Trusted third party authentication for web services

US 20060206932A1
Filed: 03/14/2005
Published: 09/14/2006
Est. Priority Date: 03/14/2005
Status: Active Grant

First Claim

Patent Images

1. At a computer system, a method of authenticating a web services:

component, the method comprising;

an act of sending an authentication request to an authentication service;

an act of receiving an authentication response from the authentication service, the authentication response including two instances of a first symmetric session key for securing communication between the Web services component and an access granting service, the first instance of the first symmetric session key secured for delivery to the Web services client and included in a first proof token, the second instance of the first symmetric session key encrypted with a secret symmetric key of the security token service and included in a token granting token;

an act of sending an access request for access to a Web service to the access granting service, the access request including the token granting token; and

an act of receiving an access granting response from the access granting service, the access granting response including two instances of a second symmetric session key for securing communication between the Web services component and the Web service, the first instance of the second symmetric session key being encrypted with the first symmetric session key and included in a second proof token, the second instance of the second symmetric session key being encrypted with a public key from a public/private key pair corresponding to the Web service and included in a service token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to trusted third party authentication for Web services. Web services trust and delegate user authentication responsibility to a trusted third party that acts as an identity provider for the trusting Web services. The trusted third party authenticates users through common authentication mechanisms, such as, for example, username/password and X.509 certificates and uses initial user authentication to bootstrap subsequent secure sessions with Web services. Web services construct user identity context using a service session token issued by the trusted third party and reconstruct security states without having to use a service-side distributed cache.

Citations

20 Claims

1. At a computer system, a method of authenticating a web services:
- component, the method comprising;
  
  an act of sending an authentication request to an authentication service;
  
  an act of receiving an authentication response from the authentication service, the authentication response including two instances of a first symmetric session key for securing communication between the Web services component and an access granting service, the first instance of the first symmetric session key secured for delivery to the Web services client and included in a first proof token, the second instance of the first symmetric session key encrypted with a secret symmetric key of the security token service and included in a token granting token;
  
  an act of sending an access request for access to a Web service to the access granting service, the access request including the token granting token; and
  
  an act of receiving an access granting response from the access granting service, the access granting response including two instances of a second symmetric session key for securing communication between the Web services component and the Web service, the first instance of the second symmetric session key being encrypted with the first symmetric session key and included in a second proof token, the second instance of the second symmetric session key being encrypted with a public key from a public/private key pair corresponding to the Web service and included in a service token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, wherein the act of sending an authentication request to an authentication service comprises an act of sending a username and password to the authentication service.
  - 3. The method as recited in claim 1, wherein the act of sending an authentication request to an authentication service comprises an act of sending a digitally signed X.509 certificate to the authentication service.
  - 4. The method as recited in claim, 1 wherein the act of receiving an authentication response from the authentication service comprises an act of receiving a SOAP message that includes a custom XML token granting token.
  - 5. The method as recited in claim, 1 wherein the act of receiving access granting response from the access granting service comprises an act of receiving a SOAP message that includes a custom XML service token.
  - 6. The method as recited in claim 1, further comprising:
    - an act of sending a security token request to the Web service, the security token request including identity information for the Web services component and the service token;
      
      an act of receiving a security token response from the Web service, the security token response including a security context token and a master symmetric session key for securing communication between the Web services component and the Web service.
  - 7. The method as recited in claim 6, further comprising:
    - an act of deriving one or more derived symmetric session keys from the master symmetric session key; and
      
      an act of sending a service request to the Web service, the service request encrypted using a first derived symmetric session key from among the one or more derived session keys and signed using a second derived symmetric session key from among the one or more derived session keys.
  - 8. The method as recited in claim 7, further comprising:
    - an act of receiving a service response from the Web service, the service response encrypted using a third derived symmetric session key from among the one or more derived session, the service response signed with a digital signature using a fourth derived symmetric session key from among of the one or more derived session keys;
      
      an act of using the third derived symmetric session key to decrypt the service response; and
      
      an act of using the fourth derived symmetric session key to validate the digital signature.

