Controlling Exposure of Sensitive Data and Operation Using Process Bound Security Tokens in Cloud Computing Environment
Abstract
Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request. A receiving server accepts a request if (1) the token-owning process endorses the request by signing the request; (2) the token is valid (token is signed by its issuer and the digital signature is verified and unexpired); (3) user entity, which can be a real user or a deployment or a server process, that is represented by the token has the authorization to access the specified resources; and (4) the token-owning process is authorized to endorse the user entity represented by the token to access the specified resources.
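The four acceptance conditions in the abstract, as an added sketch that is not taken from the patent. HMAC-SHA256 stands in for the issuer and owning-process digital signatures so it runs on the standard library alone; the key table, policy tables and all names are constructed for illustration.

```python
import hashlib, hmac, json, time

# Constructed demo keys, looked up by (process name, key name). HMAC is a
# stand-in for the public-key signatures the abstract describes.
KEYS = {("issuer-A", "k1"): b"issuer-secret", ("frontend", "k1"): b"frontend-secret",
        ("batch", "k1"): b"batch-secret"}
USER_ACL = {"alice": {"/orders"}}                   # assumed policy for condition (3)
ENDORSERS = {"frontend": {("alice", "/orders")}}    # assumed policy for condition (4)

def mac(key, obj):
    msg = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_token(user, owner, issuer="issuer-A", key_name="k1", ttl=300, now=None):
    now = time.time() if now is None else now
    body = {"user": user, "owner": owner, "issuer": issuer,
            "issuer_key": key_name, "exp": now + ttl}
    return {"body": body, "sig": mac(KEYS[(issuer, key_name)], body)}

def endorse(token, resource, owner_key_name="k1"):
    # The token-owning process signs the request that carries the token.
    req = {"resource": resource, "token": token, "owner_key": owner_key_name}
    return {"req": req, "sig": mac(KEYS[(token["body"]["owner"], owner_key_name)], req)}

def accept(signed, now=None):
    """Return (ok, reason) after the four checks listed in the abstract."""
    now = time.time() if now is None else now
    req, tok = signed["req"], signed["req"]["token"]
    body = tok["body"]
    # (1) the request is signed by the process named as the token's owner
    owner_key = KEYS.get((body["owner"], req["owner_key"]))
    if not owner_key or not hmac.compare_digest(signed["sig"], mac(owner_key, req)):
        return False, "request not endorsed by owning process"
    # (2) token signed by its issuer (key found by issuer name + key name), unexpired
    issuer_key = KEYS.get((body["issuer"], body["issuer_key"]))
    if not issuer_key or not hmac.compare_digest(tok["sig"], mac(issuer_key, body)):
        return False, "bad issuer signature"
    if body["exp"] <= now:
        return False, "token expired"
    # (3) the user entity the token represents may access the resource
    if req["resource"] not in USER_ACL.get(body["user"], set()):
        return False, "user not authorized"
    # (4) the owning process may endorse this user for this resource
    if (body["user"], req["resource"]) not in ENDORSERS.get(body["owner"], set()):
        return False, "owner may not endorse user"
    return True, "ok"
```

Because check (1) looks up the key of the process named inside the issuer-signed token, a valid token presented by any other process fails before the user's authorization is even consulted.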
12 Claims
1. A method for controlling exposure of sensitive data and using process bound security tokens comprising:
- representing a service requester using one or more security tokens containing a user identity, one or more user credentials, an identity of a token issuer, and an identity of the owning process;
- responsive to requesting services and subsequent authenticating to a server process, issuing the one or more security tokens including an issuer key name which indicates a key which was used to sign the security token;
- responsive to receiving the security token, using an issuer process name and the issuer key name to uniquely identify a public key needed to verify a token issuer digital signature; and
- responsive to verifying the token issuer digital signature, granting access to a requested process or server resource to the requesting service.

Dependent claims: 2, 3, 4
5. A method for controlling exposure of sensitive data and using process bound security tokens comprising:
- receiving by a server process a set of user authentication credentials a request to access or communicate to a server;
- creating and signing with a token issuer cryptographic key a first security token that is owned by the first server;
- sending to a downstream server the signed first token and the request endorsed by the server by digitally signing the request message;
- endorsing the request by the downstream server by attaching a second security token representing the downstream server that is signed by a token issuer cryptographic key;
- sending the endorsed request to a targeted server;
- responsive to one or more security verifications of the endorsed request, issuing by the targeted server a user token;
- returning the user token to the server process; and
- the server process storing and associating the user token with a single sign-on token; and
- sending the single sign-on token to the source of the request.

Dependent claims: 6, 7, 8, 9, 10, 11, 12
Specification