US20040054898A1 - Authenticating and communicating verifiable authorization between disparate network domains - Google Patents
Authenticating and communicating verifiable authorization between disparate network domains
- Publication number: US20040054898A1 (application US10/229,693)
- Authority
- US
- United States
- Prior art keywords
- user
- internet site
- digitally signed
- digital signature
- computer readable
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications (all under H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/08—Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/12—Network architectures or network communication protocols for network security, applying verification of the received information
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L2209/68—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00): special signature format, e.g. XML format
Definitions
- the present invention is related to systems, program products and methods for secure computer data sharing, more particularly to authorizing communication with a secure entity in an Internet network.
- FIG. 1 depicts the elements that make up a typical computer for use in presenting and maintaining an application.
- the computer 100 consists of a Base Computer 101 which comprises a processor 106 , storage media such as a magnetic disk 107 and a high speed volatile main memory 105 .
- An operating system and application programs 111 reside on the storage media 107 and are paged into main memory 105 as needed for computations performed by the processor 106 .
- the Base computer may include optional peripheral devices including a video display 102 , a printer or scanner 110 , a keyboard 104 , a pointing device (mouse) 103 and a connection 108 to a network 109 .
- In a client environment, a user will interact with a Graphical User Interface (GUI) by use of a keyboard 104 and mouse 103 in conjunction with the display of information on the display 102 under control of an application program (application 1 ) 112 .
- the client application program 112 will then interact with remote users by way of the network 109 .
- In FIG. 2 an example Internet system is shown.
- a user 210 at client 1 201 uses applications on his system.
- This user (user 1 210 ) at client 1 201 can interact with clients 2 - 4 202 - 204 by way of a client server computer 206 .
- Applications 112 may be provided by each client 201 - 205 and or the client server 206 or some remote server 208 by way of the network 207 .
- the user at client 1 201 can interact with a remote user (user 5 211 ) at client 5 205 by way of the Internet 207 .
- HTTP HyperText Transfer Protocol
- W3C World Wide Web Consortium
- IETF Internet Engineering Task Force
- HTTP Redirect is a mechanism in which an HTTP Server can indicate to the user-agent that further action is needed to fulfill the request.
- a simple example is a resource moving to a different location.
- the original server can provide a pointer to the new location of the resource, and can further indicate that the pointer is intended to be permanent or temporary.
- Encoding is the formatting of data according to a standard format.
- Base64 encoding (described in IETF RFC 1521 ) is a way of representing an arbitrary binary stream as the lower 65 characters in the ASCII alphabet.
- URL Encoding is a way in which strings meant to represent arbitrary characters in a given universal resource locator (URL) can be mapped within the bounds of the allowed url-safe subset of the ASCII alphabet.
- Encryption is the act of encoding a file to prevent any person but the intended recipient(s) from reading it.
- Hashing is the act of applying a one way function to generate a fixed length value from an input of arbitrary size. The output of the hash function is useful for determining if content has been altered.
- MD5 and “SHA” are some popular example hashing algorithms.
- Signing (also known as “digital signing”) combines encryption with hashing to generate a representation of an object that can be proven to have been generated only by the sender.
- Digital Signature Standard (DSS): Federal Information Processing Standards Publication 186, May 19, 1994
- XML (Extensible Markup Language) is an open standard from the W3C.
- XML is a standard way of presenting information such that the content describes itself. It is both human and machine readable.
- the format of an XML document can be specified externally, and a document can be validated against these external specifications.
- a “remote procedure call” is a way in which one computer can ask a second computer to perform an operation on some given input on its behalf and return the result.
- a World Wide Web (web) service is a remote procedure call that is encoded in XML and can be transported over HTTP as well as other mediums.
- Popular Web service protocols are SOAP and XML-RPC.
- authentication is the process of establishing the identity of a client.
- Authorization is the process of taking the confirmed identity of a client and determining if that client is allowed to perform the requested actions.
- the present invention (IIPX) teaches a system for authenticating a user without passing an id and password to the protected server.
- a client browser presents an authentication prompt to the user.
- the user provides their credentials.
- the server processes the authentication request resulting in a digitally signed token.
- the token is then sent to the target server.
- the target server receives the token and requests signature verification from the originating client.
- FIG. 1 is a diagram depicting example components of a computer system
- FIG. 2 is a diagram depicting example components of a client-server network
- FIG. 3 is a diagram depicting example components of the invention.
- FIG. 4 depicts an example flow diagram depicting creating a digitally signed token according to the present invention
- FIG. 5 is an example flow diagram depicting verifying the digitally signed token at a secure server
- FIG. 6 is a flow diagram representing major events of the present invention.
- FIG. 7 is a flow diagram representing credential authentication
- FIG. 8 is a flow diagram representing digital signature creation
- FIG. 9 is a flow diagram representing verification of the digitally signed token.
- FIG. 10 is a representation of a login display for accessing a remote secure server.
- the present invention provides a method for securely accessing a secure remote server (preferably a web server) without passing authentication credentials to the remote server.
- a secure remote server preferably a web server
- the example system employing the present invention is herein called “IIPX” or IBM Intranet Password External.
- IIPX comprises an LDAP directory 303 , authentication/redirection application 302 , a client web browser 301 , a disparate web site 304 and a digital signature verification service 305 .
- the LDAP directory 303 provides a means for storing information pertaining to entities in an organization. It is a digital network name and address book.
- the LDAP directory 303 provides:
- the authentication/redirection application 302 is comprised of a web application (dynamic HTML).
- the authentication/redirection application runs on a computer system similar to the one shown in FIG. 1 wherein an application resides in storage 105 to be executed in processor 106 .
- the application provides:
- the client web browser 301 also running in a user's computer as taught in FIG. 1, is an application for viewing web technologies, such as HTML, DHTML, JavaScript, VBScript and Java Applets.
- the client web browser also provides the ability to submit content to remote servers by way of a network (preferably the Internet 207 ).
- the client browser application 301 provides:
- the disparate web site 304 is any web site that requires authentication but does not have access to the user's authentication server.
- the disparate web site 304 is a set of applications running on a computer similar to the one shown in FIG. 1 and provides:
- the signature validation service 305 is part of the originating entity providing a secure interface for remote systems to request token verification.
- a secured connection preferably uses SSL encryption to establish trusted connections between two machines.
- a web browser client 301 communicates to the authentication/redirection Server 302 via a secure URL specifying a desired vendor.
- a secured web site uses SSL encryption to establish trusted connections between two machines. Most web browsers provide this technology transparently to the end user 308 . Often a padlock icon (FIG. 10, 1005 ) indicates when the HTTP communication is secured.
- the data store 303 such as a database, flat file or memory is maintained with vendor ids and the specific requirements of the vendor (remote secure server) login.
- the vendor ID indicates which HTML form to present to the user 308 via the browser 301 .
- each remote secure website 304 has a unique HTML prompt form which is dynamically presented to the user 308 when he selects a remote secure service 304 .
- the vendor ID prompts an HTTP 401 challenge (see FIG. 4).
- the data can be entered in many different ways, however, a web based interface is preferred. This interface provides an HTML form to allow for the creation and association of the vendor code and authentication method.
- the authentication/redirection server 302 supplies an HTML web page to prompt the client 301 for login information. In a preferred embodiment, this authentication prompt is customized based on the vendor ID.
- the user 308 of the web browser 301 enters their authentication credentials.
- the user 301 (or optionally the user's organization) in one embodiment, also provides other information to be incorporated into the authentication token.
- the authentication/redirection server 302 checker checks the credentials. If the credentials are OK, an authorizer authorizes user access, and the authentication/redirection server 302 then generates an XML-based token (see the example in Table 1), which may include personal information such as first name, last name, address or employee number. TABLE 1: Sample XML token.
- the XML token optionally includes a time-to-live field representing the time during which the token is valid.
- the authentication/authorization application 302 uses a signature generator to digitally sign the XML token.
- the token (the reference example token in Table 1) is BASE64 encoded and URL encoded. The result is shown in Table 2.
- the server redirects the client web browser transmitter to transmit the resulting request to the remote vendor's server 304 using HTTP URL redirection.
- the vendor's server 304 receives the token and digital signature as CGI variables.
- CGI variables are a means for passing name and value pairs to applications running in a web server.
- the vendor application communicates to a verification service 305 to check the token validity.
- the verification service 305 checks the originating digital signature against the signature and XML token provided by the remote server 304 . The service 305 further checks that the token has not been checked before and that the token has not timed out. The verification service 305 returns an indication of the token's validity (“YES/NO/ERROR”) to the remote vendor server 304 . TABLE 2 Sample HTTP 301 for user “John Q.
- digital signatures and XML tokens would be represented using Base-64 and URL encoding as exemplified in table 2.
- James is trying to access a travel web site from within his company's intranet. James 308 begins his web travels using his HTML browser 301 . The starting URL is hosted on the corporate secure web site 304 .
- James' browser 301 requests a login web page FIG. 10 for the secure site.
- login request is directed to the authentication server 302 which preferably dynamically builds an HTML form, customized for the requested site.
- authentication server returns the HTML form to James' browser.
- the web page begins with some information about the external vendor web site, but also prompts him for his username and password.
- the login form is customized to the style of the external travel web site. This customization was determined by the vendor code maintained by James' company. It provides the unique design of the travel web site while clearly indicating that James can use his intranet password to login. James will use his common authentication password stored in the corporate LDAP directory.
- James enters his ID 1002 and Password 1003 and hits the “Submit” button 1004 .
- When James presses the submit button on the HTML form, his user name and password are sent at 604 to the authentication/authorization server 302 to verify his credentials.
- When the authentication server 302 receives his credentials at FIG. 7 701 , the authentication server 302 makes a connection to the corporate LDAP directory at 702 .
- the corporate LDAP directory is like a phone book. It stores information about individuals in an organization. Two of the fields it stores are a user's user name and password.
- the web server requests verification that James has entered the appropriate user name and password for his LDAP entry. If there is an error, James is prompted as such. In this case James has provided the correct credentials and the LDAP check is successful at 703 .
- the external travel web site 304 needs personal information about James. In the case of his company, they have opted to provide that on James' behalf at 605 .
- the web server queries the LDAP server 704 for James' first name, last name, employee ID and e-mail address. Referring to FIG. 8, 606 the web server builds an XML document at 801 containing this personal information. It adds three more parts, the vendor's ID, a time stamp as to when the packet was created and an expiration time. The expiration time will indicate as to when this XML document is to be treated as invalid.
- the web server digitally signs the XML packet at 802 . This process is done through technology, applications and code well known in the art.
- the web server now builds the HTTP 301 URL redirect with the digital signature and XML packet.
- the XML packet is BASE64 encoded and URL encoded to preserve the content while making it URL compliant (Table 2).
- the web server sends the redirection URL back to James' HTTP browser at 804 .
- the external travel web site 304 has a special URL for employees from James' company. Referring to FIG. 9, at 901 the redirection URL points there. At 902 , the travel web site receives James' HTTP request. Name and value pairs are passed via the URL format. As seen in Table 2, the web server is able to identify the digital signature and the XML token. The travel web site now has these two parts but still needs to validate the token.
- the travel web server first BASE64 decodes the XML packet (Table 2) and looks at the vendor ID to make sure it was intended for them. The travel web server optionally checks to see if the XML packet has already expired via the expiration time stamp. If the packet is still viable then the web site makes a connection back to James' company.
- James' company runs a signature verification service 305 .
- the validation service is provided by any trusted party.
- the service validates digital signatures for data that has been previously signed. In this scenario it will be validating digital signatures of XML documents.
- the travel web site makes a request for validation.
- the verification service receives the request from the travel web site.
- the request contains the digital signature and the XML document.
- the verification service checks to see that the XML document has not expired at 906 . If it has, it returns that result to the travel web site. Otherwise, the verification service keeps a record of each XML token it receives in storage, such as memory, database or hard disk. It removes them from storage after the XML token's expiration time has been reached.
- the verification system can determine if a requested token has already been processed.
- the time to store each token is determined based on the expiration of each token. Retaining the token until expiration renders the XML document useless in future requests.
- the verification service compares the signature it created with the signature that the travel web site presented as part of the verification request. If they do not match the result is returned to the travel web site. If they match then a positive result is returned at 908 to the travel web site.
- the external travel web site receives the results from the verification service. If the results are negative then it presents an HTML page to James' HTTP browser to alert him of the condition. If the result is positive the travel web site uses the personal data in the XML token to provide a customized web page to be sent back to James' HTTP browser 301 . While there are many steps to this process, James experienced a quick and seamless end-to-end response. As far as James was concerned he logged in from inside his company and was transparently transported to an external web site that had personal information about James for an enhanced user experience.
- All the network connections in the preferred embodiment use SSL to encrypt transactions. While the external web site verifies authentication and authorization via the digital signature service, it is possible for network communications to be compromised. One way would be to capture the redirect URL and attempt to use it to replay the series of events. If no extra security precautions were taken it would be feasible for an eavesdropper to obtain a URL that was not theirs and therein access web sites as someone else.
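As an added illustration (not code from the patent), the following Python models the flow described above end to end: the authentication server builds the XML token with the personal fields, vendor ID, creation time and expiration time, signs it, Base64- and URL-encodes both parts into the redirect URL; the vendor site decodes the CGI variables and checks the vendor ID; the verification service checks expiry, rejects a token it has already seen (the replay case the paragraph above describes) and compares the signature, answering YES/NO/ERROR. Element names, the query parameter names “token” and “sig”, and the URLs are constructed assumptions, and the patent's DSS-style digital signature is replaced by an HMAC-SHA256 shared between the authentication server and the verification service so the example runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed key shared by the authentication/redirection server (302) and the
# verification service (305). The patent's DSS-style digital signature is modelled
# here as an HMAC so the example runs with the standard library only (assumption).
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def build_token(first, last, employee_id, email, vendor_id, ttl_seconds, now=None):
    """Authentication server (302): build the XML token (FIG. 8, 801) with the
    personal fields, the vendor ID, a creation time and an expiration time.
    Element names are constructed; the patent does not specify them."""
    now = int(time.time()) if now is None else now
    root = ET.Element("token")
    for tag, val in [("firstName", first), ("lastName", last),
                     ("employeeId", employee_id), ("email", email),
                     ("vendorId", vendor_id), ("created", str(now)),
                     ("expires", str(now + ttl_seconds))]:
        ET.SubElement(root, tag).text = val
    return ET.tostring(root, encoding="utf-8")

def sign(token_bytes):
    """Signature generator (802), modelled as HMAC-SHA256 over the XML bytes."""
    return hmac.new(SIGNING_KEY, token_bytes, hashlib.sha256).digest()

def build_redirect(vendor_url, token_bytes, sig=None):
    """Redirection creator (803): Base64-encode token and signature, then
    URL-encode them as query-string (CGI) variables of the redirect URL.
    Parameter names "token" and "sig" are constructed for this example."""
    sig = sign(token_bytes) if sig is None else sig
    query = urlencode({"token": base64.b64encode(token_bytes).decode(),
                       "sig": base64.b64encode(sig).decode()})
    return f"{vendor_url}?{query}"

class VerificationService:
    """Signature verification service (305): checks expiry, then that the token
    has not been presented before, then the signature; answers YES/NO/ERROR."""
    def __init__(self):
        self.seen = {}  # sha256(token) -> expiry; entries are dropped once expired

    def verify(self, token_bytes, sig, now):
        try:
            expires = int(ET.fromstring(token_bytes).findtext("expires"))
        except (ET.ParseError, TypeError, ValueError):
            return "ERROR"
        # Retain each token only until its own expiration time (FIG. 9, 906-907).
        self.seen = {d: e for d, e in self.seen.items() if e > now}
        if expires <= now:
            return "NO"                      # token has timed out
        digest = hashlib.sha256(token_bytes).digest()
        if digest in self.seen:
            return "NO"                      # replayed redirect URL
        if not hmac.compare_digest(sign(token_bytes), sig):
            return "NO"                      # signature does not match
        self.seen[digest] = expires
        return "YES"

def vendor_receive(url, expected_vendor, service, now):
    """Disparate web site (304): read the CGI variables from the redirect URL,
    Base64-decode, confirm the token was intended for this vendor, then ask 305."""
    qs = parse_qs(urlparse(url).query)
    try:
        token_bytes = base64.b64decode(qs["token"][0], validate=True)
        sig = base64.b64decode(qs["sig"][0], validate=True)
        doc = ET.fromstring(token_bytes)
    except (KeyError, ValueError, ET.ParseError):
        return "ERROR"
    if doc.findtext("vendorId") != expected_vendor:
        return "NO"
    return service.verify(token_bytes, sig, now)

if __name__ == "__main__":
    now = 1_000_000
    svc = VerificationService()
    tok = build_token("James", "Doe", "12345", "james@example.com", "TRAVEL", 300, now)
    url = build_redirect("https://travel.example/partner-login", tok)
    print(vendor_receive(url, "TRAVEL", svc, now))      # YES
    print(vendor_receive(url, "TRAVEL", svc, now + 1))  # NO: replay of the same URL
```

Because the service keeps the digest of every accepted token until that token's own expiration, a captured redirect URL presented a second time is refused, and once the expiration time passes the token is refused on expiry alone, so the record can be discarded.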
- Firewalls 306 , 307 act as barriers on a network. They often delineate the internal “Intranet” and the external “Internet”. They are often used to keep bad traffic out. Bad traffic is considered unsolicited network connections. However, firewalls 306 , 307 also keep network traffic in. Intranets often can access the Internet, but the Internet is usually prevented from accessing the Intranet. Usually these unwanted communications are perpetrated by hackers. Firewalls 306 , 307 also regulate what kind of network activity can leave the network. Firewalls 306 , 307 provide the management at the network layer defining and enforcing which types of connections are to be permitted. In the preferred embodiment the connection traverses the firewall using HTTP URL redirection. HTTP/HTTPS is a common protocol allowed through most firewalls. URL redirection is a preferred method for indirectly traversing disparate networks.
- the user 308 views an HTML page on his browser running on his client machine 301 .
- when he requests the secure remote site (customer site) 304 , he is presented with an HTML page (FIG. 10, 1000 ) prompting him for his Password and ID (his credentials).
- the browser is pointing to an internal server 402 , which is preferably the authentication/redirection server 302 .
- the user enters the information and submits the request as shown in step 1 .
- the authentication server 302 running an intranet password servlet 401 user checker, checks the user's credentials (step 2 ) against the LDAP directory 303 (the authenticator program retrieves LDAP user credentials).
- the authentication server 302 creates an XML document (a token generator generates a token message) and digitally signs it (step 3 ).
- the authentication server 302 then (step 4 ) uses a redirection creator to create an “HTTP 302 ” redirection message and by way of a redirect communicator routine, returns the “HTTP 302 ” containing generated redirect URL query strings to the browser 301 .
- the browser is redirected at 402 to the customer site 304 .
- the signed XML is sent to the customer site 304 over secure socket layer.
- a secure remote server “customer site” 304 receiver receives the signed request token and the secure site server's signature sender sends an SSL request (step 6 ) comprising the signed token via network dispatcher 505 to a digital signature verification web service 305 .
- the web service signature validity receiver receives the token and the digital signature verifier verifies the token (step 7 ) and returns an indicator of the validity (True/False/Error) to the Secure customer site.
- the Secure site 304 session establisher establishes a session with the user (step 8 ) if the token verification was successful.
- the digital signature verification service 305 is a separate entity from the authentication/redirection server 302 .
- groups or individuals acquire digital signature components that are instantiated in the separate digital signature verification service 305 .
- a user wishing to have access to a remote web site 304 opens a security generating web page.
- the web page comprises HTML code for communicating with the Digital Signature Verification service 305 , supplying identifying information and optionally paying fees.
- the Verification service 305 provides a private key to the user which is used by the user's authentication redirection server to generate a digital signature for the user's token.
- the digital verification service 305 associates the user's token with a unique private key for digital signature generation and verification.
- the digital signature verification service 305 supports multiple private keys, one or more private keys are associated (preferably by table lookup) with individual remote web sites 304 .
- multiple private keys are associated with more granular elements such as user ID, subgroup ID (Corporate Department), Project ID (associating a private key with an ID shared by users having similar authority) and the like.
Abstract
Verifiable authentication credentials are provided to foreign systems without passing an id and password to the protected resource. A user wishing to access a secure remote site is prompted for credentials, the credentials are authenticated locally and a digitally signed token is created. The token is redirected to the secure remote site by the user's browser using HTTP redirection. The digital signature is verified by the secure remote site, preferably by a digital signature web service. The remote site establishes communications with the user if the digital signature is valid.
Description
- The present invention is related to systems, program products and methods for secure computer data sharing, more particularly to authorizing communication with a secure entity in an Internet network.
- FIG. 1 depicts the elements that make up a typical computer for use in presenting and maintaining an application. The computer 100 consists of a Base Computer 101 which comprises a processor 106, storage media such as a magnetic disk 107 and a high speed volatile main memory 105. An operating system and application programs 111 reside on the storage media 107 and are paged into main memory 105 as needed for computations performed by the processor 106. The Base computer may include optional peripheral devices including a video display 102, a printer or scanner 110, a keyboard 104, a pointing device (mouse) 103 and a connection 108 to a network 109. In a client environment, a user will interact with a Graphical User Interface (GUI) by use of a keyboard 104 and mouse 103 in conjunction with the display of information on the display 102 under control of an application program (application 1) 112. The client application program 112 will then interact with remote users by way of the network 109.
- In FIG. 2 an example Internet system is shown. A user 210 at client 1 201 uses applications on his system. This user (user 1 210) at client 1 201 can interact with clients 2-4 202-204 by way of a client server computer 206. Applications 112 may be provided by each client 201-205 and/or the client server 206 or some remote server 208 by way of the network 207. The user at client 1 201 can interact with a remote user (user 5 211) at client 5 205 by way of the Internet 207.
- One way that computers interact via networks such as the Internet is using the HyperText Transfer Protocol (HTTP) open standard designed by the World Wide Web Consortium (W3C) and standardized as Internet Engineering Task Force (IETF) RFC2616. It is an intentionally simple and open protocol that is implemented across many heterogeneous computer systems.
- An “HTTP Redirect” is a mechanism in which an HTTP Server can indicate to the user-agent that further action is needed to fulfill the request. A simple example is a resource moving to a different location. The original server can provide a pointer to the new location of the resource, and can further indicate that the pointer is intended to be permanent or temporary.
- “Encoding” is the formatting of data according to a standard format. Base64 encoding (described in IETF RFC1521) is a way of representing an arbitrary binary stream as the lower 65 characters in the ASCII alphabet. “URL Encoding” is a way in which strings meant to represent the arbitrary characters to which a given universal resource locator (URL) can be mapped within the bounds of the allowed url-safe subset of the ASCII alphabet.
- “Encryption” is the act of encoding a file to prevent any person but the intended recipient(s) from reading it. “Hashing” is the act of applying a one way function to generate a fixed length value from an input of arbitrary size. The output of the hash function is useful for determining if content has been altered. “MD5” and “SHA” are some popular example hashing algorithms. “Signing” (also known as “digital signing”) combines encryption with hashing to generate a representation of an object that can be proven to have been generated only by the sender. The Digital Signature Standard (DSS) is specified in Federal Information Processing Standards Publication 186 (May 19, 1994) and can be found at www.itl.nist.gov/fipspubs/fip186.htm.
- “Extensible Markup Language” (XML) is an open standard from the W3C. XML is a standard way of presenting information such that the content describes itself. It is both human and machine readable. The format of an XML document can be specified externally, and a document can be validated against these external specifications.
- A “remote procedure call” is a way in which one computer can ask a second computer to perform an operation on some given input on its behalf and return the result. A World Wide Web (web) service is a remote procedure call that is encoded in XML and can be transported over HTTP as well as other mediums. Popular Web service protocols are SOAP and XML-RPC.
- In the context of computer security, “authentication” and “authorization” are two different processes. Authentication is the process of establishing the identity of a client. Authorization is the process of taking the confirmed identity of a client and determining if that client is allowed to perform the requested actions.
- User authentication and authorization are some of the fundamental security concerns of enterprise computing. Management of user access to resources within an enterprise becomes increasingly difficult as the number of resources grows particularly if the access of users must be managed at the individual resource. The user takes on an increasing burden if he/she must remember a long list of different user identity and password combinations in order to access a large number of resources. Significantly, the longer the list gets, the more chance there is that the user will begin to insecurely store such passwords and inadvertently cause a security breach.
- Centralizing the administration of user id and passwords provides an enormous benefit to an enterprise of even a small size. For example when an employee separates from the enterprise, the access formerly granted to that user can be centrally and instantly revoked. A given user can use the same id and password to login at every site that chooses to allow him or her access. In a system like this, when the user attempts to use a given resource, the user is prompted for a user id and password, which is forwarded by the resource to a central user id and password repository which will confirm the validity of the entered user identity and password combination. LDAP and Microsoft Windows networking are examples of such systems.
- Having a central ID and password store is a big leap, but there is still a vulnerability in the system. Computers on the network are trusted with the handling of sensitive passwords. A rogue computer could be configured to log or otherwise improperly disseminate the passwords of each user that logs in to that system. Another solution is to have a trusted central authority that will be the only system to handle password related information. The trusted system then needs a way to notify the individual resources of the confirmed identity of a given resource. Microsoft Passport and DCE/Kerberos-like systems are examples of this kind of central authentication system.
- The prior descriptions of the various enterprise security schemes are simplified to only encompass authentication. Security systems typically retrieve authorization information along with the authentication information.
- The present invention (IIPX) teaches a system for authenticating a user without passing an id and password to the protected server. A client browser presents an authentication prompt to the user. The user provides their credentials. The server processes the authentication request resulting in a digitally signed token. The token is then sent to the target server. The target server receives the token and requests signature verification from the originating client.
- It is therefore an object of the present invention to provide user access to a remote secure server wherein a user's credentials are checked at a first server and a digitally signed token is sent to the remote secure server, and the remote secure server decodes the digitally signed token to confirm its authenticity.
- It is a further object of the present invention to provide a method for transmitting an authenticated verifiable identity token, transparently to the user, via HTTP 301 URL redirection.
- It is another objective of the present invention to provide a means to communicate across disparate networks using HTTP 301 URL redirection.
- It is a further objective of the present invention to provide a method for using digital signatures to maintain URL integrity in a networked environment.
- It is still a further objective of the present invention to provide a method for generating and mapping authentication challenges via unique “resource identifying” codes.
- It is still a further objective of the present invention to provide a means of expiring digitally signed tokens (XML/Document/Messages).
- The above as well as additional objectives, features, and advantages of the present invention will become apparent in the following written description.
- FIG. 1 is a diagram depicting example components of a computer system;
- FIG. 2 is a diagram depicting example components of a client-server network;
- FIG. 3 is a diagram depicting example components of the invention;
- FIG. 4 depicts an example flow diagram depicting creating a digitally signed token according to the present invention;
- FIG. 5 is an example flow diagram depicting verifying the digitally signed token at a secure server;
- FIG. 6 is a flow diagram representing major events of the present invention;
- FIG. 7 is a flow diagram representing credential authentication;
- FIG. 8 is a flow diagram representing digital signature creation;
- FIG. 9 is a flow diagram representing verification of the digitally signed token; and
- FIG. 10 is a representation of a login display for accessing a remote secure server.
- The present invention provides a method for securely accessing a secure remote server (preferably a web server) without passing authentication credentials to the remote server. The example system employing the present invention is herein called “IIPX” or IBM Intranet Password External.
- In the preferred embodiment (referring to FIG. 3), IIPX comprises an LDAP directory 303, an authentication/redirection application 302, a client web browser 301, a disparate web site 304 and a digital signature verification service 305.
- The LDAP directory 303 provides a means for storing information pertaining to entities in an organization. It is a digital network name and address book. The LDAP directory 303 provides:
- 1. Ability to store, retrieve, edit and organize entity information in an efficient manner; and
- 2. Ability to provide a central store of authentication data, such as user id/password or digital certificates.
- The authentication/redirection application 302 is comprised of a web application (dynamic HTML). The authentication/redirection application runs on a computer system similar to the one shown in FIG. 1, wherein an application resides in storage 105 to be executed in processor 106. The application provides:
- 1. Authentication checks against the LDAP directory;
- 2. XML document creation; and
- 3. Digital signing and dynamic URL redirection.
- The client web browser 301, also running on a user's computer as taught in FIG. 1, is an application for viewing web technologies, such as HTML, DHTML, JavaScript, VBScript and Java Applets. The client web browser also provides the ability to submit content to remote servers by way of a network (preferably the Internet 207). The client browser application 301 provides:
- 1. Submitting authentication credentials;
- 2. Connecting to servers securely using SSL; and
- 3. Following redirection prompts as provided by web servers.
- The disparate web site 304 is any web site that requires authentication but does not have access to the user's authentication server. The disparate web site 304 is a set of applications running on a computer similar to the one shown in FIG. 1 and provides:
- 1. Protected content or services;
- 2. Receipt of the signed token from the authentication/redirection application; and
- 3. The necessary calls to the digital signature validation service to verify tokens.
- In the preferred embodiment the signature validation service 305 is part of the originating entity, providing a secure interface for remote systems to request token verification. A secured connection preferably uses SSL encryption to establish a trusted connection between two machines.
- In a preferred embodiment, a web browser client 301 communicates with the authentication/redirection server 302 via a secure URL specifying a desired vendor. A secured web site uses SSL encryption to establish trusted connections between two machines. Most web browsers provide this technology transparently to the end user 308. Often a padlock icon (FIG. 10, 1005) indicates when the HTTP communication is secured.
- The data store 303, such as a database, flat file or memory, is maintained with vendor ids and the specific requirements of the vendor (remote secure server) login. In this case the vendor ID indicates which HTML form to present to the user 308 via the browser 301. In one embodiment, each remote secure website 304 has a unique HTML prompt form which is dynamically presented to the user 308 when he selects a remote secure service 304. In another embodiment, the vendor ID prompts an HTTP 401 challenge (see FIG. 4). The data can be entered in many different ways; however, a web based interface is preferred. This interface provides an HTML form to allow for the creation and association of the vendor code and authentication method.
- Based on the vendor ID, the authentication/redirection server 302 supplies an HTML web page to prompt the client 301 for login information. In a preferred embodiment, this authentication prompt is customized based on the vendor ID. The user 308 of the web browser 301 enters their authentication credentials. In one embodiment, the user 308 (or optionally the user's organization) also provides other information to be incorporated into the authentication token. Upon receiving the login request, a checker in the authentication/redirection server 302 checks the credentials. If the credentials are OK, an authorizer authorizes user access, and the authentication/redirection server 302 then generates an XML based token (see the example in Table 1) which may include personal information such as first name, last name, address or employee number.
- TABLE 1. Sample XML token.
    <SignonRequest vendor="ABC123">
      <Name>
        <LastName>Smith</LastName>
        <FirstName>John Q.</FirstName>
      </Name>
      <EmployeeID>
        <CountryCode>us</CountryCode>
        <SerialNumber>123456</SerialNumber>
      </EmployeeID>
      <EmailAddress>chao@us.ibm.com</EmailAddress>
      <TimeStamp>2002.07.17 15:38:46 GMT</TimeStamp>
      <Expiration>2002.09.11 15:38:46 GMT</Expiration>
    </SignonRequest>
- The XML token optionally includes a time-to-live field representing the time during which the token is valid. The authentication/authorization application 302 then uses a signature generator to digitally sign the XML token. The token (see the example in Table 1) is BASE64 encoded and URL encoded; the result is shown in Table 2. The server then redirects the client web browser's transmitter to transmit the resulting request to the remote vendor's server 304 using HTTP URL redirection. The vendor's server 304 receives the token and digital signature as CGI variables. CGI variables are a means for passing name and value pairs to applications running in a web server. The vendor application communicates with a verification service 305 to check the token's validity. The verification service 305 checks the originating digital signature against the signature and XML token provided by the remote server 304. It further checks that the token has not been checked before and that the token has not timed out. The verification service 305 returns an indication of the token's validity ("YES/NO/ERROR") to the remote vendor server 304.
- TABLE 2. Sample HTTP 301 for user "John Q. Smith"
    http://ww.remote-server.com/remote-login?SiteID=IBM&
    msg=
    PFNpZ25vblJ1cXVlc3QgdmVuZG9yPSJBQkMxMjMiPjxOYW1lPjxMYXN0TmFtZT5Z
    ZWFnZXI8L0xh%0D%0Ac3ROYW1lPjxGaXJzdE5hbWU%2BS3JpC3RlbjwvRmlyc3RO
    YW1lPjwvTmFtZT48RW1wbG95ZWVJRD48%0D%0AQ291bnRyeUNvZGU%2BdXM8L0Nv
    dW50cnlDb2RlPjxTZXJpYWxOdW1iZXI%2BQzAwMzk3MzwvU2VyaWFs%0D%0ATnVt
    YmVyPjwvRW1wbG95ZWVJRD48RW1haWxBZGRyZXNzPmtyaXN0ZW4ueWVhZ2VyQGdh
    bGlsZW8u%0D%0AY29tPC9FbWFpbEFkZHJlc3M%2BPFRpbWVTdGFtcD4yMDAyLjA1
    LjE3IDEzOjA5OjU1IEdNVDwvVGlt%0D%0AZVN0YW1wPjxFeHBpcmF0aW9uPjIwMD
    IuMDUuMzEgMTM6MDk6NTUgR01UPC9FeHBpcmF0aW9uPjwv%0D%0AU2lnbm9uUmVx
    dWVzdD4%3D&
    sig=
    ANTy5kFaTOO73uAF9LD%2FvKHl3mWbgtiTMWDu%2B7mGLcbEXhNlyT%2F9zsRHZ2
    mz5ANAtsXcE9Ov0FHL%0D%0A%2B1JlaNwTQyIIILdefVmifYsQCEnaRnncZCBPt6
    lF0ieh%2FnNqEiQoC7YDniGzrMQ4L%2FEj3j6SQNr9%0D%0AXQyGNvnCq%2FoHpR
    hNouk%3D
- In a preferred embodiment, digital signatures and XML tokens are represented using Base-64 and URL encoding as exemplified in Table 2.
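To make the token creation and redirect step concrete, the following is an added Python example; it is not code from the patent or from the IIPX system it describes. It builds a token in the layout of Table 1, signs it, BASE64 and URL encodes the token and signature into the msg and sig CGI variables seen in Table 2, and shows how the vendor server pulls them back out of the redirect URL. The signature is an HMAC-SHA256 under a constructed demo key, standing in for the patent's private-key digital signature so the example runs on the standard library alone; the remote-server.example URL, the SiteID value and the 56-day lifetime are assumed values chosen for the demo.

```python
import base64
import hashlib
import hmac
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed demo secret for the authentication/redirection server (302).
# The page signs with a private key; an HMAC stands in here so the example
# needs only the standard library.  Assumption, not the patent's key material.
DEMO_SIGNING_KEY = b"demo-signing-key-not-for-production"
TS_FMT = "%Y.%m.%d %H:%M:%S GMT"  # timestamp layout used in Table 1


def build_token(vendor, last, first, country, serial, email, issued, ttl):
    """Build the SignonRequest XML of Table 1 with a time stamp and an expiration."""
    root = ET.Element("SignonRequest", vendor=vendor)
    name = ET.SubElement(root, "Name")
    ET.SubElement(name, "LastName").text = last
    ET.SubElement(name, "FirstName").text = first
    emp = ET.SubElement(root, "EmployeeID")
    ET.SubElement(emp, "CountryCode").text = country
    ET.SubElement(emp, "SerialNumber").text = serial
    ET.SubElement(root, "EmailAddress").text = email
    ET.SubElement(root, "TimeStamp").text = issued.strftime(TS_FMT)
    ET.SubElement(root, "Expiration").text = (issued + ttl).strftime(TS_FMT)
    return ET.tostring(root, encoding="unicode")


def sign_token(token_xml, key=DEMO_SIGNING_KEY):
    """Signature over the exact token bytes; any later edit to the XML breaks it."""
    return hmac.new(key, token_xml.encode("utf-8"), hashlib.sha256).digest()


def build_redirect_url(remote_login_url, site_id, token_xml, signature):
    """BASE64 then URL-encode token and signature into the msg/sig CGI variables."""
    msg = base64.b64encode(token_xml.encode("utf-8")).decode("ascii")
    sig = base64.b64encode(signature).decode("ascii")
    # urlencode percent-encodes the '+', '/' and '=' of BASE64, as Table 2 shows.
    query = urllib.parse.urlencode({"SiteID": site_id, "msg": msg, "sig": sig})
    return f"{remote_login_url}?{query}"


def parse_redirect_url(url):
    """What the vendor server (304) does on arrival: split and decode the CGI variables."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    token_xml = base64.b64decode(query["msg"][0]).decode("utf-8")
    signature = base64.b64decode(query["sig"][0])
    return query["SiteID"][0], token_xml, signature


def demo():
    """Issue the Table 1 token (constructed values, fixed clock) and build the redirect."""
    issued = datetime(2002, 7, 17, 15, 38, 46, tzinfo=timezone.utc)
    token_xml = build_token("ABC123", "Smith", "John Q.", "us", "123456",
                            "chao@us.ibm.com", issued, timedelta(days=56))
    signature = sign_token(token_xml)
    url = build_redirect_url("https://www.remote-server.example/remote-login",
                             "IBM", token_xml, signature)
    return token_xml, signature, url


if __name__ == "__main__":
    xml, sig, url = demo()
    print(xml)
    print(url)
```

The signature is computed over the serialized token bytes, so the vendor server must verify the exact bytes it decoded from msg rather than a re-serialized copy; a single changed character in the serial number or expiration yields a different signature.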
- In the example that follows, James is trying to access a travel web site from within his company's intranet. James 308 begins his web travels using his HTML browser 301. The starting URL is hosted on the corporate secure web site 304.
- Referring to FIG. 6, James' browser 301 requests a login web page (FIG. 10) for the secure site. At 601, the login request is directed to the authentication server 302, which preferably dynamically builds an HTML form customized for the requested site. At 602, the authentication server returns the HTML form to James' browser. The web page begins with some information about the external vendor web site, but also prompts him for his username and password. The login form is customized to the style of the external travel web site. This customization was determined by the vendor code maintained by James' company. It provides the unique design of the travel web site while clearly indicating that James can use his intranet password to log in. James will use his common authentication password stored in the corporate LDAP directory.
- At 603, James enters his ID 1002 and Password 1003 and hits the "Submit" button 1004. When James presses the submit button on the HTML form, his user name and password are sent at 604 to the authentication/authorization server 302 to verify his credentials.
- When the authentication server 302 receives his credentials at FIG. 7 701, the authentication server 302 makes a connection to the corporate LDAP directory at 702. The corporate LDAP directory is like a phone book. It stores information about individuals in an organization. Two of the fields it stores are a user's user name and password. The web server requests verification that James has entered the appropriate user name and password for his LDAP entry. If there is an error, James is prompted as such. In this case James has provided the correct credentials and the LDAP check is successful at 703.
- As with many useful web sites, the external travel web site 304 needs personal information about James. In the case of his company, they have opted to provide that on James' behalf at 605. The web server queries the LDAP server at 704 for James' first name, last name, employee ID and e-mail address. Referring to FIG. 8, at 606 the web server builds an XML document at 801 containing this personal information. It adds three more parts: the vendor's ID, a time stamp as to when the packet was created and an expiration time. The expiration time indicates when this XML document is to be treated as invalid.
- Having created the XML document, the web server digitally signs the XML packet at 802. This process is done through technology, applications and code well known in the art.
- At 803, the web server now builds the HTTP 301 URL redirect with the digital signature and XML packet. The XML packet is BASE64 encoded and URL encoded to preserve the content while making it URL compliant (Table 2). The web server sends the redirection URL back to James' HTTP browser at 804.
- Most common browsers automatically follow URL redirects from web servers (607). Other browsers simply state that the resource requested has moved and ask the user to look to the following URL to find it. In this case, James' web browser receives the URL redirect and automatically follows the new URL at 607. Because James has configured his browser correctly, the URL redirection seamlessly points him at the external travel web site 304.
- The external travel web site 304 has a special URL for employees from James' company. Referring to FIG. 9, at 901 the redirection URL points there. At 902, the travel web site receives James' HTTP request. Name and value pairs are passed via the URL format. As seen in Table 2, the web server is able to identify the digital signature and the XML token. The travel web site now has these two parts but still needs to validate the token.
- The travel web server first BASE64 decodes the XML packet (Table 2) and looks at the vendor ID to make sure it was intended for them. The travel web server optionally checks to see if the XML packet has already expired via the expiration time stamp. If the packet is still viable then the web site makes a connection back to James' company.
- James' company runs a signature verification service 305. In another embodiment, the validation service is provided by any trusted party. The service validates digital signatures for data that has been previously signed. In this scenario it will be validating digital signatures of XML documents. At 903, the travel web site makes a request for validation.
- At 904, the verification service receives the request from the travel web site. The request contains the digital signature and the XML document. The verification service checks to see that the XML document has not expired at 906. If it has, it returns that result to the travel web site. Otherwise, the verification service keeps a record of each XML token it receives in storage, such as memory, a database or hard disk. It removes them from storage after the XML token's expiration time has been reached. By storing previous tokens for a period of time, at 905 the verification system can determine if a requested token has already been processed. As one way to further secure the system, the time to store each token is determined based on the expiration of each token. Retaining the token until expiration renders the XML document useless in future requests.
- Assuming the XML token is still timely, the verification service signs the XML document. At 907, the verification service then compares the signature it created with the signature that the travel web site presented as part of the verification request. If they do not match, that result is returned to the travel web site. If they match then a positive result is returned at 908 to the travel web site.
- As shown at 609, the external travel web site receives the results from the verification service. If the results are negative then it presents an HTML page to James' HTTP browser to alert him of the condition. If the result is positive the travel web site uses the personal data in the XML token to provide a customized web page to be sent back to James' HTTP browser 301. While there are many steps to this process, James experienced a quick and seamless end-to-end response. As far as James was concerned he logged in from inside his company and was transparently transported to an external web site that had personal information about James for an enhanced user experience.
- All the network connections in the preferred embodiment use SSL to encrypt transactions. While the external web site verifies authentication and authorization via the digital signature service, it is possible for network communications to be compromised. One way would be to capture the redirect URL and attempt to use it to replay the series of events. If no extra security precautions were taken, it would be feasible for an eavesdropper to obtain a URL that was not theirs and thereby access web sites as someone else.
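The verification service's checks, as an added Python example that is not the patent's own code: the expiration test of step 906, the signature comparison of step 907, the replay record of step 905 (token digests remembered until their own expiration, then purged) and the vendor-ID check the travel site performs. The service recomputes the signature and compares it, which is how the page describes step 907; an HMAC-SHA256 under a constructed demo key stands in for the private-key signature. The sample token, the fixed clock and the YES/NO/ERROR strings follow Table 1 and the text; the check order, which confirms the signature before recording the token so that unsigned junk cannot fill the replay store, is a design choice of this example rather than the order given on the page.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed demo secret shared with the issuing server (302).  The page's
# service verifies a private-key digital signature; an HMAC stands in here.
DEMO_SIGNING_KEY = b"demo-signing-key-not-for-production"
TS_FMT = "%Y.%m.%d %H:%M:%S GMT"  # timestamp layout used in Table 1


def sign_token(token_xml, key=DEMO_SIGNING_KEY):
    return hmac.new(key, token_xml.encode("utf-8"), hashlib.sha256).digest()


class VerificationService:
    """Role of element 305: answers YES / NO / ERROR for a (token, signature) pair."""

    def __init__(self, key=DEMO_SIGNING_KEY, clock=None):
        self.key = key
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen = {}  # token digest -> expiration; the replay record of step 905

    def _purge_expired(self):
        """Drop records for tokens that could no longer pass the expiry check anyway."""
        now = self.clock()
        self.seen = {d: exp for d, exp in self.seen.items() if exp > now}

    def verify(self, token_xml, signature, expected_vendor):
        try:
            root = ET.fromstring(token_xml)
            exp = datetime.strptime(root.findtext("Expiration"), TS_FMT)
            exp = exp.replace(tzinfo=timezone.utc)
        except (ET.ParseError, TypeError, ValueError):
            return "ERROR"      # malformed token or missing/garbled expiration
        if root.get("vendor") != expected_vendor:
            return "NO"         # token was minted for a different site
        if exp <= self.clock():
            return "NO"         # step 906: expired
        expected = sign_token(token_xml, self.key)
        if not hmac.compare_digest(expected, signature):
            return "NO"         # step 907: recomputed signature does not match
        self._purge_expired()
        digest = hashlib.sha256(token_xml.encode("utf-8")).hexdigest()
        if digest in self.seen:
            return "NO"         # step 905: already processed, treat as a replay
        self.seen[digest] = exp  # remember it until it would have expired anyway
        return "YES"


# Constructed sample token in the layout of Table 1.
SAMPLE_TOKEN = (
    '<SignonRequest vendor="ABC123"><Name><LastName>Smith</LastName>'
    '<FirstName>John Q.</FirstName></Name><EmployeeID><CountryCode>us</CountryCode>'
    '<SerialNumber>123456</SerialNumber></EmployeeID>'
    '<EmailAddress>chao@us.ibm.com</EmailAddress>'
    '<TimeStamp>2002.07.17 15:38:46 GMT</TimeStamp>'
    '<Expiration>2002.09.11 15:38:46 GMT</Expiration></SignonRequest>'
)


def demo():
    """Run the scenario on a fixed clock: first use, replay, tampering, wrong site, expiry."""
    now = [datetime(2002, 7, 17, 16, 0, 0, tzinfo=timezone.utc)]
    svc = VerificationService(clock=lambda: now[0])
    sig = sign_token(SAMPLE_TOKEN)
    results = [svc.verify(SAMPLE_TOKEN, sig, "ABC123")]                  # fresh token: YES
    results.append(svc.verify(SAMPLE_TOKEN, sig, "ABC123"))              # same URL again: NO
    tampered = SAMPLE_TOKEN.replace("123456", "999999")
    results.append(svc.verify(tampered, sig, "ABC123"))                  # edited token: NO
    results.append(svc.verify(SAMPLE_TOKEN, sig, "XYZ789"))              # other vendor: NO
    now[0] = datetime(2002, 9, 12, 0, 0, 0, tzinfo=timezone.utc)
    results.append(svc.verify(SAMPLE_TOKEN, sig, "ABC123"))              # past expiry: NO
    results.append(svc.verify('<SignonRequest vendor="ABC123"/>', sig, "ABC123"))  # ERROR
    return results


if __name__ == "__main__":
    print(demo())
```

Because the replay record only needs to outlive the token, the store stays bounded by the number of tokens issued within one lifetime; a token captured from a redirect URL is refused on its second presentation and becomes useless once its own expiration passes, which is the property the page describes.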
- Referring to FIG. 3, firewalls. [Only the figure label "Firewalls" survived extraction; the rest of this paragraph is missing.]
user 308 views an HTML page on his browser running on hisclient machine 301. When theuser 308 wishes to go to the secure remote site (customer site) 304, he is presented with an HTML page FIG. 10 1000 prompting him for his Password and ID (his credentials). The browser is pointing to aninternal server 402, which is preferably the authentication/redirection server 302. The user enters the information and submits the request as shown instep 1. Theauthentication server 302 running anintranet password servlet 401 user checker, checks the user's credentials (step 2) against the LDAP directory 303 (the authenticator program retrieves LDAP user credentials). Theauthentication server 302 creates an XML document (a token generator generates a token message) and digitally signs it (step 3). Theauthentication server 302 then (step 4) uses a redirection creator to create an “HTTP 302” redirection message and by way of a redirect communicator routine, returns the “HTTP 302” containing generated redirect URL query strings to thebrowser 301. The browser is redirected at 402 to thecustomer site 304. Instep 5 the signed XML is sent to thecustomer site 304 over secure socket layer. - Referring to FIG. 5, a secure remote server “customer site”304 receiver receives the signed request token and the secure site server's signature sender sends an SSL request (step 6) comprising the signed token via
network dispatcher 505 to a digital signatureverification web service 305. The web service signature validity receiver receives the token and the digital signature verifier verifies the token (step 7) and returns an indicator of the validity (True/False/Error) to the Secure customer site. TheSecure site 304 session establisher establishes a session with the user (step 8) if the token verification was successful. - While the preferred embodiment has been described comprising a corporate business site servicing many users, it should be apparent to one skilled in the art that other variations exist. For instance, an another embodiment, the digital
signature verification service 305 is a separate entity from the authentication/redirection server 302. In such an environment, groups or individuals acquire digital signature components that are instantiated in the separate digitalsignature verification service 305. For example, a user wishing to have access to aremote web site 304 opens a security generating web page. The web page comprises HTML code for communicating with the DigitalSignature Verification service 305, supplying identifying information and optionally paying fees. TheVerification service 305 provides a private key to the user which is used by the user's authentication redirection server to generate a digital signature for the user's token. Thedigital verification service 305 associates the user's token with a unique private key for digital signature generation and verification. - In another embodiment, the digital
signature verification service 305 supports multiple private keys, one or more private keys are associated (preferably by table lookup) with individualremote web sites 304. In another embodiment, multiple private keys are associated with more granular elements such as user ID, subgroup ID (Corporate Department), Project ID (associating a private key with an ID shared by users having similar authority) and the like. - While the preferred embodiment of the invention has been illustrated and described herein, it is to be understood that the invention is not limited to the precise construction herein disclosed, and the right is reserved to all changes and modifications coming within the scope of the invention as defined in the appended claims.
Claims (30)
1. A method for a user to access a secure Internet site, the method utilizing user credential data and other user data, the method comprising the steps of:
checking user credential data according to a first predetermined plan;
authorizing said user to access a secure Internet site if said user credentials permit;
creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
transmitting said digitally signed request to said secure Internet site.
2. The method according to claim 1 wherein said Internet site comprises world wide web pages.
3. The method according to claim 1 comprising the further steps of:
providing a web page to a client browser, said web page prompting said user for identification information; and
using said identification information to retrieve user credentials.
4. The method according to claim 3 wherein the providing step further comprises the step of dynamically generating said web page based on identifying information associated with said secure site.
5. The method according to claim 4 wherein said dynamically generating step further comprises an authentication prompt.
6. The method according to claim 1 further comprising the steps of:
receiving said digitally signed request at said secure Internet site;
verifying the validity of said digitally signed request; and
establishing a communication session with said first user if said digitally signed request is valid.
7. The method according to claim 6 wherein said verifying step comprises the further steps of:
sending said digital signature to a digital signature verification service at a verification Internet site; and
receiving an indication of the validity of said digital signature from said verification Internet site.
8. The method according to claim 1 wherein said checking user credentials step further comprises the steps of:
checking said user credentials against data in a common directory;
creating token message;
creating a redirect URL to the secure Internet site; and
communicating the redirect URL to a user browser.
9. The method according to claim 8 wherein said token message comprises any one of XML data, an expiration field or unique user information.
10. The method according to claim 8 wherein said redirect URL is digitally signed.
11. A system for a user to access a secure Internet site, the system utilizing user credential data and other user data, the system comprising:
a checker checking user credential data according to a first predetermined plan;
an authorizer authorizing said user to access a secure Internet site if said user credentials permit;
a signature generator creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
a transmitter transmitting said digitally signed request to said secure Internet site.
12. The system according to claim 11 wherein said Internet site comprises world wide web pages.
13. The system according to claim 11 further comprising:
a web page provider providing a web page to a client browser, said web page prompting said user for identification information; and
an authenticator using said identification information to retrieve user credentials.
14. The system according to claim 13 wherein the web page provider further dynamically generates said web page based on identifying information associated with said secure site.
15. The system according to claim 14 wherein said web page provider dynamically generates an authentication prompt.
16. The system according to claim 11 further comprising:
a receiver receiving said digitally signed request at said secure Internet site;
a digital signature verifier, verifying the validity of said digitally signed request; and
a session establisher establishing a communication session with said first user if said digitally signed request is valid.
17. The system according to claim 16 wherein said digital signature verifier further comprises:
signature sender sending said digital signature to a digital signature verification service at a verification Internet site; and
a signature validity receiver receiving an indication of the validity of said digital signature from said verification Internet site.
18. The system according to claim 11 wherein said checker further comprises:
a user checker checking said user credentials against data in a common directory;
a token generator creating token message;
a redirection creator creating a redirect URL to the secure Internet site; and
a redirect communicator communicating the redirect URL to a user browser.
19. The system according to claim 18 wherein said token message comprises any one of XML data, an expiration field or unique user information.
20. The system according to claim 18 wherein said redirect URL is digitally signed.
21. A computer program product for a user to access a secure Internet site, the computer program product utilizing user credential data and other user data, the computer program product comprising a computer readable medium having computer readable program code therein, the computer program product comprising:
computer readable program code for checking user credential data according to a first predetermined plan;
computer readable program code for authorizing said user to access a secure Internet site if said user credentials permit;
computer readable program code for creating a digitally signed request comprising said other user data for said authorized user according to a second predetermined plan; and
computer readable program code for transmitting said digitally signed request to said secure Internet site.
22. The computer program product according to claim 21 wherein said Internet site comprises world wide web pages.
23. The computer program product according to claim 21 further comprising:
computer readable program code for providing a web page to a client browser, said web page prompting said user for identification information; and
computer readable program code for using said identification information to retrieve user credentials.
24. The computer program product according to claim 23 wherein the web page provider further dynamically generates said web page based on identifying information associated with said secure site.
25. The computer program product according to claim 24 wherein said web page provider dynamically generates an authentication prompt.
26. The computer program product according to claim 21 further comprising:
computer readable program code for receiving said digitally signed request at said secure Internet site;
a digital signature verifier, verifying the validity of said digitally signed request; and
computer readable program code for establishing a communication session with said first user if said digitally signed request is valid.
27. The computer program product according to claim 26 wherein said digital signature verifier further comprises:
computer readable program code for sending said digital signature to a digital signature verification service at a verification Internet site; and
computer readable program code for receiving an indication of the validity of said digital signature from said verification Internet site.
28. The computer program product according to claim 21 wherein said checker further comprises:
computer readable program code for checking said user credentials against data in a common directory;
computer readable program code for creating token message;
a redirection creator creating a redirect URL to the secure Internet site; and
computer readable program code for communicating the redirect URL to a user browser.
29. The computer program product according to claim 28 wherein said token message comprises any one of XML data, an expiration field or unique user information.
30. The computer program product according to claim 28 wherein said redirect URL is digitally signed.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/229,693 US20040054898A1 (en) | 2002-08-28 | 2002-08-28 | Authenticating and communicating verifiable authorization between disparate network domains |
CNB031559778A CN100369030C (en) | 2002-08-28 | 2003-08-27 | Method and system for identifying & transmitting verifiable authorization among complete heteroyeneous network area |
US11/840,684 US8499339B2 (en) | 2002-08-28 | 2007-08-17 | Authenticating and communicating verifiable authorization between disparate network domains |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/229,693 US20040054898A1 (en) | 2002-08-28 | 2002-08-28 | Authenticating and communicating verifiable authorization between disparate network domains |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/840,684 Continuation US8499339B2 (en) | 2002-08-28 | 2007-08-17 | Authenticating and communicating verifiable authorization between disparate network domains |
Publications (1)
Publication Number | Publication Date |
---|---|
US20040054898A1 true US20040054898A1 (en) | 2004-03-18 |
Family
ID=31990371
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/229,693 Abandoned US20040054898A1 (en) | 2002-08-28 | 2002-08-28 | Authenticating and communicating verifiable authorization between disparate network domains |
US11/840,684 Expired - Fee Related US8499339B2 (en) | 2002-08-28 | 2007-08-17 | Authenticating and communicating verifiable authorization between disparate network domains |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/840,684 Expired - Fee Related US8499339B2 (en) | 2002-08-28 | 2007-08-17 | Authenticating and communicating verifiable authorization between disparate network domains |
Country Status (2)
Country | Link |
---|---|
US (2) | US20040054898A1 (en) |
CN (1) | CN100369030C (en) |
Cited By (74)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040049220A1 (en) * | 2002-04-19 | 2004-03-11 | Pelikan Technologies, Inc. | Method and apparatus for a multi-use body fluid sampling device with sterility barrier release |
US20040170314A1 (en) * | 2002-12-20 | 2004-09-02 | Harris Rodney C. | Method and apparatus for measuring assembly and alignment errors in sensor assemblies |
US20050015591A1 (en) * | 2003-06-12 | 2005-01-20 | International Business Machines Corporation | Multi-level multi-user web services security system and method |
US20050198501A1 (en) * | 2004-03-02 | 2005-09-08 | Dmitry Andreev | System and method of providing credentials in a network |
US20050240869A1 (en) * | 2004-04-23 | 2005-10-27 | Kalev Leetaru | Method and system for editable web browsing |
US20050240864A1 (en) * | 2004-04-23 | 2005-10-27 | Kalev Leetaru | Method and system for retrieving information using an authentication web page |
US20050268100A1 (en) * | 2002-05-10 | 2005-12-01 | Gasparini Louis A | System and method for authenticating entities to users |
US20050277420A1 (en) * | 2004-06-10 | 2005-12-15 | Samsung Electronics Co., Ltd. | Single-sign-on method based on markup language and system using the method |
US20060005234A1 (en) * | 2004-06-30 | 2006-01-05 | International Business Machines Corporation | Method and apparatus for handling custom token propagation without Java serialization |
US20060068799A1 (en) * | 2004-09-27 | 2006-03-30 | T-Mobile, Usa, Inc. | Open-host wireless access system |
WO2006102738A1 (en) * | 2005-04-01 | 2006-10-05 | Ve Networks Canada, Inc. | Visual and audible indication of secure communication |
US20060259767A1 (en) * | 2005-05-16 | 2006-11-16 | Mansz Robert P | Methods and apparatuses for information authentication and user interface feedback |
US20060291700A1 (en) * | 2005-06-08 | 2006-12-28 | Ogram Mark E | Internet signature verification system |
US20070030965A1 (en) * | 2005-07-19 | 2007-02-08 | Mansz Robert P | Methods and apparatuses for management of entitlement to digital security operations |
US20070219462A1 (en) * | 2002-04-19 | 2007-09-20 | Barry Briggs | Methods and apparatus for lancet actuation |
US20070219573A1 (en) * | 2002-04-19 | 2007-09-20 | Dominique Freeman | Method and apparatus for penetrating tissue |
US20070244499A1 (en) * | 2002-04-19 | 2007-10-18 | Barry Briggs | Methods and apparatus for lancet actuation |
KR100875919B1 (en) | 2005-12-07 | 2008-12-26 | 한국전자통신연구원 | Apparatus and method for providing personal information sharing service using signed callback UEL message |
US20090048997A1 (en) * | 2007-08-16 | 2009-02-19 | Verizon Data Services India Private Limited | Method and apparatus for rule-based masking of data |
US20090069716A1 (en) * | 2004-06-03 | 2009-03-12 | Dominique Freeman | Method and apparatus for a fluid sampling device |
US20090292925A1 (en) * | 2006-04-13 | 2009-11-26 | Alexander Meisel | Method for providing web application security |
US20090320119A1 (en) * | 2008-06-20 | 2009-12-24 | Wetpaint.Com, Inc. | Extensible content service for attributing user-generated content to authored content providers |
US7730215B1 (en) * | 2005-04-08 | 2010-06-01 | Symantec Corporation | Detecting entry-portal-only network connections |
US7731729B2 (en) | 2002-04-19 | 2010-06-08 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US20100199089A1 (en) * | 2009-02-05 | 2010-08-05 | Wwpass Corporation | Centralized authentication system with safe private data storage and method |
US7780631B2 (en) | 1998-03-30 | 2010-08-24 | Pelikan Technologies, Inc. | Apparatus and method for penetration with shaft having a sensor for sensing penetration depth |
US20100217989A1 (en) * | 2005-03-23 | 2010-08-26 | Microsoft Corporation | Visualization of trust in an address bar |
US20100223471A1 (en) * | 2009-02-27 | 2010-09-02 | Research In Motion Limited | Cookie Verification Methods And Apparatus For Use In Providing Application Services To Communication Devices |
US7909775B2 (en) | 2001-06-12 | 2011-03-22 | Pelikan Technologies, Inc. | Method and apparatus for lancet launching device integrated onto a blood-sampling cartridge |
US7938787B2 (en) | 2002-04-19 | 2011-05-10 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US8156228B1 (en) * | 2007-09-28 | 2012-04-10 | Symantec Corporation | Method and apparatus to enable confidential browser referrals |
US8197421B2 (en) | 2002-04-19 | 2012-06-12 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US8206317B2 (en) | 2001-06-12 | 2012-06-26 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US20120174198A1 (en) * | 2010-12-30 | 2012-07-05 | Verisign, Inc. | Shared Registration Multi-Factor Authentication Tokens |
US8230224B2 (en) | 2005-03-08 | 2012-07-24 | International Business Machines Corporation | Transmitting security data in multipart communications over a network |
US8251921B2 (en) | 2003-06-06 | 2012-08-28 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for body fluid sampling and analyte sensing |
CN102882675A (en) * | 2012-10-18 | 2013-01-16 | 杭州也要买电子商务有限公司 | Password encryption method for social network sites |
US8382682B2 (en) | 2002-04-19 | 2013-02-26 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for penetrating tissue |
CN102984161A (en) * | 2012-12-05 | 2013-03-20 | 北京奇虎科技有限公司 | Identification method and device for reliable website |
US8574895B2 (en) | 2002-12-30 | 2013-11-05 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus using optical techniques to measure analyte levels |
US8689099B1 (en) * | 2010-12-23 | 2014-04-01 | Amazon Technologies, Inc. | Cross-domain communication |
US8769651B2 (en) * | 2012-09-19 | 2014-07-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US20140280883A1 (en) * | 2013-03-15 | 2014-09-18 | International Business Machines Corporation | Secure URL update for HTTP redirects |
CN104123380A (en) * | 2014-07-31 | 2014-10-29 | 珠海市君天电子科技有限公司 | Webpage access method and device |
US9027099B1 (en) | 2012-07-11 | 2015-05-05 | Microstrategy Incorporated | User credentials |
US9037963B1 (en) | 2011-04-22 | 2015-05-19 | Amazon Technologies, Inc. | Secure cross-domain web browser communications |
US20150163065A1 (en) * | 2013-12-05 | 2015-06-11 | Xiaolai Li | Identity authentication method and apparatus and server |
US9154303B1 (en) | 2013-03-14 | 2015-10-06 | Microstrategy Incorporated | Third-party authorization of user credentials |
CN104965852A (en) * | 2015-04-30 | 2015-10-07 | 百度在线网络技术(北京)有限公司 | Method for account number access, network device, and user device |
US9253175B1 (en) * | 2007-04-12 | 2016-02-02 | Marvell International Ltd. | Authentication of computing devices using augmented credentials to enable actions-per-group |
WO2016065318A1 (en) * | 2014-10-24 | 2016-04-28 | Netflix, Inc. | Efficient start-up for secured connections and related services |
US20160191473A1 (en) * | 2014-12-31 | 2016-06-30 | Vasco Data Security, Inc. | Method And Apparatus For Securing An Application Using A Measurement Of A Location Dependent Physical Property Of The Environment |
WO2016089503A3 (en) * | 2014-10-24 | 2016-07-28 | Netflix, Inc. | Failure recovery mechanism to re-establish secured communications |
US9426152B2 (en) | 2014-07-08 | 2016-08-23 | International Business Machines Corporation | Secure transfer of web application client persistent state information into a new domain |
US9575768B1 (en) | 2013-01-08 | 2017-02-21 | Marvell International Ltd. | Loading boot code from multiple memories |
US9640001B1 (en) | 2012-11-30 | 2017-05-02 | Microstrategy Incorporated | Time-varying representations of user credentials |
US9652249B1 (en) | 2008-09-18 | 2017-05-16 | Marvell World Trade Ltd. | Preloading an application while an operating system loads |
US9736801B1 (en) | 2013-05-20 | 2017-08-15 | Marvell International Ltd. | Methods and apparatus for synchronizing devices in a wireless data communication system |
US9769653B1 (en) | 2008-08-20 | 2017-09-19 | Marvell International Ltd. | Efficient key establishment for wireless networks |
US9795747B2 (en) | 2010-06-02 | 2017-10-24 | Sanofi-Aventis Deutschland Gmbh | Methods and apparatus for lancet actuation |
US9820684B2 (en) | 2004-06-03 | 2017-11-21 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for a fluid sampling device |
US9832200B2 (en) | 2015-12-14 | 2017-11-28 | Bank Of America Corporation | Multi-tiered protection platform |
US9832229B2 (en) | 2015-12-14 | 2017-11-28 | Bank Of America Corporation | Multi-tiered protection platform |
US9836306B2 (en) | 2013-07-31 | 2017-12-05 | Marvell World Trade Ltd. | Parallelizing boot operations |
US9860862B1 (en) | 2013-05-21 | 2018-01-02 | Marvell International Ltd. | Methods and apparatus for selecting a device to perform shared functionality in a deterministic and fair manner in a wireless data communication system |
US9886569B1 (en) | 2012-10-26 | 2018-02-06 | Microstrategy Incorporated | Credential tracking |
US9887992B1 (en) | 2012-07-11 | 2018-02-06 | Microstrategy Incorporated | Sight codes for website authentication |
US9907502B2 (en) | 2002-04-19 | 2018-03-06 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for penetrating tissue |
US9992163B2 (en) | 2015-12-14 | 2018-06-05 | Bank Of America Corporation | Multi-tiered protection platform |
US10275377B2 (en) | 2011-11-15 | 2019-04-30 | Marvell World Trade Ltd. | Dynamic boot image streaming |
US10462084B2 (en) * | 2003-03-25 | 2019-10-29 | Verisign, Inc. | Control and management of electronic messaging via authentication and evaluation of credentials |
US10979412B2 (en) | 2016-03-08 | 2021-04-13 | Nxp Usa, Inc. | Methods and apparatus for secure device authentication |
CN115037545A (en) * | 2022-06-14 | 2022-09-09 | 江苏银承网络科技股份有限公司 | Method, device and storage medium for login of website without secret authorization |
US11533297B2 (en) | 2014-10-24 | 2022-12-20 | Netflix, Inc. | Secure communication channel with token renewal mechanism |
Families Citing this family (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100417066C (en) * | 2004-12-29 | 2008-09-03 | 国际商业机器公司 | Multi-territory accessing proxy using in treating safety problem based on browser application |
CN101273331B (en) * | 2005-09-26 | 2015-01-28 | 皇家Kpn公司 | Method of controlling a browser window |
US8590027B2 (en) * | 2007-02-05 | 2013-11-19 | Red Hat, Inc. | Secure authentication in browser redirection authentication schemes |
US11843594B2 (en) * | 2007-09-04 | 2023-12-12 | Live Nation Entertainment, Inc. | Controlled token distribution to protect against malicious data and resource access |
US8271536B2 (en) * | 2008-11-14 | 2012-09-18 | Microsoft Corporation | Multi-tenancy using suite of authorization manager components |
US8819848B2 (en) | 2009-11-24 | 2014-08-26 | Comcast Interactive Media, Llc | Method for scalable access control decisions |
US9544143B2 (en) | 2010-03-03 | 2017-01-10 | Duo Security, Inc. | System and method of notifying mobile devices to complete transactions |
US9532222B2 (en) | 2010-03-03 | 2016-12-27 | Duo Security, Inc. | System and method of notifying mobile devices to complete transactions after additional agent verification |
US8510820B2 (en) | 2010-12-02 | 2013-08-13 | Duo Security, Inc. | System and method for embedded authentication |
US9282085B2 (en) | 2010-12-20 | 2016-03-08 | Duo Security, Inc. | System and method for digital user authentication |
CN102546579A (en) * | 2010-12-31 | 2012-07-04 | 北大方正集团有限公司 | Method, device and system used for providing system resources |
US8863248B2 (en) * | 2011-04-07 | 2014-10-14 | International Business Machines Corporation | Method and apparatus to auto-login to a browser application launched from an authenticated client application |
US8892885B2 (en) | 2011-08-31 | 2014-11-18 | Duo Security, Inc. | System and method for delivering a challenge response in an authentication protocol |
US9467463B2 (en) | 2011-09-02 | 2016-10-11 | Duo Security, Inc. | System and method for assessing vulnerability of a mobile device |
US9830435B2 (en) * | 2011-10-04 | 2017-11-28 | Salesforce.Com, Inc. | Method and system for providing login as a service |
US8763077B2 (en) | 2011-10-07 | 2014-06-24 | Duo Security, Inc. | System and method for enforcing a policy for an authenticator device |
US8990898B2 (en) * | 2012-02-16 | 2015-03-24 | Citrix Systems, Inc. | Connection leasing for hosted services |
US8752203B2 (en) * | 2012-06-18 | 2014-06-10 | Lars Reinertsen | System for managing computer data security through portable data access security tokens |
US8819803B1 (en) * | 2012-06-29 | 2014-08-26 | Emc Corporation | Validating association of client devices with authenticated clients |
US8893230B2 (en) | 2013-02-22 | 2014-11-18 | Duo Security, Inc. | System and method for proxying federated authentication protocols |
US9338156B2 (en) | 2013-02-22 | 2016-05-10 | Duo Security, Inc. | System and method for integrating two-factor authentication in a device |
US9607156B2 (en) * | 2013-02-22 | 2017-03-28 | Duo Security, Inc. | System and method for patching a device through exploitation |
US9443073B2 (en) | 2013-08-08 | 2016-09-13 | Duo Security, Inc. | System and method for verifying status of an authentication device |
US9053310B2 (en) | 2013-08-08 | 2015-06-09 | Duo Security, Inc. | System and method for verifying status of an authentication device through a biometric profile |
US9608814B2 (en) | 2013-09-10 | 2017-03-28 | Duo Security, Inc. | System and method for centralized key distribution |
US9092302B2 (en) | 2013-09-10 | 2015-07-28 | Duo Security, Inc. | System and method for determining component version compatibility across a device ecosystem |
US9774448B2 (en) | 2013-10-30 | 2017-09-26 | Duo Security, Inc. | System and methods for opportunistic cryptographic key management on an electronic device |
US9762590B2 (en) | 2014-04-17 | 2017-09-12 | Duo Security, Inc. | System and method for an integrity focused authentication service |
US9979719B2 (en) | 2015-01-06 | 2018-05-22 | Duo Security, Inc. | System and method for converting one-time passcodes to app-based authentication |
US9641341B2 (en) | 2015-03-31 | 2017-05-02 | Duo Security, Inc. | Method for distributed trust authentication |
ES2758755T3 (en) | 2015-06-01 | 2020-05-06 | Duo Security Inc | Method of applying endpoint health standards |
US9774579B2 (en) | 2015-07-27 | 2017-09-26 | Duo Security, Inc. | Method for key rotation |
CN105764056B (en) * | 2016-04-13 | 2020-04-24 | 趣增信息科技(上海)有限公司 | Web authentication system and method for public wifi access |
GB201617620D0 (en) * | 2016-10-18 | 2016-11-30 | Cybernetica As | Composite digital signatures |
US10412113B2 (en) | 2017-12-08 | 2019-09-10 | Duo Security, Inc. | Systems and methods for intelligently configuring computer security |
CN108712492A (en) * | 2018-05-17 | 2018-10-26 | 中兴通讯股份有限公司 | A kind of HTTP redirection method, apparatus, routing device and computer storage media |
US11120107B2 (en) | 2018-12-06 | 2021-09-14 | International Business Machines Corporation | Managing content delivery to client devices |
US11658962B2 (en) | 2018-12-07 | 2023-05-23 | Cisco Technology, Inc. | Systems and methods of push-based verification of a transaction |
Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5497421A (en) * | 1992-04-28 | 1996-03-05 | Digital Equipment Corporation | Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system |
US5655077A (en) * | 1994-12-13 | 1997-08-05 | Microsoft Corporation | Method and system for authenticating access to heterogeneous computing services |
US5659616A (en) * | 1994-07-19 | 1997-08-19 | Certco, Llc | Method for securely using digital signatures in a commercial cryptographic system |
US5757920A (en) * | 1994-07-18 | 1998-05-26 | Microsoft Corporation | Logon certification |
US5815665A (en) * | 1996-04-03 | 1998-09-29 | Microsoft Corporation | System and method for providing trusted brokering services over a distributed network |
US5815574A (en) * | 1994-12-15 | 1998-09-29 | International Business Machines Corporation | Provision of secure access to external resources from a distributed computing environment |
US5875296A (en) * | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
US5909492A (en) * | 1994-10-24 | 1999-06-01 | Open Market, Incorporated | Network sales system |
US6055637A (en) * | 1996-09-27 | 2000-04-25 | Electronic Data Systems Corporation | System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential |
US6092196A (en) * | 1997-11-25 | 2000-07-18 | Nortel Networks Limited | HTTP distributed remote user authentication system |
US6128738A (en) * | 1998-04-22 | 2000-10-03 | International Business Machines Corporation | Certificate based security in SNA data flows |
US6131164A (en) * | 1998-02-27 | 2000-10-10 | Sprint Communications Company, L.P. | Reverse internet protocol lookup |
US6226752B1 (en) * | 1999-05-11 | 2001-05-01 | Sun Microsystems, Inc. | Method and apparatus for authenticating users |
US6275944B1 (en) * | 1998-04-30 | 2001-08-14 | International Business Machines Corporation | Method and system for single sign on using configuration directives with respect to target types |
US6403974B1 (en) * | 2000-11-13 | 2002-06-11 | Behavior Tech Computer Corporation | Test device for horizontal position of an optical disc drive motor |
US6725376B1 (en) * | 1997-11-13 | 2004-04-20 | Ncr Corporation | Method of using an electronic ticket and distributed server computer architecture for the same |
US6957334B1 (en) * | 1999-06-23 | 2005-10-18 | Mastercard International Incorporated | Method and system for secure guaranteed transactions over a computer network |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5403974A (en) * | 1993-01-08 | 1995-04-04 | Square D Company | Interlocking wireway assembly for electrical distribution devices |
JP3493141B2 (en) * | 1998-06-12 | 2004-02-03 | 富士通株式会社 | Gateway system and recording medium |
US6647532B1 (en) * | 1998-10-29 | 2003-11-11 | Dell Usa L.P. | Built-in automatic customer identifier when connecting to a vendor website |
US6304974B1 (en) | 1998-11-06 | 2001-10-16 | Oracle Corporation | Method and apparatus for managing trusted certificates |
JP2003518283A (en) * | 1999-12-21 | 2003-06-03 | ネットスケープ コミュニケーションズ コーポレーション | Hardware token self-registration process |
US7356711B1 (en) * | 2002-05-30 | 2008-04-08 | Microsoft Corporation | Secure registration |
- 2002-08-28 US US10/229,693 patent/US20040054898A1/en not_active Abandoned
- 2003-08-27 CN CNB031559778A patent/CN100369030C/en not_active Expired - Fee Related
- 2007-08-17 US US11/840,684 patent/US8499339B2/en not_active Expired - Fee Related
Patent Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5497421A (en) * | 1992-04-28 | 1996-03-05 | Digital Equipment Corporation | Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system |
US5757920A (en) * | 1994-07-18 | 1998-05-26 | Microsoft Corporation | Logon certification |
US5659616A (en) * | 1994-07-19 | 1997-08-19 | Certco, Llc | Method for securely using digital signatures in a commercial cryptographic system |
US5909492A (en) * | 1994-10-24 | 1999-06-01 | Open Market, Incorporated | Network sales system |
US5655077A (en) * | 1994-12-13 | 1997-08-05 | Microsoft Corporation | Method and system for authenticating access to heterogeneous computing services |
US5815574A (en) * | 1994-12-15 | 1998-09-29 | International Business Machines Corporation | Provision of secure access to external resources from a distributed computing environment |
US5815665A (en) * | 1996-04-03 | 1998-09-29 | Microsoft Corporation | System and method for providing trusted brokering services over a distributed network |
US6055637A (en) * | 1996-09-27 | 2000-04-25 | Electronic Data Systems Corporation | System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential |
US5875296A (en) * | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
US6725376B1 (en) * | 1997-11-13 | 2004-04-20 | Ncr Corporation | Method of using an electronic ticket and distributed server computer architecture for the same |
US6092196A (en) * | 1997-11-25 | 2000-07-18 | Nortel Networks Limited | HTTP distributed remote user authentication system |
US6131164A (en) * | 1998-02-27 | 2000-10-10 | Sprint Communications Company, L.P. | Reverse internet protocol lookup |
US6128738A (en) * | 1998-04-22 | 2000-10-03 | International Business Machines Corporation | Certificate based security in SNA data flows |
US6275944B1 (en) * | 1998-04-30 | 2001-08-14 | International Business Machines Corporation | Method and system for single sign on using configuration directives with respect to target types |
US6226752B1 (en) * | 1999-05-11 | 2001-05-01 | Sun Microsystems, Inc. | Method and apparatus for authenticating users |
US6957334B1 (en) * | 1999-06-23 | 2005-10-18 | Mastercard International Incorporated | Method and system for secure guaranteed transactions over a computer network |
US6403974B1 (en) * | 2000-11-13 | 2002-06-11 | Behavior Tech Computer Corporation | Test device for horizontal position of an optical disc drive motor |
Cited By (130)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7780631B2 (en) | 1998-03-30 | 2010-08-24 | Pelikan Technologies, Inc. | Apparatus and method for penetration with shaft having a sensor for sensing penetration depth |
US9937298B2 (en) | 2001-06-12 | 2018-04-10 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US8206319B2 (en) | 2001-06-12 | 2012-06-26 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US8206317B2 (en) | 2001-06-12 | 2012-06-26 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US7909775B2 (en) | 2001-06-12 | 2011-03-22 | Pelikan Technologies, Inc. | Method and apparatus for lancet launching device integrated onto a blood-sampling cartridge |
US8216154B2 (en) | 2001-06-12 | 2012-07-10 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US8282577B2 (en) | 2001-06-12 | 2012-10-09 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for lancet launching device integrated onto a blood-sampling cartridge |
US8622930B2 (en) | 2001-06-12 | 2014-01-07 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US8679033B2 (en) | 2001-06-12 | 2014-03-25 | Sanofi-Aventis Deutschland Gmbh | Tissue penetration device |
US7875047B2 (en) | 2002-04-19 | 2011-01-25 | Pelikan Technologies, Inc. | Method and apparatus for a multi-use body fluid sampling device with sterility barrier release |
US7988644B2 (en) | 2002-04-19 | 2011-08-02 | Pelikan Technologies, Inc. | Method and apparatus for a multi-use body fluid sampling device with sterility barrier release |
US20040049220A1 (en) * | 2002-04-19 | 2004-03-11 | Pelikan Technologies, Inc. | Method and apparatus for a multi-use body fluid sampling device with sterility barrier release |
US9907502B2 (en) | 2002-04-19 | 2018-03-06 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for penetrating tissue |
US8197421B2 (en) | 2002-04-19 | 2012-06-12 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US9089678B2 (en) | 2002-04-19 | 2015-07-28 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for penetrating tissue |
US20070167872A1 (en) * | 2002-04-19 | 2007-07-19 | Dominique Freeman | Method and apparatus for a multi-use body fluid sampling device with sterility barrier release |
US20070219462A1 (en) * | 2002-04-19 | 2007-09-20 | Barry Briggs | Methods and apparatus for lancet actuation |
US20070219573A1 (en) * | 2002-04-19 | 2007-09-20 | Dominique Freeman | Method and apparatus for penetrating tissue |
US20070244499A1 (en) * | 2002-04-19 | 2007-10-18 | Barry Briggs | Methods and apparatus for lancet actuation |
US8382682B2 (en) | 2002-04-19 | 2013-02-26 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for penetrating tissue |
US7731729B2 (en) | 2002-04-19 | 2010-06-08 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US8079960B2 (en) | 2002-04-19 | 2011-12-20 | Pelikan Technologies, Inc. | Methods and apparatus for lancet actuation |
US7909778B2 (en) | 2002-04-19 | 2011-03-22 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US8388551B2 (en) | 2002-04-19 | 2013-03-05 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for multi-use body fluid sampling device with sterility barrier release |
US7981056B2 (en) | 2002-04-19 | 2011-07-19 | Pelikan Technologies, Inc. | Methods and apparatus for lancet actuation |
US7938787B2 (en) | 2002-04-19 | 2011-05-10 | Pelikan Technologies, Inc. | Method and apparatus for penetrating tissue |
US8496601B2 (en) | 2002-04-19 | 2013-07-30 | Sanofi-Aventis Deutschland Gmbh | Methods and apparatus for lancet actuation |
US8491500B2 (en) | 2002-04-19 | 2013-07-23 | Sanofi-Aventis Deutschland Gmbh | Methods and apparatus for lancet actuation |
US7562222B2 (en) * | 2002-05-10 | 2009-07-14 | Rsa Security Inc. | System and method for authenticating entities to users |
US20050268100A1 (en) * | 2002-05-10 | 2005-12-01 | Gasparini Louis A | System and method for authenticating entities to users |
US20040170314A1 (en) * | 2002-12-20 | 2004-09-02 | Harris Rodney C. | Method and apparatus for measuring assembly and alignment errors in sensor assemblies |
US8574895B2 (en) | 2002-12-30 | 2013-11-05 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus using optical techniques to measure analyte levels |
US10462084B2 (en) * | 2003-03-25 | 2019-10-29 | Verisign, Inc. | Control and management of electronic messaging via authentication and evaluation of credentials |
US8251921B2 (en) | 2003-06-06 | 2012-08-28 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for body fluid sampling and analyte sensing |
US7299492B2 (en) * | 2003-06-12 | 2007-11-20 | International Business Machines Corporation | Multi-level multi-user web services security system and method |
US20050015591A1 (en) * | 2003-06-12 | 2005-01-20 | International Business Machines Corporation | Multi-level multi-user web services security system and method |
US8364957B2 (en) * | 2004-03-02 | 2013-01-29 | International Business Machines Corporation | System and method of providing credentials in a network |
US20050198501A1 (en) * | 2004-03-02 | 2005-09-08 | Dmitry Andreev | System and method of providing credentials in a network |
US20050240864A1 (en) * | 2004-04-23 | 2005-10-27 | Kalev Leetaru | Method and system for retrieving information using an authentication web page |
US20050240869A1 (en) * | 2004-04-23 | 2005-10-27 | Kalev Leetaru | Method and system for editable web browsing |
US7716352B2 (en) * | 2004-04-23 | 2010-05-11 | The Board Of Trustees Of The University Of Illinois | Method and system for retrieving information using an authentication web page |
US20090069716A1 (en) * | 2004-06-03 | 2009-03-12 | Dominique Freeman | Method and apparatus for a fluid sampling device |
US9820684B2 (en) | 2004-06-03 | 2017-11-21 | Sanofi-Aventis Deutschland Gmbh | Method and apparatus for a fluid sampling device |
US20050277420A1 (en) * | 2004-06-10 | 2005-12-15 | Samsung Electronics Co., Ltd. | Single-sign-on method based on markup language and system using the method |
US8108921B2 (en) * | 2004-06-10 | 2012-01-31 | Samsung Electronics Co., Ltd. | Single-sign-on method based on markup language and system using the method |
US20060005234A1 (en) * | 2004-06-30 | 2006-01-05 | International Business Machines Corporation | Method and apparatus for handling custom token propagation without Java serialization |
US20090109946A1 (en) * | 2004-09-27 | 2009-04-30 | T-Mobile, Usa, Inc. | Open-Host Wireless Access System |
US20060068799A1 (en) * | 2004-09-27 | 2006-03-30 | T-Mobile, Usa, Inc. | Open-host wireless access system |
US8230224B2 (en) | 2005-03-08 | 2012-07-24 | International Business Machines Corporation | Transmitting security data in multipart communications over a network |
US20100217989A1 (en) * | 2005-03-23 | 2010-08-26 | Microsoft Corporation | Visualization of trust in an address bar |
US8843749B2 (en) | 2005-03-23 | 2014-09-23 | Microsoft Corporation | Visualization of trust in an address bar |
US20130332740A1 (en) * | 2005-03-23 | 2013-12-12 | Microsoft Corporation | Visualization of Trust in an Address Bar |
US9444630B2 (en) * | 2005-03-23 | 2016-09-13 | Microsoft Technology Licensing, Llc | Visualization of trust in an address bar |
US9838380B2 (en) | 2005-03-23 | 2017-12-05 | Zhigu Holdings Limited | Visualization of trust in an address bar |
US7506163B2 (en) | 2005-04-01 | 2009-03-17 | Ve Networks | Methods and apparatuses for security visualization |
US20060224888A1 (en) * | 2005-04-01 | 2006-10-05 | Mansz Robert P | Methods and apparatuses for security visualization |
WO2006102738A1 (en) * | 2005-04-01 | 2006-10-05 | Ve Networks Canada, Inc. | Visual and audible indication of secure communication |
US7730215B1 (en) * | 2005-04-08 | 2010-06-01 | Symantec Corporation | Detecting entry-portal-only network connections |
US20060259767A1 (en) * | 2005-05-16 | 2006-11-16 | Mansz Robert P | Methods and apparatuses for information authentication and user interface feedback |
US20060291700A1 (en) * | 2005-06-08 | 2006-12-28 | Ogram Mark E | Internet signature verification system |
US20070030965A1 (en) * | 2005-07-19 | 2007-02-08 | Mansz Robert P | Methods and apparatuses for management of entitlement to digital security operations |
KR100875919B1 (en) | 2005-12-07 | 2008-12-26 | 한국전자통신연구원 | Apparatus and method for providing personal information sharing service using signed callback UEL message |
US20090292925A1 (en) * | 2006-04-13 | 2009-11-26 | Alexander Meisel | Method for providing web application security |
US9253175B1 (en) * | 2007-04-12 | 2016-02-02 | Marvell International Ltd. | Authentication of computing devices using augmented credentials to enable actions-per-group |
US8341104B2 (en) * | 2007-08-16 | 2012-12-25 | Verizon Patent And Licensing Inc. | Method and apparatus for rule-based masking of data |
US20090048997A1 (en) * | 2007-08-16 | 2009-02-19 | Verizon Data Services India Private Limited | Method and apparatus for rule-based masking of data |
US8156228B1 (en) * | 2007-09-28 | 2012-04-10 | Symantec Corporation | Method and apparatus to enable confidential browser referrals |
US20090320119A1 (en) * | 2008-06-20 | 2009-12-24 | Wetpaint.Com, Inc. | Extensible content service for attributing user-generated content to authored content providers |
US8516366B2 (en) * | 2008-06-20 | 2013-08-20 | Wetpaint.Com, Inc. | Extensible content service for attributing user-generated content to authored content providers |
US9769653B1 (en) | 2008-08-20 | 2017-09-19 | Marvell International Ltd. | Efficient key establishment for wireless networks |
US9652249B1 (en) | 2008-09-18 | 2017-05-16 | Marvell World Trade Ltd. | Preloading an application while an operating system loads |
US8826019B2 (en) | 2009-02-05 | 2014-09-02 | Wwpass Corporation | Centralized authentication system with safe private data storage and method |
US8327141B2 (en) | 2009-02-05 | 2012-12-04 | Wwpass Corporation | Centralized authentication system with safe private data storage and method |
US20100199089A1 (en) * | 2009-02-05 | 2010-08-05 | Wwpass Corporation | Centralized authentication system with safe private data storage and method |
US20100223471A1 (en) * | 2009-02-27 | 2010-09-02 | Research In Motion Limited | Cookie Verification Methods And Apparatus For Use In Providing Application Services To Communication Devices |
WO2010096913A1 (en) * | 2009-02-27 | 2010-09-02 | Research In Motion Limited | Cookie verification methods and apparatus for use in providing application services to communication devices |
US9059979B2 (en) | 2009-02-27 | 2015-06-16 | Blackberry Limited | Cookie verification methods and apparatus for use in providing application services to communication devices |
US9795747B2 (en) | 2010-06-02 | 2017-10-24 | Sanofi-Aventis Deutschland Gmbh | Methods and apparatus for lancet actuation |
US8689099B1 (en) * | 2010-12-23 | 2014-04-01 | Amazon Technologies, Inc. | Cross-domain communication |
US8769655B2 (en) * | 2010-12-30 | 2014-07-01 | Verisign, Inc. | Shared registration multi-factor authentication tokens |
US20120174198A1 (en) * | 2010-12-30 | 2012-07-05 | Verisign, Inc. | Shared Registration Multi-Factor Authentication Tokens |
US11010822B2 (en) | 2011-04-22 | 2021-05-18 | Amazon Technologies, Inc. | Cross-domain communications between browser windows |
US9037963B1 (en) | 2011-04-22 | 2015-05-19 | Amazon Technologies, Inc. | Secure cross-domain web browser communications |
US10366446B2 (en) | 2011-04-22 | 2019-07-30 | Amazon Technologies, Inc. | Cross-domain communications between browser windows |
US10275377B2 (en) | 2011-11-15 | 2019-04-30 | Marvell World Trade Ltd. | Dynamic boot image streaming |
US9887992B1 (en) | 2012-07-11 | 2018-02-06 | Microstrategy Incorporated | Sight codes for website authentication |
US9264415B1 (en) | 2012-07-11 | 2016-02-16 | Microstrategy Incorporated | User credentials |
US9269358B1 (en) | 2012-07-11 | 2016-02-23 | Microstrategy Incorporated | User credentials |
US9860246B1 (en) | 2012-07-11 | 2018-01-02 | Microstrategy Incorporated | Generation and validation of user credentials having multiple representations |
US9027099B1 (en) | 2012-07-11 | 2015-05-05 | Microstrategy Incorporated | User credentials |
US9807074B1 (en) * | 2012-07-11 | 2017-10-31 | Microstrategy Incorporated | User credentials |
US9979723B1 (en) | 2012-07-11 | 2018-05-22 | Microstrategy Incorporated | User credentials |
US9742781B1 (en) | 2012-07-11 | 2017-08-22 | Microstrategy Incorporated | Generation and validation of user credentials |
US8769651B2 (en) * | 2012-09-19 | 2014-07-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US20170111351A1 (en) * | 2012-09-19 | 2017-04-20 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US20150007299A1 (en) * | 2012-09-19 | 2015-01-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US10200357B2 (en) * | 2012-09-19 | 2019-02-05 | Secureauth Corporation | Mobile single-sign-on authentication using browser as intermediary |
US9369457B2 (en) * | 2012-09-19 | 2016-06-14 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
CN102882675A (en) * | 2012-10-18 | 2013-01-16 | 杭州也要买电子商务有限公司 | Password encryption method for social network sites |
US9886569B1 (en) | 2012-10-26 | 2018-02-06 | Microstrategy Incorporated | Credential tracking |
US10084775B1 (en) | 2012-11-30 | 2018-09-25 | Microstrategy Incorporated | Time-varying representations of user credentials |
US9640001B1 (en) | 2012-11-30 | 2017-05-02 | Microstrategy Incorporated | Time-varying representations of user credentials |
CN102984161A (en) * | 2012-12-05 | 2013-03-20 | 北京奇虎科技有限公司 | Identification method and device for reliable website |
US9575768B1 (en) | 2013-01-08 | 2017-02-21 | Marvell International Ltd. | Loading boot code from multiple memories |
US10027680B1 (en) | 2013-03-14 | 2018-07-17 | Microstrategy Incorporated | Third-party authorization of user credentials |
US9154303B1 (en) | 2013-03-14 | 2015-10-06 | Microstrategy Incorporated | Third-party authorization of user credentials |
US20140280883A1 (en) * | 2013-03-15 | 2014-09-18 | International Business Machines Corporation | Secure URL update for HTTP redirects |
US9736801B1 (en) | 2013-05-20 | 2017-08-15 | Marvell International Ltd. | Methods and apparatus for synchronizing devices in a wireless data communication system |
US9860862B1 (en) | 2013-05-21 | 2018-01-02 | Marvell International Ltd. | Methods and apparatus for selecting a device to perform shared functionality in a deterministic and fair manner in a wireless data communication system |
US9836306B2 (en) | 2013-07-31 | 2017-12-05 | Marvell World Trade Ltd. | Parallelizing boot operations |
US20150163065A1 (en) * | 2013-12-05 | 2015-06-11 | Xiaolai Li | Identity authentication method and apparatus and server |
US9426152B2 (en) | 2014-07-08 | 2016-08-23 | International Business Machines Corporation | Secure transfer of web application client persistent state information into a new domain |
US9509691B2 (en) | 2014-07-08 | 2016-11-29 | International Business Machines Corporation | Secure transfer of web application client persistent state information into a new domain |
US9712523B2 (en) | 2014-07-08 | 2017-07-18 | International Business Machines Corporation | Secure transfer of web application client persistent state information into a new domain |
US9699177B2 (en) | 2014-07-08 | 2017-07-04 | International Business Machines Corporation | Secure transfer of web application client persistent state information into a new domain |
CN104123380A (en) * | 2014-07-31 | 2014-10-29 | 珠海市君天电子科技有限公司 | Webpage access method and device |
US10050955B2 (en) | 2014-10-24 | 2018-08-14 | Netflix, Inc. | Efficient start-up for secured connections and related services |
WO2016065318A1 (en) * | 2014-10-24 | 2016-04-28 | Netflix, Inc. | Efficient start-up for secured connections and related services |
US11533297B2 (en) | 2014-10-24 | 2022-12-20 | Netflix, Inc. | Secure communication channel with token renewal mechanism |
US11399019B2 (en) | 2014-10-24 | 2022-07-26 | Netflix, Inc. | Failure recovery mechanism to re-establish secured communications |
WO2016089503A3 (en) * | 2014-10-24 | 2016-07-28 | Netflix, Inc. | Failure recovery mechanism to re-establish secured communications |
US10541986B2 (en) * | 2014-12-31 | 2020-01-21 | Onespan North America Inc. | Method and apparatus for securing an application using a measurement of a location dependent physical property of the environment |
US20160191473A1 (en) * | 2014-12-31 | 2016-06-30 | Vasco Data Security, Inc. | Method And Apparatus For Securing An Application Using A Measurement Of A Location Dependent Physical Property Of The Environment |
CN104965852A (en) * | 2015-04-30 | 2015-10-07 | 百度在线网络技术(北京)有限公司 | Method for account number access, network device, and user device |
US9832200B2 (en) | 2015-12-14 | 2017-11-28 | Bank Of America Corporation | Multi-tiered protection platform |
US9992163B2 (en) | 2015-12-14 | 2018-06-05 | Bank Of America Corporation | Multi-tiered protection platform |
US9832229B2 (en) | 2015-12-14 | 2017-11-28 | Bank Of America Corporation | Multi-tiered protection platform |
US10263955B2 (en) | 2015-12-14 | 2019-04-16 | Bank Of America Corporation | Multi-tiered protection platform |
US10979412B2 (en) | 2016-03-08 | 2021-04-13 | Nxp Usa, Inc. | Methods and apparatus for secure device authentication |
CN115037545A (en) * | 2022-06-14 | 2022-09-09 | 江苏银承网络科技股份有限公司 | Method, device and storage medium for login of website without secret authorization |
Also Published As
Publication number | Publication date |
---|---|
US20070289004A1 (en) | 2007-12-13 |
CN1506873A (en) | 2004-06-23 |
US8499339B2 (en) | 2013-07-30 |
CN100369030C (en) | 2008-02-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8499339B2 (en) | Authenticating and communicating verifiable authorization between disparate network domains | |
US9882728B2 (en) | Identity-based certificate management | |
US6092196A (en) | HTTP distributed remote user authentication system | |
US7197568B2 (en) | Secure cache of web session information using web browser cookies | |
US7774612B1 (en) | Method and system for single signon for multiple remote sites of a computer network | |
US7562222B2 (en) | System and method for authenticating entities to users | |
Erdos et al. | Shibboleth architecture draft v05 | |
US8340283B2 (en) | Method and system for a PKI-based delegation process | |
KR100800339B1 (en) | Method and system for user-determined authentication and single-sign-on in a federated environment | |
US7496755B2 (en) | Method and system for a single-sign-on operation providing grid access and network access | |
KR101475981B1 (en) | Handling expired passwords | |
US20050278538A1 (en) | Method for naming and authentication | |
US20060294366A1 (en) | Method and system for establishing a secure connection based on an attribute certificate having user credentials | |
EP1703694A2 (en) | Trusted third party authentication for web services | |
US20020144108A1 (en) | Method and system for public-key-based secure authentication to distributed legacy applications | |
US20090240936A1 (en) | System and method for storing client-side certificate credentials | |
US8033459B2 (en) | System and method for secure electronic data delivery | |
EP2404427B1 (en) | Method and apparatus for securing network communications | |
JP2001186122A (en) | Authentication system and authentication method | |
CN114079645B (en) | Method and device for registering service | |
WO2005094264A2 (en) | Method and apparatus for authenticating entities by non-registered users | |
Farrell | Securely available credentials protocol | |
Scurtescu et al. | RFC 8935: Push-Based Security Event Token (SET) Delivery Using HTTP | |
Prateek Mishra et al. | OASIS SSTC Bindings Model | |
Parecki | The Little Book of OAuth 2.0 RFCs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
 | AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHAO, LI-LUNG;GOODMAN, BRIAN D.;KEBINGER, JAMES K.;REEL/FRAME:022935/0446 Effective date: 20020826 |