User authentication system and method for multiple process applications

US 6,898,711 B1
Filed: 01/13/1999
Issued: 05/24/2005
Est. Priority Date: 01/13/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of authenticating a user within a multiple process environment, comprising:

authenticating the user;

receiving, by a first process requesting a profile token, the profile token representative of the user in response to successfully authenticating the user, the profile token having one or more associated usage limitations;

transferring the profile token to a second process;

changing a user under which the second process is running to the authenticated user represented by the profile token within the usage limitations associated with the profile token; and

performing, by the second process, one or more tasks on behalf of the authenticated user represented by the profile token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user within a multiple process environment is initially authenticated, such as by verifying the user'"'"'s identification and password. A first process, such as a client, requests a profile token representative of the user in response to authenticating the user. The profile token has associated with it one or more usage limitations. The profile token is transferred from the first process to a second process, such as a server. The second process, upon receiving a valid profile token, is allowed to perform one or more tasks on behalf of the user within the token'"'"'s usage limitations. A profile token is invalidated upon violation of a usage limitation, such as a preestablished time-out period. One or more lookup tables are used to manage the profile tokens and to store certain user and profile token information, providing increased processing security.

159 Citations

30 Claims

1. A method of authenticating a user within a multiple process environment, comprising:
- authenticating the user;
  
  receiving, by a first process requesting a profile token, the profile token representative of the user in response to successfully authenticating the user, the profile token having one or more associated usage limitations;
  
  transferring the profile token to a second process;
  
  changing a user under which the second process is running to the authenticated user represented by the profile token within the usage limitations associated with the profile token; and
  
  performing, by the second process, one or more tasks on behalf of the authenticated user represented by the profile token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein authenticating the user comprises authenticating the user by using an identification and a password associated with the user, a digital certificate identification, retinal scan data or palm print data.
  - 3. The method of claim 1, wherein the second process performs the one or more tasks on behalf of the authenticated user represented by the profile token without the second process authenticating the user.
  - 4. The method of claim 1, wherein the first process and the second process operate on a first platform.
  - 5. The method of claim 1, wherein the first process operates on a first platform and the second process operates on a second platform.
  - 6. The method of claim 1, wherein the first process constitutes a client process and the second process constitutes a server process.
  - 7. The method of claim 1, wherein the second process is communicatively isolated from the user.
  - 8. The method of claim 1, wherein the usage limitations comprise a preestablished time period, and performing the one or more tasks by the second process comprises performing a swap operation only during the preestablished time period.
  - 9. The method of claim 1, wherein the usage limitations comprise a preestablished time period, and the method further comprises invalidating the profile token upon expiration of the preestablished time period.
  - 10. The method of claim 1, wherein the usage limitations comprise authorization to generate one or more additional profile tokens by the second process, and the method further comprises transferring the one or more additional profile tokens to one or more additional processes, each of the additional processes performing one or more tasks on behalf of the authenticated user represented by the respective additional profile tokens.
  - 11. The method of claim 10, wherein the usage limitations comprise authorization to generate an additional set of one or more additional profile tokens by the second process only during a preestablished time period.
  - 12. The method of claim 1, wherein the profile token is characterized as a single-use profile token or a multiple-use profile token.
  - 13. The method of claim 12, wherein the multiple-use profile token is characterized as a regenerable multiple-use profile token or a non-regenerable multiple-use profile token.

14. An apparatus for authenticating a user within a multiple process environment, comprising:
- a processor, a first process and a second process respectively operating on the processor;
  
  a first interface, callable by the first process, that authenticates the user and generates a profile token representative of the user in response to successfully authenticating the user, the profile token having one or more associated usage limitations; and
  
  a second interface, callable by the second process, that verifies validity of the profile token received from the first process, invalidates the profile token if usage limitations are violated, and, if valid, changes a user under which the second process is running to the authenticated user represented by the profile token within the usage limitations associated with the profile token so as to allow the second process to perform one or more tasks on behalf of the authenticated user represented by the profile token.
- View Dependent Claims (15, 16, 18, 19, 20, 21, 22)
- - 15. The apparatus of claim 14, wherein the processor comprises a first processor and a second processor, the first process operating on the first processor and the second process operating on the second processor.
  - 16. The apparatus of claim 15, wherein the first processor and the second processor are provided on respective first and second platforms or on a common platform.
  - 18. The apparatus of claim 14, wherein the processor is coupled to memory, the memory comprising one or more lookup tables for storing information used by the processor to manage one or more profile tokens.
  - 19. The apparatus of claim 18, wherein a profile token comprises a first data storing portion and an entry of a lookup table comprises a second data storing portion, the second interface using data stored in the first and second data storing portions to verify validity of the profile token received from the first process.
  - 20. The apparatus of claim 18, wherein the usage limitations comprise a predetermined time-out value, the predetermined time-out value hardcoded in an entry of the lookup table associated with the profile token.
  - 21. The apparatus of claim 14, wherein the profile token is characterized as a single-use profile token or a multiple-use profile token.
  - 22. The apparatus of claim 21, wherein the multiple-use profile token is characterized as a regenerable multiple-use profile token or a non-regenerable multiple-use profile token.

17. The apparatus of claim is, wherein the first processor is coupled to the second processor via a network connection.

23. A computer readable medium tangibly embodying a program executable for authenticating a user within a multiple process environment, comprising:
- authenticating the user;
  
  generating, by a first process, a profile token representative of the user in response to successfully authenticating the user, the profile token having associated usage limitations;
  
  transferring the profile token to a second process;
  
  changing a user under which the second process is running to the authenticated user represented by the profile token within the usage limitations associated with the profile token; and
  
  performing, by the second process, one or more tasks on behalf of the authenticated user represented by the profile token.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The medium of claim 23, wherein authenticating the user comprises authenticating the user by using an identification and a password associated with the user, a digital certificate identification, retinal scan data or palm print data.
  - 25. The medium of claim 23, wherein the second process performs the one or more tasks on behalf of the authenticated user represented by the profile token without the second process authenticating the user.
  - 26. The medium of claim 23, wherein the first process operates on a first platform and the second process operates on the first platform or on a second platform.
  - 27. The medium of claim 23, wherein the usage limitations comprise a preestablished time period, and performing the one or more tasks by the second process comprises performing a swap operation only during the preestablished time period.
  - 28. The medium of claim 23, wherein the usage limitations comprise a preestablished time period, and the method further comprises invalidating the profile token upon expiration of the preestablished time period.
  - 29. The medium of claim 23, wherein the profile token is characterized as a single-use profile token or a multiple-use profile token.
  - 30. The medium of claim 29, wherein the multiple-use profile token is characterized as a regenerable multiple-use profile token or a non-regenerable multiple-use profile token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bauman, Mark Linus, Botz, Patrick S., Rapp, William Craig
Primary Examiner(s)
Darrow, Justin T.

Application Number

US09/229,733
Time in Patent Office

2,323 Days
Field of Search

713/155, 713/156, 713/159, 713/164, 713/166, 713/167, 713/182, 713/185, 713/186, 713/189, 713/193, 713/200, 713/201, 713/202, 705/41, 705/65, 705/66, 705/67, 708/135, 709/100, 709/102, 709/104, 709/107, 709/108, 711/163, 711/164
US Class Current

713/185
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2151   Time stamp

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

User authentication system and method for multiple process applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

159 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication system and method for multiple process applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links