Digital identity creation and coalescence for service authorization

US 7,325,143 B2
Filed: 10/15/2002
Issued: 01/29/2008
Est. Priority Date: 10/15/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

generating a user identity from a message digest algorithm that uses as input a user credential associated with a particular user and a user credential identifier identifying a class to which the user credential belongs;

generating a service authorization identity from a hashed message authentication coding algorithm that uses as input a service authentication key, a user identity and a service identity;

permuting each of the service authorization identity, the user identity and the service identity; and

storing the permuted user identity, the permuted service identity and the permuted service authorization identity in a directory;

wherein generating the user identity comprises a) generating a first hash value from a message digest algorithm using as input the user credential identifier, b) forming a first linear vector of the user credential identifier and the first hash value, c) generating a second hash value from a message digest algorithm using as input the first linear vector, d) forming a second linear vector of the second hash value and an organization identity, and e) generating the user identity from a message digest algorithm using as input the second linear vector.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed to provide service authorization. The system provides authorized access to services using various identity tokens that represent authorized users, services, servers or other devices, as well as specific instances of users authorized for a service and specific instances of users authorized for a service on a particular server or other device.

22 Citations

View as Search Results

55 Claims

1. A method comprising:
- generating a user identity from a message digest algorithm that uses as input a user credential associated with a particular user and a user credential identifier identifying a class to which the user credential belongs;
  
  generating a service authorization identity from a hashed message authentication coding algorithm that uses as input a service authentication key, a user identity and a service identity;
  
  permuting each of the service authorization identity, the user identity and the service identity; and
  
  storing the permuted user identity, the permuted service identity and the permuted service authorization identity in a directory;
  
  wherein generating the user identity comprises a) generating a first hash value from a message digest algorithm using as input the user credential identifier, b) forming a first linear vector of the user credential identifier and the first hash value, c) generating a second hash value from a message digest algorithm using as input the first linear vector, d) forming a second linear vector of the second hash value and an organization identity, and e) generating the user identity from a message digest algorithm using as input the second linear vector.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 including generating the organization identity from a message digest algorithm that uses as input a organization credential associated with a particular organization and a organization credential identifier identifying a class to which the organization credential belongs, wherein generating the organization identity includes:
    - generating a first hash value from a message digest algorithm using as input the organization credential;
      
      forming a linear vector of the first hash value and the organization credential identifier; and
      
      generating the organization identity from the message digest algorithm using as input the linear vector.
  - 3. The method of claim 1 including:
    - generating the service identity from a message digest algorithm that uses as input a service credential associated with a particular service and a service credential identifier identifying a class to which the service credential belongs.
  - 4. The method of claim 3 wherein generating the service identity comprises:
    - generating a first hash value from a message digest algorithm using as input the first credential;
      
      forming a first linear vector of the service credential identifier and the first hash value;
      
      generating a second hash value from a message digest algorithm using as input the first linear vector;
      
      forming a second linear vector of the second hash value and an organization identity; and
      
      generating the service identity from a message digest algorithm using as input the second linear vector.
  - 5. The method of claim 4 including generating the organization identity from a message digest algorithm that uses as input a organization credential associated with a particular organization and an organization credential identifier identifying a class to which the credential belongs, wherein generating the organization identity includes:
    - generating a first hash value from a message digest algorithm using as input the organization credential;
      
      forming a linear vector of the first hash value and the organization credential identifier; and
      
      generating the organization identity from the message digest algorithm using as input the linear vector.
  - 6. The method of claim 1 comprising:
    - forming a linear vector of the user identity and service identity; and
      
      passing as input the linear vector and the service authentication key to the hashed message authentication coding algorithm to generate the service authorization identity.
  - 7. The method of claim 1 wherein permuting the user identity comprises:
    - forming a linear vector of a permutation base and the user identity; and
      
      generating the permuted user identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 8. The method of claim 1 wherein permuting the service identity comprises:
    - forming a linear vector of a permutation base and the service identity; and
      
      generating the permuted service identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 9. The method of claim 1 wherein permuting the service authorization identity comprises:
    - forming a linear vector of the permuted user identity and the permuted service identity; and
      
      generating the permuted service authorization identity from a hashed message authentication coding algorithm that uses as input the linear vector and the service authentication key.
  - 10. The method of claim 1 comprising receiving the service authentication key from a kerberos-based authentication server.
  - 11. The method of claim 1 comprising storing the permuted user identity, permuted service identity, permuted service authorization identity in a light weight directory access protocol compliant server.
  - 12. The method of claim 1 comprising:
    - generating a server authorization identity from a hashed message authentication coding algorithm that uses as input the service authentication key, the user identity, the service identity and a server identity;
      
