Systems and methods for state-less authentication

US 7,020,645 B2
Filed: 04/19/2001
Issued: 03/28/2006
Est. Priority Date: 04/19/2001
Status: Expired

First Claim

Patent Images

1. A method of enabling access to a resource of a processing system, comprising the steps of:

establishing a secure communication session between a user desiring access and a logon component of the processing system;

verifying that logon information, provided by the user to the logon component during the secure communication session, matches stored information identifying the user to the processing system;

generating a security context from the logon information and authorization information that is necessary for access to the resource, wherein the security context comprises a plaintext header and an encrypted body, and the plaintext header comprises a security context ID, a key handle, and an algorithm identifier and key size;

providing the security context to the user; and

sending, by the user to the processing system, the security context and a request for access to the resource.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing user logon and state-less authentication are described in a distributed processing environment. Upon an attempted access by a user to an online resource, transaction, or record, a logon component asks the user to supply a logon ID and a password. The logon component verifies the provided information, and upon successful identification, a security context is constructed from information relevant to the user. The security context is sent to the user and is presented to the system each time the user attempts to invoke a new resource, such as a program object, transaction, record, or certified printer avoiding the need for repeated logon processing.

289 Citations

28 Claims

1. A method of enabling access to a resource of a processing system, comprising the steps of:
- establishing a secure communication session between a user desiring access and a logon component of the processing system;
  
  verifying that logon information, provided by the user to the logon component during the secure communication session, matches stored information identifying the user to the processing system;
  
  generating a security context from the logon information and authorization information that is necessary for access to the resource, wherein the security context comprises a plaintext header and an encrypted body, and the plaintext header comprises a security context ID, a key handle, and an algorithm identifier and key size;
  
  providing the security context to the user; and
  
  sending, by the user to the processing system, the security context and a request for access to the resource.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the encrypted body comprises at least one of a user identifier, an organization identifier, access information, an expiration time, public key information, symmetric key information, and a hash.
  - 3. The method of claim 2, wherein the access information specifies at least one resource accessible by the user;
    - the expiration time specifies a time after which the security context is invalid;
      
      the hash is computed over the plaintext header and the encrypted body before encryption; and
      
      the hash is digitally signed by the logon component.
  - 4. The method of claim 2, wherein the encrypted body includes the expiration time and access to the resource is denied if the expiration time differs from a selected time.

5. A method of accessing a resource of a processing system, comprising the steps of:
- providing by a user logon information to a logon component of the processing system during a secure communication session between the user and the processing system;
  
  verifying that the provided logon information matches stored information identifying the user to the processing system;
  
  generating a security context from the logon information and authorization information that is necessary for access to the resource, wherein the security context comprises a plaintext header and an encrypted body;
  
  the plaintext header comprises a security context ID, a key handle, and an algorithm identifier and key size; and
  
  the encrypted body comprises at least one of a user identifier, an organization identifier, access information, an expiration time, public key information, symmetric key information, and a hash;
  
  providing the security context to the user;
  
  sending, by the user to the processing system, the security context and a request for access to the resource; and
  
  determining, by a stateless component of the processing system, based on the security context sent with the request for access by the user, whether access to the requested resource should be granted to the user.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The method of claim 5, wherein the security context includes a symmetric encryption key, and the request for access is at least partially encrypted with the symmetric encryption key.
  - 7. The method of claim 5, wherein the logon information includes a password and at least one of a user identifier, an organization identifier, a sub-organization identifier, a user location, a user role, and a user position.
  - 8. The method of claim 7, wherein the logon information is verified by checking for agreement between the stored information identifying the user to the processing system and the password and at least one of a user identifier, an organization identifier, a sub-organization identifier, a user location, a user role, and a user position provided by the user to the logon component.
  - 9. The method of claim 5, wherein the access information specifies at least one resource accessible by the user;
    - the expiration time specifies a time after which the security context is invalid;
      
      the hash is computed over the plaintext header and the encrypted body before encryption; and
      
      the hash is digitally signed by the logon component.
  - 10. The method of claim 5, wherein the encrypted body includes the expiration time and access to the resource is denied if the expiration time differs from a selected time.
  - 11. The method of claim 5, wherein a hash value is computed over the request for access, the hash value is included with the security context and the request for access sent by the user to the processing system, the integrity of the request for access is checked based on the hash value, and access is granted only if the integrity of the hash value is verified.
  - 12. The method of claim 5, wherein the user digitally signs the request for access, at least the user'"'"'s digital signature and the request for access are enclosed in a wrapper, the security context and the wrapper are sent to the processing system, the user'"'"'s digital signature is checked by the processing system, and access to the resource is granted only if the user'"'"'s digital signature is authenticated.
  - 13. The method of claim 5, further comprising the step, after access to the requested resource is granted, of sending a response to the user that includes a request counter that enables the user to match the response to the request for access.
  - 14. The method of claim 5, wherein at least one of a client time and a request counter is sent by the user to the processing system with the security context and the request for access to the resource.
  - 15. The method of claim 14, wherein the request counter is sent by the user and access to the resource is denied if the request counter differs from a predetermined value.

