Controlling exposure of sensitive data and operation using process bound security tokens in cloud computing environment

US 10,341,109 B2
Filed: 06/12/2017
Issued: 07/02/2019
Est. Priority Date: 01/21/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;

endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and

responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;

determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;

looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;

endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and

forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;

thereby binding the plurality of request messages together through endorsement by the downstream server process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request. A receiving server accepts a request if (1) the token-owning process endorses the request by signing the request; (2) the token is valid (token is signed by its issuer and the digital signature is verified and unexpired); (3) user entity, which can be a real user or a deployment or a server process, that is represented by the token has the authorization to access the specified resources; and (4) the token-owning process is authorized to endorse the user entity represented by the token to access the specified resources.

28 Citations

15 Claims

1. A method comprising:
- receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
  
  endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
  
  responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
  
  determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
  
  looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
  
  endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
  
  forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
  
  thereby binding the plurality of request messages together through endorsement by the downstream server process.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as set forth in claim 1 wherein a source of the request comprises a user device.
  - 3. The method as set forth in claim 1 wherein a source of the request comprises a user process.
  - 4. The method as set forth in claim 3 wherein a second attached security token comprises an identification of the owning process.
  - 5. The method as set forth in claim 1 wherein the attached security token is signed, by the downstream server process, using a cryptographic key.
  - 6. The method as set forth in claim 5 further comprising responsive to one or more security verifications of the endorsed second or more request, performing by the targeted server a requested access, usage of a resource, or performance of a service according to the second request.
  - 7. The method as set forth in claim 6 further comprising:
    - responsive to results generation by the access, usage, or service performance, receiving the results from the targeted server to the downstream server server process with the user token attached;
      
      detaching, by the downstream server process, the user token from the results;
      
      forwarding, by the downstream server process, to the source of the second or more request the results and the single sign-on cookie.

8. A computer program product comprising:
- a computer-readable storage memory which is not a propagating signal per se; and
  
  program instructions embodied by the computer-readable storage memory which cause one or more processors to, when executed, perform the steps comprising;
  
  receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
  
  endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
  
  responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
  
  determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
  
  looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
  
  endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
  
  forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
  
  thereby binding the plurality of request messages together through endorsement by the downstream server process.
- View Dependent Claims (9, 10, 11)
- - 9. The computer program product as set forth in claim 8 wherein a source of the request comprises a user device.
  - 10. The computer program product as set forth in claim 8 wherein the source of a request comprises a user process.
  - 11. The computer program product as set forth in claim 10 wherein a second security token comprises an identification of the owning process.

12. A system comprising:
- a computing system having one or more processors;
  
  a computer-readable storage memory which is not a propagating signal per se; and
  
  program instructions embodied by the computer-readable storage memory which cause the one or more processors to, when executed, perform the steps comprising;
  
  receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
  
  endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
  
  responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
  
  determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
  
  looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
  
  endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
  
  forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
  
  thereby binding the plurality of request messages together through endorsement by the downstream server process.
- View Dependent Claims (13, 14, 15)
- - 13. The system as set forth in claim 12 wherein a source of the request comprises a user device.
  - 14. The system as set forth in claim 12 wherein the source of a request comprises a user process.
  - 15. The system as set forth in claim 14 wherein a second security token comprises an identification of the owning process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chang, John Y-C., Chao, Ching-Yun, Chiu, Bertrand Be-Chung, Park, Ki H.
Primary Examiner(s)
Turchen, James R

Application Number

US15/620,660
Publication Number

US 20170279610A1
Time in Patent Office

750 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 65/61   for supporting one-way stre...

H04L 67/01   Protocols

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

Controlling exposure of sensitive data and operation using process bound security tokens in cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling exposure of sensitive data and operation using process bound security tokens in cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links