Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
2000-06-30
2004-06-22
Morse, Gregory (Department: 2134)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C713S160000, C713S161000
Reexamination Certificate
active
06754825
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to the field of transaction processing. The present invention can relate to the field of palmtop computers and transaction processing using a palmtop computer.
2. Related Art
As the components required to build a computer system have reduced in size, new categories of computer systems have emerged. One of the new categories of computer systems is the “palmtop” computer system. A palmtop computer system is a computer that is small enough to be held in the hand of a user and can be “palm-sized.” Most palmtop computer systems are used to implement various Personal Information Management (PIM) applications such as an address book, a daily organizer and electronic notepads, to name a few.
The latest generation of palmtop computers includes an internal RF transceiver that allows a user to carry out many types of online transactions from almost anywhere. Many online transactions involve access to information or services. For these types of transactions, users are typically required to pay access fees. However, to prevent fraud, and to assure that only paying users are accesing fee-based services, authentication and authorization of users is required. That is, the request must be authenticated to make sure that it originated from a particular user and the access must be authorized. That is, the particular user must be entitled to use that particular service at the time of the requested access to the service.
Authentication and authorization of palmtop computer users is typically accomplished as follows. Upon payment of the required fee, an identification number associated with a particular palmtop computer is entered into one or more database. Each time that a user requests access to information, the palmtop computer is queried to determine the identification number of the palmtop computer from which the request originated. The database containing the requested information then compares the identification number with authorized identification numbers to determine whether the request is coming from an authorized palmtop computer. If the request is coming from an authorized palmtop computer, the requested information is obtained and is sent from the database to the palmtop computer.
These types of prior art systems require multiple transmissions between the database containing the desired information and the requesting palmtop computer. This consumes valuable power and system resources of the palmtop computer, slowing response time. Also, the use of multiple transmissions, database searches, and comparisons of received data to data from the database further slow response time and consume valuable processing resources of each server that provides a service each time that a request for services is received. In addition, constant updating of authorization numbers is required on all systems that provide services. Moreover, because the identification number of the device is used for authentication, users cannot access services using computing devices other than the particular device that was used when the service was initially ordered. This is particularly disadvantageous to those users that have multiple palmtop computers because they must register each palmtop computer for each desired service.
Therefore, it would be useful to provide a way to authenticate and authorize usage of transaction services that will allow for quick access to the desired service and that would not consume excessive power and system resources of a palmtop computer. Also, a way to authenticate and authorize usage of transaction services is needed that will not require constant updating of authorization numbers, and that will not consume valuable processing resources at each system that provides services. In addition, a way to authenticate and authorize usage of transaction services is needed that allows for access from multiple palmtop computers and that allows for access from other computing devices.
SUMMARY OF THE INVENTION
A method and apparatus for secure transaction processing which can be utilized with a palmtop computer is described that allows for quick access to services while providing authentication and authorization. The method and apparatus of the present invention does not consume excessive power and system resources of a palmtop computer. Also, the method and apparatus of the present invention allows for access to services from client systems other than palmtop computers and allows for the use of multiple client systems to access services using a single account.
Upon activation, an entry is created in a user database. The user will have a certain profile that is represented in the user database. The first time that a client attempts to access a service for which a fee is charged, a software program on the client system will detect the absence of an authentication cookie. This will cause the software program to send a registration request to a server. This request will result in the the assignment of user identification data and the generation of an authentication cookie that is returned to the client system. The authentication cookie is then stored on the client system.
In the present embodiment, the authentication cookie includes a user encryption key that is generated using a secret key and other data relating to the user or that is arbitrarily generated. In one embodiment, a key identifier, user identification data and a secret key are used to generate the user encryption key. The cookie also includes an encrypted buffer that includes the user identification data and profile code. The profile code identifies the services that the user is entitled to use.
Subsequent requests prompt the user to enter user identification data. The entered user identification data is used in conjunction with data from the authentication cookie to generate a query. In the present embodiment, the query includes a request buffer and the encrypted buffer from the received cookie which are encrypted using the user encryption key. The user identification data entered by the user and the key identifier are then added to encrypted portion of the query “in the clear” (e.g., not encrypted). The query is then transmitted from the client system to an authentication and authorization server.
Queries received at each authentication and authorization server are analyzed to determine if the query is authentic and authorized. In the present embodiment, the authentication and authorization server reads the user identification data input by the user and the key identifier, which are then used to reconstruct the user encryption key. The authentication and authorization server then uses the reconstructed user encryption key to decrypt the request buffer. If the decryption fails, the server will return an authentication failure response to the client system.
If the decryption is successful, the authentication and authorization server will decrypt the encrypted buffer and will retrieve the user identification data and profile code. If the decryption fails, or if the user identification data input by the user does not match the user identification data from the encrypted buffer, the server will return an “authorization failure” response to the client computer.
If the decryption is successful and if the user identification data input by the user matches the user identification data from the encrypted buffer, the server will analyze the profile code to determine whether the profile code indicates that the user is entitled to the requested service.
If the profile code indicates that the user is entitled to the requested service, the authentication and authorization server will forward the unencrypted request buffer to a server that provides the desired service.
A response to the query is then generated and is transmitted from the server that provides the desired service, via the authentication and authorization server, back to the client system.
Authentication and authorization of a query is accomplished without recourse to the registration server or the user da
Chen Carl
Dalbec Gabe
Lennie Robert
Brown Christopher J.
Morse Gregory
Palm Source, Inc.
Wagner , Murabito & Hao LLP
LandOfFree
Secure authentication and authorization for transaction... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Secure authentication and authorization for transaction..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Secure authentication and authorization for transaction... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3342769