Access management system and method employing secure credentials

US 6,668,322 B1
Filed: 08/05/1999
Issued: 12/23/2003
Est. Priority Date: 08/05/1999
Status: Expired due to Term

First Claim

Patent Images

1. A session credential for use in a security architecture controlling access to one or more information resources, the session credential comprising:

a principal identifier uniquely identifying a principal; and

an encoding of authorization accorded by the security architecture after prior authentication of a login credential corresponding to the principal, the principal identifier and authorization encoding being cryptographically secured and allowing the security architecture to evaluate sufficiency of the authorization for access to the one or more information resources without re-authentication of the login credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security architecture has been developed in which a single sign-on is provided. Session credentials are used to maintain continuity of a persistent session across multiple accesses to one or more information resources, and in some embodiments, across credential level changes. Session credentials are secured, e.g., as a cryptographically secured session token, such that they may be inspected by a wide variety of entities or applications to verify an authenticated trust level, yet may not be prepared or altered except by a trusted authentication service. Some embodiments of the present invention associate trust level requirements with information resources. Authentication schemes (e.g., those based on passwords, certificates, biometric techniques, smart cards, etc.) are associated with trust levels, and in some embodiments, with environmental parameters. For example, in one configuration, a login service obtains login credentials for an entity commensurate with the trust level requirement(s) of an information resource (or information resources) to be accessed and with environment parameters that affect the sufficiency of a given credential type. Once login credentials have been obtained for an entity and have been authenticated to a given trust level, session credentials are issued and access is granted to information resources for which the trust level is sufficient. Advantageously, by using the session credentials access is granted without the need for further login credentials and authentication. In some configurations, session credentials evidencing an insufficient trust level may be remedied by a session continuity preserving upgrade of login credential.

Citations

32 Claims

1. A session credential for use in a security architecture controlling access to one or more information resources, the session credential comprising:
- a principal identifier uniquely identifying a principal; and
  
  an encoding of authorization accorded by the security architecture after prior authentication of a login credential corresponding to the principal, the principal identifier and authorization encoding being cryptographically secured and allowing the security architecture to evaluate sufficiency of the authorization for access to the one or more information resources without re-authentication of the login credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A session credential as in claim 1,
- 3. A session credential as in claim 1, further comprising:
  - an encrypted portion and an unencrypted portion;
    
    the unencrypted portion allowing contents of the session credential, including the principal identifier and authorization encoding, to be read without possession of a key;
    
    the encrypted portion being encrypted with a private key associated with the security architecture and allowing authenticity of the unencrypted portion to be confirmed using a public key corresponding to the private key.
- 4. A session credential as in claim 3,wherein the encrypted portion is supplied external to the security architecture as a session token that uniquely identifies a corresponding persistent session maintained by the security architecture.
- 5. A session credential as in claim 4,wherein the session token is encoded as a cookie supplied to a browser;
  - and wherein the cookie is included with access requests made by the browser targeting the one or more information resources.
- 6. A session credential as in claim 3,wherein the cryptographic securing is by a private key possessed substantially only by an authentication component of the security architecture;
  - and wherein authenticity of the cryptographically secured principal identifier and authorization encoding is verifiable by components other than the authentication component using a public key corresponding to the private key.
- 7. A session credential as in claim 1,wherein the cryptographic securing includes a digital signature encompassing at least the principal identifier and authorization encoding and thereby allows authenticity of the principal identifier and authorization encoding to be confirmed using a public key.
- 8. A session credential as in claim 1, further comprising:
  - an expiration encoding.
- 9. A session credential as in claim 1, further comprising:
  - a session identifier.
- 10. A session credential as in claim 1, further comprising:
  - a group identifier.
- 11. A session credential as in claim 1, further comprising:
  - one or more additional elements selected from an expiration encoding;
    
    a session identifier; and
    
    a group identifier, the one or more additional elements also cryptographically secured.

