US20040054898A1 - Authenticating and communicating verifiable authorization between disparate network domains - Google Patents

Authenticating and communicating verifiable authorization between disparate network domains Download PDF

Info

Publication number
US20040054898A1
US20040054898A1 US10229693 US22969302A US2004054898A1 US 20040054898 A1 US20040054898 A1 US 20040054898A1 US 10229693 US10229693 US 10229693 US 22969302 A US22969302 A US 22969302A US 2004054898 A1 US2004054898 A1 US 2004054898A1
Authority
US
Grant status
Application
Patent type
Prior art keywords
user
internet site
digitally signed
digital signature
according
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10229693
Inventor
Li-Lung Chao
Brian Goodman
James Kebinger
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/68Special signature format, e.g. XML format

Abstract

Verifiable authentication credentials are provided to foreign systems without passing an id and password to the protected resource. A user wishing to access a secure remote site is prompted for credentials, the credentials are authenticated locally and a digitally signed token is created. The token is redirected to the secure remote site by the user's browser using HTTP redirection. The digitally signature is verified by the secure remote site preferably by a digital signature web service. The remote site establishes communications with the user if the digital signature is valid.

Description

    FIELD OF THE INVENTION
  • The present invention is related to systems, program products and methods for secure computer data sharing, more particularly to authorizing communication with a secure entity in an Internet network. [0001]
  • BACKGROUND OF THE INVENTION
  • FIG. 1 depicts the elements that make up a typical computer for use in presenting and maintaing an application. The computer [0002] 100 consists of a Base Computer 101 which comprises a processor 106, storage media such as a magnetic disk 107 and a high speed volatile main memory 105. An operating system and application programs 111 reside on the storage media 107 and are paged into main memory 105 as needed for computations performed by the processor 106. The Base computer may include optional peripheral devices including a video display 102, a printer or scanner 110, a keyboard 104, a pointing device (mouse) 103 and a connection 108 to a network 109. In a client environment, a user will interact with a (Graphical User Interface) GUI by use of a keyboard 104 and mouse 103 in conjunction with the display of information on the display 102 under control of an application program (application 1) 112. The client application program 112 will then interact with remote users by way of the network 109.
  • In FIG. 2 an example Internet system is shown. A user [0003] 210 at client 1 201 uses applications on his system. This user (user 1 210) at client 1 201 can interact with clients 2-4 202-204 by way of a client server computer 206. Applications 112 may be provided by each client 201-205 and or the client server 206 or some remote server 208 by way of the network 207. The user at client 1 201 can interact with a remote user (user 5 211) at client 5 205 by way of the Internet 207.
  • One way that computers interact via networks such as the Internet is using the HyperText Transfer Protocol (HTTP) open standard designed by the World Wide Web Consortium (W3C) and standardized as Internet Engineering Task Force (IETF) RFC [0004] 2616. It is an intentionally simple and open protocol that is implemented across many heterogeneous computer systems.
  • An “HTTP Redirect” is a mechanism in which an HTTP Server can indicate to the user-agent that further action is needed to fulfill the request. A simple example is a resource moving to a different location. The original server can provide a pointer to the new location of the resource, and can further indicate that the pointer is intended to be permanent or temporary. [0005]
  • “Encoding” is the formatting of data according to a standard format. Base64 encoding (described in IETF RFC [0006] 1521) is a way of representing an arbitrary binary stream as the lower 65 characters in the ASCII alphabet. “URL Encoding” is a way in which strings meant to represent the arbitrary characters to which a given universal resource locator (URL) can be mapped within the bounds of the allowed url-safe subset of the ASCII alphabet.
  • “Encryption” is the act of encoding a file to prevent any person but the intended recipient(s) from reading it. “Hashing” is the act of applying a one way function to generate a fixed length value from an input of arbitrary size. The output of the hash function is useful for determining if content has been altered. “MD5” and “SHA” are some popular example hashing algorithms. “Signing” (also known as “digital signing”) combines encryption with hashing to generate a representation of an object that can be proven to have been generated only by the sender. Digital Signature Standard (DSS) by Federal Information Processing Standards Publication 186 (May 19, 1994) and can be found at www.itl.nist.gov/fipspubs/fip186.htm. [0007]
  • “Extensible Markup Language” (XML) is an open standard from the W3C. XML is a standard way of presenting information such that the content describes itself. It is both human and machine readable. The format of a XML document can be specified externally, and document can be validated against these external specifications. [0008]
  • A “remote procedure call” is a way in which one computer can ask a second computer to perform an operation on some given input on its behalf and return the result. A World Wide Web (web) service is a remote procedure call that is encoded in XML and can be transported over HTTP as well as other mediums. Popular Web service protocols are SOAP and XML-RPC. [0009]
  • In the context of computer security, “authentication” and “authorization” are two different processes. Authentication is the process of establishing the identity of a client. Authorization is the process of taking the confirmed identity of a client and determining if that client is allowed to perform the requested actions. [0010]
  • User authentication and authorization are some of the fundamental security concerns of enterprise computing. Management of user access to resources within an enterprise becomes increasingly difficult as the number of resources grows particularly if the access of users must be managed at the individual resource. The user takes on an increasing burden if he/she must remember a long list of different user identity and password combinations in order to access a large number of resources. Significantly, the longer the list gets, the more chance there is that the user will begin to insecurely store such passwords and inadvertently cause a security breach. [0011]
  • Centralizing the administration of user id and passwords provides an enormous benefit to an enterprise of even a small size. For example when an employee separates from the enterprise, the access formerly granted to that user can be centrally and instantly revoked. A given user can use the same id and password to login at every site that chooses to allow him or her access. In a system like this, when the user attempts to use a given resource, the user is prompted for a user id and password, which is forwarded by the resource to a central user id and password repository which will confirm the validity of the entered user identity and password combination. LDAP and Microsoft Windows networking are examples of such systems. [0012]
  • Having a central ID and password store is a big leap, but there is still a vulnerability in the system. Computers on the network are trusted with the handling of sensitive passwords. A rogue computer could be configured to log or otherwise improperly disseminate the passwords of each user that logs in to that system. Another solution is to have a trusted central authority that will be the only system to handle password related information. The trusted system then needs a way to notify the individual resources of the confirmed identity of a given resource. Microsoft Passport and DCE/kerberos-like systems are examples of this kind of central authentication systems. [0013]
  • The prior descriptions of the various enterprise security schemes are simplified to only encompass authentication. Security systems typically retrieve authorization information along with the authentication information. [0014]
  • SUMMARY OF THE INVENTION
  • The present invention (IIPX) teaches a system for authenticating a user without passing an id and password to the protected server. A client browser presents an authentication prompt to the user. The user provides their credentials. The server processes the authentication request resulting in a digitally signed token. The token is then sent to the target server. The target server receives the token and requests signature verification from the originating client. [0015]
  • It is therefore an object of the present invention to provide user access to a remote secure server wherein a user's credentials are checked at a first server and a digitally signed token is sent to the remote secure server, the remote secure server decodes the digitally signed token to confirm authenticity. [0016]
  • It is a further object of the present invention to provide a method for transmitting an authenticated verifiable identity token, transparently to the user, via HTTP [0017] 301 URL redirection.
  • It is another objective of this present invention to provide a means to communicate across disparate networks using HTTP [0018] 301 URL redirection.
  • It is a further objective of the present invention to provide a method for using digital signatures to maintain URL integrity in a networked environment. [0019]
  • It is still a further objective of the present invention to provide a method for generating and mapping authentication challenges via unique “resource identifying” codes. [0020]
  • It is still a further objective of the present invention to provide a means of expiring digitally signed tokens (XML/Document/Messages). [0021]
