`
`[193
`
`[11] Patent Number:
`
`5,684,951
`
`Goldman et a].
`
`[45] Date of Patent:
`
`Nov. 4, 1997
`
`USOOS684951A
`
`[54] METHOD AND SYSTEM FOR USER
`AUTHORIZATION OVER A MULTI-USER
`COMPUTER SYSTEM
`
`Ari Lvotonen, Access Authorization Ovaview, Dec/1993,
`World Wide Web Document Chitp://www. w3:orglpub/
`WWW/Access Authorization/Overviewhtml).
`
`[75]
`
`Inventors: Jonathan Goldman. Menlo Park;
`Garry Saperstein, Sunnyvale, both of
`Calif.
`
`['73] Assignee: Synopsys, Inc, Mountain View. Calif.
`
`[21] Appl. No.: 619,892
`
`[22] Filed:
`
`Mar. 20, 1996
`
`Int. Cl.6 ...................................................... G06F 11/00
`[51]
`
`[52] US. Cl.
`395/188.01; 395l187.01;
`395/609
`[58] Field of Search ......................... 395/188.01, 187.01.
`395/ 186. 200.06. 606, 609, 610; 380/30.
`3; 379/145
`
`[56]
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`5/1995 Haber et a].
`Re. 34,954
`4,876,716 10/1989 Okamoto .......
`
`5,136,642
`8/1992 Kawamura et 31.
`
`5,251,258
`10/1993 Tanaka ..............
`5,261,052
`11/1993 Shimarnoto
`
`5,398,285
`3/1995 Borgelt et al.
`.. 380/30
`5,457,746 10/1995 Dolphin ............
`380/4
`
`5,465,300 11/1995 Altschuler et a].
`.. 380/30
`
`8/1996 Gelb ..................
`395/200.”
`5,550,984
`
`5,557,678
`9/1996 Ganesan
`380/21
`1/1997 Cooper et a]. .................. 380/4
`5,598,470
`
`1/1997 Slaughter, III et al.
`. 395/20016
`5,598,536
`5,623,601
`4/1997 Vu
`395/1870]
`
`OI'HER PUBLICATIONS
`
`Title: Secure Access to Data Over the Internet; Authors: Eric
`Bina et al.; pp. 99—102; Date: Sep. 1994.
`Title: Dynamically Selecting Protocols for Socket Applica—
`tions; Author: David M. Ogle et al.; pp. 48—57; Date: May
`1993.
`
`USER ID
`
`Primary Examiner—Robert W. Beausoliel, Jr.
`Assistant Examiner—Scott Baderman
`
`Attorney, Agent, or Firm—Wagner. Murabito & Hao
`
`[57]
`
`ABSTRACT
`
`A method and system for performing user authorization in a
`mulfi—u ser computer system. The novel method has particu-
`lar application to the multi—user internet protocol. Within the
`system, an application contains a list of registered users. For
`each registered user.
`the application stores a user
`identification, an email (electronic mail) address. and a
`database containing each authorized IP address for that user.
`When a user requests access to the application over the
`multi-user system, the application requires the user to input
`a user identification value and, simultaneously. the applica-
`tion accesses the user’s current IP address (e.g.. the user’s
`internet domain address) over the multi—user system. The
`application attempts to validate the user identification. and if
`valid, the application examines its database to determine if
`the user is authorized for its current IP address. If so, access
`is permitted. If the user identification is valid but the current
`IP address is not authorized, the application determines a
`validation key (“key”) based on the user identification and
`the current IP address. The pseudo unique key is then
`forwarded via the email protocol to the user’s known email
`address. The user then is required to enter that key into the
`application to authorized the current IP address. Security is
`provided because (1) given a user identification, which can
`be stolen. the unauthorized user also needs to access the
`application using an authorized IP address and (2) email is
`used to transmit the keys to the user to a known user email
`address.
