The present invention is directed to an efficient authentication method, apparatus, and/or system for primary and secondary servers and, more specifically, to an efficient authentication system for obtaining access to at least one secondary server without using a user account database.
One known basic authentication method for obtaining access to a software application and/or server is based on usernames and passwords being compared to entries stored in a user account database. At login, the user provides a username and a password. For purposes of this disclosure, the username and password are any two variables (e.g. numbers, letters, and/or characters) or strings of variables associated with the user. For example, the username could be selected by the user, could be assigned to the user, or could be a determinable variable (e.g. an e-mail address, a social security number, a phone number, a birth date, or coordinates). Similarly, the password could be selected by the user, could be assigned to the user, or could be a determinable variable (e.g. an e-mail address, a social security number, a phone number, a birth date, or coordinates). The username and password are sent to the server. The server permits the login if the password matches the password stored in the user account database for the specified username.
Another known authentication method for obtaining access to a software application and/or server adds a hashing element. A hash (also called a “message digest”) is an output code (e.g. a string of numbers, letters, and/or characters) generated from input data (e.g. a password or code that may include a string of numbers, letters, and/or characters). The hashed output code is of fixed length regardless of the size of the input data, and is generated by a formula in such a way that it is extremely unlikely that some other input will produce the same hashed output code. A hash algorithm (or function) is a reproducible method that turns input data (e.g. a password or code) into an output code that may serve as a digital “fingerprint” of the input data. The hash algorithm changes (e.g. substitutes, transposes, calculates, and/or generates) the input data to create such fingerprints. In one known method, a hash algorithm is performed using a one-way cryptographic algorithm (i.e. the input data cannot practically be recovered from the output code), a hash key (a parameter to the algorithm), and an ephemeral datum (e.g. the current time). Cryptographic hash algorithms add security properties so that the hashed output codes are suitable for use as a primitive in various information security applications, such as authentication. In a hash authentication method, the passwords are the input data that are hashed and stored in a user account database as hashed output codes. At login, the user inputs a username and a password. Using a hash algorithm, the password is hashed, preferably on the user's client device (e.g. computer), into a hashed output code (the hashed password). The username and the hashed password are sent to the server. The server permits the login if the received hashed password matches the hashed password stored in the user account database for this username. One advantage of a hash authentication method is increased security.
A hacker who monitors the data stream to the server, or who compromises the server database, will not be able to read the user's password directly. Further, the database administrator will not be able to discover the user's password even if he has the hashed output code. Two limits of this advantage should be noted. First, if the hashed password itself is what the server compares, a hacker who captures it from the data stream can replay it to log in without ever learning the password; mixing a hash key and an ephemeral datum (e.g. the current time) into the hash, as in the method described above, ties the transmitted value to a time window and defeats simple replay. Second, a hashed output code of a short or common password can still be recovered by hashing candidate passwords and comparing, so the strength of the password remains important.
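The following is an added example, not code from the patent or from any product it describes. It implements the two known methods just described over a constructed user account database: the basic method (the server stores and compares the hashed password sent by the client) and the keyed, ephemeral variant (the stored hash acts as the hash key and the current time as the ephemeral datum). The choice of SHA-256, the HMAC construction, the `username:time` message layout, and the 30-second freshness window are assumptions made for illustration; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import time

# Assumption: the account database stores a hex SHA-256 of the password.
def hash_password(password: str) -> str:
    """One-way hash of the password; this is what the user account database stores."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_account_db(credentials: dict) -> dict:
    """Provision the user account database that the known methods require (constructed data)."""
    return {username: hash_password(password) for username, password in credentials.items()}


def client_login(username: str, password: str) -> tuple:
    """Client side of the hash authentication method: hash locally, send username and hash."""
    return username, hash_password(password)


def server_login(db: dict, username: str, hashed_password: str) -> bool:
    """Server side: permit login if the received hash matches the stored hash for this username."""
    stored = db.get(username)
    if stored is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, hashed_password)


# Keyed plus ephemeral variant: the stored hash is the hash key and the current time
# is the ephemeral datum, so the value on the wire is only valid within a time window.
WINDOW_SECONDS = 30  # assumption: how much clock skew / delay the server tolerates


def _keyed_tag(key_hex: str, username: str, sent_time: int) -> str:
    message = f"{username}:{sent_time}".encode("utf-8")
    return hmac.new(key_hex.encode("utf-8"), message, hashlib.sha256).hexdigest()


def client_login_ephemeral(username: str, password: str, now=None) -> tuple:
    """Client sends (username, time, tag); the password hash never leaves the client."""
    now = int(time.time()) if now is None else int(now)
    return username, now, _keyed_tag(hash_password(password), username, now)


def server_login_ephemeral(db: dict, username: str, sent_time: int, tag: str, now=None) -> bool:
    """Server recomputes the tag from its stored hash and rejects stale or unknown logins."""
    now = int(time.time()) if now is None else int(now)
    stored = db.get(username)
    if stored is None or abs(now - int(sent_time)) > WINDOW_SECONDS:
        return False
    return hmac.compare_digest(_keyed_tag(stored, username, int(sent_time)), tag)


if __name__ == "__main__":
    db = make_account_db({"alice": "correct horse battery staple"})  # constructed account
    captured = client_login("alice", "correct horse battery staple")
    print("genuine login:", server_login(db, *captured))
    # Whoever observed `captured` on the wire can replay it verbatim.
    print("replayed hash accepted:", server_login(db, *captured))
    u, t, tag = client_login_ephemeral("alice", "correct horse battery staple", now=1_000_000)
    print("fresh keyed login:", server_login_ephemeral(db, u, t, tag, now=1_000_010))
    print("stale keyed login:", server_login_ephemeral(db, u, t, tag, now=1_000_100))
```

Running the script shows the point of the caveat: the plain hashed password is accepted again when replayed, while the keyed, time-bound tag is refused once the window has passed. Within the window a replayed tag would still be accepted, so a server that needs stronger protection must also remember recently used tags or use a server-chosen nonce instead of the clock.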
One limitation of known authentication methods (e.g. the “basic authentication method” and the “hash authentication method”) is that there has to be a database of user accounts (e.g. usernames and passwords, or usernames and hashed passwords). In many applications and/or systems, provisioning this user account database is acceptable. Other applications and/or systems can leverage an existing user account database, such as one accessed through LDAP (Lightweight Directory Access Protocol). For some applications and/or systems, however, it is not desirable to provision a separate user account database. For example, when adding voice servers to existing applications like games, social networks, or collaboration platforms, it is not desirable to provision a separate user account database. One reason is that the voice server is provided as a service by a separate entity (e.g. company) from the game developer or the provider of the social network or collaboration platform, and providing a copy of the user account database to a separate entity may present security issues. Another reason is space (e.g. memory) constraints on the voice server. Yet another reason is the bandwidth cost that arises when a massive amount of account data is transmitted and kept synchronized between systems.