Secure delegation using public key authorization

US 7,428,749 B2
Filed: 08/03/2001
Issued: 09/23/2008
Est. Priority Date: 08/03/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of impersonating a client to a plurality of servers, comprising:

obtaining by a middle tier server, a common nonce that is created based at least in part upon a pre-nonce contribution from each of a plurality of back-end servers, wherein the common nonce is generated front an entity other than the client that the middle tier server is to impersonate or the plurality of back-end servers that the middle tier server is to interact with on behalf of the client;

receiving by the middle tier server, a request from the client for a transaction with at least one of yhe plurality of back-end servers;

providing the common nonce from the middle tier server to the client;

receiving the common nonce signed by the client with the client'"'"'s digital signature at the middle-tier server; and

impersonating the client by the middle tier server interacting with a selected one of the plurality of back-end servers for implementation of the client request on behalf of the client by providing the signed common nonce and the client request from the middle tier server to at least one of the plurality of back-end servers so as to authenticate the client to the plurality of servers for implementation of the client request on behalf of the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client is impersonated to a plurality of servers using a middle-tier server. A common nonce associated with each of the plurality of servers is obtained and the common nonce is provided to the client. The common nonce signed by the client is received at the middle-tier server and provided as a signature for transactions from the client to the plurality of servers so as to authenticate the client to the plurality of servers.

Citations

25 Claims

1. A method of impersonating a client to a plurality of servers, comprising:
- obtaining by a middle tier server, a common nonce that is created based at least in part upon a pre-nonce contribution from each of a plurality of back-end servers, wherein the common nonce is generated front an entity other than the client that the middle tier server is to impersonate or the plurality of back-end servers that the middle tier server is to interact with on behalf of the client;
  
  receiving by the middle tier server, a request from the client for a transaction with at least one of yhe plurality of back-end servers;
  
  providing the common nonce from the middle tier server to the client;
  
  receiving the common nonce signed by the client with the client'"'"'s digital signature at the middle-tier server; and
  
  impersonating the client by the middle tier server interacting with a selected one of the plurality of back-end servers for implementation of the client request on behalf of the client by providing the signed common nonce and the client request from the middle tier server to at least one of the plurality of back-end servers so as to authenticate the client to the plurality of servers for implementation of the client request on behalf of the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, wherein obtaining the common nonce comprises:
    - obtaining the pre-nonce contributions from the plurality of servers;
      
      combining the pre-nonce contributions to provide a single pre-nonce token; and
      
      providing the common nonce based on the pre-nonce token.
  - 3. The method of claim 2, wherein the step of providing the common nonce comprises reducing the pre-nonce token to provide the common nonce.
  - 4. The method of claim 3, wherein the step of reducing the pre-nonce token to provide the common nonce comprises the step of hashing the pre-nonce token utilizing a one-way hash function so as to provide the common nonce.
  - 5. The method of claim 4 wherein at least one of the plurality of servers carries out the steps of:
    - receiving the signed common nonce, the common nonce and the pre-nonce token;
      
      hashing the received pre-nonce token;
      
      comparing the hashed pre-nonce token to the common nonce;
      
      indicating that the client is not authenticated if the hashed pre-nonce token is different from the common nonce.
  - 6. The method of claim 2, wherein the step of combining the pre-nonce contributions to provide a single pre-nonce token comprises concatenating the pre-nonce contributions.
  - 7. The method of claim 2, wherein the step of obtaining pre-nonce contributions comprises the steps of:
    - requesting a pre-nonce contribution from each of the plurality of servers; and
      
      receiving the pre-nonce contribution from the plurality of servers.
  - 8. The method of claim 7, wherein requesting a pre-nonce contribution comprises sending authenticated requests to the plurality of servers.
  - 9. The method of claim 8, further comprising the step of encrypting the authenticated requests sent to the plurality of servers.
  - 10. The method of claim 8, wherein the authenticated requests include at least one of an identification of a source of the request, a time stamp and a random number.
  - 11. The method of claim 2, wherein the pre-nonce contributions include at least one of an identification of a server of the plurality of servers and a random number.
  - 12. The method of claim 11, wherein at least one of the plurality of servers carries out the steps of;
    - receiving the pre-nonce token;
      
