Security assertion revocation

US 8,095,969 B2
Filed: 09/08/2006
Issued: 01/10/2012
Est. Priority Date: 09/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method for creating a security token having independently-revocable assertions, the method comprising:

generating a first assertion with an associated first assertion identifier;

generating a second assertion with an associated second assertion identifier, wherein the second assertion is independently-revocable with respect to the first assertion;

combining, at a computing device, the first assertion and the second assertion into the security token and digitally signing the security token comprising multiple independently-revocable assertions;

ascertaining, at the computing device, whether a plurality of conditional revocation assertions are valid;

in response to ascertaining that one or more conditional revocation assertions are valid, including a corresponding assertion identifier from each of the one or more valid conditional revocation assertions in a set of revoked assertion identifiers;

rejecting the first assertion when the first assertion identifier matches a revoked assertion identifier in the set of revoked assertion identifier; and

applying the second assertion to an evaluation algorithm when the second assertion identifier does not match any revoked assertion identifier in the set of revoked assertion identifiers.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implementation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.

112 Citations

View as Search Results

13 Claims

1. A method for creating a security token having independently-revocable assertions, the method comprising:
- generating a first assertion with an associated first assertion identifier;
  
  generating a second assertion with an associated second assertion identifier, wherein the second assertion is independently-revocable with respect to the first assertion;
  
  combining, at a computing device, the first assertion and the second assertion into the security token and digitally signing the security token comprising multiple independently-revocable assertions;
  
  ascertaining, at the computing device, whether a plurality of conditional revocation assertions are valid;
  
  in response to ascertaining that one or more conditional revocation assertions are valid, including a corresponding assertion identifier from each of the one or more valid conditional revocation assertions in a set of revoked assertion identifiers;
  
  rejecting the first assertion when the first assertion identifier matches a revoked assertion identifier in the set of revoked assertion identifier; and
  
  applying the second assertion to an evaluation algorithm when the second assertion identifier does not match any revoked assertion identifier in the set of revoked assertion identifiers.
- View Dependent Claims (2, 3, 4)
- - 2. The method as recited in claim 1, wherein the generating a first assertion with an associated first assertion identifier comprises:
    - generating the first assertion with the associated first assertion identifier, wherein the first assertion identifier comprises a set of values.
  - 3. The method as recited in claim 1, wherein:
    - the generating a first assertion with an associated first assertion identifier comprises generating the first assertion with the associated first assertion identifier, wherein the first assertion identifier comprises a first value and a third value; and
      
      the generating a second assertion with an associated second assertion identifier comprises generating the second assertion with the associated second assertion identifier, wherein the second assertion identifier comprises a second value and the third value.
  - 4. The method as recited in claim 1, wherein the generating a first assertion with an associated first assertion identifier comprises:
    - generating the first assertion with the associated first assertion identifier, wherein the first assertion comprises a security assertion that is logically of the form;
      
      principal says ID fact if fact₁, . . . , fact_n, c₁, . . . , c_m, with the first assertion identifier represented by ID and any constraints represented by c₁, . . . , c_m, with “
      
      m”
      
      being an integer of zero or greater.

5. A computer-implemented method configured to execute instructions which, when executed by a computer processor, direct a computing device to perform acts for filtering revoked assertions, the method comprising:
- acquiring multiple assertions from a security token at the computing device, each respective assertion of the multiple assertions associated with a respective assertion identifier of multiple assertion identifiers;
  
  comparing the multiple assertion identifiers to a set of revoked assertion identifiers;
  
  determining, by the computing device, if at least one assertion identifier of the multiple assertion identifiers matches a revoked assertion identifier of the set of revoked assertion identifiers; and
  
  if at least one assertion identifier of the multiple assertion identifiers is determined to match a revoked assertion identifier of the set of revoked assertion identifiers, rejecting at least one assertion that is associated with the at least one assertion identifier that is determined to match the revoked assertion identifier; and
  
  processing a revocation assertion that includes a revoked assertion identifier, wherein the revocation assertion comprises a security assertion and is logically of the form;
  
  principal says fact,in which fact corresponds to;
  