12. A session token for transfer between a client entity operating on behalf of a principal and a security architecture controlling access to an information resource, the session token comprising:
- a principal identifier uniquely identifying the principal; and
  
  an indication of authorization level accorded by the security architecture after prior authentication of a login credential corresponding to the principal, the principal identifier and authorization level indication being cryptographically secured and allowing the security architecture to evaluate sufficiency of the authorization for access to the information resource without re-authentication of the login credentials.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. A session token as in claim 12, encoded as a cookie stored at a browser.
  - 14. A session token as in claim 12, placed at a browser in response to a set cookie directive by the security architecture.
  - 15. A session token as in claim 12, encoded for transfer to the client entity.
  - 16. A session token as in claim 12, encoded in a communication medium as information in transit between the client entity and the security architecture.
  - 17. A session token as in claim 12,

18. A method of providing authorization verification in a security architecture controlling access to one or more information resources, the method comprising:
- obtaining a login credential and authenticating a principal thereby;
  
  issuing a cryptographically secured session credential encoding at least an identifier for the principal and a first authorization accorded based on the authenticating; and
  
  for plural requests for accesses to the one or more of the information resources, selectively allowing access based on sufficiency of the first authorization encoded by the cryptographically secured session credential for access to the one or more of the information resources, wherein the selective allowing is performed without additional login credential authenticating.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. A method as in claim 18, further comprising:
20. A method as in claim 18, further comprising:
- encrypting at least the identifier for the principal and the first authorization using a private key, the issued cryptographically secured session credential including at least the identifier for the principal and the first authorization in both encrypted and free text form; and
  
  prior to the selective allowing, verifying authenticity of the principal identifier and first authorization encoding using a public key corresponding to the private key.
21. A method as in claim 20, further comprising:
- supplying the encrypted form of at least the identifier for the principal and the first authorization to a client entity external to the security architecture as a session token;
  
  the client entity presenting the session token with subsequent access requests so that the security architecture may perform the selective allowing of the subsequent access requests without additional login credential authenticating.
22. A method as in claim 21,wherein the client entity includes a browser;
- and wherein the session token is encoded as a cookie.
23. A method as in claim 18, further comprising:
- on an access request for which the first authorization encoded by the cryptographically secured session credential is insufficient, obtaining a second login credential and authenticating the principal thereby;
  
  issuing a second cryptographically secured session credential encoding a second authorization accorded based on the authenticating by the second login credential; and
  
  selectively allowing the access request based on sufficiency of the second authorization encoded by the second cryptographically secured session credential.
24. A method as in claim 18,wherein the cryptographically secured session credential also encodes an expiration;
- the method further comprising;
  
  prior to the expiration, reauthenticating the principal by the first login credential;
  
  issuing a third cryptographically secured session credential cncoding a third authorization accorded based on the authenticating by the first login credential; and
  
  selectively allowing subsequent access requests based on sufficiency of the third authorization encoded by the third cryptographically secured session credential.
25. A method as in claim 24,wherein the first and third authorizations are equivalent.
26. A method as in claim 24,wherein the first and third authorization are encoded as trust levels that differ in accordance with either or both of a changed session environment and changed mappings of credential types to trust levels.
27. A method as in claim 18,wherein the login credential is selected from a set of credential types including one or more of a username password pair, digital certificate, an encrypted credentials based on asymmetric, symmetric, public, private, or secret key technology, a one-time password, a biometric credential based on retinal scan, voice print, or finger print, and a possession based credential embodied in a smart card, Enigma card or physical key.
28. A method as in claim 18, embodied as one or more computer program products including functionally descriptive information for directing a processor to perform the login credential obtaining and principal authenticating, the cryptographically secured session credential issuing, and the selectively allowing access based on sufficiency of the first authorization by the cryptographically secured session credential, the one or more computer program products encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

29. An information access control facility comprising:
- an application proxy for receiving an access request targeting one of a set of information resources, extracting a cryptographically secured session token from the access request, and selectively proxying the access request;
  
  means responsive to the application proxy for evaluating sufficiency of an authorization encoded in the cryptographically secured session token for access to the targeted information resource.
- View Dependent Claims (30, 31, 32)
- - 30. An access control facility as in claim 29, further comprising:
31. An access control facility as in claim 29, further comprising:
- means for transferring the session token between the access control facility and the client entity.
32. An access control facility as in claim 29, embodied as a computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Wood, David L., Norton, Derk
Primary Examiner(s)
Smithers, Matthew

Application Number

US09/368,502
Time in Patent Office

1,601 Days
Field of Search

713/182, 713/153, 713/168, 713/185, 713/200, 713/201, 713/202
US Class Current

713/182
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

Access management system and method employing secure credentials

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Access management system and method employing secure credentials

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links