Method and apparatus for proxy authentication

US 5,913,025 A
Filed: 11/14/1996
Issued: 06/15/1999
Est. Priority Date: 11/14/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method in a computer system, comprising the steps of:

(a) obtaining by a source the rights of a source object, the rights of the source object including authorization to access a target object and to modify authentication data of the target object, the target object having rights to access one or more objects;

(b) generating new authentication data by the source;

(c) accessing the target object by the source using the rights of the source object;

(d) modifying, at least partially due to the source having obtained the rights of the source object, the authentication data of the target object to include the new authentication data;

(e) using the new authentication data by the source to obtain the rights of the target object to access the one or more objects, whereby the source becomes a proxy for the target object; and

(f) using by the source the rights of the target object.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for a source to obtain the rights of a target object is disclosed. The source first obtains the rights of a source object, which rights include authorization to access a target object and to modify authentication data of the target object. Next, the source object generates new authentication data. After accessing the target object using the rights of the source object, the source modifies the authentication data of the target object to include the new authentication data. Using the new authentication data, the source obtains the rights of the target object, whereby the source becomes a proxy for the target object. As a proxy, the source uses the rights of the target object. Alternative processes for proxy authentication, as well as apparatus for proxy authentication, are also disclosed.

125 Citations

38 Claims

1. A method in a computer system, comprising the steps of:
- (a) obtaining by a source the rights of a source object, the rights of the source object including authorization to access a target object and to modify authentication data of the target object, the target object having rights to access one or more objects;
  
  (b) generating new authentication data by the source;
  
  (c) accessing the target object by the source using the rights of the source object;
  
  (d) modifying, at least partially due to the source having obtained the rights of the source object, the authentication data of the target object to include the new authentication data;
  
  (e) using the new authentication data by the source to obtain the rights of the target object to access the one or more objects, whereby the source becomes a proxy for the target object; and
  
  (f) using by the source the rights of the target object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method as recited in claim 1, wherein the source object represents one or more programs loaded on a computer.
  - 3. A method as recited in claim 2, wherein the computer is a server.
  - 4. A method as recited in claim 2, wherein the source is a program loaded on the computer.
  - 5. A method as recited in claim 4, wherein the source can obtain the rights of the source object at least partially due to the program is running on the computer.
  - 6. A method as recited in claim 1, wherein step (a) involves the source logging in as the source object.
  - 7. A method as recited in claim 1, wherein step (a) involves the source obtaining authentication data of the source object.
  - 8. A method as recited in claim 1, wherein step (b) involves generating a random password.
  - 9. A method as recited in claim 1, wherein step (d) includes the step of cryptographically transmitting the new authentication data to the target object.
  - 10. A method as recited in claim 1, wherein step (e) involves the source logging in as the target object using the new authentication data.
  - 11. A method as recited in claim 1, wherein the source object, target object, and one or more objects are objects in a distributed directory.
  - 12. A method as recited in claim 11, wherein the rights of the source object and target object are at least partially enforced by directory security.
  - 13. A method as recited in claim 11, wherein steps (a) and (e) involve at least a portion of login security.
  - 14. A method as recited in claim 1, wherein the source is secured.

15. A computer readable medium, comprising a program operative to perform the steps of:
- (a) obtaining by a source the rights of a source object, the rights of the source object including authorization to access a target object and to modify authentication data of the target object, the target object having rights to access one or more objects;
  
  (b) generating new authentication data by the source;
  
  (c) accessing the target object by the source using the rights of the source object;
  
  (d) modifying, at least partially due to the source having obtained the rights of the source object, the authentication data of the target object to include the new authentication data;
  
  (e) using the new authentication data by the source to obtain the rights of the target object to access the one or more objects, whereby the source becomes a proxy for the target object; and
  
  (f) using by the source the rights of the target object.

