`Goldman et al.
`
`US00568.4951A
`Patent Number:
`11
`45) Date of Patent:
`
`5,684.951
`Nov. 4, 1997
`
`54 METHOD AND SYSTEM FOR USER
`AUTHORIZATION OVERA MULT-USER
`COMPUTER SYSTEM
`
`Ari Lvotonen, Access Authorization Ovaview, Dec./1993,
`World Wide Web Document Chttp://www.w3.org/pub/
`www/Access Authorization/Overview.html).
`
`75
`
`Inventors: Jonathan Goldman, Menlo Park;
`Garry Saperstein, Sunnyvale, both of
`Calif.
`(73) Assignee: Synopsys, Inc., Mountain View, Calif.
`
`21 Appl. No.: 619,892
`22 Filed:
`Mar 20, 1996
`(51
`int. Cl. ... GO6F 11/00
`52 U.S. C. ................................ 395/188.01; 395/187.01;
`395/609
`58 Field of Search ......................... 395/188.01, 187.01.
`395/186, 200.06, 606, 609, 610; 380/30,
`3; 379/145
`
`56
`
`References Cited
`U.S. PATENT DOCUMENTS
`Re. 34,954 5/1995 Haber et al. ..............................
`4,876,716 10/1989 Okamoto .......
`5,136,642
`8/1992 Kawamura et al.
`5,251.258 10/1993 Tanaka ..............
`5,261,052 11/1993 Shimamoto ...
`330/30
`5,398.285 3/1995 Borgelt et al.
`... 380/4
`5,457,746 10/1995 Dolphin ............
`330/30
`5,465,300
`l/1995 Altschuler et al.
`395/200.
`5,550,984 8/1996 Gelb ..................
`... 3802
`5557,678 9/1996 Ganesan ........
`5,598,470
`l/1997 Cooper et al. .............................. 380?.
`5,598.536
`l/1997 Slaughter, III et al.
`395/2006
`5,623,601
`4/1997 Vu ...................................... 395/18701
`OTHER PUBLICATIONS
`Title: Secure Access to Data Over the Internet Authors: Eric
`Bina et al.; pp. 99-102; Date: Sep. 1994.
`Title: Dynamically Selecting Protocols for Socket Applica
`tions; Author: David M. Ogle et al.; pp. 48-57; Date: May
`1993.
`
`Primary Examiner-Robert W. Beausoliel, Jr.
`Assistant Examiner-Scott Baderman
`Attorney, Agent, or Firm-Wagner, Murabito & Hao
`57
`ABSTRACT
`
`A method and system for performing user authorization in a
`multi-user computer system. The novel method has particu
`lar application to the multi-user internet protocol. Within the
`system, an application contains a list of registered users. For
`each registered user, the application stores a user
`identification, an email (electronic mail) address, and a
`database containing each authorized IP address for that user.
`When a user requests access to the application over the
`multi-user system, the application requires the user to input
`a user identification value and, simultaneously, the applica
`tion accesses the user's current IP address (e.g., the user's
`internet domain address) over the multi-user system. The
`application attempts to validate the user identification, and if
`valid, the application examines its database to determine if
`the user is authorized for its current IP address. If so, access
`is permitted. If the user identification is valid but the current
`IP address is not authorized, the application determines a
`validation key ("key") based on the user identification and
`the current IP address. The pseudo unique key is then
`forwarded via the email protocol to the user's known email
`address. The user then is required to enter that key into the
`application to authorized the current IP address. Security is
`provided because (1) given a user identification, which can
`be stolen, the unauthorized user also needs to access the
`application using an authorized IP address and (2) email is
`used to transmit the keys to the user to a known user email
`address.
`
`21 Claims, 12 Drawing Sheets
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`JSERD
`
`PADDRESS
`
`WWW APPLICATION 22
`
`2
`220a KEY RETURNED
`
`USER TERMINA
`SYSTEM
`(IPADDRESS)
`
`220
`
`USER EMAIL
`ACCOUNT
`220
`
`EMAIL APPLICATION 216
`
`
`
`KEY FORWARDED
`
`USERVALIDATION
`SYSTEM
`
`
`
`
`
`USER:
`(1) USER-ID
`(2) EMAIL ADDRESS
`FOR USER
`(3) AUTHORIZED IP
`ADDRESSES FOR
`USER
`
`Page 1
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 1 of 12
`
`5,684.951
`
`
`
`NOI LVOITCHdV
`
`019
`
`W§JLSÅS
`
`
`
`
`
`
`
`
`
`
`
`{{9 VYHOLS
`
`WOYI
`
`?HOSSEHOORICH
`
`
`
`90' LindNI
`
`(TVNOILHO)
`
`-WHATIV
`
`OI?I?IVN?IN
`
`XVII-ISICI
`
`Page 2
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 2 of 12
`
`5,684.951
`
`
`
`A.
