Authentication delegation based on re-verification of cryptographic evidence

US 20080134311A1
Filed: 12/01/2006
Published: 06/05/2008
Est. Priority Date: 12/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method of authentication delegation between a client/user accessing service provider through a gateway, the method comprising the steps of:

performing a TLS handshake with client authentication between the client/user and the gateway;

recording at least a sufficient portion of messages of the TLS handshake to prove that the client/user authenticated to the gateway; and

providing the recording to the service provider.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.

206 Citations

20 Claims

1. A method of authentication delegation between a client/user accessing service provider through a gateway, the method comprising the steps of:
- performing a TLS handshake with client authentication between the client/user and the gateway;
  
  recording at least a sufficient portion of messages of the TLS handshake to prove that the client/user authenticated to the gateway; and
  
  providing the recording to the service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the service provider is not involved in the authentication between the client/user and the gateway.
  - 3. The method of claim 1, wherein said providing step provides the recording directly from the gateway to the service provider.
  - 4. The method of claim 1, wherein said recording step records all of the messages in the TLS handshake up to and including the certificate verify message.
  - 5. The method of claim 1, further comprising the step of embedding time-related data in messages in the TLS handshake.
  - 6. The method of claim 5, wherein the client/user embeds the time-related data.
  - 7. The method of claim 5, wherein the gateway embeds the time-related data.
  - 8. The method of claim 1, further comprising the step of embedding a nonce provided by the service provider in a message from the gateway to the client/user as part of the TLS handshake.
  - 9. The method of claim 1, wherein the service provider maintains a memory of all received recordings and confirms that a same recording is not used more than once.
  - 10. The method of claim 1, wherein the step of performing a TLS handshake further comprises:
    - performing a first handshake without client authentication; and
      
      upon successful completion of said performing a first handshake, performing a second handshake with client authentication.
  - 11. The method of claim 10, wherein said second handshake between the client/user and gateway is encrypted by a session key derived from said first handshake.
  - 12. The method of claim 11, wherein the recording provided to the service provider is unencrypted.

13. A method of granting access to a service on an end server using authentication delegation, the method comprising:
- receiving a request at the end server to gain access to a service requested by a user;
  
  receiving a recording of at least a portion of a TLS handshake with client authentication performed between the user and the gateway/middle server at the end server; and
  
  utilizing the portion of the TLS handshake to re-verify the TLS handshake and confirm the identity of the user.

14. A method of authentication delegation between a client/user accessing a service provider through a gateway, wherein the gateway performs the method comprising:
- performing a TLS handshake with client authentication between the client/user and the gateway;
  
  recording at least a sufficient portion of messages of the TLS handshake to prove that the client/user authenticated to the gateway;
  
  providing the recording to the third party entity;
  
  receiving user credentials from the third party entity upon confirmation by the third party entity of the validity of the recording; and
  
  authenticating the user to the service provider with the user credentials.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the third party entity is a Certificate Authority.
  - 16. The method of claim 15, wherein the step of receiving user credentials comprises receiving a temporal certificate and associated private key.
  - 17. The method of claim 15, wherein the step of authenticating the user to the service provider is performed using Kerberos with PKINIT.
  - 18. The method of claim 14, wherein the third party entity is a KDC and wherein said step of receiving user credentials comprises receiving a Kerberos service ticket from the KDC.
  - 19. The method of claim 14, wherein the third party entity resides together with the gateway in a single device.
  - 20. The method of claim 14, wherein the step of performing a TLS handshake further comprises:
    - performing a first handshake without client authentication; and
      
      upon successful completion of said performing a first handshake, performing a second handshake with client authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Teplitsky, Alexander, Neystadt, John, Nice, Nir, Medvinsky, Gennady, Shiran, Tomer, Leach, Paul

Granted Patent

US 9,055,107 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2115   Third party

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

Authentication delegation based on re-verification of cryptographic evidence

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Authentication delegation based on re-verification of cryptographic evidence

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others