`
`21 Claims, 12 Drawing Sheets
`
`/
`
`IP ADDRESS
`
`
`
`USER TERMINAL
`USER VALIDATION
`
`
`
`
`SYSTEM
`SYSTEM
`WWW APPLICATION 212
`
`
`
`(IP ADDRESS)l
`
`|2
`
` USER:
`
`
`
`
`2201)
`220;,
`(1 ) USER—ID
`KEY RETURNED
`
`
`(2) EMAIL ADDRESS
`
`FOR USER
`
`
`(3) AUTHORIZED IP
`
`
`USER EMAIL
`ADDRESSES FOR
`
`
`
`
`ACCOUNT
`EMAIL APPLICATION 216
`USER
`
`
`
`
`220
`
`
`
`
`KEY FORWARDED
`
`SAMSUNG EX. 1033 - 1/20
`
`SAMSUNG EX. 1033 - 1/20
`
`
`
`159s
`
`H_
`
`cm__1_S.8._m_40528
`ufiflfimz8._s_2200SE50gamma,-<:5<83mm““PDmZ—1220aS<ZOrE9
`
`
`
`
`3<ZOELOV><Amm~fl___w_.
`
`40—mw253m
`
`.,20:5:an.MUm5wHHmuémmeéaE7332.
`
`SAMSUNG EX. 1033 - 2/20
`
`US. Patent
`
`1
`
`_
`
`_
`
`[—
`
`I I | I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I L
`
`.
`
`4a_”m_.N..__
`I:3—m2.5—
`
`mUSmQ
`
`<P<Q
`
`_u__.___
`m0<m0rrm32%20%MOmmmUOmm
`
`SAMSUNG EX. 1033 - 2/20
`
`
`
`
`
`US. Patent
`
`Nov.4, 1997
`
`Sheet 2 of 12
`
`5,684,951
`
`6:
`[-
`
`WWW(HTTP)
`
`FIG.2
`
`SAMSUNG EX. 1033 - 3/20
`
`E L
`
`”,
`
`d< 2I
`
`n
`
`SAMSUNG EX. 1033 - 3/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 3 of 12
`
`5,684,951
`
`
`
`mmmmonzd<2mS
`
`
`
`A:BEMOFSZ5ammo
`«Om
`
`
`
`GEESA:szmprmm>5”8%8S ”mmmD
`
`
`
`ZOF<DE<>MmmDA<Z~2mmhmmmD
`
`55%zofi<ufifi<333355%
` Na
`
`AmmWMQO<m:
`
`S_
`
`mmmMQQ<n=\\
`A:”~me
`
`
`
`
`«mm:2N.558%
`
`
`
`
`
`«OnmmmmmmonzZOF<UEmm<422md<2mmum:
`
`<m.UE
`
`amomgégEm
`
`cam
`
`SAMSUNG EX. 1033 - 4/20
`
`SAMSUNG EX. 1033 - 4/20
`
`
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 4 of 12
`
`5,684,951
`
`PROCESSOR
`
`101'
`
`104
`
`NON-VOLATILE
`STORAGE
`
`100 '
`
`USER VALIDATION SYSTEM
`
`310a
`
`310 102
`
`APPLICATION PROGRAM
`
`FIG. 3B
`
`SAMSUNG EX. 1033 - 5/20
`
`SAMSUNG EX. 1033 - 5/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 5 of 12
`
`5,684,951
`
`APPLICATION TITLE HEADER AND
`
`INTRODUCTORY INFORMATION
`
`OTHER MESSAGES / INFORMATION
`
`262
`
`264
`
`260
`
`FIG. 4A
`
`SAMSUNG EX. 1033 - 6/20
`
`SAMSUNG EX. 1033 - 6/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 6 of 12
`
`5,684,951
`
`VALIDATION SCREEN
`
`USER INFORMATION
`
`ENTER VALIDATION KEY:
`
`OTHER MESSAGES / INFORMATION
`
`‘
`
`SUBMIT
`286
`
`)
`
`CLEAR
`
`288
`
`EXIT
`
`29
`
`2
`
`280
`
`FIG. 4B
`
`SAMSUNG EX. 1033 - 7/20
`
`SAMSUNG EX. 1033 - 7/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 7 of 12
`
`5,684,951
`
`EMAIL IDENTIFICATION
`
`OF MESSAGE
`
`OTHER MESSAGES / INFORMATION
`
`YOUR VALIDATION KEY IS:
`
`ENTER YOUR VALIDATION
`
`KEY AT THE SPACE
`
