Application-to-application security in enterprise security services

US 7,823,192 B1
Filed: 04/01/2004
Issued: 10/26/2010
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system to provide application-to-application enterprise security for different applications on different platforms where there is no continuing context or session and a new context is created with new invocations from one of the applications to another, the system comprising:

a first computer comprising a security application program interface and an application program interface coupled to a client application on a first platform, the security application program interface operable to provide a security credential;

an authentication authority receiving the security credential from the security application program interface, the authentication authority further generates a token and communicates the token to the security application program interface where the security credential is valid, wherein the token contains user credentials encoded as a platform and application independent string data type;

a store maintaining data validating the security credential, the store in communication with the authentication authority to validate the security credential,the application program interface coupled to the client application communicating regarding the validity of the token; and

a second computer comprising a distinct server application on a second platform to receive the token from the application program interface coupled to the client application, a security application program interface coupled to the distinct server application communicating with the authentication authority to validate the token to enable the client application to use services of the server application, wherein there is no continuing context or session and a new context is created with every invocation of service of the distinct server application by the client application.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present system allows disparate secure applications to communicate directly with one another in a heterogeneous application environment by providing for the creation of tokens that can be passed between the applications without human intervention. Security information is passed between applications in the form of a token with a string data type. Since a string is a primitive data type, it can be recognized by a large number of applications and interfaces. The token has no header and therefore no application-specific header configuration, making it platform and technology independent. This eliminates the need for conversion of security information between different formats. The use of tokens also eliminates the need for an application to be authenticated and authorized every time it sends a message to another application. Instead of a permanent context or session, a context is created with every invocation from one application to another.

Citations

32 Claims

1. A system to provide application-to-application enterprise security for different applications on different platforms where there is no continuing context or session and a new context is created with new invocations from one of the applications to another, the system comprising:
- a first computer comprising a security application program interface and an application program interface coupled to a client application on a first platform, the security application program interface operable to provide a security credential;
  
  an authentication authority receiving the security credential from the security application program interface, the authentication authority further generates a token and communicates the token to the security application program interface where the security credential is valid, wherein the token contains user credentials encoded as a platform and application independent string data type;
  
  a store maintaining data validating the security credential, the store in communication with the authentication authority to validate the security credential,the application program interface coupled to the client application communicating regarding the validity of the token; and
  
  a second computer comprising a distinct server application on a second platform to receive the token from the application program interface coupled to the client application, a security application program interface coupled to the distinct server application communicating with the authentication authority to validate the token to enable the client application to use services of the server application, wherein there is no continuing context or session and a new context is created with every invocation of service of the distinct server application by the client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the server application further comprises:
    - an application program interface to communicate with the application program interface of the client application; and
      
      a security application program interface to communicate with the authentication authority.
  - 3. The system of claim 1, wherein the server application caches the token after validating the token with the authentication authority such that when the client application requests service of the server application, via the application program interfaces of the client application, the server application uses the cached token to validate the client application.
  - 4. The system of claim 1, wherein the token generated by the authentication authority comprises a string including at least a portion of the security credential.
  - 5. The system of claim 4, wherein at least a portion of the token is in Extensible Markup Language format.
  - 6. The system of claim 4, wherein at least a portion of the token is in Security Assertion Markup Language format.
  - 7. The system of claim 4, wherein the token includes information related to an expiration date of the token.
  - 8. The system of claim 1, wherein validating the token by the authentication authority includes determining whether the authentication authority created the token.
  - 9. The system of claim 1, wherein the invocation of service is an invocation of a method.

10. A method for providing application-to-application enterprise security for different applications on different platforms where there is no continuing context or session and a new context is created with new invocations from one of the applications to another, the method comprising:
- coupling a security application program interface and an application program interface to a client application on a first platform;
  
  communicating a security credential from the security application program interface to an authentication authority;
  
  communicating information related to the security credential between the authentication authority and a data store to determine whether the security credential is valid;
  
  generating a token by the authentication authority when the security credential is valid, wherein the token contains user credentials encoded as a platform and application independent string data type;
  
  communicating the token to a security application program interlace of the client application;
  
  providing, by the application program interface coupled to the client application on the first platform, the token to a distinct server application, the distinct server application on a second platform, wherein there is no continuing context or session and a new context is created with each of a plurality of invocations of service of the distinct server application by the client application; and
  
