Cryptographic binding of authentication schemes

US 7,793,340 B2
Filed: 11/21/2007
Issued: 09/07/2010
Est. Priority Date: 11/21/2007
Status: Active Grant

First Claim

Patent Images

1. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource on a second computing device, comprising:

executing at the first computing device two login sequences for the authentication schemes with a strong authentication framework;

upon completion of a first sequence of the two login sequences at the first computing device, generating an authentication token;

by the first sequence of the two login sequences, encrypting at the first computing device the authentication token using a private key corresponding to the first sequence;

upon completion of a second sequence of the two login sequences at the first computing device, encrypting the encrypted authentication token with a private key corresponding to the second sequence; and

upon a user attempting to access the sensitive application or resource on the second computing device, verifying the secure authentication sequence at the first computing device by twice decrypting the encrypted said encrypted authentication token to recover the authentication token.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc., for purposes of later non-repudiation.

Citations

18 Claims

1. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource on a second computing device, comprising:
- executing at the first computing device two login sequences for the authentication schemes with a strong authentication framework;
  
  upon completion of a first sequence of the two login sequences at the first computing device, generating an authentication token;
  
  by the first sequence of the two login sequences, encrypting at the first computing device the authentication token using a private key corresponding to the first sequence;
  
  upon completion of a second sequence of the two login sequences at the first computing device, encrypting the encrypted authentication token with a private key corresponding to the second sequence; and
  
  upon a user attempting to access the sensitive application or resource on the second computing device, verifying the secure authentication sequence at the first computing device by twice decrypting the encrypted said encrypted authentication token to recover the authentication token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further including, by the sensitive application or resource, computing a comparison token for comparing to the authentication token.
  - 3. The method of claim 2, wherein the authentication token is generated from a UID and a nonce, further including passing the UID and the nonce to the sensitive application or resource for the computing the comparison token.
  - 4. The method of claim 1, further including installing the two login sequences, including generating a public key and private key pair for each sequence of the two login sequences.
  - 5. The method of claim 4, wherein the sensitive application or resource retrieves the public key for the each sequence in order to perform the twice decrypting.
  - 6. The method of claim 1, further including generating an unencrypted token upon successful completion of the first sequence of the two login sequences.
  - 7. The method of claim 6, wherein the generating the authentication token further includes hashing the unencrypted token.
  - 8. The method of claim 6, wherein the generating the unencrypted token further includes generating a UID and a nonce.
  - 9. The method of claim 1, further including agreeing upon a format of the authentication token by the strong authentication framework and the sensitive application or resource.
  - 10. The method of claim 1, wherein the generating the authentication token further includes setting an expiration time.
  - 11. The method of claim 1, further including storing at the second computing device the recovered authentication token in an audit log corresponding to the sensitive application or resource for purposes of non-repudiation at a future time.

12. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource at a second computing device, comprising:
- installing two login sequences at the first computing device for the authentication schemes, including generating a public key and private key pair for each sequence of the two login sequences;
  
  upon completion of a first sequence of the two login sequences at the first computing device, generating an authentication token;
  
  encrypting the authentication token using the private key corresponding to the first sequence;
  
  upon completion of a second sequence of the two login sequences at the first computing device, encrypting the encrypted authentication token with a private key corresponding to the second sequence;
  
  upon a user attempting to access the sensitive application or resource at the second computing device, verifying the secure authentication sequence at the first computing device by twice decrypting the encrypted said encrypted authentication token to recover the authentication token, including retrieving the public key for the each sequence in order to perform the twice decrypting; and
  
  storing at the second computing device the recovered authentication token in an audit log corresponding to the sensitive application or resource for purposes of later non-repudiation.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further including, by the sensitive application or resource, computing a comparison token for comparing to the authentication token.
  - 14. The method of claim 13, wherein the authentication token is generated from a UID and a nonce, further including passing the UID and the nonce to the sensitive application or resource for the computing the comparison token.
  - 15. The method of claim 12, further including generating an unencrypted token upon successful completion of the first sequence of the two login sequences.
  - 16. The method of claim 15, wherein the generating the authentication token further includes hashing the unencrypted token.
  - 17. The method of claim 12, further including agreeing upon a format of the authentication token by the strong authentication framework and the sensitive application or resource.

18. In a computing system environment having pluralities of computing devices, a method of cryptographically binding authentication schemes to verify that a secure authentication sequence was executed at a first computing device to gain access to a sensitive application or resource at a second computing device, comprising:
- installing two login sequences at the first computing device, including generating a public key and private key pair for each sequence of the two login sequences;
  
  executing at the first computing device the two login sequences with a strong authentication framework;
  
  upon completion of a first sequence of the two login sequences, generating an unencrypted token;
  
  by the strong authentication framework, hashing the unencrypted token to achieve an authentication token;
  
  by the first sequence of the two login sequences at the first computing device, encrypting the authentication token using the private key for the first sequence;
  
  forwarding the encrypted authentication token to a second sequence of the two login sequences at the first computing device;
  
  upon completion of a second sequence of the two login sequences at the first computing device, encrypting the forwarded encrypted authentication token;
  
  upon a user attempting to access the sensitive application or resource at the second computing device, verifying the secure authentication sequence at the first computing device by the sensitive application or resource including computing a comparison token for comparing to a version of the authentication token recovered from the encrypted said forwarded encrypted authentication token; and
  
  making the verifying available for later auditing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Kiester, W. Scott, Ford, Karl E., Mashayekhi, Cameron
Primary Examiner(s)
Henning; Matthew T

Application Number

US11/943,783
Publication Number

US 20090132828A1
Time in Patent Office

1,021 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 9/3213 using tickets or tokens, e....

H04L 9/3247 involving digital signatures

Cryptographic binding of authentication schemes

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic binding of authentication schemes

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links