Technique for synchronizing security credentials using a trusted authenticating domain

US 6,986,039 B1
Filed: 07/11/2000
Issued: 01/10/2006
Est. Priority Date: 07/11/2000
Status: Expired due to Fees

First Claim

Patent Images

1. In a computing environment having a plurality of secure network connections, a computer program product for securely propagating security credentials using a trusted authenticating domain, the computer program product embodied on one or more computer-readable media and comprising:

computer-readable program code means for receiving, by a password synchronization agent (“

PSA”

) from a user at a client device over a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of the user and an identifying secret of the user;

computer-readable program code means for forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, the received user identifier and identifying secret, wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;

computer-readable program code means for receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and

computer-readable program code means for propagating, if the validation result is the successful result, the received user identifier and identifying secret from the PSA to a master registry over a third mutually-authenticated secure connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method, system, and computer program product for synchronizing security credentials of users and/or groups of users between directories, operating system platforms, and/or registries. A user'"'"'s security credentials at a master registry are to be securely set (or reset). To ensure that the user has the required permission for this operation, the user is first authenticated with a trusted authenticating domain. The authenticating domain may be identified by the user, or the identification of the domain may be obtained from the master registry. The master registry may store an identification of the authenticating domain on a per-user basis, or for groups of users, or for the master registry as a whole. The credentials may be propagated to other registries, in addition to the master. This technique enables synchronizing multiple copies of a user'"'"'s security credentials without requiring access to a plaintext version thereof, and without forcing the credentials to a new value as part of the synchronization process.

Citations

34 Claims

1. In a computing environment having a plurality of secure network connections, a computer program product for securely propagating security credentials using a trusted authenticating domain, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for receiving, by a password synchronization agent (“
  
  PSA”
  
  ) from a user at a client device over a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of the user and an identifying secret of the user;
  
  computer-readable program code means for forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, the received user identifier and identifying secret, wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;
  
  computer-readable program code means for receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and
  
  computer-readable program code means for propagating, if the validation result is the successful result, the received user identifier and identifying secret from the PSA to a master registry over a third mutually-authenticated secure connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 30)
- - 2. The computer program product according to claim 1, further comprising computer-readable program code means for propagating code means for propagating, if the validation result is the successful result, the received identifying secret from the PSA to one or more target registries over fourth mutually-authenticated secure connections, each of the fourth connections being between the PSA and a distinct one of the target registries, such that the each target registry can store, for the user identifier, a secured version of the identifying secret.
  - 3. The computer program product according to claim 1, wherein the password propagation request further provides an identification of the trusted authenticating domain;
    - andfurther comprising computer-readable program code means for verifying that the trusted authenticating domain is trusted by the master registry as a prerequisite to the propagating.
  - 4. The computer program product according to claim 1, further comprising:
    - computer-readable program code means for obtaining, by the PSA using the third connection, an identification of the trusted authenticating domain from the master registry as a prerequisite to the forwarding.
  - 5. The computer program product according to claim 3, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for verifying that the trusted authenticating domain is trusted further comprises a computer-readable program code means for checking whether the stored trust policy information for the user identifier includes the trusted authenticating domain identification provided in the password propagation request.
  - 6. The computer program product according to claim 3, wherein the master registry stores trust policy information, and wherein the computer-readable program codfe means for verifying that the trusted authenticating domain is trusted further comprises computer-readable program code means for checking whether the stored trust policy information for a user group of which the user identified by the user identifier is a member includes the trusted authenticating domain identification provided in the password propagation request.
  - 7. The computer program product according to claim 4, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for obtaining the identification of the trusted authenticating domain from the master registry further comprises computer-readable program cofde means for obtaining the trusted authenticating domain identification using the stored trust policy information for the user identifier.
  - 8. The computer program product according to claim 4, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for obtaining the identification of the trusted authenticating domain from the master registry further comprises computer-readable program code means for obtaining the trusted authenticating domain identification using the stored trust policy information for a user group of which the user identified by the user identifier is a member.
  - 9. The computer program product according to claim 2, wherein the master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating the received identifying secret to the one or more target registries further comprises computer-readable program code means for identifying the one or more other target registries using the stored password synchronization policy information for the user identifier.
  - 10. The computer program product according to claim 2, wherein the master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating the received the received identifying secret to the one or more target registries further comprises computer-readable program code means for identifying the one or more target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.
  - 11. The computer program product according to claim 1, wherein the previously-stored secured version of the identifying secret was created, at the trusted authenticating domain, by performing a security function on a previously-received copy of the identifying secret of the user, wherein the security function comprises one of (i) a one-way algorithm or (ii) an encryption algorithm;
    - wherein the security function is repeated, at the trusted authenticating domain, on the forwarded identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted authenticating domain then creates the successful result.
  - 12. The computer program product according to claim 1, wherein the validation result is created, at the trusted authenticating domain, by invoking an authenticated LDAP bind or other native authentication mechanism of the trusted authenticating domain, using the forwarded user identifier and the identifying secret of the user, and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism.
  - 13. The computer program product according to claim 1, wherein the PSA has administrative authority for performing operations at the master registry.
  - 14. The computer program product according to claim 2, wherein the PSA has administrative authority for performing operations at the one or more target registries.
  - 30. The computer program product according to claim 1, further comprising:
    - computer-readable program code means for obtaining a new value from the user to be used as the propagated identifying secret if the validation has the successful result; and
      
      computer-readable program code means for substituting the new value for the received identifying secret prior to operations of the computer-readable program code means for propagating.

