Credential management

US 7,210,167 B2
Filed: 01/08/2001
Issued: 04/24/2007
Est. Priority Date: 01/08/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for accommodating a legacy application, the legacy application resident on a legacy system having provisions for a low-level credential authorization model which employs username-and-password based authorization, the method comprising:

obtaining a request from a high-level credential authorization model for a high-level credential to be provided by the legacy application, wherein the high-level credential authorization model does not employ username-and-password based authorization;

retrieving the requested high level credential from a database of credentials; and

marshaling the requested high-level credential, the marshaling is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the legacy application employing a low-level credential authorization model, wherein the marshaling is a mechanism by which a description of the high-level credential is passed through a secured operating system layer using an interface designed to output low-level credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein is an implementation of a technology for managing credentials. With an implementation, a credential manager is domain-authentication aware and concurrent authentications with multiple independent networks (e.g., domains) may be established and maintained. Moreover, a credential manager provides a credential model retrofit for legacy applications that only understand the password model. The manager provides a mechanism where the application is only a “blind courier” of credentials between the trusted part of the OS to the network and/or network resource. The manager fully insulates the application from “read” access to the credentials. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

Citations

32 Claims

1. A method for accommodating a legacy application, the legacy application resident on a legacy system having provisions for a low-level credential authorization model which employs username-and-password based authorization, the method comprising:
- obtaining a request from a high-level credential authorization model for a high-level credential to be provided by the legacy application, wherein the high-level credential authorization model does not employ username-and-password based authorization;
  
  retrieving the requested high level credential from a database of credentials; and
  
  marshaling the requested high-level credential, the marshaling is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the legacy application employing a low-level credential authorization model, wherein the marshaling is a mechanism by which a description of the high-level credential is passed through a secured operating system layer using an interface designed to output low-level credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein a high-level credential is a credential selected from a group composed of X.509 Certificates and bio-metrics.
  - 3. A method as recited in claim 1, wherein the marshaled credentials appear to be a conventional username and password pair to the legacy application.
  - 4. A method as recited in claim 1, wherein marshaling comprises:
    - obtaining the requested high-level credential;
      
      converting the requested high-level credential to generate a low-level credential that represents the requested high-level credential while appearing to be a conventional username and password pair to the legacy application.
  - 5. A method as recited in claim 1, wherein the legacy application never has access to the high-level credential.
  - 6. A computer-readable medium having computer-executable instructions that, when executed by a computer, perform a method as recited in claim 1.
  - 7. A method as recited in claim 1, wherein the marshaling is performed by creating a reference to a certificate by taking a certificate hash and computing a text string for the certificate hash.
  - 8. A method as recited in claim 1, wherein the marshaling is performed by creating a reference to credential stored in credential manager.

9. In a computing environment where legacy processes have a provision for low-level credentials but have no provision for high-level credentials, wherein a provision for low-level credentials employs username-and-password based authorization while a provision for high-level credentials does not employ username-and-password based authorization, a method for accommodating such processes comprising:
- obtaining a request for a credential from a legacy process, wherein the requested credential is a high-level credential, which is not username-and-password based;
  
  retrieving the requested credential from a database;
  
  converting the requested high-level credential into a format approximating a low-level credential and representative of the requested high-level credential; and
  
  passing a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials.
- View Dependent Claims (10, 11, 12, 13)
- - 10. A method as recited in claim 9, wherein a high-level credential is a credential selected from a group composed of X.509 Certificates and bio-metrics.
  - 11. A method as recited in claim 9, wherein the converted credentials appear to be a conventional username and password pair to the legacy process.
  - 12. A method as recited in claim 9, wherein the legacy process never has access to the high-level credential.
  - 13. A computer-readable medium having computer-executable instructions that, when executed by a computer, perform a method as recited in claim 9.

14. A method for authenticating a user to a network, the method comprising:
- using an interface designed to output low-level credentials;
  
  obtaining a request for a high-level credential to authenticate the user to access a resource within the network, wherein the resource requires an appropriate high-level credential before the user may access the resource;
  
  locating the appropriate high-level credential;
  
  passing a description of the high-level credential, through a secured operating system layer using said interface so high-level credential is formatted as a low-level credentials,returning the appropriate high-level credential to the resource within the network, so that the resource allows the user to access such resource;
  
  wherein the obtaining, locating, and returning, and passing are performed without user interaction so that the user need not be aware that such steps are being performed.
- View Dependent Claims (15, 16)
- - 15. A method as recited in claim 14 further comprising repeating the obtaining, locating, and returning for a different network that is authenticated using a different credential.
  - 16. A computer-readable medium having computer-executable instructions that, when executed by a computer, perform a method as recited in claim 14.

