WO2001029757A1 - Method and apparatus for providing secure authentication of portable devices through internet host servers - Google Patents

Method and apparatus for providing secure authentication of portable devices through internet host servers Download PDF

Info

Publication number
WO2001029757A1
WO2001029757A1 PCT/US2000/023781 US0023781W WO0129757A1 WO 2001029757 A1 WO2001029757 A1 WO 2001029757A1 US 0023781 W US0023781 W US 0023781W WO 0129757 A1 WO0129757 A1 WO 0129757A1
Authority
WO
WIPO (PCT)
Prior art keywords
token
log
network server
password
valid
Prior art date
Application number
PCT/US2000/023781
Other languages
French (fr)
Inventor
Neil Daswani
Suman Kumar Inala
Ramakrishna Satyavolu
Ji Lee
Matthew Idema
Original Assignee
Yodlee.Com, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yodlee.Com, Inc. filed Critical Yodlee.Com, Inc.
Priority to AU70891/00A priority Critical patent/AU7089100A/en
Priority to EP00959599A priority patent/EP1244998A1/en
Priority to JP2001532477A priority patent/JP2003527672A/en
Publication of WO2001029757A1 publication Critical patent/WO2001029757A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10STECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00Data processing: database and file management or data structures
    • Y10S707/99951File or database maintenance
    • Y10S707/99952Coherency, e.g. same view to multiple users

