Systems for authenticating a user's credentials against multiple sets of credentials

US 7,882,549 B2
Filed: 01/15/2009
Issued: 02/01/2011
Est. Priority Date: 03/28/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for determining an appropriate level of access authority for a person in a distributed computer network including multiple sets of access credentials, wherein the system is in communication with a plurality of client machines over the network, wherein the system performs operations, the operations comprising:

maintaining a set of access credential information for node users;

maintaining a set of access credential information for admin users;

wherein the set of access credential information for node users and the set of access credential information for admin users are maintained in respective separate name spaces;

receiving from one of the client machines the person'"'"'s request for access to the computer network or a subcomponent thereof, wherein the request includes the person'"'"'s input credentials;

comparing the person'"'"'s input credentials to the set of access credential information for node users, wherein the set of access credential information for node users is stored in a node table in a database;

determining whether the person'"'"'s input credentials are successfully verified against the set of access credential information stored in the node table, and if so, an authentication against the set of access credential information stored in the node table is successful;

comparing the person'"'"'s input credentials to the set of access credential information for admin users, wherein the set of access credential information for admin users is stored in an admin table in the database;

determining whether the person'"'"'s input credentials are successfully verified against the set of access credential information stored in the admin table, and if so, an authentication against the set of access credential information stored in the admin table is successful;

wherein the operation of comparing the person'"'"'s input credentials to the set of access credential information for node users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to the set of access credential information for admin users;

wherein the node table contains a set of access credential information for a different class of users than the set of access credential information contained in the admin table;

wherein the node table and the admin table are ranked, with the admin table having a higher ranking than the node table;

comparing results of the authentication against the set of access credential information stored in the node table and results of the authentication against the set of access credential information stored in the admin table;

ascertaining a level of access authority for the person, without the person specifying an intended level of access authority, wherein the ascertained level of access authority corresponds with the highest ranked set of access credentials for which authentication is successful;

and wherein the appropriate level of access authority for the person is ascertained without regard to a specific machine, a location of the machine, an IP address of the machine, and a MAC address of the machine, from which the person'"'"'s request is received.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are systems for authenticating the identity of a user for use in a distributed computer network including multiple sets of access credentials. A user request, including the user'"'"'s input credentials, is received, and then compared simultaneously to multiple sets of access credentials in order to verify the user'"'"'s input credentials. When the user'"'"'s input credentials are verified, the appropriate level of access authority is then determined, and proper access is granted to the user.

56 Citations

View as Search Results

17 Claims

1. A system for determining an appropriate level of access authority for a person in a distributed computer network including multiple sets of access credentials, wherein the system is in communication with a plurality of client machines over the network, wherein the system performs operations, the operations comprising:
- maintaining a set of access credential information for node users;
  
  maintaining a set of access credential information for admin users;
  
  wherein the set of access credential information for node users and the set of access credential information for admin users are maintained in respective separate name spaces;
  
  receiving from one of the client machines the person'"'"'s request for access to the computer network or a subcomponent thereof, wherein the request includes the person'"'"'s input credentials;
  
  comparing the person'"'"'s input credentials to the set of access credential information for node users, wherein the set of access credential information for node users is stored in a node table in a database;
  
  determining whether the person'"'"'s input credentials are successfully verified against the set of access credential information stored in the node table, and if so, an authentication against the set of access credential information stored in the node table is successful;
  
  comparing the person'"'"'s input credentials to the set of access credential information for admin users, wherein the set of access credential information for admin users is stored in an admin table in the database;
  
  determining whether the person'"'"'s input credentials are successfully verified against the set of access credential information stored in the admin table, and if so, an authentication against the set of access credential information stored in the admin table is successful;
  
  wherein the operation of comparing the person'"'"'s input credentials to the set of access credential information for node users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to the set of access credential information for admin users;
  
  wherein the node table contains a set of access credential information for a different class of users than the set of access credential information contained in the admin table;
  
  wherein the node table and the admin table are ranked, with the admin table having a higher ranking than the node table;
  
  comparing results of the authentication against the set of access credential information stored in the node table and results of the authentication against the set of access credential information stored in the admin table;
  
  ascertaining a level of access authority for the person, without the person specifying an intended level of access authority, wherein the ascertained level of access authority corresponds with the highest ranked set of access credentials for which authentication is successful;
  
  and wherein the appropriate level of access authority for the person is ascertained without regard to a specific machine, a location of the machine, an IP address of the machine, and a MAC address of the machine, from which the person'"'"'s request is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the person'"'"'s input credentials include a username and password which cause the authentication to be successful for the node table and the admin table.
  - 3. The system of claim 1, wherein the operations further comprise:
    - comparing the person'"'"'s input credentials to a third set of access credential information for a third set of users stored in a third table;
      
      determining whether the person'"'"'s input credentials are successfully verified against the third set of access credential information stored in the third table, and if so, an authentication against the third set of access credential information stored in the third table is successful;
      
