Cryptographic authorization with prioritized and weighted authentication

US 6,687,823 B1
Filed: 05/05/1999
Issued: 02/03/2004
Est. Priority Date: 05/05/1999
Status: Active Grant

First Claim

Patent Images

1. A method of authorization of user access to a selected resource, the method comprising the steps of:

providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧

1), for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;

providing a user response for each of the authentication mechanisms;

computing a sum TS of all the weights w_ifor which the user satisfies authentication test number i; and

when the sum TS is not at least equal to a threshold value TS_thr,1, granting the user access to a selected default subset of the resource, and including the step of associating a numerical cryptographic strength with each of said authentication mechanisms.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and associated method for authorizing, or withholding authorization of, user access to a selected computer application or other resource, based on the user'"'"'s response to one or more user authentication tests. If the user is presented with two or more authentication tests, each with an associated test weight, the system optionally sums the weights of the tests satisfied by the user; and if this sum is greater than a selected test score threshold, the user is granted access to the resource. Alternatively, the user is granted access to selected subsets of the application, including an empty or non-empty default subset, depending upon the sum of the weights of the tests satisfied by the user. An authentication test or its associated weight may change at a selected time, and the selected time may be determined with reference to a time at which the resource changes. A smartcard may be used to respond to one or more authentication tests.

72 Citations

View as Search Results

37 Claims

1. A method of authorization of user access to a selected resource, the method comprising the steps of:
- providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧
  
  1), for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  providing a user response for each of the authentication mechanisms;
  
  computing a sum TS of all the weights w_ifor which the user satisfies authentication test number i; and
  
  when the sum TS is not at least equal to a threshold value TS_thr,1, granting the user access to a selected default subset of the resource, and including the step of associating a numerical cryptographic strength with each of said authentication mechanisms.
- View Dependent Claims (2, 3, 4, 5, 8)
- - 2. The method of claim 1, further comprising the step of selecting said default subset to be an empty set.
  - 3. The method of claim 1, further comprising the step of granting said user access to said resource when said sum TS is at least equal to said threshold value TS_thr,1.
  - 4. The method of claim 1, further comprising the step of granting said user access to a second selected subset of said resource when said sum TS is at least equal to said threshold value TS_thr,1and is not at least equal to a second selected threshold value TS_thr,2, where TS_thr,1≦
    - TS_thr,2and said first selected subset is contained in said second selected subset.
  - 5. The method of claim 1, further comprising the step of selecting a sequence of said associated weights w_ithat increases monotonically with an increase of said cryptographic strength of said associated authentication mechanism i, for at least one value of i (i=1, . . . , I).
  - 8. The method of claims 1, wherein at least one of said responses from said user is provided by a smartcard that is programmed to provide said user response in response to receiving a selected electronic command.

6. A method of authorization of user access to a selected resource, the method comprising the steps of:
- providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧
  
  1), for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  providing a user response for each of the authentication mechanisms;
  
  computing a sum TS of all the weights w_ifor which the user satisfies authentication test number i; and
  
  when the sum TS is not at least equal to a threshold value TS_thr,1, granting the user access to a selected default subset of the resource, and including the step of causing a change in at least one of said test and said weight associated with at least one of said authentication mechanisms at a selected time.
- View Dependent Claims (7)
- - 7. The method of claim 6, further comprising the step of choosing said selected time to be approximately equal to a selected time at which said resource changes.

9. A method of authorization of user access to a selected resource, the method comprising the steps of:
- providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧
  
  1), for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  providing a user response for each of the authentication mechanisms;
  
  computing a sum TS of all the weights w_ifor which the user satisfies the ith authentication test;
  
  providing a sequence of threshold values TS_thr,j(j=1, 2, . . . J;
  
  J≧
  
  1)) satisfying TS_thr,1<
  
  TS_thr,2<
  
  . . .<
  
  TS_thr,J; and
  
  when the sum TS satisfies the condition TS_thr,j≦
  
  TS<
  
  TS_thr,j+1for some integer j in the range 1≦
  
  j≦
  
  J−
  
  1, allowing the user access to a selected subset of the resource corresponding to the value TS_thr,j, and including the step of associating a numerical cryptographic strength with each of said authentication mechanisms.
- View Dependent Claims (10, 11, 12, 15)
- - 10. The method of claim 9, further comprising the step of delaying said user access to said resource when said sum TS is less than said threshold value TS_thr,1.
  - 11. The method of claim 9, further comprising the step of granting said user access to a selected default subset of said resource when said sum TS is less than said threshold value TS_thr,1.
  - 12. The method of claim 9, further comprising the step of selecting a sequence of said associated weights w_ithat increases monotonically with an increase of said cryptographic strength of said associated authentication mechanism i, for at least one value of i (i=1, . . . , I).
  - 15. The method of claim 9, wherein at least one of said responses from said user is provided by a smartcard that is programmed to provide said user response in response to receiving a selected electronic command.