`>
`9.
`
`<
`>
`t
`
`Page 3
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 3 of 12
`
`5,684,951
`
`
`
`NOLLVOIIVAWHsnTYNINGSLLWHS
`
`WHLSASNOLLVOI'IddVMMMWALSAS
`
`
`Ziz(SsauddvdP)
`
`ssauddvwvdiwasn
`
`
`
`SSHUGdGVMVWA(7)
`
`ddsnAxos
`
`diGHZIHIOHLNV(¢)
`
`ar-agsn(1)
`
`wasn
`
`
`
`
`
`GHNUNLAYADAggzzq0zz
`
`cul
`
`TVWassn
`
`YOSASSAAGGV
`91zINNOOOV
`
`NOILVOITddvVTIVWad
`
`wasn
`
`
`
`GHdaVMaOdADA ad
`
`VeOld
`
`Page 4
`
`IPR2021-01406
`ANCORA EX2045
`
`Page 4
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`
`
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 4 of 12
`
`5,684.951
`
`PROCESSOR
`
`101"
`
`NON-VOLATILE
`STORAGE
`
`04
`
`
`
`OO
`
`USERVALIDATION SYSTEM
`
`310a
`
`APPLICATION PROGRAM
`
`30
`
`FIG. 3B
`
`Page 5
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 5 of 12
`
`5,684.951
`
`
`
`APPLICATION TITLE HEADER AND
`INTRODUCTORY INFORMATION
`262
`
`264
`
`OTHER MESSAGES 1 INFORMATION
`
`260
`
`FIG. 4A
`
`Page 6
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 6 of 12
`
`5,684.951
`
`
`
`VALIDATION SCREEN
`USER INFORMATION
`
`ENTERVALIDATION KEY:
`
`SUBMIT )
`286
`
`CLEAR
`28 8
`
`EXIT
`29
`2
`
`280
`
`OTHER MESSAGES 1 INFORMATION
`
`FIG. 4B
`
`Page 7
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 7 of 12
`
`5,684.951
`
`
`
`EMAIL IDENTIFICATION
`OF MESSAGE
`
`YOUR VALIDATION KEY IS:
`
`ENTER YOUR VALIDATION
`KEY AT THE SPACE
`PROVIDED AT:
`
`USE USER ID SCREEN AFTER VALIDATION FOR DIRECT ACCESS
`
`32O
`
`OTHER MESSAGES 1 INFORMATION
`
`FIG.5
`
`Page 8
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 8 of 12
`
`5,684.951
`
`400
`
`DISPLAY USER ID SCREEN AND
`INPUT USER ID INFORMATION
`40
`
`VERIFY USER ID BASED ON CHECK
`BITS AND/OR FROM USERID
`DATABASE
`
`415
`
`
`
`
`
`
`
`
`
`ACCESS IP ADDRESS OF USER FROM
`WWW INTERNETAPPLICATION 42.5
`
`CHECK F USER ID VALIDATED FOR
`IP ADDRESS OF USER
`
`430
`
`FIG. 6
`
`YES
`
`GRANT ACCESS TO
`REQUEST 44
`
`i.
