Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1997-11-13
2004-04-20
Wright, Norman M. (Department: 2134)
C713S152000, C380S029000
active
06725376
ABSTRACT:
TECHNICAL FIELD
The present invention relates to user authentication and/or authorization of data communications and, more particularly, to data communication over a distributed computer system and server architecture that securely maintains user authentication and/or authorization throughout the distributed computer system and server architecture.
BACKGROUND ART
Many Internet protocols and applications are designed to serve large public user groups. Because of this, Internet servers were designed to serve their community in a stateless manner. One request to the server has no relationship to the previous or next request. All requests are independent, rather than considered as part of a user “session” to that server. This approach simplified server activity to service many requests from many users, without having to establish and track sessions for each user. However, the approach introduces a new problem to solve: user privacy and security.
In a network environment, security issues such as communication channel integrity and privacy, user authentication, and user authorization exist. Communication between two end points in a network has to be guarded against outside intervention (i.e., High Voltage noise, Lightning or Human). Security affording protection against this kind of intervention is commonly referred to as communication channel integrity and privacy.
Channel integrity and privacy precautions against “natural” events are typically handled by communication protocols. Algorithms have been developed over the years to perfect and solve these “natural” events and have been proven effective through many years of usage. However, when introducing a channel integrity and privacy problem, such as Human intervention, the reliability of these algorithms deteriorates. Protocol-level controls typically do not encrypt data, enabling human intervenors to change Cyclic Residency Control (CRC) information and any information on an open transmission channel. Hence, any user-sensitive data (for example, credit card numbers or other private user information) traveling on the Internet can be obtained by any human intervenor.
In an effort to resolve this problem, Web Technology providers architected Secure Socket Layer (SSL). SSL is the product residing between Web applications and the Communication Protocol Layer. SSL provides data encryption, server authentication and message integrity for TCP/IP connections. This effectively handles protecting the privacy and integrity of data traveling over the Internet.
User authentication is defined as “determining the true identity of a user or an object attempting to access a system.” Any non-public system has to have an authentication system in order to filter and identify users from one another. However, Web servers do not typically keep track of the user identity throughout the duration of that user's visit to the site. For complete security, the user identity must be provided with each request made of the Web server. This may be accomplished by having the user “log on” for each new request, or by conducting a behind-the-scenes “re-authentication” of the user for each request. These techniques are, however, inconvenient for the user and/or time-consuming for the application.
User authorization involves determining what types of activities are permitted for an authenticated user or object. Authorization is generally grouped into two categories: (1) Data Set Authorization (typically controlled by the application), and (2) Function Set Authorization (typically controlled by the operating system).
Based on the foregoing, we have determined that web user “authentication” must first be accomplished before optionally following with user “authorization”. Hence, efficiency may be increased if “authentication” for each “authorization” request is eliminated.
SUMMARY OF THE INVENTION
To overcome the above-identified disadvantages and shortcomings of the prior art, it is a feature and advantage of the present invention to transmit data over a distributed computer system and server architecture, such as the world wide web, in a more secure and efficient manner.
It is another feature and advantage of the present invention to provide user authentication information which is maintained throughout transmission over a distributed computer system and server architecture, such as the world wide web.
It is another feature and advantage of the present invention to provide user authorization information in addition to the authentication information, enabling the user to gain access to system resources provided, for example, over the world wide web.
According to one aspect of the invention, a distributed computer system and server architecture transmit an electronic ticket, used for verifying user authorization information, to provide secure data communications over the distributed computer system and server architecture. At least one storage device stores data, and at least one user computer transmits the user authorization information and a user request to at least one server. The at least one server, connectable to the at least one user computer, generates the electronic ticket based on at least the authorization information. The authorization information is hashed to produce a signature, the signature is encrypted to prevent unauthorized alteration of the authorization information, and the authorization information and the encrypted signature are concatenated.
In one embodiment of the invention, the distributed computer system and architecture further includes at least another server authorizing the user to access system resources upon validating the integrity of the information in the electronic ticket.
In another embodiment of the invention, the at least one server is an authentication server authenticating the user based on authentication information to generate the electronic ticket including the authorization information.
Another aspect of the invention provides a method for using an electronic ticket generated on a distributed computer system and server architecture for verifying user authorization to provide secure data communication over a distributed computer system and server architecture. The method provides a data packet having information based at least on authorization information to at least a first server connectable to the distributed computer system and server architecture, produces a signature from the at least first server by hashing at least the authentication information, encrypts at least the signature using the at least first server, concatenates the information in the data packet with the encrypted signature using the at least first server, and transmits the ticket over the system in a non-secured environment. A user is authorized by at least a second server to access system resources upon validating the integrity of the information in the ticket having been transmitted in the non-secured environment.
In one embodiment of the invention, MD5 protocol is used to hash the information in the data packet.
In another embodiment of the invention, a private key is used to encrypt the signature.
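The ticket construction and validation described in this summary, as an added example that is not part of the patent text. It swaps in HMAC-SHA256 under a key shared by the issuing and validating servers in place of the MD5 hash and private-key encryption the embodiments name; the key, the field names, the base64url encoding and the "." separator are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; this sketch assumes both servers hold it.
TICKET_KEY = b"constructed-demo-key-not-for-production"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def canonical(fields: dict) -> bytes:
    # Canonical JSON so both servers sign and check exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(authorization: dict, key: bytes = TICKET_KEY) -> str:
    """First server: sign the authorization information, then concatenate."""
    payload = canonical(authorization)
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    # "." is outside the base64url alphabet, so the two parts split cleanly.
    return b64(payload) + "." + b64(signature)


def validate_ticket(ticket: str, key: bytes = TICKET_KEY):
    """Second server: return the authorization dict, or None if integrity fails."""
    try:
        payload_b64, signature_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        signature = base64.urlsafe_b64decode(signature_b64)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; the payload is parsed only after it verifies.
    if not hmac.compare_digest(signature, expected):
        return None
    return json.loads(payload)


def tampered_copy(ticket: str, **changes) -> str:
    """Demo helper: change fields in transit while keeping the old signature."""
    payload_b64, signature_b64 = ticket.split(".")
    fields = json.loads(base64.urlsafe_b64decode(payload_b64))
    fields.update(changes)
    return b64(canonical(fields)) + "." + signature_b64
```

The validating server rejects any ticket whose authorization fields were changed after issue, which is the integrity property the summary relies on when the ticket crosses a non-secured environment.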
Sasmazel Levent M D
Schneider David H.
Lowe Hauptman & Gilman & Berner LLP
NCR Corporation
Wright Norman M.