13. A method of authorization of user access to a selected resource, the method comprising the steps of:
- providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I>
  
  1), for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  providing a user response for each of the authentication mechanisms;
  
  computing a sum TS of all the weights w_ifor which the user satisfies the ith authentication test;
  
  providing a sequence of threshold values TS_thr,j(j=1, 2, . . . J;
  
  J>
  
  1)) satisfying TS_thr,1<
  
  TS_thr,2<
  
  . . .<
  
  TS_thr,J; and
  
  when the sum TS satisfies the condition TS_thr,j≦
  
  TS≦
  
  TS_thr,j+1for some integer j in the range 1<
  
  j<
  
  J−
  
  1, allowing the user access to a selected subset of the resource corresponding to the value TS_thr,j, further including the step of causing a change in at least one of said test and said weight associated with at least one of said authentication mechanisms at a selected time.
- View Dependent Claims (14)
- - 14. The method of claim 13, further comprising the step of choosing said selected time to be approximately equal to a selected time at which said selected resource changes.

16. A system for authorization of user access to a selected resource, the system comprising a computer that is programmed:
- to provide I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧
  
  1) for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  to receive or provide a user response for each or the authentication mechanisms;
  
  to compute a sum TS of all the weights w_ifor which the user satisfies the ith authentication test; and
  
  when the sum TS is not at least equal to a threshold value TS_thr,1, to grant the user access to a selected default subset of the resource, wherein said computer is further programmed to associate a numerical cryptographic strength with each of said authentication mechanisms.
- View Dependent Claims (17, 18, 19, 20, 23)
- - 17. The system of claim 16, wherein said computer is further programmed to select said default subset to be an empty set.
  - 18. The system of claim 16, wherein said computer is further programmed to grant said user access to said resource when said sum TS is at least equal to said threshold value TS_thr,1.
  - 19. The system of claim 18, wherein said computer is further programmed to grant said user access to a second selected subset of said resource when said sum TS is at least equal to said threshold value TS_thr,1and is not at least equal to a second selected threshold value TS_thr,2, where TS_thr,1<
    - TS_thr,2and said first selected subset is contained in said second selected subset.
  - 20. The system of claim 16, wherein said computer is further programmed to select a sequence of said associated weights w_ithat increases monotonically with an increase of said cryptographic strength of said associated authentication mechanism i, for at least one value of i (i=1, . . . , I).
  - 23. The system of claim 16, further comprising a smartcard, associated with said user, that communicates with said computer and that is programmed to provide said user response in response to receiving at least one selected electronic command.

21. A system for authorization of user access to a selected resource, the system comprising a computer that is programmed:
- to provide I user authentication mechanisms, numbered i=1, 2, . . . , I (I>
  
  1) for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  to receive or provide a user response for each or the authentication mechanisms;
  
  to compute a sum TS of all the weights w_ifor which the user satisfies the ith authentication test; and
  
  when the sum TS is not at least equal to a threshold value TS_thr,1, to grant the user access to a selected default subset of the resource, wherein said computer is further programmed to cause a change in at least one of said test and said weight associated with at least one of said authentication mechanisms at a selected time.
- View Dependent Claims (22)
- - 22. The system of claim 21, wherein said computer is further programmed to choose said selected time to be approximately equal to a selected time at which said resource changes.

24. A system for authorization of user access to a selected resource, the system comprising a computer that is programmed:
- to provide I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧
  
  1) for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  to receive or provide a user response for each of the authentication mechanisms;
  
  to compute a sum TS of all the weights w_ifor which the user satisfies the ith authentication test;
  
  providing a sequence of threshold values TS_thr,j(j=1, 2, . . . , J;
  
  J≧
  
  1)) satisfying TS_thr,1<
  
  TS_thr,2<
  
  . . .<
  
  TS_thr,J; and
  
  when the sum TS satisfies the condition TS_thr,j≦
  
  TS<
  
  TS_thr,j+1for some integer j in the range 1≦
  
  j≦
  
  J−
  
  1, to allow the user access to a selected subset of the resource corresponding to the value TS_thr,j, wherein said computer is further programmed to associating a numerical cryptographic strength with each of said authentication mechanisms.
- View Dependent Claims (25, 26, 27, 30)
- - 25. The system of claim 24, wherein said computer is further programmed to deny said user access to said resource when said sum TS is less than said threshold value TS_thr,1.
  - 26. The system of claim 24, wherein said computer is further programmed to grant said user access to a default subset of said resource when said sum TS is less than said threshold value TS_thr,1.
  - 27. The system of claim 24, wherein said computer is further programmed to select a sequence of said associated weights wi that increases monotonically with an increase of said cryptographic strength of said associated authentication mechanism i, for at least one value of i (I=1, . . . , I).
  - 30. The system of claim 24, further comprising a smartcard, associated with said user, that communicates with said computer and that is programmed to provide said user response in response to receiving at least one selected electronic command.