`
`Page 9
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 9 of 12
`
`5,684.951
`
`
`
`
`
`
`
`
`
`INDICATE TO USER THAT USER
`ID IS NOT RECOGNIZED
`
`445
`
`OPTIONALLY DISPLAY
`REGISTRATION INFORMATION
`AND TERMS
`
`
`
`450
`
`
`
`FIG. 7
`
`Page 10
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 10 of 12
`
`5,684.951
`
`
`
`DETERMINE NEW KEY BASED ON
`USER HD AND IP ADDRESS
`
`CONSTRUCT VALIDATION INFORMATION
`MESSAGE INCLUDING KEY
`465
`
`SEND VALIDATION INFORMATION
`MESSAGE TO USERS EMAIL ADDRESS
`
`OPTIONALLY TIMESTAMP KEY
`WITH PRESENT TIME
`
`RECORD KEY INTO VALIDATION
`DATABASE FOR USER
`
`FIG. 8
`
`Page 11
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 11 of 12
`
`5,684.951
`
`500
`SERENTRY
`505
`
`O
`RENDERVALIDATION SCREEN TO USER SELECTED EXIT
`DISPLAYING VALIDATION INSTRUCTIONS
`
`USER
`
`REQUESTINPUT OF USER KEY FOR
`USER IP ADDRESS
`
`515
`
`EXIT
`
`NOMATCH
`
`
`
`COMPARE
`INPUT TO
`DETERMINED
`VALUE
`520
`MATCH
`
`Go)
`
`
`
`OPTIONALLY
`
`CHECK FOR
`TIME-OUT
`
`
`
`TIME OK
`
`UPDATE PRIOR VALIDATION
`DATABASE WITH IP ADDRESS
`
`GRANT ACCESS TO REQUEST
`
`540
`
`C RETURN D
`
`FIG. 9
`
`Page 12
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`U.S. Patent
`
`Nov. 4, 1997
`
`Sheet 12 of 12
`
`5,684.951
`
`
`
`
`
`
`
`
`
`DISPLAY MESSAGE INDICATING
`KEY BAD OR TIMEOUT
`
`550
`
`DENYACCESS AND RETURN TO
`VALIDATION SCREEN
`
`
`
`560
`
`FIG 10
`
`Page 13
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`5,684.951
`
`O
`
`15
`
`20
`
`30
`
`35
`
`25
`
`1.
`METHOD AND SYSTEM FOR USER
`AUTHORIZATION OVERA MULT-USER
`COMPUTER SYSTEM
`BACKGROUND OF THE INVENTION
`(1) Field of the Invention
`The present invention relates to the field of user validation
`within a computer system. In particular, the present inven
`tion relates to user validation with respect to a multi-user
`computer system ("network”).
`(2) Prior Art
`In multi-user networked computer systems (e.g., within
`the internet protocol), an application program
`("application") is available to a large number of unregulated
`users over the network. Typically for a given application,
`only a subset of the total number of users on the network are
`authorized to enter and use the application. In these cases,
`the application is required to perform some type of user
`validation or authentication which is designed to discrimi
`nate among the attempted users of the application so that
`only authorized or validated users are permitted entry. The
`user authentication system is typically implemented at user
`logon time, or, as the case with stateless systems, user
`authentication is performed upon each transaction between
`the user and the application because there is no memory of
`prior transactions in stateless systems.
`In the past, one method of user authentication required a
`user password that was given to each authorized user and
`entry to the application was denied to any user without the
`password. However, user passwords and user identification
`codes can be readily compromised over a multi-user com
`puter system. Once a password is stolen for aparticular user,
`entry to the application is then compromised and detection
`of the unauthorized entry can go unrecorded in these prior
`art systems. What is needed is a user authentication system
`that offers security of access even if a user password or
`identification is stolen. What is also needed is an authenti
`cation system that effectively records and flags unauthorized
`entry. The present invention provides such security.
`In one particular prior art system, a user is requested to
`input a user identification (e.g., a user name or handle), a
`personal password, and a user email address (e.g., using
`smtp, simple mail transport protocol, over the internet). A
`generated key is then forwarded to the email address of the
`45
`user. The user then accesses the email message and inputs
`the key to the application to gain entry. Once access is
`granted, the user uses the user identification and password to
`gain entry. The application is entered using the internet and
`http, hypertext transfer protocol. However, this system can
`be compromised because an unauthorized user knowing the
`user's identification and password can gain entry to the
`application. Further, this prior art system does not take into
`account the unique address of the computer system
`employed by the user to communicate with the application.
`What is needed is a system that does not allow this type of
`breach of security by preventing unauthorized email
`addresses from being entered by a user. The present inven
`tion provides such a system.
`Accordingly, the present invention provides a user vali
`dation system that offers entry security even if a user
`password or identification number is compromised. Further,
`the present invention offers a user validation system that not
`only safe guards against unauthorized entry, but also effec
`tively records and flags unauthorized entries to authorized
`users. Further, the present invention provides the above user
`validation system that also does not allow the entry of
`
`50
`
`55
`
`65
`
`2
`unauthorized email addresses by unauthorized users. These
`and other advantages of the present invention not specifi
`cally described above will become clear within discussions
`of the present invention herein.
