(12) United States Patent
Dharmarajan

(10) Patent No.: US 7,089,585 B1
(45) Date of Patent: Aug. 8, 2006

(54) METHOD AND SYSTEM FOR AUTHORIZING A CLIENT COMPUTER TO ACCESS A SERVER COMPUTER

(75) Inventor: Dharmarajan, Mountain

(73) Assignee: Microsoft Corporation, Redmond, WA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 902 days.

(21) Appl. No.: 09/650,105
(22) Filed: Aug. 29, 2000
(51) Int. Cl.: H04L 9/00 (2006.01); G06F 13/14 (2006.01)

Primary Examiner: Taghi T. Arani
(74) Attorney, Agent, or Firm: Christensen O'Connor Johnson Kindness PLLC

(57) ABSTRACT

The present invention includes a client computer, a first server computer, and a second server computer. The first server provides an authorization ticket containing a time stamp to the client computer when the client computer is authorized to access the first server. An elapsed time counter is started at the client computer when access is provided to the first server. When a request is received at the client computer to access the second server, the client computer determines the session length based upon the elapsed time counter. The client computer calculates a hash value for the authorization ticket, the session length, and a secret shared with the second server computer. The client computer transmits a login request to the second server including the authorization ticket, the session length, and the hash. The second server decrypts the authorization ticket and retrieves a copy of the shared secret. The second server executes a hash function on the authorization ticket, the session length, and the shared secret. The second server then compares the computed hash to the hash value received from the second client application. If the two hash values are identical, the second server retrieves the time stamp from the authorization ticket and adds the session length to the time stamp. The second server then compares the resulting value to the current time. If the resulting value and the current time are within a preset threshold value, the client computer is provided

21 Claims, 6 Drawing Sheets

[Front-page figure: flow diagram, largely illegible in the scan; legible labels: authorization ticket, session length, shared secret; transmit error message; browser]

Ex. 1007
CISCO SYSTEMS, INC. / Page 1 of 15

U.S. Patent    Aug. 8, 2006    Sheet 1 of 6    US 7,089,585 B1

[FIG. 1: block diagram; labels legible in the rotated scan: instant messaging server computer, instant messaging server application program, WWW server computer, WWW browser, instant messaging client application program, authorization ticket, session length, MD5 hash]

U.S. Patent    Aug. 8, 2006    Sheet 2 of 6    US 7,089,585 B1

[FIG. 2: block diagram of the client computer; labels legible in the rotated scan: processing unit, hard disk, interface]

U.S. Patent    Aug. 8, 2006    Sheet 3 of 6    US 7,089,585 B1

[FIG. 3: block diagram of the server computer; labels legible in the rotated scan: monitor, disk drive, authorization]

U.S. Patent    Aug. 8, 2006    Sheet 4 of 6    US 7,089,585 B1

FIG. 4 (flow diagram, instant messaging client login):
  400  Instant messaging client login
       Perform encrypted/secure login to instant messaging server
       Receive authorization ticket containing time stamp from instant messaging server
  408  Start elapsed time counter

U.S. Patent    Aug. 8, 2006    Sheet 5 of 6    US 7,089,585 B1

FIG. 5 (flow diagram, login to WWW server):
  500  Login to WWW server
       (decision box, label illegible; YES branch continues)
  504  Determine session length from elapsed time counter
  506  Concatenate authorization ticket, session length, and shared secret
  508  Perform one-way hash of concatenated data
  510  Store authorization ticket, session length, and hash
  512  Launch browser and request connection to WWW server
  514  HTTP POST authorization ticket, session length, and hash to WWW server
  516  Start persistence timer
       Receive WWW page from WWW server
       Display WWW page received from WWW server
       Persistence timer elapsed?
       Delete file containing auth. ticket, sess. length, and hash from client

U.S. Patent    Aug. 8, 2006    Sheet 6 of 6    US 7,089,585 B1

FIG. 6 (flow diagram, process login request at WWW server):
  600  Process login request at WWW server
  602  Receive HTTPS POST including auth. ticket, sess. length, and hash from WWW browser
  604  Decrypt authorization ticket
  606  Retrieve shared secret from database
  608  Concatenate auth. ticket, session length, and shared secret
  610  Perform one-way hash of concatenated data
  612  Compare result of hash to hash received from WWW browser
  614  (decision box, label illegible) NO: transmit error message to WWW browser
  616  YES: retrieve time stamp from authorization ticket
  618  Add session length to time stamp
  620  Compare result to current time
       Within threshold value? NO: transmit error message to WWW browser
  624  YES: log user into requested WWW site
       Transmit requested WWW page to WWW browser
  628  End

METHOD AND SYSTEM FOR AUTHORIZING A CLIENT COMPUTER TO ACCESS A SERVER COMPUTER

FIELD OF THE INVENTION

This invention generally relates to the field of computer security and, more specifically, relates to a method and system for authorizing a client computer to access a server computer system based upon authorization previously provided to access another server computer system.

BACKGROUND OF THE INVENTION

With the advent and explosion of the Internet has come a similar explosion in the number of services available over the Internet. In addition to the popular World Wide Web ("WWW" or "Web"), services are available over the Internet that provide instant messaging, chat facilities, e-mail, and other types of services. To access these services, a user must typically utilize several different client application programs. For instance, a user may utilize an instant messaging client to interface with the instant messaging service and, simultaneously, the user may utilize a Web browser application to retrieve Web-based e-mail or other types of Web pages.

While many client computers are capable of simultaneously executing multiple client application programs to communicate with multiple Internet services, it is not always convenient for a user to use the client application programs in this way. For instance, when a user launches the instant messaging client, the user may be required to provide a username and password. The instant messaging client may then perform a sophisticated and time-consuming login procedure to gain access to the server computer that provides the instant messaging service. If the user then desires to access a Web site through a Web browser application program, the user has to launch the Web browser application and then provide the address of the desired Web site. When the Web site responds, the user may then have to again provide their username and password. The user may also have to wait while the Web site and the Web browser application program perform another sophisticated and time-consuming login procedure. If the user wants to access additional services, the user will again have to provide a username and password and endure a lengthy login procedure to access these services. Providing a username and password for each client application in this manner can be extremely monotonous for a computer user. Moreover, each time a computer user desires to utilize another client application program, the user may have to wait for a login screen before they can provide their username and password. Waiting for several such login screens to appear may also be monotonous for a computer user.

Therefore, in light of the above, there is a need for a method and system for providing access to a computer system that does not require a user to provide login information if the user has previously been provided access to another computer system. Additionally, there is a need for a method and system for providing access to a computer system based upon previously provided access to another computer system that can authenticate a client computer for access without requiring a user of the client computer to endure a lengthy login procedure.

SUMMARY OF THE INVENTION

The present invention solves the above problems by providing a method and system for providing authorization to access a second computer system based upon previously provided authorization to access a first computer system that does not require a user to provide login information more than once. The present invention also solves the above problems by providing a method and system for providing access to a computer system based upon previously provided access to another computer system that can securely authenticate a client computer for access without requiring a user of the client computer to endure a lengthy login procedure.

Generally described, the present invention includes a client computer connected to the Internet that is capable of simultaneously executing multiple client application programs, such as an instant messaging client application and a Web browser application. The present invention also includes a first server computer, such as an instant messaging server computer, that is operative to receive an access request from the client computer. This request may include a username and password. If the client computer is authorized to access the first server computer, the first server computer will transmit an authorization ticket to the client computer. The authorization ticket is encrypted and includes a time stamp indicating the time at which the authentication ticket was created. Once the client computer has been provided authorization to access the first server computer, the client application communicating with the first computer starts an elapsed time counter.

When a request is received at the client computer to access a second server computer, the client application communicating with the first server computer determines the session length based upon the elapsed time counter. The client application then concatenates the original authorization ticket, the session length, and a secret shared with the second server computer, like a user password. A hash function is then applied to the concatenated data to create a unique hash value. The client stores the authorization ticket, the session length, and the hash value in a file that is accessible to a second client application executing on the client computer, such as a Web browser. The client also starts a persistence timer when the file is saved. The persistence timer is periodically checked to determine if a predetermined amount of time has elapsed. If the predetermined amount of time has elapsed, the file is deleted from the client computer.

The client application then launches the second client application and causes a login request to be transmitted from the second client application to the second server computer. The request includes the file containing the authorization ticket, the session length, and the hash. The second client application then receives and displays results received from the second server computer.

When the second server computer receives the login request, the second server computer decrypts the authorization ticket. The second server computer then retrieves the shared secret from its own database containing this information. The second server concatenates the authorization ticket, the session length, and the shared secret and executes a hash function on the concatenated data identical to the hash function utilized by the client computer. The second server then compares the computed hash to the hash value received from the second client application. If the two hash values are not identical, the second server does not authorize the client computer to access the second server and transmits an error message to the second client application.

If the two hash values are identical, the second server retrieves the time stamp from the authorization ticket and adds the session length to the time stamp. The second server then compares the resulting value to the current time. If the resulting value and the current time are not within a preset threshold value, the client computer is not permitted to access the second server and an error message is sent to the second client application. If the resulting value and the current time are within a preset threshold value, the client computer is provided access to the second server computer.

The present invention also provides a method, apparatus, and computer-readable medium for providing authorization to access a second computer based on previously provided authorization to access a first computer.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same becomes better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram illustrating a system architecture and general operation for an actual embodiment of the present invention.

FIG. 2 is a block diagram illustrating a client computer utilized in an actual embodiment of the present invention.

FIG. 3 is a block diagram illustrating a server computer utilized in an actual embodiment of the present invention.

FIG. 4 is a flow diagram illustrating a routine for providing authorization to access a first computer to a client computer according to an actual embodiment of the present invention.

FIG. 5 is a flow diagram illustrating a routine for logging a client computer into a second computer based upon access previously provided to a first computer according to an actual embodiment of the present invention.

FIG. 6 is a flow diagram illustrating a routine for authorizing a client computer to access a second computer based upon access previously provided to the client computer to access a first computer according to an actual embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention is directed to a method and system for providing access to a server computer based upon previously provided access to another server computer. Aspects of the present invention may be embodied in a Web server application program, such as the Internet Information Server program owned and licensed by the Microsoft(R) Corporation of Redmond, Wash. Additionally, aspects of the present invention may be embodied in an instant messaging server application program and an instant messaging client application program, such as those utilized to provide the MSN Messenger service, also provided by Microsoft(R).

Referring now to the figures, in which like numerals represent like elements, an actual embodiment of the present invention will be described. Although aspects of the invention will be described in the general context of an application program that executes on an operating system in conjunction with a server computer, those skilled in the art will recognize that the invention also may be implemented in combination with other program modules. Generally, program modules include routines, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like. Although the invention is also described as being practiced in a distributed computing environment, where tasks are performed by remote processing devices that are linked through a communications network, other possible implementations should be apparent to those skilled in the art.

Referring now to FIG. 1, aspects of the present invention and an illustrative operating environment for an embodiment of the present invention will be described. According to an embodiment of the present invention, a client computer 10, an instant messaging server computer 2, and a Web server computer 26 are each connected to the Internet 8. An illustrative client computer 10 is described in detail below with reference to FIG. 2. An illustrative Web server computer 26 and an illustrative instant messaging server computer 2 are described below with respect to FIG. 3.

As is well known to those skilled in the art, the Internet 8 comprises a collection of networks and routers that use the Transmission Control Protocol/Internet Protocol ("TCP/IP") to communicate with one another. The Internet typically includes a plurality of local area networks ("LANs") and wide area networks ("WANs") that are interconnected by routers. Routers are special purpose computers used to interface one LAN or WAN to another. Communication links within the LANs may be twisted wire pair or coaxial cable, while communication links between networks may utilize 56 Kbps analog telephone lines, 1 Mbps digital T-1 lines, 45 Mbps T-3 lines or other communications links known to those skilled in the art. Furthermore, computers, such as the client computer 10, and other related electronic devices can be remotely connected to either the LANs or the WANs via a permanent network connection or via a modem and temporary telephone link. It will be appreciated that the Internet 8 comprises a vast number of such interconnected networks, computers, and routers.

According to an actual embodiment of the present invention, the client computer 10 executes an instant messaging client application program 12. The instant messaging client application program 12 communicates through the Internet 8 with an instant messaging server application 4 executing on the instant messaging server computer 2. Together, the instant messaging client application program 12 and the instant messaging server application program 4 provide instant messaging capabilities to a user of the client computer 10. Instant messaging services allow a user of the client computer 10 to send real-time messages to other users also connected to the instant messaging server computer 2 and are well known to those skilled in the art.

The client computer 10 also executes a Web browser application program 24, such as Internet Explorer provided by Microsoft(R). The Web browser application program 24 transmits requests for Web pages or other resources located at the Web server computer 26 to the Web server application program 18. The Web server application program 18 receives the request, determines whether the client computer is authorized to access the Web server computer 26, and responds to the request accordingly. If the client computer 10 is authorized to access the Web server computer 26, the Web server application program 18 will transmit the requested resource to the client computer 10. If the client
computer 10 is not authorized to access the requested resource, the Web server application program 18 will transmit an error message to the client computer 10.

According to an embodiment of the present invention, the instant messaging client application program 12 utilizes a sophisticated secure login mechanism to gain access to the instant messaging server application program 4. As part of this procedure, the instant messaging server application program 4 transmits an encrypted authentication ticket 6 to the client computer 10 when authorization is provided to the client computer 10 to access the instant messaging server computer 2. The authentication ticket 6 contains a time stamp indicating the time at which the authentication ticket was created and transmitted to the client computer 10. The authentication ticket 6 is stored by the client computer 10 for subsequent use in accessing the Web server computer 26. Additionally, the client computer 10 begins a session timer that represents the length of time, or session length, the client computer 10 has been authorized to access the instant messaging server computer 2. An illustrative routine for logging the client computer 10 into the instant messaging server computer 2 is described in detail below with reference to FIG. 4.

According to an embodiment of the present invention, a user of the client computer may select a user interface option provided by the instant messaging client application program 12 for gaining quick access to the Web server computer. For instance, a user of the MSN Messenger client application may desire to quickly gain access to their Web-based e-mail account with the HotMail service, also from Microsoft(R). In order to provide this functionality, the instant messaging client application program 12 may provide a menu item, button, or other user interface item for quickly accessing the Web server computer 26. In response to the selection of this user interface item, the client computer 10 may gain authorization to access the Web server computer 26 based upon the previously provided authorization to access the instant messaging server computer 2.

According to an embodiment of the present invention, the client computer 10 gains authorization to access the Web server computer by first determining the session length of the communications session with the instant messaging server computer 2. The client computer 10 then concatenates the authorization ticket received from the instant messaging server computer 2, the session length, and a shared secret stored at the client computer 10. The shared secret comprises a secret, such as a user login, e-mail address or password, that is shared between the client computer and the Web server computer. A hash function is then applied to the concatenated data to determine a unique hash value for the concatenated data. The authorization ticket, session length, and hash value are then stored in a file 16 on the client computer 10 in a location that is accessible to the Web browser application program 24.

The instant messaging client application program 12 causes the Web browser application program 24 to be executed on the client computer and provides a Uniform Resource Locator ("URL") corresponding to the Web server computer 26. The instant messaging client application program 12 also causes the Web browser application program 24 to post the file 16 containing the authorization ticket, session length, and hash value to the Web server application program 18 as a part of a request for authorization to access the Web server computer 26. The client computer 10 then receives a response from the Web server computer 26. If the Web server application program 18 authorizes the client computer 10 to access the Web server computer 26, the Web page located at the requested URL will be returned to the Web browser application program 24. If the Web server application program 18 does not authorize the client computer 10 to access the Web server computer 26, an error message will be returned to the Web browser application program. Additionally, the client computer may delete the file 16 containing the authorization ticket, session length, and hash value after a predetermined amount of time has elapsed to ensure that an unauthorized user does not retrieve this information. An illustrative routine for accessing the Web server computer 26 from the client computer 10 based upon authorization previously provided to access the instant messaging server computer 2 will be described in more detail below with respect to FIG. 5.

According to an embodiment of the invention, the Web server application program 18 receives the authorization ticket, the session length, and the hash value from the client computer 10 as part of a request to access the Web server computer 26. To process the login request, the Web server application program 18 concatenates the authorization ticket, the session length, and a copy of the shared secret stored at the Web server computer. The Web server application program 18 then calculates a hash value for the concatenated data using the same hash function as the one utilized by the client computer 10. The Web server application program 18 then compares the computed hash value to the hash value received from the client computer 10. If the hash values are not identical, the Web server application program 18 does not provide authorization to the client computer 10 to access the Web server computer 26. Rather, the Web server application program 18 transmits an error message to the client computer 10.

If the hash values are identical, the Web server application program 18 performs an additional security check by retrieving the time stamp from the authorization ticket, adding the session length to the time stamp, and comparing the resulting value to the current time. If the sum of the session length and the time stamp is not within a preset range of the current time, the Web server application program 18 transmits an error message to the client computer 10. If the sum of the session length and the time stamp is within a preset range of the current time, the Web server application program 18 authorizes the client computer 10 to access the Web server computer 26 and responds to the request for a resource located at the Web server computer 26. An illustrative routine for processing a request to login to the Web server computer will be described in more detail below with reference to FIG. 6.

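As an added worked example (not code from the patent or from Microsoft), the flow that the summary, FIGS. 4 to 6 and the paragraphs above describe, in Python: the first server issues a time-stamped ticket, the client derives the login proof from the ticket, the elapsed session length and the shared secret, and the second server recomputes the hash and then applies the time-window check. The ticket key, the secret database, the 300-second threshold, SHA-256 in place of the MD5 the figures label, the field separator, the user name carried inside the ticket, and the HMAC-sealed token standing in for the patent's encrypted ticket are all this example's assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

HASH = hashlib.sha256      # assumption: the figures label the hash MD5; SHA-256 is used here
THRESHOLD_SECONDS = 300    # assumption: the "preset threshold" of the time-window check


# First server (instant messaging server): issue the ticket (FIG. 4).
def issue_ticket(ticket_key: bytes, issued_at: int, user: str) -> str:
    """Return an opaque authorization ticket containing the creation time stamp.

    The patent encrypts the ticket; here it is sealed with an HMAC tag under a key shared
    by the two servers (assumption), which gives the second server what it needs: the time
    stamp, and assurance that the first server issued it. The user name inside the ticket
    lets the second server look up that user's shared secret (assumption).
    """
    payload = json.dumps({"ts": issued_at, "user": user}, sort_keys=True).encode()
    tag = hmac.new(ticket_key, payload, HASH).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def open_ticket(ticket_key: bytes, ticket: str) -> Optional[Tuple[int, str]]:
    """Second server side: recover (time stamp, user), or None if the ticket is not genuine."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
        size = HASH().digest_size
        payload, tag = raw[:-size], raw[-size:]
        if not hmac.compare_digest(hmac.new(ticket_key, payload, HASH).digest(), tag):
            return None
        fields = json.loads(payload)
        return int(fields["ts"]), str(fields["user"])
    except (ValueError, KeyError, TypeError):
        return None


# Client (FIG. 5, steps 504-514): session length from the elapsed-time counter, then the hash.
def login_proof(ticket: str, session_length: int, shared_secret: str) -> str:
    """One-way hash of the concatenated ticket, session length and shared secret."""
    data = "|".join([ticket, str(session_length), shared_secret]).encode()  # separator: assumption
    return HASH(data).hexdigest()


def build_login_request(ticket: str, shared_secret: str, login_time: int, now: int) -> dict:
    """What the browser posts to the Web server: ticket, session length and hash."""
    session_length = now - login_time          # elapsed-time counter started at IM login (408)
    return {"ticket": ticket, "session_length": session_length,
            "hash": login_proof(ticket, session_length, shared_secret)}


# Second server (Web server, FIG. 6): recompute the hash, then apply the time-window check.
def process_login(request: dict, ticket_key: bytes, secrets_db: dict, now: int,
                  threshold: int = THRESHOLD_SECONDS) -> Tuple[bool, str]:
    """Return (authorized, reason), applying the checks in the order FIG. 6 shows them."""
    opened = open_ticket(ticket_key, request["ticket"])            # 604: decrypt ticket
    if opened is None:
        return False, "ticket rejected"
    issued_at, user = opened
    shared_secret = secrets_db.get(user)                           # 606: retrieve shared secret
    if shared_secret is None:
        return False, "unknown user"
    session_length = int(request["session_length"])
    expected = login_proof(request["ticket"], session_length, shared_secret)  # 608-610
    if not hmac.compare_digest(expected, str(request["hash"])):    # 612: compare hashes
        return False, "hash mismatch"
    if abs(issued_at + session_length - now) > threshold:          # time stamp + session length
        return False, "outside threshold"                          # must be near the current time
    return True, "ok"


def run_scenarios() -> dict:
    """Constructed end-to-end run on a fake clock; returns each scenario's verdict."""
    ticket_key = b"constructed-ticket-key-shared-by-both-servers"
    secrets_db = {"alice": "constructed-alice-password"}           # second server's database
    t0 = 1_000_000                                                  # IM login time (fake clock)
    ticket = issue_ticket(ticket_key, issued_at=t0, user="alice")
    now = t0 + 90                     # 90 s into the IM session the user asks for the Web server
    request = build_login_request(ticket, secrets_db["alice"], login_time=t0, now=now)
    verdicts = {"valid": process_login(request, ticket_key, secrets_db, now=now)}
    # Session length changed in transit without the shared secret: the hash no longer matches.
    altered = dict(request, session_length=request["session_length"] + 1)
    verdicts["altered_length"] = process_login(altered, ticket_key, secrets_db, now=now)
    # The same request presented again once the threshold has passed.
    late = now + THRESHOLD_SECONDS + 1
    verdicts["replayed_late"] = process_login(request, ticket_key, secrets_db, now=late)
    # A ticket sealed under some other key, i.e. not issued by the first server.
    forged = dict(request, ticket=issue_ticket(b"other-key", t0, "alice"))
    verdicts["forged_ticket"] = process_login(forged, ticket_key, secrets_db, now=now)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:15} -> {verdict}")
```

Running the file prints each scenario's verdict; the rejected cases show which server-side check (ticket, hash comparison, or time window) stopped the request.
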
Referring now to FIG. 2, an illustrative client computer 10 will be described. The client computer 10 comprises a conventional personal computer, including a processing unit 38, a system memory 30, and a system bus 40 that couples the system memory 30 to the processing unit 38. The system memory 30 includes a read only memory ("ROM") 32 and a random access memory ("RAM") 36. A basic input/output system 34 ("BIOS"), containing the basic routines that help to transfer information between elements within the client computer 10, such as during start-up, is stored in ROM 32. The client computer 10 further includes a hard disk drive 46, a magnetic disk drive 52, e.g., to read from or write to a removable disk 48, and an optical disk drive 54, e.g., for reading a CD-ROM disk 50 or to read from or write to other optical media such as a Digital Versatile Disk (DVD). The hard disk drive 46, magnetic disk drive 52, and optical disk drive 54 are connected to the system bus 40 by a hard disk drive interface 56, a magnetic disk drive interface 58, and an optical drive interface 60, respectively. The drives and their
associated computer-readable media provide nonvolatile storage for the client computer 10. Although the description of computer-readable media above refers to a hard disk, a removable magnetic disk and a CD-ROM disk, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, ZIP disks, and the like, may also be used in the illustrative operating environment.

A number of program modules may be stored in the drives and RAM 36, including an operating system 78, a Web browser application program 24 and an instant messaging client application 12, such as MSN Messenger from Microsoft(R). As described briefly above, the client computer 10 initiates a communications session with a server computer, such as instant messaging server computer 2, using the instant messaging client application 12. When the communications session is initiated, the instant messaging server 2 transmits an authorization ticket to the client computer 10. As will be described in more detail below, the client computer 10 may then utilize the authorization ticket, a session length indicating the length of time the client computer 10 has been authorized to access the instant messaging server 2, and a hash value to receive authorization to access the WWW server 26. The client computer 10 may store the authorization ticket, session length and the hash value in a file 16 that is transmitted to the WWW server 26 as part of the request for authorization. The operation of the client computer 10, the WWW server computer 26, and the instant messaging server 2 in this regard will be described in more detail below with reference to FIGS. 3–6.

A user may enter commands and information into the client computer 10 through input devices such as a keyboard 66 or a mouse 64. Other input devices (not shown) may include a microphone, touchpad, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 38 through a serial port interface 62 that is coupled to the system bus 40, but may be connected by other interfaces, such as a game port or a universal serial bus (USB). A monitor 74 or other type of display device is also connected to the system bus 40 via an interface, such as a video adapter 42. In addition to the monitor, a client computer 10 may include other peripheral output devices, such as speakers 76 connected through an audio adapter 44 or a printer (not shown).

As described briefly above, the client computer 10 may operate in a networked environment using logical connections to one or more remote computers, such as a WWW server computer 26 and instant messaging server computer 2. According to an embodiment of the invention, the client computer 10 communicates with the WWW server computer 26 and the instant messaging server 2 over the Internet 8. The client computer 10 connects to the Internet 8 through a network interface 70. Alternatively, the client computer 10 may include a modem 68 and use an Internet Service Provider ("ISP") 72 to establish communications over the Internet 8. The modem 68, which may be internal or external, is connected to the system bus 40 via the serial port interf