16. A computer system, comprising:
- (a) a distributed directory having a plurality objects;
  
  (b) a plurality of computers accessing the distributed directory;
  
  (c) a target object in the distributed directory having authentication data and rights to access one or more of the plurality objects in the distributed directory;
  
  (d) a source object in the distributed directory having rights to access the target object and to modify the authentication data of the target object, said source object having authentication data capable of being obtained by a source;
  
  (e) a generation mechanism operative to generate new authentication data for replacement of the authentication data of the target object; and
  
  (f) a replacement mechanism operative to replace the authentication data of the target object with the new authentication data, which enables the source to obtain the rights of the target object.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A computer system as recited in claim 16, wherein the source object represents one or more programs loaded on a computer.
  - 18. A computer system as recited in claim 17, wherein the computer is a server.
  - 19. A computer system as recited in claim 17, wherein the computer is physically secured.
  - 20. A computer system as recited in claim 16, wherein the authentication data of the target object includes a private/public key pair.
  - 21. A computer system as recited in claim 16, wherein the replacement mechanism requires the rights of the source object to implement the replacement.
  - 22. A computer system as recited in claim 16, wherein the plurality of computers comprises a client/server network.

23. A method in a computer system, comprising the steps of:
- (a) obtaining by a source the rights of a source distributed directory object in a distributed directory;
  
  (b) reading an attribute of one or more distributed directory objects to determine if the source object has proxy rights to a target distributed directory object in the distributed directory, the target object having rights to access one or more objects in the distributed directory;
  
  (c) obtaining by the source object the rights of the target object, if the source object has proxy rights; and
  
  (d) using by the source object the rights of the target object to access the one or more objects.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38)
- - 24. A method as recited in claim 23, further comprising the step of storing one or more events that transpire while the source object is using the rights of the target object.
  - 25. A method as recited in claim 23, further including the step of recording that the source object is acting as a proxy for the target object.
  - 26. A method as recited in claim 23, wherein step (c) involves changing the state of the source object to the state of the target object.
  - 27. A method as recited in claim 26, wherein a record is maintained that the source object is a proxy for the target object.
  - 28. A method as recited in claim 23, wherein step (a) involves at least a portion of login security.
  - 29. A method as recited in claim 23, wherein step (b) involves at least a portion of directory security.
  - 30. A method as recited in claim 29, wherein the target object has authentication data and step (b) involves determining whether the source object has rights to access the authentication data of the target object.
  - 31. A method as recited in claim 29, wherein the target object has authentication data and step (b) involves determining whether the source object has rights to modify the authentication data of the target object.
  - 32. A method as recited in claim 29, wherein step (b) involves determining whether the source object has been assigned proxy rights to the target object.
  - 33. A method as recited in claim 23, wherein the source is physically secured.
  - 34. A method as recited in claim 23, wherein step (c) preserves the rights of the source object.
  - 35. A method as recited in claim 23, wherein the computer system has a connection table with a record for the source object and step (c) involves changing the record of the source object in the connection table to reflect the target object.
  - 36. A method as recited in claim 23, further comprising the step of storing in a database information read from the one or more objects.
  - 38. A method as recited in claim 24, further comprising the step of auditing the source by using the one or more stored events.

37. A computer readable medium, comprising a program operative to perform the steps of:
- (a) obtaining by a source the rights of a source distributed directory object in a distributed directory;
  
  (b) reading an attribute of one or more distributed directory objects to determine if the source object has proxy rights to a target distributed directory object, the target object in the distributed directory having rights to access one or more objects in the distributed directory;
  
  (c) obtaining by the source object the rights of the target object, if the source object has proxy rights; and
  
  (d) using by the source object the rights of the target object to access the one or more objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Higley, DeeAnne Barker, Thorne, Bruce Warner, Jarvis, Brian Lee
Primary Examiner(s)
Palys, Joseph E.

Application Number

US08/748,889
Time in Patent Office

943 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/701, 395/704, 395/601, 395/609, 395/610, 395/677, 380/3, 380/4, 380/25, 707/9, 707/10
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0281   Proxies

H04L 63/104   Grouping of entities

Y10S 707/99939   Privileged access

Method and apparatus for proxy authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for proxy authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links