`SUMMARY OF THE INVENTION
`A method and system are described for performing user
`validation in a multi-user computer system. The present
`invention has particular application to the multi-user internet
`protocol. Within the system, an application contains a list of
`registered users. For each registered user, the application
`stores a user identification number, an email (electronic
`mail) address, and a database containing each validated IP
`address for that user. The email address is obtained off-line
`during user registration. When a user requests access to the
`application over the multi-user system (e.g., using http), the
`application requires the user to input a user identification
`value and, simultaneously, the application accesses the
`user's current IP address (e.g., the user's internet domain
`address) over the multi-user system. The application
`attempts to validate the user identification, and if valid, the
`application examines its database to determine if the user is
`authorized for its current IP address. If so, access is permit
`ted. If the user identification is not valid, access is denied. If
`the user identification is valid, but the current IP address is
`not authorized, the application determines a validation key
`("key") based on the user identification and the current IP
`address. A procedure is used to determine the pseudo unique
`key such that it cannot be readily guessed knowing the user
`identification and the current IP address. The key is then
`forwarded over the multi-user system via the email internet
`application (e.g., smtp) to the user's known email address.
`The user then is required to access the user's email and enter
`that key into the application to authorize the current IP
`address. Security is provided because (1) given a user
`identification, which can be stolen, the unauthorized user
`also needs to access the application using a validated IP
`address and (2) email (a "present" rather than demand
`system) is used to transmit the key to the user at a known
`user address that is not given on-line.
`Specifically, embodiments of the present invention
`include a method in a computer system, the method autho
`rizing a user for access to an application system and com
`prising the steps of: requesting a user identification from a
`user, the step of requesting performed over a first interface
`protocol of the multi-user computer system; accessing an
`address identifying a computer system employed by the user
`to originate access requests; generating a key for the user
`and specific to the address, the key based on the address and
`the user identification; transferring the key to the user via a
`second interface protocol of the multi-user computer system;
`receiving a user entered validation value from the user over
`the first interface protocol of the multi-user computer sys
`tem; and granting access of the application system to the
`user if the user entered validation value equals the key for
`that address and user identification.
`Embodiments include the above and wherein the multi
`user computer system utilizes an internet protocol and
`wherein the first interface protocol is the world wide web
`internet application using the hypertext transfer protocol
`(http) and wherein the second interface protocol is the
`electronic mail internet application using the simple mail
`transport protocol (smtp). Embodiments include the above
`and wherein the step of generating the key comprises the
`steps of: accessing a secret code string; concatenating the
`secret code string, the user identification, and the address to
`generate a first value; and performing a first procedure upon
`
`Page 14
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`5,684.951
`
`O
`
`15
`
`25
`
`30
`
`35
`
`45
`
`3
`the first value to produce a fixed length pseudo unique value
`corresponding to the first value wherein said pseudo unique
`value is said key. Embodiments also include a computer
`system implemented in accordance with the above.
`BRIEF DESCRIPTION OF THE DRAWNGS
`FIG. 1 illustrates an exemplary hardware configuration
`that can be used in accordance with the present invention
`validation system.
`FIG. 2 is a logical block diagram of different protocols
`accessible over an exemplary internet multi-user computer
`system in accordance with the present invention.
`FIG. 3A is a logical block diagram illustrating two dif
`ferent communication protocols (e.g., www using http and
`email using smtp) that are used by a user to communicate
`with the validation system in accordance with the preset
`invention.
`FIG. 3B is a logical block diagram of components of the
`application system 310 of the present invention.
`FIG. 4A illustrates an exemplary user identification screen
`(“form") in accordance with the validation system of the
`present invention.
`FIG. 4B illustrates an exemplary IP address validation
`screen ("form") in accordance with the validation system of
`the present invention.
`FIG. 5 illustrates an exemplary email validation message
`containing a key in accordance with the present invention.
`FIG. 6 illustrates a flow diagram of steps of the present
`invention validation method including steps for accessing a
`user identification and validating the user's current IP
`address.
`FIG. 7 illustrates steps of the present invention validation
`method for an invalid user identification.
