METHOD AND A SERVER FOR PROCESSING A REQUEST FROM A TERMINAL TO ACCESS A COMPUTER RESOURCE

US 20140380048A1
Filed: 06/24/2014
Published: 12/25/2014
Est. Priority Date: 06/25/2013
Status: Active Grant

First Claim

Patent Images

1. A processing method for processing an access request from a terminal of a user to a computer resource made available to a client entity by a platform of a cloud computer service supplier, said method being for performing by an authentication and authorization module of a server situated between the terminal and the platform, said authentication and authorization module being dedicated to said client entity, said processing method comprising, on the access request being received by the server:

authenticating the user with the help of at least a first authentication parameter for authenticating the user with the server;

verifying that the user is authorized to access the computer resource via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are obtained by said authentication and authorization module for said client entity; and

if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform;

orelse rejecting the access request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment disclosed herein is a method of processing a request made by a terminal of a user to access a resource made available to a client entity by a platform of a cloud computer service supplier.

31 Citations

View as Search Results

21 Claims

1. A processing method for processing an access request from a terminal of a user to a computer resource made available to a client entity by a platform of a cloud computer service supplier, said method being for performing by an authentication and authorization module of a server situated between the terminal and the platform, said authentication and authorization module being dedicated to said client entity, said processing method comprising, on the access request being received by the server:
- authenticating the user with the help of at least a first authentication parameter for authenticating the user with the server;
  
  verifying that the user is authorized to access the computer resource via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are obtained by said authentication and authorization module for said client entity; and
  
  if the user is authorized to access the computer resource, sending to the platform a request derived from the access request on the basis of at least one second authentication parameter for authenticating the client entity with the platform;
  
  orelse rejecting the access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20, 21)
- - 2. A processing method according to claim 1, wherein the verification process further comprises obtaining information about the availability of the computer resource coming from the platform.
  - 3. A processing method according to claim 1, wherein:
    - said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server, or a private and public key pair held respectively by the terminal and the server;
      
      the access request from the terminal includes first authentication data for authenticating the terminal with the server generated from at least a portion of the access request and/or from an identifier of the user with the help of a said first encryption key held by the terminal; and
      
      the authentication process comprises decrypting the first authentication data with the help of a said first encryption key held by the server.
  - 4. A processing method according to claim 1, wherein:
    - said at least second authentication parameter comprises at least a second encryption key comprising a secret key held by the server and by the platform, or a private and public key pair held respectively by the server and by the platform; and
      
      the request derived from the access request from the terminal includes second authentication data for authenticating the entity with the platform as generated from at least a portion of the access request and/or of an identifier of the client entity with the help of a said second encryption key held by the server.
  - 5. A processing method according to claim 3, wherein:
    - said at least one second authentication parameter for authenticating the entity comprises at least a second encryption key comprising a secret key held by the terminal and by the platform, or a private and public key pair held respectively by the terminal and by the platform;
      
      the access request from the terminal further includes second authentication data for authenticating the entity as generated from at least a portion of the access request and/or from an identifier of said client entity with the help of a said second encryption key (held by the terminal; and
      
      the request derived from the access request from the terminal includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
  - 6. A processing method according to claim 5, wherein:
    - said second authentication data is incorporated in said third authentication data;
      
      orsaid third authentication data is generated with the help of said third encryption key from said at least one portion of the access request and/or from the identifier used to generate said second signature.
  - 7. A processing method according to claim 3, wherein said authentication data comprises or is digital signatures.
  - 8. A processing method according to claim 1, wherein the request derived from the access request from the terminal further includes information representative of the user authentication and verification processes being successful.
  - 9. A supply method for supplying access to a computer resource made available to a client entity by a platform of a cloud computer service supplier, said method being for performing by said service supplier platform and comprising:
    - receiving a request derived by a server from an access request from a terminal of a user made to said computer resource and resulting from executing the access request processing method according to claim 5, said server being situated between the terminal and the platform;
      
      authenticating the client entity with the help of at least one second authentication parameter for authenticating the client entity with the platform and comprising;
      
      decrypting the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
      
      decrypting the second authentication data with the help of a said second encryption key held by the platform; and
      
      supplying the computer resource to the terminal.
  - 10. A supply method according to claim 9, further comprising, before the supply process, verifying that the client entity is authorized to access said computer resource.
  - 11. A computer program including instructions for executing the processing method according to claim 1, when said program is executed by a computer.
  - 12. A non-transitory computer readable data medium having stored thereon a computer program including instructions for executing the processing method according to claim 1.
  - 20. A computer program including instructions for executing the supply method according to claim 9, when said program is executed by a computer.
  - 21. A non-transitory computer readable data medium having stored thereon a computer program including instructions for executing the supply method according to claim 9.