Definitions

  • the present invention is in the field of secure network protocols related to transferring data across a data network to a receiving device and pertains more particularly to methods and apparatus for authenticating various portable devices such as personal digital assistants (PDAs) and the like for operation on a secure network link.
  • PDAs personal digital assistants
  • the present invention is related in some aspects to a patent application entitled “Method and Apparatus for Restructuring of Personalized Data for Transmission from a Data Network to Connected and Portable Network Appliances", S/N 09/398,320, which is related also to U.S.
  • patent application S/N 09/323,598 filed on 6/1/1999 and entitled “Method and Apparatus for Obtaining and Presenting WEB Summaries to Users ", which is a continuation in part (CIP) of patent application S/N 09/208,740 entitled “Method and Apparatus for Providing and Maintaining a User- Interactive Portal System Accessible via Internet or other Switched-Packet- Network” filed on 12/08/98, disclosures of which are incorporated herein in their entirety by reference.
  • CIP continuation in part
  • Portable communication devices capable of linking to a data network such as the Internet are now being provided with more memory capabilities than has been usual in the past. This development has allowed users to store much more information on their portable devices than was previously possible.
  • a personal digital assistant such as 3-Com's Palm PilotTM now has up to 2 MB of memory.
  • Such a PDA can store approximately 6,000 addresses, 5 years worth of scheduled appointments, and up to 200 e-mail messages.
  • back-end database servers located anywhere on a data network such as the Internet. Companies such as HotmailTM and YahooTM use these back-end servers to store e-mail and other message information for users .
  • a user wishing to access his or her e-mail account or other information account from a portable internet-capable device such as a PDA must have the device authenticated to the server storing the desired information.
  • Conduit software on a cooperating PC is responsible for synchronizing the data on the portable device with the data in such a back-end server.
  • the synchronization process is generally known in the art and involves replacing data on the portable with new updated data from the server and vice versa.
  • the conduit application downloads any new mail from the server and uploads any new mail authored by a user operating the PDA.
  • conduit programs are available for synchronizing data from many different types of data sources.
  • a problem with the prior art methods and systems is that for a user to successfully access and receive data to a portable device (PD) he or she must provide an appropriate password and log-in information to access the site.
  • the data source must know the portable device by configuration and password.
  • a user having many different sites that are routinely accessed would have to remember many passwords, log-in codes, screen names, etc. in order to successfully interact with all the sites.
  • conduit software programs that accomplish data synchronization tasks between network data sources and portable devices are typically proprietary in nature and configured only for one host that oversees the data sources. Such a host is typically the provider of the conduit application, which resides on a user's PC.
  • data may be collected, aggregated, and restructured to be delivered to or held for access for a variety of wireless portable devices including PDAs, cellular phones, and even such as paging devices.
  • the system uses a data center for interfacing various portable devices that operate on usually wireless communication networks, and PC interfaces for communicating with such as PDAs and like peripherals.
  • the system is capable of aggregating data from many sources into a common data store with each updated data summary tagged to a user ID.
  • this system requires that a user of a portable device supply device configuration and authentication information to the service for accessing summary data. Therefore, a password and log-in is still required, at least for the aggregate service, in order to operate within the scope of the data gathering and presentation system known to the inventors.
  • a system for providing instant, automatic, and secure log-in to a network server for a portable device (PD) logging in to the network server via a first computer station acting as an Internet Host (IH) for the PD comprising first software executing on the computer station, including a location code (H-token) random number generator and a storage location reserved for the H-token; second software executing on the network server, including a password code (P-token) random number generator, and one or more tables relating P-tokens, H-tokens, and subscriber's user names and passwords; and third software executing on the PD, and a storage location on the PD reserved for a P-token generated by the different than the user's password.
  • H-token location code
  • P-token password code
  • the IH Upon a log-in request signal to the IH from the PD, the IH opens a communication link to the network server, requests the P-token from the PD, and, receiving the P-token, furnishes both the P-token and the IH-stored H-token, if any, to the network server, and the network server, only upon finding a match between P-token, H-token, and a valid subscriber, validates log-in without requesting user name and password.
  • the network server requests the subscriber's user name and password, then creates a randomly-generated P-token, which is transmitted to the IH, and from the IH to the PD, where the PD stores the code for future log in operations.
  • the IH randomly generates a new H-token, stores the new H-token in the storage location reserved for it, then furnishes the P-token and the new H-token to the network server, which requests user name and password for log in, and receiving a valid user name and password, grants log-in, and stores the new H- token associated with the user and the P-token for future log-in operations, thus validating a new IH location for valid instant log-in.
  • the network server which requests user name and password for log in, and receiving a valid user name and password, grants log-in, and stores the new H- token associated with the user and the P-token for future log-in operations, thus validating a new IH location for valid instant log-in.
  • the network server requests user name and password for log-in, and refuses log-in if the user name and password are not for a valid subscriber.
  • the network server in many useful applications is a Web server connected to the Internet.
  • a method for providing instant, automatic, and secure log-in to a network server for a portable device (PD) logging in to the network server via a first computer station acting as an Internet Host (IH) for the PD comprising steps of (a) upon receiving a log-in request signal by the IH from the PD, opening by the IH a communication link to the network server, requesting by the IH a password code (P-token) from the PD, and, receiving the P- token, furnishing both the P-token and an IH-stored H-token to the network server; and (b) upon finding a match by the network server between P-token, H-token, and a valid subscriber, validating log-in without requesting user name and password.
  • IH Internet Host
  • a subscriber requests log-in from a PD having no valid stored random-number P-token, requesting by the network server the subscriber's user name and password, then creating a randomly-generated P-token, transmitting the new P-token to the IH, and from the IH to the PD, and the PD storing the new P-token for future log in operations.
  • the network server requests user name and password for log-in, and refuses log-in if the user name and password are not for a valid subscriber.
  • the network server is a Web server connected to the Internet.
  • users of PDs logging onto network servers and services through computer hosts may enjoy instant and automatic secure one-button log-in.
  • Fig. 1 is an overview of a data-sync connection between a network data source and a portable device according to prior art.
  • Fig. 2 is an overview of a data-sync process between a network data source and a portable device according to an embodiment of the present invention.
  • Fig. 3 is a block diagram illustrating token generation and storage according to an embodiment of the present invention.
  • Fig. 4 is a process flow diagram illustrating logical steps for accomplishing a first time registering of a new host from a portable device according to an embodiment of the present invention.
  • Fig. 5 is a process flow diagram illustrating logical steps for accomplishing a routine data-sync process from a portable device according to an embodiment of the present invention.
  • Fig. 6 is a process flow chart illustrating a fail to authenticate scenario wherein a portable device was compromised.
  • Fig. 7 is a process flow diagram illustrating a fail to authenticate scenario wherein the network host was compromised.
  • the inventor provides a method and apparatus for data synchronization between a PD and a network-based data source that requires no password or log-in information to be repetitively provided to authenticate a user for the purpose of accessing personal information.
  • the method and apparatus of the present invention is taught in the enabling disclosure below.
  • Fig. 1 is an overview of a network architecture to illustrate a data-sync connection between a network data source and a portable device according to prior art.
  • a data-communication network 9 comprises a data packet network (DPN) 11, which in this case is the Internet, and an internet-service- provider (ISP) 13.
  • DPN data packet network
  • ISP internet-service- provider
  • Network 11 may be another type of data packet network instead of the Internet such as perhaps a private or corporate wide area network (WAN) as long as Transfer Control Protocol/Internet protocol (TCP/IP) or other suitable network protocols are supported.
  • WAN wide area network
  • TCP/IP Transfer Control Protocol/Internet protocol
  • Internet 11 may include any geographical portion of the global Internet network including such as data sub-nets.
  • Internet 11 has an Internet backbone 27 distributed throughout, which represents the many lines and connections which comprise the wired Internet as is known in the art.
  • Servers 21-25 are, in this prior art example, assumed to be "data sources” known in the art for serving data that is held for and requested by users. Users in many cases operate by connecting directly to data servers 21-25, or may alternatively connect and download data through such as a host server (HS) 19 illustrated at far left. The types of data that may be held will depend on the nature of the data server and somewhat on the nature of the portable device used to gain access. Typically servers 21 through 25 hold e-mail, bank-account information, securities trading information and the like.
  • ISP 13 is adapted, in this prior-art example, for providing Internet services as known in the art. Illustrated within ISP 13 are a main connection server 15 and a modem bank 17, illustrated herein as a single modem icon. Main server 15 is directly connected to Internet 11.
  • PC 31 is illustrated in this example as having an active Internet connection to Internet 11 through ISP 13 via a telephone line 29 and by virtue of modem bank 17 as is typical in the art of Internet access.
  • PC 31 is thus an Internet Host (IH) for a PDA 33 in this architecture.
  • Line 29 may be a normal telephone line, an integrated services digital network (ISDN) line(s), or any other suitable wired connection.
  • ISDN integrated services digital network
  • Other alternative Internet-access methods are known in the art and may be used.
  • PC/modem illustrates the most common method (PC/modem).
  • PC 31 represents an exemplary user's PC that will act as an IH when the user is operating a connected peripheral device such as a PDA 33 illustrated to the right of PC 31.
  • PDA 33 maintains a wireless connection to PC 31 as illustrated by the dotted double arrow.
  • the wireless connection may be such as a line-of-sight infra red system as known in the art.
  • PDA 33 may also be connected to PC 31 by hard-wire connection, such a RS-232, TCP/IP, conventional serial port, Universal Serial Bus (USB), or any other suitable protocol.
  • This prior art example illustrates a simple data-sync connection between PDA 33 and any one of data servers 21-25, either directly or through a host server 19.
  • a conduit software application 35 is provided to run on PC 31 at a user's discretion.
  • Software 35 is responsible for synchronizing data between PDA 33 and any one, or all of servers 21-25.
  • each data server is a separate and non-cooperating entity, there will be more than one password and log-in requirement for the user to obtain authentication for all subscribed data.
  • FIG. 2 is an overview of an architecture for illustrating data-sync operations between network data-sources and various portable devices according to an embodiment of the present invention.
  • a unique authentication system for portable network devices is provided to be used in conjunction with a data gathering and presentation service that is already known to the inventors.
  • a data gathering and presentation service that is already known to the inventors.
  • One such service is that disclosed in the cross-referenced patent application 09/323,598 wherein Web summaries are gathered and made available to users operating any network- capable appliance including portable devices.
  • the preferred embodiment also includes a previously disclosed enhancement described in the related application entitled "Method and Apparatus for Abstract Restructuring of Personalized Data or Transmission from a Data Network to Varied Connected and Portable Network Appliances" wherein data to portable devices may be aggregated and restructured for such devices based on device model and device-specific software protocol. It is to be understood, however, that practice of the invention is not limited to such aggregating and restructuring services.
  • the method and apparatus of the present invention may be implemented with other existing data gathering systems such as may be known in the art.
  • the method and apparatus of the present invention may be used in conjunction with a system that is adapted solely for providing data to specific or varied portable devices.