  • The above as well as additional objectives, features, and advantages of the present invention will become apparent in the following written description.[0022]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram depicting example components of a computer system; [0023]
  • FIG. 2 is a diagram depicting example components of a client-server network; [0024]
  • FIG. 3 is a diagram depicting example components of the invention; [0025]
  • FIG. 4 depicts an example flow diagram depicting creating a digitally signed token according to the present invention; [0026]
  • FIG. 5 is an example flow diagram depicting verifying the digitally signed token at a secure server; [0027]
  • FIG. 6 is a flow diagram representing major events of the present invention; [0028]
  • FIG. 7 is a flow diagram representing credential authentication; [0029]
  • FIG. 8 is a flow diagram representing digital signature creation; [0030]
  • FIG. 9 is a flow diagram representing verification of the digitally signed token; and [0031]
  • FIG. 10 is a representation of a login display for accessing a remote secure server.[0032]
  • DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • The present invention provides a method for securely accessing a secure remote server (preferably a web server) without passing authentication credentials to the remote server. The example system employing the present invention is herein called “IIPX” or IBM Intranet Password External. [0033]
  • In the preferred embodiment (referring to FIG. 3), IIPX comprises an LDAP directory [0034] 303, authentication/redirection application 302, a client web browser 301, a disparate web site 304 and a digital signature verification service 305.
  • The LDAP directory [0035] 303 provides a means for storing information pertaining to entities in an organization. It is a digital network name and address book. The LDAP directory 303 provides:
  • 1. Ability to store, retrieve, edit, organize entity information in an efficient manner; and [0036]
  • 2. Ability to provide a central store of authentication, such as, user id/password or digital certificates. [0037]
  • The authentication/redirection application [0038] 302 is comprised of a web application (dynamic HTML). The authentication/redirection application runs on a computer system similar to the one shown in FIG. 1 wherein an application resides in storage 105 to be executed in processor 106. The application provides:
  • 1. Authentication checks to the LDAP directory; [0039]
  • 2. XML document creation; and [0040]
  • 3. Digital signing and dynamic URL redirection. [0041]
  • The client web browser [0042] 301, also running in a user's computer as taught in FIG. 1, is an application for viewing web technologies, such as HTML, DHTML, JavaScript, VBScript and Java Applets. The client web browser also provides the ability to submit content to remote servers by way of a network (preferably the Internet 207). The client browser application 301 provides:
  • 1. Submitting authentication credentials; [0043]
  • 2. Connecting to servers securely using SSL; and [0044]
  • 3. Following redirection prompts as provided by web servers. [0045]
  • The disparate web site [0046] 304 is any web site that requires authentication but does not have access the user's authentication server. The disparate web site 304 is a set of applications running on a computer similar to the one shown in FIG. 1 and provides:
  • 1. Protected content or services; [0047]
  • 2. Receives signed token from authentication/redirection application; and [0048]
  • 3. Makes necessary calls to the digital signature validation service to verify tokens. [0049]
  • In the preferred embodiment the signature validation service [0050] 305 is part of the originating entity providing a secure interface for remote systems to request token verification. A secured connection preferably uses SSL encryption to establish trusted connections between two machines.
  • In a preferred embodiment, a web browser client [0051] 301 communicates to the authentication/redirection Server 302 via a secure URL specifying a desired vendor. A secured web site uses SSL encryption to establish trusted connections between two machines. Most web browsers provide this technology transparently to the end user 308. Often a pad-lock icon FIG. 10 1005 indicates when the HTTP communication is secured.
  • The data store [0052] 303, such as a database, flat file or memory is maintained with vendor ids and the specific requirements of the vendor (remote secure server) login. In this case the vendor ID indicates which HTML form to present to the user 308 via the browser 301. In one embodiment, each remote secure website 304 has a unique HTML prompt form which is dynamically presented to the user 308 when he selects a remote secure service 304. In another embodiment, the vendor ID prompts an HTTP 401 challenge (see FIG. 4). The data can be entered in many different ways, however, a web based interface is preferred. This interface provides an HTML form to allow for the creation and association of the vendor code and authentication method.
  • Based on the vendor ID, the authentication/redirection server [0053] 302 supplies an HTML web page to prompt the client 301 for login information. In a preferred embodiment, this authentication prompt is customized based on the vendor ID. The user 308 of the web browser 301 enters their authentication credentials. The user 301 (or optionally the user's organization) in one embodiment, also provides other information to be incorporated into the authentication token. Upon receiving the login request, the authentication/redirection server 302 checker checks the credentials. If the credentials are OK, an authorizer authorizes user access, the authentication redirection server 302 then generates an XML based token (reference example Table 1) which may include personal information such as first name, last name, address or employee number.
    TABLE 1
    Sample XML token.
    <SignonRequest vendor=“ABC123”>
    <Name>
    <LastName>Smith</LastName>
    <FirstName>John Q.</FirstName>
    </Name>
    <EmployeeID>
    <CountryCode>us</CountryCode>
    <SerialNumber>123456</SerialNumber>
    </EmployeeID>
    <EmailAddress>chao@us.ibm.com</EmailAddress>
    <TimeStamp>2002.07.17 15:38:46 GMT</TimeStamp>
    <Expiration>2002.09.11 15:38:46 GMT</Expiration>
    </SignonRequest>
  • The XML token optionally includes a time-to-live field representing the time during which the token is valid. The authentication/authorization application [0054] 302 then uses a signature generator to digitally signs the XML token. The token, reference example token in Table 1, is BASE64 encoded and URL encoded. The result is shown in Table 2. The server then redirects the client web browser transmitter to transmit the resulting request to the remote vendor's server 304 using HTTP URL redirection. The vendor's server 304 receives the token and digital signature as CGI variables. CGI variables are a means for passing name and value pairs to applications running in a web server. The vendor application communicates to a verification service 305 to check the token validity. The verification service 305 checks the originating digital signature against the signature and XML token provided by the remote server 304. It 305 further checks that the token has not been checked before and that the token has not timed out. The verification services 305 returns an indication of the token's validity “YES/NO/ERROR” to the remote vendor server 304.
    TABLE 2
    Sample HTTP 301 for user “John Q. Smith”
    http://ww.remote-server.com/remote-login?SiteID=IBM& msg=
    PFNpZ25vblJ1cXVlc3QgdmVuZG9yPSJBQkMxMjMiPjxOYW1lPjxMYXN0TmFtZT5Z
    ZWFnZXI8L0xh%0D%0Ac3ROYW1lPjxGaXJzdE5hbWU%2BS3JpC3RlbjwvRmlyc3RO
    YW1lPjwvTmFtZT48RW1wbG95ZWVJRD48%0D%0AQ291bnRyeUNvZGU%2BdXM8L0Nv
    dW50cnlDb2RlPjxTZXJpYWxOdW1iZXI%2BQzAwMzk3MzwvU2VyaWFs%0D%0ATnVt
    YmVyPjwvRW1wbG95ZWVJRD48RW1haWxBZGRyZXNzPmtyaXN0ZW4ueWVhZ2VyQGdh
    bGlsZW8u%0D%0AY29tPC9FbWFpbEFkZHJlc3M%2BPFRpbWVTdGFtcD4yMDAyLjA1
    LjE3IDEzOjA5OjU1IEdNVDwvVGlt%0D%0AZVN0YW1wPjxFeHBpcmF0aW9uPjIwMD
    IuMDUuMzEgMTM6MDk6NTUgR01UPC9FeHBpcmF0aW9uPjwv%0D%0AU2lnbm9uUmVx
    dWVzdD4%3D&
    sig=
    ANTy5kFaTOO73uAF9LD%2FvKHl3mWbgtiTMWDu%2B7mGLcbEXhNlyT%2F9zsRHZ2
    mz5ANAtsXcE9Ov0FHL%0D%0A%2B1JlaNwTQyIIILdefVmifYsQCEnaRnncZCBPt6
    lF0ieh%2FnNqEiQoC7YDniGzrMQ4L%2FEj3j6SQNr9%0D%0AXQyGNvnCq%2FoHpR
    hNouk%3D
  • In a preferred embodiment, digital signatures and XML tokens would be represented using Base-64 and URL encoding as exemplified in table 2. [0055]
  • In the example that follows, James is trying to access a travel web site from within his company's intranet. James [0056] 308 begins his web travels using his HTML browser 301. The starting URL is hosted on the corporate secure web site 304.
  • Referring to FIG. 6, James' browser [0057] 301 requests a login web page FIG. 10 for the secure site. At 601, login request is directed to the authentication server 302 which preferably dynamically builds an HTML form, customized for the requested site. At 602, authentication server returns the HTML form to James' browser. The web page begins with some information about the external vendor web site, but also prompts him for his username and password. The login form is customized to the style of the external travel web site. This customization was determined by the vendor code maintained by James' company. It provides the unique design of the travel web site while clearly indicating that James can use his intranet password to login. James will use his common authentication password stored in the corporate LDAP directory.
  • At [0058] 603, James enters his ID 1002 and Password 1003 and hits the “Submit” button 1004. When James presses the submit button on the HTML form, his user name and password are sent at 604 to the authentication/authorization 302 to verify his credentials.
  • When the authentication server [0059] 302 receives his credentials at FIG. 7 701, the authentication server 302 makes a connection to the corporate LDAP directory at 702. The corporate LDAP directory is like a phone book. It stores information about individuals in a organization. Two of the fields it stores is a user's user name and password. The web server requests verification that James has entered the appropriate user name and password for his LDAP entry. If there is an error, James is prompted as such. In this case James has provided the correct credentials and the LDAP check is successful at 703.
