Authentication method to enable servers using public key authentication to obtain user-delegated tickets

US 6,643,774 B1
Filed: 04/08/1999
Issued: 11/04/2003
Est. Priority Date: 04/08/1999
Status: Active Grant

First Claim

Patent Images

1. In a computing environment having a connection to a network, computer readable code readable by a computer system in said environment, for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS), comprising:

subprocess for obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;

a subprocess for delegating said obtained authorization to said server;

a subprocess in said server for performing said requested task using said delegated authorization; and

a subprocess in said server for returning a result of said performing to said client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer-readable code for delegating authority in a public key authentication environment from a client to a server machine or process, in order that the server machine or process can then securely access resources and securely perform tasks on behalf of the client. The authority is delegated by obtaining tickets (or other equivalent representation of user credentials) from a private key system, such as the Kerberos system, where the tickets identify a user'"'"'s access rights or privileges. The present invention provides several alternative techniques with which this delegation model can be implemented. In these techniques, the client does not directly access the private key system.

207 Citations

30 Claims

1. In a computing environment having a connection to a network, computer readable code readable by a computer system in said environment, for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS), comprising:
- subprocess for obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;
  
  a subprocess for delegating said obtained authorization to said server;
  
  a subprocess in said server for performing said requested task using said delegated authorization; and
  
  a subprocess in said server for returning a result of said performing to said client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising a subprocess in said client for authenticating said server, and wherein:
3. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 2, wherein said delegated authorization is represented by one or more authorization tickets.
4. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising a subprocess in said client for authenticating said PRKS, and wherein:
- said subprocess for obtaining further comprises;
  
  a subprocess in said PRKS for authenticating an identification of said client; and
  
  a subprocess in said PRKS for comparing said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
  
  said subprocess for delegating further comprises;
  
  a subprocess for sending a session credential and, if message encryption is to be used, a session key from said PRKS to said server when said subprocess for comparing successfully locates said identification of said client;
  
  a subprocess in said server, responsive to a request from said client, for sending said session credential and a request for said delegated authorization to said PRKS;
  
  a subprocess in said PRKS, responsive to receiving said session credential and said request for delegated authorization, for checking stored policies; and
  
  a subprocess in said PRKS for sending said requested delegated authorization to said server when said subprocess for checking has a successful outcome.
5. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 4, wherein said delegated authorization is represented by one or more authorization tickets.
6. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising:
- a subprocess for authenticating said server at said client; and
  
  a subprocess for authenticating said client at said server; and
  
  wherein;
  
  said subprocess for obtaining is invoked in response to receiving a request from said client, and further comprises;
  
  a subprocess in said server for determining one more authorization privileges that are required to perform said requested task; and
  
  a subprocess for requesting said authorization privileges from said client; and
  
  said subprocess for delegating is invoked in response to receiving said request for authorization privileges, and further comprises;
  
  a subprocess in said client for verifying said requested authorization privileges;
  
  a subprocess in said client for sending a client certificate and a signed request for said requested authorization privileges to said server;
  
  a subprocess in said server for forwarding said client certificate and said signed request to said PRKS;
  
  a subprocess in said PRKS for comparing an identification of said client from said client certificate to a stored mapping between a plurality of client identifications and client access privileges;
  
  a subprocess in said PRKS for checking stored delegation privileges to determine whether said client authorizes said server to receive said requested authorization privileges; and
  
  a subprocess for sending said requested authorization privileges from said PRKS to said server when said subprocess for checking has a successful outcome.
7. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 6, wherein said requested authorization privileges are represented by one or more authorization tickets.
8. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising a subprocess in said client for authenticating said PRKS and a subprocess in said PRKS for authenticating said client, and wherein:
- said subprocess for obtaining is invoked in response to a request from said client, and further comprises;
  
  a subprocess in said server for forwarding said request to said PRKS; and
  
  a subprocess in said PRKS for determining one or more authorization privileges which are required for performing said request; and
  
  said subprocess for delegating further comprises a subprocess for sending a session key and said determined authorization privileges from said PRKS to said server.
9. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 8, wherein said requested authorization privileges are represented by one or more authorization tickets.
10. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, wherein said PRKS is a system known as “
- the Kerberos system”
  
  .

11. A system for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS) in a computing environment having a connection to a network, comprising:
- means for obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;
  
  means for delegating said obtained authorization to said server;
  
  means in said server for performing said requested task using said delegated authorization; and
  
  means in said server for returning a result of said performing to said client.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising means in said client for authenticating said server, and wherein:
13. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 12, wherein said delegated authorization is represented by one or more authorization tickets.
14. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising means in said client for authenticating said PRKS, and wherein:
- said means for obtaining further comprises;
  
  means in said PRKS for authenticating an identification of said client; and
  
  means in said PRKS for comparing said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
  
  said means for delegating further comprises;
  
  means for sending a session credential and, if message encryption is to be used, a session key from said PRKS to said server when said means for comparing successfully locates said identification of said client;
  
  means in said server, responsive to a request from said client, for sending said session credential and a request for said delegated authorization to said PRKS;
  
  means in said PRKS, responsive to receiving said session credential and said request for delegated authorization, for checking stored policies; and
  
