Security architecture with environment sensitive credential sufficiency evaluation
Abstract
By including environment information in a security policy, a security architecture advantageously allows temporal, locational, connection type and/or client capabilities-related information to affect the sufficiency of a given credential type (and associated authentication scheme) for access to a particular information resource. In some configurations, time of access, originating location (physical or network) and/or connection type form a risk profile that can be factored into credential type sufficiency. In some configurations, changing environmental parameters may cause a previously sufficient credential to become insufficient. Alternatively, an authenticated credential previously insufficient for access at a given trust level may be sufficient based on a changed or more fully parameterized session environment. In some configurations, the use of session tracking facilities (e.g., the information content of session tokens) can be tailored to environmental parameters (e.g., connection type or location). Similarly, capabilities of a particular client entity (e.g., browser support for a 128-bit cipher or availability of a fingerprint scanner or card reader) may affect the availability or sufficiency of particular authentication schemes to achieve a desired trust level.
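The evaluation the abstract describes, written out as an added Python example (this is not code from the patent or its assignee). Credential types, the trust level each achieves, the per-resource trust level requirements and the environment-based discounts are assumed illustrative values; the structure follows the claims: a trust level requirement per resource, session-parameter-based trust level discounts as the decision logic, capability gating for biometric and possession-based credentials, and an evaluation that either allows on an already authenticated credential or reports which credential types would suffice in the current environment.

```python
from dataclasses import dataclass, field

# Trust level a credential type achieves when authenticated in a fully trusted
# environment (illustrative 0-4 scale; these values are assumptions, not the patent's).
BASE_TRUST = {
    "password": 2,
    "one_time_password": 3,
    "digital_certificate": 3,
    "fingerprint": 4,
    "smart_card": 4,
}

# Client capability that must be present before a credential type can even be
# gathered (the abstract's fingerprint scanner / card reader availability).
REQUIRED_CAPABILITY = {
    "fingerprint": "fingerprint_scanner",
    "smart_card": "card_reader",
}

# Trust level requirement of each information resource (illustrative).
RESOURCE_TRUST = {"/mail": 2, "/payroll": 3, "/hr/admin": 4}


@dataclass
class Environment:
    """Environment information associated with a session (claims 9, 10, 12)."""
    source_network: str = "intranet"   # "intranet", "vpn" or "internet"
    connection: str = "lan"            # "lan" or "dialup"
    line_encrypted: bool = True        # low-level line encryption on dial-up
    hour: int = 10                     # local hour of the access request
    capabilities: frozenset = frozenset()


@dataclass
class Session:
    session_id: str
    env: Environment
    authenticated: set = field(default_factory=set)  # credential types already authenticated


def trust_discount(env: Environment) -> int:
    """Session-parameter-based trust level discount (one of the encodings named in claim 19)."""
    discount = 0
    if env.source_network == "internet":
        discount += 1
    if env.connection == "dialup" and not env.line_encrypted:
        discount += 1
    if env.hour < 7 or env.hour >= 20:   # off-hours access
        discount += 1
    return discount


def effective_trust(cred_type: str, env: Environment) -> int:
    return max(0, BASE_TRUST[cred_type] - trust_discount(env))


def sufficient_types(resource: str, env: Environment) -> set:
    """Set of credential types sufficient for the resource given the environment (claim 4)."""
    need = RESOURCE_TRUST[resource]
    result = set()
    for cred_type in BASE_TRUST:
        cap = REQUIRED_CAPABILITY.get(cred_type)
        if cap is not None and cap not in env.capabilities:
            continue   # the client cannot present this credential type at all
        if effective_trust(cred_type, env) >= need:
            result.add(cred_type)
    return result


def evaluate(session: Session, resource: str):
    """Claim 16: allow when an already authenticated credential is of a sufficient
    type; otherwise return the types the client must authenticate with. An empty
    set means no credential type suffices in this environment, so access is denied."""
    ok = sufficient_types(resource, session.env)
    usable = session.authenticated & ok
    if usable:
        return "allow", usable
    return ("challenge" if ok else "deny"), ok


if __name__ == "__main__":
    scanner = frozenset({"fingerprint_scanner"})
    s = Session("s1", Environment(capabilities=scanner), {"password"})
    print(evaluate(s, "/mail"))     # ('allow', {'password'})
    # Claim 8: the environment is updated at request time. The same session now
    # arrives from the Internet and the password that sufficed no longer does.
    s.env = Environment(source_network="internet", capabilities=scanner)
    print(evaluate(s, "/mail"))     # challenge with OTP, certificate or fingerprint
    s.authenticated.add("one_time_password")
    print(evaluate(s, "/mail"))     # ('allow', {'one_time_password'})
    print(evaluate(s, "/payroll"))  # ('challenge', {'fingerprint'})
    s.env = Environment(source_network="internet", hour=23, capabilities=scanner)
    print(evaluate(s, "/payroll"))  # ('deny', set())
```

The last call is the case worth noticing in a deployment: when the discounts push every credential type below the requirement, the sufficient set is empty and the facility must deny rather than challenge, since there is nothing the client could present that would help.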
542 Citations
26 Claims
1. A method of determining sufficiency of a credential type for access to an information resource, the method comprising:
establishing a correspondence between a session and an access request targeting the information resource;
establishing a trust level requirement for access to the information resource; and
evaluating correspondence of one or more credential types with the trust level requirement for access to the information resource and with environment information associated with the session.
2. A method as in claim 1,
wherein one or more authenticated credentials of the one or more credential types are associated with the session; and
wherein the correspondence evaluating includes determining whether at least one of the one or more authenticated credentials is sufficient to achieve the trust level requirement given the environment information.
3. A method as in claim 2, further comprising:
if at least one of the one or more authenticated credentials is sufficient to achieve the trust level requirement given the environment information, allowing the requested access; and
otherwise, obtaining and authenticating a sufficient credential before allowing the requested access.
4. A method as in claim 1,
wherein the correspondence evaluating includes determining a set of the credential types sufficient to achieve the trust level requirement given the environment information.
5. A method as in claim 4, further comprising:
obtaining at least one credential of a type selected from the set of sufficient credential types;
authenticating a client entity thereby; and
performing the requested access on behalf of the client entity.
6. A method as in claim 1,
wherein the correspondence evaluating includes evaluating a mapping rule encoding suitable credential types as a function of trust levels and environment parameters.
7. A method as in claim 1,
wherein the session correspondence establishing includes use of a cryptographically secured session token encoded with the access request to resolve the session and the environment information.
8. A method as in claim 1, further comprising:
coincident with receipt of the access request, updating the environment information associated with the corresponding session.
9. A method as in claim 1,
wherein the environment information includes one or more of connect location, access request time, access request date, session start time, session start date, client type and client capabilities.
10. A method as in claim 1,
wherein the session includes a dial-up connection; and
wherein the environment information includes one or more of connection speed and low-level line encryption.
11. A method as in claim 1,
wherein the environment information includes one or more of source identifier and signaling type.
12. A method as in claim 1,
wherein the session includes a network connection; and
wherein the environment information includes one or more of source network, source node, Virtual Private Network (VPN) low-level encryption and routing information.
13. A method as in claim 1,
wherein the set of the credential types includes one or more of a username password pair, a digital certificate, an encrypted credential based on asymmetric, symmetric, public, private, or secret key technology, a one-time password, a biometric credential based on retinal scan, voice print, or finger print, and a possession based credential embodied in a smart card, Enigma card or physical key.
14. A method as in claim 1,
wherein the trust level requirement establishing includes querying an authorization service with a resource identifier for the information resource targeted by the access request and with a session identifier for the corresponding session.
15. A method as in claim 1, embodied as a computer program product including functionally descriptive information for directing a processor to perform the correspondence establishing, the trust level requirement establishing, and the evaluating, the computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.
16. A method of operating a security architecture, the method comprising:
matching an access request of a client entity with a corresponding session, the access request targeting a first of plural information resources and the session having an associated one or more session parameters affecting sufficiency of credential types;
determining a set of one or more credential types sufficient for access to the first information resource, the determining based, at least in part, on the one or more session parameters;
if an authenticated credential associated with the session is of one of the sufficient credential types, then allowing access to the first information resource; and
otherwise, obtaining a new credential and authenticating the client entity thereby, the obtained credential being of one of the sufficient credential types; and
allowing access to the first information resource.
17. A method as in claim 16, wherein the determining of sufficient credential types includes:
obtaining a trust level requirement associated with the first information resource;
selecting only those credential types sufficient, if authenticated, to achieve the trust level requirement given current values of the one or more session parameters.
18. A method as in claim 16, wherein the determining of sufficient credential types includes:
evaluating decision logic encoding the set of sufficient credential types as a function of the session parameters and the particular one of the information resources for which access is requested.
19. A method as in claim 17, wherein the decision logic is encoded at least partly as one of:
mapping rules;
fuzzy sets;
session parameter-based trust level discounts; and
an enumeration of trust level and session parameter minima corresponding to individual ones of the credential types.
20. A method as in claim 16, wherein the determining of sufficient credential types includes:
evaluating decision logic encoding the set of sufficient credential types as a function of the session parameters and a trust level requirement associated with the targeted information resource.
21. A method as in claim 16,
wherein the one or more session parameters are indicative of temporal, locational or connection-related states of the matched session.
22. A method as in claim 16,
wherein the client entity includes a browser; and
wherein the matching of the access request with the session includes use of a cryptographically secured session token encoded in a cookie supplied to the browser.
23. An information system comprising:
plural information resources hosted on one or more servers coupled via a communication network to a client entity, the plural information resources having individualized authentication requirements; and
an access control facility common to the plural information resources, the common access control facility obtaining a credential for the client entity and authenticating the client entity thereby;
wherein, in response to a request for access to a first of the information resources, the common access control facility evaluates, based in part on current parameters of a corresponding persistent session, sufficiency of associated authenticated credentials for access to the first information resource.
24. An access control facility for providing a single sign-on for sessions that potentially include accesses to plural information resources having differing security requirements, the access control facility comprising:
an application proxy for receiving an access request targeting one of the information resources, associating the access request with a session, and selectively proxying the access request;
means responsive to the application proxy for evaluating sufficiency of credential types based on then current parameters of the session and on a trust level requirement of the targeted information resource, the application proxy proxying the access request if at least one sufficient credential is associated with the session.
25. An access control facility as in claim 24, further comprising:
credential gathering means responsive to an insufficient zero or more credentials associated with the session, the credential gathering means obtaining a credential of type sufficient, if authenticated, to achieve the trust level requirement of the targeted information resource given then current parameters of the session.
26. An access control facility as in claim 24, embodied as a computer program product encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.
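Claims 7 and 22 resolve the session and its environment information from a cryptographically secured session token carried in a cookie, and claim 8 updates that environment information when the request arrives. The following added Python example (not the patent's or its assignee's code) shows one way to do that with an HMAC-SHA256 tag over a JSON payload; the token layout, the field names, the `sess` cookie name and the key are assumptions made for the example. The point a practitioner should take from it is the split in `resolve_session`: fields recorded at session start (client capabilities, start time) come from the verified token, while connection-derived parameters (source network, time of the request) are re-derived from the request the server is looking at, because a cookie is replayed by the client and must not be the source of truth for where and when the request originates.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret that authenticates session tokens. Constructed for this
# example; a deployment loads it from a key store and rotates it.
DEMO_KEY = b"example-only-session-mac-key-rotate-me"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, session_id: str, env: dict, now: int) -> str:
    """Session token = base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag).
    The payload carries the session identifier and the environment information
    captured when the session was established, so a later request resolves both."""
    payload = {"sid": session_id, "env": env, "iat": now}
    body = b64url_encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url_encode(tag)


def resolve_token(key: bytes, token: str, now: int, max_age: int = 8 * 3600):
    """Return the payload if the tag verifies and the token is not stale, else None.
    The tag is checked (in constant time) before the body is parsed, so an edited
    or forged payload never reaches the JSON decoder or the policy engine."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None
        payload = json.loads(b64url_decode(body))
        if not isinstance(payload, dict) or now - int(payload["iat"]) > max_age:
            return None
        return payload
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None   # malformed, truncated, bad padding, non-numeric iat, etc.


def resolve_session(key: bytes, cookie_header: str, observed: dict, now: int):
    """Claims 7 and 22: match the request to its session via the 'sess' cookie.
    Claim 8: then update the environment from what the server observes on this
    request; observed values override anything recorded in the token."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    payload = resolve_token(key, cookies.get("sess", ""), now)
    if payload is None:
        return None
    env = dict(payload.get("env") or {})
    env.update(observed)
    return payload["sid"], env


if __name__ == "__main__":
    start_env = {"source_network": "intranet", "client_capabilities": ["fingerprint_scanner"]}
    token = mint_token(DEMO_KEY, "s1", start_env, now=1_700_000_000)
    # Same cookie replayed ten minutes later from the Internet: the session resolves,
    # but the environment now says "internet", which the policy engine will discount.
    print(resolve_session(DEMO_KEY, "theme=dark; sess=" + token,
                          {"source_network": "internet", "hour": 22}, now=1_700_000_600))
    # Splicing the original tag onto an edited payload fails verification.
    _, tag = token.split(".")
    edited = mint_token(b"attacker-has-no-key", "s1", {"source_network": "intranet"}, 1_700_000_000).split(".")[0]
    print(resolve_token(DEMO_KEY, edited + "." + tag, now=1_700_000_600))   # None
```

Rotating `DEMO_KEY` invalidates every outstanding token, which is the behaviour you want on suspected key exposure; pair `max_age` with the session-start time already in the payload if the policy also bounds session lifetime.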
Specification