      permuting the server identity and the server authorization identity; and
      
      storing the permuted server identity and the permuted server authorization identity in the directory.
  - 13. The method of claim 12 comprising:
    - generating the server identity from a message digest algorithm that uses as input a server credential associated with a particular server and a server credential identifier identifying a class to which the server credential belongs.
  - 14. The method of claim 13 wherein generating a server identity comprises:
    - generating a first hash value from a message digest algorithm using as input the server credential;
      
      forming a first linear vector of the server credential identifier and the first hash value;
      
      generating a second hash value from a message digest algorithm using as input the first linear vector;
      
      forming a second linear vector of the second hash value and an organization identity; and
      
      generating the server identity from a message digest algorithm using as input the second linear vector.
  - 15. The method of claim 14 including generating the organization identity from a message digest algorithm that uses as input an organization credential associated with a particular organization and an organization credential identifier identifying a class to which the first credential belongs, wherein generating the organization identity includes:
    - generating a first hash value from a message digest algorithm using as input the organization credential;
      
      forming a linear vector of the first hash value and the organization credential identifier; and
      
      generating the organization identity from the message digest algorithm using as input the linear vector.
  - 16. The method of claim 12 including:
    - forming a linear vector of the user identity, the service identity and the server identity; and
      
      passing as input the linear vector and the service authentication key to the hashed message authentication coding algorithm to generate the server authorization identity.
  - 17. The method of claim 12 wherein permuting the server identity comprises:
    - obtaining a permutation base;
      
      forming a linear vector of the permutation base and server identity; and
      
      generating the permuted server identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 18. The method of claim 12 wherein permuting the server authorization identity comprises:
    - forming a linear vector of the permuted user identity, the permuted service identity and the permuted server identity; and
      
      generating the permuted server authorization identity from a hashed message authentication coding algorithm that uses as input the linear vector and a service authentication key.

19. An article comprising a machine-readable medium storing machine-readable instructions that, when applied to the machine, cause the machine to:
- generate a user identity from a message digest algorithm that uses as input a first user credential associated with a particular user and a second user credential identifying a class to which the first user credential belongs;
  
  generate a service authorization identity from a hashed message authentication coding algorithm that uses as input a service authentication key, the user identity and a service identity;
  
  permute the service authorization identity, the user identity and the service identity; and
  
  store the permuted user identity, permuted service identity, and the permuted service authorization identity in a directory;
  
  wherein generating the user identity comprises a) generating a first hash value from a message digest algorithm using as input the first user credential, b) forming a first linear vector of the first user credential identifier and the first hash value, c) generating a second hash value from a message digest algorithm using as input the first linear vector, d) forming a second linear vector of the second hash value and an organization identity, and d) generating the user identity from a message digest algorithm using as input the second linear vector.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - generate a first hash value from a message digest algorithm using as input a organization credential associated with a particular organization;
      
      form a linear vector of the first hash value and a organization credential identifier that identifies a class to which the organization credential belongs;
      
      generate the organization identity from the message digest algorithm using as input the linear vector.
  - 21. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - generate the service identity from a message digest algorithm that uses as input a service credential associated with a particular service and a service credential identifier identifying a class to which the service credential belongs.
  - 22. The article of claim 21 including instructions that, when applied to the machine, cause the machine to:
    - generate a first hash value from a message digest algorithm using as input the service credential;
      
      form a first linear vector of the service credential identifier and the first hash value;
      
      generate a second hash value from a message digest algorithm using as input the first linear vector;
      
      form a second linear vector of the second hash value and an organization identity; and
      
      generate the service identity from a message digest algorithm using as input the second linear vector.
  - 23. The article of claim 22 including instructions that, when applied to the machine, cause the machine to:
    - generate a first hash value from a message digest algorithm using as input a organization credential associated with a particular organization;
      
      form a linear vector of the first hash value and a organization credential identifier that identifies a class to which the organization credential belongs; and
      
      generate the organization identity from the message digest algorithm using as input the linear vector.
  - 24. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - form a linear vector of the user identity and service identity; and
      
      pass as input the linear vector and the service authentication key to the hashed message authentication coding algorithm to generate the service authorization identity.
  - 25. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - form a linear vector of a permutation base and the user identity; and
      
      generate the permuted user identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 26. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - form a linear vector of a permutation base and service identity; and
      
      generate the permuted service identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 27. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - form a linear vector of the permuted user identity and the permuted service identity; and
      