28. A system for authorization of user access to a selected resource, the system comprising a computer that is programmed:
- to provide I user authentication mechanisms, numbered i=1, 2, . . . , I (I≧
  
  1) for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  to receive or provide a user response for each of the authentication mechanisms;
  
  to compute a sum TS of all the weights w_ifor which the user satisfies the ith authentication test;
  
  providing a sequence of threshold values TS_thr,j(j=1, 2, . . . , J;
  
  J>
  
  1)) satisfying TS_thr,1<
  
  TS_thr,2<
  
  . . .<
  
  TS_thr,J; and
  
  when the sum TS satisfies the condition TS_thr,j<
  
  TS<
  
  TS_thr,j+1for some integer j in the range 1<
  
  j<
  
  J−
  
  1, to allow the user access to a selected subset of the resource corresponding to the value TS_thr,j, wherein said computer is further programmed to cause a change in at least one of said test and said weight associated with at least one of said authentication mechanisms at a selected time.
- View Dependent Claims (29)
- - 29. The system of claim 28, wherein said computer is further programmed to choosing said selected time to be approximately equal to a selected time at which said resource changes.

31. An article of manufacture comprising:
- a computer usable medium having computer readable program code means embodied in the medium for authorizing access to a resource, the computer readable program code means in the article of manufacture comprising;
  
  computer readable program code means for providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I≦
  
  1) for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  computer readable program code means for receiving or providing a user response for each of the authentication mechanisms;
  
  computer readable program code means for computing a sum TS of all the weights w_ifor which the user satisfies authentication test number i; and
  
  when the sum TS is not at least equal to a selected threshold value TS_thr,1, computer readable program code means for denying the user access to the resource, and further comprising computer readable program code means for associating a numerical cryptographic strength with each of said authentication mechanisms.
- View Dependent Claims (32, 33, 34, 37)
- - 32. The article of manufacture of claim 31, further comprising computer readable program code means for granting said user access to said resource when said sum TS is at least equal to said threshold value TS_thr,1.
  - 33. The article of manufacture of claim 31, further comprising computer readable program code means for granting said user access to a second selected subset of said resource when said sum TS is at least equal to said threshold value TS_thr,1and is not at least equal to a second selected threshold value TS_thr,2, where TS_thr,1<
    - TS_thr,2and said first selected subset is contained in said second selected subset.
  - 34. The article of manufacture of claim 31, further comprising computer readable program code means for selecting a sequence of said associated weights w_ithat increases monotonically with an increase of said cryptographic strength of said associated authentication mechanism i, for at least one value of i (i=1, . . . , I).
  - 37. The article of manufacture of claim 31, further comprising computer readable program means, contained in a smartcard, associated with said user, that communicates with said computer and that is programmed to provide said user response in response to receiving at least one selected electronic command.

35. An article of manufacture comprising:
- a computer usable medium having computer readable program code means embodied in the medium for authorizing access to a resource, the computer readable program code means in the article of manufacture comprising;
  
  computer readable program code means for providing I user authentication mechanisms, numbered i=1, 2, . . . , I (I<
  
  1) for authenticating a user who seeks access to a resource, where the ith authentication mechanism has an associated authentication weight w_i;
  
  computer readable program code means for receiving or providing a user response for each of the authentication mechanisms;
  
  computer readable program code means for computing a sum TS of all the weights w_ifor which the user satisfies authentication test number i; and
  
  when the sum TS is not at least equal to a selected threshold value TS_thr,1, computer readable program code means for denying the user access to the resource, and further comprising computer readable program code means for causing a change in at least one of said test and said weight associated with at least one of said authentication mechanisms at a selected time.
- View Dependent Claims (36)
- - 36. The article of manufacture of claim 35, further comprising computer readable program code means for choosing said selected time to be approximately equal to a selected time at which said selected resource changes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Ranganathan, Aravindan, Varma, Sangeeta, Al-Salqan, Yayha
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Brown, Christopher J.

Application Number

US09/305,487
Time in Patent Office

1,735 Days
Field of Search

713/202, 713/168, 713/182, 713/184, 713/166, 713/185, 713/159, 709/229
US Class Current

713/167
CPC Class Codes

G06F 21/40 by quorum, i.e. whereby two...

G06F 21/46 by designing passwords or c...

Cryptographic authorization with prioritized and weighted authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic authorization with prioritized and weighted authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links