`PROVIDED AT:
`
`USE USER ID SCREEN AFTER VALIDATION FOR DIRECT ACCESS
`
`320
`
`FIG. 5 _
`
`SAMSUNG EX. 1033 - 8/20
`
`SAMSUNG EX. 1033 - 8/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 8 of 12
`
`5,684,951
`
`M
`
`INPUT USER ID INFORMATION 410
`
`DISPLAY USER ID SCREEN AND
`
`
`
`VERIFY USER ID BASED ON CHECK
`
`
`BITS AND/OR FROM USER ID
`DATABASE
` 415
`
`ACCESS IP ADDRESS OF USER FROM
`WWW INTERNET APPLICATION425
`
`430
`
`CHECK IF USER ID VALIDATED FOR
`
`[P ADDRESS OF USER
`
`FIG. 6
`
`YES
`
`GRANT ACCESS TO
`
`REQUEST 44
`
`-0
`
`SAMSUNG EX. 1033 - 9/20
`
`SAMSUNG EX. 1033 - 9/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 9 of 12
`
`5,684,951
`
`
`
`INDICATE TO USER THAT USER
`ID IS NOT RECOGNIZED
`
`
`
`
`
`445
`
`
`
`
`OPTIONALLY DISPLAY
`
`REGISTRATION INFORMATION
`
`AND TERMS
`
` 450
`
`FIG. 7
`
`SAMSUNG EX. 1033 - 10/20
`
`SAMSUNG EX. 1033 - 10/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 10 of 12
`
`5,684,951
`
`DETERMINE NEW KEY BASED ON
`
`USER ID AND IP ADDRESS
`
`CONSTRUCT VALIDATION INFORMATION
`
`MESSAGE INCLUDING KEY
`
`465
`
`SEND VALIDATION INFORMATION
`
`MESSAGE TO USERS EMAIL ADDRESS470
`
`
`
`OPTIONALLY TIMESTAMP KEY
`
`WITH PRESENT TIME
`
`RECORD KEY INTO VALIDATION
`
`DATABASE FOR USER
`
`FIG. 8
`
`SAMSUNG EX. 1033 - 11/20
`
`SAMSUNG EX. 1033 - 11/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 11 of 12
`
`5,684,951
`
`USER
`SELECTED EXIT
`
`o
`
`[w RENDER VALIDATION SCREEN TO USER
`505
`DISPLAYING VALIDATION INSTRUCTION§IO
`
`109
`
`REQUEST INPUT OF USER KEY FOR
`USER IP ADDRESS
`
`515
`
`EXIT
`
`NO MATCH
`
`o
`
`COMPARE
`
`
`INPUT TO
`
`DETERMINED
`VALUE?
`
`520
`
`MATCH
`
`CHECK FOR
`TIME-OUT?
`
`
`OPTIONALLY
`
`
`TIME OK
`
`UPDATE PRIOR VALIDATION
`
`DATABASE WITH 1P ADDRESS
`
`530
`
`GRANT ACCESS TO REQUEST
`'
`
`540
`
`m FIG 9
`
`SAMSUNG EX. 1033 - 12/20
`
`SAMSUNG EX. 1033 - 12/20
`
`
`
`US. Patent
`
`Nov. 4, 1997
`
`Sheet 12 of 12
`
`5,684,951
`
`DISPLAY MESSAGE INDICATING
`
`KEY BAD OR TIMEOUT
`
`550
`
`
`
`
`
`DENY ACCESS AND RETURN TO
`
`VALIDATION SCREEN
`
`560
`
`FIG. 10
`
`SAMSUNG EX. 1033 - 13/20
`
`SAMSUNG EX. 1033 - 13/20
`
`
`
`1
`METHOD AND SYSTEM FOR USER
`AUTHORIZATION OVER A MULTI-USER
`COMPUTER SYSTEM
`
`BACKGROUND OF THE INVENTION
`
`(1) Field of the Invention
`The present invention relates to the field of user validation
`within a computer system. In particular, the present inven—
`tion relates to user validation with respect to a multi-user
`computer system (“network”).