      generate the permuted service authorization identity from a hashed message authentication coding algorithm that uses as input the linear vector and the service authentication key.
  - 28. The article of claim 19 including instructions that, when applied to the machine, cause the machine to receive the service authentication key from a kerberos-based authentication server.
  - 29. The article of claim 19 including instructions that, when applied to the machine, cause the machine to store the permuted user identity, permuted service identity and permuted service authorization identity in a light weight directory access protocol compliant server.
  - 30. The article of claim 19 including instructions that, when applied to the machine, cause the machine to:
    - generate a server authorization identity from a hashed message authentication coding algorithm that uses as input the service authentication key, the user identity, the service identity and a server identity; and
      
      permute the server identity and the server authorization identity; and
      
      store the permuted server identity and the permuted server authorization identity in the directory.
  - 31. The article of claim 30 including instructions that, when applied to the machine, cause the machine to:
    - generate the server identity from a message digest algorithm that uses as input a server credential associated with a particular server and a server credential identifier identifying a class to which the server credential belongs.
  - 32. The article of claim 31 including instructions that, when applied to the machine, cause the machine to:
    - generate a first hash value from a message digest algorithm using as input the server credential;
      
      form a first linear vector of the server credential identifier and the first hash value;
      
      generate a second hash value form a message digest algorithm using as input the first linear vector;
      
      form a second linear vector of the second hash value and an organization identity; and
      
      generate the server identity from a message digest algorithm using as input the second linear vector.
  - 33. The article of claim 32 including instructions that, when applied to the machine, cause the machine to:
    - generate a first hash value from a message digest algorithm using as input an organization credential associated with a particular organization;
      
      form a linear vector of the first hash value and an organization credential identifier that identifies a class to which the organization credential belongs; and
      
      generate the organization identity from the message digest algorithm using as input the linear vector.
  - 34. The article of claim 30 including instructions that, when applied to the machine, cause the machine to:
    - form a linear vector of the user identity, the service identity, and the server identity; and
      
      pass as input the linear vector and the service authentication key to the hashed message authentication coding algorithm to generate the server authorization identity.
  - 35. The article of claim 30 including instructions that, when applied to the machine, cause the machine to:
    - obtain a permutation base;
      
      form a linear vector of the permutation base and server identity; and
      
      generate the permuted server identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 36. The article of claim 30 including instructions that, when applied to the machine, cause the machine to:
    - form a linear vector of the permuted user identity, the permuted service identity and the permuted server identity; and
      
      generate the permuted server authorization identity from a hashed message authentication coding algorithm that uses as input the linear vector and a service authentication key.

37. A system comprising:
- an identity repository and a directory;
  
  a server coupled to the identity repository and the directory, the server adapted to;
  
  generate a service authorization identity from a hashed message authentication coding algorithm that uses as input a service authentication key, a user identity that corresponds to a specific user, and a service identity that corresponds to a specific service to which the user has access; and
  
  generate a server authorization identity from a hashed message authentication coding algorithm that uses as input a service authentication key, the user identity, the service identity and a server identity;
  
  generate the server identity from a message digest algorithm that uses as input a server credential associated with a particular server and a server credential identifier identifying a class to which the server credential belongs;
  
  generate a first hash value from a message digest algorithm using as input the server credential;
  
  form a first linear vector of the server credential identifier and the first hash value;
  
  generate a second hash value from a message digest algorithm using as input the first linear vector;
  
  form a second linear vector of the second hash value and an organization identity; and
  
  generate the server identity from a message digest algorithm using as input the second linear vector;
  
  permute the user identity, the service identity, the server identity, the service authorization identity and the server authorization identity;
  
  store the user identity, service identity, server identity, service authorization identity, server authorization identity, permuted user identity, permuted service identity, permuted server identity, permuted service authorization identity and permuted server authorization identity in the identity repository; and
  
  store the permuted user identity, permuted service identity, permuted server identity, permuted service authorization identity and permuted server authorization identity in the directory.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 38. The system of claim 37 wherein the server is adapted to:
    - generate the user identity from a message digest algorithm that uses as input a user credential associated with a particular user and a user credential identifier identifying a class to which the user credential belongs.
  - 39. The system of claim 38 wherein the server is adapted to:
    - generate a first hash value from a message digest algorithm using as input the user credential;
      
      form a first linear vector of the user credential identifier and the first hash value;
      
      generate a second hash value from a message digest algorithm using as input the first linear vector;
      
      form a second linear vector of the second hash value and an organization identity; and
      
