Policy driven, credential delegation for single sign on and secure access to network resources
First Claim
1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising:
- sending a request from a client for at least one of an application, a service and a resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;
- initiating a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server;
- negotiating with the server to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;
- authenticating the server utilizing the selected authentication package as the authentication mechanism;
- determining whether authentication has occurred according to said authenticating step, and only when authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;
- receiving, on the client, an indication of a classification for the server;
- prior to transmitting the user credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user credentials, wherein the pre-defined policy is based on the received server classification;
- authenticating the Kpub of the server by:
  - encrypting the Kpub with the shared secret;
  - sending the encrypted Kpub to the server;
  - receiving a response from the server; and
  - verifying that the response includes (Kpub+1) encrypted with the shared secret; and
- if the server can be trusted according to the pre-defined policy and the response is verified, transmitting the user's credentials to the server to gain access to the at least one of the requested application, service and resource of the server from the client.
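The ordering in claim 1 is the security-relevant point: the policy check on the server classification and the binding of the TLS public key (Kpub) to the authentication package's shared secret both complete before any credential leaves the client, so a TLS-terminating middlebox that presents its own certificate never sees a credential. The simulation below walks through that sequence with both sides' messages. It is an added example, not code from the patent or from Windows: the wrap/unwrap pair is a toy encrypt-then-MAC stand-in for the package's GSS_Wrap, "Kpub+1" is taken as the first byte incremented (an assumption for this example), the classification values "mutual" and "unverified" and the allow-list policy are invented for illustration, and all keys and credentials are constructed inline. The server-side comparison of the received key against its own certificate key is the behaviour the shipped CredSSP protocol relies on; without it the echoed Kpub+1 would prove nothing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for the package's real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the shared secret (stand-in for GSS_Wrap)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC, then decrypt; raises ValueError on tampering or a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def kpub_plus_one(kpub: bytes) -> bytes:
    """'Kpub+1' read as the first byte incremented (assumption for this example)."""
    return bytes([(kpub[0] + 1) & 0xFF]) + kpub[1:]


# Policy on the server classification (assumed values: "mutual" = the package
# proved the server's identity, e.g. Kerberos; "unverified" = it did not).
# Default deny: only the listed (credential type, classification) pairs delegate.
ALLOWED = {("fresh", "mutual"), ("default", "mutual")}


def policy_allows(cred_type: str, classification: str) -> bool:
    return (cred_type, classification) in ALLOWED


@dataclass
class Server:
    kpub: bytes          # public key the server presented in its TLS certificate
    session_key: bytes   # shared secret established by the authentication package

    def pub_key_auth(self, blob: bytes) -> Optional[bytes]:
        """Server side of the Kpub binding: echo Kpub+1 only if the key is its own."""
        try:
            received = unwrap(self.session_key, blob)
        except ValueError:
            return None
        if received != self.kpub:  # a TLS-terminating middlebox substituted its key
            return None
        return wrap(self.session_key, kpub_plus_one(self.kpub))


def client_delegate(tls_kpub: bytes, server: Server, session_key: bytes,
                    classification: str, cred_type: str,
                    credentials: bytes) -> Tuple[Optional[bytes], str]:
    """Client side of claim 1 after authentication: (wrapped creds or None, reason)."""
    if not policy_allows(cred_type, classification):
        return None, "policy denies delegation"
    response = server.pub_key_auth(wrap(session_key, tls_kpub))
    if response is None:
        return None, "server rejected public key"
    try:
        echoed = unwrap(session_key, response)
    except ValueError:
        return None, "response not under shared secret"
    if echoed != kpub_plus_one(tls_kpub):
        return None, "Kpub+1 mismatch"
    return wrap(session_key, credentials), "delegated"


def demo() -> dict:
    """Three runs over constructed keys: honest server, TLS MITM, and a policy denial."""
    session_key = hashlib.sha256(b"constructed session key").digest()
    real_kpub = hashlib.sha256(b"constructed server public key").digest()
    mitm_kpub = hashlib.sha256(b"constructed attacker public key").digest()
    server = Server(kpub=real_kpub, session_key=session_key)
    creds = b"CORP\\alice:constructed-password"
    honest = client_delegate(real_kpub, server, session_key, "mutual", "fresh", creds)
    # MITM: the client's TLS session terminated at the attacker, so it saw mitm_kpub,
    # while the authentication package still ran end to end with the real server.
    mitm = client_delegate(mitm_kpub, server, session_key, "mutual", "fresh", creds)
    denied = client_delegate(real_kpub, server, session_key, "unverified", "fresh", creds)
    return {
        "honest": honest[1],
        "honest_creds_ok": honest[0] is not None and unwrap(session_key, honest[0]) == creds,
        "mitm": mitm[1],
        "denied": denied[1],
    }


if __name__ == "__main__":
    print(demo())
```

In the MITM run the attacker relays the package's authentication messages unchanged, so the real server ends up holding the session key and the client's encrypted Kpub reaches it intact; the server rejects because that key is not its own, and the attacker cannot forge a substitute response because it never learns the session key. Note that the policy check alone would have let the MITM through (the classification is "mutual"); it is the key binding that stops it, which is why the claim requires both.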
Abstract
A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.
78 Citations
19 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.)
15. A client computing device, comprising:
- a credential security support provider component for handling a request from the client computing device for at least one of an application, a service and a resource of a server in a networked computing environment, wherein the request implicates delegation of user credentials from the client computing device to the server;
- wherein the credential security support provider component initiates a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server, negotiates selection of a security support provider shared between the client and server to utilize as an authentication package for authenticating communications between the client and the server, and performs steps to authenticate the server and the client utilizing the authentication package; and
- wherein, only after authentication has occurred, the credential security support provider component:
  - establishes a session between the client and server and a shared secret for encryption of messages communicated between the client and server according to the session, and upon receiving an indication of a classification for the server performs a policy check according to at least one pre-defined policy used to control and restrict the delegation of user credentials from the client computing device to the server, the policy check based on the received server classification; and
  - authenticates the Kpub of the server by:
    - encrypting the Kpub with the shared secret;
    - sending the encrypted Kpub to the server;
    - receiving a response from the server; and
    - verifying that the response includes (Kpub+1) encrypted with the shared secret; and
  - transmits the user's credentials to the server to gain access to the requested at least one of the application, the service and the resource of the server from the client only when the policy check is passed and the response is verified.

Dependent claims: 16, 17, 18.
19. A computer implemented system delegating user credentials from a client to a server in a networked computing environment as part of a single sign on to a server's resources, the system comprising:
- at least one processor; and
- a memory, communicatively coupled to the at least one processor and containing instructions that, when executed by the at least one processor, perform a method, the method comprising:
  - sending a request from a client for at least one of an application, a service and a resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;
  - initiating a handshake between the client and the server, including receiving by the client a public key (Kpub) of the server;
  - negotiating with the server to select an authentication package shared between the client and the server to utilize as an authentication mechanism for authenticating communications between the client and the server;
  - authenticating the server utilizing the selected authentication package as the authentication mechanism;
  - determining whether authentication has occurred according to said authenticating step, and only when authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;
  - receiving, on the client, an indication of a classification for the server;
  - prior to transmitting the user credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user credentials, wherein the pre-defined policy is based on the received server classification;
  - authenticating the Kpub of the server by:
    - encrypting the Kpub with the shared secret;
    - sending the encrypted Kpub to the server;
    - receiving a response from the server; and
    - verifying that the response includes (Kpub+1) encrypted with the shared secret; and
  - if the server can be trusted according to the pre-defined policy and the response is verified, transmitting the user's credentials to the server to gain access to the at least one of the requested application, service and resource of the server from the client.
Specification