Proxy Authentication and Indirect Certificate Chaining

US 20070245414A1
Filed: 04/14/2006
Published: 10/18/2007
Est. Priority Date: 04/14/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving, at a proxy server, a communication from a client configured to cause the proxy server to perform tasks on the client'"'"'s behalf;

submitting a request to an authentication server on behalf of the client; and

caching, at the proxy server, one or more security tokens received from the authentication server in response to the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of proxy authentication and indirect certificate chaining are described herein. In an implementation, authentication for a client occurs via a proxy service. Proxy service communicates between client and server, and caches security tokens on behalf of the client. In an implementation, trustworthiness of certificate presented to a client to establish trust is determined utilizing a signed data package which incorporates a plurality of known certificates. The presented certificate is verified without utilizing root certificates installed on the client device.

Citations

20 Claims

1. A method comprising:
- receiving, at a proxy server, a communication from a client configured to cause the proxy server to perform tasks on the client'"'"'s behalf;
  
  submitting a request to an authentication server on behalf of the client; and
  
  caching, at the proxy server, one or more security tokens received from the authentication server in response to the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1 further comprising presenting one said security token to a corresponding service provider at the client'"'"'s request to permit the client to access services of the service provider.
  - 3. A method as recited in claim 1 wherein at least one said security token is an authentication token configured to prove the client'"'"'s identity at the authentication server.
  - 4. A method as recited in claim 3 wherein the authentication token is presented by the proxy server to the authentication server in order to obtain additional security tokens.
  - 5. A method as recited in claim 1 wherein the proxy server is configured to route messages between the client and authentication server having encrypted portions which the proxy server is unable to understand.
  - 6. A method as recited in claim 1 further comprising indicating to the client that one or more security tokens received from the authentication server have been cached on the proxy server.
  - 7. A method as recited in claim 1 wherein the client is configured as a mobile device selected from the group consisting of:
    - a cell phone a personal digital assistant;
      
      a hand held computing device;
      
      a gaming device; and
      
      a laptop computer.

8. A method comprising:
- maintaining, on behalf of a client on a proxy server remote from the client, one or more security tokens configured to prove an identity of the client and received from an authentication service; and
  
  upon request from the client, presenting one said security token on the client'"'"'s behalf to permit the client to access to corresponding services.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as recited in claim 8, wherein the one said security token is a service token configured to proof identity of the client at a corresponding service provider.
  - 10. The method as recited in claim 8, wherein the one said token is an authentication token configured to proof identity of the client at the authentication service to receive one or more service token to be cached at the proxy server.
  - 11. The method as recited in claim 8 wherein the authentication token is a limited discretionary access token (LDAT) limiting the service tokens which may be obtained using the LDAT.
  - 12. The method as recited in claim 11, wherein the service tokens which may be obtained using the LDAT are limited based upon the type of client.
  - 13. The method as recited in claim 8, wherein the one said security token may be presented to access services without inputting of user credentials.

14. A method comprising:
- receiving at a client a certificate via a network presented by a party to establish trust;
  
  determining whether the received certificate corresponds to a known certificate maintained in a signed data package; and
  
  establishing trust in the party based on the determination.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method as recited in claim 14 wherein if the received certificate corresponds to a known certificate, the party presenting the received certificate is trusted.
  - 16. The method recited in claim 14, wherein the trustworthiness of the received certificate is established without utilizing a root certificate installed on the client.
  - 17. The method recited in claim 14 further comprising extracting information from the received certificate identifying an issuer certificate corresponding to the received certificate, wherein the determining includes using the extracted information to determine if the issuer certificate matches a good certificate contained in the signed data package.
  - 18. The method recited in claim 14, wherein the determining is performed via a certificate store maintaining one or more known certificate in one or more signed data packages.
  - 19. The method recited in claim 18, wherein the certificate store is located on the client.
  - 20. The method recited in claim 14 wherein the signed data package is selected from the group consisting of:
    - a dynamic link library (DLL);
      
      a portion of code; and
      
      a binary large object (blob)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rouskov, Yordan, Huang, Lin, Jiang, Wei, Chow, Colin, Chow, Trevin, Chan, Kok, Wong, Pui-Yin, Jain, Naresh, Paya, Ismail, Hurst, Ryan

Application Number

US11/279,869
Publication Number

US 20070245414A1
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

H04L 9/3234   involving additional secure...

H04L 9/3265   using certificate chains, t...

Proxy Authentication and Indirect Certificate Chaining

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Proxy Authentication and Indirect Certificate Chaining

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links