US9942200B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9942200-B1 |
| Application number | US-201414558669-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 2, 2014 |
| Priority date | Dec 2, 2014 |
| Publication date | Apr 10, 2018 |
| Grant date | Apr 10, 2018 |
Official abstract text for this publication.
A user is provisioned for a Web service by supplying a user name and password. A digital certificate and VPN identifier are generated and downloaded to the user's computer. The VPN identifier and user identifier are stored into a database. The user accesses the Web service and establishes a VPN using the certificate and VPN identifier. A user identifier, user name or user password is not required. A gateway computer uses the VPN identifier to access the database previously established during the provisioning session to retrieve the user identifier. Retrieval of the user identifier validates that the computing device is authorized to use the Web service. The gateway computer stores the client IP address and a mapping to the user identifier into a database. A proxy server retrieves the user identifier from the database using the IP address and includes the user identifier in Web traffic for a remote computer.
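The flow in the abstract, modelled end to end as an added Python example (not code from the patent or its assignee): the portal is the only step that sees a password, the gateway authorizes on the VPN identifier alone, and the proxy resolves identity purely from the client IP address. The class and method names, the `X-User-Id` header, the sample account and the certificate string are assumptions made for illustration.

```python
import secrets

class WebService:
    """Toy model of the portal, gateway and proxy sharing two lookup tables."""

    def __init__(self, accounts):
        self.accounts = accounts   # constructed sample: user name -> (password, user identifier)
        self.vpn_to_user = {}      # "first database": VPN identifier -> user identifier
        self.ip_to_user = {}       # "second database": client IP -> user identifier
        self.certificate = "constructed-cert"  # stands in for a real digital certificate

    def provision(self, user_name, password):
        """Portal: authenticate with name and password, issue certificate and VPN identifier."""
        record = self.accounts.get(user_name)
        if record is None or not secrets.compare_digest(record[0], password):
            raise PermissionError("bad credentials")
        vpn_id = secrets.token_hex(16)          # unique, distinct from the user identifier
        self.vpn_to_user[vpn_id] = record[1]
        return self.certificate, vpn_id

    def establish_vpn(self, certificate, vpn_id, client_ip):
        """Gateway: authorize on the VPN identifier alone, then record the client IP."""
        if certificate != self.certificate:
            raise PermissionError("certificate rejected")
        user_id = self.vpn_to_user.get(vpn_id)
        if user_id is None:                     # identifier never provisioned
            raise PermissionError("unknown VPN identifier")
        self.ip_to_user[client_ip] = user_id
        return user_id

    def proxy_request(self, client_ip, headers):
        """Proxy: resolve the source IP and attach the user identifier to upstream traffic."""
        user_id = self.ip_to_user.get(client_ip)
        if user_id is None:
            raise PermissionError("no VPN session for this address")
        # Drop any client-supplied copy of the header (any letter case) before setting it.
        outbound = {k: v for k, v in headers.items() if k.lower() != "x-user-id"}
        outbound["X-User-Id"] = user_id
        return outbound

def demo():
    svc = WebService({"alice": ("correct horse", "uid-1001")})
    cert, vpn_id = svc.provision("alice", "correct horse")
    svc.establish_vpn(cert, vpn_id, "10.8.0.5")
    return svc.proxy_request("10.8.0.5", {"Host": "example.test", "x-user-id": "uid-9999"})
```

In this model the proxy's trust in the identity rests entirely on the second database being written only by the gateway and on the client IP being the VPN-assigned address.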
Opening claim text (preview).
We claim:
1. A method of authenticating a user of a Web service, said method comprising: at a gateway computer of said Web service, receiving a request to establish a virtual private network (VPN) that includes a digital certificate and a VPN identifier from a user computing device, said VPN identifier being a unique identifier of said user; establishing said VPN between said user computing device and said gateway computer; retrieving, by said gateway computer, from a first database of said Web service a user identifier using said VPN identifier as a key into said first database, said user identifier being distinct from said VPN identifier and identifying said user; authorizing by said gateway computer, said user to use said Web service based upon said VPN identifier without requiring said user identifier and a password from said user; and authenticating, by a proxy server computer that provides said Web service, that said user identifier represents a valid user of said Web service and providing said Web service to said user via said proxy server computer and said gateway computer.
2. The method as recited in claim 1 further comprising: receiving an IP address of said user computing device during said establishing; and storing said IP address in conjunction with said user identifier in a second database of said Web service; and retrieving said user identifier from said second database by a server computer of said Web service using said IP address as a key into said second database.
3. The method as recited in claim 1 further comprising: performing said authenticating by determining that said VPN identifier exists in said first database.
4. The method as recited in claim 1 further comprising: performing said authenticating by determining that said user identifier exists in said first database.
5. The method as recited in claim 1 further comprising: performing said authenticating by determining that said retrieved user identifier matches a valid user identifier in possession of said gateway computer.
6. The method as recited in claim 2 further comprising: performing said authenticating by said server computer only via use of said IP address received from said user computing device.
7. The method as recited in claim 1 further comprising: performing said authenticating only via use of said VPN identifier received from said user computing device.
8. A method of provisioning a user of a Web service, said method comprising: receiving at a portal computer of a Web service a user name and a password from a user computing device; authenticating a user of said Web service using said user name and said password; generating a digital certificate and a virtual private network (VPN) identifier for said user, said VPN identifier being a unique identifier of said user; storing in a first database of said Web service a mapping from said VPN identifier to a user identifier that is distinct from said VPN identifier and uniquely identifies said user within said Web service; and downloading said digital certificate and said VPN identifier to said user computing device, whereby said user may establish a VPN with said Web service using said digital certificate and said VPN identifier in order to be authorized and to receive said Web service via a proxy server computer of said Web service without requiring said user identifier and a password from said user.
9. The method as recited in claim 8 further comprising: performing said authenticating and downloading by said portal computer.
10. The method as recited in claim 8 wherein said digital certificate includes said VPN identifier.
11. The method as recited in claim 8 wherein said digital certificate is common to any user of said Web service.
12. The method as recited in claim 8 further comprising: ending a session between said user computing device and said portal computer before any other connection between said user computing device and said Web service is established.
13. A method of authenticating a user of a Web service, said method comprising: at a portal computer of said Web service, authenticating an end user using a user identifier received from a user computing device, said user identifier identifying said user who is authorized to use said Web service; downloading a digital certificate and a virtual private network (VPN) identifier to said user computing device, said VPN identifier being a unique identifier of said user and being distinct from said user identifier; storing said VPN identifier and said user identifier in association with each other in a first database of said Web service; establishing a VPN between said user computing device and a gateway computer of said Web service; retrieving, by said gateway computer, from said first database of said Web service said user identifier using said VPN identifier as a key into said first database; and authorizing, by said gateway computer, that said user computing device represents a valid user of said Web service based upon said VPN identifier without requiring said user identifier and a password from said user; and authenticating, by a proxy server computer that provides said Web service, that said user identifier represents a valid user of said Web service and providing said Web service to said user via said proxy server computer and said gateway computer.
14. The method as recited in claim 13 further comprising: ending a session between said user computing device and said Web service after said storing; and beginning a new session between said user computing device and said Web service upon said establishing.
15. The method as recited in claim 13 further comprising: receiving a request to establish said VPN from said user computing device that includes a digital certificate and said VPN identifier.
16. The method as recited in claim 13 further comprising: receiving an IP address of said user computing device during said establishing; and storing said IP address in conjunction with said user identifier in a second database of said Web service; and retrieving said user identifier from said second database by a server computer of said Web service using said IP address as a key into said second database.
17. The method as recited in claim 13 further comprising: performing said authenticating by determining that said VPN identifier exists in said first database.
18. The method as recited in claim 13 further comprising: performing said authenticating by determining that said user identifier exists in said first database.
19. The method as recited in claim 13 further comprising: performing said authenticating by determining that said retrieved user identifier matches a valid user identifier in possession of said gateway computer.
20. The method as recited in claim 13 further comprising: performing said authenticating without receiving said user identifier or a password from said user computing device.
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
Virtual private networks · CPC title
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
Proxies · CPC title