  • As with many useful web sites, the external travel web site [0060] 304 needs personal information about James. In the case of his company, they have opted to provide that on James' behalf at 605. The web server queries the LDAP server 704 for James' first name, last name, employee ID and e-mail address. Referring to FIG. 8, 606 the web server builds an XML document at 801 containing this personal information. It adds three more parts, the vendor's ID, a time stamp as to when the packet was created and an expiration time. The expiration time will indicate as to when this XML document is to be treated as invalid.
  • Having created the XML document the web server digitally signs the XML packet at [0061] 802. This process is done through technology, applications and code well known in the art.
  • At [0062] 803, the web server now builds the HTTP 301 URL redirect with the digital signature and XML packet. The XML packet is BASE64 encoded and URL encoded to preserve the content while making it URL compliant (Table 2). The web server sends the redirection URL back to James' HTTP browser at 804.
  • Most common browsers automatically follow URL redirect from web servers [0063] 607. Other browsers simply state that the resource requested has moved please look to the following URL to find it. In this case, James' web browser receives the URL redirect and automatically follows the new URL 607. Because James has configured his browser correctly, the URL redirection seamlessly points him at the external travel web site 304.
  • The external travel web site [0064] 304 has a special URL for employees from James' company. Referring to FIG. 9, at 901 the redirection URL points there. At 902, the travel web site receives James' HTTP request. Name and value pairs are passed via the URL format. As seen in Table 2, the web server is able to identify the digital signature and the XML token. The travel web site now has these two parts but still needs to validate the token.
  • The travel web server first BASE64 decodes the XML packet (Table 2) and looks at the vendor ID to make sure it was intended for them. The travel web server optionally checks to see if the XML packet has already expired via the expiration time stamp. If the packet is still viable then the web site makes a connection back to James' company. [0065]
  • James' company runs a signature verification service [0066] 305. In another embodiment, the validation service is provided by any trusted party. The service validates digital signatures for data that has been previously signed. In this scenario it will be validating digital signatures of XML documents. At 903, the travel web site makes a request for validation.
  • At [0067] 904, the verification service recieves the request form the travel web site. The request contains the digital signature and the XML document. The verification service checks to see that the XML document has not expired at 906. If it has, it returns that result to the travel web site. Otherwise, the verification service keeps a record of each XML token it receives in storage, such as memory, database or hard disk. It removes them from storage after the XML token's expiration time has been reached. By storing previous tokens for a period of time, at 905 the verification system can determine if a requested token has already been processed. One of the ways to further secure the system, the time to store each token is determined based on the expiration of each token. Retaining the token until expiration renders the XML document useless in future requests.
  • Assuming the XML token is still timely it signs the XML document. At [0068] 907, the verification service then compares the signature it created with the signature that the travel web site presented as part of the verification request. If they do not match the result is returned to the travel web site. If they match then a positive result is returned at 908 to the travel web site.
  • As shown at [0069] 609, the external travel web site receives the results from the verification service. If the results are negative then it presents an HTML page to James' HTTP browser to alert him of the condition. If the result is positive the travel web site uses the personal data in the XML token to provide a customized web page to be sent back to James' HTTP browser 301. While there are many steps to this process, James experienced a quick and seamless end-to-end response. As far as James was concerned he logged in from inside his company and was transparently transported to an external web site that had personal information about James for an enhanced user experience.
  • All the network connections in the preferred embodiment use SSL to encrypt transactions. While the external web site verifies authentication and authorization via the digital signature service, it is possible for network communications to be compromised. One way would be to capture the redirect URL and attempt to use it to replay the series of events. If no extra security precautions were taken it would be feasible for an eavesdropper to obtain a URL that was not theirs and therein access web sites as someone else. [0070]
  • Referring to FIG. 3, Firewalls [0071] 306, 307 act as barriers on a network. They often delineate the internal “Intranet” and the external “Internet”. They are often used to keep bad traffic out. Bad traffic is considered unsolicited network connections. However, firewalls 306, 307 also keep network traffic in. Intranets often can access the Internet, but the Internet is usually prevented from accessing the Intranet. Usually these unwanted communications are perpetrated by hackers. Firewalls 306, 307 also regulate what kind of network activity can leave the network. Firewalls 306, 307 provide the management at the network layer defining and enforcing which types of connections are to be permitted. In the preferred embodiment the connection traverses the firewall using HTTP URL redirection. HTTP/HTTPS is a common protocol allowed through most firewalls. URL redirection is a preferred method for indirectly traversing disparate networks.
  • To review the preferred embodiment functionality, refer to FIG. 4. The user [0072] 308 views an HTML page on his browser running on his client machine 301. When the user 308 wishes to go to the secure remote site (customer site) 304, he is presented with an HTML page FIG. 10 1000 prompting him for his Password and ID (his credentials). The browser is pointing to an internal server 402, which is preferably the authentication/redirection server 302. The user enters the information and submits the request as shown in step 1. The authentication server 302 running an intranet password servlet 401 user checker, checks the user's credentials (step 2) against the LDAP directory 303 (the authenticator program retrieves LDAP user credentials). The authentication server 302 creates an XML document (a token generator generates a token message) and digitally signs it (step 3). The authentication server 302 then (step 4) uses a redirection creator to create an “HTTP 302” redirection message and by way of a redirect communicator routine, returns the “HTTP 302” containing generated redirect URL query strings to the browser 301. The browser is redirected at 402 to the customer site 304. In step 5 the signed XML is sent to the customer site 304 over secure socket layer.
  • Referring to FIG. 5, a secure remote server “customer site” [0073] 304 receiver receives the signed request token and the secure site server's signature sender sends an SSL request (step 6) comprising the signed token via network dispatcher 505 to a digital signature verification web service 305. The web service signature validity receiver receives the token and the digital signature verifier verifies the token (step 7) and returns an indicator of the validity (True/False/Error) to the Secure customer site. The Secure site 304 session establisher establishes a session with the user (step 8) if the token verification was successful.
  • While the preferred embodiment has been described comprising a corporate business site servicing many users, it should be apparent to one skilled in the art that other variations exist. For instance, an another embodiment, the digital signature verification service [0074] 305 is a separate entity from the authentication/redirection server 302. In such an environment, groups or individuals acquire digital signature components that are instantiated in the separate digital signature verification service 305. For example, a user wishing to have access to a remote web site 304 opens a security generating web page. The web page comprises HTML code for communicating with the Digital Signature Verification service 305, supplying identifying information and optionally paying fees. The Verification service 305 provides a private key to the user which is used by the user's authentication redirection server to generate a digital signature for the user's token. The digital verification service 305 associates the user's token with a unique private key for digital signature generation and verification.
  • In another embodiment, the digital signature verification service [0075] 305 supports multiple private keys, one or more private keys are associated (preferably by table lookup) with individual remote web sites 304. In another embodiment, multiple private keys are associated with more granular elements such as user ID, subgroup ID (Corporate Department), Project ID (associating a private key with an ID shared by users having similar authority) and the like.
  • While the preferred embodiment of the invention has been illustrated and described herein, it is to be understood that the invention is not limited to the precise construction herein disclosed, and the right is reserved to all changes and modifications coming within the scope of the invention as defined in the appended claims. [0076]