9. At a computer system including a security token service, a method of authenticating a Web services component, the method comprising:
- an act of receiving an authentication request from a Web services component;
  
  an act of validating authentication data contained in the authentication request;
  
  an act of sending an authentication response to the Web services client, the authentication response including two instances of a symmetric session key for securing communication between the Web services component and an access granting service, the first instance of the symmetric session key secured for delivery to the Web services component and included in a first proof token, the second instance of the symmetric session key encrypted with a secret symmetric key of the security token service and included in a token granting token; and
  
  an act of receiving an access request for access to a Web service from the Web services component, the access request including the token granting token;
  
  an act of verifying that the Web service component has an authenticated session to the security token service based on the contents of the token granting token; and
  
  an act of sending an access granting response to the Web service component, the access granting response including two instances of a second symmetric session key for securing communication between the Web services component and the Web service, the first instance of the second symmetric session key being encrypted with the first symmetric session key and including in a second proof token, the second instance of the second symmetric session key being encrypted with a public key from a public/private key pair corresponding to the Web service and included in a service token.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method as recited in claim 9, wherein the act of receiving an authentication request from a Web services component comprises an act of receiving a user name and password from the Web services component.
  - 11. The method as recited in claim 9, wherein the act of receiving an authentication request from a Web services component comprises an act of receiving a signed X.509 certificate from the Web services component.
  - 12. The method as recited in claim 9, wherein the act of sending an authentication response to the Web services client comprises an act of sending a SOAP message that includes a custom XML token granting token.
  - 13. The method as recited in claim 9, wherein the act of sending a an access granting response to the Web service component comprises an act of sending a SOAP message that includes a custom XML service token.

14. At a computer system including a Web service, a method of granting access to the Web service, the method comprising:
- an act of receiving a security token request from a Web service component, the request including a service token that was issued from a security token service, the service token including identity information for the Web service component and an encrypted symmetric session key for securing communication between the Web services client and the Web service, the encrypted symmetric session key being encrypted using the public key from a public/private key pair corresponding to the Web service. an act of decrypting the encrypted symmetric session key with the private key from the public/private key pair;
  
  an act of authorizing the Web service component to access the Web service based on the contents of the service token;
  
  an act of generating a master symmetric session key for securing communication between the Web services client and the Web service;
  
  an act of encrypting the master symmetric session key using the symmetric session key to generate an encrypted master symmetric session key;
  
  an act of including the encrypted master symmetric session key along with a security context token in a security token response; and
  
  an act of sending the security token response to the Web services component such that communication between the Web services component and the Web service can be secured using derived symmetric session keys derived from the master symmetric session key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method as recited in claim 14, wherein the act of receiving a security token request comprises an act of receiving a SOAP message that includes a custom XML service token issued from a trusted third party.
  - 16. The method as recited in claim 14, wherein the act of including the encrypted master symmetric session key along with a security context token in a security token response comprises an act of including an extended security context token in a SOAP message, the extended security context token containing a binary extension such that the Web service can recreate security session state for the Web services client form the binary extension without referring to a distributed service-side cache
  - 17. The method as recited in claim 16, further comprising:
    - an act of an instance of the Web service receiving a Web service request from the Web services client, the Web services request including the extended security context token; and
      
      an act of the instance using the extended security context token to recreate security session state for the Web services client without referring to a distributed service-side cache.
  - 18. The method as recited in claim 14, wherein the an act of sending the security token response to the Web services component comprises an act of sending a SOAP message that includes an extended security context token.
  - 19. The method as recited in claim 14, further comprising:
    - an act of receiving a service request from the Web services component, the service request encrypted using a first derived symmetric session key derived from the master symmetric session key and signed with a digital signature using a second derived symmetric session key derived from the master symmetric session key.
  - 20. The method as recited in claim 19, further comprising:
    - an act of using the first derived symmetric session key to decrypt the service request;
      
      an act of using the second derived symmetric session key to validate the digital signature;
      
      an act of including response data to return to the Web services component in a service response; and
      
      an act of sending the service response to the Web services component, the service response encrypted using a third derived symmetric session key derived from the master symmetric session key and signed with a digital signature using a fourth derived symmetric session key derived from the master symmetric session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chong, Frederick C.

Granted Patent

US 7,900,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/02   based on web technology, e....

Trusted third party authentication for web services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted third party authentication for web services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links