Policy driven, credential delegation for single sign on and secure access to network resources

US 7,913,084 B2
Filed: 05/26/2006
Issued: 03/22/2011
Est. Priority Date: 05/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising:

sending a request from a client for at least one of an application, a service and a resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;

initiating a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server;

negotiating with the server to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;

authenticating the server utilizing the selected authentication package as the authentication mechanism;

determining whether authentication has occurred according to said authenticating step, and only when authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;

receiving, on the client, an indication of a classification for the server;

prior to transmitting the user credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user credentials, wherein the pre-defined policy is based on the received server classification;

authenticating the Kpub of the server by;

encrypting the Kpub with the shared secret;

sending the encrypted Kpub to the server;

receiving a response from the server; and

verifying that the response includes (Kpub+1) encrypted with the shared secret; and

if the server can be trusted according to the pre-defined policy and the response is verified, transmitting the user'"'"'s credentials to the server to gain access to the at least one of the requested application, service and resource of the server from the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user'"'"'s credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

78 Citations

View as Search Results

19 Claims

1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising:
- sending a request from a client for at least one of an application, a service and a resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;
  
  initiating a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server;
  
  negotiating with the server to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;
  
  authenticating the server utilizing the selected authentication package as the authentication mechanism;
  
  determining whether authentication has occurred according to said authenticating step, and only when authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;
  
  receiving, on the client, an indication of a classification for the server;
  
  prior to transmitting the user credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user credentials, wherein the pre-defined policy is based on the received server classification;
  
  authenticating the Kpub of the server by;
  
  encrypting the Kpub with the shared secret;
  
  sending the encrypted Kpub to the server;
  
  receiving a response from the server; and
  
  verifying that the response includes (Kpub+1) encrypted with the shared secret; and
  
  if the server can be trusted according to the pre-defined policy and the response is verified, transmitting the user'"'"'s credentials to the server to gain access to the at least one of the requested application, service and resource of the server from the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the at least one pre-defined policy is a plurality of policies used to control and restrict the delegation of user credentials from a client to a server.
  - 3. The method of claim 2, wherein the plurality of policies address mitigation of a broad range of attacks including at least one of Trojan or malware running on the client, default group policy settings and group policy values configurable by an administrator of the client, domain name service (DNS) poisoning to avoid resolution to a rogue server and denial of service attacks.
  - 4. The method of claim 2, wherein the plurality of policies include policies that at least allow or deny delegation based on a list of service principal names (SPNs) of the server.
  - 5. The method of claim 1, wherein the performing includes performing a policy check according to at least one pre-defined policy defined based on a type of the user credentials.
  - 6. The method of claim 5, wherein the performing includes performing a policy check according to at least one pre-defined policy defined based on whether the user credentials are fresh, saved or default credentials.
  - 7. The method of claim 1, wherein said transmitting of the user'"'"'s credentials includes transmitting the user'"'"'s credentials in a format that only a trusted subsystem of a local security system has access to the user credentials in clear text format.
  - 8. The method of claim 7, wherein the performing of the policy check is performed by a local security authority (LSA) and the trusted subsystem is a trusted subsystem of the LSA.
  - 9. The method of claim 1, further comprising:
    - after establishing the session between the client and server, authenticating a public key of the server.
  - 10. The method of claim 1, wherein said steps are performed via a credential security support provider component made available to the client making the request via a security support provider interface (SSPI).
  - 11. The method of claim 1, wherein the initial handshake is a handshake according to the secure sockets layer (SSL) or transport layer security (TLS) protocol.
  - 12. The method of claim 1, wherein the negotiating includes negotiating using Simple and Protected Generic Security Service Application Program Interface (GSSAPI) Negotiation Mechanism (SPNEGO) negotiation.
  - 13. The method of claim 1, wherein the selected authentication package a Kerberos or NT Local Area Network (LAN) Manager (NTLM).
  - 14. The method of claim 1, wherein said shared secret is shared session key.