      wherein the operation of comparing the person'"'"'s input credentials to a third set of access credential information for a third set of users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to a set of access credential information for node users and with the operation of comparing the person'"'"'s input credentials to a set of access credential information for admin users;
      
      wherein the node table and the admin table and the third table are in the database;
      
      wherein the third table contains a set of access credential information for a different class of users than the set of access credential information contained in the node table and the set of access credential information contained in the admin table; and
      
      wherein the node table and the admin table and the third table are ranked.
  - 4. The system of claim 3, wherein the operations further comprise:
    - comparing the person'"'"'s input credentials to a fourth set of access credential information for a fourth set of users stored in a fourth table;
      
      determining whether the person'"'"'s input credentials are successfully verified against the fourth set of access credential information stored in the fourth table, and if so, an authentication against the fourth set of access credential information stored in the fourth table is successful;
      
      wherein the operation of comparing the person'"'"'s input credentials to a fourth set of access credential information for a fourth set of users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to a set of access credential information for node users and with the operation of comparing the person'"'"'s input credentials to a set of access credential information for admin users and with the operation of comparing the person'"'"'s input credentials to a third set of access credential information for a third set of users;
      
      wherein the node table and the admin table and the third table and the fourth table are in the database;
      
      wherein the fourth table contains a set of access credential information for a different class of users than the respective sets of access credential information contained in the node table and the admin table and the third table; and
      
      wherein the node table and the admin table and the third table and the fourth table are ranked.
  - 5. The system of claim 4, wherein the person'"'"'s input credentials include a password, and wherein the method further comprises building a request key from the person'"'"'s password.
  - 6. The system of claim 5, wherein the operations further comprise creating random session keys.
  - 7. The system of claim 6, wherein the operations further comprise building a set of node and admin messages containing a decoded validation token.
  - 8. The system of claim 1, wherein the authentication against the node table is performed in parallel with the authentication against the admin table.

9. A system for determining an appropriate level of access authority for a person in a distributed computer network including multiple sets of access credentials, wherein the system is in communication with a plurality of client machines over the network, wherein the system performs operations, the operations comprising:
- accepting the person'"'"'s request for access to the computer network, wherein the request includes the person'"'"'s input credentials;
  
  maintaining a set of access credential information for a first class of users;
  
  maintaining a set of access credential information for a second class of users;
  
  wherein the set of access credential information for the first class of users and the set of access credential information for the second class of users are maintained in respective separate name spaces;
  
  comparing the person'"'"'s input credentials to the set of access credential information for the first class of users, wherein the set of access credential information for the first class of users is stored in a first table;
  
  determining whether the person'"'"'s input credentials are successfully verified against the set of access credential information stored in the first table, and if so, an authentication against the set of access credential information stored in the first table is successful;
  
  comparing the person'"'"'s input credentials to the set of access credential information for the second class of users, wherein the set of access credential information for the second class of users is stored in a second table;
  
  determining whether the person'"'"'s input credentials are successfully verified against the set of access credential information stored in the second table, and if so, an authentication against the set of access credential information stored in the second table is successful;
  
  wherein the operation of comparing the person'"'"'s input credentials to the set of access credential information for the first class of users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the second class of users;
  
  wherein the first table and the second table are in a single database;
  
  wherein the first class of users is a different class than the second class of users;
  
  wherein the first table and the second table are ranked, with the second table having a higher ranking than the first table;
  
  comparing results of the authentication against the set of access credential information stored in the first table and results of the authentication against the set of access credential information stored in the second table;
  
  ascertaining a level of access authority for the person, without the person specifying an intended level of access authority, wherein the ascertained level of access authority corresponds with the highest ranked set of access credentials for which authentication is successful;
  
  and wherein the appropriate level of access authority for the person is ascertained without regard to a specific machine, location of the machine, IP address of the machine, and MAC address of the machine, from which the person'"'"'s request is received.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9 wherein the operations further comprise:
    - comparing the person'"'"'s input credentials to a third set of access credential information for a third class of users stored in a third table;
      
      determining whether the person'"'"'s input credentials are successfully verified against the third set of access credential information stored in the third table, and if so, an authentication against the third set of access credential information stored in the third table is successful;
      
      wherein the operation of comparing the person'"'"'s input credentials to a third set of access credential information for a third class of users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the first class of users and with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the second class of users;
      
      wherein the first table and the second table and the third table are in a single database;
      
      wherein the third table contains a set of access credential information for a different class of users than the set of access credential information contained in the first table and the set of access credential information contained in the second table; and
      
      wherein the first table and the second table and the third table are ranked.
  - 11. The system of claim 10, further comprising:
    - comparing the person'"'"'s input credentials to a fourth set of access credential information for a fourth class of users stored in a fourth table;
      