Claims (30)

    What is claimed is:
  1. 1. A method for a user to access a secure Internet site, the method utilizing user credential data and other user data, the method comprising the steps of:
    checking user credential data according to a first predetermined plan;
    authorizing said user to access a secure Internet site if said user credentials permit;
    creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
    transmitting said digitally signed request to said secure Internet site.
  2. 2. The method according to claim 1 wherein said Internet site comprises world wide web pages.
  3. 3. The method according to claim 1 comprising the further steps of:
    providing a web page to a client browser, said web page prompting said user for identification information; and
    using said identification information to retrieve user credentials.
  4. 4. The method according to claim 3 wherein the providing step further comprises the step of dynamically generating said web page based on identifying information associated with said secure site.
  5. 5. The method according to claim 4 wherein said dynamically generating step further comprises an authentication prompt.
  6. 6. The method according to claim 1 further comprising the steps of:
    receiving said digitally signed request at said secure Internet site;
    verifying the validity of said digitally signed request; and
    establishing a communication session with said first user if said digitally signed request is valid.
  7. 7. The method according to claim 6 wherein said verifying step comprises the further steps of:
    sending said digital signature to a digital signature verification service at a verification Internet site; and
    receiving an indication of the validity of said digital signature from said verification Internet site.
  8. 8. The method according to claim 1 wherein said checking user credentials step further comprises the steps of:
    checking said user credentials against data in a common directory;
    creating token message;
    creating a redirect URL to the secure Internet site; and
    communicating the redirect URL to a user browser.
  9. 9. The method according to claim 8 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  10. 10. The method according to claim 8 wherein said redirect URL is digitally signed.
  11. 11. A system for a user to access a secure Internet site, the system utilizing user credential data and other user data, the system comprising:
    a checker checking user credential data according to a first predetermined plan;
    an authorizer authorizing said user to access a secure Internet site if said user credentials permit;
    a signature generator creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
    a transmitter transmitting said digitally signed request to said secure Internet site.
  12. 12. The system according to claim 11 wherein said Internet site comprises world wide web pages.
  13. 13. The system according to claim 11 further comprising:
    a web page provider providing a web page to a client browser, said web page prompting said user for identification information; and
    an authenticator using said identification information to retrieve user credentials.
  14. 14. The system according to claim 13 wherein the web page provider further dynamically generates said web page based on identifying information associated with said secure site.
  15. 15. The system according to claim 14 wherein said web page provider dynamically generates an authentication prompt.
  16. 16. The system according to claim 11 further comprising:
    a receiver receiving said digitally signed request at said secure Internet site;
    a digital signature verifier, verifying the validity of said digitally signed request; and
    a session establisher establishing a communication session with said first user if said digitally signed request is valid.
  17. 17. The system according to claim 16 wherein said digital signature verifier further comprises:
    signature sender sending said digital signature to a digital signature verification service at a verification Internet site; and
    a signature validity receiver receiving an indication of the validity of said digital signature from said verification Internet site.
  18. 18. The system according to claim 11 wherein said checker further comprises:
    a user checker checking said user credentials against data in a common directory;
    a token generator creating token message;
    a redirection creator creating a redirect URL to the secure Internet site; and
    a redirect communicator communicating the redirect URL to a user browser.
  19. 19. The system according to claim 18 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  20. 20. The system according to claim 18 wherein said redirect URL is digitally signed.
  21. 21. A computer program product for a user to access a secure Internet site, the computer program product utilizing user credential data and other user data, the computer program product comprising a computer readable medium having computer readable program code therein, the computer program product comprising:
    computer readable program code for checking user credential data according to a first predetermined plan;
    computer readable program code for authorizing said user to access a secure Internet site if said user credentials permit;
    computer readable program code for creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
    computer readable program code for transmitting said digitally signed request to said secure Internet site.
  22. 22. The computer program product according to claim 21 wherein said Internet site comprises world wide web pages.
  23. 23. The computer program product according to claim 21 further comprising:
    computer readable program code for providing a web page to a client browser, said web page prompting said user for identification information; and
    computer readable program code for using said identification information to retrieve user credentials.
  24. 24. The computer program product according to claim 23 wherein the web page provider further dynamically generates said web page based on identifying information associated with said secure site.
  25. 25. The computer program product according to claim 24 wherein said web page provider dynamically generates an authentication prompt.
  26. 26. The computer program product according to claim 21 further comprising:
    computer readable program code for receiving said digitally signed request at said secure Internet site;
    a digital signature verifier, verifying the validity of said digitally signed request; and
    computer readable program code for establishing a communication session with said first user if said digitally signed request is valid.
  27. 27. The computer program product according to claim 26 wherein said digital signature verifier further comprises:
    computer readable program code for sending said digital signature to a digital signature verification service at a verification Internet site; and
    computer readable program code for receiving an indication of the validity of said digital signature from said verification Internet site.
  28. 28. The computer program product according to claim 21 wherein said checker further comprises:
    computer readable program code for checking said user credentials against data in a common directory;
    computer readable program code for creating token message;
    a redirection creator creating a redirect URL to the secure Internet site; and
    computer readable program code for communicating the redirect URL to a user browser.
  29. 29. The computer program product according to claim 28 wherein said token message comprises any one of XML data, an expiration field or unique user information.
  30. 30. The computer program product according to claim 28 wherein said redirect URL is digitally signed.
US10229693 2002-08-28 2002-08-28 Authenticating and communicating verifiable authorization between disparate network domains Abandoned US20040054898A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10229693 US20040054898A1 (en) 2002-08-28 2002-08-28 Authenticating and communicating verifiable authorization between disparate network domains

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10229693 US20040054898A1 (en) 2002-08-28 2002-08-28 Authenticating and communicating verifiable authorization between disparate network domains
CN 03155977 CN100369030C (en) 2002-08-28 2003-08-27 Method and system for identifying & transmitting verifiable authorization among complete heteroyeneous network area
US11840684 US8499339B2 (en) 2002-08-28 2007-08-17 Authenticating and communicating verifiable authorization between disparate network domains

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US11840684 Continuation US8499339B2 (en) 2002-08-28 2007-08-17 Authenticating and communicating verifiable authorization between disparate network domains

Publications (1)

Publication Number Publication Date
US20040054898A1 true true US20040054898A1 (en) 2004-03-18

Family

ID=31990371

Family Applications (2)

Application Number Title Priority Date Filing Date
US10229693 Abandoned US20040054898A1 (en) 2002-08-28 2002-08-28 Authenticating and communicating verifiable authorization between disparate network domains
US11840684 Expired - Fee Related US8499339B2 (en) 2002-08-28 2007-08-17 Authenticating and communicating verifiable authorization between disparate network domains

Family Applications After (1)

Application Number Title Priority Date Filing Date
US11840684 Expired - Fee Related US8499339B2 (en) 2002-08-28 2007-08-17 Authenticating and communicating verifiable authorization between disparate network domains

Country Status (2)

Country Link
US (2) US20040054898A1 (en)
CN (1) CN100369030C (en)