      generate the user identity from a message digest algorithm using as input the second linear vector.
  - 40. The system of claim 39 wherein the server is adapted to:
    - generate the organization identity from a message digest algorithm that uses as input an organization credential and an organization credential identifier;
      
      generate a first hash value from a message digest algorithm using as input the organization credential associated with a particular organization;
      
      form a linear vector of the first hash value and the organization credential identifier that identifies a class to which the organization credential belongs; and
      
      generate the organization identity from the message digest algorithm using as input the second linear vector.
  - 41. The system of claim 37 wherein the server is adapted to:
    - generate the service identity from a message digest algorithm that uses as input a service credential associated with a particular service and a service credential identifier identifying a class to which the service credential belongs.
  - 42. The system of claim 41 wherein the server is adapted to:
    - generate a first hash value from a message digest algorithm using as input the service credential;
      
      form a first linear vector of the service credential identifier and the first hash value;
      
      generate a second hash value from a message digest algorithm using as input the first linear vector;
      
      form a second linear vector of the second hash value and an organization identity; and
      
      generate the service identity from a message digest algorithm using as input the second linear vector.
  - 43. The system of claim 42 wherein the server is adapted to:
    - generate a first hash value from a message digest algorithm using as input an organization credential associated with a particular organization;
      
      form a linear vector of the first hash value and an organization credential identifier that identifies a class to which the organization credential belongs; and
      
      generate the organization identity from the message digest algorithm using as input the linear vector.
  - 44. The system of claim 37 wherein the server is adapted to:
    - form a linear vector of the user identity and service identity; and
      
      pass as input the linear vector and the service authentication key to the hashed message authentication coding algorithm to generate the service authorization identity.
  - 45. The system of claim 37 wherein the server is adapted to:
    - form a linear vector of a permutation base and the user identity; and
      
      generate the permuted user identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 46. The system of claim 37 wherein the server is adapted to:
    - form a linear vector of a permutation base and the service identity; and
      
      generate the permuted service identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 47. The system of claim 37 wherein the server is adapted to:
    - form a linear vector of the permuted user identity and the permuted service identity; and
      
      generate the permuted service authorization identity from a hashed message authentication coding algorithm using as input the linear vector and a service authentication key.
  - 48. The system of claim 37 wherein the service authentication key is from a kerberos-based authentication server.
  - 49. The system of claim 37 wherein the server is adapted to:
    - store the permuted user identity, permuted service identity and permuted service authorization identity in a light weight directory access protocol compliant server.
  - 50. The system of claim 37 wherein the server is adapted to:
    - generate a server authorization identity from a hashed message authentication coding algorithm that uses as input the service authentication key, the user identity, the service identity and a server identity;
      
      permute the server identity and the server authorization identity; and
      
      store the permuted server identity and the permuted server authorization identity in the directory.
  - 51. The system of claim 37 wherein the server is adapted to:
    - generate a first hash value from a message digest algorithm using as input an organization credential associated with a particular organization;
      
      form a linear vector of the first hash value and an organization credential identifier that identifies a class to which the organization credential belongs; and
      
      generate the organization identity from the message digest algorithm using as input the linear vector.
  - 52. The system of claim 37 wherein the server is adapted to:
    - form a linear vector of the user identity, the service identity and the server identity; and
      
      pass as input the linear vector and the service authentication key to the hashed message authentication coding algorithm to generate the server authorization identity.
  - 53. The system of claim 37 wherein the server is adapted to:
    - obtain a permutation base;
      
      form a linear vector of the permutation base and the server identity;
      
      generate the permuted server identity from a hashed message authentication coding algorithm using as input the linear vector and a permutation key.
  - 54. The system of claim 37 wherein the server is adapted to:
    - form a linear vector of the permuted user identity, the permuted service identity and the permuted server identity; and
      
      generate the permuted server authorization identity from a hashed message authentication coding algorithm that uses as input the linear vector and a service authentication key.
  - 55. The system of claim 37 wherein the server is adapted to:
    - store the permuted user identity, the permuted service identity, the permuted server identity, the permuted service authorization identity and the permuted server authorization identity in a light weight directory access protocol complaint server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Linux Foundation
Original Assignee
The Linux Foundation
Inventors
Wettstein, Gregory H.
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US10/270,984
Publication Number

US 20030093681A1
Time in Patent Office

1,932 Days
Field of Search

713/155, 713/185, 726/5
US Class Current

713/185
CPC Class Codes

H04L 63/0407   wherein the identity of one...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

Digital identity creation and coalescence for service authorization

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Digital identity creation and coalescence for service authorization

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links