Method and system for controlling access to a secondary system

US 20070143597A1
Filed: 10/12/2006
Published: 06/21/2007
Est. Priority Date: 12/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access of a user to a secondary system, said user being logged on a user system, a primary system connecting the user system to the secondary system, said method comprising:

receiving first authentication information from the user system;

determining that the first authentication information conforms to protected primary authentication data comprised by the primary system, followed by providing access of the user to the primary system;

after providing access of the user to the primary system, generating a user-specific key from the first authentication information;

deriving second authentication information from protected secondary authentication data comprised by the primary system, said deriving the second authentication information comprising using the user-specific key in conjunction with the protected secondary authentication data; and

providing the second authentication information to the secondary system to enable access of the user to the secondary system, wherein said receiving first authentication information, said determining and providing access, said deriving the second authentication information, and said providing the second authentication information to the secondary system are performed by the primary system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access of a user to a secondary system. The user is logged on a user system. A primary system connects the user system to the secondary system. A first authentication information is received from the user system. After determining that the first authentication information conforms to protected primary authentication data included in the primary system, access of the user to the primary system is provided followed by generation of a user-specific key from the first authentication information. Second authentication information is derived from protected secondary authentication data included in the primary system, by use of the user-specific key in conjunction with the protected secondary authentication data. The second authentication information is provided to the secondary system to enable access of the user to the secondary system.

81 Citations

View as Search Results

35 Claims

1. A method for controlling access of a user to a secondary system, said user being logged on a user system, a primary system connecting the user system to the secondary system, said method comprising:
- receiving first authentication information from the user system;
  
  determining that the first authentication information conforms to protected primary authentication data comprised by the primary system, followed by providing access of the user to the primary system;
  
  after providing access of the user to the primary system, generating a user-specific key from the first authentication information;
  
  deriving second authentication information from protected secondary authentication data comprised by the primary system, said deriving the second authentication information comprising using the user-specific key in conjunction with the protected secondary authentication data; and
  
  providing the second authentication information to the secondary system to enable access of the user to the secondary system, wherein said receiving first authentication information, said determining and providing access, said deriving the second authentication information, and said providing the second authentication information to the secondary system are performed by the primary system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first authentication information is a password of the user, wherein said determining that the first authentication information conforms to the protected primary authentication data comprises determining that a first one way encryption of the password is equal to the protected primary authentication data, and wherein said generating the user-specific key is implemented by performing a second one way encryption of the password to generate the user-specific key.
  - 3. The method of claim 2, wherein the second one way encryption of the password differs from the first one way encryption of the password.
  - 4. The method of claim 1, wherein the first authentication information is an encryption of user-specific data pertaining to the user by use of a private key of the user, wherein said determining that the first authentication information conforms to the protected primary authentication data comprises decrypting the first authentication information by use of a public key that is associated with the private key followed by determining that the decrypted first authentication information is equal to the protected primary authentication data, and wherein said generating the user-specific key comprises setting the user-specific key equal to the encryption of the user-specific data by the private key.
  - 5. The method of claim 4, wherein the user-specific data is a random string.
  - 6. The method of claim 1, wherein the primary system comprises an application, said application comprising a portal through which the secondary system may be accessed from the user system after access of the user to the secondary system has been enabled via said providing the second authentication information to secondary system.
  - 7. The method of claim 1, wherein said deriving the second authentication information comprises performing a decryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 8. The method of claim 1, wherein said deriving the second authentication information comprises performing a two way encryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 9. The method of claim 1, wherein the method further comprises:
    - responsive to the user logging off the primary system, deleting the user-specific key and the secondary authentication information.
  - 10. The method of claim 1, wherein the method further comprises:
    - receiving second secondary authentication information from the user;
      
      generating second protected secondary authentication data by two-way encryption of the second secondary authentication information by use of the user-specific key; and
      
      replacing the protected secondary authentication data by the second protected secondary authentication data.
  - 11. The method of claim 1, wherein the method further comprises:
    - after the user has accessed the primary system in response to said determining that the first authentication information conforms to the protected primary authentication data, receiving a request from the user to change the protected primary authentication data;
      
      requesting second primary authentication information from the user;
      
      transforming the second primary authentication information into second protected primary authentication data;
      
      replacing the protected primary authentication data by the second protected primary authentication data;
      
      generating second secondary authentication data by two-way encrypting the secondary authentication information by use of the second primary authentication information; and
      
      replacing the secondary authentication data by the second secondary authentication data.
  - 12. The method of claim 1, wherein the method further comprises storing the user-specific key on the primary system.
  - 13. The method of claim 1, wherein the primary system comprises a credential store, and wherein the credential store comprises the protected primary authentication data and the protected secondary authentication data.

14. A computer program product comprising computer executable instructions for performing a method for controlling access of a user to a secondary system, said user being logged on a user system, a primary system connecting the user system to the secondary system, said method comprising:
- receiving first authentication information from the user system;
  
  determining that the first authentication information conforms to protected primary authentication data comprised by the primary system, followed by providing access of the user to the primary system;
  
  after providing access of the user to the primary system, generating a user-specific key from the first authentication information;
  
  deriving second authentication information from protected secondary authentication data comprised by the primary system, said deriving the second authentication information comprising using the user-specific key in conjunction with the protected secondary authentication data; and
  