  • communication network 10 comprises Internet network 11, ISP 13, a data center 48, and at least one exemplary wireless data network represented herein by element number 14.
  • Internet 11 may be another type of data packet network instead of the Internet, such as perhaps a private or corporate wide area network (WAN) as long as Transfer Control Protocol/Internet protocol (TCP/IP) or other suitable network protocols are supported.
  • WAN wide area network
  • TCP/IP Transfer Control Protocol/Internet protocol
  • Internet 11 may comprise any geographical portion of the global network including such as data sub-networks connected thereto.
  • Internet backbone 27 represents the many lines and connection points making up the wired Internet as was described in Fig. 1.
  • WS Web servers
  • Servers 39-43 are, in this embodiment, file servers known in the art for serving data in such as hypertext markup language (HTML), XML, or other suitable languages associated with electronic information pages known as WEB pages in the art.
  • a portal Server (PS) 38 is shown as an Internet-connected Web server, and represents an aggregating service as known to the inventors and taught in individual ones of the cross-referenced documents.
  • WS 39 may be an on-line bank server containing general information and links to more personal data (source data) such as user account information, loan information, user profile information and the like.
  • WS 41 may be a main server for an instant messaging company. Information pages contained therein may contain links to message servers, user account information, and so on.
  • WS 43 may be a server providing stock tracking and purchase services to individuals through the Internet. Web servers 39-43 are not related to or affiliated with each other in this example. In prior art, a user would have to negotiate with each WS 39-43 separately in order to get access to source data hosted by such servers. It should also be noted here that there are many server combinations used by companies practicing their trades on the Internet. In most instances, separate machines are used for holding separate kinds of data such as for secure information as opposed to general information. However, this is not always true as some companies may combine all information and data on one powerful machine.
  • ISP 13 is enabled, in this example, for providing Internet access services as known in the art. Illustrated within ISP 13 are a main connection server 15, a host server (HS) 37, and a modem bank 17. Main connection server 15 is directly connected to Internet 11. Server 15 is adapted to maintain user Internet connections and other normal ISP interface routines.
  • HS 37 provides enhanced services for the ISP, to provide, for example, Internet access for miscellaneous PDs via a data center 48 communicating by a satellite 16 with PDs 32-36. In this enhancement data protocols may be changed to protocols commonly used by PDs by unique software not shown in this illustration.
  • a Portal Server 38 in the Internet in this embodiment is enabled to aggregate data from other Internet Web servers, such as servers 39-43, and to provide aggregated data to subscribers, as taught in the cross-referenced documents.
  • a data repository 45 contains data about individual subscribers to the service of the present invention.
  • Repository 45 may be an optical storage facility or any other convenient facility that is adapted for warehousing data.
  • Repository 45 is illustrated as connected to PS 38.
  • repository 45 may also hold aggregated data gathered from such as Internet 11 before being delivered to or being accessed by users.
  • HS 37 is connected to a data center 48 by a data link 47.
  • Data center 48 provides an Internet interface to HS 37 for various wireless data networks represented by network 14.
  • Network 14 is further characterized by the illustration of a communication satellite 16, which exhibits an exemplary wireless data link connection to data center 48 as illustrated by a dotted double arrow.
  • network 14 may be plural in the sense that plural wireless data networks specific to certain communication devices may accomplish an interface to HS 37 through such as satellite 16 or another type of wireless transceiver/receiver and data center 48.
  • a plurality of Internet-capable appliances which are in this example, portable devices (PDs). These are a pager 32, a notebook computer 34, and a cellular telephone 36.
  • appliances 32-36 broadcast data, which is picked up by such as satellite 16 and relayed to data center 48.
  • data arriving to such as satellite 16 from data center 48 is broadcast and picked-up by appliances 32, 34, and 36 as illustrated herein with dotted double arrows representing respective communication links.
  • network 14 would be a cellular network as typically implemented for those devices.
  • network 14 may be a wireless Internet service using cellular or other suitable wireless technologies.
  • main connection server 15 is connected to modem bank 17 as is known in the art of Internet access through an ISP.
  • PC 31 is a user station operated by a user/subscriber to the data-gathering and presentation service, and is illustrated as connected to modem bank 17 by Internet connection line 29 as described in Fig. 1.
  • Line 29 may be a normal telephone line, an integrated digital services network (ISDN) connection line, or any other suitable wired connection as was described in Fig. 1.
  • PDA 33 is illustrated by a dotted double arrow as having a wireless communication link to PC 3, such as an infra-red communication link.
  • This connection may also be by any suitable hard-wired link, such as serial, USB, and so on.
  • the present invention provides a unique software application 51 that runs on any machine used as an Internet host (IH) for PDs.
  • IH Internet host
  • the IH is PC 31.
  • SW 51 enables instant and automatic security authentication for PDs according to embodiments of the present invention.
  • Other instances of SW 51 are illustrated in this example as well.
  • an instance of SW 51 is provided on HS 37 to provide authentication services for PDs 32-36 connecting through data center 39.
  • Yet another instance of SW 51 is provided to run on PS 38, and provides authentication services for requesting IH platforms for candidate PDs.
  • the several instances of SW 51 are not meant to indicate that the software is identical in each instance, but to indicate that the several instances are provided as compatible software which interact to provide the described features of the invention.
  • the device authentication methods of the present invention involve the use of binary strings (tokens). Some are generated randomly by SW 51 at IH devices, and some by SW51 at PS 38 or possibly at another Internet Web server.
  • SW 51 Some are generated randomly by SW 51 at IH devices, and some by SW51 at PS 38 or possibly at another Internet Web server.
  • a user operating an Internet-capable device, or a portable device having an Internet host such as PDA 33 or PDs 32-36 (Fig.l) wishes to synchronize data with PS 38 or another Web server enhanced with software according to an embodiment of the present invention, he/she may simply initiate an automated secure process by depressing one button, making a single keystroke, or single-clicking with a mouse, for example.
  • Fig. 3 is a block diagram illustrating authentication architecture according to an embodiment of the present invention.
  • PC Internet Host (IH) 31 or 37 has a number generator 57 (known in the art) adapted for generating random binary string tokens. This generator is a part of or associated with SW 51.
  • the IH also has a non-volatile storage (may be local hard disk) 59 adapted for storing data.
  • the server-source with which data is to be synchronized which is in this example Portal Server 38, has data repository 45 having data base 55 which is enabled by SW 51 to cooperate with IH devices and PDs to establish secure log-on according to embodiments oft he present invention.
  • Database 55 stores user data including user ID, device configurations, and other user parameters as represented generally by a dotted rectangle labeled user block.
  • table 61 which is a password table
  • table 63 which is a locations table.
  • Database 55 may also comprise aggregated data represented by element number 65. Data 65 is requested synchronization-data collected from various Web sources by the data gathering and presentation service of the Portal Server 38.
  • Password table 61 stores user password tokens (P-tokens), user passwords, and user log-in names or codes.
  • Locations table 63 stores user location tokens (H-tokens) and login names or codes. P-tokens are associated with H-tokens as described with reference to Fig. 2. Although only a single user-authentication data-set is represented in tables 61 and 63 in Fig. 3, it is noted that in actual practice, tables 61 and 63 will contain all of the authentication data-sets specific to all of the subscribers to the authentication service, all verified IH locations for each subscriber, and all P-tokens for PDs operated and verified for each subscriber.
  • the authentication system of the present invention is set up to provide easy one-button authentication for PDs through enabled IH devices, and to remember PDs authenticated to the system as well as which IH devices a user accesses for authentication.
  • instant authentication is enabled under the conditions that the user is a subscriber to the system, the PD used has been authenticated previously and has a stored P-token, and the IH through which the user attempts log-in is also authenticated to the system, having a stored H-token. Under these conditions the network server will have the P-token and the H-token stored and associated, and can quickly determine if the request for instant log-in is authentic.
  • the system will ask for a user name and password.
  • a known user subscriber
  • a P-token logs on through a new IH device
  • the IH device is identified (location) so subsequent log-ons may be automatic.
  • the user will be asked for log-in name and password again. If the new log-in is successful, the new H-token will be stored in location tables at server level, and added to the list of IH devices the user may use for automated access.
  • Fig. 4 is a process flow diagram illustrating steps for accomplishing first time registering of a new Internet host (IH) by logging in from a new PD according to an embodiment of the present invention.
  • IH Internet host
  • the user in the example has previously provided password and log-in information such as user name and password to the data server, in this example Portal Server 38.
  • the example will be most easily understood with reference to both Figs. 3 and 4, and for simplicity will be assumed to involve PD 33, IH 31 and PS 38 as the network-level data source.
  • the user initiates a log-in to the subscription service on PS 38 from PD 33, not before used for log-in using IH 31, not before used for log-in either.
  • IH 31 stores the generated H-token to NV storage, such as to disk.
  • NV storage such as to disk.
  • added security tokens are typically 32 bit binary words or longer, but may be shorter is desired.
  • IH 31 opens a secure socket layer (SSL) connection (known in the art) to PS 38.
  • SSL secure socket layer
  • IH 31 sends the actual log- in, password and H-token to repository 45 at PS 38 over the secure connection.
  • repository 45 tables the generated H-token and the actual log-in name or code in table 63 of Fig. 3. Also at step 77, a random P-token is generated by the server (generator 58).
  • repository 45 tables the generated P-token, actual password, and actual log- in name or code in table 61 of Fig. 3.
  • repository 45 sends the generated P-token to IH 33.
  • IH 31 sends the generated P-token to the user's requesting device, PD 33, where it is stored.
  • IH 31 eliminates all knowledge of the generated P-token at IH 31.
  • a user is now configured through the system of the invention to automatically log-on and synchronize data from PD 33 with PS 38 through IH 31 without being required to repeat any authentication process such as re-entering a password or log-in. This may be done by a single-button input by the PD, for example.
  • IH 31 has a stored, valid H-token and PD 33 has a stored and valid P-token.
  • FIG. 5 is a process flow diagram illustrating logical steps for accomplishing a routine data-sync authentication and process from a portable device according to an embodiment of the present invention.
  • a user initiates an authentication and synchronization procedure by a one-button input on his/her PD, such as PD 33, through IH 31.
  • IH 31 has been used previously for such log-in and data sync.
  • IH 31 requests a P-token from PD 33.
  • PD 33 send the stored P-token to IH 31.
  • IH 31 retrieves the H-token from its own internal storage (location code).
  • IH 31 sends the H-token and P-token to PS 38.
  • repository 45 at PS 38 looks for the P-token in table 61 in DB 55, and finding the P- token listed there obtains the corresponding password and log-in name or code listed in the table.
  • repository 45 looks for and obtains corresponding H-tokens listed in table 62 (Fig. 2).
  • step 99 If at step 99, one of the corresponding H-tokens matches the H-token sent to repository 45 by IH 31, then authentication is complete. At step 101 then, the repository sends all collected and aggregated data to IH 31. The user's device is then synchronized with the aggregated data at step 103.
  • the method and apparatus of the present invention may be practiced with the data gathering and presentation service as known to the inventors.
  • the method and apparatus of the present invention may also be practiced with virtually any Internet host that has locally-stored data or controls connected data sources. It is only necessary that the server portion of software 51 be implemented on the network server to enable interaction with local Internet hosts through which users may log-in.
  • tokens may be of varying length.
  • tokens need not be randomly generated numbers in every case.
  • a P-token could instead be a secure cryptographic hash of a username/password combination for example. Steps of the process may be somewhat re-ordered.
  • Internet data sources may be of many different sorts, and so on.
  • An H-token could be device or chip IDs for the Internet Host (IH) CPU, for example.