Cited By (69)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040049220A1 (en) * 2002-04-19 2004-03-11 Pelikan Technologies, Inc. Method and apparatus for a multi-use body fluid sampling device with sterility barrier release
US20040170314A1 (en) * 2002-12-20 2004-09-02 Harris Rodney C. Method and apparatus for measuring assembly and alignment errors in sensor assemblies
US20050015591A1 (en) * 2003-06-12 2005-01-20 International Business Machines Corporation Multi-level multi-user web services security system and method
US20050198501A1 (en) * 2004-03-02 2005-09-08 Dmitry Andreev System and method of providing credentials in a network
US20050240864A1 (en) * 2004-04-23 2005-10-27 Kalev Leetaru Method and system for retrieving information using an authentication web page
US20050240869A1 (en) * 2004-04-23 2005-10-27 Kalev Leetaru Method and system for editable web browsing
US20050268100A1 (en) * 2002-05-10 2005-12-01 Gasparini Louis A System and method for authenticating entities to users
US20050277420A1 (en) * 2004-06-10 2005-12-15 Samsung Electronics Co., Ltd. Single-sign-on method based on markup language and system using the method
US20060005234A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method and apparatus for handling custom token propagation without Java serialization
US20060068799A1 (en) * 2004-09-27 2006-03-30 T-Mobile, Usa, Inc. Open-host wireless access system
WO2006102738A1 (en) * 2005-04-01 2006-10-05 Ve Networks Canada, Inc. Visual and audible indication of secure communication
US20060259767A1 (en) * 2005-05-16 2006-11-16 Mansz Robert P Methods and apparatuses for information authentication and user interface feedback
US20060291700A1 (en) * 2005-06-08 2006-12-28 Ogram Mark E Internet signature verification system
US20070030965A1 (en) * 2005-07-19 2007-02-08 Mansz Robert P Methods and apparatuses for management of entitlement to digital security operations
US20070219573A1 (en) * 2002-04-19 2007-09-20 Dominique Freeman Method and apparatus for penetrating tissue
US20070219462A1 (en) * 2002-04-19 2007-09-20 Barry Briggs Methods and apparatus for lancet actuation
US20070244499A1 (en) * 2002-04-19 2007-10-18 Barry Briggs Methods and apparatus for lancet actuation
KR100875919B1 (en) 2005-12-07 2008-12-26 한국전자통신연구원 Sharing personal information service apparatus and method using a signed message callback yualel
US20090048997A1 (en) * 2007-08-16 2009-02-19 Verizon Data Services India Private Limited Method and apparatus for rule-based masking of data
US20090069716A1 (en) * 2004-06-03 2009-03-12 Dominique Freeman Method and apparatus for a fluid sampling device
US20090292925A1 (en) * 2006-04-13 2009-11-26 Alexander Meisel Method for providing web application security
US20090320119A1 (en) * 2008-06-20 2009-12-24 Wetpaint.Com, Inc. Extensible content service for attributing user-generated content to authored content providers
US7730215B1 (en) * 2005-04-08 2010-06-01 Symantec Corporation Detecting entry-portal-only network connections
US7731729B2 (en) 2002-04-19 2010-06-08 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US20100199089A1 (en) * 2009-02-05 2010-08-05 Wwpass Corporation Centralized authentication system with safe private data storage and method
US7780631B2 (en) 1998-03-30 2010-08-24 Pelikan Technologies, Inc. Apparatus and method for penetration with shaft having a sensor for sensing penetration depth
US20100217989A1 (en) * 2005-03-23 2010-08-26 Microsoft Corporation Visualization of trust in an address bar
WO2010096913A1 (en) * 2009-02-27 2010-09-02 Research In Motion Limited Cookie verification methods and apparatus for use in providing application services to communication devices
US7909775B2 (en) 2001-06-12 2011-03-22 Pelikan Technologies, Inc. Method and apparatus for lancet launching device integrated onto a blood-sampling cartridge
US7938787B2 (en) 2002-04-19 2011-05-10 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US8156228B1 (en) * 2007-09-28 2012-04-10 Symantec Corporation Method and apparatus to enable confidential browser referrals
US8197421B2 (en) 2002-04-19 2012-06-12 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US8206317B2 (en) 2001-06-12 2012-06-26 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US20120174198A1 (en) * 2010-12-30 2012-07-05 Verisign, Inc. Shared Registration Multi-Factor Authentication Tokens
US8230224B2 (en) 2005-03-08 2012-07-24 International Business Machines Corporation Transmitting security data in multipart communications over a network
US8251921B2 (en) 2003-06-06 2012-08-28 Sanofi-Aventis Deutschland Gmbh Method and apparatus for body fluid sampling and analyte sensing
CN102882675A (en) * 2012-10-18 2013-01-16 杭州也要买电子商务有限公司 Password encryption method for social network sites
US8382682B2 (en) 2002-04-19 2013-02-26 Sanofi-Aventis Deutschland Gmbh Method and apparatus for penetrating tissue
CN102984161A (en) * 2012-12-05 2013-03-20 北京奇虎科技有限公司 Identification method and device for reliable website
US8574895B2 (en) 2002-12-30 2013-11-05 Sanofi-Aventis Deutschland Gmbh Method and apparatus using optical techniques to measure analyte levels
US8689099B1 (en) * 2010-12-23 2014-04-01 Amazon Technologies, Inc. Cross-domain communication
US8769651B2 (en) * 2012-09-19 2014-07-01 Secureauth Corporation Mobile multifactor single-sign-on authentication
US20140280883A1 (en) * 2013-03-15 2014-09-18 International Business Machines Corporation Secure URL update for HTTP redirects
CN104123380A (en) * 2014-07-31 2014-10-29 珠海市君天电子科技有限公司 Webpage access method and device
US9027099B1 (en) 2012-07-11 2015-05-05 Microstrategy Incorporated User credentials
US9037963B1 (en) 2011-04-22 2015-05-19 Amazon Technologies, Inc. Secure cross-domain web browser communications
US20150163065A1 (en) * 2013-12-05 2015-06-11 Xiaolai Li Identity authentication method and apparatus and server
US9154303B1 (en) 2013-03-14 2015-10-06 Microstrategy Incorporated Third-party authorization of user credentials
CN104965852A (en) * 2015-04-30 2015-10-07 百度在线网络技术(北京)有限公司 Method for account number access, network device, and user device
US9253175B1 (en) * 2007-04-12 2016-02-02 Marvell International Ltd. Authentication of computing devices using augmented credentials to enable actions-per-group
WO2016065318A1 (en) * 2014-10-24 2016-04-28 Netflix, Inc. Efficient start-up for secured connections and related services
US20160191473A1 (en) * 2014-12-31 2016-06-30 Vasco Data Security, Inc. Method And Apparatus For Securing An Application Using A Measurement Of A Location Dependent Physical Property Of The Environment
WO2016089503A3 (en) * 2014-10-24 2016-07-28 Netflix, Inc. Failure recovery mechanism to re-establish secured communications
US9426152B2 (en) 2014-07-08 2016-08-23 International Business Machines Corporation Secure transfer of web application client persistent state information into a new domain
US9575768B1 (en) 2013-01-08 2017-02-21 Marvell International Ltd. Loading boot code from multiple memories
US9640001B1 (en) 2012-11-30 2017-05-02 Microstrategy Incorporated Time-varying representations of user credentials
US9652249B1 (en) 2008-09-18 2017-05-16 Marvell World Trade Ltd. Preloading an application while an operating system loads
US9736801B1 (en) 2013-05-20 2017-08-15 Marvell International Ltd. Methods and apparatus for synchronizing devices in a wireless data communication system
US9769653B1 (en) 2008-08-20 2017-09-19 Marvell International Ltd. Efficient key establishment for wireless networks
US9795747B2 (en) 2010-06-02 2017-10-24 Sanofi-Aventis Deutschland Gmbh Methods and apparatus for lancet actuation
US9820684B2 (en) 2004-06-03 2017-11-21 Sanofi-Aventis Deutschland Gmbh Method and apparatus for a fluid sampling device
US9832229B2 (en) 2015-12-14 2017-11-28 Bank Of America Corporation Multi-tiered protection platform
US9832200B2 (en) 2015-12-14 2017-11-28 Bank Of America Corporation Multi-tiered protection platform
US9836306B2 (en) 2013-07-31 2017-12-05 Marvell World Trade Ltd. Parallelizing boot operations
US9860862B1 (en) 2013-05-21 2018-01-02 Marvell International Ltd. Methods and apparatus for selecting a device to perform shared functionality in a deterministic and fair manner in a wireless data communication system
US9886569B1 (en) 2012-10-26 2018-02-06 Microstrategy Incorporated Credential tracking
US9887992B1 (en) 2012-07-11 2018-02-06 Microstrategy Incorporated Sight codes for website authentication
US9907502B2 (en) 2002-04-19 2018-03-06 Sanofi-Aventis Deutschland Gmbh Method and apparatus for penetrating tissue
US9992163B2 (en) 2015-12-14 2018-06-05 Bank Of America Corporation Multi-tiered protection platform

