Method and system for public-key-based secure authentication to distributed legacy applications

US 20020144108A1
Filed: 03/29/2001
Published: 10/03/2002
Est. Priority Date: 03/29/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for an authentication process within a distributed data processing system, the method comprising:

receiving an attribute certificate from a client at a host within the distributed data processing system;

extracting encrypted authentication data from the attribute certificate, wherein the encrypted authentication data was generated by encrypting authentication data with a public key associated with the host;

decrypting the encrypted authentication data to regenerate the authentication data using a private key associated with the host; and

forwarding the authentication data to a controlled resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a system, an apparatus, and a computer program product are presented for an authentication process. A host application or system within a distributed data processing system supports one or more controlled resources, such as a legacy application, that requires the receipt of authentication data prior to allowing a user to have access to the controlled resource. The required authentication data is encrypted using the public key of the host system, and an attribute certificate containing the encrypted authentication data is generated by an attribute-certificate-issuing authority. When a user of a client application or system requires access to the controlled resource, the attribute certificate is sent to the host, which decrypts the authentication data with its private key prior to forwarding the authentication data to the controlled resource. The controlled resource then authenticates a user based on the provided authentication data.

Citations

35 Claims

1. A method for an authentication process within a distributed data processing system, the method comprising:
- receiving an attribute certificate from a client at a host within the distributed data processing system;
  
  extracting encrypted authentication data from the attribute certificate, wherein the encrypted authentication data was generated by encrypting authentication data with a public key associated with the host;
  
  decrypting the encrypted authentication data to regenerate the authentication data using a private key associated with the host; and
  
  forwarding the authentication data to a controlled resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the controlled resource is a legacy application.
  - 3. The method of claim 1 wherein the authentication data comprises a user identity and a password.
  - 4. The method of claim 1 further comprising:
    - authenticating the client for access to the controlled resource based on the authentication data.
  - 5. The method of claim 1, wherein the attribute certificate contains multiple sets of authentication data for multiple hosts, the method further comprising:
    - parsing the authentication data to retrieve a specific set of authentication data for the host.
  - 6. The method of claim 1 wherein the authentication data contains multiple sets of authentication parameters for multiple controlled resources, the method further comprising:
    - parsing the authentication data to retrieve a specific set of authentication data for the controlled resource.
  - 7. The method of claim 1 wherein the attribute certificate and the public key certificate are formatted according to an X.509 standard.

8. A method for generating a digital certificate, the method comprising:
- receiving, at an attribute-certificate-issuing authority, a request for an attribute certificate from a client;
  
  generating the attribute certificate in response to the received request for an attribute certificate, wherein the attribute certificate comprises encrypted authentication data that was generated by encrypting authentication data for a controlled resource at a host with a public key associated with the host; and
  
  sending the generated attribute certificate to the client.
- View Dependent Claims (9)
- - 9. The method of claim 8 wherein the controlled resource is a legacy application.

10. A method for obtaining a digital certificate, the method comprising:
- retrieving a public key certificate associated with a host within a distributed data processing system;
  
  extracting a public key associated with the host from the public key certificate;
  
  encrypting with the public key authentication data for a controlled resource at the host;
  
  generating a request for an attribute certificate;
  
  storing the encrypted authentication data within the request for the attribute certificate;
  
  sending the request for the attribute certificate to an attribute-certificate-issuing authority; and
  
  receiving an attribute certificate from the attribute-certificate-issuing authority, wherein the attribute certificate comprises the encrypted authentication data.
- View Dependent Claims (11, 13, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10 wherein the controlled resource is a legacy application.
  - 13. The data structure of claim 12 wherein the controlled resource is a legacy application.
  - 15. The apparatus of claim 14 wherein the controlled resource is a legacy application.
  - 16. The apparatus of claim 14 wherein the authentication data comprises a user identity and a password.
  - 17. The apparatus of claim 14 further comprising:
    - authenticating means for authenticating the client for access to the controlled resource based on the authentication data.
  - 18. The apparatus of claim 14, wherein the attribute certificate contains multiple sets of authentication data for multiple hosts, the apparatus further comprising:
    - first parsing means for parsing the authentication data to retrieve a specific set of authentication data for the host.
  - 19. The apparatus of claim 14 wherein the authentication data contains multiple sets of authentication parameters for multiple controlled resources, the apparatus further comprising:
    - second parsing means for parsing the authentication data to retrieve a specific set of authentication data for the controlled resource.
  - 20. The apparatus of claim 14 wherein the attribute certificate and the public key certificate are formatted according to an X.509 standard.

12. A data structure representing an attribute certificate for use in a data processing system, the data structure comprising:
- an issuer name;
  
  a signature;
  
  a holder name;
  
  an attribute containing encrypted authentication data that was generated by encrypting authentication data for a controlled resource at a host with a public key associated with the host.