Abstract

A system for instant log-in (67) to network servers and services from portable devices through computer-station Internet hosts has first software executing on the computer station, including a location code (H-token) (69) generator and a storage location reserved for the H-token (69), second software executing on the network server, including a password code (P-token) (79) generator, and one or more tables relating P-tokens (79), H-tokens (69), and subscriber's user names and passwords, third software executing on the PD (83), and a storage location on the PD (83) reserved for a P-token (79) different than the user's password. Upon a log-in (67) request signal to the IH (85) from the PD (83), the IH (85) opens a communication link to the network server, requests the P-token (79) from the PD (83), and, receiving the P-token (79), furnishes both the P-token (79) and the IH-stored (71) H-token (69), if any, to the network server, and the network server, only upon finding a match between P-token (79), H-token (69), and a valid subscriber, validates log-in (67) without requesting user name and password. Methods are provided for generating new P-tokens (79) by enabled servers, sending the new P-tokens (79) to enabled PDs (83), and associating the new tokens with users and location codes, to validate new PDs (83) to the system, and also for generating new H-tokens (69), validating new Internet Hosts to the system.

Description

Method and Apparatus for Providing Secure Authentication of Portable Devices
Through Internet Host Servers by inventor(s) Neil Daswani, Matthew Idema, Sam Inala, Ji Lee, Ramakrishna Satyavolu
Field of the Invention
The present invention is in the field of secure network protocols related to transferring data across a data network to a receiving device and pertains more particularly to methods and apparatus for authenticating various portable devices such as personal digital assistants (PDAs) and the like for operation on a secure network link.
Cross-Reference to Related Documents
The present invention is related in some aspects to a patent application entitled "Method and Apparatus for Restructuring of Personalized Data for Transmission from a Data Network to Connected and Portable Network Appliances", S/N 09/398,320, which is related also to U.S. patent application S/N 09/323,598 filed on 6/1/1999 and entitled "Method and Apparatus for Obtaining and Presenting WEB Summaries to Users ", which is a continuation in part (CIP) of patent application S/N 09/208,740 entitled "Method and Apparatus for Providing and Maintaining a User- Interactive Portal System Accessible via Internet or other Switched-Packet- Network" filed on 12/08/98, disclosures of which are incorporated herein in their entirety by reference.
Background of the Invention
Portable communication devices capable of linking to a data network such as the Internet are now being provided with more memory capabilities than has been usual in the past. This development has allowed users to store much more information on their portable devices than was previously possible. For example, a personal digital assistant (PDA) such as 3-Com's Palm Pilot™ now has up to 2 MB of memory. Such a PDA can store approximately 6,000 addresses, 5 years worth of scheduled appointments, and up to 200 e-mail messages.
In addition to the capability of storing more information on such as a PDA, users typically have much personal information stored in "back-end" database servers located anywhere on a data network such as the Internet. Companies such as Hotmail™ and Yahoo™ use these back-end servers to store e-mail and other message information for users .
Generally, a user wishing to access his or her e-mail account or other information account from a portable internet-capable device such as a PDA must have the device authenticated to the server storing the desired information. Conduit software on a cooperating PC is responsible for synchronizing the data on the portable device with the data in such a back-end server. The synchronization process is generally known in the art and involves replacing data on the portable with new updated data from the server and vice versa. In the simple case of e-mail, the conduit application downloads any new mail from the server and uploads any new mail authored by a user operating the PDA. In addition to e-mail, conduit programs are available for synchronizing data from many different types of data sources.
A problem with the prior art methods and systems is that for a user to successfully access and receive data to a portable device (PD) he or she must provide an appropriate password and log-in information to access the site. In other words, the data source must know the portable device by configuration and password. A user having many different sites that are routinely accessed would have to remember many passwords, log-in codes, screen names, etc. in order to successfully interact with all the sites. Moreover, conduit software programs that accomplish data synchronization tasks between network data sources and portable devices are typically proprietary in nature and configured only for one host that oversees the data sources. Such a host is typically the provider of the conduit application, which resides on a user's PC. In a system known to the inventor and referenced under the documents listed in the Cross-Reference to Related Documents section, data may be collected, aggregated, and restructured to be delivered to or held for access for a variety of wireless portable devices including PDAs, cellular phones, and even such as paging devices. The system uses a data center for interfacing various portable devices that operate on usually wireless communication networks, and PC interfaces for communicating with such as PDAs and like peripherals. The system is capable of aggregating data from many sources into a common data store with each updated data summary tagged to a user ID. However, this system requires that a user of a portable device supply device configuration and authentication information to the service for accessing summary data. Therefore, a password and log-in is still required, at least for the aggregate service, in order to operate within the scope of the data gathering and presentation system known to the inventors.
It is desired that users of portable devices be relieved of a requirement for storing a variety of passwords, log-in names and the like on their machines for accessing various data sources. Although the data-gathering and presentation service, known also as an Internet portal service, maintains, and manages passwords and login names or codes for subscribers, authentication to the service still must be completed whenever a subscriber wishes to synchronize his or her portable device with aggregated data. Prior-art data synchronization methods do not offer optimum security or convenience as was described further above.
What is clearly needed is a method and apparatus for secure authentication and data synchronization that eliminates the need for a user to provide password or log-in information to access a routinely-visited data source, and offers a protection against a single-point security breech of the data gathering and presentation service. Such a method and apparatus would be a convenience to users that routinely access more than one network-based data source from a portable device such as a PDA. Summarv of the Invention
In a preferred embodiment of the present invention a system for providing instant, automatic, and secure log-in to a network server for a portable device (PD) logging in to the network server via a first computer station acting as an Internet Host (IH) for the PD is provided, the system comprising first software executing on the computer station, including a location code (H-token) random number generator and a storage location reserved for the H-token; second software executing on the network server, including a password code (P-token) random number generator, and one or more tables relating P-tokens, H-tokens, and subscriber's user names and passwords; and third software executing on the PD, and a storage location on the PD reserved for a P-token generated by the different than the user's password. Upon a log-in request signal to the IH from the PD, the IH opens a communication link to the network server, requests the P-token from the PD, and, receiving the P-token, furnishes both the P-token and the IH-stored H-token, if any, to the network server, and the network server, only upon finding a match between P-token, H-token, and a valid subscriber, validates log-in without requesting user name and password.
In embodiments of the present invention, the first time a subscriber requests log-in from a PD having no valid stored random-number P-token, the network server requests the subscriber's user name and password, then creates a randomly-generated P-token, which is transmitted to the IH, and from the IH to the PD, where the PD stores the code for future log in operations. Also in embodiments of the invention, the first time a subscriber requests log-in from a PD having a valid P-token through an IH having no valid stored H-token, the IH randomly generates a new H-token, stores the new H-token in the storage location reserved for it, then furnishes the P-token and the new H-token to the network server, which requests user name and password for log in, and receiving a valid user name and password, grants log-in, and stores the new H- token associated with the user and the P-token for future log-in operations, thus validating a new IH location for valid instant log-in. In preferred embodiments, in the absence of either a valid P-token or a valid
H-token, the network server requests user name and password for log-in, and refuses log-in if the user name and password are not for a valid subscriber. The network server in many useful applications is a Web server connected to the Internet.
In another aspect of the invention a method for providing instant, automatic, and secure log-in to a network server for a portable device (PD) logging in to the network server via a first computer station acting as an Internet Host (IH) for the PD is provided, the method comprising steps of (a) upon receiving a log-in request signal by the IH from the PD, opening by the IH a communication link to the network server, requesting by the IH a password code (P-token) from the PD, and, receiving the P- token, furnishing both the P-token and an IH-stored H-token to the network server; and (b) upon finding a match by the network server between P-token, H-token, and a valid subscriber, validating log-in without requesting user name and password.
In a preferred embodiments of the method there is a step for, the first time a subscriber requests log-in from a PD having no valid stored random-number P-token, requesting by the network server the subscriber's user name and password, then creating a randomly-generated P-token, transmitting the new P-token to the IH, and from the IH to the PD, and the PD storing the new P-token for future log in operations.
Also in preferred embodiments there is a step for, , the first time a subscriber requests log-in from a PD having a valid P-token through an IH having no valid stored H-token, the IH randomly generating a new H-token, storing the new H-token in the storage location reserved for it, then furnishing the P-token and the new H-token to the network server, which requests user name and password for log in, and receiving a valid user name and password, granting log-in, and storing the new H-token associated with the user and the P-token for future log-in operations, thus validating a new IH location for valid instant log-in. In the absence of either a valid P-token or a valid H-token, the network server requests user name and password for log-in, and refuses log-in if the user name and password are not for a valid subscriber.
In many useful applications of the methods of the invention the network server is a Web server connected to the Internet. For the first time with systems and methods according to preferred embodiments of the present invention, taught in enabling detail below, users of PDs logging onto network servers and services through computer hosts, may enjoy instant and automatic secure one-button log-in.
Brief Description of the Drawing Figures
Fig. 1 is an overview of a data-sync connection between a network data source and a portable device according to prior art.
Fig. 2 is an overview of a data-sync process between a network data source and a portable device according to an embodiment of the present invention.
Fig. 3 is a block diagram illustrating token generation and storage according to an embodiment of the present invention.
Fig. 4 is a process flow diagram illustrating logical steps for accomplishing a first time registering of a new host from a portable device according to an embodiment of the present invention.
Fig. 5 is a process flow diagram illustrating logical steps for accomplishing a routine data-sync process from a portable device according to an embodiment of the present invention.
Fig. 6 is a process flow chart illustrating a fail to authenticate scenario wherein a portable device was compromised.
Fig. 7 is a process flow diagram illustrating a fail to authenticate scenario wherein the network host was compromised.
Description of the Preferred Embodiments
In order to provide users of network-capable portable devices (PDs) with ultimate convenience in a secure operating environment, the inventor provides a method and apparatus for data synchronization between a PD and a network-based data source that requires no password or log-in information to be repetitively provided to authenticate a user for the purpose of accessing personal information. The method and apparatus of the present invention is taught in the enabling disclosure below.
Fig. 1 is an overview of a network architecture to illustrate a data-sync connection between a network data source and a portable device according to prior art. In this simple, prior-art example, a data-communication network 9 comprises a data packet network (DPN) 11, which in this case is the Internet, and an internet-service- provider (ISP) 13.
Network 11 may be another type of data packet network instead of the Internet such as perhaps a private or corporate wide area network (WAN) as long as Transfer Control Protocol/Internet protocol (TCP/IP) or other suitable network protocols are supported.
Internet 11 may include any geographical portion of the global Internet network including such as data sub-nets. Internet 11 has an Internet backbone 27 distributed throughout, which represents the many lines and connections which comprise the wired Internet as is known in the art.
Three data servers (DS) 21, 23, and 25 are illustrated within Internet 11 and connected to backbone 27. Servers 21-25 are, in this prior art example, assumed to be "data sources" known in the art for serving data that is held for and requested by users. Users in many cases operate by connecting directly to data servers 21-25, or may alternatively connect and download data through such as a host server (HS) 19 illustrated at far left. The types of data that may be held will depend on the nature of the data server and somewhat on the nature of the portable device used to gain access. Typically servers 21 through 25 hold e-mail, bank-account information, securities trading information and the like. ISP 13 is adapted, in this prior-art example, for providing Internet services as known in the art. Illustrated within ISP 13 are a main connection server 15 and a modem bank 17, illustrated herein as a single modem icon. Main server 15 is directly connected to Internet 11.
A personal computer (PC) 31 is illustrated in this example as having an active Internet connection to Internet 11 through ISP 13 via a telephone line 29 and by virtue of modem bank 17 as is typical in the art of Internet access. PC 31 is thus an Internet Host (IH) for a PDA 33 in this architecture. Line 29 may be a normal telephone line, an integrated services digital network (ISDN) line(s), or any other suitable wired connection. Other alternative Internet-access methods are known in the art and may be used. This prior art example illustrates the most common method (PC/modem). PC 31 represents an exemplary user's PC that will act as an IH when the user is operating a connected peripheral device such as a PDA 33 illustrated to the right of PC 31. In this case PDA 33 maintains a wireless connection to PC 31 as illustrated by the dotted double arrow. The wireless connection may be such as a line-of-sight infra red system as known in the art. PDA 33 may also be connected to PC 31 by hard-wire connection, such a RS-232, TCP/IP, conventional serial port, Universal Serial Bus (USB), or any other suitable protocol.
This prior art example illustrates a simple data-sync connection between PDA 33 and any one of data servers 21-25, either directly or through a host server 19. In the practice of this prior art example, a conduit software application 35 is provided to run on PC 31 at a user's discretion. Software 35 is responsible for synchronizing data between PDA 33 and any one, or all of servers 21-25.
When a user operating PDA 33 desires to synchronize data with data stored on servers 21-25, he must first authenticate PDA 33 to the target data store via manual password and log-in requirement illustrated as manual operation 37. This log-in may alternatively be accomplished at IH 31. Once properly authenticated SW 35 may access secure data at servers 21-25 and synchronize the data with data already stored on PDA 33.
Typically, because each data server is a separate and non-cooperating entity, there will be more than one password and log-in requirement for the user to obtain authentication for all subscribed data.
One with skill in the art will recognize that the prior-art example represented herein may require considerable user resource in effecting synchronization of data between PDA 33 and a plurality of data sources such as those that would include servers 21-25. Fig. 2 is an overview of an architecture for illustrating data-sync operations between network data-sources and various portable devices according to an embodiment of the present invention.
In a preferred embodiment of the present invention, a unique authentication system for portable network devices is provided to be used in conjunction with a data gathering and presentation service that is already known to the inventors. One such service is that disclosed in the cross-referenced patent application 09/323,598 wherein Web summaries are gathered and made available to users operating any network- capable appliance including portable devices. The preferred embodiment also includes a previously disclosed enhancement described in the related application entitled "Method and Apparatus for Abstract Restructuring of Personalized Data or Transmission from a Data Network to Varied Connected and Portable Network Appliances" wherein data to portable devices may be aggregated and restructured for such devices based on device model and device-specific software protocol. It is to be understood, however, that practice of the invention is not limited to such aggregating and restructuring services.