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060021018A1 (en) 2004-07-21 2006-01-26 International Business Machines Corporation Method and system for enabling trust infrastructure support for federated user lifecycle management
CN100417066C (en) 2004-12-29 2008-09-03 国际商业机器公司 Multi-territory accessing proxy using in treating safety problem based on browser application
EP1934717A1 (en) * 2005-09-26 2008-06-25 Koninklijke KPN N.V. Method of controlling a browser window
US8590027B2 (en) * 2007-02-05 2013-11-19 Red Hat, Inc. Secure authentication in browser redirection authentication schemes
US8271536B2 (en) * 2008-11-14 2012-09-18 Microsoft Corporation Multi-tenancy using suite of authorization manager components
US8819848B2 (en) 2009-11-24 2014-08-26 Comcast Interactive Media, Llc Method for scalable access control decisions
US9532222B2 (en) 2010-03-03 2016-12-27 Duo Security, Inc. System and method of notifying mobile devices to complete transactions after additional agent verification
US9544143B2 (en) 2010-03-03 2017-01-10 Duo Security, Inc. System and method of notifying mobile devices to complete transactions
US8510820B2 (en) 2010-12-02 2013-08-13 Duo Security, Inc. System and method for embedded authentication
US9282085B2 (en) 2010-12-20 2016-03-08 Duo Security, Inc. System and method for digital user authentication
CN102546579A (en) * 2010-12-31 2012-07-04 北京方正阿帕比技术有限公司 Method, device and system used for providing system resources
US8863248B2 (en) * 2011-04-07 2014-10-14 International Business Machines Corporation Method and apparatus to auto-login to a browser application launched from an authenticated client application
US8892885B2 (en) 2011-08-31 2014-11-18 Duo Security, Inc. System and method for delivering a challenge response in an authentication protocol
US9467463B2 (en) 2011-09-02 2016-10-11 Duo Security, Inc. System and method for assessing vulnerability of a mobile device
US9830435B2 (en) * 2011-10-04 2017-11-28 Salesforce.Com, Inc. Method and system for providing login as a service
US8763077B2 (en) 2011-10-07 2014-06-24 Duo Security, Inc. System and method for enforcing a policy for an authenticator device
US8990898B2 (en) * 2012-02-16 2015-03-24 Citrix Systems, Inc. Connection leasing for hosted services
US8752203B2 (en) * 2012-06-18 2014-06-10 Lars Reinertsen System for managing computer data security through portable data access security tokens
US8819803B1 (en) * 2012-06-29 2014-08-26 Emc Corporation Validating association of client devices with authenticated clients
US9607156B2 (en) * 2013-02-22 2017-03-28 Duo Security, Inc. System and method for patching a device through exploitation
US9338156B2 (en) 2013-02-22 2016-05-10 Duo Security, Inc. System and method for integrating two-factor authentication in a device
US8893230B2 (en) 2013-02-22 2014-11-18 Duo Security, Inc. System and method for proxying federated authentication protocols
US9053310B2 (en) 2013-08-08 2015-06-09 Duo Security, Inc. System and method for verifying status of an authentication device through a biometric profile
US9443073B2 (en) 2013-08-08 2016-09-13 Duo Security, Inc. System and method for verifying status of an authentication device
US9608814B2 (en) 2013-09-10 2017-03-28 Duo Security, Inc. System and method for centralized key distribution
US9092302B2 (en) 2013-09-10 2015-07-28 Duo Security, Inc. System and method for determining component version compatibility across a device ecosystem
US9774448B2 (en) 2013-10-30 2017-09-26 Duo Security, Inc. System and methods for opportunistic cryptographic key management on an electronic device
US9762590B2 (en) 2014-04-17 2017-09-12 Duo Security, Inc. System and method for an integrity focused authentication service
US9979719B2 (en) 2015-01-06 2018-05-22 Duo Security, Inc. System and method for converting one-time passcodes to app-based authentication
US9641341B2 (en) 2015-03-31 2017-05-02 Duo Security, Inc. Method for distributed trust authentication
EP3304336A1 (en) 2015-06-01 2018-04-11 Duo Security, Inc. Method for enforcing endpoint health standards
US9774579B2 (en) 2015-07-27 2017-09-26 Duo Security, Inc. Method for key rotation

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5497421A (en) * 1992-04-28 1996-03-05 Digital Equipment Corporation Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system
US5655077A (en) * 1994-12-13 1997-08-05 Microsoft Corporation Method and system for authenticating access to heterogeneous computing services
US5659616A (en) * 1994-07-19 1997-08-19 Certco, Llc Method for securely using digital signatures in a commercial cryptographic system
US5757920A (en) * 1994-07-18 1998-05-26 Microsoft Corporation Logon certification
US5815574A (en) * 1994-12-15 1998-09-29 International Business Machines Corporation Provision of secure access to external resources from a distributed computing environment
US5815665A (en) * 1996-04-03 1998-09-29 Microsoft Corporation System and method for providing trusted brokering services over a distributed network
US5875296A (en) * 1997-01-28 1999-02-23 International Business Machines Corporation Distributed file system web server user authentication with cookies
US5909492A (en) * 1994-10-24 1999-06-01 Open Market, Incorporated Network sales system
US6055637A (en) * 1996-09-27 2000-04-25 Electronic Data Systems Corporation System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential
US6092196A (en) * 1997-11-25 2000-07-18 Nortel Networks Limited HTTP distributed remote user authentication system
US6128738A (en) * 1998-04-22 2000-10-03 International Business Machines Corporation Certificate based security in SNA data flows
US6131164A (en) * 1998-02-27 2000-10-10 Sprint Communications Company, L.P. Reverse internet protocol lookup
US6226752B1 (en) * 1999-05-11 2001-05-01 Sun Microsystems, Inc. Method and apparatus for authenticating users
US6275944B1 (en) * 1998-04-30 2001-08-14 International Business Machines Corporation Method and system for single sign on using configuration directives with respect to target types
US6403974B1 (en) * 2000-11-13 2002-06-11 Behavior Tech Computer Corporation Test device for horizontal position of an optical disc drive motor
US6725376B1 (en) * 1997-11-13 2004-04-20 Ncr Corporation Method of using an electronic ticket and distributed server computer architecture for the same
US6957334B1 (en) * 1999-06-23 2005-10-18 Mastercard International Incorporated Method and system for secure guaranteed transactions over a computer network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5403974A (en) * 1993-01-08 1995-04-04 Square D Company Interlocking wireway assembly for electrical distribution devices
JP3493141B2 (en) * 1998-06-12 2004-02-03 富士通株式会社 Gateway system and a recording medium
US6304974B1 (en) 1998-11-06 2001-10-16 Oracle Corporation Method and apparatus for managing trusted certificates
US7356711B1 (en) * 2002-05-30 2008-04-08 Microsoft Corporation Secure registration

Patent Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5497421A (en) * 1992-04-28 1996-03-05 Digital Equipment Corporation Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system
US5757920A (en) * 1994-07-18 1998-05-26 Microsoft Corporation Logon certification
US5659616A (en) * 1994-07-19 1997-08-19 Certco, Llc Method for securely using digital signatures in a commercial cryptographic system
US5909492A (en) * 1994-10-24 1999-06-01 Open Market, Incorporated Network sales system
US5655077A (en) * 1994-12-13 1997-08-05 Microsoft Corporation Method and system for authenticating access to heterogeneous computing services
US5815574A (en) * 1994-12-15 1998-09-29 International Business Machines Corporation Provision of secure access to external resources from a distributed computing environment
US5815665A (en) * 1996-04-03 1998-09-29 Microsoft Corporation System and method for providing trusted brokering services over a distributed network
US6055637A (en) * 1996-09-27 2000-04-25 Electronic Data Systems Corporation System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential
US5875296A (en) * 1997-01-28 1999-02-23 International Business Machines Corporation Distributed file system web server user authentication with cookies
US6725376B1 (en) * 1997-11-13 2004-04-20 Ncr Corporation Method of using an electronic ticket and distributed server computer architecture for the same
US6092196A (en) * 1997-11-25 2000-07-18 Nortel Networks Limited HTTP distributed remote user authentication system
US6131164A (en) * 1998-02-27 2000-10-10 Sprint Communications Company, L.P. Reverse internet protocol lookup
US6128738A (en) * 1998-04-22 2000-10-03 International Business Machines Corporation Certificate based security in SNA data flows
US6275944B1 (en) * 1998-04-30 2001-08-14 International Business Machines Corporation Method and system for single sign on using configuration directives with respect to target types
US6226752B1 (en) * 1999-05-11 2001-05-01 Sun Microsystems, Inc. Method and apparatus for authenticating users
US6957334B1 (en) * 1999-06-23 2005-10-18 Mastercard International Incorporated Method and system for secure guaranteed transactions over a computer network
US6403974B1 (en) * 2000-11-13 2002-06-11 Behavior Tech Computer Corporation Test device for horizontal position of an optical disc drive motor

