Authentication method to enable servers using public key authentication to obtain user-delegated tickets
2 Assignments
0 Petitions
Abstract
A method, system, and computer-readable code for delegating authority in a public key authentication environment from a client to a server machine or process, in order that the server machine or process can then securely access resources and securely perform tasks on behalf of the client. The authority is delegated by obtaining tickets (or other equivalent representation of user credentials) from a private key system, such as the Kerberos system, where the tickets identify a user's access rights or privileges. The present invention provides several alternative techniques with which this delegation model can be implemented. In these techniques, the client does not directly access the private key system.
207 Citations
30 Claims
1. In a computing environment having a connection to a network, computer readable code readable by a computer system in said environment, for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS), comprising:
a subprocess for obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;
a subprocess for delegating said obtained authorization to said server;
a subprocess in said server for performing said requested task using said delegated authorization; and
a subprocess in said server for returning a result of said performing to said client.

said subprocess for obtaining further comprises:
a subprocess in said PRKS for authenticating an identification of said client; and
a subprocess in said PRKS for comparing said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
said subprocess for delegating further comprises:
a subprocess for sending a session credential from said PRKS to said server when said subprocess for comparing successfully locates said identification of said client;
a subprocess in said server, responsive to receiving a request from said client, for sending said session credential and a request for said delegated authorization to said PRKS;
a subprocess in said PRKS, responsive to receiving said session credential and said request for delegated authorization, for checking stored policies; and
a subprocess in said PRKS for sending said requested delegated authorization to said server when said subprocess for checking has a successful outcome.

3. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 2, wherein said delegated authorization is represented by one or more authorization tickets.

4. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising a subprocess in said client for authenticating said PRKS, and wherein:
said subprocess for obtaining further comprises:
a subprocess in said PRKS for authenticating an identification of said client; and
a subprocess in said PRKS for comparing said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
said subprocess for delegating further comprises:
a subprocess for sending a session credential and, if message encryption is to be used, a session key from said PRKS to said server when said subprocess for comparing successfully locates said identification of said client;
a subprocess in said server, responsive to a request from said client, for sending said session credential and a request for said delegated authorization to said PRKS;
a subprocess in said PRKS, responsive to receiving said session credential and said request for delegated authorization, for checking stored policies; and
a subprocess in said PRKS for sending said requested delegated authorization to said server when said subprocess for checking has a successful outcome.

5. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 4, wherein said delegated authorization is represented by one or more authorization tickets.

6. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising:
a subprocess for authenticating said server at said client; and
a subprocess for authenticating said client at said server; and
wherein:
said subprocess for obtaining is invoked in response to receiving a request from said client, and further comprises:
a subprocess in said server for determining one or more authorization privileges that are required to perform said requested task; and
a subprocess for requesting said authorization privileges from said client; and
said subprocess for delegating is invoked in response to receiving said request for authorization privileges, and further comprises:
a subprocess in said client for verifying said requested authorization privileges;
a subprocess in said client for sending a client certificate and a signed request for said requested authorization privileges to said server;
a subprocess in said server for forwarding said client certificate and said signed request to said PRKS;
a subprocess in said PRKS for comparing an identification of said client from said client certificate to a stored mapping between a plurality of client identifications and client access privileges;
a subprocess in said PRKS for checking stored delegation privileges to determine whether said client authorizes said server to receive said requested authorization privileges; and
a subprocess for sending said requested authorization privileges from said PRKS to said server when said subprocess for checking has a successful outcome.

7. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 6, wherein said requested authorization privileges are represented by one or more authorization tickets.

8. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, further comprising a subprocess in said client for authenticating said PRKS and a subprocess in said PRKS for authenticating said client, and wherein:
said subprocess for obtaining is invoked in response to a request from said client, and further comprises:
a subprocess in said server for forwarding said request to said PRKS; and
a subprocess in said PRKS for determining one or more authorization privileges which are required for performing said request; and
said subprocess for delegating further comprises a subprocess for sending a session key and said determined authorization privileges from said PRKS to said server.

9. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 8, wherein said requested authorization privileges are represented by one or more authorization tickets.

10. Computer readable code for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 1, wherein said PRKS is a system known as “the Kerberos system”.

11. A system for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS) in a computing environment having a connection to a network, comprising:
means for obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;
means for delegating said obtained authorization to said server;
means in said server for performing said requested task using said delegated authorization; and
means in said server for returning a result of said performing to said client.

said means for obtaining further comprises:
means in said PRKS for authenticating an identification of said client; and
means in said PRKS for comparing said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
said means for delegating further comprises:
means for sending a session credential from said PRKS to said server when said means for comparing successfully locates said identification of said client;
means in said server, responsive to receiving a request from said client, for sending said session credential and a request for said delegated authorization to said PRKS;
means in said PRKS, responsive to receiving said session credential and said request for delegated authorization, for checking stored policies; and
means in said PRKS for sending said requested delegated authorization to said server when said means for checking has a successful outcome.

13. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 12, wherein said delegated authorization is represented by one or more authorization tickets.

14. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising means in said client for authenticating said PRKS, and wherein:
said means for obtaining further comprises:
means in said PRKS for authenticating an identification of said client; and
means in said PRKS for comparing said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
said means for delegating further comprises:
means for sending a session credential and, if message encryption is to be used, a session key from said PRKS to said server when said means for comparing successfully locates said identification of said client;
means in said server, responsive to a request from said client, for sending said session credential and a request for said delegated authorization to said PRKS;
means in said PRKS, responsive to receiving said session credential and said request for delegated authorization, for checking stored policies; and
means in said PRKS for sending said requested delegated authorization to said server when said means for checking has a successful outcome.

15. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 14, wherein said delegated authorization is represented by one or more authorization tickets.

16. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising:
means for authenticating said server at said client;
means for authenticating said client at said server; and
wherein:
said means for obtaining is invoked in response to receiving a request from said client, and further comprises:
means in said server for determining one or more authorization privileges that are required to perform said requested task; and
means for requesting said authorization privileges from said client; and
said means for delegating is invoked in response to receiving said request for authorization privileges, and further comprises:
means in said client for verifying said requested authorization privileges;
means in said client for sending a client certificate and a signed request for said requested authorization privileges to said server;
means in said server for forwarding said client certificate and said signed request to said PRKS;
means in said PRKS for comparing an identification of said client from said client certificate to a stored mapping between a plurality of client identifications and client access privileges;
means in said PRKS for checking stored delegation privileges to determine whether said client authorizes said server to receive said requested authorization privileges; and
means for sending said requested authorization privileges from said PRKS to said server when said means for checking has a successful outcome.

17. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 16, wherein said requested authorization privileges are represented by one or more authorization tickets.

18. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, further comprising means in said client for authenticating said PRKS and means in said PRKS for authenticating said client, and wherein:
said means for obtaining is invoked in response to a request from said client, and further comprises:
means in said server for forwarding said request to said PRKS; and
means in said PRKS for determining one or more authorization privileges which are required for performing said request; and
said means for delegating further comprises means for sending a session key and said determined authorization privileges from said PRKS to said server.

19. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 18, wherein said requested authorization privileges are represented by one or more authorization tickets.

20. The system for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 11, wherein said PRKS is a system known as “the Kerberos system”.

21. A method for enabling a server to perform tasks on behalf of a client in a public key environment using authorization obtained from a private key system (PRKS) in a computing environment having a connection to a network, comprising the steps of:
obtaining said authorization by said server for said client from said PRKS using public key authentication, without said client directly accessing said PRKS;
delegating said obtained authorization to said server;
performing, by said server, said requested task using said delegated authorization; and
returning a result of said performing from said server to said client.

said obtaining step further comprises the steps of:
authenticating, in said PRKS, an identification of said client; and
comparing, in said PRKS, said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
said delegating step further comprises the steps of:
sending a session credential from said PRKS to said server when said comparing step successfully locates said identification of said client;
sending, responsive to receiving a request from said client, said session credential and a request for said delegated authorization from said server to said PRKS;
checking stored policies in said PRKS, responsive to receiving said session credential and said request for delegated authorization; and
sending said requested delegated authorization from said PRKS to said server when said checking step has a successful outcome.

23. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 22, wherein said delegated authorization is represented by one or more authorization tickets.

24. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the step of authenticating said PRKS in said client, and wherein:
said obtaining step further comprises the steps of:
authenticating an identification of said client in said PRKS; and
comparing, in said PRKS, said identification of said client to a stored mapping between a plurality of client identifications and client access privileges; and
said delegating step further comprises the steps of:
sending a session credential and, if message encryption is to be used, a session key from said PRKS to said server when said comparing step successfully locates said identification of said client;
sending, responsive to a request from said client, said session credential and a request for said delegated authorization from said server to said PRKS;
checking stored policies in said PRKS, responsive to receiving said session credential and said request for delegated authorization; and
sending said requested delegated authorization from said PRKS to said server when said checking step has a successful outcome.

25. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 24, wherein said delegated authorization is represented by one or more authorization tickets.

26. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the steps of:
authenticating said server at said client; and
authenticating said client at said server; and
wherein:
said obtaining step is invoked in response to receiving a request from said client, and further comprises the steps of:
determining, in said server, one or more authorization privileges that are required to perform said requested task; and
requesting said authorization privileges from said client; and
said delegating step is invoked in response to receiving said request for authorization privileges, and further comprises the steps of:
verifying, in said client, said requested authorization privileges;
sending a client certificate and a signed request for said requested authorization privileges from said client to said server;
forwarding said client certificate and said signed request from said server to said PRKS;
comparing, in said PRKS, an identification of said client from said client certificate to a stored mapping between a plurality of client identifications and client access privileges;
checking, in said PRKS, stored delegation privileges to determine whether said client authorizes said server to receive said requested authorization privileges; and
sending said requested authorization privileges from said PRKS to said server when said checking step has a successful outcome.

27. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 26, wherein said requested authorization privileges are represented by one or more authorization tickets.

28. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, further comprising the step of authenticating said PRKS in said client and the step of authenticating said client in said PRKS, and wherein:
said obtaining step is invoked in response to a request from said client, and further comprises the steps of:
forwarding said request from said server to said PRKS; and
determining, in said PRKS, one or more authorization privileges which are required for performing said request; and
said delegating step further comprises the step of sending a session key and said determined authorization privileges from said PRKS to said server.

29. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 28, wherein said requested authorization privileges are represented by one or more authorization tickets.

30. The method for enabling a server to perform tasks on behalf of a client in a public key environment according to claim 21, wherein said PRKS is a system known as “the Kerberos system”.
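As an added illustration (not code from the patent or from any implementation it describes), the Go program below models the PRKS-side decision in the delegation flow of claims 6, 16 and 26: the server forwards the client certificate and the client's signed request, and the PRKS verifies the signature under the certificate's key, compares the client identification against the stored mapping to access privileges, and checks the stored delegation privileges before sending a ticket to the server. It assumes Ed25519 keys, a plain struct in place of a real certificate, and that the signed request names the target server; names such as PRKS.Issue, ClientSign and Setup are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// ClientCert stands in for the client certificate of claim 6 (a plain struct, not X.509, by assumption).
type ClientCert struct {
	Subject string
	PubKey  ed25519.PublicKey
}
// DelegationRequest is what the server forwards to the PRKS: the client certificate plus the
// client's signed request for one privilege. Binding the target server into the signed bytes is an assumption.
type DelegationRequest struct {
	Cert              ClientCert
	Server, Privilege string
	Signature         []byte
}
// Ticket is the PRKS's representation of the delegated authorization.
type Ticket struct{ Subject, Server, Privilege string }
// PRKS holds the two stored tables the claims name: the client-identification-to-privileges
// mapping, and the delegation policy saying which server each client authorizes to receive what.
type PRKS struct {
	AccessPrivileges map[string]map[string]bool            // subject -> privilege
	Delegation       map[string]map[string]map[string]bool // subject -> server -> privilege
}
func payload(server, privilege string) []byte { return []byte("delegate:" + server + ":" + privilege) }
// ClientSign is the client-side step: sign the request for the privilege the server asked for.
func ClientSign(cert ClientCert, priv ed25519.PrivateKey, server, privilege string) DelegationRequest {
	return DelegationRequest{cert, server, privilege, ed25519.Sign(priv, payload(server, privilege))}
}
// Issue runs the PRKS-side checks of claim 6 in order (signature under the certificate's key,
// client holds the privilege, client delegates it to this server) and issues a ticket only if all pass.
func (p *PRKS) Issue(req DelegationRequest) (*Ticket, error) {
	if !ed25519.Verify(req.Cert.PubKey, payload(req.Server, req.Privilege), req.Signature) {
		return nil, errors.New("signature does not verify under client certificate")
	}
	subj := req.Cert.Subject
	if !p.AccessPrivileges[subj][req.Privilege] {
		return nil, errors.New("client is not mapped to the requested privilege")
	}
	if !p.Delegation[subj][req.Server][req.Privilege] {
		return nil, errors.New("client has not authorized this server to receive the privilege")
	}
	return &Ticket{subj, req.Server, req.Privilege}, nil
}

// Setup builds a constructed PRKS: alice holds two privileges but delegates only read-files, only to app-server.
func Setup() (*PRKS, ClientCert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	prks := &PRKS{
		AccessPrivileges: map[string]map[string]bool{"alice": {"read-files": true, "admin": true}},
		Delegation:       map[string]map[string]map[string]bool{"alice": {"app-server": {"read-files": true}}},
	}
	return prks, ClientCert{"alice", pub}, priv
}
```

The three refusals (privilege not held, privilege not delegated to that server, request altered after signing) are the failure modes the stored mapping, the delegation policy and the signature check respectively guard against.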
Specification