In some other embodiments, the method and apparatus of the present invention may be implemented with other existing data gathering systems such as may be known in the art. In still other embodiments, the method and apparatus of the present invention may be used in conjunction with a system that is adapted solely for providing data to specific or varied portable devices.
Referring again to Fig. 2, communication network 10 comprises Internet network 11, ISP 13, a data center 48, and at least one exemplary wireless data network represented herein by element number 14. Internet 11 may be another type of data packet network instead of the Internet, such as perhaps a private or corporate wide area network (WAN) as long as Transfer Control Protocol/Internet protocol (TCP/IP) or other suitable network protocols are supported.
Internet 11 may comprise any geographical portion of the global network including such as data sub-networks connected thereto. Internet backbone 27 represents the many lines and connection points making up the wired Internet as was described in Fig. 1. In this embodiment, three Web servers (WS) 39, 41, and 43 are illustrated within Internet 11 and connected to backbone 27.
Servers 39-43 are, in this embodiment, file servers known in the art for serving data in such as hypertext markup language (HTML), XML, or other suitable languages associated with electronic information pages known as WEB pages in the art. A portal Server (PS) 38 is shown as an Internet-connected Web server, and represents an aggregating service as known to the inventors and taught in individual ones of the cross-referenced documents.
For example, WS 39 may be an on-line bank server containing general information and links to more personal data (source data) such as user account information, loan information, user profile information and the like. WS 41 may be a main server for an instant messaging company. Information pages contained therein may contain links to message servers, user account information, and so on. WS 43 may be a server providing stock tracking and purchase services to individuals through the Internet. Web servers 39-43 are not related to or affiliated with each other in this example. In prior art, a user would have to negotiate with each WS 39-43 separately in order to get access to source data hosted by such servers. It should also be noted here that there are many server combinations used by companies practicing their trades on the Internet. In most instances, separate machines are used for holding separate kinds of data such as for secure information as opposed to general information. However, this is not always true as some companies may combine all information and data on one powerful machine.
ISP 13 is enabled, in this example, for providing Internet access services as known in the art. Illustrated within ISP 13 are a main connection server 15, a host server (HS) 37, and a modem bank 17. Main connection server 15 is directly connected to Internet 11. Server 15 is adapted to maintain user Internet connections and other normal ISP interface routines. HS 37 provides enhanced services for the ISP, to provide, for example, Internet access for miscellaneous PDs via a data center 48 communicating by a satellite 16 with PDs 32-36. In this enhancement data protocols may be changed to protocols commonly used by PDs by unique software not shown in this illustration. A Portal Server 38 in the Internet in this embodiment is enabled to aggregate data from other Internet Web servers, such as servers 39-43, and to provide aggregated data to subscribers, as taught in the cross-referenced documents. In this aspect, a data repository 45 contains data about individual subscribers to the service of the present invention. Repository 45 may be an optical storage facility or any other convenient facility that is adapted for warehousing data. Repository 45 is illustrated as connected to PS 38. In addition to holding data specific to individual subscribers such as account information, address parameters, user ID and authorization data, repository 45 may also hold aggregated data gathered from such as Internet 11 before being delivered to or being accessed by users. Also residing in repository 45 is a database (DB) 55 that contains tabled encrypted data representing multiple user passwords and log-in codes organized in tables that are essential to practicing the device authentication methods of the present invention. Such tables and their contents are described in further detail below. HS 37 is connected to a data center 48 by a data link 47. Data center 48, among other tasks, provides an Internet interface to HS 37 for various wireless data networks represented by network 14. Network 14 is further characterized by the illustration of a communication satellite 16, which exhibits an exemplary wireless data link connection to data center 48 as illustrated by a dotted double arrow. As previously described, network 14 may be plural in the sense that plural wireless data networks specific to certain communication devices may accomplish an interface to HS 37 through such as satellite 16 or another type of wireless transceiver/receiver and data center 48.
Within network 14 is illustrated a plurality of Internet-capable appliances, which are in this example, portable devices (PDs). These are a pager 32, a notebook computer 34, and a cellular telephone 36. In this example, appliances 32-36 broadcast data, which is picked up by such as satellite 16 and relayed to data center 48. Similarly, data arriving to such as satellite 16 from data center 48 is broadcast and picked-up by appliances 32, 34, and 36 as illustrated herein with dotted double arrows representing respective communication links. In the case of appliances 32 and 36, network 14 would be a cellular network as typically implemented for those devices. In the case of notebook 34, network 14 may be a wireless Internet service using cellular or other suitable wireless technologies.
As previously described, main connection server 15 is connected to modem bank 17 as is known in the art of Internet access through an ISP. PC 31 is a user station operated by a user/subscriber to the data-gathering and presentation service, and is illustrated as connected to modem bank 17 by Internet connection line 29 as described in Fig. 1. Line 29 may be a normal telephone line, an integrated digital services network (ISDN) connection line, or any other suitable wired connection as was described in Fig. 1. PDA 33 is illustrated by a dotted double arrow as having a wireless communication link to PC 3, such as an infra-red communication link. This connection may also be by any suitable hard-wired link, such as serial, USB, and so on.
It was described in the background section that typical conduit software is used such as on a PC for synchronizing data between a data source and a portable device. It was also described that such software is generally proprietary in nature and covers only one host and affiliated data sources. The present invention provides a unique software application 51 that runs on any machine used as an Internet host (IH) for PDs. In this example the IH is PC 31. SW 51 enables instant and automatic security authentication for PDs according to embodiments of the present invention. Other instances of SW 51 are illustrated in this example as well. For example, an instance of SW 51 is provided on HS 37 to provide authentication services for PDs 32-36 connecting through data center 39. Yet another instance of SW 51 is provided to run on PS 38, and provides authentication services for requesting IH platforms for candidate PDs. There may be instances of SW 51 running on other Web servers as well. The several instances of SW 51 are not meant to indicate that the software is identical in each instance, but to indicate that the several instances are provided as compatible software which interact to provide the described features of the invention.
The device authentication methods of the present invention involve the use of binary strings (tokens). Some are generated randomly by SW 51 at IH devices, and some by SW51 at PS 38 or possibly at another Internet Web server. In a preferred embodiment, when a user operating an Internet-capable device, or a portable device having an Internet host such as PDA 33 or PDs 32-36 (Fig.l) wishes to synchronize data with PS 38 or another Web server enhanced with software according to an embodiment of the present invention,, he/she may simply initiate an automated secure process by depressing one button, making a single keystroke, or single-clicking with a mouse, for example.
Fig. 3 is a block diagram illustrating authentication architecture according to an embodiment of the present invention. PC Internet Host (IH) 31 or 37 has a number generator 57 (known in the art) adapted for generating random binary string tokens. This generator is a part of or associated with SW 51. The IH also has a non-volatile storage (may be local hard disk) 59 adapted for storing data.
The server-source with which data is to be synchronized, which is in this example Portal Server 38, has data repository 45 having data base 55 which is enabled by SW 51 to cooperate with IH devices and PDs to establish secure log-on according to embodiments oft he present invention. There is a number generator 58 provided for generating random binary string tokens as is generator 57 in IH 31,37. Database 55 stores user data including user ID, device configurations, and other user parameters as represented generally by a dotted rectangle labeled user block. Also maintained in database 55 are two tables, table 61, which is a password table, and table 63, which is a locations table. Database 55 may also comprise aggregated data represented by element number 65. Data 65 is requested synchronization-data collected from various Web sources by the data gathering and presentation service of the Portal Server 38.
Password table 61 stores user password tokens (P-tokens), user passwords, and user log-in names or codes. Locations table 63 stores user location tokens (H-tokens) and login names or codes. P-tokens are associated with H-tokens as described with reference to Fig. 2. Although only a single user-authentication data-set is represented in tables 61 and 63 in Fig. 3, it is noted that in actual practice, tables 61 and 63 will contain all of the authentication data-sets specific to all of the subscribers to the authentication service, all verified IH locations for each subscriber, and all P-tokens for PDs operated and verified for each subscriber. The authentication system of the present invention is set up to provide easy one-button authentication for PDs through enabled IH devices, and to remember PDs authenticated to the system as well as which IH devices a user accesses for authentication. In the system of the invention instant authentication is enabled under the conditions that the user is a subscriber to the system, the PD used has been authenticated previously and has a stored P-token, and the IH through which the user attempts log-in is also authenticated to the system, having a stored H-token. Under these conditions the network server will have the P-token and the H-token stored and associated, and can quickly determine if the request for instant log-in is authentic.
There are four situations with which the system must deal in addition to the fully authenticated case of a valid subscriber with a valid PD and a valid IH. One is when a valid user/subscriber attempts to log-in through an authenticated IH with a new PD having enabling software but no P-token, this being a first-time use of the new PD with the system. Another is when a user with a valid PD attempts to log-in through a new IH. Still another is when both the PD and the IH are new to the system, but the user is a valid subscriber, and both the PD and the IH are enabled to operate with the system. The fourth situation is when a hacker attempts to log in, having found or stolen a valid PD, which will most likely occur through a non-valid IH.
In all cases other than a fully authenticated PD logging in through a fully authenticated IH, the system will ask for a user name and password. The first time a known user (subscriber) having a previously-used PD with a P-token logs on through a new IH device, he/she must provide a user name and password. In this initial process the IH device is identified (location) so subsequent log-ons may be automatic. If a user logs on from a different device, or new device other than one already identified in location tables at server-level, the user will be asked for log-in name and password again. If the new log-in is successful, the new H-token will be stored in location tables at server level, and added to the list of IH devices the user may use for automated access.
Fig. 4 is a process flow diagram illustrating steps for accomplishing first time registering of a new Internet host (IH) by logging in from a new PD according to an embodiment of the present invention. In this example, it is assumed that the user in the example has previously provided password and log-in information such as user name and password to the data server, in this example Portal Server 38. The example will be most easily understood with reference to both Figs. 3 and 4, and for simplicity will be assumed to involve PD 33, IH 31 and PS 38 as the network-level data source. In step 67, the user initiates a log-in to the subscription service on PS 38 from PD 33, not before used for log-in using IH 31, not before used for log-in either. The user enters the correct password and log-in previously known to the secure server (38). IH 31, as a part of the process, generates a random H-token identifying IH 31 at step 69. At step 71, IH 31 stores the generated H-token to NV storage, such as to disk. For added security tokens are typically 32 bit binary words or longer, but may be shorter is desired.
In step 73 IH 31 opens a secure socket layer (SSL) connection (known in the art) to PS 38. In step 75, IH 31 sends the actual log- in, password and H-token to repository 45 at PS 38 over the secure connection. In step 77, repository 45 tables the generated H-token and the actual log-in name or code in table 63 of Fig. 3. Also at step 77, a random P-token is generated by the server (generator 58).
At step 79, repository 45 tables the generated P-token, actual password, and actual log- in name or code in table 61 of Fig. 3. At step 81, repository 45 sends the generated P-token to IH 33. At step 83, IH 31 sends the generated P-token to the user's requesting device, PD 33, where it is stored. At step 85, IH 31 eliminates all knowledge of the generated P-token at IH 31. A user is now configured through the system of the invention to automatically log-on and synchronize data from PD 33 with PS 38 through IH 31 without being required to repeat any authentication process such as re-entering a password or log-in. This may be done by a single-button input by the PD, for example. IH 31 has a stored, valid H-token and PD 33 has a stored and valid P-token.
It will be apparent to the skilled artisan that the process varies only in detail for the case where either the IH is new and the PD has a P-token, or the PD is new and the IH has an H-token. In either case the missing token will be generated and stored, and the system will require full user name and password before validating log-in. Each time a user requests authentication through a new IH, the system will list another H-code to identify the new location. For example, the present user may now attempt to log-in to PS 38 through server 37 as IH. When the log-in is done, asking the user for name and password, a new H-code generated randomly by IH 37 will be listed in the location table at PS 38. A user may thus configure to have one-button service from any number of IHs by logging on through each. Fig. 5 is a process flow diagram illustrating logical steps for accomplishing a routine data-sync authentication and process from a portable device according to an embodiment of the present invention. At step 87, a user initiates an authentication and synchronization procedure by a one-button input on his/her PD, such as PD 33, through IH 31. IH 31 has been used previously for such log-in and data sync. At step 88 IH 31 requests a P-token from PD 33. At step 89 PD 33 send the stored P-token to IH 31. At step 91, IH 31 retrieves the H-token from its own internal storage (location code).
At step 93, IH 31 sends the H-token and P-token to PS 38. In step 95, repository 45 at PS 38 looks for the P-token in table 61 in DB 55, and finding the P- token listed there obtains the corresponding password and log-in name or code listed in the table. At step 97, repository 45 looks for and obtains corresponding H-tokens listed in table 62 (Fig. 2).
If at step 99, one of the corresponding H-tokens matches the H-token sent to repository 45 by IH 31, then authentication is complete. At step 101 then, the repository sends all collected and aggregated data to IH 31. The user's device is then synchronized with the aggregated data at step 103.
After following the descriptions above, it will be apparent that there are several advantages to the system of the invention. To hack the system, for example, requires two points of entry. If an attacker finds or steals a user's PD, and also finds a kiosk or other Internet host that is enabled with compatible software, when that attacker initiates the transaction with the one-button input, the system will generate at the IH a new H-code, which will not be found listed on the network-level server. The server part of the system will then demand the name and password, which of course the attacker will not know. To cheat the system requires that the attacker not only acquire the PD, but attempt the authentication through an IH already configured by the user, such as the user's home or office PC. The method and apparatus of the present invention may be practiced with the data gathering and presentation service as known to the inventors. The method and apparatus of the present invention may also be practiced with virtually any Internet host that has locally-stored data or controls connected data sources. It is only necessary that the server portion of software 51 be implemented on the network server to enable interaction with local Internet hosts through which users may log-in.
It will be apparent to the skilled artisan that there may be a variety of alterations made in the embodiments of the description described herein without departing from the spirit and scope of the invention. For example, tokens may be of varying length. Also, tokens need not be randomly generated numbers in every case. A P-token could instead be a secure cryptographic hash of a username/password combination for example. Steps of the process may be somewhat re-ordered. Internet data sources may be of many different sorts, and so on. An H-token could be device or chip IDs for the Internet Host (IH) CPU, for example. The spirit and scope of the present invention is limited only by the claims that follow.