      determining if the pre-nonce token includes a random number associated with the at least one if the plurality of servers; and
      
      indicating that the client is not authenticated if the hashed pre-nonce token does not include the random number associated with the at least one of the plurality of servers.
  - 13. The method of claim 12, wherein at least one of the plurality of servers carries out the steps of:
    - associating an expiration with the random number associated with the at least one of the plurality of servers; and
      
      indicating that the client is not authenticated if the pre-nonce token does not include a random number associated with the at least one of the plurality of servers which has not expired.
  - 14. The method of claim 2, wherein the pre-nonce contributions are signed with a signature corresponding to a server from which the pre-nonce contribution was obtained, the method further comprising incorporating the signatures in the pre-nonce token.
  - 15. The method of claim 2, wherein the pre-nonce contributions are signed with a signature corresponding to a server from which the pre-nonce contribution was obtained, the method further comprising authenticating signatures of the pre-nonce contributions and rejecting pre-nonce contributions for which the digital signature is not authentic.
  - 16. The method of claim 2, further comprising the steps of:
    - receiving a transaction identification from a trusted server of the plurality of servers; and
      
      associating the transaction identification with the common nonce.
  - 17. The method of claim 16, further comprising the step of tracking use of the common nonce based on the transaction identification.
  - 18. The method of claim 2, further comprising the steps of:
    - associating an expiration time with a pre-nonce contribution; and
      
      determining if the pre-nonce contribution has expired based on its associated expiration time.
  - 19. The method of claim 18, further comprising the steps of:
    - receiving the common nonce at a server of the plurality of servers;
      
      determining a pre-nonce contribution associated with the received common nonce; and
      
      accepting the received common nonce if the associated pre-nonce contribution has not expired.
  - 20. The method of claim 2, wherein at least one of the plurality of servers carries out the steps of:
    - receiving a client certificate;
      
      determining if the client certificate is trusted; and
      
      indicating that the client is not authenticated if the client certificate is not trusted.
  - 21. The method of claim 2 wherein at least one of the plurality of servers carries out the steps of:
    - receiving the signed common nonce and a client certificate;
      
      determining if the signature of the signed common nonce corresponds to a signature of the client certificate; and
      
      indicating that the client is not authenticated if the signature of the signed common nonce does not correspond to the signature of the client certificate.
  - 22. The method of claim 1 wherein the step of obtaining a common nonce comprises the stops of:
    - obtaining the common nonce from a party trusted by the middle-tier server and the plurality of servers, the common nonce being signed by the trusted party; and
      
      verifying the signature of the common nonce is the signature of the trusted party.
  - 23. The method of claim 22, wherein at least one of the plurality of servers carries out the steps of:
    - receiving a client certificate;
      
      determining if the client certificate is trusted; and
      
      indicating that the client is not authenticated if the client certificate is not trusted.
  - 24. The method of claim 22, wherein at least one of the plurality of servers carries out the steps of:
    - receiving the signed common nonce and a client certificate;
      
      determining if the signature of the signed common nonce corresponds to a signature of the client certificate; and
      
      indicating that the client is not authenticated if the signature of the signed common nonce does not correspond to the signature of the client certificate.
  - 25. The method according to claim 1, further comprising:
    - combining the pre-nonce contributions from the plurality of back-end servers into a pre-nonce token;
      
      hashing the pre-nonce token by the middle-tier server to generate the common nonce; and
      
      providing the pre-nonce token to the selected one of the plurality of back-end servers;
      
      wherein;
      
      the selected back-end server hashes the pre-nonce token using the same hashing technique used by the middle-tier server and compares it to the verified common nonce thus authenticating both the client and the middle-tier server the selected back-end server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McGarvey, John R., Kuehr-McLaren, David
Primary Examiner(s)
Revak; Christopher
Assistant Examiner(s)
HENNING, MATTHEW T

Application Number

US09/921,536
Publication Number

US 20030028773A1
Time in Patent Office

2,608 Days
Field of Search

713/176, 713/155, 713/168, 713/201, 726/4, 726/8
US Class Current

726/8
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Secure delegation using public key authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure delegation using public key authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links