`(2) Prior Art
`In multi—user networked computer systems (e.g., within
`the internet protocol). an application program
`(“application”) is available to a large number of unregulated
`users over the network. Typically for a given application,
`only a subset of the total number of users on the network are
`authorized to enter and use the application. In these cases,
`the application is required to perform some type of user
`validation or authentication which is designed to discrimi—
`nate among the attempted users of the application so that
`only authorized or validated users are permitted entry. The
`user authentication system is typically implemented at user
`logon time, or, as the case with stateless systems. user
`authentication is performed upon each transaction between
`the user and the application because there is no memory of
`prior transactions in stateless systems.
`In the past, one method of user authentication required a
`user password that was given to each authorized user and
`entry to the application was denied to any user without the
`password. However. user passwords and user identification
`codes can be readily compromised over a multi-user com—
`puter system. Once a password is stolen for a particular user,
`entry to the application is then compromised and detection
`of the unauthorized entry can go unrecorded in these prior
`art systems. What is needed is a user authentication system
`that oifers security of access even if a user password or
`identification is stolen. What is also needed is an authenti—
`cation system that effectively records and flags unauthorized
`entry. The present invention provides such security.
`In one particular prior art system. a user is requested to
`input a user identification (e.g., a user name or handle), a
`personal password, and a user email address (e.g., using
`smtp, simple mail transport protocol, over the internet). A
`generated key is then forwarded to the email address of the
`user. The user then accesses the email message and inputs
`the key to the application to gain entry. Once access is
`granted, the user uses the user identification and password to
`gain entry. The application is entered using the internet and
`http. hypertext transfer protocol. However, this system can
`be compromised because an unauthorized user knowing the
`user’s identification and password can gain entry to the
`application. Further. this prior art system does not take into
`account
`the unique address of the computer system
`employed by the user to communicate with the application.
`What is needed is a system that does not allow this type of
`breach of security by preventing unauthorized email
`addresses from being entered by a user. The present inven—
`tion provides such a system.
`Accordingly, the present invention provides a user vali-
`dation system that offers entry security even if a user
`password or identification number is compromised. Further,
`the present invention offers a user validation system that not
`only safe guards against unauthorized entry, but also effec—
`tively records and flags unauthorized entries to authorized
`users. Further. the present invention provides the above user
`validation system that also does not allow the entry of
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`45
`
`50
`
`55
`
`65
`
`5,684,951
`
`2
`
`unauthorized email addresses by unauthorized users. These
`and other advantages of the present invention not specifi-
`cally described above will become clear within discussions
`of the present invention herein.
`SUMMARY OF THE INVENTION
`
`A method and system are described for performing user
`validation in a multi—user computer system. The present
`invention has particular application to the multi-user internet
`protocol. Within the system an application contains a list of
`registered users. For each registered user. the application
`stores a user identification number, an email (electronic
`mail) address, and a database containing each validated 1P
`address for that user. The email address is obtained off-line
`
`during user registration. When a user requests access to the
`application over the multi-user system (e. g., using http), the
`application requires the user to input a user identification
`value and, simultaneously.
`the application accesses the
`user’s current IP address (e.g., the user’s internet domain
`address) over the multi—user system. The application
`attempts to validate the user identification, and if valid. the
`application examines its database to determine if the user is
`authorized for its current I? address. If so, access is permit~
`ted. If the user identification is not valid, access is denied. If
`the user identification is valid, but the current 1P address is
`not authorized, the application determines a validation key
`(“key") based on the user identification and the current IP
`address. A procedure is used to determine the pseudo unique
`key such that it cannot be readily guessed knowing the user
`identification and the current IP address. The key is then
`forwarded over the multi-user system via the email internet
`application (e.g., smtp) to the user’s known email address.
`The user then is required to access the user’s email and enter
`that key into the application to authorize the current IP
`address. Security is provided because (1) given a user
`identification, which can be stolen, the unauthorized user
`also needs to access the application using a validated IP
`address and (2) email (a “presen " rather than demand
`system) is used to transmit the key to the user at a known
`user address that is not given on-line.