Claims

What is claimed is:
1. A system for providing instant, automatic, and secure log-in to a network server for a portable device (PD) logging in to the network server via a first computer station acting as an Internet Host (IH) for the PD, the system comprising: first software executing on the computer station, including a location token (H- token) generator and a storage location reserved for the H-token; second software executing on the network server, including a password code (P-token) generator, and one or more tables relating P-tokens, H-tokens, and subscriber's user names and passwords; and third software executing on the PD, and a storage location on the PD reserved for the P-token; characterized in that, upon a log-in request signal to the IH from the PD, the IH opens a communication link to the network server, requests the P-token from the PD, and, receiving the P-token, furnishes both the P-token and the IH-stored H-token, if any, to the network server, and the network server, only upon finding a match between P-token, H-token, and a valid subscriber, validates log-in without requesting user name and password.
2. The system of claim 1 wherein the first time a subscriber requests log-in from a PD having no valid stored P-token, the network server requests the subscriber's user name and password, then creates a P-token, which is transmitted to the IH, and from the IH to the PD, where the PD stores the P-token for future log-in operations.
3. The system of claim 1 wherein the first time a subscriber requests log-in from a PD having a valid P-token through an IH having no valid stored H-token, the IH generates a new H-token, stores the new H-token in the storage location reserved for it, then furnishes the P-token and the new H-token to the network server, which requests user name and password for log in, and receiving a valid user name and password, grants log-in, and stores the new H-token associated with the user and the P-token for future log-in operations, thus validating a new IH location for valid instant log-in.
4. The system of claim 1 wherein, in the absence of either a valid P-token or a valid H-token, the network server requests user name and password for log-in, and refuses log-in if the user name and password are not for a valid subscriber.
5. The system of claim 1 wherein the network server is a Web server connected to the Internet.
6. A method for providing instant, automatic, and secure log-in to a network server for a portable device (PD) logging in to the network server via a first computer station acting as an Internet Host (IH) for the PD, the method comprising steps of:
(a) upon receiving a log-in request signal by the IH from the PD, opening by the IH a communication link to the network server, requesting by the IH a password code (P-token) from the PD, and, receiving the P-token, furnishing both the P-token and an IH-stored location code (H-token) to the network server; and
(b) upon finding a match by the network server between P-token, H-token, and a valid subscriber, validating log-in without requesting user name and password.
7. The method of claim 6 further comprising a step for, the first time a subscriber requests log-in from a PD having no valid stored P-token, requesting by the network server the subscriber's user name and password, then creating a P-token, transmitting the new P-token to the IH, and from the IH to the PD, and the PD storing the new P- token for future log in operations.
8. The method of claim 6 further comprising a step for, the first time a subscriber requests log-in from a PD having a valid P-token through an IH having no valid stored H-token, the IH generating a new H-token, storing the new H-token in the storage location reserved for it, then furnishing the P-token and the new H-token to the network server, which requests user name and password for log in, and receiving a valid user name and password, granting log-in, and storing the new H-token associated with the user and the P-token for future log-in operations, thus validating a new IH location for valid instant log-in.
9. The method of claim 6 wherein, in the absence of either a valid P-token or a valid H-token, the network server requests user name and password for log-in, and refuses log-in if the user name and password are not for a valid subscriber.
10. The method of claim 6 wherein the network server is a Web server connected to the Internet.
PCT/US2000/023781 1999-10-20 2000-08-29 Method and apparatus for providing secure authentication of portable devices through internet host servers WO2001029757A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU70891/00A AU7089100A (en) 1999-10-20 2000-08-29 Method and apparatus for providing secure authentication of portable devices through internet host servers
EP00959599A EP1244998A1 (en) 1999-10-20 2000-08-29 Method and apparatus for providing secure authentication of portable devices through internet host servers
JP2001532477A JP2003527672A (en) 1999-10-20 2000-08-29 Method and apparatus for providing secure authentication of a portable device via an internet host server

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US42228099A 1999-10-20 1999-10-20
US09/422,280 1999-10-20

Publications (1)

Publication Number Publication Date
WO2001029757A1 true WO2001029757A1 (en) 2001-04-26

Family

ID=23674169

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/023781 WO2001029757A1 (en) 1999-10-20 2000-08-29 Method and apparatus for providing secure authentication of portable devices through internet host servers

Country Status (5)

Country Link
US (1) US7039656B1 (en)
EP (1) EP1244998A1 (en)
JP (1) JP2003527672A (en)
AU (1) AU7089100A (en)
WO (1) WO2001029757A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002021791A2 (en) * 2000-09-08 2002-03-14 M-Systems Flash Disk Pioneers Ltd. Internet switch
WO2003030464A1 (en) * 2001-09-29 2003-04-10 Huawei Technologies Co., Ltd. A method for pc client security authentication
KR100587158B1 (en) 2004-10-28 2006-06-08 에스케이 텔레콤주식회사 Method And Apparatus For Automatically Authentication at Wireless Internet
US8775214B2 (en) 2006-07-19 2014-07-08 Thompson Reuters (Market) LLC Management method and system for a user
US11212290B1 (en) 2005-04-21 2021-12-28 Seven Networks, Llc Multiple data store authentication

