System and method for network log-on by associating legacy...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing

Reexamination Certificate


C709S229000, C709S224000, C709S225000, C709S203000, C713S155000, C713S156000, C713S152000

Patent number: 06807577

Status: active

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field of the Invention
This invention pertains to computer networks. More particularly, it pertains to establishing a client-to-server connection by associating legacy profiles with user certificates to simplify the log-on or sign-on process.
2. Background Art
Referring to FIG. 1, many legacy and current computer systems, such as server system 104 accessed over network 102 (such as an Internet or intranet network), use the concept of user profiles and passwords to establish the identity of a user on that system. In other words, as is represented by lines 107 and 109, a user must submit a profile name 106 and accompanying password 108 to establish that he is an allowed user on this computer 104. This is typically enforced via what is called a Sign-On Panel 100 where, as is represented by line 111, one is prompted by server 104 to enter his profile name 106 and password 108. The user must remember and enter the exact combination of profile (a.k.a. user identifier) 106 and password 108, or is denied access to the server 104.
This introduces problems. The user is expected to “memorize” his name 106 and password 108. If the user is a software developer who is required to work on many different computer systems 104, recalling multiple names and passwords becomes intimidating. This is especially true when passwords 108 can have arcane rules, such as being required to contain so many numeric or alphabetic characters, and must be changed periodically. Because the user must remember so many, or because he simply cannot remember any, these user profiles and/or associated passwords are written down on paper, posted on the computer terminal or a nearby note board, or put in a desk or other insecure place. Whatever the case, the user has compromised the security of the computer system should someone manage to obtain this information, not to mention the additional frustration and time it costs the user.
This problem is compounded in networks, where the user may use a client application to connect to a server 104. To sign on to that server, the user must send his profile name 106 and password 108 over the network 102 to server 104. This means that at any point in the network 102, someone can intercept this information before it arrives at the server 104, learn the user's profile name 106 and password 108, and then use them without his knowledge. Thus, a primary security concern is protecting information being exchanged between clients 100 and servers 104, in particular with any server 104 that prompts 111 for a profile and password.
Referring to FIG. 2, protection of data while it traverses the Internet is essential for many companies and their customers. One popular means of securing data is Secure Sockets Layer (SSL) technology, which uses RSA Data Security techniques to encrypt and decrypt data at each endpoint, foiling attempts to read any data intercepted in transit through network 102. SSL also makes possible the exchange of certificates 110, 112, which are a mechanism by which each endpoint 101, 104 (such as a computer node, server 104 or client 101) can validate the identity of the other endpoint. For example, if a user 101 wants to connect and sign on to a particular web server 104, certificates allow the user to be sure the connection is really to that web server 104 and not to some other machine. Likewise, certificates allow the web server 104 to be sure of the identity of a particular user 101. As is represented by lines 113 and 115, after the certificates 110, 112 have been used to authenticate the user 101 and server 104, the certificate is no longer needed, and the user 101 is allowed to establish an SSL connection to the web server 104 and proceed to a sign-on panel 100, where he must then enter his traditional user profile 106 and password 108 and communicate them, via lines 117, 119 and 103, 105 respectively, to server 104 for comparison with the stored profile 114 and password 116.
Since certificates 110, 112 have already validated the client identity, it is redundant to require that the user, or client 101, also sign on using a profile name 106, 114 and password 108, 116. This profile information is not part of any SSL information exchange, which means that even though the user has already established his identity via SSL certificates 110, 112, he must still prove his identity again: once via SSL and again via the sign-on panel 100 with profile 106 and password 108. This makes it even more difficult for a particular user to manage his profiles and passwords.
User exits give server administrators a way to provide a program that validates a client identity using the IP address of the connection. This security is very weak and can be faked, since IP addresses are easily spoofed and cannot be trusted. Alternatively, encrypted passwords may be sent to a Telnet server, which provides good security.
It is an object of the invention to provide a system and method for bypassing sign-on panels, avoiding double validation for SSL users.
It is an object of the invention to provide a network connection which requires no exchange of profiles and passwords over the network.
It is an object of the invention to eliminate or substantially reduce profile and password management.
It is an object of the invention to provide a system and method for allowing a user, once having created, received or installed a certificate, to log-on to a computer network without further exchange of profiles and passwords.
It is an object of the invention to provide an improved system and method for enabling exchange or initiation of specific actions. Such actions may include initial programs, object access authority, and environment set up.
It is an object of the invention to provide a system and method for boosting performance by turning encryption off after client authentication.
It is an object of the invention to provide a system and method enabling a user to be limited to a pre-defined profile or to the number of sessions simultaneously active.
It is an object of the invention to avoid the use of passwords to sign-on to a server.
SUMMARY OF THE INVENTION
In accordance with preferred embodiments of the invention, a system and method are provided for connecting a client system to a server system. A user profile is associated with a user certificate in a client database. Responsive to user input of said profile, the user is authenticated to a certificate in the client database, and that certificate is then communicated to the server. The server validates the certificate and, upon validation, establishes a job session with the client without prompting the user for subsequent input of profile and password.
In accordance with an aspect of the invention, there is provided a computer program product configured to be operable to connect a client to a server system based upon certificates without server prompting for user input of profile and password.
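The flow the summary describes, as an added example in Go that is not code from the patent or from any product implementing it: a certificate authority, a server certificate and client certificates are generated in memory (the CA, every name, and the legacy profile DEVUSER1 are constructed for this example), the server requires and verifies a client certificate during the TLS handshake (TLS stands in here for the SSL of the patent), then looks the verified certificate up in a profile database keyed by certificate fingerprint and opens a session for the mapped legacy profile with no profile or password prompt. The client-side half of the patent's database (the user authenticating locally to a certificate) is reduced to the client simply holding its private key. Three clients connect: an enrolled certificate, a certificate from the trusted CA that has no profile mapping, and a self-signed certificate carrying the same common name as the enrolled one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key and certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // lets the server certificate verify for 127.0.0.1
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, skey := tmpl, key
	if parent != nil {
		signer, skey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, skey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// fingerprint identifies a certificate by the SHA-256 of its DER encoding.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// serve handles connections one at a time: the handshake verifies the client certificate against
// the CA, then the verified certificate (by fingerprint, not by its CN) is looked up in the profile
// database and a session starts with no password prompt.
func serve(ln net.Listener, cfg *tls.Config, profiles map[string]string) {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		conn := tls.Server(raw, cfg)
		if conn.Handshake() == nil { // on failure the alert is already sent and no session exists
			if p, ok := profiles[fingerprint(conn.ConnectionState().PeerCertificates[0])]; ok {
				fmt.Fprintf(conn, "SESSION %s\n", p)
			} else {
				fmt.Fprintln(conn, "DENIED certificate verified but not associated with any profile")
			}
		}
		conn.Close()
	}
}

// connect presents a client certificate and returns the server's reply, or "ERROR: ..." on failure.
func connect(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "ERROR: " + err.Error()
	}
	defer conn.Close()
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return "ERROR: " + err.Error()
	}
	return strings.TrimSpace(string(buf[:n]))
}

// RunScenarios starts a server and connects three clients: an enrolled certificate, a CA-issued but
// unenrolled one, and a self-signed one reusing the enrolled CN. Names and "DEVUSER1" are constructed.
func RunScenarios() map[string]string {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca, caKey := issue("Example CA", true, nil, nil, nil)
	srv, srvKey := issue("server", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	enrolled, enrolledKey := issue("dev1", false, clientAuth, ca, caKey)
	stranger, strangerKey := issue("dev2", false, clientAuth, ca, caKey)
	rogue, rogueKey := issue("dev1", false, clientAuth, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	pair := func(c *x509.Certificate, k *ecdsa.PrivateKey) []tls.Certificate {
		return []tls.Certificate{{Certificate: [][]byte{c.Raw}, PrivateKey: k}}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	// The profile database: verified certificate identity -> legacy profile; no password is stored.
	go serve(ln, &tls.Config{Certificates: pair(srv, srvKey), ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool},
		map[string]string{fingerprint(enrolled): "DEVUSER1"})
	client := func(c *x509.Certificate, k *ecdsa.PrivateKey) string {
		return connect(ln.Addr().String(), &tls.Config{RootCAs: pool, Certificates: pair(c, k)})
	}
	return map[string]string{
		"enrolled":   client(enrolled, enrolledKey),
		"unenrolled": client(stranger, strangerKey),
		"untrusted":  client(rogue, rogueKey),
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

Two checks matter here. Validation and association are separate steps: the second client passes TLS verification but gets no session, because a certificate the CA trusts is not the same as a certificate the server has associated with a profile. The association is keyed by fingerprint rather than by subject name, so the third client's identical common name buys it nothing (it fails the handshake anyway, since the server does not trust its issuer). The session also stays encrypted after authentication: crypto/tls offers no way to switch encryption off once the handshake is done, and doing so would expose the very session data the certificate exchange was meant to protect.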
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.


