Methods and arrangements for protecting information in forwarded authentication messages

US 20020150253A1
Filed: 04/12/2001
Published: 10/17/2002
Est. Priority Date: 04/12/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for use in protecting information in forwarded authentication messages, the method comprising:

encoding data using an encryption key;

encoding the encryption key using at least one other encryption key; and

encapsulating the resulting encoded data and the encoded encryption key in a forwarded authentication message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and arrangements are provided to selectively control access to the authentication information or portions thereof. The methods and arrangements are based on a scheme wherein the authentication information further includes specially encoded portions that can only be decoded by selected server-based services/processes. One method for use in protecting information in forwarded authentication messages includes encoding the selected data using an encryption key, then encoding the encryption key itself, using at least one other encryption key that only certain selected servers/services have access to, and then encapsulating the resulting encoded data and the encoded encryption key in an authentication message. This and other methods are particularly applicable to Kerberos and other like authentication arrangements.

Citations

17 Claims

1. A method for use in protecting information in forwarded authentication messages, the method comprising:
- encoding data using an encryption key;
  
  encoding the encryption key using at least one other encryption key; and
  
  encapsulating the resulting encoded data and the encoded encryption key in a forwarded authentication message.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1, further comprising encoding the encryption key a plurality of times using a plurality of other encryption keys, and further encapsulating the resulting encoded encryption keys in the authentication message.
  - 3. The method as recited in claim 1, wherein the authentication message includes a Kerberos ticket.
  - 4. The method as recited in claim 3, wherein the data includes authorization data within the Kerberos ticket.
  - 5. The method as recited in claim 1, further comprising:
    - providing the authentication message to a service;
      
      providing the at least one other encryption key to the service;
      
      causing the service to decode the encoded encryption key using the at least one other encryption key; and
      
      causing the service to decode the encoded data using the resulting decoded encryption key.

6. A computer-readable medium for use in protecting information in forwarded authentication messages, the computer-readable medium having computer-executable instructions for performing acts comprising:
- using an encryption key to encode data;
  
  using at least one other encryption key to encode the encryption key;
  
  including the resulting encoded data in at least one authentication message; and
  
  including the encoded encryption key in at least one authentication message.
- View Dependent Claims (7, 8, 9, 10, 11, 13, 14, 15, 16)
- - 7. The computer-readable medium as recited in claim 6, wherein including the resulting encoded data in at least one authentication message and including the encoded encryption key in at least one authentication message, cause the resulting encoded data and the encoded encryption key to be included in the same authentication message.
  - 8. The computer-readable medium as recited in claim 6, further comprising computer-executable instructions for encoding the encryption key a plurality of times using a plurality of other encryption keys, and further encapsulating the resulting encoded encryption keys in at least one authentication message.
  - 9. The computer-readable medium as recited in claim 6, wherein the authentication message includes a Kerberos ticket.
  - 10. The computer-readable medium as recited in claim 9, wherein the data includes authorization data within the Kerberos ticket.
  - 11. The computer-readable medium as recited in claim 6, further comprising computer-executable instructions for:
    - providing the authentication message to a service;
      
      providing the at least one other encryption key to the service;
      
      causing the service to decode the encoded encryption key using the at least one other encryption key; and
      
      causing the service to decode the encoded data using the resulting decoded encryption key.
  - 13. The apparatus as recited in claim 12, wherein the logic is further configured to encode the encryption key a plurality of times using a plurality of other encryption keys, and further encapsulate the resulting encoded encryption keys in the authentication message.
  - 14. The apparatus as recited in claim 12, wherein the authentication message includes a Kerberos ticket.
  - 15. The apparatus as recited in claim 14, wherein the data includes authorization data within the Kerberos ticket.
  - 16. The apparatus as recited in claim 12, further comprising a least one service operatively coupled to receive the authentication message from the logic, and configured to decode the encoded encryption key using the at least one other encryption key and decode the encoded data using the resulting decoded encryption key.

12. An apparatus for use in protecting information in forwarded authentication messages, the apparatus comprising logic configured to encode data using an encryption key, encode the encryption key using at least one other encryption key, and encapsulate the resulting encoded data and the encoded encryption key in an authentication message.

17. A computer-readable medium having stored thereon an authentication message, comprising:
- encoded data; and
  
  at least one encoded encryption key operatively associated with at least a portion of the encoded data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Brezak, John E., Ward, Richard B.

Application Number

US09/834,704
Publication Number

US 20020150253A1
Time in Patent Office

Days
Field of Search
US Class Current

380/281
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

Methods and arrangements for protecting information in forwarded authentication messages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and arrangements for protecting information in forwarded authentication messages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links