Method and system for coupling an X.509 digital certificate with a host identity

US 6,854,056 B1
Filed: 09/21/2000
Issued: 02/08/2005
Est. Priority Date: 09/21/2000
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a client within a distributed data processing system, the method comprising the steps of:

receiving a digital certificate from the client at a host within the distributed data processing system;

obtaining a host identity for the client from the digital certificate, wherein the host identity for the client identifies the client to the host, and wherein the host is not a certifying authority that issued the digital certificate;

retrieving host-decryptable secret data associated with the host identity from the digital certificate;

decrypting the host-decryptable secret data with a host private key to generate secret data; and

authenticating the client at the host using the host identity and the secret data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method or system is presented for coupling identities through the use of digital certificates, thereby allowing a client to be authenticated for a variety of services without those services having to modify their existing methods of authentication. The client generates a request for a digital certificate containing its host identity for a targeted host and secret data associated with its host identity. The secret data has been encrypted using the public key of the certifying authority that receives the request for the digital certificate. The certifying authority decrypts the secret data using its private key and encrypts the secret data using the public key of the targeted host. The digital certificate is then generated and returned to the client. At some point in time, a host receives the certificate from the client and obtains the client'"'"'s host identity from the certificate, i.e. the host identity uniquely identifies the client or the user of the client to the host. Encrypted secret data associated with the host identity, such as a password, is also retrieved from the digital certificate. The host decrypts the secret data with its private key, and the host then authenticates the client using the host identity and the decrypted secret data for various services. The digital certificate may be formatted according to the X.509 standard, and the host identity and secret information may be stored in an X.509 extension within the digital certificate.

Citations

40 Claims

1. A method for authenticating a client within a distributed data processing system, the method comprising the steps of:
- receiving a digital certificate from the client at a host within the distributed data processing system;
  
  obtaining a host identity for the client from the digital certificate, wherein the host identity for the client identifies the client to the host, and wherein the host is not a certifying authority that issued the digital certificate;
  
  retrieving host-decryptable secret data associated with the host identity from the digital certificate;
  
  decrypting the host-decryptable secret data with a host private key to generate secret data; and
  
  authenticating the client at the host using the host identity and the secret data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the host acts as a proxy for the client.
  - 3. The method of claim 1 further comprising:
    - verifying the received digital certificate.
  - 4. The method of claim 1 further comprising:
    - generating, at the client, a request for a digital certificate comprising host identity mapping data;
      
      sending the request for the digital certificate to a certifying authority (CA); and
      
      receiving a digital certificate comprising host identity mapping data from the certifying authority.
  - 5. The method of claim 4 further comprising:
    - storing the host identity in the request for the digital certificate;
      
      encrypting secret data associated with the host identity using a public key of the certifying authority to generate CA-decryptable secret data; and
      
      storing the CA-decryptable secret data in the request for the digital certificate, wherein the host identity and the CA-decryptable secret data comprise the host identity mapping data in the request for the digital certificate.
  - 6. The method of claim 4 further comprising:
    - receiving, at the certifying authority, the request for a digital certificate;
      
      generating the digital certificate in response to the received request for the digital certificate; and
      
      sending the generated digital certificate to the client.
  - 7. The method of claim 4 further comprising:
    - retrieving CA-decryptable secret data from the host identity mapping data in the request for the digital certificate;
      
      decrypting the CA-decryptable secret data associated with the host identity using a private key of the certifying authority to generate secret data;
      
      encrypting the secret data associated with the host identity using a public key of the host to generate the host-decryptable secret data; and
      
      storing the host-decryptable secret data in the digital certificate, wherein the host identity and the host-decryptable secret data comprise the host identity mapping data in the digital certificate.
  - 8. The method of claim 1 wherein the digital certificate comprises multiple host identities for multiple hosts within the distributed data processing system.
  - 9. The method of claim 1 wherein the digital certificate is formatted according to the X.509 standard.
  - 10. The method of claim 9 wherein the host identity and the host-decryptable secret data associated with the host identity is stored within an X.509 extension within the digital certificate.
  - 11. The method of claim 1 further comprising:
    - performing multiple authentication processes within the distributed data processing system for the client through the host using information within the digital certificate.

12. A method for generating a digital certificate, the method comprising the steps of:
- receiving, at a certifying authority (CA), a request for a digital certificate from a client, wherein the request for a digital certificate comprises host identity mapping data, wherein a host identity for the client within the host identity mapping data identifies the client to a host, and wherein the host is not the certifying authority;
  
  generating the digital certificate in response to the received request for a digital certificate; and
  
  sending the generated digital certificate to the client, wherein the digital certificate comprises host identity mapping data.
- View Dependent Claims (13)
- - 13. The method of claim 12 further comprising:
    - retrieving CA-decryptable secret data from the host identity mapping data in the request for a digital certificate;
      
      decrypting the CA-decryptable secret data associated with a host identity using a private key of the certifying authority to generate secret data;
      
      encrypting the secret data associated with the host identity using a public key of a host to generate a host-decryptable secret data; and
      
      storing the host-decryptable secret data in the digital certificate, wherein the host identity and the host-decryptable secret data comprise the host identity mapping data in the digital certificate.