  means in said PRKS for sending said requested delegated authorization to said server when said means for checking has a successful outcome.
15. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 14, wherein said delegated authorization is represented by one or more authorization tickets.
16. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising:
- means for authenticating said server at said client;
  
  means for authenticating said client at said server; and
  
  wherein;
  
  said means for obtaining is invoked in response to receiving a request from said client, and further comprises;
  
  means in said server for determining one more authorization privileges that are required to perform said requested task; and
  
  means for requesting said authorization privileges from said client; and
  
  said means for delegating is invoked in response to receiving said request for authorization privileges, and further comprises;
  
  means in said client for verifying said requested authorization privileges;
  
  means in said client for sending a client certificate and a signed request for said requested authorization privileges to said server;
  
  means in said server for forwarding said client certificate and said signed request to said PRKS;
  
  means in said PRKS for comparing an identification of said client from said client certificate to a stored mapping between a plurality of client identifications and client access privileges;
  
  means in said PRKS for checking stored delegation privileges to determine whether said client authorizes said server to receive said requested authorization privileges; and
  
  means for sending said requested authorization privileges from said PRKS to said server when said means for checking has a successful outcome.
17. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 16, wherein said requested authorization privileges are represented by one or more authorization tickets.
18. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising means in said client for authenticating said PRKS and means in said PRKS for authenticating said client, and wherein:
- said means for obtaining is invoked in response to a request from said client, and further comprises;
  
  means in said server for forwarding said request to said PRKS; and
  
  means in said PRKS for determining one or more authorization privileges which are required for performing said request; and
  
  said means for delegating further comprises means for sending a session key and said determined authorization privileges from said PRKS to said server.
19. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 18, wherein said requested authorization privileges are represented by one or more authorization tickets.
20. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, wherein said PRKS is a system known as “
- the Kerberos system”
  
  .

21. A method for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS) in a computing environment having a connection to a network, comprising the steps of:
- obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;
  
  delegating said obtained authorization to said server;
  
  performing, by said server, said requested task using said delegated authorization; and
  
  returning a result of said performing from said server to said client.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the step of authenticating, in said client, said server, and wherein:
23. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 22, wherein said delegated authorization is represented by one or more authorization tickets.
24. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the step of authenticating said PRKS in said client, and wherein:
- said obtaining step further comprises the steps of;
  
  authenticating an identification of said client in said PRKS; and
  
  comparing, in said PRKS, said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
  
  said delegating step further comprises the steps of;
  
  sending a session credential and, if message encryption is to be used, a session key from said PRKS to said server when said comparing step successfully locates said identification of said client;
  
  sending, responsive to a request from said client, said session credential and a request for said delegated authorization from said server to said PRKS;
  
  checking stored policies in said PRKS, responsive to receiving said session credential and said request for delegated authorization; and
  
  sending said requested delegated authorization from said PRKS to said server when said checking step has a successful outcome.
25. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 24, wherein said delegated authorization is represented by one or more authorization tickets.
26. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the steps of:
- authenticating said server at said client; and
  
  authenticating said client at said server; and
  
  wherein;
  
  said obtaining step is invoked in response to receiving a request from said client, and further comprises the steps of;
  
  determining, in said server, one more authorization privileges that are required to perform said requested task; and
  
  requesting said authorization privileges from said client; and
  
  said delegating step is invoked in response to receiving said request for authorization privileges, and further comprises the steps of;
  
  verifying, in said client, said requested authorization privileges;
  
  sending a client certificate and a signed request for said requested authorization privileges from said client to said server;
  
  forwarding said client certificate and said signed request from said server to said PRKS;
  
  comparing, in said PRKS, an identification of said client from said client certificate to a stored mapping between a plurality of client identifications and client access privileges;
  
  checking, in said PRKS, stored delegation privileges to determine whether said client authorizes said server to receive said requested authorization privileges; and
  
  sending said requested authorization privileges from said PRKS to said server when said checking step has a successful outcome.
27. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 26, wherein said requested authorization privileges are represented by one or more authorization tickets.
28. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the step of authenticating said PRKS in said client and the step of authenticating said client in said PRKS, and wherein:
- said obtaining step is invoked in response to a request from said client, and further comprises the steps of;
  
  forwarding said request from said server to said PRKS; and
  
  determining, in said PRKS, one or more authorization privileges which are required for performing said request; and
  
  said delegating step further comprises the step of sending a session key and said determined authorization privileges from said PRKS to said server.
29. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 28, wherein said requested authorization privileges are represented by one or more authorization tickets.
30. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, wherein said PRKS is a system known as “
- the Kerberos system”
  
  .

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McGarvey, John Ryan
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US09/287,993
Time in Patent Office

1,671 Days
Field of Search

380/30, 380/259, 380/282, 713/155, 713/156, 713/164, 713/170, 713/176
US Class Current

713/155
CPC Class Codes

H04L 63/062 for key distribution, e.g. ...

H04L 63/0823 using certificates cryptogr...

Authentication method to enable servers using public key authentication to obtain user-delegated tickets

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

207 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication method to enable servers using public key authentication to obtain user-delegated tickets

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

207 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links