Electrical computers and digital processing systems: support – Reconfiguration
Reexamination Certificate
1997-10-06
2001-07-17
Davis, George B. (Department: 2122)
active
06263432
ABSTRACT:
TECHNICAL FIELD
The present invention relates to user authentication and/or authorization of data communications and, more particularly, to data communication over a network that securely maintains user authentication and/or authorization throughout the network.
BACKGROUND ART
Many Internet protocols and applications are designed to serve large public user groups. Because of this, Internet servers were designed to serve their community in a stateless manner. One request to the server has no relationship to the previous or next request. All requests are independent, rather than considered as part of a user “session” to that server. This approach simplified server activity to service many requests from many users, without having to establish and track sessions for each user. However, the approach introduces a new problem to solve: user privacy and security.
In a network environment, security issues such as communication channel integrity and privacy, user authentication, and user authorization exist. Communication between two end points in a network has to be guarded against outside intervention (e.g., high-voltage noise, lightning, or human interference). Security affording protection against this kind of intervention is commonly referred to as communication channel integrity and privacy.
Channel integrity and privacy precautions against “natural” events are typically handled by communication protocols. Algorithms to detect and correct these “natural” events have been developed over the years and have been proven effective through many years of usage. However, when the integrity and privacy threat is deliberate human intervention rather than a natural event, the reliability of these algorithms deteriorates. Protocol level controls typically do not encrypt data, enabling a human intervenor to change the Cyclic Redundancy Check (CRC) information and any other information on an open transmission channel. Hence, any sensitive user data (for example, credit card numbers or other private user information) traveling on the Internet can be obtained by any human intervenor.
In an effort to resolve this problem, Web technology providers architected the Secure Sockets Layer (SSL). SSL is a layer residing between Web applications and the communication protocol layer. SSL provides data encryption, server authentication and message integrity for TCP/IP connections. This effectively protects the privacy and integrity of data traveling over the Internet.
User authentication is defined as “determining the true identity of a user or an object attempting to access a system.” Any non-public system has to have an authentication system in order to filter and identify users from one another. However, Web servers do not typically keep track of the user identity throughout the duration of that user's visit to the site. For complete security, the user identity must be provided with each request made of the Web server. This may be accomplished by having the user “log on” for each new request, or by conducting a behind-the-scenes “re-authentication” of the user for each request. These techniques are, however, inconvenient for the user and/or time consuming for the application.
User authorization involves determining what types of activities are permitted for an authenticated user or object. Authorization is generally grouped into two categories: (1) Data Set Authorization (typically controlled by the application), and (2) Function Set Authorization (typically controlled by the operating system).
Based on the foregoing, we have determined that web user “authentication” must first be accomplished before optionally following with user “authorization”. Hence, efficiency may be increased if “authentication” for each “authorization” request is eliminated.
SUMMARY OF THE INVENTION
To overcome the above-identified disadvantages and shortcomings of the prior art, it is a feature and advantage of the present invention to transmit data over a system, such as the world wide web, in a more secure and efficient manner.
It is another feature and advantage of the present invention to provide user authentication information which is maintained throughout transmission over a system, such as the world wide web.
It is another feature and advantage of the present invention to provide user authorization information in addition to the authentication information, enabling the user to gain access to system resources provided, for example, over the world wide web.
According to one aspect of the invention, a computer program memory stores computer instructions, generating an electronic ticket used for verifying user authorization to provide secure data communication over a system. The computer instructions generate a data packet based on authorization information, hash the information in the data packet to produce a hash number, encrypt the hash number to prevent unauthorized alteration of the information in the data packet and concatenate the data packet and encrypted hash number to produce a ticket. The ticket may then be transmitted in a non-secure environment and a user may be authorized based on the validation of the integrity of the information in the ticket.
In one embodiment of the invention, MD5 protocol is used to hash the information in the data packet.
In another embodiment of the invention, a private key is used to encrypt the hash number.
In another embodiment of the invention, the identification information includes issue host name, client IP address, expiration date and time and authorization level. User extension information may also be provided.
Another aspect of the invention provides a method for securing data communication over a system, including generating an electronic ticket used for verifying user authorization to provide secure data communication over a system, producing a signature by hashing at least the authentication information, encrypting the signature, concatenating the information in the data packet with the encrypted signature, and transmitting the ticket over the system in a non-secured environment. A user is authorized to access system resources upon validating the integrity of the information in the ticket having been transmitted in the non-secured environment.
In one embodiment of the invention, MD5 protocol is used to hash the information in the data packet.
In another embodiment of the invention, a private key is used to encrypt the signature.
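As an added example (not code from the patent or its assignee), the ticket the summary describes, issued and verified in Python: a data packet of issue host name, client IP address, expiration and authorization level, an integrity tag computed over it, and the two concatenated for transport over a non-secure channel. The patent's MD5 hash encrypted with a private key is replaced here by an HMAC-SHA256 under a constructed issuer key; the field names, JSON encoding and sample values are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed demo key for the issuing host. The patent encrypts the packet's
# MD5 hash with a private key; here an HMAC-SHA256 over the packet stands in
# for that "encrypted hash": same integrity property, keyed, no deprecated MD5.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended after the packet

def make_packet(issue_host, client_ip, expires_at, auth_level, ext=None):
    # Fields from the patent summary: issue host name, client IP address,
    # expiration time (epoch seconds), authorization level, optional extension.
    return {"host": issue_host, "ip": client_ip, "exp": int(expires_at),
            "lvl": int(auth_level), "ext": ext or {}}

def issue_ticket(packet, key=ISSUER_KEY):
    # Canonical serialisation so issuer and verifier authenticate identical bytes.
    body = json.dumps(packet, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    # Packet || signature, encoded so it can travel in a cookie or URL parameter.
    return base64.urlsafe_b64encode(body + tag).decode()

def verify_ticket(ticket, client_ip, now, key=ISSUER_KEY):
    """Return (ok, reason, packet); packet fields are read only after the tag checks."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed", None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad signature", None
    packet = json.loads(body)
    if packet["exp"] <= now:
        return False, "expired", packet
    if packet["ip"] != client_ip:  # ticket is bound to the client it was issued to
        return False, "client ip mismatch", packet
    return True, "ok", packet

def self_check():
    """Run issuer and verifier on constructed data; returns the verifier's reasons."""
    pkt = make_packet("www.example.test", "192.0.2.10", expires_at=1_000_000, auth_level=2)
    t = issue_ticket(pkt)
    raw = base64.urlsafe_b64decode(t.encode())
    # Raising the authorization level without the issuer key breaks the tag,
    # so the verifier refuses to authorize the altered ticket.
    altered = base64.urlsafe_b64encode(
        raw[:-TAG_LEN].replace(b'"lvl":2', b'"lvl":9') + raw[-TAG_LEN:]).decode()
    return {"valid": verify_ticket(t, "192.0.2.10", now=999_999)[1],
            "expired": verify_ticket(t, "192.0.2.10", now=1_000_000)[1],
            "wrong_ip": verify_ticket(t, "192.0.2.99", now=999_999)[1],
            "altered": verify_ticket(altered, "192.0.2.10", now=999_999)[1]}
```

The verifier checks the tag before reading any packet field, so expiry, client binding and authorization level are only trusted once integrity is established.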
Sasmazel Levent M D
Schneider David H.
Davis George B.
Lowe Hauptman Gopstein Gilman & Berner LLP
NCR Corporation