Cited By (119)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7780631B2 (en) 1998-03-30 2010-08-24 Pelikan Technologies, Inc. Apparatus and method for penetration with shaft having a sensor for sensing penetration depth
US9937298B2 (en) 2001-06-12 2018-04-10 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US8679033B2 (en) 2001-06-12 2014-03-25 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US8282577B2 (en) 2001-06-12 2012-10-09 Sanofi-Aventis Deutschland Gmbh Method and apparatus for lancet launching device integrated onto a blood-sampling cartridge
US8216154B2 (en) 2001-06-12 2012-07-10 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US8622930B2 (en) 2001-06-12 2014-01-07 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US8206319B2 (en) 2001-06-12 2012-06-26 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US7909775B2 (en) 2001-06-12 2011-03-22 Pelikan Technologies, Inc. Method and apparatus for lancet launching device integrated onto a blood-sampling cartridge
US8206317B2 (en) 2001-06-12 2012-06-26 Sanofi-Aventis Deutschland Gmbh Tissue penetration device
US7909778B2 (en) 2002-04-19 2011-03-22 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US7988644B2 (en) 2002-04-19 2011-08-02 Pelikan Technologies, Inc. Method and apparatus for a multi-use body fluid sampling device with sterility barrier release
US7981056B2 (en) 2002-04-19 2011-07-19 Pelikan Technologies, Inc. Methods and apparatus for lancet actuation
US7938787B2 (en) 2002-04-19 2011-05-10 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US8197421B2 (en) 2002-04-19 2012-06-12 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US8382682B2 (en) 2002-04-19 2013-02-26 Sanofi-Aventis Deutschland Gmbh Method and apparatus for penetrating tissue
US20070167872A1 (en) * 2002-04-19 2007-07-19 Dominique Freeman Method and apparatus for a multi-use body fluid sampling device with sterility barrier release
US20070219573A1 (en) * 2002-04-19 2007-09-20 Dominique Freeman Method and apparatus for penetrating tissue
US20070219462A1 (en) * 2002-04-19 2007-09-20 Barry Briggs Methods and apparatus for lancet actuation
US20070244499A1 (en) * 2002-04-19 2007-10-18 Barry Briggs Methods and apparatus for lancet actuation
US7875047B2 (en) 2002-04-19 2011-01-25 Pelikan Technologies, Inc. Method and apparatus for a multi-use body fluid sampling device with sterility barrier release
US8491500B2 (en) 2002-04-19 2013-07-23 Sanofi-Aventis Deutschland Gmbh Methods and apparatus for lancet actuation
US8496601B2 (en) 2002-04-19 2013-07-30 Sanofi-Aventis Deutschland Gmbh Methods and apparatus for lancet actuation
US8388551B2 (en) 2002-04-19 2013-03-05 Sanofi-Aventis Deutschland Gmbh Method and apparatus for multi-use body fluid sampling device with sterility barrier release
US7731729B2 (en) 2002-04-19 2010-06-08 Pelikan Technologies, Inc. Method and apparatus for penetrating tissue
US9089678B2 (en) 2002-04-19 2015-07-28 Sanofi-Aventis Deutschland Gmbh Method and apparatus for penetrating tissue
US20040049220A1 (en) * 2002-04-19 2004-03-11 Pelikan Technologies, Inc. Method and apparatus for a multi-use body fluid sampling device with sterility barrier release
US9907502B2 (en) 2002-04-19 2018-03-06 Sanofi-Aventis Deutschland Gmbh Method and apparatus for penetrating tissue
US8079960B2 (en) 2002-04-19 2011-12-20 Pelikan Technologies, Inc. Methods and apparatus for lancet actuation
US7562222B2 (en) * 2002-05-10 2009-07-14 Rsa Security Inc. System and method for authenticating entities to users
US20050268100A1 (en) * 2002-05-10 2005-12-01 Gasparini Louis A System and method for authenticating entities to users
US20040170314A1 (en) * 2002-12-20 2004-09-02 Harris Rodney C. Method and apparatus for measuring assembly and alignment errors in sensor assemblies
US8574895B2 (en) 2002-12-30 2013-11-05 Sanofi-Aventis Deutschland Gmbh Method and apparatus using optical techniques to measure analyte levels
US8251921B2 (en) 2003-06-06 2012-08-28 Sanofi-Aventis Deutschland Gmbh Method and apparatus for body fluid sampling and analyte sensing
US20050015591A1 (en) * 2003-06-12 2005-01-20 International Business Machines Corporation Multi-level multi-user web services security system and method
US7299492B2 (en) * 2003-06-12 2007-11-20 International Business Machines Corporation Multi-level multi-user web services security system and method
US20050198501A1 (en) * 2004-03-02 2005-09-08 Dmitry Andreev System and method of providing credentials in a network
US8364957B2 (en) * 2004-03-02 2013-01-29 International Business Machines Corporation System and method of providing credentials in a network
US20050240869A1 (en) * 2004-04-23 2005-10-27 Kalev Leetaru Method and system for editable web browsing
US7716352B2 (en) * 2004-04-23 2010-05-11 The Board Of Trustees Of The University Of Illinois Method and system for retrieving information using an authentication web page
US20050240864A1 (en) * 2004-04-23 2005-10-27 Kalev Leetaru Method and system for retrieving information using an authentication web page
US9820684B2 (en) 2004-06-03 2017-11-21 Sanofi-Aventis Deutschland Gmbh Method and apparatus for a fluid sampling device
US20090069716A1 (en) * 2004-06-03 2009-03-12 Dominique Freeman Method and apparatus for a fluid sampling device
US8108921B2 (en) * 2004-06-10 2012-01-31 Samsung Electronics Co., Ltd. Single-sign-on method based on markup language and system using the method
US20050277420A1 (en) * 2004-06-10 2005-12-15 Samsung Electronics Co., Ltd. Single-sign-on method based on markup language and system using the method
US20060005234A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method and apparatus for handling custom token propagation without Java serialization
US20090109946A1 (en) * 2004-09-27 2009-04-30 T-Mobile, Usa, Inc. Open-Host Wireless Access System
US20060068799A1 (en) * 2004-09-27 2006-03-30 T-Mobile, Usa, Inc. Open-host wireless access system
US8230224B2 (en) 2005-03-08 2012-07-24 International Business Machines Corporation Transmitting security data in multipart communications over a network
US9444630B2 (en) * 2005-03-23 2016-09-13 Microsoft Technology Licensing, Llc Visualization of trust in an address bar
US20130332740A1 (en) * 2005-03-23 2013-12-12 Microsoft Corporation Visualization of Trust in an Address Bar
US9838380B2 (en) 2005-03-23 2017-12-05 Zhigu Holdings Limited Visualization of trust in an address bar
US20100217989A1 (en) * 2005-03-23 2010-08-26 Microsoft Corporation Visualization of trust in an address bar
US8843749B2 (en) 2005-03-23 2014-09-23 Microsoft Corporation Visualization of trust in an address bar
WO2006102738A1 (en) * 2005-04-01 2006-10-05 Ve Networks Canada, Inc. Visual and audible indication of secure communication
US7506163B2 (en) 2005-04-01 2009-03-17 Ve Networks Methods and apparatuses for security visualization
US20060224888A1 (en) * 2005-04-01 2006-10-05 Mansz Robert P Methods and apparatuses for security visualization
US7730215B1 (en) * 2005-04-08 2010-06-01 Symantec Corporation Detecting entry-portal-only network connections
US20060259767A1 (en) * 2005-05-16 2006-11-16 Mansz Robert P Methods and apparatuses for information authentication and user interface feedback
US20060291700A1 (en) * 2005-06-08 2006-12-28 Ogram Mark E Internet signature verification system
US20070030965A1 (en) * 2005-07-19 2007-02-08 Mansz Robert P Methods and apparatuses for management of entitlement to digital security operations
KR100875919B1 (en) 2005-12-07 2008-12-26 한국전자통신연구원 Sharing personal information service apparatus and method using a signed message callback yualel
US20090292925A1 (en) * 2006-04-13 2009-11-26 Alexander Meisel Method for providing web application security
US9253175B1 (en) * 2007-04-12 2016-02-02 Marvell International Ltd. Authentication of computing devices using augmented credentials to enable actions-per-group
US8341104B2 (en) * 2007-08-16 2012-12-25 Verizon Patent And Licensing Inc. Method and apparatus for rule-based masking of data
US20090048997A1 (en) * 2007-08-16 2009-02-19 Verizon Data Services India Private Limited Method and apparatus for rule-based masking of data
US8156228B1 (en) * 2007-09-28 2012-04-10 Symantec Corporation Method and apparatus to enable confidential browser referrals
US20090320119A1 (en) * 2008-06-20 2009-12-24 Wetpaint.Com, Inc. Extensible content service for attributing user-generated content to authored content providers
US8516366B2 (en) * 2008-06-20 2013-08-20 Wetpaint.Com, Inc. Extensible content service for attributing user-generated content to authored content providers
US9769653B1 (en) 2008-08-20 2017-09-19 Marvell International Ltd. Efficient key establishment for wireless networks
US9652249B1 (en) 2008-09-18 2017-05-16 Marvell World Trade Ltd. Preloading an application while an operating system loads
US20100199089A1 (en) * 2009-02-05 2010-08-05 Wwpass Corporation Centralized authentication system with safe private data storage and method
US8826019B2 (en) 2009-02-05 2014-09-02 Wwpass Corporation Centralized authentication system with safe private data storage and method
US8327141B2 (en) 2009-02-05 2012-12-04 Wwpass Corporation Centralized authentication system with safe private data storage and method
US9059979B2 (en) 2009-02-27 2015-06-16 Blackberry Limited Cookie verification methods and apparatus for use in providing application services to communication devices
US20100223471A1 (en) * 2009-02-27 2010-09-02 Research In Motion Limited Cookie Verification Methods And Apparatus For Use In Providing Application Services To Communication Devices
WO2010096913A1 (en) * 2009-02-27 2010-09-02 Research In Motion Limited Cookie verification methods and apparatus for use in providing application services to communication devices
US9795747B2 (en) 2010-06-02 2017-10-24 Sanofi-Aventis Deutschland Gmbh Methods and apparatus for lancet actuation
US8689099B1 (en) * 2010-12-23 2014-04-01 Amazon Technologies, Inc. Cross-domain communication
US8769655B2 (en) * 2010-12-30 2014-07-01 Verisign, Inc. Shared registration multi-factor authentication tokens
US20120174198A1 (en) * 2010-12-30 2012-07-05 Verisign, Inc. Shared Registration Multi-Factor Authentication Tokens
US9037963B1 (en) 2011-04-22 2015-05-19 Amazon Technologies, Inc. Secure cross-domain web browser communications
US9979723B1 (en) 2012-07-11 2018-05-22 Microstrategy Incorporated User credentials
US9742781B1 (en) 2012-07-11 2017-08-22 Microstrategy Incorporated Generation and validation of user credentials
US9027099B1 (en) 2012-07-11 2015-05-05 Microstrategy Incorporated User credentials
US9269358B1 (en) 2012-07-11 2016-02-23 Microstrategy Incorporated User credentials
US9860246B1 (en) 2012-07-11 2018-01-02 Microstrategy Incorporated Generation and validation of user credentials having multiple representations
US9887992B1 (en) 2012-07-11 2018-02-06 Microstrategy Incorporated Sight codes for website authentication
US9807074B1 (en) * 2012-07-11 2017-10-31 Microstrategy Incorporated User credentials
US9264415B1 (en) 2012-07-11 2016-02-16 Microstrategy Incorporated User credentials
US9369457B2 (en) * 2012-09-19 2016-06-14 Secureauth Corporation Mobile multifactor single-sign-on authentication
US20150007299A1 (en) * 2012-09-19 2015-01-01 Secureauth Corporation Mobile multifactor single-sign-on authentication
US8769651B2 (en) * 2012-09-19 2014-07-01 Secureauth Corporation Mobile multifactor single-sign-on authentication
US20170111351A1 (en) * 2012-09-19 2017-04-20 Secureauth Corporation Mobile multifactor single-sign-on authentication
CN102882675A (en) * 2012-10-18 2013-01-16 杭州也要买电子商务有限公司 Password encryption method for social network sites
US9886569B1 (en) 2012-10-26 2018-02-06 Microstrategy Incorporated Credential tracking
US9640001B1 (en) 2012-11-30 2017-05-02 Microstrategy Incorporated Time-varying representations of user credentials
US10084775B1 (en) 2012-11-30 2018-09-25 Microstrategy Incorporated Time-varying representations of user credentials
CN102984161A (en) * 2012-12-05 2013-03-20 北京奇虎科技有限公司 Identification method and device for reliable website
US9575768B1 (en) 2013-01-08 2017-02-21 Marvell International Ltd. Loading boot code from multiple memories
US9154303B1 (en) 2013-03-14 2015-10-06 Microstrategy Incorporated Third-party authorization of user credentials
US10027680B1 (en) 2013-03-14 2018-07-17 Microstrategy Incorporated Third-party authorization of user credentials
US20140280883A1 (en) * 2013-03-15 2014-09-18 International Business Machines Corporation Secure URL update for HTTP redirects
US9736801B1 (en) 2013-05-20 2017-08-15 Marvell International Ltd. Methods and apparatus for synchronizing devices in a wireless data communication system
US9860862B1 (en) 2013-05-21 2018-01-02 Marvell International Ltd. Methods and apparatus for selecting a device to perform shared functionality in a deterministic and fair manner in a wireless data communication system
US9836306B2 (en) 2013-07-31 2017-12-05 Marvell World Trade Ltd. Parallelizing boot operations
US20150163065A1 (en) * 2013-12-05 2015-06-11 Xiaolai Li Identity authentication method and apparatus and server
US9426152B2 (en) 2014-07-08 2016-08-23 International Business Machines Corporation Secure transfer of web application client persistent state information into a new domain
US9699177B2 (en) 2014-07-08 2017-07-04 International Business Machines Corporation Secure transfer of web application client persistent state information into a new domain
US9509691B2 (en) 2014-07-08 2016-11-29 International Business Machines Corporation Secure transfer of web application client persistent state information into a new domain
US9712523B2 (en) 2014-07-08 2017-07-18 International Business Machines Corporation Secure transfer of web application client persistent state information into a new domain
CN104123380A (en) * 2014-07-31 2014-10-29 珠海市君天电子科技有限公司 Webpage access method and device
US10050955B2 (en) 2014-10-24 2018-08-14 Netflix, Inc. Efficient start-up for secured connections and related services
WO2016065318A1 (en) * 2014-10-24 2016-04-28 Netflix, Inc. Efficient start-up for secured connections and related services
WO2016089503A3 (en) * 2014-10-24 2016-07-28 Netflix, Inc. Failure recovery mechanism to re-establish secured communications
US20160191473A1 (en) * 2014-12-31 2016-06-30 Vasco Data Security, Inc. Method And Apparatus For Securing An Application Using A Measurement Of A Location Dependent Physical Property Of The Environment
CN104965852A (en) * 2015-04-30 2015-10-07 百度在线网络技术(北京)有限公司 Method for account number access, network device, and user device
US9992163B2 (en) 2015-12-14 2018-06-05 Bank Of America Corporation Multi-tiered protection platform
US9832229B2 (en) 2015-12-14 2017-11-28 Bank Of America Corporation Multi-tiered protection platform
US9832200B2 (en) 2015-12-14 2017-11-28 Bank Of America Corporation Multi-tiered protection platform

