Method for the unique authentication of a user by service providers

US 8,689,306 B2
Filed: 02/25/2008
Issued: 04/01/2014
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-based method for unique authentication of a user by at least one service provider, said method including a preliminary identity federation stage of federating an identity of said user for said service provider and an identity of said user for an identity provider, wherein said preliminary identity federation stage comprises the steps of:

a computing device of the user generating a non-masked user alias for that service provider and sending said identity provider a masked user alias deduced from said user alias;

a computing device of the identity provider associating, using a processor, said masked user alias for that service provider with the identity of the user and sending elements to the user that are based on a message containing the masked user alias;

the computing device of the user unmasking the masked user alias to get the non-masked user alias;

the computing device of the user calculating a signature of a message containing the non-masked user alias and sending the service provider said message with said signature; and

a computing device of the service provider verifying said signature, authenticating the user, and associating said non-masked user alias with the user'"'"'s identity for the service provider;

wherein said elements provided by the identity provider represent a partially blind signature of the message containing said masked user alias and the partially blind signature is masked.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for unique authentication of a user including federating an identity of said user for said service provider and an identity of the user for an identity provider, the federating including the steps of generating a user alias for that service provider and sending said identity provider a masked alias deduced from said alias, the identity provider associating said masked alias for that service provider with the identity of the user for the identity provider and sending the user elements for calculation by the user of a signature of a message containing the non-masked alias calculating said signature and sending the service provider said message with said signature, and the service provider verifying said signature, authenticating the user, and associating said alias with the user'"'"'s identity.

12 Citations

View as Search Results

5 Claims

1. A computer-based method for unique authentication of a user by at least one service provider, said method including a preliminary identity federation stage of federating an identity of said user for said service provider and an identity of said user for an identity provider, wherein said preliminary identity federation stage comprises the steps of:
- a computing device of the user generating a non-masked user alias for that service provider and sending said identity provider a masked user alias deduced from said user alias;
  
  a computing device of the identity provider associating, using a processor, said masked user alias for that service provider with the identity of the user and sending elements to the user that are based on a message containing the masked user alias;
  
  the computing device of the user unmasking the masked user alias to get the non-masked user alias;
  
  the computing device of the user calculating a signature of a message containing the non-masked user alias and sending the service provider said message with said signature; and
  
  a computing device of the service provider verifying said signature, authenticating the user, and associating said non-masked user alias with the user'"'"'s identity for the service provider;
  
  wherein said elements provided by the identity provider represent a partially blind signature of the message containing said masked user alias and the partially blind signature is masked.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method according to claim 1, further comprising, in the event of a request for service to the service provider after said preliminary identity federation stage, an authentication stage including the steps of:
    - the identity provider authenticating the user for said service provider;
      
      the identity provider searching for the masked user alias for said service provider associated with the identity of said user for said identity provider and sending elements to the user;
      
      the user calculating a signature of a message containing the non-masked user alias and sending the service provider said message with said signature; and
      
      the service provider verifying said signature, recovering the user'"'"'s identity for the service provider from the user alias, and providing the service requested by the user.
  - 3. A method according to claim 1, wherein said preliminary identity federation stage comprises the steps of:
    - by a computing device of the user;
      
      receiving from the service provider, received data that is at least one of non-confidential data M and confidential data m*,generating a user alias m of the user for that service provider, and sending said identity provider;
      
      said non-confidential data M, when said received data comprises said non-confidential data M,said user alias m in masked form;
      
      m_masked=m·
      
      g^smod p, where g and p are public elements and s an element chosen by the user, and,said confidential data m*, in masked form, when said received data comprises said confidential data m*;
      
      by a computing device of the identity provider;
      
      associating said masked user alias m_maskedfor this service provider with the identity of the user for the identity provider,calculating the elements m₀=g₁^H¹^(M)·
      
      m_masked·
      
      g₃m₀=g₁^H¹^(M)·
      
      m_masked·
      
      g₃and z₀=m₀^xmod p, where g₁and g₃are public elements, x is a private key of the identity provider associated with the public key h=g^xmod p, and H₁a hashing function,proving interactively with the user that the discrete logarithm of h to base g is equal to that of z₀to base m₀, andsending the user the partially-blind signature of a message msg=M∥
      
      m for non-confidential data, and msg=M∥
      
      m∥
      
      m* for confidential data;
      
      the method further comprising;
      
      by the computing device of the user, unmasking said partially blind signature and sending the service provider the unmasked signature with said message msg; and
      
      by the computing device of the service provider, verifying the signature, extracting the user alias m from the message msg, authenticating the user, and associating said unmasked user alias m with the identity of the user for the service provider.
  - 4. A method according to claim 3, further comprising, in the event of a request for service by the service provider after said preliminary identity federation stage, an authentication stage including the steps of:
    - the user receiving from the service provider at least one of non-confidential data M and confidential data m*, being authenticated by said identity provider for said service provider, and sending the identity provider said non-confidential data M, if present, and said confidential data m*, if present, in masked form;
      
      the identity provider searching for the masked user alias m_maskedfor this service provider associated with the identity of the user for the identity provider, calculating the elements m₀=g₁^H¹^(M)·
      
      m_masked·
      
      g₃and z₀=m₀^xmod p, where g₁and g₃are public elements, x is a private key of the identity provider associated with the public key h=g^xmod p, and H₁a hashing function, proving interactively with the user that the discrete logarithm of h to base g is equal to that of z₀to base m₀, and sending the user the partially-blind signature of a message msg=M∥
      
      m, or, where appropriate, msg=M∥
      
      m∥
      
      m*;
      
      the user unmasking said partially-blind signature and sending the service provider the unmasked signature with said message msg; and
      
      the service provider verifying said signature, recovering the user'"'"'s identity for the service provider from the unmasked user alias m extracted from the message msg, and providing the service requested by the user.
  - 5. A non-transitory computer-readable storage medium having a computer program recorded thereon, the computer program including instructions that cause a data processing device to execute a method according to claim 1 when executed on the data processing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Canard, Sbastien, Malville, Eric, Traore, Jacques, Guilloteau, Stphane
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
DE JESUS LASSAIA, CARLOS MANUEL

Application Number

US12/528,470
Publication Number

US 20100275009A1
Time in Patent Office

2,227 Days
Field of Search

726/4, 726 6- 8
US Class Current

726/8
CPC Class Codes

H04L 2209/04   Masking or blinding

H04L 63/0421   Anonymous communication, i....

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 9/3013   involving the discrete loga...

H04L 9/3257   using blind signatures

Method for the unique authentication of a user by service providers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the unique authentication of a user by service providers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links