`FIG. 8 is a flow diagram of steps of the present invention
`method for determining a new key for an unrecognized user
`P address.
`FIG. 9 illustrates steps of the present invention validation
`system for validating an input key from a user with respect
`to a user IP address.
`FIG. 10 illustrates steps of the present invention valida
`tion method in response to an invalid key or validation
`time-out.
`
`DETALED DESCRIPTION OF THE
`NVENTION
`In the following detailed description of the present
`invention, numerous specific details are set forth in order to
`provide a thorough understanding of the present invention.
`However, it will be obvious to one skilled in the art that the
`present invention may be practiced without these specific
`details. In other instances, well known methods, procedures,
`components, and circuits have not been described in detail
`to avoid unnecessarily obscuring aspects of the present
`invention.
`
`55
`
`NOTATION AND NOMENCLATURE
`Some portions of the detailed descriptions which follow
`are presented in terms of procedures, steps, logic blocks,
`processing, and other symbolic representations of operations
`on data bits within a computer memory. These descriptions
`and representations are the means used by those skilled in
`the data processing arts to most effectively convey the
`65
`substance of their work to others skilled in the art. A
`procedure, computer executed step, logic block, process,
`
`4
`etc., is here, and generally, conceived to be a self-consistent
`sequence of steps or instructions leading to a desired result.
`The steps are those requiring physical manipulations of
`physical quantities. Usually, though not necessarily, these
`quantities take the form of electrical or magnetic signals
`capable of being stored, transferred, combined, compared,
`and otherwise manipulated in a computer system. It has
`proven convenient at times, principally for reasons of com
`mon usage, to refer to these signals as bits, values, elements,
`symbols, characters, terms, numbers, or the like.
`It should be borne in mind, however, that all of these and
`similar terms are to be associated with the appropriate
`physical quantities and are merely convenient labels applied
`to these quantities. Unless specifically stated otherwise as
`apparent from the following discussions, it is appreciated
`that throughout the present invention, discussions utilizing
`terms such as "processing" or "computing" or "calculating"
`or "determining" or "displaying" or the like, refer to the
`action and processes of a computer system, or similar
`electronic computing device, that manipulates and trans
`forms data represented as physical (electronic) quantities
`within the computer system's registers and memories into
`other data similarly represented as physical quantities within
`the computer system memories or registers or other such
`information storage, transmission or display devices.
`COMPUTER SYSTEM 12
`With reference to the user validation system of the present
`invention, as described below, aspects of the present inven
`tion are described in terms of steps executed on a computer
`system. Although a variety of different computer systems
`can be used with the present invention, an exemplary
`computer system 112 is shown in FIG. 1. In general,
`computer systems 112 that can be used by the present
`invention comprise an address/data bus 100 for communi
`cating information, a central processor 101 coupled with the
`bus for processing information and instructions, a volatile
`memory 102(e.g., random access memory) coupled with the
`bus 100 for storing information and instructions for the
`central processor 101, a non-volatile memory 103 (e.g., read
`only memory) coupled with the bus 100 for storing static
`information and instructions for the processor 101, a data
`storage device 104 such as a magnetic or optical disk and
`disk drive coupled with the bus 100 for storing information
`and instructions, a display device 105 coupled to the bus 100
`for displaying information to the computer user, an optional
`alphanumeric input device 106 including alphanumeric and
`function keys coupled to the bus 100 for communicating
`information and command selections to the central processor
`101, an optional cursor control device 107 coupled to the bus
`for communicating user input information and command
`selections to the central processor 101, and a signal gener
`ating device 108 coupled to the bus 100 for interfacing with
`other networked computer systems.
`The display device 105 of FIG. 1 utilized with the
`computer system 112 of the present invention may be a
`liquid crystal device, cathode ray tube, or other display
`device suitable for creating graphic images and alphanu
`meric characters recognizable to the user. Also coupled to
`the signal generating device is a multi-user network inter
`face (e.g., an internet interface) which couples computer
`system 112 to a multi-user system (e.g., the internet in one
`embodiment of the present invention). Interface 110 is
`coupled to communicate with an application system 310. It
`is appreciated that the application system 310 contains a
`hardware platform (e.g., analogous to computer system 112)
`which executes instructions to implement the application
`
`Page 15
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`5,684.951
`
`5
`program. The present invention user validation system gives
`the application system 310 a level of security to help prevent
`unauthorized entry of the application system 310 over the
`internet interface 110.