15. A system for securely propagating security credentials using a trusted authenticating domain, comprising:
- means for receiving by a password synchronization agent (“
  
  PSA”
  
  ) from a user at a client device over a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of the user and an identifying secret of the user;
  
  means for forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, the received user identifier and identifying secret, wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;
  
  means for receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and
  
  means for propagating, if the validation result is the successful result, the received user identifier and identifying secret from the PSA to a master registry over a third mutually-authenticated source connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 31)
- - 16. The system according to claim 15, further comprising means for propagating, if the validation result is the successful result, the received identifying secret from the PSA to one or more target registries over fourth mutually-authenticated secure connections, each of the fourth connections being between the PSA and a distinct one of the target registries, such that each target registry can store, for the user identifier, a secured version of the identifying secret.
  - 17. The system according to claim 15, wherein the password propagation request further provides an identification of the trusted authenticating domain;
    - andfurther comprising means for verifying that the trusted authenticating domain is trusted by the master registry as a prerequisite to the propagating.
  - 18. The system according to claim 15, further comprising:
    - means for obtaining, by the PSA using the third connection, an identification of the trusted authenticating domain from the master registry as a prerequisite to the forwarding.
  - 19. The system according to claim 17, wherein the master registry stores trust policy information, and wherein the means for verifying that the trusted authenticating domain is trusted further comprises means for checking whether the stored trust policy information for the user identifier includes the trusted authenticating domain identification provided in the password propagation request.
  - 20. The system according to claim 17, wherein the master registry stores trust policy information, and wherein the means for verifying that the trusted authenticating domain is trusted further comprises means for checking whether the stored trust policy information for a user group of which the user identified by the user identifier is a member includes the trusted authenticating domain identification provided in the password propagation request.
  - 21. The system according to claim 18, wherein the master registry stores trust policy information, and wherein the means for obtaining the identification of the trusted authenticating domain from the master registry further comprises means for obtaining the trusted authenticating domain identification using the stored trust policy information for the user identifier.
  - 22. The system according to claim 18, wherein the master registry stores trust policy information, and wherein the means for obtaining the identification of the trusted authenticating domain from the master registry further comprises means for obtaining the trusted authenticating domain identification using the stored trusted policy information for a user group of which the user identified by the user identifier is a member.
  - 23. The system according to claim 16, wherein the master registry stores password synchronization policy information, and wherein the means for propagating the received identifying secret to the one or more target registries further comprises means for identifying the one or more other target registries using the stored password synchronization policy information for the user identifier.
  - 24. The system according to claim 16, wherein the master registry stores password synchronization policy information, and wherein the means for propagating the received identifying secret to the one or more other target registries further comprises means for identifying the one or more target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.
  - 25. The system according to claim 15, wherein the previously-stored secured version of the identifying secret was created, at the trusted authenticating domain, by performing a security function on a previously received copy of the identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;
    - andwherein the security function is repeated, at the trusted authenticating domain, on the forwarded identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted authenticating domain then creates the successful result.
  - 26. The system according to claim 15, wherein the validation result is created, at the trusted authenticating domain, by invoking an authenticated LDAP bind or other native authentication mechanism of the trusted authenticating domain, using the forwarded user identifier and the identifying secret of the user, and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism.
  - 27. The system according to claim 15, wherein the PSA has administrative authority for performing operations at the master registry.
  - 28. The system according to claim 16, wherein the PSA has administrative authority for performing operations at the one or more target registries.
  - 31. The system according to claim 15, further comprising:
    - means for obtaining a new value from the user to be used as the propagated identifying secret if the validation has the successful result; and
      
      means for substituting the new value for the received identifying secret prior to operation of the means for propagating.

29. A computer-implemented method for securely propagating security credentials using a trusted authenticating domain, comprising steps of:
- receiving, by a password synchronization agent (“
  
  PSA”
  
  ) from a user at a client device over a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of the user and an identifying secret of the user;
  
  forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, the received user identifier and identifying secret, wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;
  
  receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and
  
  propagating, if the validation result is the successful result, the received user identifier and identifying secret from the PSA to a master registry over a third mutually-authenticated secure connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret.
- View Dependent Claims (32, 33, 34)
- - 32. The method according to claim 29, further comprising steps of:
    - obtaining a new value from the user to be used as the propagated identifying secret if the validation has the successful result; and
      
      substituting the new value for the received identifying secret prior to operation of the propagating step.
  - 33. The method according to claim 29, wherein the forwarding and receiving steps use secure interprocess communications between the PSA and the trusted authenticating domain instead of the second connection.
  - 34. The method according to claim 29, wherein the second version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Leah, Robert C., McGarvey, John Ryan
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Tran, Tongoc

Application Number

US09/614,087
Time in Patent Office

2,009 Days
Field of Search

713/55, 713/161, 713/169, 713/170, 713183-184, 713200-202, 713/155, 380/274, 705/72, 705/76, 705/8, 707/1, 709/206, 709/246
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

H04L 63/062   for key distribution, e.g. ...

H04L 63/0846   using time-dependent-passwo...

H04L 67/1095   Replication or mirroring of...

Technique for synchronizing security credentials using a trusted authenticating domain

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Technique for synchronizing security credentials using a trusted authenticating domain

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links