  providing the second authentication information to the secondary system to enable access of the user to the secondary system, wherein said receiving first authentication information, said determining and providing access, said deriving the second authentication information, and said providing the second authentication information to the secondary system are performed by the primary system.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The computer program product of claim 14, wherein the first authentication information is a password of the user, wherein said determining that the first authentication information conforms to the protected primary authentication data comprises determining that a first one way encryption of the password is equal to the protected primary authentication data, and wherein said generating the user-specific key is implemented by performing a second one way encryption of the password to generate the user-specific key.
  - 16. The computer program product of claim 15, wherein the second one way encryption of the password differs from the first one way encryption of the password.
  - 17. The computer program product of claim 14, wherein the first authentication information is an encryption of user-specific data pertaining to the user by use of a private key of the user, wherein said determining that the first authentication information conforms to the protected primary authentication data comprises decrypting the first authentication information by use of a public key that is associated with the private key followed by determining that the decrypted first authentication information is equal to the protected primary authentication data, and wherein said generating the user-specific key comprises setting the user-specific key equal to the encryption of the user-specific data by the private key.
  - 18. The computer program product of claim 17, wherein the user-specific data is a random string.
  - 19. The computer program product of claim 14, wherein the primary system comprises an application, said application comprising a portal through which the secondary system may be accessed from the user system after access of the user to the secondary system has been enabled via said providing the second authentication information to secondary system.
  - 20. The computer program product of claim 14, wherein said deriving the second authentication information comprises performing a decryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 21. The computer program product of claim 14, wherein said deriving the second authentication information comprises performing a two way encryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 22. The computer program product of claim 14, wherein the method further comprises:
    - responsive to the user logging off the primary system, deleting the user-specific key and the secondary authentication information.
  - 23. The computer program product of claim 14, wherein the method further comprises:
    - receiving second secondary authentication information from the user;
      
      generating second protected secondary authentication data by two-way encryption of the second secondary authentication information by use of the user-specific key; and
      
      replacing the protected secondary authentication data by the second protected secondary authentication data.
  - 24. The computer program product of claim 14, wherein the method further comprises:
    - after the user has accessed the primary system in response to said determining that the first authentication information conforms to the protected primary authentication data, receiving a request from the user to change the protected primary authentication data;
      
      requesting second primary authentication information from the user;
      
      transforming the second primary authentication information into second protected primary authentication data;
      
      replacing the protected primary authentication data by the second protected primary authentication data;
      
      generating second secondary authentication data by two-way encrypting the secondary authentication information by use of the second primary authentication information; and
      
      replacing the secondary authentication data by the second secondary authentication data.

25. A primary system comprising a processor and a computer program product, said computer program product comprising computer executable instructions that when executed by the processor perform a method for controlling access of a user to a secondary system when the user is logged on a user system subject to the primary system connecting the user system to the secondary system, said method comprising:
- receiving first authentication information from the user system;
  
  determining that the first authentication information conforms to protected primary authentication data comprised by the primary system, followed by providing access of the user to the primary system;
  
  after providing access of the user to the primary system, generating a user-specific key from the first authentication information;
  
  deriving second authentication information from protected secondary authentication data comprised by the primary system, said deriving the second authentication information comprising using the user-specific key in conjunction with the protected secondary authentication data; and
  
  providing the second authentication information to the secondary system to enable access of the user to the secondary system.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The primary system of claim 25, wherein the first authentication information is a password of the user, wherein said determining that the first authentication information conforms to the protected primary authentication data comprises determining that a first one way encryption of the password is equal to the protected primary authentication data, and wherein said generating the user-specific key is implemented by performing a second one way encryption of the password to generate the user-specific key.
  - 27. The primary system of claim 26, wherein the second one way encryption of the password differs from the first one way encryption of the password.
  - 28. The primary system of claim 25, wherein the first authentication information is an encryption of user-specific data pertaining to the user by use of a private key of the user, wherein said determining that the first authentication information conforms to the protected primary authentication data comprises decrypting the first authentication information by use of a public key that is associated with the private key followed by determining that the decrypted first authentication information is equal to the protected primary authentication data, and wherein said generating the user-specific key comprises setting the user-specific key equal to the encryption of the user-specific data by the private key.
  - 29. The primary system of claim 28, wherein the user-specific data is a random string.
  - 30. The primary system of claim 25, wherein the primary system comprises an application, said application comprising a portal through which the secondary system may be accessed from the user system after access of the user to the secondary system has been enabled via said providing the second authentication information to secondary system.
  - 31. The primary system of claim 25, wherein said deriving the second authentication information comprises performing a decryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 32. The primary system of claim 25, wherein said deriving the second authentication information comprises performing a two way encryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 33. The primary system of claim 25, wherein the method further comprises:
    - responsive to the user logging off the primary system, deleting the user-specific key and the secondary authentication information.
  - 34. The primary system of claim 25, wherein the method further comprises:
    - receiving second secondary authentication information from the user;
      
      generating second protected secondary authentication data by two-way encryption of the second secondary authentication information by use of the user-specific key; and
      
      replacing the protected secondary authentication data by the second protected secondary authentication data.
  - 35. The primary system of claim 25, wherein the method further comprises:
    - after the user has accessed the primary system in response to said determining that the first authentication information conforms to the protected primary authentication data, receiving a request from the user to change the protected primary authentication data;
      
      requesting second primary authentication information from the user;
      
      transforming the second primary authentication information into second protected primary authentication data;
      
      replacing the protected primary authentication data by the second protected primary authentication data;
      
      generating second secondary authentication data by two-way encrypting the secondary authentication information by use of the second primary authentication information; and
      
      replacing the secondary authentication data by the second secondary authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feil, Stephan

Granted Patent

US 8,230,487 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/159
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3271   using challenge-response

Method and system for controlling access to a secondary system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for controlling access to a secondary system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links