`invention
`Specifically, embodiments of the present
`include a method in a computer system, the method autho-
`rizing a user for access to an application system and com-
`prising the steps of: requesting a user identification from a
`user, the step of requesting performed over a first interface
`protocol of the multi-user computer system; accessing an
`address identifying a computer system employed by the user
`to originate access requests; generating a key for the user
`and specific to the address. the key based on the address and
`the user identification; transferring the key to the user via a
`second interface protocol of the multi—user computer system;
`receiving a user entered validation value from the user over
`the first interface protocol of the multi-user computer sys-
`tem; and granting access of the application system to the
`user if the user entered validation value equals the key for
`that address and user identification.
`Embodiments include the above and wherein the multi-
`user computer system utilizes an internet protocol and
`wherein the first interface protocol is the world wide web
`internet application using the hypertext transfer protocol
`(http) and wherein the second interface protocol
`is the
`electronic mail internet application using the simple mail
`transport protocol (smtp). Embodiments include the above
`and wherein the step of generating the key comprises the
`steps of: accessing a secret code string; concatenating the
`secret code string, the user identification. and the address to
`generate a first value; and performing a first procedure upon
`
`SAMSUNG EX. 1033 - 14/20
`
`SAMSUNG EX. 1033 - 14/20
`
`
`
`5,684,951
`
`3
`the first value to produce a fixed length pseudo unique value
`corresponding to the first value wherein said pseudo unique
`value is said key. Embodiments also include a computer
`system implemented in accordance with the above.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 illustrates an exemplary hardware configuration
`that can be used in accordance with the present invention
`validation system.
`FIG. 2 is a logical block diagram of dilferent protocols
`accessible over an exemplary internet multi-user computer
`system in accordance with the present invention.
`FIG. 3A is a logical block diagram illustrating two dif-
`ferent communication protocols (e.g., www using http and
`email using smtp) that are used by a user to communicate
`with the validation system in accordance with the preset
`invention.
`
`FIG. 3B is a logical block diagram of components of the
`application system 310 of the present invention.
`FIG. 4A illustrates an exemplary user identification screen
`(“form") in accordance with the validation system of the
`present invention.
`FIG. 4B illustrates an exemplary IP address validation
`screen (“form”) in accordance with the validation system of
`the present invention.
`FIG. 5 illustrates an exemplary email validation message
`containing a key in accordance with the present invention.
`FIG. 6 illustrates a flow diagram of steps of the present
`invention validation method including steps for accessing a
`user identification and validating the user's current I?
`address.
`
`10
`
`15
`
`25
`
`30
`
`FIG. 7 illustrates steps of the present invention validation
`method for an invalid user identification.
`
`35
`
`FIG. 8 is a flow diagram of steps of the present invention
`method for determining a new key for an unrecognized user
`IP address.
`
`FIG. 9 illustrates steps of the present invention validation
`system for validating an input key from a user with respect
`to a user IP address.
`
`FIG. 10 illustrates steps of the present invention valida—
`tion method in response to an invalid key or validation
`time-out.
`
`DETAILED DESCRIPTION OF THE
`INVENTION
`
`In the following detailed description of the present
`invention. numerous specific details are set forth in orda to
`provide a thorough understanding of the present invention.
`However. it will be obvious to one skilled in the art that the
`present invention may be practiced without these specific
`details. In other instances. well known methods. procedures.
`components. and circuits have not been described in detail
`to avoid unnecessarily obscuring aspects of the present
`invention.
`
`NOTATION AND NOMENCLATURE
`
`Some portions of the detailed descriptions which follow
`are presented in terms of procedures. steps, logic blocks,
`processing. and other symbolic representations of operations
`on data bits within a computer memory. These descriptions
`and representations are the means used by those skilled in
`the data processing arts to most efiecfively convey the
`substance of their work to others skilled in the art. A
`
`procedure. computer executed step, logic block. process,
`
`45
`
`55
`
`65
`
`4
`etc, is here, and generally, conceived to be a self-consistent
`sequence of steps or instructions leading to a desired result.
