Cryptographic binding of authentication schemes
Abstract
Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc., for purposes of later non-repudiation.
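The flow in the abstract, as an added Python example that is not taken from the patent: toy textbook RSA (constructed Mersenne-prime keys, no padding) stands in for the unspecified private-key operation, and the function names, the sample data and the 128-bit token truncation are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys (assumption)

def keypair(p, q):
    """Toy textbook-RSA key from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from Mersenne primes; not for real use.
N1, D1 = keypair(2**61 - 1, 2**89 - 1)     # first login sequence
N2, D2 = keypair(2**107 - 1, 2**127 - 1)   # second login sequence

def auth_token(data: bytes) -> int:
    """Hash the underlying data into the authentication token.
    Truncated to 128 bits so it fits under N1 (assumption of this example)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def first_sequence(data: bytes) -> int:
    """First login sequence: 'encrypt' the token with its private key."""
    return pow(auth_token(data), D1, N1)

def second_sequence(inner: int) -> int:
    """Second login sequence: 'encrypt' the already encrypted token again."""
    if inner >= N2:
        # The inner value must fit under the outer modulus or it cannot be recovered.
        raise ValueError("inner token does not fit under the second modulus")
    return pow(inner, D2, N2)

def verify(bound: int, data: bytes, audit_log: list) -> bool:
    """Resource side: twice 'decrypt' with the public keys (outer key first),
    compare with an independently computed comparison token, and log the result."""
    recovered = pow(pow(bound, E, N2), E, N1)
    ok = recovered == auth_token(data)
    audit_log.append({"data": data, "recovered": recovered, "ok": ok})
    return ok

if __name__ == "__main__":
    log = []
    data = b"user=alice;ts=1700000000"  # constructed underlying data
    bound = second_sequence(first_sequence(data))
    print("both sequences:", verify(bound, data, log))
    print("first sequence only:", verify(first_sequence(data), data, log))
    print("audit entries:", len(log))
```

A token that passed through only one of the two sequences, or one presented with different underlying data, fails the comparison, and every attempt still lands in the audit log.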
18 Claims
1. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource on a second computing device, comprising:
- executing at the first computing device two login sequences for the authentication schemes with a strong authentication framework;
- upon completion of a first sequence of the two login sequences at the first computing device, generating an authentication token;
- by the first sequence of the two login sequences, encrypting at the first computing device the authentication token using a private key corresponding to the first sequence;
- upon completion of a second sequence of the two login sequences at the first computing device, encrypting the encrypted authentication token with a private key corresponding to the second sequence; and
- upon a user attempting to access the sensitive application or resource on the second computing device, verifying the secure authentication sequence at the first computing device by twice decrypting the encrypted said encrypted authentication token to recover the authentication token.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource at a second computing device, comprising:
- installing two login sequences at the first computing device for the authentication schemes, including generating a public key and private key pair for each sequence of the two login sequences;
- upon completion of a first sequence of the two login sequences at the first computing device, generating an authentication token;
- encrypting the authentication token using the private key corresponding to the first sequence;
- upon completion of a second sequence of the two login sequences at the first computing device, encrypting the encrypted authentication token with a private key corresponding to the second sequence;
- upon a user attempting to access the sensitive application or resource at the second computing device, verifying the secure authentication sequence at the first computing device by twice decrypting the encrypted said encrypted authentication token to recover the authentication token, including retrieving the public key for the each sequence in order to perform the twice decrypting; and
- storing at the second computing device the recovered authentication token in an audit log corresponding to the sensitive application or resource for purposes of later non-repudiation.

Dependent claims: 13, 14, 15, 16, 17

18. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource at a second computing device, comprising:
- installing two login sequences at the first computing device, including generating a public key and private key pair for each sequence of the two login sequences;
- executing at the first computing device the two login sequences with a strong authentication framework;
- upon completion of a first sequence of the two login sequences, generating an unencrypted token;
- by the strong authentication framework, hashing the unencrypted token to achieve an authentication token;
- by the first sequence of the two login sequences at the first computing device, encrypting the authentication token using the private key for the first sequence;
- forwarding the encrypted authentication token to a second sequence of the two login sequences at the first computing device;
- upon completion of a second sequence of the two login sequences at the first computing device, encrypting the forwarded encrypted authentication token;
- upon a user attempting to access the sensitive application or resource at the second computing device, verifying the secure authentication sequence at the first computing device by the sensitive application or resource including computing a comparison token for comparing to a version of the authentication token recovered from the encrypted said forwarded encrypted authentication token; and
- making the verifying available for later auditing.

Specification