US 20050138362A1

(19) United States
(12) Patent Application Publication
Kelly et al.

(10) Pub. No.: US 2005/0138362 A1
(43) Pub. Date: Jun. 23, 2005

(54) AUTHENTICATION SYSTEM FOR NETWORKED COMPUTER APPLICATIONS

(75) Inventors: Edward R. Kelly, Rock Hill, SC (US); Christopher Wayne Howser, Concord, NC (US); Jonathan Francis Savage, Charlotte, NC (US); Yuliang Zheng, Charlotte, NC (US)

Correspondence Address:
KENNEDY COVINGTON LOBDELL & HICKMAN, LLP
214 N. TRYON STREET
HEARST TOWER, 47TH FLOOR
CHARLOTTE, NC 28202 (US)

(73) Assignee: Wachovia Corporation, Charlotte, NC

(21) Appl. No.: 11/022,534

(22) Filed: Dec. 22, 2004

Related U.S. Application Data

(60) Provisional application No. 60/531,695, filed on Dec. 23, 2003.

Publication Classification

(51) Int. Cl.7 ..... H04L 9/32
(52) U.S. Cl. ..... 713/156

(57) ABSTRACT

A system such as in a networked computer system comprising a user, an application server, a gatekeeper server and an authentication server. Communication within the system is managed by the gatekeeper server, wherein the user communicates with the authentication server and the application server through the gatekeeper server. Once the user has been initially authenticated by the authentication server, the user may request application services from a plurality of application servers within the networked computer system without having to be re-authenticated.
`
[Front-page drawing: FIG. 4, the flowchart of the login server authenticating a user (steps 405 to 440); the same flowchart is reproduced as Sheet 4 of 12.]

Google Exhibit 1010
Google v. Ericsson

Patent Application Publication Jun. 23, 2005 Sheet 1 of 12 US 2005/0138362 A1
[FIG. 1: drawing of a conventional authentication system for networked computer applications; only reference numerals survived extraction.]

Patent Application Publication Jun. 23, 2005 Sheet 2 of 12 US 2005/0138362 A1
[FIG. 2: drawing of the networked computer system of the present invention; only reference numerals survived extraction.]

Patent Application Publication Jun. 23, 2005 Sheet 3 of 12 US 2005/0138362 A1
[FIG. 3: drawing of the authentication process for a user beginning a login session and initially accessing an application server; only reference numerals survived extraction.]

Patent Application Publication Jun. 23, 2005 Sheet 4 of 12 US 2005/0138362 A1
[FIG. 4, flowchart of the login server authenticating a user. Legible boxes: START; 405 LOGIN SERVER RECEIVES CREDENTIALS FROM WEB SERVER; 415 decision (Y/N; label only partly legible); N: 420 LOGIN SERVER SENDS ERROR MESSAGE TO WEB SERVER, END; Y: 425 LOGIN SERVER PRODUCES INNER TOKEN; 430 LOGIN SERVER SIGNS INNER TOKEN; 435 LOGIN SERVER ENCRYPTS INNER TOKEN; 440 LOGIN SERVER SENDS SIGNED, ENCRYPTED INNER TOKEN AND TOKEN ID TO WEB SERVER; END.]

Patent Application Publication Jun. 23, 2005 Sheet 5 of 12 US 2005/0138362 A1
[FIG. 5: structure and content of the inner token; the rotated field labels did not survive extraction.]

Patent Application Publication Jun. 23, 2005 Sheet 6 of 12 US 2005/0138362 A1
[FIG. 6A: first flowchart of the verification an application server performs on first receipt of an encrypted inner token and token ID; the rotated step labels did not survive extraction.]

Patent Application Publication Jun. 23, 2005 Sheet 7 of 12 US 2005/0138362 A1
[FIG. 6B, second flowchart of that verification. Legible boxes: 525 decision (Y/N); 535 decision (Y/N); 540 APP. SERVER SENDS ERROR MESSAGE TO WEB SERVER, END; 545 START USER SESSION, CREATE APP. RESPONSE (AND OPTIONALLY CREATE APP. TOKEN); 555 APP. SERVER CALCULATES HASH VALUE OF ENCRYPTED INNER TOKEN AND STORES FOR FUTURE USE; 560 (extracted as 660) SEND RESPONSE AND APP. TOKEN TO WEB SERVER; END.]

Patent Application Publication Jun. 23, 2005 Sheet 8 of 12 US 2005/0138362 A1
[FIG. 7, flowchart of the web server processing the inner token after receiving it back from the application server. Boxes: START; 705 WEB SERVER RECEIVES APPLICATION SERVER RESPONSE; 710 CREATE OUTER TOKEN; 715 WRAP INNER TOKEN W/ OUTER TOKEN TO CREATE COMBINED TOKEN; 720 CALCULATE MAC OF COMBINED TOKEN AND ATTACH TO COMBINED TOKEN; 725 ENCRYPT COMBINED TOKEN; END.]

Patent Application Publication Jun. 23, 2005 Sheet 9 of 12 US 2005/0138362 A1
[FIG. 8A, token 70 (reference numerals 51, 64, 65, 66, 68, 69, 71, 75); legible field labels: KEYTAG-INNER, MODEL/TYPE, AST, APP FIELDS, MAC, TOKEN ID, RTP, RTS. FIG. 8B, combined token 60 (reference numerals 61, 51, 64, 65, 66, 50, 68, 69, 75, 71, 72, 73); legible labels: KEYTAG-OUTER, TOKEN ID, RTP, RTS, then the inner token 50 with KEYTAG-INNER, MODEL/TYPE, AST, APP FIELDS, MAC; the bracketed annotations [KEYED HASH] and [ENCRYPTED] mark the regions they cover.]

Patent Application Publication Jun. 23, 2005 Sheet 10 of 12 US 2005/0138362 A1
[FIG. 9: drawing of a subsequent visit by a user to a previously accessed application server; only reference numerals survived extraction.]

Patent Application Publication Jun. 23, 2005 Sheet 11 of 12 US 2005/0138362 A1
[FIG. 10, flowchart of the verification an application server performs on subsequent receipt of an encrypted inner token and token ID. Legible boxes: START; 1005 APP. SERVER RECEIVES INNER TOKEN AND TOKEN ID FROM WEB SERVER; 1010 APP. SERVER CALCULATES HASH VALUE OF ENCRYPTED INNER TOKEN; 1015 decision (Y/N); 1020 APP. SERVER SENDS ERROR MESSAGE TO WEB SERVER, END; 1025 decision (Y/N; label partly legible as "...SSION TIM..."); 1030 START USER SESSION, CREATE APP. RESPONSE (AND OPTIONALLY CREATE APP. TOKEN); 1040 SEND RESPONSE AND APP. TOKEN TO WEB SERVER; END.]

Patent Application Publication Jun. 23, 2005 Sheet 12 of 12 US 2005/0138362 A1
[FIG. 11: drawing of the process by which a user accesses a second application server after initial authentication by the login server; only reference numerals survived extraction.]
`
`
`
US 2005/0138362 A1

Jun. 23, 2005

1
`
AUTHENTICATION SYSTEM FOR NETWORKED COMPUTER APPLICATIONS

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is entitled to the benefit of, and claims priority to, provisional U.S. patent application Ser. No. 60/531,695, filed on Dec. 23, 2003, which is incorporated herein by reference in its entirety.
`
FIELD OF THE INVENTION

[0002] The present invention relates to a system and a method for protecting applications within a networked computer system.
`
BACKGROUND OF THE INVENTION

[0003] Businesses and individuals are increasingly dependent on computers and computer-based electronic communication. More and more businesses are moving toward "paperless" modes of operation, and the convenience of the Internet has resulted in individuals using electronic media for various activities, such as communicating via email, banking, paying bills, investing money and shopping, to name but a few. While businesses and individuals desire the convenience of electronic transactions, these entities also want to maintain at least the same level of security that more traditional transactional methods provide. However, in some ways, more traditional transactions are inherently more secure than electronic transactions because computers may easily be used to intercept the information being communicated between two or more computers. Accordingly, techniques have been created to secure information being communicated electronically.
`
`[0004] Many of these techniques make use of various
`aspects of cryptography. Cryptography is the study of send(cid:173)
`ing and/or receiving a message in a secret form so that only
`those authorized to receive the message are able to read it.
`Cryptography may be used for any form of communication,
`but for the purposes of this application, cryptography for
`electronic communication will be discussed. Examples of
`cryptographic techniques include symmetric encryption,
`asymmetric encryption and hashing. For electronic commu(cid:173)
`nication, an encrypted message may be transformed into a
`secret form using an encryption key and then may be
`transformed back into its original or clear form with a
`decryption key.
`
`[0005]
`In addition to cryptographic functions for securing
`information, entities desiring to protect information that is
`stored electronically may also create defined communication
`relationships between components within a networked com(cid:173)
`puter system and a user wishing to access services within the
`system. For example, a networked computer system may
`require that a user be authenticated before being able to
`receive services from an application within the networked
`computer system.
`
`[0006]
`In a conventional networked computer system, user
`authentication may occur at each application server indi(cid:173)
`vidually, i.e., each application server is responsible for
`authenticating a user when the user requests services from
`that application server. This conventional authentication
`process requires a user to be authenticated for each appli(cid:173)
`cation server that it wishes to access within the networked
`computer system.
`
`[0007]
`It is desirable to provide a more efficient, flexible
`and secure authentication system and method for receiving
`services from an application server in a networked computer
`system.
`
SUMMARY OF THE INVENTION

[0008] The present invention relates to a system and method for authenticating a user within a networked computer system. The system comprises a user, an application server, a gatekeeper server and an authentication server, wherein communication within the system is managed by the gatekeeper server.

[0009] According to the method of the present invention, the user presents credentials to the gatekeeper server, and the gatekeeper server provides the presented user credentials to the authentication server. The authentication server authenticates the user. The authentication server creates an authentication token upon authentication of the user and transmits the authentication token to the application server. Transmission of the authentication token to the application server from the authentication server may comprise transmitting the authentication token to the gatekeeper server and then the application server. The authentication server may encrypt the authentication token after it has been created. It is preferred that an encryption key used by the authentication server to encrypt the authentication token is shared by the authentication server and application server, but not shared with the gatekeeper server. The authentication server may also digitally sign the authentication token after it has been created. It is preferred that the authentication server sign the authentication token with a key pair, wherein at least a portion of the key pair is shared with the authentication server and application server.

[0010] Further areas of applicability of the present invention will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention.
`
BRIEF DESCRIPTION OF THE DRAWINGS

[0011] The present invention will become more fully understood from the detailed description and the accompanying drawings, wherein:

[0012] FIG. 1 is a depiction of a conventional authentication system for networked computer applications.

[0013] FIG. 2 is a depiction of the networked computer system of the present invention.

[0014] FIG. 3 is a depiction of the authentication process for a user beginning a login session and initially accessing an application server within the authentication zone of the networked computer system of FIG. 2.

[0015] FIG. 4 is a flowchart depicting the process of a login server authenticating a user.

[0016] FIG. 5 is a depiction of the structure and content of the inner token created in FIG. 4.

[0017] FIG. 6A is a first flowchart illustrating the verification process that an application server performs when it receives an encrypted inner token and token ID from a web server for the first time.
`
`
`
`
`[0018] FIG. 6B is a second flowchart illustrating the
`verification process that an application server performs
`when it receives an encrypted inner token and token ID from
`a web server for the first time.
`[0019] FIG. 7 is a flowchart illustrating the processing of
`the inner token by the web server after receiving the inner
`token back from the application server.
`[0020] FIG. SA is a depiction of the structure and content
`of the outer token created in FIG. 7.
`[0021] FIG. 8B is a depiction of a combined token includ(cid:173)
`ing the contents of the outer token and the inner token of
`FIGS. 5 and SA
`[0022] FIG. 9 is a depiction of the process of a subsequent
`visit by a user to a previously accessed application server.
`[0023] FIG. 10 is a flowchart illustrating the verification
`process that an application server performs upon the subse(cid:173)
`quent receipt of an encrypted inner token and token ID from
`a web server.
`[0024] FIG. 11 is a depiction of the process by which a
`user accesses a second application server after being initially
`authenticated by the login server.
`
DESCRIPTION OF EMBODIMENTS

[0025] The following description of the embodiments of the present invention is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses. The present invention has broad potential application and utility, which is contemplated to be adaptable to a wide range of entities for securing and limiting access to applications and information within a networked computer system. For example, it is contemplated that the authentication system and method for networked computer applications would be beneficial for use by any bank that provides online banking, investment and/or mortgage services. Additionally, it is contemplated that the system and method of the present invention would be equally beneficial for user authentication by any retail business that provides online retail services. Further, the system and method of the present invention would be beneficial to any entity maintaining secure applications and information that are accessed by third-party computers or users. The following description is provided herein solely by way of example for purposes of providing an enabling disclosure of the invention, but does not limit the scope or substance of the invention.

[0026] A networked computer system comprises an application server, a database system, a gatekeeper server, and a user such as a person, computer, or software application. In a networked computer system that includes application servers capable of accessing sensitive information, protective relationships may be implemented to limit access to the sensitive information.

[0027] Referring now to the accompanying drawings, FIG. 1 depicts an embodiment of a conventional networked computer system 10. The conventional system 10 may comprise one or more protected application servers 32, 36, a protected database system 28, a gatekeeper server 30 and a user 12. One of ordinary skill will understand that an application server 32, 36 may comprise a plurality of application functions (not shown). Similarly, a database system 28 may comprise a plurality of databases (not shown). The gatekeeper server 30 communicatively connects the application servers 32, 36 and the user 12. In fact, the user 12 may not communicate with the application servers 32, 36 except through the gatekeeper server 30.
`
`[0028]
`In order to receive services from an application
`server 32 within the system 10, a user 12 may contact the
`gatekeeper server 30 and request services from the applica(cid:173)
`tion server 32 by offering user credentials to the gatekeeper
`server 30 (step 101). The gatekeeper server 30 forwards the
`user credentials to the application server 32 (step 102),
`which comprises an authentication application 33. The
`authentication application 33 compares the given user cre(cid:173)
`dentials with the user credentials stored in the database
`system 28 or the mainframe of the operating entity (not
`shown). If the user 12 is authenticated, the application server
`32 creates an authentication token, which comprises the user
`credentials. If the user 12 is not authenticated, communica(cid:173)
`tion ends.
`
`[0029] The application server 32 encrypts the authentica(cid:173)
`tion token with an encryption key shared among all servers
`in the networked computer system. The application server
`32 then sends the encrypted authentication token and appli(cid:173)
`cation response to the gatekeeper server 30 (step 103). The
`gatekeeper server 30 creates another token, namely an outer
`token, to be wrapped around the authentication token. The
`outer token comprises a time stamp that is used to ensure
`that the outer token has not become stale. The outer token
`and authentication token together comprise a combined
`token, which is encrypted by the gatekeeper server 30 with
`the same encryption key used by the application server 32.
`The gatekeeper server 30 forwards the encrypted combined
`token and a response by the application server to the user 12
`(step 104).
`
[0030] If the user 12 wishes to access the application server 32 again, the user 12 presents the encrypted combined token to the gatekeeper server 30 and requests access to the application server 32 again. The gatekeeper server 30 decrypts the outer token to ensure that the communication has not timed out. Assuming the outer token has not timed out, the gatekeeper server 30 presents the encrypted authentication token and the request by the user 12 to the application server 32 (step 102). The application server 32 decrypts the inner token and, using the authentication application 33, compares the information contained in the inner token against the information stored in the database system. If the user 12 is authenticated again, the application server 32 creates a new authentication token, encrypts the authentication token and sends the authentication token, along with the application server 32 response, to the gatekeeper server 30 (step 103). The gatekeeper server 30 creates a new outer token with a new time stamp, combines the authentication token and outer token, encrypts the combined token with the shared encryption key and sends the encrypted combined token and the application server response to the user 12 (step 104). Subsequent requests by the user 12 for services may follow the procedure set forth above.
`
[0031] If a user 12 wishes to access a second application server 36 within the networked computer system 10, the second application server 36 has to perform the same process that the first application server 32 performed to authenticate the user 12. This duplicative process is indicated by dotted flow lines indicating communication between the gatekeeper server 30 and application server 36 in FIG. 1. In a system 10, a second application server 36 does not receive the benefit of the user authentication previously performed by another application server 32 within the system 10. Rather, each subsequent application server 36 has to repeat the same process for authenticating a user 12 that the first application server 32 has already performed.
`
`[0032] The system 10 is relatively easily compromised
`because it utilizes a single encryption key that is shared by
`each of the servers in the system 10. In this system 10, a user
`12 may be limited to utilizing a usemame and password for
`authentication because of the limited functionality of the
`authentication application 33, 35 in the application servers
`32, 36. Additionally, requiring each subsequent application
`server within the system 10 to authenticate a user 12 that has
`already been authenticated by a first application server is
`unnecessarily time consuming for the system 10 and for the
`user 12. Furthermore, because the inner token of this system
`10 has no time-out function, an inner token could theoreti(cid:173)
`cally be valid for an indefinite period of time. The avail(cid:173)
`ability of valid inner tokens for an indefinite period of time
`is a further disadvantage of this system 10.
`
`[0033] FIG. 2 depicts an exemplary networked computer
`system 110 in accordance with the present invention. The
`networked computer system 110 of FIG. 2 comprises appli(cid:173)
`cation servers 32, 36, a database system 28, a gatekeeper
`server 30, an authentication server 16 and a user 12. In this
`embodiment, a login server is the authentication server 16
`and a web server is the gatekeeper server 30. The web server
`30 acts as a communication hub for the networked computer
`system 110. Specifically, the user 12, the login server 16 and
`the application servers 32, 36 all communicate with the web
`server 30 and with one another through the web server 30.
`In addition to being the communication hub for the net(cid:173)
`worked computer system 110, the web server 30 also pro(cid:173)
`vides a protective gatekeeper function, i.e., the web server
`30 will not forward a user request to an application server
`32, 36 unless the user 12 making the request has been
`authenticated by the login server 16. In this manner, the
`application servers 32, 36 are protected from a user 12 that
`has not been authenticated. As a short-hand way to designate
`the communication relationship between the user 12, the
`web server 30, the application servers 32, 36 and the
`database system 28, with which the application servers 32,
`36 communicate, the application servers 32, 36 and database
`system 28 are said to be in an authentication zone 20. Only
`a request made by an authenticated user 24 (best shown in
`FIGS. 9 & 11) will be forwarded by the web server 30 into
`the authentication zone 20. However, once a user 12 has
`been authenticated, he or she will be allowed to request
`application services from any application server 32, 36
`within the authentication zone 20 without having to be
`re-authenticated by the login server 16. One of ordinary skill
`will appreciate that a plurality of application servers may be
`located within the authentication zone and further that a
`plurality of application servers may be needed to provide
`application services for a single application. For purposes of
`this application, the reference numeral 12 will be utilized to
`designate a user that has not been authenticated by the login
`server, and the reference numeral 24 will be utilized to
`designate a user that has been authenticated by the login
`server 16.
`
`[0034] The web server 30 also provides a protective
`function for the login server 16 by prohibiting a user 12 from
`directly communicating with the login server 16. The login
`server 16 does not receive direct communication from the
`user 12, the application servers 32, 36 or the database system
`28. Since a user 12 must be authenticated in order for
`communication from the user 12 to be forwarded into the
`authentication zone 20, the login server 16 is not located in
`the authentication zone 20. In order to further secure the
`login server 16, an additional security measure 26 that
`prevents unauthorized communication, such as a firewall,
`may be disposed between the login server 16 and the other
`components of the system 110.
`
`[0035] FIG. 3 depicts the authentication process for a user
`12 beginning a login session and initially accessing an
`application server 32 within the authentication zone 20 of
`the networked computer system 110 of FIG. 2. For exem(cid:173)
`plary purposes, the user 12 in this example may be an
`individual trying to access his or her account information
`(application server 32) on a bank web site (web server 30).
`A user 12 will begin by presenting his or her credentials,
`which in this example may be a user name and password, to
`the web server 30 (step 301). User credentials may also
`include a digital certificate, a portable hardware device such
`as a secure identification card or any combination of cre(cid:173)
`dentials. The security protocol of the entity operating the
`networked computer system 110 will determine the nature of
`the credentials which will be accepted. Additionally, the
`system and method of the present invention assumes a user's
`initial registration with the entity operating the networked
`computer system 110, whereby the user 12 provides iden(cid:173)
`tification information to the entity and the entity stores this
`identification information with the user's credentials for
`later authentication. Registration methods of this type are
`conventional and thus further explanation is not provided
`herein. The web server 30 then presents the user's creden(cid:173)
`tials to the login server 16 (step 302).
`
`[0036] FIG. 4 is a flowchart depicting the login server 16
`authenticating a user 12. When the login server 16 receives
`user credentials from the web server 30 (step 405), the login
`server 16 compares the presented credentials with the cre(cid:173)
`dentials stored for the registered user 12 (step 415). If the
`values match, the user 12 is authenticated. However, if the
`values do not match, then the login server 16 sends an error
`message back to the web server 30 (step 420). The web
`server 30 then may determine whether to end communica(cid:173)
`tion or to allow the user 12 to reenter his or her credentials.
`One of ordinary skill will appreciate that comparing stored
`credentials to presented credentials is only one method of
`authenticating a user 12. Other methods may include algo(cid:173)
`rithmic verification through message exchange between the
`login server 16 and a user 12 presenting a digital certificate
`or a challenge response protocol implemented when a user
`12 utilizes a hardware token as his or her credentials.
`Regardless of the authentication method utilized, once the
`user 24 is authenticated, the login server 16 begins a login
`session by creating a token 50, in this example an inner
`token 50, that identifies the authenticated user 24 and the
`login session (step 425).
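The login-server side of this flow (FIG. 4, steps 405 to 440) together with the key separation stated in [0009], as an added example that is not from the patent and not Wachovia's implementation: the login server checks a credential, mints an inner token with a token ID, signs it with a key pair and encrypts it with a key it shares with application servers but not with the web server; an application server then performs the first-receipt check. Ed25519 for the signature, AES-256-GCM for the encryption, SHA-256 credential hashing, the token's JSON fields and every function name are assumptions, since the patent names none of them; the single-user credential store is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// InnerToken stands in for inner token 50; its fields and JSON encoding are assumptions.
type InnerToken struct {
	TokenID string `json:"token_id"` // identifies the login session
	User    string `json:"user"`     // the authenticated user
}

// LoginServer models authentication server 16. Application servers receive the public half
// of SignKey and a copy of EncKey; the web server (gatekeeper) receives neither.
type LoginServer struct {
	credentials map[string][32]byte // username -> SHA-256(password); constructed store
	SignKey     ed25519.PrivateKey
	EncKey      []byte // 32-byte AES key
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a login server without entropy cannot continue safely
	}
	return b
}

func NewLoginServer(user, password string) *LoginServer {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if rand.Reader does
	creds := map[string][32]byte{user: sha256.Sum256([]byte(password))}
	return &LoginServer{credentials: creds, SignKey: priv, EncKey: mustRandom(32)}
}

// gcmFor returns AES-256-GCM for a 32-byte key; neither constructor fails for that size.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal prepends a fresh random nonce to the GCM ciphertext; unseal reverses it.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, ciphertext []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(ciphertext) >= n {
		return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Login follows FIG. 4: compare credentials (step 415), then either report an error (420)
// or produce (425), sign (430) and encrypt (435) the inner token for the web server (440).
func (ls *LoginServer) Login(user, password string) ([]byte, string, error) {
	stored, known := ls.credentials[user]
	presented := sha256.Sum256([]byte(password))
	// Constant-time compare, run even for unknown users so both outcomes cost the same.
	if subtle.ConstantTimeCompare(stored[:], presented[:]) != 1 || !known {
		return nil, "", errors.New("authentication failed")
	}
	tok := InnerToken{TokenID: fmt.Sprintf("%x", mustRandom(16)), User: user}
	body, _ := json.Marshal(tok)
	signed := append(ed25519.Sign(ls.SignKey, body), body...) // 64-byte signature || token
	return seal(ls.EncKey, signed), tok.TokenID, nil
}

// VerifyInnerToken is the application server's first-receipt check (FIG. 6A): decrypt with
// the shared key, verify the login server's signature, and bind the token to its token ID.
func VerifyInnerToken(pub ed25519.PublicKey, encKey, encrypted []byte, tokenID string) (InnerToken, error) {
	n := ed25519.SignatureSize
	signed, err := unseal(encKey, encrypted) // fails on wrong key, truncation or tampering
	if err != nil || len(signed) < n || !ed25519.Verify(pub, signed[n:], signed[:n]) {
		return InnerToken{}, errors.New("token rejected: decryption or signature check failed")
	}
	var tok InnerToken
	if err := json.Unmarshal(signed[n:], &tok); err != nil || tok.TokenID != tokenID {
		return InnerToken{}, errors.New("token rejected: malformed or token ID mismatch")
	}
	return tok, nil
}

func main() {
	ls := NewLoginServer("alice", "correct horse") // constructed user
	enc, id, _ := ls.Login("alice", "correct horse")
	fmt.Println(VerifyInnerToken(ls.SignKey.Public().(ed25519.PublicKey), ls.EncKey, enc, id))
}
```

Keeping EncKey off the web server is the point of [0009]: the gatekeeper forwards the ciphertext and the token ID but can neither read nor mint inner tokens, which removes the single-shared-key exposure that [0032] attributes to system 10. A production login server would store passwords with a purpose-built password hash (bcrypt, scrypt or Argon2) rather than plain SHA-256, and would carry a key identifier with the token so that application servers can rotate the shared key.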
`
`[0037]
`It is an advantage of the present invention to
`separate the login function from the application function as
`it provides flexibility to the networked computer system 110.
`In a conventional system, a user 12 is limited to certain
`
`
`
`US 2005/0138362 Al
`
`Jun.23,2005
`
`4
`
`credentials because of the limited functionality of the
`authentication application 33 within the application server
`32. Typically, a user 12 is required to have a user name and
`password for authentication. In the context of a user 12 that
`is a computer or software application, this requirement is a
`limitation. In contrast, the system of the present invention
`can authenticate any user 12 having a credential recognized
`by the web server 30 and login server 16.
`[0038] The login server 16 of the present invention creates
`an inner token 50 with a defined format, which is indepen(cid:173)
`dent of the credential presented by a user 12 for authenti(cid:173)
`cation. Application servers 32, 36 within the authentication
`zone 20 will accept the inner token 50 created by the login
`server 16 regardless of the credential type that a user 12
`utilized for authentication. The advantage of the login server
`16 authenticating a user 12 and creating an inner token 50
`that is recognized by all application servers 32, 36 within the
`authentication zone 20 is that these application servers 32,
`36 are assured that the user 24 requesting services from them
`has been authenticated already. Application servers 32, 36
`rely on authentication of the login server 16, specifically the
`inner token 50 created by the login server 16, rather than
`having to re-authenticate a user 24 for each new application
`server 32, 36 within a single login session.
`
`[0039] FIG. 5 depicts the structure and content of the
`inner token 50 created in FIG. 4. The inner token 50 is a data
`structure that comprises a plurality of