Setuid-filter method for providing secure access to a credentials store for computer systems

US 7,392,386 B2
Filed: 01/28/2004
Issued: 06/24/2008
Est. Priority Date: 01/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method for use in a computer system that effects secure access to a store, comprising:

receiving a request to access a store from a first process initiated by a requester;

initiating a second process responsive to said store access request, wherein data generated by said second process is accessible to said first process but inaccessible to the requester;

changing a context of said second process to the user id of said store;

providing said store with an exclusive user id, said exclusive user id being different from a user id of the requestor;

said second process receiving tokenized credentials corresponding to the user id and password of the requestor from said first process responsive to said request without the use of files and without interaction with said requester;

said second precess converting the tokenized credentials to the user id and password of the requestor and performing a lookup of said user id and password of the requestor in a credential store;

said second process passing a user id and password associated with said store to said first process if said user id and password of the requestor are found in said credential store;

communicating between said first process and said store via inter-process pipes; and

said first process obtaining data from said store via said inter-process pipes responsive to said store access request using said user id and password associated with said store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method that provides access to Privileged Accounts to users by way of a two-way-encrypted credential store. In accordance with this invention, a process that needs to retrieve credentials for a third party system causes the operating system to launch a second process. This second process runs under a secured user id without interactive access. The requesting process can then pass generalized command streams to the second process, including tokenized credential retrieval requests. These tokenized credential retrieval requests are processed to authenticate the requests, perform audit logging of requests and retrieval of credentials. Tokenized credential requests transformed by the second process into credentials, which can be embedded within a command stream and then either forwarded to a sub-process or returned to the requesting process.

283 Citations

12 Claims

1. A method for use in a computer system that effects secure access to a store, comprising:
- receiving a request to access a store from a first process initiated by a requester;
  
  initiating a second process responsive to said store access request, wherein data generated by said second process is accessible to said first process but inaccessible to the requester;
  
  changing a context of said second process to the user id of said store;
  
  providing said store with an exclusive user id, said exclusive user id being different from a user id of the requestor;
  
  said second process receiving tokenized credentials corresponding to the user id and password of the requestor from said first process responsive to said request without the use of files and without interaction with said requester;
  
  said second precess converting the tokenized credentials to the user id and password of the requestor and performing a lookup of said user id and password of the requestor in a credential store;
  
  said second process passing a user id and password associated with said store to said first process if said user id and password of the requestor are found in said credential store;
  
  communicating between said first process and said store via inter-process pipes; and
  
  said first process obtaining data from said store via said inter-process pipes responsive to said store access request using said user id and password associated with said store.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method in accordance with claim 1 further comprising:
    - sending the data responsive to said store access request to a downstream process.
  - 3. A method in accordance with claim 1 farther comprising:
    - logging said store access request.
  - 4. A method in accordance with claim 3 wherein sending the data responsive to said store access request to a downstream process further comprises never sending the data to the requestor.
  - 5. A method in accordance with claim 1 wherein said computer system employs the UNIX operating system and wherein said context changing comprises invoking the UNIX set user id facility.

6. A computer system comprising:
- a data store having an exclusive user id in the computer system;
  
  a system for providing secure access to said data store, said system being configured to receive a request for access to said data store from a first process initiated by a requester, said exclusive user id being inaccessible to said requester, said exclusive user id being different from a user id of the requestor, said first process being configured to initiate a second process responsive to said request for access to said data store, wherein data generated by said second process is accessible to said first process but inaccessible to the requester, said second process being responsive to said request for access to said data store by changing its user id to the exclusive user id, said second process being operable to receive tokenized credentials corresponding to the user id and password of the recquestor from said first process responsive to said request without the use of files and without interaction with said requester, said second process converting the tokenized credentials to the user id and password of the requestor and being operable to perform a lookup of said user id and password of the requestor in a credential store, said second process being operable to pass a user id and password associated with said data store to said first process if said user id and password of the requestor are found in said credential store; and
  
  inter-process pipes between said first process and said data store for communicating and responding to requests for data by said first process using said user id and password associated with said data store, said inter-process pipes being inaccessible to the requester.
- View Dependent Claims (7, 8)
- - 7. A computer system according to claim 6 wherein the system for providing secure access is further configured to provide data from said data store to a downstream process.
  - 8. A computer system according to claim 6 wherein the system for providing secure access is further configured to log requests for access to said data store.

9. A method for use in a computer system that operates under the UNIX operating system that effects secure access to a store, comprising:
- executing a shell script which creates a data stream containing a tokenized user id and password in order to initiate a request to access a store from a first process initiated by a requester, said tokenized user id and password corresponding to the user id and password of the requestor;
  
  said first process initiating a second process responsive to said store access request, said second process and said store being in a protected area, wherein data generated by said second process is accessible to said first process but inaccessible to the requester;
  
  said second process obtaining the tokenized user id and password of the requestor from said first process along said data stream;
  
  changing a context of said second process to the effective user id of said store using the UNIX set user id facility, said user id of said store being different from a user id of the requestor;
  
  said second process providing said store with said effective user id, said effective user id being different from said user id of the requestor;
  
  said second process receiving said tokenized user id and password from said first process responsive to said request without the use of files and without interaction with said requester;
  
  said second process converting the tokens to said user id and password of the requestor and performing a lookup of said user id and password of the requestor in a credential store;
  
  said second process passing a user id and password associated with said store to said first process along a second data stream if said user id and password of the requestor are found in said credential store;
  
  communicating between said first process and said store via a sending inter-process pipe and a receiving inter-process pipe, said first and second inter-process pipes being inaccessible to the requester; and
  
  said first process obtaining data from said store via said second inter-process pipe responsive to said store access request via said first inter-process pipe using said user id and password associated with said store;
  
  receiving a request to access a store from a first process initiated by a requester;
  
  initiating a second process responsive to said store access request, wherein data generated by said second process is accessible to said first process but inaccessible to the requester.
- View Dependent Claims (10, 11, 12)
- - 10. A method in accordance with claim 9 further comprising:
    - sending the data responsive to said store access request to a downstream process.
  - 11. A method in accordance with claim 9 further comprising:
    - logging said store access request.
  - 12. A method in accordance with claim 11 wherein sending the data responsive to said store access request to a downstream process further comprises never sending the data to the requestor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Magennis, Gerard, Buchendorfer, Thomas
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US10/766,168
Publication Number

US 20050166048A1
Time in Patent Office

1,609 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

Setuid-filter method for providing secure access to a credentials store for computer systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

283 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Setuid-filter method for providing secure access to a credentials store for computer systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

283 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links