Families Citing this family (108)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8620286B2 (en) 2004-02-27 2013-12-31 Synchronoss Technologies, Inc. Method and system for promoting and transferring licensed content and applications
US8156074B1 (en) 2000-01-26 2012-04-10 Synchronoss Technologies, Inc. Data transfer and synchronization system
US6671757B1 (en) 2000-01-26 2003-12-30 Fusionone, Inc. Data transfer and synchronization system
US6842861B1 (en) * 2000-03-24 2005-01-11 Networks Associates Technology, Inc. Method and system for detecting viruses on handheld computers
US7640200B2 (en) * 2000-07-10 2009-12-29 Byallaccounts, Inc. Financial portfolio management system and method
US7895334B1 (en) 2000-07-19 2011-02-22 Fusionone, Inc. Remote access communication architecture apparatus and method
US8073954B1 (en) 2000-07-19 2011-12-06 Synchronoss Technologies, Inc. Method and apparatus for a secure remote access system
US7587446B1 (en) * 2000-11-10 2009-09-08 Fusionone, Inc. Acquisition and synchronization of digital media to a personal information space
US7818435B1 (en) 2000-12-14 2010-10-19 Fusionone, Inc. Reverse proxy mechanism for retrieving electronic content associated with a local network
US8615566B1 (en) 2001-03-23 2013-12-24 Synchronoss Technologies, Inc. Apparatus and method for operational support of remote network systems
US20020156921A1 (en) * 2001-04-19 2002-10-24 International Business Machines Corporation Automatic backup of wireless mobile device data onto gateway server while device is idle
US20030167318A1 (en) * 2001-10-22 2003-09-04 Apple Computer, Inc. Intelligent synchronization of media player with host computer
WO2003036541A1 (en) * 2001-10-22 2003-05-01 Apple Computer, Inc. Intelligent synchronization for a media player
US20030120560A1 (en) * 2001-12-20 2003-06-26 John Almeida Method for creating and maintaning worldwide e-commerce
JP4279499B2 (en) * 2002-03-01 2009-06-17 シャープ株式会社 Information processing device
US8150937B2 (en) 2004-10-25 2012-04-03 Apple Inc. Wireless synchronization between media player and host device
US20080086494A1 (en) * 2006-09-11 2008-04-10 Apple Computer, Inc. Transfer and synchronization of media data
US7680849B2 (en) * 2004-10-25 2010-03-16 Apple Inc. Multiple media type synchronization between host computer and media device
US7979348B2 (en) 2002-04-23 2011-07-12 Clearing House Payments Co Llc Payment identification code and payment system using the same
US7076567B1 (en) * 2002-04-25 2006-07-11 Oracle International Corporation Simplified application object data synchronization for optimized data storage
US7606881B2 (en) * 2002-04-25 2009-10-20 Oracle International Corporation System and method for synchronization of version annotated objects
US8140642B1 (en) * 2002-05-17 2012-03-20 Mcafee, Inc. Network connection-independent updating system and method
US7222139B2 (en) * 2002-07-30 2007-05-22 International Business Machines Corporation Method, system and program for synchronizing data
US7956272B2 (en) * 2002-07-30 2011-06-07 Apple Inc. Management of files in a personal communication device
US7166791B2 (en) 2002-07-30 2007-01-23 Apple Computer, Inc. Graphical user interface and methods of use thereof in a multimedia player
US7787489B2 (en) * 2002-10-07 2010-08-31 Oracle International Corporation Mobile data distribution
US7650364B2 (en) * 2002-10-09 2010-01-19 Hewlett-Packard Development Company, L.P. Portable database system
US7287068B1 (en) * 2002-12-13 2007-10-23 Bmc Software, Inc. System and method for updating devices that execute an operating system or application program directly from nonvolatile storage
US20050010916A1 (en) * 2003-05-24 2005-01-13 Hagen David A. System for providing software application updates to multiple clients on a network
WO2005010715A2 (en) 2003-07-21 2005-02-03 Fusionone, Inc. Device message management system
US7216133B2 (en) * 2003-07-29 2007-05-08 Microsoft Corporation Synchronizing logical views independent of physical storage representations
US7844965B2 (en) * 2003-12-11 2010-11-30 International Business Machines Corporation Providing user applications for accessing data on multiple platforms from a removable storage medium
US8725607B2 (en) 2004-01-30 2014-05-13 The Clearing House Payments Company LLC Electronic payment clearing and check image exchange systems and methods
US6944636B1 (en) * 2004-04-30 2005-09-13 Microsoft Corporation Maintaining time-date information for syncing low fidelity devices
US7342555B2 (en) * 2004-04-30 2008-03-11 Microsoft Corporation Detecting low fidelity sync data
EP1759521B1 (en) 2004-05-12 2016-06-29 Synchronoss Technologies, Inc. Advanced contact identification system
US9542076B1 (en) 2004-05-12 2017-01-10 Synchronoss Technologies, Inc. System for and method of updating a personal profile
US8797926B2 (en) 2004-06-04 2014-08-05 Apple Inc. Networked media station
US8443038B2 (en) 2004-06-04 2013-05-14 Apple Inc. Network media device
US20070110074A1 (en) 2004-06-04 2007-05-17 Bob Bradley System and Method for Synchronizing Media Presentation at Multiple Recipients
US10972536B2 (en) 2004-06-04 2021-04-06 Apple Inc. System and method for synchronizing media presentation at multiple recipients
US7284021B2 (en) * 2004-06-28 2007-10-16 Microsoft Corporation Determining when a low fidelity property value has changed during a SYNC
US8141118B2 (en) * 2004-07-26 2012-03-20 Microsoft Corporation Data broadcasting receiver power management
US7653018B2 (en) * 2004-07-27 2010-01-26 Microsoft Corporation Differential update for data broadcasting
US7817157B2 (en) 2004-08-23 2010-10-19 Hewlett-Packard Company, L.P. Method and apparatus for capturing slices of video data
US7840528B2 (en) * 2004-10-22 2010-11-23 Research In Motion Limited System and method for integrating continuous synchronization on a host handheld device
US11314378B2 (en) 2005-01-07 2022-04-26 Apple Inc. Persistent group of media items for a media device
US7516393B2 (en) * 2005-03-01 2009-04-07 International Business Machines Corporation System and method of error detection for unordered data delivery
US20070244071A1 (en) * 2006-03-07 2007-10-18 Mount Sinai Hospital Treatment of proliferative diseases
US8484167B2 (en) * 2006-08-31 2013-07-09 Sap Ag Data verification systems and methods based on messaging data
US8315988B2 (en) * 2006-08-31 2012-11-20 Sap Ag Systems and methods for verifying a data communication process
US7627595B2 (en) * 2006-12-06 2009-12-01 Verizon Data Services Inc. Apparatus, method, and computer program product for synchronizing data sources
US20080168185A1 (en) * 2007-01-07 2008-07-10 Robbin Jeffrey L Data Synchronization with Host Device in Accordance with Synchronization Preferences
US10083184B2 (en) * 2007-01-07 2018-09-25 Apple Inc. Widget synchronization in accordance with synchronization preferences
US8850140B2 (en) * 2007-01-07 2014-09-30 Apple Inc. Data backup for mobile device
US8631088B2 (en) 2007-01-07 2014-01-14 Apple Inc. Prioritized data synchronization with host device
US20080168525A1 (en) * 2007-01-07 2008-07-10 David Heller Background Data Transmission between Media Device and Host Device
US8868495B2 (en) * 2007-02-21 2014-10-21 Netapp, Inc. System and method for indexing user data on storage systems
US8285656B1 (en) 2007-03-30 2012-10-09 Consumerinfo.Com, Inc. Systems and methods for data verification
US7983702B2 (en) * 2007-07-09 2011-07-19 Qualcomm Incorporated Synchronization of a peer-to-peer communication network
US8780885B2 (en) 2007-07-09 2014-07-15 Qualcomm Incorporated Synchronization of a peer-to-peer communication network
US8811372B2 (en) * 2007-07-09 2014-08-19 Qualcomm Incorporated Synchronization of a peer-to-peer communication network
US8032497B2 (en) 2007-09-26 2011-10-04 International Business Machines Corporation Method and system providing extended and end-to-end data integrity through database and other system layers
DE102007057248A1 (en) * 2007-11-16 2009-05-20 T-Mobile International Ag Connection layer for databases
US9990674B1 (en) 2007-12-14 2018-06-05 Consumerinfo.Com, Inc. Card registry systems and methods
US8181111B1 (en) 2007-12-31 2012-05-15 Synchronoss Technologies, Inc. System and method for providing social context to digital activity
GB0807590D0 (en) * 2008-04-25 2008-06-04 Ominplug Technologies Ltd Data synchronisation
US8312033B1 (en) 2008-06-26 2012-11-13 Experian Marketing Solutions, Inc. Systems and methods for providing an integrated identifier
US8060424B2 (en) 2008-11-05 2011-11-15 Consumerinfo.Com, Inc. On-line method and system for monitoring and reporting unused available credit
US9262754B1 (en) 2009-08-21 2016-02-16 Wells Fargo Bank, N.A. Request tracking system and method
US8255006B1 (en) 2009-11-10 2012-08-28 Fusionone, Inc. Event dependent notification system and method
US8468119B2 (en) * 2010-07-14 2013-06-18 Business Objects Software Ltd. Matching data from disparate sources
US8943428B2 (en) 2010-11-01 2015-01-27 Synchronoss Technologies, Inc. System for and method of field mapping
US9483606B1 (en) 2011-07-08 2016-11-01 Consumerinfo.Com, Inc. Lifescore
US9106691B1 (en) 2011-09-16 2015-08-11 Consumerinfo.Com, Inc. Systems and methods of identity protection and management
US8738516B1 (en) 2011-10-13 2014-05-27 Consumerinfo.Com, Inc. Debt services candidate locator
US9661073B2 (en) * 2011-11-18 2017-05-23 Google Inc. Web browser synchronization with multiple simultaneous profiles
SG194245A1 (en) * 2012-04-17 2013-11-29 ZingMobile Pte Ltd A method for real-time synchronization between a device and host servers
US9853959B1 (en) 2012-05-07 2017-12-26 Consumerinfo.Com, Inc. Storage and maintenance of personal data
US9654541B1 (en) 2012-11-12 2017-05-16 Consumerinfo.Com, Inc. Aggregating user web browsing data
US9916621B1 (en) 2012-11-30 2018-03-13 Consumerinfo.Com, Inc. Presentation of credit score factors
US9406085B1 (en) 2013-03-14 2016-08-02 Consumerinfo.Com, Inc. System and methods for credit dispute processing, resolution, and reporting
US10102570B1 (en) 2013-03-14 2018-10-16 Consumerinfo.Com, Inc. Account vulnerability alerts
US9858052B2 (en) 2013-03-21 2018-01-02 Razer (Asia-Pacific) Pte. Ltd. Decentralized operating system
US10685398B1 (en) 2013-04-23 2020-06-16 Consumerinfo.Com, Inc. Presenting credit score information
US10102536B1 (en) 2013-11-15 2018-10-16 Experian Information Solutions, Inc. Micro-geographic aggregation system
US9477737B1 (en) 2013-11-20 2016-10-25 Consumerinfo.Com, Inc. Systems and user interfaces for dynamic access of multiple remote databases and synchronization of data based on user rules
US10262362B1 (en) 2014-02-14 2019-04-16 Experian Information Solutions, Inc. Automatic generation of code for attributes
US10783030B2 (en) * 2014-03-12 2020-09-22 Sensia Llc Network synchronization for master and slave devices
US9525604B2 (en) 2014-03-18 2016-12-20 International Business Machines Corporation Automated synchronization of distributed dashboards
EP2978226A1 (en) * 2014-07-21 2016-01-27 Thomson Licensing Method of acquiring of electronic program guide information and corresponding apparatus
US11295308B1 (en) 2014-10-29 2022-04-05 The Clearing House Payments Company, L.L.C. Secure payment processing
US9854029B1 (en) * 2014-11-04 2017-12-26 Amazon Technologies, Inc. Systems for determining improper assignments in statistical hypothesis testing
US11042882B2 (en) 2015-07-01 2021-06-22 The Clearing House Payments Company, L.L.C. Real-time payment system, method, apparatus, and computer program
US11694168B2 (en) 2015-07-01 2023-07-04 The Clearing House Payments Company L.L.C. Real-time payment system, method, apparatus, and computer program
US11227001B2 (en) 2017-01-31 2022-01-18 Experian Information Solutions, Inc. Massive scale heterogeneous data ingestion and user resolution
US10853033B1 (en) * 2017-10-11 2020-12-01 Amperity, Inc. Effectively fusing database tables
US10993274B2 (en) 2018-03-30 2021-04-27 Apple Inc. Pairing devices by proxy
US10783929B2 (en) 2018-03-30 2020-09-22 Apple Inc. Managing playback groups
US11297369B2 (en) 2018-03-30 2022-04-05 Apple Inc. Remotely controlling playback devices
US11436577B2 (en) 2018-05-03 2022-09-06 The Clearing House Payments Company L.L.C. Bill pay service with federated directory model support
US10614857B2 (en) 2018-07-02 2020-04-07 Apple Inc. Calibrating media playback channels for synchronized presentation
US20200074541A1 (en) 2018-09-05 2020-03-05 Consumerinfo.Com, Inc. Generation of data structures based on categories of matched data items
US10963434B1 (en) 2018-09-07 2021-03-30 Experian Information Solutions, Inc. Data architecture for supporting multiple search models
US11315179B1 (en) 2018-11-16 2022-04-26 Consumerinfo.Com, Inc. Methods and apparatuses for customized card recommendations
US11238656B1 (en) 2019-02-22 2022-02-01 Consumerinfo.Com, Inc. System and method for an augmented reality experience via an artificial intelligence bot
US11880377B1 (en) 2021-03-26 2024-01-23 Experian Information Solutions, Inc. Systems and methods for entity resolution
US20230205862A1 (en) * 2021-12-27 2023-06-29 Providence St. Joseph Health Single sign-on across multiple application instances, such as electronic medical record system instances

