Methods and arrangements for controlling access to resources based on authentication method

US 7,305,701 B2
Filed: 04/30/2001
Issued: 12/04/2007
Est. Priority Date: 04/30/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for use in a computer capable of supporting multiple authentication mechanisms, the method comprising:

generating at least one access token that identifies a user, and is associated with and identifies at least one authentication mechanism that has been used to authenticate the user, wherein generating the access token further includes identifying within the access token at least one characteristic associated with the authentication mechanism, wherein the at least one characteristic associated with the authentication mechanism includes a measure of strength of the authentication mechanism, wherein the measure of strength of the authentication mechanism depends on the length of key employed in an encryption process; and

controlling the user'"'"'s access to at least one resource based on the access token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with certain aspects of the present invention, improved methods and arrangements are provided that improve access control within a computer. The methods and arrangements specifically identify the authentication mechanism/mechanisms, and/or characteristics thereof, that were used in verifying that a user with a unique name is the actual user that the name implies, to subsequently operating security mechanisms. Thus, differentiating user requests based on this additional information provides additional control.

38 Citations

View as Search Results

17 Claims

1. A method for use in a computer capable of supporting multiple authentication mechanisms, the method comprising:
- generating at least one access token that identifies a user, and is associated with and identifies at least one authentication mechanism that has been used to authenticate the user, wherein generating the access token further includes identifying within the access token at least one characteristic associated with the authentication mechanism, wherein the at least one characteristic associated with the authentication mechanism includes a measure of strength of the authentication mechanism, wherein the measure of strength of the authentication mechanism depends on the length of key employed in an encryption process; and
  
  controlling the user'"'"'s access to at least one resource based on the access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein generating the access token further includes receiving inputs, providing the inputs to the authentication mechanism, and causing the authentication mechanism to generate at least one security identifier (SID) that identifies the authentication mechanism.
  - 3. The method as recited in claim 1, wherein the measure of strength of the authentication mechanism identifies a length of an encryption key employed by the authentication mechanism.
  - 4. The method as recited in claim 1, wherein controlling access to the resource based on the access token further includes comparing the access token to at least one access control list having at least one access control entry therein.
  - 5. The method as recited in claim 4, wherein if the access control entry operatively specifies that the at least one authentication mechanism is permitted to access the resource, then access to the at least one resource is allowed to proceed.
  - 6. The method as recited in claim 4, wherein if the access control entry operatively specifies that the at least one authentication mechanism is not permitted to access the resource, then access to the at least one resource is not allowed to proceed.
  - 7. The method as recited in claim 4, wherein if the access control entry does not operatively specify that the at least one authentication mechanism is permitted to access the resource, then access to the at least one resource is not allowed to proceed.

8. A computer-readable medium for use in a device capable of supporting multiple authentication mechanisms, the computer-readable medium having computer-executable instructions for performing acts comprising:
- producing at least one access token that identifies a user, and uniquely identifies at least one authentication mechanism supported by the device that has been used to authenticate the user, wherein producing the access token further includes identifying within the access token at least one characteristic of the authentication mechanism, wherein the at least one characteristic of the authentication mechanism includes a strength characteristic of the authentication mechanism, wherein the strength characteristic of the authentication mechanism depends on the length of key employed in an encryption process; and
  
  causing the device to selectively control the user'"'"'s access to at least one resource operatively coupled to the device based at least in part on the access token.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium as recited in claim 8, wherein producing the access token further includes receiving inputs, providing the inputs to the authentication mechanism, and causing the authentication mechanism to generate at least one security identifier (SID) that identifies the authentication mechanism, in response thereto.
  - 10. The computer-readable medium as recited in claim 9, wherein the strength characteristic identifies a length of an encryption key employed by the authentication mechanism.
  - 11. The computer-readable medium as recited in claim 8, wherein causing the device to selectively control access to the at least one resource based on the access token further includes causing the device to compare the access token to control data.
  - 12. The computer-readable medium as recited in claim 11, wherein if the control data specifies that the authentication mechanism is permitted to access the resource, to which subsequent access to the resource is allowed.
  - 13. The computer-readable medium as recited in claim 11, wherein if the control data operatively specifies that the authentication mechanism is not permitted to access the resource, to which subsequent access to the resource is prohibited.
  - 14. The computer-readable medium as recited in claim 11, wherein if the control data does not operatively specify that the authentication mechanism is permitted to access the resource, to which subsequent access to the resource is prohibited.

15. An apparatus comprising:
- at least one authentication mechanism facilitating generation of at least one access token that identifies a user, and identifies the authentication mechanism that has been used to authenticate the user, wherein the access token further includes at least one identifying characteristic associated with the authentication mechanism, wherein the at least one identifying characteristic associated with the authentication mechanism indicates a measure of strength of the authentication mechanism, wherein the measure of strength of the authentication mechanism depends on the length of key employed in an encryption process;
  
  an access control list;
  
  at least one access controlled resource; and
  
  logic operatively facilitating comparison of the access token with the access control list and selectively control the user'"'"'s access to the resource based on the access token.
- View Dependent Claims (16, 17)
- - 16. The apparatus as recited in claim 15, wherein the authentication mechanism is further configured to receive user inputs and generate at least one security identifier (SID) that identifies the authentication mechanism based on the user inputs.
  - 17. The apparatus as recited in claim 15, wherein the measure of strength of the authentication mechanism identifies a length of an encryption key employed by the authentication mechanism.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brezak, John E., Ward, Richard B., Brundrett, Peter T.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Dada; Beemnet W

Application Number

US09/846,175
Publication Number

US 20020162030A1
Time in Patent Office

2,409 Days
Field of Search

713/202, 713/200, 713155-159, 713/167, 713/168, 380/281, 380/276, 726/4, 726 17- 20, 726/27, 726/28, 726 5- 9, 726/3, 726/172, 709/225, 709/226, 709/229, 711147-153
US Class Current

726/5
CPC Class Codes

G06F 21/46   by designing passwords or c...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2141   Access rights, e.g. capabil...

Methods and arrangements for controlling access to resources based on authentication method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and arrangements for controlling access to resources based on authentication method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links