  applying the plurality of assertions to the evaluation algorithm that evaluates the authorization query when no none of the at least one assertion identifier is determined to match any revoked assertion identifier of the set of revoked assertion identifiers.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The computer-implemented method as recited in claim 5, wherein the acquiring multiple assertions from a security token comprises at least one of:
    - accepting the multiple assertions of the security token as part of an assertion context;
      
      orextracting the multiple assertions from the security token;
      
      wherein the security token includes a digital signature covering at least the multiple assertions.
  - 7. The computer-implemented method as recited in claim 5, further comprising:
    - applying any assertions of the multiple assertions that remain after the rejecting action to an evaluation algorithm involving an authorization query.
  - 8. The computer-implemented method as recited in claim 5, further comprising:
    - ascertaining if one or more conditional revocation assertions are valid; and
      
      if one or more conditional revocation assertions are ascertained to be valid, including assertion identifiers from the one or more valid conditional revocation assertions in the set of revoked assertion identifiers for the comparing and the determining actions.
  - 9. The computer-implemented method as recited in claim 5, wherein the multiple assertion identifiers comprise a first assertion identifier having a particular value and a second assertion identifier having the particular value;
    - and wherein a particular revoked assertion identifier of the set of revoked assertion identifiers also has the particular value; and
      
      wherein;
      
      the determining comprises determining that the first assertion identifier and the second assertion identifier of the multiple assertion identifiers match the particular revoked assertion identifier of the set of revoked assertion identifiers; and
      
      the rejecting comprises rejecting a first assertion of the multiple assertions that is associated with the first assertion identifier and a second assertion of the multiple assertions that is associated with the second assertion identifier.
  - 10. The computer-implemented method as recited in claim 5, wherein the multiple assertion identifiers comprise a first assertion identifier having a first value and a second assertion identifier having a second value;
    - and wherein a particular revoked assertion identifier of the set of revoked assertion identifiers also has the first value; and
      
      wherein;
      
      the determining comprises determining that the first assertion identifier of the multiple assertion identifiers matches the particular revoked assertion identifier of the set of revoked assertion identifiers; and
      
      the rejecting comprises rejecting a first assertion of the multiple assertions that is associated with the first assertion identifier and not rejecting a second assertion of the multiple assertions that is associated with the second assertion identifier.

11. One or more computer-readable memory storing computer-executable instructions that, when executed by a processor, configures the processor to perform acts comprising:
- generating a plurality of assertions such that each assertion has an associated assertion identifier;
  
  comparing each assertion identifier to a set of revoked assertion identifiers;
  
  determining whether the each assertion identifier has a matching revoked assertion identifier from the set of revoked assertion identifiers;
  
  when at least one assertion identifier is determined to match a revoked assertion identifier of the set of revoked assertion identifiers, rejecting a corresponding assertion of each assertion identifier that is matched with a corresponding revoked assertion identifier, and applying one or more remaining assertions to an evaluation algorithm that evaluates an authorization query; and
  
  when no assertion identifier is determined to match any revoked assertion identifier of the set of revoked assertion identifiers, applying the plurality of assertions of the evaluation algorithm that evaluates the authorization query.
- View Dependent Claims (12, 13)
- - 12. The one or more computer memory as recited in claim 11, wherein an assertion identifier comprises a set of values.
  - 13. The one or more computer memory as recited in claim 11, wherein an assertion is a security assertion that is logically of the form:
    - principal says ID fact if fact₁, . . . , fact_n, c₁, . . . , c_m,with a corresponding assertion identifier represented by ID and any constraints represented by c₁, . . . , c_m, with “
      
      m”
      
      being an integer of zero or greater.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B., Becker, Moritz Y., Gordon, Andrew D., Fournet, Cedric, LaMacchia, Brian A.
Primary Examiner(s)
Cervetti, David García
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US11/530,443
Publication Number

US 20080066170A1
Time in Patent Office

1,950 Days
Field of Search

713/155, 713/158, 713/165, 713/167, 713/185, 726/1, 726/2, 726/3, 726/4, 726/5, 726/6, 726/7, 726/14, 709/219, 709/225, 709/226, 709/229
US Class Current

726/6
CPC Class Codes

H04L 63/10 for controlling access to d...

H04L 63/20 for managing network securi...

Security assertion revocation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Security assertion revocation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others