Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-12-17
2003-08-26
Wright, Norman M. (Department: 2131)
C380S001000
active
06611916
ABSTRACT:
FIELD OF THE INVENTION
The invention disclosed herein relates generally to membership verification and, more particularly, to a method of verifying membership in order to access a secure environment.
BACKGROUND OF THE INVENTION
In a typical situation, when a user wants access to a secure environment, the user exchanges information such as a user name and password with that secure environment. When the user wants access to another secure environment, the user exchanges other information, such as another user name and password, with that secure environment. An example of this scenario is where several users each access secure environment A and secure environment B by exchanging information known to each user and to each secure environment. In this situation, prior to authentication of the user, the user is known as the claimant, or party presenting an identity and claiming to be a principal. The principal is the legitimate owner of an identity. The secure environments are known as verifiers, or parties that gain confidence that the claimant's claim is legitimate.
Claimants can be authenticated using a variety of methods. Generally, there are three types or levels of authentication based on information shared with a claimant. Each of the three levels provides a different level of security. The three levels of authentication are based upon 1) "what a claimant knows", such as, for example, a user name and password; 2) "what a claimant has", such as, for example, a cryptographic token or a smart card with secret information; and 3) "what a claimant is", such as, for example, biometric information including fingerprints and retinal prints. Each of these levels or types of authentication requires that the claimant and the verifier know the information that is being used for authentication purposes.
Access to secure environments can be set up so that security requires claimants and verifiers each to know information that will be used for authentication. These shared-knowledge security systems can be based upon, for example, user name and password, user location, etc. Administration of the shared knowledge is costly, difficult and impractical for systems with many users. For example, many large corporations have thousands of users of their computer systems. In a system using user name and password, a database of thousands of user names and passwords must be stored and maintained. Some systems use address-based security, which authenticates a claimant based on the originating address of the claimant, such as, for example, the Internet Protocol address of the claimant's server. The problem with these systems is that the claimant frequently changes addresses, and the system is costly and administratively difficult to manage. Another problem with the address-based system is that, even if the claimants do not change addresses, the number of addresses that need to be maintained could be, for a large company, too difficult and costly to manage. Another problem with the address-based system is that it is unable to provide a means of access for a mobile user, such as, for example, a mobile worker.
Not only is the shared information administratively difficult and costly for the administrator of the secure environment to maintain, the information can also be cumbersome for the user to remember. This is because each user must remember information for each secure environment. In addition to being cumbersome, the situation might compromise the security of the passwords. For example, a user might write down the password in an attempt to remember it. The password could then be obtained (from the user's written note) by an unauthorized person.
Secure environments can be secure domains such as interconnected networks. For example, a company intranet which is an interconnected collection of networks can be a secure domain. Secure domains can be interconnected by networks, such as for example, the Internet. Multiple secure domains connected to the Internet is an example of a situation where a user would need access to multiple secure domains in order to obtain services provided by those domains. Each secure domain may require some common information for authentication purposes. Thus, the situations described above are applicable to the authentication of an Internet service claimant.
In the Internet example, there are scenarios where providing access to a secure domain by use of authentication information is cumbersome and/or administratively difficult. For example, in one scenario, a user who, after gaining access to a secure domain, remembers a particular URL in that domain (by use of, for example, a browser bookmark) and later wants to return to that URL will not be able to access the secure domain without first providing the user's authentication information again. In another scenario, if the user would like to access another secure domain, the user will not be able to access that secure domain without first providing the user's authentication information associated with it. In yet another scenario, if secure domain A and secure domain B are associated in such a way that the administrator of secure domain A wants users of secure domain A to gain access to secure domain B, or some subset of secure domain B, access to both domains would not be available without the administrative burden of maintaining a database of user authentication information at each secure domain.
Thus, one of the problems of the prior art is that providing access to a secure environment requires that the verifier know particular information about each claimant. Another problem of the prior art is that providing access to a secure environment requires that the verifier know particular information about the claimant's address. Another problem of the prior art is that information shared between the claimant and the verifier is administratively difficult and impractical to gather and maintain for a system with, for example, thousands of claimants seeking access to the secure domain. Another problem of the prior art is that access to a URL at a secure domain requires verification of the claimant each time the URL is accessed. Another problem of the prior art is that associated secure domains each need verification information.
SUMMARY OF THE INVENTION
This invention overcomes the disadvantages of the prior art by providing a way to access a secure environment by first accessing another secure environment. The present invention is directed to, in a general aspect, a method of authenticating membership for providing access to a secure environment. The environment for which access is requested can be a network environment, such as, for example, the Internet, containing a first secure domain and a second secure domain. Network connections can be made using TCP/IP protocols (Transmission Control Protocol/Internet Protocol). Claimants inside and outside of the first secure environment are afforded access to the second secure environment, or a portion thereof, by virtue of being authenticated into the first secure environment. Also, specific information can be obtained based on the knowledge that claimants have access to the first secure environment. The first secure environment uses its own authentication information, such as a database of user names and passwords, for authenticating claimants. In order for an outside claimant to gain access to the second secure environment, the outside claimant must previously have been an inside claimant that used the first secure environment and accessed the second secure environment while using the first secure environment. When the inside claimant accesses the second secure environment, the second secure environment's server stores location information on the claimant's computer. That information can be a cookie containing the first secure environment's URL. The cookie can be stored on the claimant's computer. The information is updated each time the claimant accesses the second secure environment from inside the first secure envi
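The flow described in the summary, as an added simulation that is not the patent's text or an implementation from Pitney Bowes. The page does not say how the second secure environment tells an inside claimant from an outside one, nor (because the text is cut off) what it does with the stored URL for an outside claimant; the example assumes that an inside claimant is recognised by a source address inside the first domain's address range, that an outside claimant is redirected to the stored URL to authenticate at the first domain, and that the stored URL is only honoured when it matches the configured first-domain URL. The cookie name, URLs and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress

# Hypothetical names; the page names none of these.
COOKIE_NAME = "first_domain_url"
FIRST_DOMAIN_URL = "https://login.domain-a.example/"
FIRST_DOMAIN_NET = "10.1.0.0/16"   # constructed address range for domain A


@dataclass
class Request:
    source_ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookie: Dict[str, str] = field(default_factory=dict)
    location: Optional[str] = None


class SecondDomainServer:
    """Server for domain B, the second secure environment."""

    def __init__(self, first_domain_url: str, first_domain_net: str) -> None:
        self.first_domain_url = first_domain_url
        self.first_domain_net = ipaddress.ip_network(first_domain_net)

    def handle(self, req: Request) -> Response:
        src = ipaddress.ip_address(req.source_ip)
        if src in self.first_domain_net:
            # Inside claimant: already authenticated by domain A, so grant
            # access and (re)store domain A's URL on the claimant's computer.
            # The cookie is rewritten on every inside access, as the summary says.
            return Response(200, "granted",
                            set_cookie={COOKIE_NAME: self.first_domain_url})

        stored = req.cookies.get(COOKIE_NAME)
        if stored is None:
            # No record of prior inside access: nothing to verify against.
            return Response(403, "no prior membership recorded")
        if stored != self.first_domain_url:
            # Assumption beyond the page: only the configured domain A URL is
            # honoured, so a cookie carrying an attacker-chosen URL is not followed.
            return Response(403, "stored URL is not the associated first domain")
        # Assumption beyond the page: the outside claimant is sent to domain A
        # to authenticate there rather than being granted access outright.
        return Response(302, location=self.first_domain_url)


class ClaimantBrowser:
    """Minimal cookie jar standing in for the claimant's computer."""

    def __init__(self) -> None:
        self.cookies: Dict[str, str] = {}

    def get(self, server: SecondDomainServer, source_ip: str) -> Response:
        resp = server.handle(Request(source_ip, dict(self.cookies)))
        self.cookies.update(resp.set_cookie)
        return resp


def access_sequence() -> List[int]:
    """Inside access first, then the same claimant from outside domain A."""
    server = SecondDomainServer(FIRST_DOMAIN_URL, FIRST_DOMAIN_NET)
    browser = ClaimantBrowser()
    inside = browser.get(server, "10.1.42.7")      # constructed inside address
    outside = browser.get(server, "203.0.113.9")   # constructed outside address
    return [inside.status, outside.status]


def forged_cookie_status() -> int:
    """Outside claimant presenting a cookie that never came from an inside access."""
    server = SecondDomainServer(FIRST_DOMAIN_URL, FIRST_DOMAIN_NET)
    req = Request("203.0.113.9", {COOKIE_NAME: "https://attacker.example/"})
    return server.handle(req).status


if __name__ == "__main__":
    print(access_sequence(), forged_cookie_status())
```

As the summary describes it, the cookie records only where the claimant was authenticated, not a credential, so on its own it proves nothing about the bearer; the comparison against the configured first-domain URL is there because following a URL taken straight from a client-supplied cookie would let anyone choose where the claimant is sent.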
Cacace-Bailey Melissa
Carvell Rebecca E.
Gardner David P.
Obrea Andrei
Pierce Jeffrey
Chaclas Angelo N.
Malandra, Jr. Charles R.
Pitney Bowes Inc.
Vitale Alberta A.
Wright Norman M.