`
`6
`users only. The user system 112 is also coupled to commu
`nicate with a user email account 220 which contains mes
`sages for the user that are received over the email internet
`application 216. During validation, a user identification
`value (user ID), the IP address of the user system 112 (IP
`address), and a user-returned key (validation value) are
`supplied by the user over the www internet application 212.
`The email internet application 216 is also used during user
`validation. Specifically, the user validation system 310a
`originates the key and forwards it to the user via the email
`internet application 216.
`As shown by FIG. 3A, the user validation system 310a of
`the present invention maintains a database having an entry
`for each authorized user. Each entry includes the user's
`identification (userID), the user's email address, and each IP
`address for which the user is authorized. This information is
`described in more detail to follow. The user's email address
`is known to the user validation system 310a upon user
`registration. During the validation process, the user valida
`tion system 310 a does not request the user email address
`from the user over the internet interface 110 (FIG. 1) to
`prevent entry of unauthorized email addresses.
`FIG. 3B illustrates components of the application system
`310 (FIG. 1) of the present invention. Included are a
`processor 101", a non-volatile information storage unit 104,
`and an input/output device 108', each coupled to a bus 100.
`Also coupled to the bus 100' is a computer readable memory
`unit 102' which contains program code to implement the
`user validation system 310a. Memory 102 can optionally
`also include the application program 312. The input/output
`device 108' couples to the internet and interface block 110
`(FIG. 1).
`USERVALIDATION USER SCREENS AND
`MESSAGES
`During user validation, the present invention user valida
`tion system 310a (FIG. 3A) utilizes several display screens
`(also called "forms") and messages that are rendered to the
`user (e.g., over display device 105 of FIG. 1). With reference
`to FIG. 4A, the user identification screen 260 is illustrated.
`Upon an attempted access to the application system 310
`(FIG. 1), the user validation system 310a generates the user
`identification screen 260 to the user to access the user's user
`ID. The screen 260 contains a message header 262 indicat
`ing the purpose of the screen and optionally contains instruc
`tions and introductory information. An input field 264 is
`displayed to receive the user ID from the user. An enter
`button 266 is optionally displayed that can be activated to
`accept the userID when the userID is completely entered by
`the user. An exit button 268 is also optionally provided to
`clear the user ID or to exit the screen 260. Other messages
`and/or internet (e.g. www) addresses can be displayed in
`optional message field 270.
`If application system 310 (FIG. 1) is a connection system,
`then screen 260 is only displayed upon initial user logon. If
`application system 310 is a stateless system, then screen 260
`is displayed upon the initial access to application system 310
`by the user. The initial access to application system 310
`opens an http access window (also known as an http form)
`on the user system 112 (FIG. 1). In accordance with one
`embodiment of the present invention (e.g., with regard to the
`stateless system), screen 260 will not be displayed again for
`subsequent user transactions unless the user closes the http
`internet access window to the application system 310. In a
`stateless system, for each transaction between the user and
`the application system310, the present invention embeds the
`
`O
`
`15
`
`25
`
`35
`
`PRESENT INVENTION COMMUNICATION
`INTERFACES
`With reference to FIG. 2, the internet interface 110 (FIG.
`1) is described in more detail. The internet 210 is a well
`known connection of world wide computer systems that
`operate using the well known internet protocol. The internet
`210 is one type of multi-user computer system. Other
`internet applications (e.g., using specific protocols) operate
`on top of the internet protocol. One such application is the
`well known world wide web or www internet application
`212 which operates using the hypertext transfer protocol or
`http. The www internet application 212 is a "demand
`system” in which a user requests information from a site and
`the site transfers the information back to the user on-line.
`Also well known is the email internet application 216 which
`operates using the simple mail transport protocol or smtp.
`The email internet application 216 is a "present system” in
`that an information transfer command originates from a
`sender site and information pursuant that command is pre
`sented to the target email address. Another internet applica
`tion is the file transfer internet application 214 which
`operates using the file transfer protocol, ftp. In one
`embodiment, the present invention user validation system
`utilizes the www 212 and email 216 internet applications as
`30
`well as the internet protocol 210. Other embodiments of the
`present invention are implemented in other multi-user com
`puter environments.