13. A server situated between a terminal of a user and a platform of a cloud computer service supplier for making computer resources available to at least one client entity, said server including at least one authentication and authorization module dedicated to a said client entity and comprising:
- an authentication unit for authenticating the user, which unit is activated on receiving a request from said terminal to access a said computer resource made available to said client entity, said authentication unit being suitable for using at least a first authentication parameter for authenticating the user with the server;
  
  a verification unit suitable for verifying that said user is authorized to access said computer resource via said terminal by applying to said user and to said resource an access control model and an access control policy corresponding to said model, which model and policy are obtained by said verification unit for said client entity;
  
  a sender unit that is activated if the user is authorized to access said computer resource for sending to the platform a request that is derived from the access request on the basis of at least a second authentication parameter for authenticating the client entity with the platform; and
  
  a unit suitable for rejecting the access request if the user is not authorized to access said computer resource.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. A server according to claim 13, wherein said access control model used by said verification entity is derived from a metadata file (describing elements defining said model and a structure of said elements.
  - 15. A server according to claim 13, wherein said authentication and authorization module further comprises an updating unit suitable for detecting a change in said model and/or said access control policy into a new model and/or a new access control policy, and for obtaining said new model and/or said new access control policy in order to use it during the verification process.
  - 16. A server according to claim 13, wherein for each authentication and authorization module:
    - said at least one first authentication parameter comprises at least a first encryption key comprising a secret key held by the terminal and by the server or a private and public key pair held respectively by the terminal and by the server;
      
      said at least one second authentication parameter for authenticating the client entity comprises at least one second encryption key comprising a secret key held by the terminal and by the platform or a private and public key pair held respectively by the terminal and by the platform;
      
      the access request from the terminal includes first authentication data generated from at least a portion of the access request and/or an identifier of the user with the help of a said first encryption key held by the terminal, and second authentication data generated from at least a portion of the access request and/or an identifier of the client entity with the help of a second encryption key held by the terminal;
      
      the authentication unit is suitable for decrypting the first authentication data with the help of a said first encryption key held by the server; and
      
      the derived request includes said second authentication data and third authentication data generated with the help of a third encryption key held by the server.
  - 17. A platform of a computer service supplier making computer resources available to at least one client entity, the platform comprising:
    - a validation module comprising;
      
      a reception unit for receiving a request derived by a server according to claim 16 from an access request from a terminal of a user requesting access to a said computer resource made available to said client entity, said server being situated between the terminal and the platform; and
      
      a client entity authentication unit comprising;
      
      a component configured to decrypt the third authentication data with the help of an encryption key held by the platform and associated with the third encryption key held by the server; and
      
      a component configured to decrypt the second authentication key with the help of a said second encryption key held by the platform; and
      
      a module for supplying said computer resource to said terminal.
  - 18. A system comprising:
    - a platform of a cloud computer service supplier making computer resources available to at least one client entity; and
      
      according to claim 13, situated between said platform of said service supplier and a terminal from which an access request originates requesting access to a said computer resource made available to said client entity by said platform of the service supplier.
  - 19. A system according to claim 18, wherein the server is in accordance with claim 16 and the platform is in accordance with claim 17.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
He, Ruan, Qian, Xiangjun

Granted Patent

US 9,729,531 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

METHOD AND A SERVER FOR PROCESSING A REQUEST FROM A TERMINAL TO ACCESS A COMPUTER RESOURCE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND A SERVER FOR PROCESSING A REQUEST FROM A TERMINAL TO ACCESS A COMPUTER RESOURCE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links