14. An apparatus for authenticating a client within a distributed data processing system, the apparatus comprising:
- first receiving means for receiving a digital certificate from the client at a host within the distributed data processing system;
  
  obtaining means for obtaining a host identity for the client from the digital certificate, wherein the host identity for the client identifies the client to the host, and wherein the host is not a certifying authority that issued the digital certificate;
  
  first retrieving means for retrieving host-decryptable secret data associated with the host identity from the digital certificate;
  
  first decrypting means for decrypting the host-decryptable secret data with a host private key to generate secret data; and
  
  authenticating means for authenticating the client at the host using the host identity and the secret data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The apparatus of claim 14, wherein the host acts as a proxy for the client.
  - 16. The apparatus of claim 14 further comprising:
    - verifying means for verifying the received digital certificate.
  - 17. The apparatus of claim 14 further comprising:
    - first generating means for generating, at the client, a request for a digital certificate comprising host identity mapping data;
      
      first sending means for sending the request for the digital certificate to a certifying authority (CA); and
      
      second receiving means for receiving a digital certificate comprising host identity mapping data from the certifying authority.
  - 18. The apparatus of claim 17 further comprising:
    - first storing means for storing the host identity in the request for the digital certificate;
      
      first encrypting means for encrypting secret data associated with the host identity using a public key of the certifying authority to generate CA-decryptable secret data; and
      
      second storing means for storing the CA-decryptable secret data in the request for the digital certificate, wherein the host identity and the CA encrypted CA-decryptable secret data comprise the host identity mapping data in the request for the digital certificate.
  - 19. The apparatus of claim 17 further comprising:
    - third receiving means for receiving, at the certifying authority, the request for a digital certificate;
      
      second generating means for generating the digital certificate in response to the received request for the digital certificate; and
      
      second sending means for sending the generated digital certificate to the client.
  - 20. The apparatus of claim 17 further comprising:
    - second retrieving means for retrieving CA-decryptable secret data from the host identity mapping data in the request for the digital certificate;
      
      second decrypting means for decrypting the CA-decryptable secret data associated with the host identity using a private key of the certifying authority to generate secret data;
      
      second encrypting means for encrypting the secret data associated with the host identity using a public key of the host to generate the host-decryptable secret data; and
      
      third storing means for storing the host-decryptable secret data in the digital certificate, wherein the host identity and the host-decryptable secret data comprise the host identity mapping data in the digital certificate.
  - 21. The apparatus of claim 14 wherein the digital certificate comprises multiple host identities for multiple hosts within the distributed data processing system.
  - 22. The apparatus of claim 14 wherein the digital certificate is formatted according to the X.509 standard.
  - 23. The apparatus of claim 22 wherein the host identity and the host-decryptable secret data associated with the host identity is stored within an X.509 extension within the digital certificate.
  - 24. The apparatus of claim 14 further comprising:
    - performing means for performing multiple authentication processes within the distributed data processing system for the client through the host using information within the digital certificate.

25. An apparatus for generating a digital certificate, the apparatus comprising:
- receiving means for receiving, at a certifying authority (CA), a request for a digital certificate from a client, wherein the request for a digital certificate comprises host identity mapping data, wherein a host identity for the client within the host identity mapping data identifies the client to a host, and wherein the host is not the certifying authority;
  
  generating means for generating the digital certificate in response to the received request for a digital certificate; and
  
  sending means for sending the generated digital certificate to the client, wherein the digital certificate comprises host identity mapping data.
- View Dependent Claims (26)
- - 26. The apparatus of claim 25 further comprising:
    - retrieving means for retrieving CA-decryptable secret data from the host identity mapping data in the request for a digital certificate;
      
      decrypting means for decrypting the CA-decryptable secret data associated with a host identity using a private key of the certifying authority to generate secret data;
      
      encrypting means for encrypting the secret data associated with the host identity using a public key of a host to generate host-decryptable secret data; and
      
      storing means for storing the host-decryptable secret data in the digital certificate, wherein the host identity and the host-decryptable secret data comprise the host identity mapping data in the digital certificate.