      determining whether the person'"'"'s input credentials are successfully verified against the fourth set of access credential information stored in the fourth table, and if so, an authentication against the fourth set of access credential information stored in the fourth table is successful;
      
      wherein the operation of comparing the person'"'"'s input credentials to a fourth set of access credential information for a fourth class of users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the first class of users and with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the second class of users and with the operation of comparing the person'"'"'s input credentials to a third set of access credential information for a third set of users;
      
      wherein the first table and the second table and the third table and the fourth table are in a single database;
      
      wherein the fourth table contains a set of access credential information for a different class of users than the respective sets of access credential information contained in the first table and the second table and the third table; and
      
      wherein the first table and the second table and the third table and the fourth table are ranked.
  - 12. The system of claim 9 wherein the authentication against the first table is performed in parallel with the authentication against the second table.
  - 13. The system of claim 11, wherein the operations further comprise:
    - comparing the person'"'"'s input credentials to a fifth set of access credential information for a fifth class of users stored in a fifth table;
      
      determining whether the person'"'"'s input credentials are successfully verified against the fifth set of access credential information stored in the fifth table, and if so, an authentication against the fifth set of access credential information stored in the fifth table is successful;
      
      wherein the operation of comparing the person'"'"'s input credentials to a fifth set of access credential information for a fifth class of users at least partially overlaps in time with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the first class of users and with the operation of comparing the person'"'"'s input credentials to the set of access credential information for the second class of users and with the operation of comparing the person'"'"'s input credentials to a third set of access credential information for a third class of users and with the operation of comparing the person'"'"'s input credentials to a fourth set of access credential information for a fourth class of users;
      
      wherein the first table and the second table and he third table and the fourth table and the fifth table are in a single database;
      
      wherein the fifth table contains a set of access credential information for a different class of users than the respective sets of access credential information contained in the first table and the second table and the third table and the fourth table; and
      
      wherein the first table and the second table and the third table and the fourth table and the fifth table are ranked.
  - 14. The system of claim 13 wherein the fourth table and the fifth table have a same rank.

15. A system for determining an appropriate level of access authority for a person in a distributed computing environment, wherein the system is in communication with a plurality of client machines over the network, wherein the system performs operations, the operations comprising:
- accepting the person'"'"'s request for access to the computer network, wherein the request includes the person'"'"'s input credentials;
  
  performing, during a first time period, an authentication against a node table, wherein the authentication against the node table includes comparing the person'"'"'s input credentials to a set of access credential information for node users stored in the node table, and determining whether authentication against the node table is successful;
  
  performing, during a second time period, an authentication against an admin table, wherein the authentication against the admin table includes comparing the person'"'"'s input credentials to a set of access credential information for admin users stored in the admin table, and determining whether authentication against the admin table is successful;
  
  performing, during a third time period, an authentication against a third table, wherein the authentication against the third table includes comparing the person'"'"'s input credentials to a set of access credential information for users stored in the third table, and determining whether authentication against the third table is successful;
  
  performing, during a fourth time period, an authentication against a fourth table, wherein the authentication against the fourth table includes comparing the person'"'"'s input credentials to a set of access credential information for users stored in the fourth table, and determining whether authentication against the fourth table is successful;
  
  performing, during a fifth time period, an authentication against a fifth table, wherein the authentication against the fifth table includes comparing the person'"'"'s input credentials to a set of access credential information for users stored in the fifth table, and determining whether authentication against the fifth table is successful;
  
  wherein the first time period and the second time period and the third time period and the fourth time period and the fifth time period at least partially overlap;
  
  wherein the node table and the admin table and the third table and the fourth table and the fifth table are in a database;
  
  wherein the node table and the admin table and the third table and the fourth table and the fifth table each contain a set of access credential information that are respectively for different classes of users;
  
  wherein the node table and the admin table and the third table and the fourth table and the fifth table are ranked, with the admin table having a higher ranking than the node table;
  
  and wherein the method further comprises ascertaining a level of access authority for the person, without the person specifying an intended level of access authority, wherein the ascertained level of access authority corresponds with the highest ranked set of access credentials for which authentication is successful;
  
  and wherein the appropriate level of access authority for the person is ascertained without regard to a specific machine, location of the machine, IP address of the machine, and MAC address of the machine, from which the person'"'"'s request is received.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the person'"'"'s input credentials include a username and a password.
  - 17. The system of claim 16, wherein the respective authentications against the node table, the admin table, the third table, the fourth table, and the fifth table, are performed in parallel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kaczmarski, Michael Allen, Vargas, Omar Bond, Edwards, Robert Clair Jr.
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Avery; Jeremiah

Application Number

US12/354,770
Publication Number

US 20090187975A1
Time in Patent Office

747 Days
Field of Search

726/5
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

Systems for authenticating a user's credentials against multiple sets of credentials

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems for authenticating a user's credentials against multiple sets of credentials

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links