  communicating, by a security application program interface coupled to the distinct server application, with the authentication authority to validate the token before providing access to services of the distinct server application by the client application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 11. The method of claim 10, wherein the application program interface coupled to the client application communicates the token to an application program interface of the distinct server application.
  - 12. The method of claim 10, wherein validating the token by the distinct server application further comprises:
    - communicating information related to the token to the authentication authority;
      
      determining, by the authentication authority, whether the token is authentic; and
      
      receiving validation related information from the authentication authority.
  - 13. The method of claim 12, wherein the information related to the token comprises the token itself.
  - 14. The method of claim 12, wherein the information related to the token comprises a portion of data included in the token.
  - 15. The method of claim 12, wherein the authentication authority determines whether the authentication authority generated the token to validate the token.
  - 16. The method of claim 15, wherein the authentication authority determines whether the token has expired.
  - 17. The method of claim 12, wherein the authentication authority determines whether the token has expired.
  - 18. The method of claim 10, wherein the token includes a portion of the security credential in a string format.
  - 19. The method of claim 18, wherein the token includes at least an information related to an expiration date of the token.
  - 20. The method of claim 18, wherein the token is encrypted.
  - 21. The method of claim 18, wherein the string format of the token is further defined as an Extensible Markup Language format.
  - 22. The method of claim 18, wherein the string format of the token is further defined as Security Assertion Markup Language format.
  - 23. The method of claim 10, wherein the client further includes the application program interface coupled to the client application for communicating with the server application and wherein the client further includes the security application program interface coupled to the client application to communicate with the authentication authority.
  - 24. The method of claim 10, wherein the security credential is further defined as including a password and user identification.
  - 25. The method of claim 24, wherein the security credential is further defined as encrypted and the data store is further defined as a data store maintaining user identifications and passwords.
  - 26. The method of claim 10, wherein the security credential is an X.509 certificate and the data store is a certificate authority.
  - 27. The method of claim 26, further comprising:
    - communicating the X.509 certificate from the authentication authority to the certificate authority;
      
      validating the X.509 certificate by the certificate authority; and
      
      communicating validation information to the authentication authority.

28. A system to provide application-to-application enterprise security for different applications on different platforms where there is no continuing context or session and a new context is created with new invocations from one of the applications to another, the system comprising:
- a first computer comprising a first application program interface coupled to a first application on a first platform and a first security application program interface coupled to the first application on the first platform, to provide a first security credential;
  
  a first security application program interface coupled to the first application on the first platform, to provide a first security credential;
  
  a second computer comprising a second application program interface coupled to a second application on a second platform and a second security application program interface coupled to the second application on the second platform, to provide a second security credential;
  
  an authentication authority receiving the first and second security credentials from the first and second security application program interfaces, the authentication authority further generating tokens and communicating the tokens to the first and second security application program interfaces where the first and second security credentials are valid, wherein the tokens contain user credentials encoded as a platform and application independent string data type, wherein the tokens generated by the authentication authority are further defined as a first token generated by the authentication authority for the first application based on the first security credential and a second token generated by the authentication authority for the second application based on the second security credential;
  
  a store maintaining data validating the first and second security credentials, the store in communication with the authentication authority to validate the first and second security credentials;
  
  the first application program interface communicating regarding tokens; and
  
  the second application program interface receiving the first token from the first application program interface, wherein there is no continuing context or session and a new context is created with each invocation of the second application program interface by the first application program interface, the second security application program interface communicating with the authentication authority to validate the first token to enable the first application to use services of the second application and wherein the first application program interface receives the second token from the second application program interface, wherein there is no continuing context or session and a new context is created with each invocation of the first application program interface by the second application program interface, the first security application program interface communicating with the authentication authority to validate the second token to enable the second application to use services of the first application.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The system of claim 28, wherein the first and second tokens are further defined as data provided in a string format including at least portions of the first and second security credentials, respectively.
  - 30. The system of claim 29, wherein the first and second tokens include an expiration date.
  - 31. The system of claim 29, wherein the string format of the first and second tokens is further defined as Extensible Markup Language Format.
  - 32. The system of claim 29, wherein the string format of the first and second tokens is further defined as Security Assertion Markup Language Format.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Hsin, Alan, Fultz, David, Jannu, Shrikant
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US10/815,518
Time in Patent Office

2,399 Days
Field of Search

713/152, 713/155, 713/167, 713/168, 713/170, 713/189, 713/183, 713/185, 726/1, 726/2, 726/17, 726/21, 726/6, 726/18, 726/28, 726/29, 726/30, 726/26, 709/229, 709/225
US Class Current

726/7
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

Application-to-application security in enterprise security services

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Application-to-application security in enterprise security services

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links