Method for delegating authorization from one entity to another through the use of session encryption keys

US 5,224,163 A
Filed: 09/28/1990
Issued: 06/29/1993
Est. Priority Date: 09/28/1990
Status: Expired due to Term

First Claim

Patent Images

1. In a distributed computer system, a method for delegating authorization from a user to a workstation for a computing session and of terminating the delegated authorization at the end of the computing session, the method comprising the steps of:

(a) the user initiating a computing session by logging into the computer system through the workstation;

(b) the workstation generating a public and private encryption key pair;

(c) the workstation providing the public encryption key to the user;

(d) the user certifying that the workstation possessing the private encryption key is authorized to speak on the user'"'"'s behalf; and

(e) the workstation erasing the private encryption key to terminate the the computing session.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for delegating authorization from one entity in a distributed computing system to another for a computing session is disclosed wherein a session public/private encryption key pair is utilized for each computing session. The private encryption key is erased to terminate the computing session.

467 Citations

15 Claims

1. In a distributed computer system, a method for delegating authorization from a user to a workstation for a computing session and of terminating the delegated authorization at the end of the computing session, the method comprising the steps of:
- (a) the user initiating a computing session by logging into the computer system through the workstation;
  
  (b) the workstation generating a public and private encryption key pair;
  
  (c) the workstation providing the public encryption key to the user;
  
  (d) the user certifying that the workstation possessing the private encryption key is authorized to speak on the user'"'"'s behalf; and
  
  (e) the workstation erasing the private encryption key to terminate the the computing session.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the public/private key pair is generated by the workstation prior to the user'"'"'s login and step (b) comprises the step of selecting one of the pre-generated pairs.
  - 3. The method of claim 1 wherein the private encryption key is erased at the time the user logs out of the computer system.
  - 4. The method of claim 1 wherein the workstation demonstrates its rights to speak for the user by receiving a challenge from another workstation and signing the challenge with the private encryption key.
  - 5. The method of claim 1 wherein the private encryption key is not erased if the workstation has not made any requests on the user'"'"'s behalf.

6. A method for authorizing a second entity in a distributed computing system to speak for a first entity in the system, the method comprising the steps of:
- (a) the first entity issuing a nonce challenge to the second entity;
  
  (b) the second entity receiving the nonce challenge and generating in response a public and private encryption key pair;
  
  (c) the second entity issuing a response to the first entity, the response including the generated public encryption key; and
  
  (d) the first entity issuing a certificate indicating that any entity possessing the private key corresponding to the generated public key can speak on its behalf.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 including a step after step (d) wherein the second entity speaks on behalf of the first entity by signing challenges from other entities with the generated private encryption key.
  - 8. The method of claim 6 wherein the second entity is trusted to erase the generated private encryption key upon a request by the first entity.
  - 9. The method of claim 6 wherein the second entity is trusted to erase the generated private encryption key upon a request by the first entity only when the second entity has made a request on behalf of the first entity.
  - 10. The method of claim 6 wherein the first entity is a human user and the second entity is a workstation.
  - 11. The method of claim 6 wherein both the first and the second entities are workstations.

12. A workstation in a distributed computing system comprising:
- (a) means for receiving a nonce challenge from a first entity in the distributed system;
  
  (b) means for generating a public and private encryption key pair in response to the received challenge;
  
  (c) means for issuing a response to the first entity, the response including the generated public encryption key;
  
  (d) means for erasing the generated private key in response to a request from the first entity.
- View Dependent Claims (13, 14, 15)
- - 13. The workstation of claim 12 wherein the first entity is a different workstation.
  - 14. The workstation of claim 12 wherein the first entity is a human user.
  - 15. The workstation of claim 12 further comprising:
    - means for receiving a request from the first entity for access to a second entity;
      
      means for signing challenges issued by the second entity with the generated private encryption key; and
      
      means for forwarding the request from the first entity to the second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Gasser, Morrie, Kaufman, Charles W., Lampson, Butler W., Goldstein, Andrew C.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US07/589,925
Time in Patent Office

1,005 Days
Field of Search

380/23-25, 380/3, 380/4, 380/30, 380/49, 380/50, 380/21, 380/43, 364/222.5, 364/240.8, 364/246.6, 364/246.9, 364/283.3, 364/286.4, 364/286.5, 364/709.05, 364/958.1, 364/969.4, 340/825.31, 340/825.34
US Class Current

380/30
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2153   Using hardware token as a s...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

Method for delegating authorization from one entity to another through the use of session encryption keys

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

467 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for delegating authorization from one entity to another through the use of session encryption keys

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

467 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links