Mashauth: using mashssl for efficient delegated authentication

US 7,966,652 B2
Filed: 04/07/2008
Issued: 06/21/2011
Est. Priority Date: 04/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for efficient delegated authentication to allow a delegator entity, to delegate authority to another delegatee entity, to obtain information from, or take actions at, a third entity, on its behalf;

the method comprising;

configuring a processor to perform the steps of;

(a) the delegatee entity sending the first SSL Client-Hello handshake message, to the third entity, via the delegator entity, which the delegatee entity authenticates, and having the delegator entity approve the submission of the request en route;

(b) the third entity replying by sending the SSL Server-Hello handshake message to the delegatee entity, via the delegator entity which the third entity authenticates, and having the delegator entity approve the submission of the response en route;

(c) the delegatee entity replying by sending the SSL Client-Key-Exchange handshake message to the third entity, via the delegator entity;

(d) the delegatee entity and the third entity agreeing on a master-secret not known to there delegator which can be used to authenticate each other; and

(e) the third entity replying by sending the SSL Server-Finished handshake message including a delegation-ticket to the delegatee entity, via the delegator entity, wherein the ticket contains parameters to be used for a session with said delegator entity including a ticked lifetime for which the session can be reused and wherein said parameters can be reused to allow a plurality of delegated authentication sessions on behalf of, and via, a different delegator entity between said delegatee and said third entities without having to reestablished session parameters during said ticket lifetime time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method that allows the MashSSL protocol to be used to provide a secure and efficient way for delegated authentication. The invention allows services which already have an SSL infrastructure to reuse that infrastructure for delegated authentication, and to do so in a fashion where the cryptographic overhead is amortized across multiple users, and which provides the user with greater control of what information is shared on their behalf.

Citations

16 Claims

1. A method for efficient delegated authentication to allow a delegator entity, to delegate authority to another delegatee entity, to obtain information from, or take actions at, a third entity, on its behalf;
- the method comprising;
  
  configuring a processor to perform the steps of;
  
  (a) the delegatee entity sending the first SSL Client-Hello handshake message, to the third entity, via the delegator entity, which the delegatee entity authenticates, and having the delegator entity approve the submission of the request en route;
  
  (b) the third entity replying by sending the SSL Server-Hello handshake message to the delegatee entity, via the delegator entity which the third entity authenticates, and having the delegator entity approve the submission of the response en route;
  
  (c) the delegatee entity replying by sending the SSL Client-Key-Exchange handshake message to the third entity, via the delegator entity;
  
  (d) the delegatee entity and the third entity agreeing on a master-secret not known to there delegator which can be used to authenticate each other; and
  
  (e) the third entity replying by sending the SSL Server-Finished handshake message including a delegation-ticket to the delegatee entity, via the delegator entity, wherein the ticket contains parameters to be used for a session with said delegator entity including a ticked lifetime for which the session can be reused and wherein said parameters can be reused to allow a plurality of delegated authentication sessions on behalf of, and via, a different delegator entity between said delegatee and said third entities without having to reestablished session parameters during said ticket lifetime time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1, wherein either the delegatee and/or the third entity do not authenticate the delegator.
  - 3. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1, wherein additional data are sent in some or all of the messages in addition to the SSL handshake messages.
  - 4. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 3, wherein the additional data parameters in the handshake messages are used by(a) the delegator entity and the third entity to agree on a shared-secret not known to the delegatee entity by the end of the handshake messages.(b) the delegator entity and the delegatee entity to agree on a shared-secret not known to the third entity by the end of the handshake messages.
  - 5. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 4, wherein the three entities can send messages to each other encrypted with one of the shared secrets such that only the other entities who have that shared secret can decrypt the message.
  - 6. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 5, wherein the delegatee can send a message to the third entity, via the delegator, requesting data or asking for action to be performed, on behalf of the delegator.
  - 7. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 6, where the delegator can be shown the delegatee'"'"'s request and explicitly authorizes some or all portions of the request before sending on to the third entity.
  - 8. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 5, wherein the third party can send data to the delegatee via the delegator.
  - 9. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 8, where the delegator can be shown the data being sent and explicitly authorizes some or all portions of the data transfer before sending on to the delegatee.
  - 10. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 8, wherein, the ticket contains various parameters which scope the privileges and lifetime associated with the ticket.
  - 11. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1 wherein any of the SSL handshake messages being sent between the delegatee and third entities via the delegator entity, can be fully or partially scrambled and then unscrambled before processing using multiple methods of scrambling and unscrambling.
  - 12. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1, wherein, the mutual authentication of the delegatee and the third entity happens using their SSL digital certificates.
  - 13. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1, wherein, the delegatee entity and the third entity agree on a ticket unique to the delegator, which can be used by the delegatee to access information of take action on behalf of the delegator.
  - 14. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1, wherein the delegatee entity and the third entity can communicate directly using the shared master-secret.
  - 15. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 14, wherein such communication can only happen if the delegator has authorized it to the delegatee and the third entity during the initial handshake.
  - 16. A method for allowing a one entity, the delegator, to delegate authority to another entity, the delegatee, to obtain information from, or take actions at, a third entity, on its behalf according to claim 1, wherein, the delegatee entity and the third entity agree to reuse the agreed master-secret not known to the delegator entity, as a basis for re-establishment of communications on behalf of, and via, a different delegator entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Safemashups Incorporated
Original Assignee
Safemashups Incorporated
Inventors
Ganesan, Ravi
Primary Examiner(s)
Chai; Longbit

Application Number

US12/098,789
Publication Number

US 20110047372A1
Time in Patent Office

1,170 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

Mashauth: using mashssl for efficient delegated authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Mashauth: using mashssl for efficient delegated authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links