17. A credential management architecture, comprising:
- a trusted computing base (TCB) that has full access to persisted credentials, the TCB being configured to interact with an untrusted computing layer (UTCL) that accesses the persisted credentials via the TCB,the TCB comprises;
  
  a credential management module configured to receive requests from the UTCL for a high-level credential for a resource, the high-level credential being associated with a user and not being username-and-password based authorization;
  
  a credential database associated with the user, wherein credentials are persisted within the database;
  
  the credential management module being configured to retrieve credentials from the database; and
  
  an interface that performs marshaling, wherein marshaling is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the legacy application.
- View Dependent Claims (18, 19, 20)
- - 18. An architecture as recited in claim 17, wherein the marshaled credentials appear to be a conventional username and password pair to the UTCL.
  - 19. A computer-readable medium having computer-executable instructions that, when executed by a computer, employ an architecture as recited in claim 17.
  - 20. An operating system embodied on a computer-readable medium having computer-executable instructions that, when executed by a computer, employ an architecture as recited in claim 17.

21. An apparatus comprising:
- a processor;
  
  a marshaller executable on the processor to;
  
  obtain a high-level credential, wherein a high-level credential is employed in an authorization model which is not username-and-password based authorization;
  
  convert the high-level credential to generate a representation of the high-level credential that is formatted as a low-level credential so that it appears to be a conventional username and password pair; and
  
  pass a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials.

22. An accommodation system comprising:
- a request obtainer configured to obtain a request for a high-level credential from a low-level-credential-application, wherein low-level credentials utilizes username-and-password based authorization while high-level credentials do not employ username-and-password based authorization;
  
  a credential retriever configured to retrieve the requested credential from a database of credentials;
  
  a marshaler configured to marshal the requested credential and return the marshaled credential to the low-level-credential-application, wherein marshaling performed by the marshaler is characterized by converting a description of the high-level credential into a format recognizable as a low-level credential by the low-level-credential-application employing a low-level credential authorization model and passing a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials.
- View Dependent Claims (23, 24, 25)
- - 23. A system as recited in claim 22, wherein a high-level credential is a credential selected from a group composed of X.509 Certificates and bio-metrics.
  - 24. A system as recited in claim 22, wherein the marshaled credentials appear to be a conventional username and password pair to the legacy application.
  - 25. A system as recited in claim 22, wherein the low-level-credential-application never has access to the high-level credential.

26. A system for authenticating a user to a network, the system comprising:
- a request obtainer configured to obtain a request for a high-level credential to authenticate the user to access a resource within the network, wherein the resource requires an appropriate credential before the user may access the resource, wherein a high-level credential do not utilize username-and-password based for high-level credential authorization;
  
  a credential retriever configured to retrieve the appropriate high-level credential from a database of credentials;
  
  a credential marshaler configured to generate a representation of the high-level credential formatted as a low-level credential so that it appears to be a conventional username and password pair to a low-level-credential-application, wherein a low-level credential utilizes username-and-password based authorization, and pass a description of the high-level credential through a secured operating system layer using an interface designed to output low-level credentials; and
  
  a credential returner configured to return the marshaled high-level credential to the resource within the network, so that the resource allows the user to access such resource;
  
  wherein the obtainer, retriever, marshaler, and returner are further configured to operate without user interaction.
- View Dependent Claims (27, 28)
- - 27. An operating system comprising a system as recited in claim 26.
  - 28. A network environment comprising a system as recited in claim 26.

29. An application programming interface (API) method comprising:
- receiving a CredUI-promptfor-credentials call having a set of parameters comprising a TargetName, Context, AuthFlags, and Flags;
  
  retrieving the parameters from the call to determine a specified resource;
  
  obtaining a high-level credential;
  
  associating the high-level credential with the specified resource;
  
  persisting the high-level credential into a database while maintaining the credential'"'"'s association with the specified resource; and
  
  passing a description of a high-level credential, in place of the low-level credential, through a secured operating system layer using an interface designed to output low-level credentials.
- View Dependent Claims (30)
- - 30. A method as recited in claim 29, wherein the set of parameters further comprises an indicator of a data structure containing customized information to display in conjunction with a user interface.

31. An application programming interface (API) method comprising:
- receiving a CredUI-promptfor-credentials call having a set of parameters comprising a TargetName, UserName, Password, and Flags;
  
  retrieving the parameters from the call to determine a requesting application;
  
  obtaining a request from the application for a high-level credential; and
  
  passing a description of a high-level credential, in a format representing a low-level credential, through a secured operating system layer using an interface designed to output low-level credentials.
- View Dependent Claims (32)
- - 32. A method as recited in claim 31, wherein the set of parameters further comprises an indicator of a data structure containing customized information to display in conjunction with a user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brezak, John E., Schutz, Klaus U., Hawkins, John M., Van Dyke, Clifford P.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Tran; Ellen C.

Application Number

US09/757,058
Publication Number

US 20030065940A1
Time in Patent Office

2,297 Days
Field of Search

713/201, 713/202, 709/227, 726/8, 726/2, 726/4, 726/19, 726/18
US Class Current

726/18
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

Credential management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Credential management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links