16. A processing system having resources that are selectively accessible to users, the resources including processors, program objects, and records, the processing system comprising:
- a communication device through which a user desiring access to a resource communicates sends and receives information in a secure communication session with the processing system;
  
  an information database that stores information identifying users to the processing system and authorization information that identifies resources accessible to users and that is necessary for access to resources; and
  
  a logon component that communicates with the communication device and with the information database, wherein the logon component receives logon information provided by the user during the secure communication session, verifies the received logon information by matching against information identifying the user to the processing system that is retrieved from the information database, and generates a security context from the received logon information and authorization information;
  
  wherein the logon component provides the security context to the user'"'"'s communication device, and the user sends, to the processing system, the security context and a request for access to a resource.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The processing system of claim 16, further comprising a cryptographic accelerator, and wherein the logon component receives a symmetric encryption key from the cryptographic accelerator and provides the symmetric encryption key to the user'"'"'s communication device.
  - 18. The processing system of claim 16, wherein the logon information includes a password and at least one of a user identifier, an organization identifier, a sub-organization identifier, a user location, a user role, and a user position.
  - 19. The processing system of claim 18, wherein the logon component verifies received logon information by checking for agreement between information identifying the user to the processing system that is retrieved from the information database and the password and at least one of a user identifier, an organization identifier, a sub-organization identifier, a user location, a user role, and a user position provided by the user to the logon component.
  - 20. The processing system of claim 16, wherein the security context comprises a plaintext header and an encrypted body, and the plaintext header comprises a security context ID, a key handle, and an algorithm identifier and key size.
  - 21. The processing system of claim 20, wherein the encrypted body comprises at least one of a user identifier, an organization identifier, access information, an expiration time, public key information, symmetric key information, and a hash.
  - 22. The processing system of claim 21, wherein the access information specifies at least one resource accessible by the user;
    - the expiration time specifies a time after which the security context is invalid;
      
      the hash is computed over the plaintext header and the encrypted body before encryption; and
      
      the hash is digitally signed by the logon component.
  - 23. The processing system of claim 21, wherein the encrypted body includes the expiration time and access to the resource is denied if the expiration time differs from a selected time.
  - 24. The processing system of claim 16, further comprising a stateless component that determines, based on the security context sent with the request for access by the user, whether access to the requested resource should be granted to the user.
  - 25. The processing system of claim 24, wherein the communication device at least partially encrypts the request for access with a symmetric encryption key included in the security context.
  - 26. The processing system of claim 25, wherein a hash value is computed over the request for access, the hash value is included with the security context and the request for access sent by the user to the processing system, the integrity of the request for access is checked based on the hash value, and access is granted only if the integrity of the hash value is verified.
  - 27. The processing system of claim 24, wherein the communication device appends a digital signature of the user to the request for access, at least the user'"'"'s digital signature and the request for access are enclosed in a wrapper, the security context and the wrapper are sent to the processing system that checks the user'"'"'s digital signature, and access to the resource is granted only if the user'"'"'s digital signature is authenticated.
  - 28. The processing system of claim 24, wherein after access to the requested resource is granted, the stateless component sends a response to the user that includes a request counter that enables the user to match the response to the request for access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alto Dynamics, LLC (IP Investments Group LLC)
Original Assignee
eOriginal, Inc.
Inventors
Bisbee, Stephen F., Twaddell, Gordon W., Peterson, Ellis K., Becker, Keith F., Moskowitz, Jack J.
Primary Examiner(s)
Alam, Shahid
Assistant Examiner(s)
FLEURANTIN, JEAN B

Application Number

US09/839,551
Publication Number

US 20020184217A1
Time in Patent Office

1,804 Days
Field of Search

707 1- 10, 707100-1041, 707200-206, 709/217, 709/219, 709/225, 709/229, 713/200, 715/741, 715/743
US Class Current

1/1
CPC Class Codes

F23H 17/12   Fire-bars

G06F 16/00   Information retrieval; Data...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0435   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 9/3226   using a predetermined code,...

Y10S 707/99931   Database or file accessing

Y10S 707/99936   Pattern matching access

Systems and methods for state-less authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

289 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for state-less authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

289 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links