Also Published As

Publication number Publication date Type
CN1506873A (en) 2004-06-23 application
US20070289004A1 (en) 2007-12-13 application
CN100369030C (en) 2008-02-13 grant
US8499339B2 (en) 2013-07-30 grant

Similar Documents

Publication Publication Date Title
Kohl et al. The Kerberos network authentication service (V5)
Franks et al. HTTP authentication: Basic and digest access authentication
US6801998B1 (en) Method and apparatus for presenting anonymous group names
US7644275B2 (en) Pass-thru for client authentication
Hardt The OAuth 2.0 authorization framework
Hammer-Lahav The oauth 1.0 protocol
US6629246B1 (en) Single sign-on for a network system that includes multiple separately-controlled restricted access resources
US7356690B2 (en) Method and system for managing a distributed trust path locator for public key certificates relating to the trust path of an X.509 attribute certificate
US7657531B2 (en) Systems and methods for state-less authentication
US7685631B1 (en) Authentication of a server by a client to prevent fraudulent user interfaces
US7346775B2 (en) System and method for authentication of users and web sites
Franks et al. An extension to HTTP: digest access authentication
US6732270B1 (en) Method to authenticate a network access server to an authentication server
US7240192B1 (en) Combining a browser cache and cookies to improve the security of token-based authentication protocols
US20050138362A1 (en) Authentication system for networked computer applications
US20050154889A1 (en) Method and system for a flexible lightweight public-key-based mechanism for the GSS protocol
US7257836B1 (en) Security link management in dynamic networks
US20070143829A1 (en) Authentication of a principal in a federation
US20100250955A1 (en) Brokered information sharing system
Gutzmann Access control and session management in the HTTP environment
US20050198501A1 (en) System and method of providing credentials in a network
US20030163691A1 (en) System and method for authenticating sessions and other transactions
US20040143738A1 (en) System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data
US20040230831A1 (en) Passive client single sign-on for Web applications
US6993596B2 (en) System and method for user enrollment in an e-community

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHAO, LI-LUNG;GOODMAN, BRIAN D.;KEBINGER, JAMES K.;REEL/FRAME:022935/0446

Effective date: 20020826