15. A client computing device, comprising:
- a credential security support provider component for handling a request from the client computing device for at least one of an application, a service and a resource of a server in a networked computing environment, wherein the request implicates delegation of user credentials from the client computing device to the server;
  
  wherein the credential security support provider component initiates a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server, negotiates selection of a security support provider shared between the client and server to utilize as an authentication package for authenticating communications between the client and the server, and performs steps to authenticate the server and the client utilizing the authentication package; and
  
  wherein, only after authentication has occurred, the credential security support provider component;
  
  establishes a session between the client and server and a shared secret for encryption of messages communicated between the client and server according to the session, and upon receiving an indication of a classification for the server performs a policy check according to at least one pre-defined policy used to control and restrict the delegation of user credentials from the client computing device to the server, the policy check based on the received server classification; and
  
  authenticates the Kpub of the server by;
  
  encrypting the Kpub with the shared secret;
  
  sending the encrypted Kpub to the server;
  
  receiving a response from the server; and
  
  verifying that the response includes (Kpub+1) encrypted with the shared secret; and
  
  transmits the user'"'"'s credentials to the server to gain access to the requested at least one of the application, the service and the resource of the server from the client only when the policy check is passed and the response is verified.
- View Dependent Claims (16, 17, 18)
- - 16. The client computing device of claim 15, wherein the credential security support provider component transmits the user'"'"'s credentials in a format that a trusted subsystem of a local security authority (LSA) can decode to a clear text format.
  - 17. The client computing device of claim 15, wherein the at least one pre-defined policy addresses mitigation of any one or more of a broad range of attacks including Trojan or malware running on the client, default group policy settings and group policy values configurable by an administrator of the client, domain name service (DNS) poisoning to avoid resolution to a rogue server, and denial of service attacks.
  - 18. The client computing device of claim 15, wherein the at least one predefined policy includes a delegation policy based on whether the user credentials are fresh, saved or default credentials.

19. A computer implemented system delegating user credentials from a client to a server in a networked computing environment as part of a single sign on to a server'"'"'s resources, the system comprising:
- at least one processor; and
  
  a memory, communicatively coupled to the at least one processor and containing instructions that, when executed by the at least one processor, perform a method, the method comprising;
  
  sending a request from a client for at least one of an application, a service and a resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;
  
  initiating a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server;
  
  negotiating with the server to select an authentication package shared between the client and the server to utilize as an authentication mechanism for authenticating communications between the client and the server;
  
  authenticating the server utilizing the selected authentication package as the authentication mechanism;
  
  determining whether authentication has occurred according to said authenticating step, and only when authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;
  
  receiving, on the client, an indication of a classification for the server;
  
  prior to transmitting the user credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user credentials, wherein the pre-defined policy is based on the received server classification;
  
  authenticating the Kpub of the server by;
  
  encrypting the Kpub with the shared secret;
  
  sending the encrypted Kpub to the server;
  
  receiving a response from the server, andverifying that the response includes (Kpub+1) encrypted with the shared secret; and
  
  if the server can be trusted according to the pre-defined policy and the response is verified, transmitting the user'"'"'s credentials to the server to gain access to the at least one of the requested application, service and resource of the server from the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kamel, Tarek Bahaa El-Din Mahmoud, Medvinsky, Gennady, Ilac, Cristian, Fathalla, Mohamed Emad El Din, Leach, Paul J., Parsons, John E., Hagiu, Costin
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Nguy; Chi

Application Number

US11/441,588
Publication Number

US 20070277231A1
Time in Patent Office

1,761 Days
Field of Search

726/1, 726/22, 726/24, 713/159, 713/169, 713/168, 713/171, 709/219, 709/229
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

H04L 9/3273   for mutual authentication n...

Policy driven, credential delegation for single sign on and secure access to network resources

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Policy driven, credential delegation for single sign on and secure access to network resources

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others