Identity authentication migration between different authentication systems

US 10,412,077 B2
Filed: 03/21/2016
Issued: 09/10/2019
Est. Priority Date: 03/21/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

validating a digital program code signature received with an authentication request which includes a security credential for a first identity, wherein the authentication request indicates a first system that uses a first cryptographic technology to authenticate the first identity based on the security credential;

validating a security token also received with the authentication request, wherein the security token represents a trust relationship between an intermediary that received the authentication request and a requestor of the authentication request;

storing the security credential after validation of the authentication request based, at least in part, on the validating of the digital program code signature and the security token;

communicating the authentication request to the first system after storing the security credential;

in response to receipt of a successful authentication response from the first system for the first identity based on the security credential, generating a migrate request to update a credential store of a second system that uses a second cryptographic technology with the security credential and the first identity, wherein the migrate request includes the security credential; and

communicating the migrate request to the second system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary can securely migrate a security credential between systems despite different underlying encoding technologies used for authentication by the system. This intermediary can also securely migrate an identity between different authentication technologies. A secure login interface program code that is digitally signed by the intermediary is provided in advance to devices that will source authentication requests. The interface program code is at least secure because it has been digitally signed by the intermediary. An instance of the secure interface program code directs authentication requests entered into the interface instance to the intermediary, which is at least identified by the digital signature. After a successful authentication by a destination system identified by the authentication request, the intermediary can migrate the authenticated security credential to a migration target.

Citations

20 Claims

1. A method comprising:
- validating a digital program code signature received with an authentication request which includes a security credential for a first identity, wherein the authentication request indicates a first system that uses a first cryptographic technology to authenticate the first identity based on the security credential;
  
  validating a security token also received with the authentication request, wherein the security token represents a trust relationship between an intermediary that received the authentication request and a requestor of the authentication request;
  
  storing the security credential after validation of the authentication request based, at least in part, on the validating of the digital program code signature and the security token;
  
  communicating the authentication request to the first system after storing the security credential;
  
  in response to receipt of a successful authentication response from the first system for the first identity based on the security credential, generating a migrate request to update a credential store of a second system that uses a second cryptographic technology with the security credential and the first identity, wherein the migrate request includes the security credential; and
  
  communicating the migrate request to the second system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising communicating the authentication response to the requestor.
  - 3. The method of claim 1, wherein the first cryptographic technology used to encode security credentials for authentication of identities and the second cryptographic technology used to encode security credentials and authenticate identities are different.
  - 4. The method of claim 1 further comprising providing login interface program code to a set of one or more devices before receipt of the authentication request, wherein the login interface program code is signed with the digital program code signature and the set of one or more devices includes a first device which hosts the requestor of the authentication request.
  - 5. The method of claim 1 further comprising determining whether the security credential is to be migrated to the second system based, at least in part, on the authentication response.
  - 6. The method of claim 1 further comprising deleting the security credential either after communicating the migrate request to the second system or in response to receipt of a failed authentication response for the authentication request.
  - 7. The method of claim 1 further comprising extracting the authentication request from a secured request generated with login interface program code previously provided to the requestor, wherein the secured request includes the digital program code signature and the security token as well as the authentication request.
  - 8. The method of claim 1 further comprising discarding the authentication request in response to a determination that either the security token or the digital program code signature fails validation.

9. One or more non-transitory machine-readable media comprising program code for authentication migration, the program code to:
- validate a digital program code signature received with an authentication request which includes a security credential for a first identity, wherein the authentication request corresponds to a first authentication technology;
  
  validate a security token also received with the authentication request, wherein the security token represents a trust relationship between a device that received the authentication request and a requestor of the authentication request;
  
  communicate the authentication request to a first system that will authenticate the first identity with the security credential after successful validation of the digital program code signature and the security token; and
  
  in response to receipt of an authentication response that indicates successful authentication of the first identity and that indicates the first identity is to be migrated to a second authentication technology,obtain security data that will be used by the second authentication technology to authenticate the first identity; and
  
  migrate the first identity and the obtained security data to the second authentication technology, wherein the second authentication technology will authenticate the first identity based, at least in part, on the obtained security data.
- View Dependent Claims (10, 11)
- - 10. The one or more non-transitory machine-readable media of claim 9, wherein the program code to obtain the security data comprises the program code to interact with a secure login interface corresponding to the authentication request to obtain the security data for the first identity, wherein the secure login interface is an instance of previously deployed program code signed with the digital program code signature.
  - 11. The one or more non-transitory machine-readable media of claim 9 further comprising program code to generate the security token based on information that represents the trust relationship and to communicate the security token to the requestor.

12. An apparatus comprising:
- a processor; and
  
  a non-transitory machine-readable medium comprising program code executable by the processor to cause the apparatus to,validate a digital program code signature received with an authentication request which includes a security credential for a first identity;
  
  validate a security token also received with the authentication request, wherein the security token represents a trust relationship between the apparatus and a requestor of the authentication request;
  
  store the security credential for possible migration after validation of the authentication request based, at least in part, on validation of the digital program code signature and the security token;
  
  communicate the authentication request for authentication of the first identity after the security credential has been stored; and
  
  in response to receipt of a successful authentication response for the first identity and an indication of migration, migrate at least one of the first identity and the security credential to a different authentication system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, wherein the program code to migrate comprises the program code executable by the processor unit to cause the apparatus to generate an update request to update the different authentication system to process subsequent authentication requests for the first identity.
  - 14. The apparatus of claim 13, wherein the non-transitory machine-readable medium further comprises program code executable by the processor unit to cause the apparatus to obtain security data to be used by the different authentication system to authenticate the first identity in response to receipt of the successful authentication response.
  - 15. The apparatus of claim 14, wherein the program code to migrate comprises program code to generate and communicate an update request to the different authentication system, wherein the update request comprises the security credential and an indication of the first identity.
  - 16. The apparatus of claim 12, wherein the non-transitory machine-readable medium further comprises program code executable by the processor to cause the apparatus to provide login interface program code to a set of one or more devices before receipt of the authentication request, wherein the login interface program code is signed with the digital program code signature and the set of one or more devices includes a first device which hosts the requestor.
  - 17. The apparatus of claim 12, wherein the non-transitory machine-readable medium further comprises program code executable by the processor to cause the apparatus to determine whether an authentication response indicates whether a migration is to be performed for at least one of an identity and a security credential corresponding to the authentication response.
  - 18. The apparatus of claim 17, wherein the non-transitory machine-readable medium further comprises program code executable by the processor to cause the apparatus to delete the security credential either after the migration or in response to receipt of a failed authentication response for the authentication request.
  - 19. The apparatus of claim 12, wherein the non-transitory machine-readable medium further comprises program code executable by the processor to cause the apparatus to extract the authentication request from a secured request generated with login interface program code previously provided to the requestor, wherein the secured request includes the digital program code signature and the security token as well as the authentication request.
  - 20. The apparatus of claim 12, wherein the non-transitory machine-readable medium further comprises program code executable by the processor to cause the apparatus to discard the authentication request in response to a determination the authentication request cannot be validated based on the security token and the digital program code signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Kumar, Nikhil
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Nguy, Chi D

Application Number

US15/076,241
Publication Number

US 20170272419A1
Time in Patent Office

1,268 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/119   Details of migration of fil...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

Identity authentication migration between different authentication systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity authentication migration between different authentication systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links