated signature for directing the client computer to the requested affiliate server, and wherein the requested affiliate server has a private key for decrypting the encrypted generated session key, said affiliate server decrypting the content of the ticket using the decrypted generated session key and validating the signature by identifying its own address information in the signature.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11 wherein the generated session key is a randomly generated, single-use session key.
  - 13. The system of claim 11 further comprising a database associated with the authentication server, said database storing login information for comparison with the login information retrieved from the user.
  - 14. The system of claim 11 further comprising a browser of the client computer, said requested affiliate server receiving the request from the user via the browser for the requested service to be provided by the requested affiliate server.
  - 15. The system of claim 11 wherein the requested affiliate server is a portal for providing the user with a gateway to services provided by one or more network servers coupled to the data communication network.
  - 16. The system of claim 11 wherein the plurality of affiliate servers are web servers and the data communication network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guo, Wei-Quiang Michael, Chan, Kok Wai, Howard, John Hal
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US10/146,686
Publication Number

US 20030217288A1
Time in Patent Office

2,533 Days
Field of Search

713/155, 713168-171, 713/182, 713/189, 726 2- 6, 726/10, 380/281, 380/255, 380/278, 709/217, 709/225
US Class Current

726/10
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 2209/60   Digital content management,...

H04L 63/045   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/0844   with user authentication or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

Session key security protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Session key security protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others