Methods and Apparatus for Delegated Authentication

US 20080313719A1
Filed: 10/31/2007
Published: 12/18/2008
Est. Priority Date: 03/23/2007
Status: Active Grant

First Claim

Patent Images

1. A user authentication method comprising the steps of:

receiving a request from a relying party for delegated authentication information associated with a particular user, the delegated authentication information having the property that the user can be presently authenticated based on such information;

determining a level of trust associated with the relying party; and

providing the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication-delegating service implemented in an authentication server or other processing device is configured to receive a request from a relying party for delegated authentication information associated with a particular user, to determine a level of trust associated with the relying party, and to provide the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information. The delegated authentication information has the property that the user can be presently authenticated based on such information. The delegated authentication information may comprise, for example, at least one value derived from a one-time password or other authentication credential of the particular user. The authentication-delegating service may be graded to provide different types of delegated authentication information based on respective levels of trust that may be associated with relying parties.

144 Citations

23 Claims

1. A user authentication method comprising the steps of:
- receiving a request from a relying party for delegated authentication information associated with a particular user, the delegated authentication information having the property that the user can be presently authenticated based on such information;
  
  determining a level of trust associated with the relying party; and
  
  providing the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the delegated authentication information comprises at least one value derived from an authentication credential of the particular user.
  - 3. The method of claim 2 wherein the at least one value comprises a protected one-time password derived from a one-time password of the particular user.
  - 4. The method of claim 2 wherein the at least one value comprises a doubly protected one-time password derived from a protected one-time password of the particular user.
  - 5. The method of claim 2 wherein the authentication credential comprises at least a portion of at least one password.
  - 6. The method of claim 5 wherein the password comprises a one-time password.
  - 7. The method of claim 1 wherein the step of determining a level of trust associated with the relying party further comprises determining which of a plurality of trust levels is associated with the relying party, the plurality of trust levels corresponding to respective ones of a plurality of different types of delegated authentication information, and the step of providing the delegated authentication information to the relying party further comprises providing delegated authentication information of a particular one of the plurality of different types to the relying party based on the particular one of the plurality of trust levels determined to be associated with the relying party.
  - 8. The method of claim 1 wherein the relying party is not in possession of an authentication credential of the user but is in possession of information derived from the authentication credential of the user.
  - 9. The method of claim 8 wherein the delegated authentication information permits the relying party to authenticate the information derived from the authentication credential of the user.
  - 10. The method of claim 9 wherein the information derived from the authentication credential of the user comprises a message authentication code generated based on at least the authentication credential.
  - 11. The method of claim 9 wherein the information derived from the authentication credential of the user comprises an encryption performed utilizing at least a function of the authentication credential.
  - 12. The method of claim 1 wherein the delegated authentication information comprises one or more seeds utilized to generate an authentication credential of the user.
  - 13. The method of claim 1 further comprising the step of receiving feedback information from the relying party indicative of status of the authentication of the user.
  - 14. The method of claim 13 further comprising the step of updating high watermark information based on the feedback information.
  - 15. A machine-readable storage medium having encoded therein executable instructions, wherein the executable instructions when executed by one or more processing devices implement the steps of the user authentication method of claim 1.

16. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory, said processing device implementing an authentication-delegating service which is configured to receive a request from a relying party for delegated authentication information associated with a particular user, the delegated authentication information having the property that the user can be presently authenticated based on such information;
  
  to determine a level of trust associated with the relying party; and
  
  to provide the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information.
- View Dependent Claims (17, 18)
- - 17. The apparatus of claim 16 wherein said processing device comprises an authentication server.
  - 18. The apparatus of claim 16 wherein the authentication-delegating service comprises a graded authentication-delegating service configured to determine which of a plurality of trust levels is associated with the relying party, the plurality of trust levels corresponding to respective ones of a plurality of different types of delegated authentication information, and to provide delegated authentication information of a particular one of the plurality of different types to the relying party based on the particular one of the plurality of trust levels determined to be associated with the relying party.

19. A method comprising the steps of:
- sending a request from a relying party to an authentication-delegating service for delegated authentication information associated with a particular user;
  
  receiving the delegated authentication information from the authentication-delegating service if the relying party is determined by that service to have a sufficient level of trust associated therewith; and
  
  utilizing the delegated authentication information to establish a key to be shared between the relying party and the user.
- View Dependent Claims (20)
- - 20. The method of claim 19 wherein the user is implicitly authenticated by the relying party based on subsequent correct use of the shared key by the user.

21. A system for authenticating a user, comprising:
- a plurality of processing devices;
  
  a first one of the processing devices implementing a relying party and configured for communication with a second one of the processing devices implementing an authentication-delegating service;
  
  wherein the authentication-delegating service is configured to receive a request from a relying party for delegated authentication information associated with a particular user, the delegated authentication information having the property that the user can be presently authenticated based on such information;
  
  to determine a level of trust associated with the relying party; and
  
  to provide the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information.
- View Dependent Claims (22)
- - 22. The system of claim 21 wherein the authentication-delegating service comprises a graded authentication-delegating service configured to determine which of a plurality of trust levels is associated with the relying party, the plurality of trust levels corresponding to respective ones of a plurality of different types of delegated authentication information, and to provide delegated authentication information of a particular one of the plurality of different types to the relying party based on the particular one of the plurality of trust levels determined to be associated with the relying party.

23. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory, said processing device implementing a relying party configured to send a request to an authentication-delegating service for delegated authentication information associated with a particular user, the delegated authentication information having the property that the user can be presently authenticated based on such information;
  
  to receive the delegated authentication information from the authentication-delegating service if the relying party is determined by that service to have a sufficient level of trust associated therewith; and
  
  to authenticate the user based on the delegated authentication information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Kaliski, Burton S. JR., Nystrom, Magnus

Granted Patent

US 8,413,221 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/0838 using one-time-passwords

Methods and Apparatus for Delegated Authentication

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Apparatus for Delegated Authentication

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links