14. An apparatus for performing an authentication process within a distributed data processing system, the apparatus comprising:
- receiving means for receiving an attribute certificate from a client at a host within the distributed data processing system;
  
  extracting means for extracting encrypted authentication data from the attribute certificate, wherein the encrypted authentication data was generated by encrypting authentication data with a public key associated with the host;
  
  decrypting means for decrypting the encrypted authentication data to regenerate the authentication data using a private key associated with the host; and
  
  forwarding means for forwarding the authentication data to a controlled resource.

21. An apparatus for generating a digital certificate, the apparatus comprising:
- receiving means for receiving, at an attribute-certificate-issuing authority, a request for an attribute certificate from a client;
  
  generating means for generating the attribute certificate in response to the received request for an attribute certificate, wherein the attribute certificate comprises encrypted authentication data that was generated by encrypting authentication data for a controlled resource at a host with a public key associated with the host; and
  
  sending means for sending the generated attribute certificate to the client.
- View Dependent Claims (22, 24, 26, 27, 28, 29, 30, 31)
- - 22. The apparatus of claim 21 wherein the controlled resource is a legacy application.
  - 24. The apparatus of claim 23 wherein the controlled resource is a legacy application.
  - 26. The computer program product of claim 25 wherein the controlled resource is a legacy application.
  - 27. The computer program product of claim 25 wherein the authentication data comprises a user identity and a password.
  - 28. The computer program product of claim 25 further comprising:
    - instructions for authenticating the client for access to the controlled resource based on the authentication data.
  - 29. The computer program product of claim 25, wherein the attribute certificate contains multiple sets of authentication data for multiple hosts, the computer program product further comprising:
    - instructions for parsing the authentication data to retrieve a specific set of authentication data for the host.
  - 30. The computer program product of claim 25 wherein the authentication data contains multiple sets of authentication parameters for multiple controlled resources, the computer program product further comprising:
    - instructions for parsing the authentication data to retrieve a specific set of authentication data for the controlled resource.
  - 31. The computer program product of claim 25 wherein the attribute certificate and the public key certificate are formatted according to an X.509 standard.

23. An apparatus for obtaining a digital certificate, the apparatus comprising:
- retrieving means for retrieving a public key certificate associated with a host within a distributed data processing system;
  
  extracting means for extracting a public key associated with the host from the public key certificate;
  
  encrypting means for encrypting with the public key authentication data for a controlled resource at the host;
  
  generating means for generating a request for an attribute certificate;
  
  storing means for storing the encrypted authentication data within the request for the attribute certificate;
  
  sending means for sending the request for the attribute certificate to an attribute-certificate-issuing authority; and
  
  receiving means for receiving an attribute certificate from the attribute-certificate-issuing authority, wherein the attribute certificate comprises the encrypted authentication data.

25. A computer program product in a computer readable medium for use in a distributed data processing system for performing an authentication process, the computer program product comprising:
- instructions for receiving an attribute certificate from a client at a host within the distributed data processing system;
  
  instructions for extracting encrypted authentication data from the attribute certificate, wherein the encrypted authentication data was generated by encrypting authentication data with a public key associated with the host;
  
  instructions for decrypting the encrypted authentication data to regenerate the authentication data using a private key associated with the host; and
  
  instructions for forwarding the authentication data to a controlled resource.

32. A computer program product in a computer readable medium for use in a data processing system for generating a digital certificate, the computer program product comprising:
- instructions for receiving, at an attribute-certificate-issuing authority, a request for an attribute certificate from a client;
  
  instructions for generating the attribute certificate in response to the received request for an attribute certificate, wherein the attribute certificate comprises encrypted authentication data that was generated by encrypting authentication data for a controlled resource at a host with a public key associated with the host; and
  
  instructions for sending the generated attribute certificate to the client.
- View Dependent Claims (33, 35)
- - 33. The computer program product of claim 32 wherein the controlled resource is a legacy application.
  - 35. The computer program product of claim 34 wherein the controlled resource is a legacy application.

34. A computer program product in a computer readable medium for use in a data processing system for obtaining a digital certificate, the computer program product comprising:
- instructions for retrieving a public key certificate associated with a host within a distributed data processing system;
  
  instructions for extracting a public key associated with the host from the public key certificate;
  
  instructions for encrypting with the public key authentication data for a controlled resource at the host;
  
  instructions for generating a request for an attribute certificate;
  
  instructions for storing the encrypted authentication data within the request for the attribute certificate;
  
  instructions for sending the request for the attribute certificate to an attribute-certificate-issuing authority; and
  
  instructions for receiving an attribute certificate from the attribute-certificate-issuing authority, wherein the attribute certificate comprises the encrypted authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Benantar, Messaoud

Application Number

US09/821,079
Publication Number

US 20020144108A1
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 9/3263   involving certificates, e.g...

Method and system for public-key-based secure authentication to distributed legacy applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for public-key-based secure authentication to distributed legacy applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links