Client security for networked applications
First Claim
1. A method of providing client security for networked services, the method comprising the computer-implemented steps of:
- storing a credential such that the credential is accessible only by using a local security authority;
generating a secret value corresponding to the credential; and
storing the secret value in a secret file that can be modified and retrieved only by a first user.
0 Assignments
0 Petitions
Accused Products
Abstract
Methods and apparatuses are provided for limiting access, by users of a networked computer system, to networked services on the computer system. More specifically, the present invention facilitates limiting access by other users to a first user'"'"'s credential that can be used to facilitate access to networked services. A method includes authenticating a user, determining a credential for that user, and generating a corresponding random secret. The credential is stored in memory that can only be accessed through execution of a local security authority (LSA). The random secret is written to a secret file that is readable and writeable only by the user. When the user initiates an application, a security library associated with the application reads the random secret from the secret file and passes the secret to the LSA. The LSA identifies the credential corresponding to that secret and return a credential handle to the application client via the security library. The application client can use the credential handle to have the LSA use the credential on its behalf; in the Kerberos case, the LSA obtains GSSAPI Kerberos tokens and returns them to the application. The technique is also used in combination with the Unix setuid mechanism to allow one or more programs to have all of the user'"'"'s network rights while all other programs have one of one or more subsets of the user'"'"'s rights. Additional embodiments of the present invention also include computer readable medium with program instructions and a computer system configured to perform the above operations.
-
Citations
51 Claims
-
1. A method of providing client security for networked services, the method comprising the computer-implemented steps of:
-
storing a credential such that the credential is accessible only by using a local security authority; generating a secret value corresponding to the credential; and storing the secret value in a secret file that can be modified and retrieved only by a first user. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A computer readable storage medium containing program instructions for limiting access to a credential that can facilitate access by a first user to a computer networked service on a networked computer system, wherein when the computer readable medium is read by a computer system having a processor and memory the program instructions are configured to be executed by the processor, the computer readable medium comprising:
-
program instructions for storing the credential such that the credential is accessible only by using a local security authority; program instructions for generating a secret value corresponding to the credential; and program instructions for storing the secret value in a secret file that can be modified and retrieved only by the first user. - View Dependent Claims (16, 17, 18, 19, 20)
-
-
21. A computer system configured to provide client security for networked services, the computer system comprising:
-
a local security authority configured to authenticate the identity of a user, to determine a credential corresponding to the user, to generate a secret value corresponding to the determined credential, and to determine authorization information associated with both the user and an application; local security authority memory associated with the local security authority, configured only by operation of the local security authority; and computer-readable memory configured to store a secret file which is configured to store the secret value and which is readable substantially only by processes executed by the user. - View Dependent Claims (22, 23)
-
-
24. An apparatus for providing client security for networked services, comprising:
-
a network interface that is coupled to a data network for receiving one or more packet flows therefrom; a processor; one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of; storing a credential such that the credential is accessible only by using a local security authority; generating a secret value corresponding to the credential; and storing the secret value in a secret file that can be modified and retrieved only by a first user. - View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
-
-
38. An apparatus providing client security for networked services, comprising:
-
means for storing a credential such that the credential is accessible only by using a local security authority; means for generating a secret value corresponding to the credential; and means for storing the secret value in a secret file that can be modified and retrieved only by a first user. - View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
-
Specification