`FIG. 3A illustrates a logical diagram of the present
`invention user validation system 310a in combination with
`a user terminal system 112 (user system), the user's email
`account 220, and elements of the internet interface 110 (FIG.
`1). The user terminal system 112 (FIG. 1) is used by the user
`to originate access requests to the application system 310
`(which contains validation system 310a). FIG. 3A specifi
`cally illustrates pertinent information transfers and commu
`nication interfaces in accordance with the present invention.
`The user system 112 is assigned a unique internet domain
`address number ("IP address”) by the internet interface 110.
`In one embodiment, the IP address is composed of four octet
`wide addresses to produce a 32 bits wide address. The user
`system 112 is communicatively coupled to the user valida
`tion system 310a using the www internet application 212
`and the email internet application 216.
`Although shown as a single system in FIG. 3A, the user
`can utilize a number of different user systems to communi
`cate with the user validation system 310a of the present
`invention. In this case, the user can be validated for and from
`a number of different IP addresses. Within the present
`invention, the user is allowed a number of different user
`systems 112 (FIG. 1) and each is recorded by the present
`invention. However, it is understood that of the recognized
`accounts, the present invention selects a particular mail
`account 220 for communicating a validation key ("key"). It
`is appreciated that the user system 112 contains software to
`implement a forms-capable browser allowing the user to
`browse sites having forms (also called "screens' herein)
`over the internet 110 (FIG. 1) using the www internet
`application 212 running http.
`The user validation system 310a of FIG. 3A is a part of
`the application system 310 of FIG. 1 and functions to
`regulate the use of application system 310 to authorized
`
`55
`
`45
`
`50
`
`65
`
`Page 16
`
`IPR2021-01406
`ANCORA EX2045
`
`
`
`7
`user ID value into the http access window in a text string
`whose input type is hidden. In this way, each transaction
`performed by the user using the http access window of the
`present invention automatically transmits the user's userID,
`If user validation is required (described further below),
`the present invention displays to the user a user validation
`screen 280 as shown in FIG. 4B. The user validation screen
`280 contains a message header 282 which optionally con
`tains instructions and other information for the user. It is
`appreciated that message header 282 contains instructions to
`the user indicating that a key is being forwarded from the
`user validation system 310a (FIG. 3A) to the user's known
`email address. An information field 284 receives the vali
`dation value that is to be entered by the user. The user is
`instructed to obtain the key from the user's email account
`220 (FIG. 3A) and input that key into information field 284
`of the validation screen 280. The value entered into infor
`mation field 284 is the user entered validation value. Once
`the validation value is entered, a submit button 286 can be
`activated by the user to present the validation value to user
`validation system 310a. A clear button 288 is optionally
`provided to erase an incorrect key entered at field 284. Other
`messages and/or internet (e.g., www) addresses can be
`displayed in optional message field 290. The user is able to
`exit the validation screen 280 without entering a key by
`invoking the exit button 292.
`FIG. 5 illustrates an exemplary message format of the
`present invention validation message that is forwarded from
`the user validation system 310a (FIG. 3A), over the email
`internet application 216 (FIG. 3A), to the user's known user
`email address. The validation message format 320 in one
`embodiment is a textfile and contains a message header 322
`indicating the nature of the message (e.g., validation for the
`application system 310 of FIG. 1) and other optional instruc
`tions. Importantly, the message format 320 contains the
`transmitted key in information field 324 for the user. As
`discussed further below, the key is pseudo unique to the user
`ID and the user's current IP address. The validation message
`format 320 also contains an internet address (e.g., in the
`form of a Uniform Resource Locator or URL format) within
`information field 326. The internet address (e.g., URL) in
`field 326 specifies the address (e.g., URL) at which the
`validation screen 280 (FIG. 4B) is located. The user is
`instructed to return to this internet address (e.g., URL) to
`enter the key of field 324. The user is also instructed by
`validation message 320 that the user identification screen
`260 (FIG. 4A) allows direct access to the application system
`310 after validation is complete for this current IP address.
`Other messages and/or internet (e.g., www) addresses can be
`displayed in optional message field 328.
`USERVALIDATION PROCEDURE OF THE
`PRESENT INVENTON
`FIG. 6 illustrates steps of the user validation procedure
`400 of the present invention operable within the user vali
`dation system 310a (FIG. 3A) of the application system 310
`(FIG. 1). At step 410, the present inve