27. A computer program product on a computer readable medium for use in a distributed data processing system for authenticating a client, the computer program product comprising:
- instructions for receiving a digital certificate from the client at a host within the distributed data processing system;
  
  instructions for obtaining a host identity for the client from the digital certificate, wherein the host identity for the client identifies the client to the host, and wherein the host is not a certifying authority that issued the digital certificate;
  
  instructions for retrieving host-decryptable secret data associated with the host identity from the digital certificate;
  
  instructions for decrypting the host-decryptable secret data with a host private key to generate secret data; and
  
  instructions for authenticating the client at the host using the host identity and the data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 28. The computer program product of claim 27, wherein the host acts as a proxy for the client.
  - 29. The computer program product of claim 27 further comprising:
    - instructions for verifying the received digital certificate.
  - 30. The computer program product of claim 27 further comprising:
    - instructions for generating, at the client, a request for a digital certificate comprising host identity mapping data;
      
      instructions for sending the request for the digital certificate to a certifying authority (CA); and
      
      instructions for receiving a digital certificate comprising host identity mapping data from the certifying authority.
  - 31. The computer program product of claim 30 further comprising:
    - instructions for storing the host identity in the request for the digital certificate;
      
      instructions for encrypting secret data associated with the host identity using a public key of the certifying authority to generate CA-decryptable secret data; and
      
      instructions for storing the CA-decryptable secret data in the request for the digital certificate, wherein the host identity and the CA-decryptable secret data comprise the host identity mapping data in the request for the digital certificate.
  - 32. The computer program product of claim 30 further comprising:
    - instructions for receiving, at the certifying authority, the request for a digital certificate;
      
      instructions for generating the digital certificate in response to the received request for the digital certificate; and
      
      instructions for sending the generated digital certificate to the client.
  - 33. The computer program product of claim 30 further comprising:
    - instructions for retrieving CA-decryptable secret data from the host identity mapping data in the request for the digital certificate;
      
      instructions for decrypting the CA-decryptable secret data associated with the host identity using a private key of the certifying authority to generate secret data;
      
      instructions for encrypting the secret data associated with the host identity using a public key of the host to generate the host-decryptable secret data; and
      
      instructions for storing the host-decryptable secret data in the digital certificate, wherein the host identity and the host-decryptable secret data comprise the host identity mapping data in the digital certificate.
  - 34. The computer program product of claim 27 wherein the digital certificate comprises multiple host identities for multiple hosts within the distributed data processing system.
  - 35. The computer program product of claim 27 wherein the digital certificate is formatted according to the X.509 standard.
  - 36. The computer program product of claim 35 wherein the host identity and the host-decryptable secret data associated with the host identity is stored within an X.509 extension within the digital certificate.
  - 37. The computer program product of claim 27 further comprising:
    - instructions for performing multiple authentication processes within the distributed data processing system for the client through the host using information within the digital certificate.

38. A computer program product on a computer readable medium for use in a distributed data processing system for generating a digital certificate, the computer program product comprising:
- instructions for receiving, at a certifying authority (CA), a request for a digital certificate from a client, wherein the request for a digital certificate comprises host identity mapping data, wherein a host identity for the client within the host identity mapping data identifies the client to a host, and wherein the host is not the certifying authority;
  
  instructions for generating the digital certificate in response to the received request for a digital certificate; and
  
  instructions for sending the generated digital certificate to the client, wherein the digital certificate comprises host identity mapping data.
- View Dependent Claims (39)
- - 39. The computer program product of claim 38 further comprising:
    - instructions for retrieving CA-decryptable secret data from the host identity mapping data in the request for a digital certificate;
      
      instructions for decrypting the CA-decryptable secret data associated with a host identity using a private key of the certifying authority to generate secret data;
      
      instructions for encrypting the secret data associated with the host identity using a public key of a host to generate host-decryptable secret data; and
      
      instructions for storing the host-decryptable secret data in the digital certificate, wherein the host identity and the host-decryptable secret data comprise the host identity mapping data in the digital certificate.

40. A data structure representing a digital certificate for use in a data processing system, the data structure comprising:
- an issuer name;
  
  a signature;
  
  a subject name; and
  
  an extension, wherein the extension comprises a host identity and host-decryptable secret data associated with the host identity, wherein the host identity identifies a client to a host, wherein the host is not a certifying authority that issued the digital certificate, and wherein the host-decryptable secret data is used by the host to authenticate the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Benantar, Messaoud, Milman, Ivan, Gindin, Thomas L.
Primary Examiner(s)
MOISE, EMMANUEL LIONEL

Application Number

US09/667,090
Time in Patent Office

1,601 Days
Field of Search

713/156, 713/155, 713/168, 713/172, 713/182, 713/201, 713/186, 382/116, 709/227, 709/229, 380/30, 380/282, 380/285
US Class Current

713/156
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 9/3263   involving certificates, e.g...

Method and system for coupling an X.509 digital certificate with a host identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for coupling an X.509 digital certificate with a host identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links