`The steps are those requiring physical manipulations of
`physical quantities. Usually, though not necessarily. these
`quantities take the form of electrical or magnetic signals
`capable of being stored, transferred. combined. compared.
`and otherwise manipulated in a computer system. It has
`proven convenient at times, principally for reasons of com-
`mon usage, to refer to these signals as bits, values. elements,
`symbols, characters, terms, numbm's, or the like.
`It should be borne in mind, however, that all of these and
`similar terms are to be associated with the appropriate
`physical quantities and are merely convenient labels applied
`to these quantities. Unless specifically stated otherwise as
`apparent from the following discussions, it is appreciated
`that throughout the present invention. discussions utilizing
`terms such as “processing” or “computing" or “calculating”
`or “determining” or “displaying” or the like, refer to the
`action and processes of a computer system, or similar
`electronic computing device. that manipulates and trans-
`forms data represented as physical (electronic) quantities
`within the computer system's registers and memories into
`other data similarly represented as physical quantities within
`the computer system memories or registers or other such
`information storage, transmission or display devices.
`COMPUTER SYSTEM 112
`
`With reference to the user validation system of the present
`invention, as described below, aspects of the present inven-
`tion are described in terms of steps executed on a computer
`system. Although a variety of diflerent computer systems
`can be used with the present invention, an exemplary
`computer system 112 is shown in FIG. 1. In general,
`computer systems 112 that can be used by the present
`invention comprise an address/data bus 100 for communi-
`cating information, a central processor 101 coupled with the
`bus for processing information and instructions, a volatile
`memory 102 (e.g., random access memory) coupled with the
`bus 100 for storing information and instructions for the
`central processor 101, a non-volatile memory 103 (e.g.. read
`only memory) coupled with the bus 100 for storing static
`information and instructions for the processor 101, a data
`storage device 104 such as a magnetic or optical disk and
`disk drive coupled with the bus 100 for storing information
`and instructions, a display device 105 coupled to the bus 100
`for displaying information to the computer user, an optional
`alphanumeric input device 106 including alphanumeric and
`function keys coupled to the bus 100 for communicating
`information and command selections to the central processor
`101, an optional cursor control device 107 coupled to the bus
`for communicating user input information and command
`selections to the central processor 101, and a signal gener-
`ating device 108 coupled to the bus 100 for interfacing with
`other networked computer systems.
`The display device 105 of FIG. 1 utilized with the
`computer system 112 of the present invention may be a
`liquid crystal device, cathode ray tube, or other display
`device suitable for creating graphic images and alphanu-
`ma-ic characters recognizable to the user. Also coupled to
`the signal generating device is a multi-user network inter-
`face (e.g., an internet interface) which couples computer
`system 112 to a multi-user system (e.g., the internet in one
`embodiment of the present invention). Interface 110 is
`coupled to communicate with an application system 310. It
`is appreciated that the application system 310 contains a
`hardware platform (e.g., analogous to computer system 112)
`which executes instructions to implement the application
`
`SAMSUNG EX. 1033 - 15/20
`
`SAMSUNG EX. 1033 - 15/20
`
`
`
`5,684,951
`
`5
`
`program. The present invention user validation system gives
`the application system 310 a level of security to help prevent
`unauthorized entry of the application system 310 over the
`internet interface 110.
`
`PRESENT INVENTION COMMUNICATION
`INTERFACES
`
`With reference to FIG. 2. the internet interface 110 (FIG.
`1) is described in more detail. The internet 210 is a well
`known connection of world wide computer systems that
`operate using the well known internet protocol. The internet
`210 is one type of multi—user computer system. Other
`internet applications (e.g.. using specific protocols) operate
`on top of the internet protocol. One such application is the
`well known world wide web or w internet application
`212 which operates using the hypertext transfer protocol or
`http. The www internet application 212 is a “demand
`system” in which a user requests information from a site and
`the site transfers the information back to the user on-line.
`Also well known is the email internet application 216 which
`operates using the simple mail transport protocol or smtp.
`The email internet application 216 is a “present system” in
`that an information transfer command originates from a
`sender site and information pursuant that command is pre-
`sented to the target email address. Another internet applica-
`tion is the file transfer internet application 214 which
`operates using the file transfer protocol, ftp.
