Method and system for providing certificates holding authentication and authorization information for users/machines

US 5,999,711 A
Filed: 07/18/1994
Issued: 12/07/1999
Est. Priority Date: 07/18/1994
Status: Expired due to Term

First Claim

Patent Images

1. In a distributed system having computer resources and a facility for checking credentials information to authenticate principals and provide with authorization data, a method for authenticating and authorizing principals comprising the computer implemented steps of:

providing a principal with a secure package holding credentials information for a client;

receiving a principal request to connect to the distributed system at a location in the distributed system that lacks credentials information about the principal to gain access to at least some of the computing resources;

accessing the credentials information held in the secure package to enable the facility for checking credentials information to determine whether the principal is authorized and authenticated to be connected to the distributed system without obtaining credentials information about the principal from a source other than the secure package;

where the principal is not authorized or not authenticated to connect to the distributed system, denying the principal request to be connected to the distributed system; and

where the principal is authorized and authenticated to connect to the distributed system, granting the principal request to be connected to the distributed system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Logon certificates are provided to support disconnected operation within the distributed system. Each logon certificate is a secure package holding credentials information sufficient to establish the identity and rights and privileges for a user/machine in a domain that is not their home domain. When a user/machine attempts to connect to the system at a domain other than the home domain of the user/machine, the user/machine presents a logon certificate that evidences his credentials. The domain where the user/machine attempts to connect to the system, decrypts and unseals the secure package as required to obtain the credentials information contained therein. If the user/machine has sufficient credentials, the user/machine is permitted to connect to the system. If the user/machine lacks sufficient credentials, the user/machine is not permitted to connect to the system.

Citations

16 Claims

1. In a distributed system having computer resources and a facility for checking credentials information to authenticate principals and provide with authorization data, a method for authenticating and authorizing principals comprising the computer implemented steps of:
- providing a principal with a secure package holding credentials information for a client;
  
  receiving a principal request to connect to the distributed system at a location in the distributed system that lacks credentials information about the principal to gain access to at least some of the computing resources;
  
  accessing the credentials information held in the secure package to enable the facility for checking credentials information to determine whether the principal is authorized and authenticated to be connected to the distributed system without obtaining credentials information about the principal from a source other than the secure package;
  
  where the principal is not authorized or not authenticated to connect to the distributed system, denying the principal request to be connected to the distributed system; and
  
  where the principal is authorized and authenticated to connect to the distributed system, granting the principal request to be connected to the distributed system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the principal is a user.
  - 3. The method of claim 1 wherein the principal is a portable computer.
  - 4. The method of claim 1 wherein the distributed system includes a portable computer having memory and the step of providing the principal with the secure package holding credentials information for the client further comprises a step of loading the secure package holding credentials information for the client into the memory of the portable computer.
  - 5. The method of claim 1 wherein the step of providing the principal with the secure package holding credentials information for the client further comprises a step of storing the secure package on a portable storage medium.
  - 6. The method of claim 5 wherein the portable storage medium is a floppy disk and the step of storing the secure package on the portable storage medium comprises a step of storing the secure package on the floppy disk.
  - 7. The method of claim 1 wherein the step of providing the principal with the secure package holding credentials information for the client comprises a step of providing the principal with an encrypted package holding credentials information for the client.
  - 8. The method of claim 1 wherein the step of providing the principal with the secure package holding credentials information for the client comprises a step of providing a digitally signed and sealed package holding credentials information for a user of the distributed system.
  - 9. The method of claim 1 wherein determining whether the principal is authenticated to be connected to the distributed system comprises the steps of:
    - (i) determining whether the secure package is authentic; and
      
      (ii) where the secure package is determined to be authentic, determining that the principal is authenticated to be connected to the distributed system.

10. In a distributed system logically partitioned into domains, wherein each user has an associated home domain, a method of maintaining secure access to the distributed system, comprising the computer implemented steps of:
- providing a user with a secure package holding credentials information for the user;
  
  receiving a user request to logon to the distributed system in a domain other than the associated home domain of the user, said domain lacking credentials information about the user;
  
  accessing the secure package to examine the credentials information for the user; and
  
  without obtaining credentials information about the user from another source, based on the credentials information for the user provided in the secure package, deciding whether to allow the user to logon or not.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 wherein the distributed system includes a portable computer having memory and the step of providing the user with the secure package holding credentials information for the user comprises loading the secure package holding credentials information for the user into the memory of the portable computer.
  - 12. The method of claim 10 wherein the step of providing the user with the secure package holding credentials information for the user further comprises storing the secure package on a portable storage medium.
  - 13. The method of claim 10 wherein the step of providing the user with the secure package holding credentials information for the user comprises providing the user with an encrypted package holding credentials information for the user.
  - 14. The method of claim 10 wherein the step of providing the user with the secure package holding credentials information for the user comprises providing a digitally signed and sealed package holding credentials information for the user.

15. In a distributed system having a facility for checking credentials information, a method of authorizing connections to the distributed system, comprising the computer implemented steps of:
- providing a portable computer with a secure package holding credentials information for the portable computer;
  
  requiring the portable computer to present the secure package when the portable computer wishes to connect to the distributed system at a location lacking credentials information about the portable computer to become part of the distributed system;
  
  examining the credentials information contained within the secure package by the facility for checking credentials information to determine whether the portable computer is authorized to connect to the distributed system,wherein the portable computer is authorized to connect to the distributed system, allowing the portable computer to connect to the distributed system; and
  
  wherein the portable computer is not authorized to correct to the distributed system, not allowing the portable computer to connect to the distributed system.

16. In a distributed system that is logically partitioned into domains and having a plurality of computers, wherein each computer in the distributed system has an associated home domain, a method of authorizing access to the distributed system, comprising the computer implemented steps of:
- providing a secure package at the home domain of a selected computer to the selected computer, said secure package holding credentials information for the selected computer;
  
  receiving a request from the selected computer, to connect to the distributed system at a target domain other than the home domain of the selected computer said target domain lacking credentials information about the selected computer; and
  
  examining the credentials information contained in the secure package to determine whether the selected computer is authorized to be connected to the distributed system at the target domain to become part of the distributed system without obtaining credentials information about the selected computer from a source other than the secure package.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ward, Richard B., Miller, Arnold S., Misra, Pradyumna K.
Primary Examiner(s)
Nguyen, Hoa T.

Application Number

US08/277,144
Time in Patent Office

1,968 Days
Field of Search

395/187.01, 395/186, 395/680, 395/200.09, 380/4, 380/23, 380/25
US Class Current

726/4
CPC Class Codes

G06F 21/33   using certificates

G06F 21/6236   between heterogeneous systems

G06Q 20/3821   Electronic credentials

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

Method and system for providing certificates holding authentication and authorization information for users/machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing certificates holding authentication and authorization information for users/machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links