CONTROLLING ACCESS
First Claim
1. A method comprising:
- receiving in an apparatus an access request to an account in the apparatus;
- creating, in response to the access request, a challenge;
- forwarding the challenge;
- receiving a signed token relating to the challenge;
- checking whether or not the token is signed by a centralized entity that is verifiable by the apparatus and authorized to provide signing services for the account;
- if the token is signed by the centralized entity, checking whether a first response in the token corresponds to a response the apparatus expects to receive for the challenge; and
- if yes, checking whether the access enabling data indicates that a further input from a user is required or the token is an access token itself;
- if the token is an access token itself, granting the access;
- if the further input is required:
  - prompting the user for credentials;
  - receiving credentials via a user interface;
  - checking whether the received credentials correspond to credentials in the access enabling data;
  - if yes, granting the access to the account.
Abstract
To provide access to an account in an apparatus in response to a request to the account, the apparatus creates and forwards a challenge for this request and waits for a token signed by a centralized signing entity for the account, the token comprising access enabling data. When such a token is received, the apparatus validates the token, and only if the validation succeeds, enables access to the account.
21 Claims
1. (Independent claim 1, set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 17, 18.
7. A method comprising:
- authenticating and authorizing by a first apparatus a user for an account allowing access to a signing service request service;
- receiving a challenge;
- authenticating and authorizing the first apparatus with a centralized entity providing signing services;
- establishing a secured communication channel between the first apparatus and the centralized entity;
- forming a signing request including at least the challenge;
- sending the signing request to the centralized entity over the channel;
- receiving in the first apparatus a signed token from the centralized entity, the signed token comprising at least access enabling data for another account in a second apparatus; and
- forwarding the signed token to the second apparatus.

Dependent claims: 8, 9, 10.
11. A method comprising:
- providing a centralized entity for signing services;
- authenticating and authorizing, by the centralized entity, a first apparatus;
- establishing a secure communication channel between the first apparatus and the centralized entity;
- receiving in the centralized entity from the first apparatus a signing request containing a challenge, the signing request indicating that it is for obtaining access enabling data to an account in a second apparatus;
- generating by the centralized entity access enabling data;
- calculating by the centralized entity a response to the challenge;
- forming by the centralized entity a token comprising at least the access enabling data and the challenge;
- signing by the centralized entity the token; and
- sending the signed token over the secure communication channel to the first apparatus.

Dependent claims: 12, 13, 14, 15, 16.
19. A system, comprising:
- a first apparatus, including a first processor and a first memory including first computer code, the at least one memory and first computer code configured to, with the at least one processor, cause the first apparatus to:
  - receive an access request to an account in the first apparatus;
  - create, in response to the access request, a challenge;
  - forward the challenge;
  - receive a signed token relating to the challenge;
  - check whether or not the token is signed by a centralized entity that is verifiable by the apparatus and authorized to provide signing services for the account;
  - if the token is signed by the centralized entity, check whether a first response in the token corresponds to a response the apparatus expects to receive for the challenge; and
  - if yes, check whether the access enabling data indicates that a further input from a user is required or the token is an access token itself;
  - if the token is an access token itself, grant the access;
  - if the further input is required: prompt the user for credentials; receive credentials via a user interface; check whether the received credentials correspond to credentials in the access enabling data; if yes, grant the access to the account;
- a second apparatus, including a second processor and a second memory including second computer program code, said second memory and second computer program code configured to, with the second processor, cause the second apparatus to:
  - authenticate and authorize by the first apparatus a user for an account allowing access to a signing service request service;
  - receive a challenge;
  - authenticate and authorize the first apparatus with a centralized entity providing signing services;
  - establish a secured communication channel between the first apparatus and the centralized entity;
  - form a signing request including at least the challenge;
  - send the signing request to the centralized entity over the channel;
  - receive in the first apparatus a signed token from the centralized entity, the signed token comprising at least access enabling data for another account in a second apparatus; and
  - forward the signed token to the second apparatus;
- a third apparatus, including a third processor and a third memory including third computer program code, said third memory and third computer program code configured to, with the third processor, cause the third apparatus to:
  - provide a centralized entity for signing services;
  - authenticate and authorize, by the centralized entity, the first apparatus;
  - establish a secure communication channel between the first apparatus and the centralized entity;
  - receive in the centralized entity from the first apparatus a signing request containing a challenge, the signing request indicating that it is for obtaining access enabling data to an account in the second apparatus;
  - generate by the centralized entity access enabling data;
  - calculate by the centralized entity a response to the challenge;
  - form by the centralized entity a token comprising at least the access enabling data and the challenge;
  - sign by the centralized entity the token; and
  - send the signed token over the secure communication channel to the first apparatus;
- a fourth apparatus, including a root certificate issuance service, the fourth apparatus being configured to provide the third apparatus with information needed for signing tokens;
- wherein the second apparatus is connectable at least to the third apparatus, the third apparatus is connectable to the second apparatus and to the fourth apparatus, and the first apparatus is not directly connectable to the third and fourth apparatus.

Dependent claims: 20, 21.
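Added example, not from the patent: a Python sketch of the token-forming step of claim 11 on the centralized entity and the ordered validation of claim 1 on the apparatus (signer authorized for the account, signature, challenge response, then access enabling data deciding whether the user is still prompted). HMAC-SHA256 as the signature, the response construction and the trust-store layout are assumptions, since the claims leave them unspecified.

```python
import hmac, hashlib, json, secrets

# Constructed trust store: the centralized entities the apparatus can verify and the
# accounts each may sign for. HMAC-SHA256 stands in for the unspecified signature scheme.
SIGNER_KEYS = {"central-signer-1": b"constructed-signing-key"}
SIGNER_ACCOUNTS = {"central-signer-1": {"alice@device"}}

def create_challenge():
    """Apparatus: one fresh, unpredictable challenge per access request."""
    return secrets.token_hex(16)

def challenge_response(challenge, account):
    """Response both sides derive from the challenge (assumed construction)."""
    return hashlib.sha256(f"{challenge}|{account}".encode()).hexdigest()

def _sign(body, key):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_token(signer, challenge, account, credential=None):
    """Centralized entity (claim 11): form and sign the token. A credential hash
    in the access enabling data marks that the user must still be prompted."""
    body = {"signer": signer, "account": account, "challenge": challenge,
            "response": challenge_response(challenge, account),
            "access_enabling_data": {
                "further_input_required": credential is not None,
                "credential_hash": hashlib.sha256(credential.encode()).hexdigest()
                if credential is not None else None}}
    return {"body": body, "signature": _sign(body, SIGNER_KEYS[signer])}

def validate_token(token, challenge, account, prompt=lambda: None):
    """Apparatus (claim 1): signer, signature, challenge response and access
    enabling data are checked in order; `prompt` runs only when input is required."""
    body = token["body"]
    key = SIGNER_KEYS.get(body.get("signer"))
    if key is None or account not in SIGNER_ACCOUNTS.get(body.get("signer"), ()):
        return "denied: signer not verifiable or not authorized for this account"
    if not hmac.compare_digest(_sign(body, key), token["signature"]):
        return "denied: signature check failed"
    if body["challenge"] != challenge or not hmac.compare_digest(
            body["response"], challenge_response(challenge, account)):
        return "denied: response does not match the issued challenge"
    aed = body["access_enabling_data"]
    if not aed["further_input_required"]:
        return "granted"                     # the token is the access token itself
    supplied = prompt()                      # credentials received via the UI
    if supplied is not None and hmac.compare_digest(
            hashlib.sha256(supplied.encode()).hexdigest(), aed["credential_hash"]):
        return "granted"
    return "denied: credentials do not match the access enabling data"
```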