`In one
`embodiment. the present invention usm' validation system
`utilizes the w 212 and email 216 internet applications as
`well as the internet protocol 210. Other embodiments of the
`present invention are implemented in other multi—user com-
`puter environments.
`FIG. 3A illustrates a logical diagram of the present
`invention user validation system 310a in combination with
`a user terminal system 112 (user system). the user’s email
`account 220. and elements of the internet interface 110 (FIG.
`1). The user terminal system 112 (FIG. 1) is used by the user
`to originate access requests to the application system 310
`(which contains validation system 3100). FIG. 3A specifi-
`cally illustrates pertinent information transfers and commu-
`nication interfaces in accordance with the present invention.
`The user system 112 is assigned a unique internet domain
`address number (“1? address”) by the internet interface 110.
`In one embodiment. the IP address is composed of four octet
`wide addresses to produce a 32 bits wide address. The user
`system 112 is communicatively coupled to the user valida—
`tion system 310a using the www internet application 212
`and the email internet application 216.
`Although shown as a single system in FIG. 3A, the user
`can utilize a number of diiferent user systems to communi-
`cate with the user validation system 310a of the present
`invention. In this case. the user can be validated for and from
`a number of different IP addresses. Within the present
`invention. the user is allowed a number of different user
`systems 112 (FIG. 1) and each is recorded by the present
`invention. However. it is understood that of the recognized
`accounts. the present invention selects a particular mail
`account 220 for communicating a validation key (“key”). It
`is appreciated that the user system 112 contains software to
`implement a forms-capable browser allowing the user to
`browse sites having forms (also called “screens” herein)
`over the internet 110 (FIG. 1) using the www internet
`application 212 running http.
`The user validation system 310a of FIG. 3A is a part of
`the application system 310 of FIG. 1 and functions to
`regulate the use of application system 310 to authorized
`
`6
`users only. The user system 112 is also coupled to commu-
`nicate with a user email account 220 which contains mes—
`
`sages for the user that are received over the email internet
`application 216. During validation. a user identification
`value (user ID). the IP address of the user system 112 (IP
`address). and a user-returned key (validation value) are
`supplied by the user over the www internet application 212.
`The email internet application 216 is also used during user
`validation. Specifically.
`the user validation system 310a
`originates the key and forwards it to the user via the email
`internet application 216.
`As shown by FIG. 3A, the user validation system 310a of
`the present invention maintains a database having an entry
`for each authorized user. Each entry includes the user’s
`identification (user ID). the user’s email address. and each IP
`address for which the user is authorized. This information is
`described in more detail to follow. The user’s email address
`is known to the user validation system 3100 upon user
`registration. During the validation process. the usu’ valida-
`tion system 310a does not request the user email address
`from the user over the internet interface 110 (FIG. 1) to
`prevent entry of unauthorized email addresses.
`FIG. 3B illustrates components of the application system
`310 (FIG. 1) of the present
`invention.
`Included are a
`processor 101'. a non—volatile information storage unit 104',
`and an inputloutput device 108'. each coupled to a bus 100'.
`Also coupled to the bus 100' is a computer readable memory
`unit 102' which contains program code to implement the
`user validation system 310a. Memory 102' can optionally
`also include the application program 312. The input/output
`device 108' couples to the internet and interface block 110
`(FIG. 1).
`
`USER VALIDATION USER SCREENS AND
`MESSAGES
`
`During user validation. the present invention user valida-
`tion system 310a (FIG. 3A) utilizes several display screens
`(also called “forms”) and messages that are rendered to the
`user (e.g.. over display device 105 of FIG. 1). With reference
`to FIG. 4A, the user identification screen 260 is illustrated
`Upon an attempted access to the application system 310
`(FIG. 1). the user validation system 3100 generates the user
`identification screen 260 to the user to access the user’s user
`
`ID. The screen 260 contains a message header 262 indicat-
`ing thepurpose of the screen and optionally contains instruc—
`tions and introductory information. An input field 264 is
`displayed to receive the user 1]) from the user. An enter
`button 266 is optionally displayed that can be activated to
`accept the user 1]) when the user ]D is completely entered by
`the user. An exit button 268 is also optionally provided to
`clear the user ID or to exit the screen 260. Other messages
`and/or internet (e.g. www) addresses can be displayed in
`optional message field 270.
