METHOD AND SYSTEM FOR TOKEN RECYCLING

US 20080209224A1
Filed: 02/28/2007
Published: 08/28/2008
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method of recycling a locked token in an enterprise having an enterprise security client (ESC) including a token interface and a security server, the locked token locked in accordance with a security operation including a response to a failed authentication attempt, the method comprising:

establishing a secure connection between the locked token and the security server;

activating a security process in the security server to determine an identity of an authorized user of the locked token; and

activating an unlock procedure to unlock the locked token upon receipt of an out-of-band parameter associated with a requester of the unlock procedure to produce an unlocked token,wherein the out-of-band parameter is provided by the requester of the unlock procedure in an independent communication to an enterprise agent associated with the security server so as to verify that the requester is the authorized user of the locked token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide for recycling a locked token in an enterprise. A secure connection can be established between a locked token and a server and a security process activated to determine an identity of an authorized user of the locked token. An unlock procedure can be activated to unlock the locked token upon receipt of an out-of-band parameter associated with a requester of the unlock procedure to produce an unlocked token. The out-of-band parameter can be provided by the requester of the unlock procedure in an independent communication to an enterprise agent associated with the security server so as to verify that the requester is the authorized user of the locked token. A password reset process associated with a new password for the unlocked token can be activated to provide an assigned password or a password entered by the requester.

103 Citations

View as Search Results

19 Claims

1. A method of recycling a locked token in an enterprise having an enterprise security client (ESC) including a token interface and a security server, the locked token locked in accordance with a security operation including a response to a failed authentication attempt, the method comprising:
- establishing a secure connection between the locked token and the security server;
  
  activating a security process in the security server to determine an identity of an authorized user of the locked token; and
  
  activating an unlock procedure to unlock the locked token upon receipt of an out-of-band parameter associated with a requester of the unlock procedure to produce an unlocked token,wherein the out-of-band parameter is provided by the requester of the unlock procedure in an independent communication to an enterprise agent associated with the security server so as to verify that the requester is the authorized user of the locked token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising activating a password reset process in the ESC after the locked token is unlocked, the password reset process associated with a new password for the unlocked token, wherein the new password includes one of an assigned password and a password entered by the requester of the unlock procedure.
  - 3. The method of claim 1, wherein the unlock procedure includes mutually authenticating, in the security server and the locked token, a security parameter independently stored with the locked token and the security server.
  - 4. The method of claim 1, wherein the unlock procedure includes mutually authenticating, in the security server and the locked token, a security parameter independently stored with the locked token and the security server, and the method further comprises updating the token with a new password based on the receipt of the out-of-band parameter.
  - 5. The method of claim 1, wherein the token includes one of a universal serial bus (USB) token and a smartcard.
  - 6. An apparatus configured to perform the method of claim 1.
  - 7. A computer readable medium comprising computer executable instructions for performing the method of claim 1.

8. A security server in an enterprise computer system for recycling a locked token, the enterprise computer system including at least an enterprise security client (ESC) and a token interface, the security server comprising:
- a communication interface;
  
  a data store; and
  
  a processor coupled to the communication interface and the data store, the processor configured to;
  
  establish a secure channel between the security server and the locked token over the communication interface to process a request from a requester associated with the ESC to unlock the locked token;
  
  locate a first identity of an owner of the locked token, the first identity stored in the data store with information associated with the locked token; and
  
  unlock the locked token if a flag stored in the data store in association with the information indicates that a second identity of the requester has been independently verified as matching the first identity of the owner of the locked token.
- View Dependent Claims (9, 10)
- - 9. The security server of claim 8, wherein the processor is further configured to store a new password that has been one of selected by the owner of the locked token and assigned by the security processor, in the data store.
  - 10. The security server of claim 8, wherein the processor, in establishing the secure channel, is further configured to mutually authenticate a security parameter independently stored with the locked token and in the data store.

11. An enterprise security client (ESC) in a computer system for facilitating the unlocking of a locked token, the computer system including a security server, the enterprise security client comprising:
- a token interface;
  
  a communication interface; and
  
  a client processor coupled to the token interface and the communication interface, the client processor configured to;
  
  activate a token unlock process associated with the connection of the locked token to the token interface, the activation of the token unlock process associated with a request to the server by a requester to unlock the token; and
  
  facilitate a secure channel established between a server-based authentication process and token unlock process in response to the request to unlock the token,wherein;
  
  the server-based authentication process and the token unlock process mutually authenticate a security parameter independently stored in the locked token and the security server; and
  
  the server-based authentication process unlocks the locked token after independently verifying that an identity of the requester matches an identity of the owner of the locked token stored in the security server.
- View Dependent Claims (12)
- - 12. The enterprise security client of claim 11, wherein the client processor is further configured to update the token with a new password after unlocking the locked token.

13. A computer system for recycling a locked token in an enterprise, the computer system comprising:
- a server;
  
  an enterprise security client (ESC);
  
  a token interface; and
  
  a communication channel connecting the server, the ESC and the token interface, wherein;
  
  a secure communication is established between the locked token and the server through the ESC and the communication channel in response to a request made by a requester to unlock the locked token;
  
  the server and the locked token are configured to mutually authenticate upon successfully validating an authentication credential independently obtained by an enterprise agent, the authentication credential verifying an identity of the requester; and
  
  the locked token is unlocked based on a successful result of the mutual authentication and the validation of the authentication credential.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer system of claim 13, wherein a password reset process is activated in the ESC after the locked token is unlocked and provides a new password for the unlocked token.
  - 15. The computer system of claim 14, wherein the new password includes one of a pre-assigned password and a password entered by the requester of the unlock procedure.
  - 16. The computer system of claim 13, wherein the mutually authenticating includes verifying a security parameter independently stored with the locked token and the server.
  - 17. The computer system of claim 13, wherein authentication credential includes a response to an identify verification question presented on a separate channel established between the enterprise agent and the requester.
  - 18. The computer system of claim 17, wherein the separate channel established between the enterprise agent and the requester includes a telephone channel.
  - 19. The computer system of claim 13, wherein the token includes one of a universal serial bus (USB) token and a smartcard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Lord, Robert

Granted Patent

US 8,832,453 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 21/42   using separate channels for...

G06F 21/604   Tools and structures for ma...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

METHOD AND SYSTEM FOR TOKEN RECYCLING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR TOKEN RECYCLING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links