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5613012A (en) * 1994-11-28 1997-03-18 Smarttouch, Llc. Tokenless identification system for authorization of electronic transactions and electronic transmissions
US5892900A (en) * 1996-08-30 1999-04-06 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0465019B1 (en) * 1990-06-29 1997-05-14 Oracle Corporation Method and apparatus for managing state identifiers for efficient recovery
US5710922A (en) * 1993-06-02 1998-01-20 Apple Computer, Inc. Method for synchronizing and archiving information between computer systems
US6044381A (en) * 1997-09-11 2000-03-28 Puma Technology, Inc. Using distributed history files in synchronizing databases
US5999947A (en) * 1997-05-27 1999-12-07 Arkona, Llc Distributing database differences corresponding to database change events made to a database table located on a server computer
US6199077B1 (en) * 1998-12-08 2001-03-06 Yodlee.Com, Inc. Server-side web summary generation and presentation
US6412073B1 (en) * 1998-12-08 2002-06-25 Yodiee.Com, Inc Method and apparatus for providing and maintaining a user-interactive portal system accessible via internet or other switched-packet-network
US6463427B1 (en) * 1999-03-16 2002-10-08 Microsoft Corporation Use of object signature property as a search parameter during synchronization of objects on a computer
US6477565B1 (en) * 1999-06-01 2002-11-05 Yodlee.Com, Inc. Method and apparatus for restructuring of personalized data for transmission from a data network to connected and portable network appliances
US6526418B1 (en) * 1999-12-16 2003-02-25 Livevault Corporation Systems and methods for backing up data files
US6625623B1 (en) * 1999-12-16 2003-09-23 Livevault Corporation Systems and methods for backing up data files
US6460055B1 (en) * 1999-12-16 2002-10-01 Livevault Corporation Systems and methods for backing up data files
US6779003B1 (en) * 1999-12-16 2004-08-17 Livevault Corporation Systems and methods for backing up data files
US20030037020A1 (en) * 2000-02-22 2003-02-20 Lars Novak Method and apparatus for synchronizing databases of portable devices without change logs
US6839564B2 (en) * 2001-04-25 2005-01-04 Nokia Corporation Synchronization of database data
US7076736B2 (en) * 2001-07-31 2006-07-11 Thebrain Technologies Corp. Method and apparatus for sharing many thought databases among many clients
US7143117B2 (en) * 2003-09-25 2006-11-28 International Business Machines Corporation Method, system, and program for data synchronization by determining whether a first identifier for a portion of data at a first source and a second identifier for a portion of corresponding data at a second source match

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5613012A (en) * 1994-11-28 1997-03-18 Smarttouch, Llc. Tokenless identification system for authorization of electronic transactions and electronic transmissions
US5892900A (en) * 1996-08-30 1999-04-06 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002021791A2 (en) * 2000-09-08 2002-03-14 M-Systems Flash Disk Pioneers Ltd. Internet switch
WO2002021791A3 (en) * 2000-09-08 2002-05-16 Milsys Ltd Internet switch
WO2003030464A1 (en) * 2001-09-29 2003-04-10 Huawei Technologies Co., Ltd. A method for pc client security authentication
US7418727B2 (en) 2001-09-29 2008-08-26 Huawei Technologies Co., Ltd Method for PC client security authentication
KR100587158B1 (en) 2004-10-28 2006-06-08 에스케이 텔레콤주식회사 Method And Apparatus For Automatically Authentication at Wireless Internet
US11212290B1 (en) 2005-04-21 2021-12-28 Seven Networks, Llc Multiple data store authentication
US11295360B1 (en) 2005-04-21 2022-04-05 Seven Networks, Llc Multiple data store authentication
US11430029B1 (en) 2005-04-21 2022-08-30 Seven Networks, Llc Multiple data store authentication
US11651400B1 (en) 2005-04-21 2023-05-16 Seven Networks, Llc Multiple data store authentication
US11694241B1 (en) 2005-04-21 2023-07-04 Seven Networks, Llc Multiple data store authentication
US11861525B1 (en) 2005-04-21 2024-01-02 Seven Networks, Llc Multiple data store authentication
US11915281B1 (en) 2005-04-21 2024-02-27 Seven Networks, Llc Multiple data store authentication
US8775214B2 (en) 2006-07-19 2014-07-08 Thompson Reuters (Market) LLC Management method and system for a user

Also Published As

Publication number Publication date
JP2003527672A (en) 2003-09-16
AU7089100A (en) 2001-04-30
EP1244998A1 (en) 2002-10-02
US7039656B1 (en) 2006-05-02

Similar Documents

Publication Publication Date Title
EP1244998A1 (en) Method and apparatus for providing secure authentication of portable devices through internet host servers
US7082532B1 (en) Method and system for providing distributed web server authentication
US6629246B1 (en) Single sign-on for a network system that includes multiple separately-controlled restricted access resources
US5586260A (en) Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
US6895511B1 (en) Method and apparatus providing for internet protocol address authentication
JP4782986B2 (en) Single sign-on on the Internet using public key cryptography
TWI322609B (en) System and method for authenticating clients in a client-server environment
US6643782B1 (en) Method for providing single step log-on access to a differentiated computer network
US6199114B1 (en) Initiating a user session at an internet terminal using a smart card
JP4867663B2 (en) Network communication system
US8484316B2 (en) Methods and apparatus for providing access to content
US20090094383A1 (en) User Enrollment in an E-Community
US20030065956A1 (en) Challenge-response data communication protocol
US20040205243A1 (en) System and a method for managing digital identities
JP2005527909A (en) User authentication method and system using e-mail address and hardware information
EP1440359A2 (en) User access control to distributed resources on a data communications network
JP2005538434A (en) Method and system for user-based authentication in a federated environment
CN1823513A (en) Method and system for stepping up to certificate-based authentication without breaking an existing ssl session
WO2002006964A1 (en) Method and apparatus for a secure remote access system
CA2451313A1 (en) Systems and methods for controlling access to a public data network from a visited access provider
US6611916B1 (en) Method of authenticating membership for providing access to a secure environment by authenticating membership to an associated secure environment
US20040083296A1 (en) Apparatus and method for controlling user access
EP2286567A1 (en) Authentication of sessions between mobile clients and a server
EP1039724A2 (en) Method and apparatus providing for internet protocol address authentication
KR20030060658A (en) Method and System of Automatically Authenticating Web Site using Log in Information of Operating System

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase

Ref country code: JP

Ref document number: 2001 532477

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: 2000959599

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWP Wipo information: published in national office

Ref document number: 2000959599

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2000959599

Country of ref document: EP