Proxy server security token authorization

US 7,836,493 B2
Filed: 04/24/2003
Issued: 11/16/2010
Est. Priority Date: 04/24/2003
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing use of a particular computing resource by a user, comprising:

(a) a management server issuing, to a user computer, a secure authorization token, said secure authorization token having data including connection permission information that identifies the specific protected computer resource by at least one of name and port number;

(b) examining, with a proxy server, the secure authorization token for authenticity, and extracting, with said proxy server, said connection permission information contained in the token to determine the user'"'"'s authorization to access said specific protected computing resource; and

(c) if the secure authorization token is authentic, said proxy server using said secure authorization token data connection permission information to establish a proxy connection with said specific protected computing resource on behalf of the user and acting as an intermediary to pass information between the user computer and the specific protected computing resource, without said proxy server accessing or communicating with the management server to obtain user authorization information,wherein said management server is separate from said proxy server, said protected computing resource and said user computer.

View all claims

25 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management server manufactures a secure, tamper-resistant token for a particular user specifying the permissions and authorizations that user possesses. The token may be in the form of a digitally-signed message specifying, for example, a particular computer and associated port number that the user is permitted to access. The management server delivers the token to the user, preferably over a secure communications session. When challenged, the user presents the secure token to the security proxy server. The security proxy server examines the token to be sure it is authentic and has not be tampered with, and then extracts information contained in the token to determine the user'"'"'s authorization to access a particular computer, particular port number and/or other resource. The security proxy server then establishes authorized communication with the authorized computing resource based on the information contained in the user'"'"'s token, and thereafter may act in one embodiment as essentially a passthrough or proxy for permitting the user to access and communicate with the resource.

94 Citations

View as Search Results

14 Claims

1. A method of authorizing use of a particular computing resource by a user, comprising:
- (a) a management server issuing, to a user computer, a secure authorization token, said secure authorization token having data including connection permission information that identifies the specific protected computer resource by at least one of name and port number;
  
  (b) examining, with a proxy server, the secure authorization token for authenticity, and extracting, with said proxy server, said connection permission information contained in the token to determine the user'"'"'s authorization to access said specific protected computing resource; and
  
  (c) if the secure authorization token is authentic, said proxy server using said secure authorization token data connection permission information to establish a proxy connection with said specific protected computing resource on behalf of the user and acting as an intermediary to pass information between the user computer and the specific protected computing resource, without said proxy server accessing or communicating with the management server to obtain user authorization information,wherein said management server is separate from said proxy server, said protected computing resource and said user computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein said management server comprises a trusted entity different from said proxy server.
  - 3. The method of claim 1 wherein said management server digitally signs said token with a digital signature and said examining includes authenticating said digital signature.
  - 4. The method of claim 1 wherein said management server time-stamps said token.
  - 5. The method of claim 1 further including said proxy server challenging said user for said token and said user responding to said challenge by presenting said token to said proxy server.
  - 6. The method of claim 1 wherein said using step is performed conditionally based at least in part on whether said token is unexpired.
  - 7. The method of claim 1 wherein said using step includes extracting both a computer name and port number from said token and establishing a connection using said computer name and port number.

8. A proxy server comprising:
- means for receiving a secure authorization token from a user device, said secure authorization token having been issued by a management server, said authorization token including connection data comprising computer name and port numbermeans for examining said token to determine the authenticity thereof and to extract at least connection data therefrom; and
  
  means for establishing a proxy server session conditioned on the authenticity of said token, wherein said proxy server acts as an intermediary between said user device and a specific protected computing resource the token specifies and said extracted connection data is used to establish said proxy server session without said proxy server accessing or communicating with said management server to obtain user authorization information.

9. A proxy server comprising:
- a challenge function that challenges a user device to present a secure authorization token issued by a management server;
  
  a token validator that validates said secure authorization token; and
  
  a token content extractor that extracts connection information from said validated token including at least one of computer name and port number; and
  
  a session controller that establishes a proxy connection with a specific protected computing resource based at least in part on the extracted connection information without need for said session controller to directly access or communicate with said management server to obtain user device authorization information, and intermediates a session between said user device and the specific protected computing resource conditioned at least in part on token validation by said token validator, said proxy server using secure authorization token data connection permission information within said secure authorization token to establish a proxy connection with said specific protected computing resource on behalf of the user and acting as an intermediary to pass information between the user computer and the specific protected computing resource.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The proxy server of claim 9 wherein said token is digitally signed and said token validator validates said digital signature.
  - 11. The proxy server of claim 9 wherein connection information contained in said token includes at least computer name and port number.
  - 12. The proxy server of claim 9 wherein said token validator determines whether said token has expired and whether said token has been tampered with.
  - 13. The proxy server of claim 9 wherein said management server comprises a trusted entity different from said proxy server.
  - 14. The proxy server of claim 9 wherein said proxy server establishes a first connection behind a firewall with a legacy host computer not equipped with SSL/TLS and establishes a second connection with said user device through said firewall, said proxy server proxying, in said first connection, on behalf of the user device connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Attachmate Corporation (Open Text Corporation)
Original Assignee
Attachmate Corporation (Open Text Corporation)
Inventors
Xia, Sharon (Hong), Brombaugh, Dan
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US10/421,948
Publication Number

US 20050005133A1
Time in Patent Office

2,763 Days
Field of Search

713/156, 713/185, 726/9, 726/10, 726/12, 726/19, 726/20, 726/14
US Class Current

726/9
CPC Class Codes

H04L 63/0281 Proxies

H04L 63/0807 using tickets, e.g. Kerbero...

Proxy server security token authorization

First Claim

25 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Proxy server security token authorization

First Claim

25 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links