`If application system 310 (FIG. 1) is a connection system.
`then screen 260 is only displayed upon initial user logon. If
`application system 310 is a stateless system. then screen 260
`is displayed upon the initial access to application system 310
`by the user. The initial access to application system 310
`opens an http access window (also known as an http form)
`on the user system 112 (FIG. 1). In accordance with one
`embodiment of the present invention (e.g.. with regard to the
`stateless system). screen 260 will not be displayed again for
`subsequent user transactions unless the user closes the http
`internet access window to the application system 310. In a
`stateless system. for each transaction between the user and
`the application system 310. the present invention embeds the
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`45
`
`50
`
`55
`
`65
`
`SAMSUNG EX. 1033 - 16/20
`
`SAMSUNG EX. 1033 - 16/20
`
`
`
`5,684,951
`
`7
`user 1]) value into the http access window in a text string
`whose input type is hidden. In this way, each transaction
`performed by the user using the http access window of the
`present invention automatically transmits the user’s user ID.
`If user validation is required (described further below),
`the present invention displays to the user a user validation
`screen 280 as shown in FIG. 4B. The user validation screen
`
`280 contains a message header 282 which optionally con-
`tains instructions and other information for the user. It is
`
`appreciated that message header 282 contains instructions to
`the user indicating that a key is being forwarded from the
`user validation system 310a (FIG. 3A) to the user’s known
`email address. An information field 284 receives the vali-
`
`dan'on value that is to be entered by the user. The user is
`instructed to obtain the key from the user’s email account
`220 (FIG. 3A) and input that key into information field 284
`of the validation screen 280. The value entered into infor-
`mation field 284 is the user entered validation value. Once
`the validation value is entered, a submit button 286 can be
`activated by the user to present the validation value to user
`validation system 310a. A clear button 288 is optionally
`provided to erase an incorrect key entered at field 284. Other
`messages and/or internet (e.g., www) addresses can be
`displayed in optional message field 290. The user is able to
`exit the validation screen 280 without entering a key by
`invoking the exit button 292.
`FIG. 5 illustrates an exemplary message format of the
`present invention validation message that is forwarded from
`the user validation system 310a (FIG. 3A). over the email
`internet application 216 (FIG. 3A), to the user’s lmown user
`email address. The validation message format 320 in one
`embodiment is a text file and contains a message header 322
`indicating the nature of the message (e.g., validation for the
`application system 310 of FIG. 1) and other optional instruc-
`tions. Irnportantly, the message format 320 contains the
`transmitted key in information field 324 for the user. As
`discussed further below, the key is pseudo unique to the user
`ID and the user’s current IP address. The validation message
`format 320 also contains an internet address (e.g., in the
`form of a Uniform Resource Locator or URL format) within
`information field 326. The internet address (e.g., URL) in
`field 326 specifies the address (e.g., URL) at which the
`validation saeen 280 (FIG. 4B) is located. The user is
`instructed to return to this internet address (e.g., URL) to
`enter the key of field 324. The user is also instructed by
`validation message 320 that the user identification screen
`260 (FIG. 4A) allows direct access to the application system
`310 after validation is complete for this current IP address.
`Other messages and/or internet (e.g., www) addresses can be
`displayed in optional message field 328.
`USER VALIDATION PROCEDURE OF THE
`PRESENT INVENTION
`
`FIG. 6 illustrates steps of the user validation procedure
`400 of the present invention operable within the user vali-
`dation system 310a (FIG. 3A) of the application system 310
`(FIG. 1). At step 410, the present invention responds to a
`user attempt to enter the application system 310 by display—
`ing the user identification screen 260 (FIG. 4A) to the user
`over the www internet application 212 (FIG. 3A) using http.
`At step 410. the present invention receives the user's user ID
`from the user identification screen 260. At step 415. the
`present invention verifies the received user ID based on a
`m