Propagation of authentication data in an intermediary service component

US 8,302,160 B2
Filed: 10/17/2006
Issued: 10/30/2012
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an intermediary service component, a message from a sender computing system, the message comprising;

an assertion including first authentication data, an attester signature of the message, and an attester certificate, the attester signature being a digital signature of a first attester; and

second authentication data;

creating, by the intermediary service component, a first digest based at least on an identifier of the message, the first authentication data, and a system secret;

after the creating of the first digest, processing, by the intermediary service component, the message;

after the processing the message, creating, by the intermediary service component, a new digest based at least on the identifier of the message, the first authentication data, and the system secret;

determining, by the intermediary service component, whether the first digest conforms to the new digest;

if it is determined that the first digest conforms to the new digest, creating, by the intermediary service component, a second assertion including the first authentication data, a second attester signature of the processed message and a second attester certificate, the second attester signature being a digital signature of a second attester different than the first attester;

transmitting, by the intermediary service component, the second assertion and the processed message to a receiver computing system;

prior to the processing the message, performing an authentication action based on the second authentication data, determining whether the attester'"'"'s signature is valid, and determining whether the attester certificate is trusted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may include a sender computing system, an intermediary service component, and a receiver computing system. The sender computing system may transmit a message and authentication data, and the intermediary service component may receive the message and the authentication data from the sender computing system, process the message, and transmit the authentication data and the processed message. The receiver computing system may receive the authentication data and the processed message.

37 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, by an intermediary service component, a message from a sender computing system, the message comprising;
  
  an assertion including first authentication data, an attester signature of the message, and an attester certificate, the attester signature being a digital signature of a first attester; and
  
  second authentication data;
  
  creating, by the intermediary service component, a first digest based at least on an identifier of the message, the first authentication data, and a system secret;
  
  after the creating of the first digest, processing, by the intermediary service component, the message;
  
  after the processing the message, creating, by the intermediary service component, a new digest based at least on the identifier of the message, the first authentication data, and the system secret;
  
  determining, by the intermediary service component, whether the first digest conforms to the new digest;
  
  if it is determined that the first digest conforms to the new digest, creating, by the intermediary service component, a second assertion including the first authentication data, a second attester signature of the processed message and a second attester certificate, the second attester signature being a digital signature of a second attester different than the first attester;
  
  transmitting, by the intermediary service component, the second assertion and the processed message to a receiver computing system;
  
  prior to the processing the message, performing an authentication action based on the second authentication data, determining whether the attester'"'"'s signature is valid, and determining whether the attester certificate is trusted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, further comprising:
    - performing an authentication action based on the second authentication data;
      
      determining whether the attester signature is valid; and
      
      determining whether the attester certificate is trusted.
  - 3. A method according to claim 2, wherein the creating, by the intermediary service component, a first data element associating an identifier of the message, the first authentication data, and a system secret comprises:
    - after the performing the authentication action based on the second authentication data, creating, by the intermediary service component, a first data element associating an identifier of the message, the first authentication data, and a system secret.
  - 4. A method according to claim 3, wherein the creating, by the intermediary service component, a first data element associating an identifier of the message, the first authentication data, and a system secret comprises:
    - after the determining whether the attester signature is valid, creating, by the intermediary service component, a first data element associating an identifier of the message, the first authentication data, and a system secret.
  - 5. A method according to claim 4, wherein the creating, by the intermediary service component, a first data element associating an identifier of the message, the first authentication data, and a system secret comprises:
    - after the determining whether the attester certificate is trusted, creating, by the intermediary service component, a first data element associating an identifier of the message, the first authentication data, and a system secret.
  - 6. A method according to claim 5, wherein the transmitting, by the intermediary service component, the second assertion and the processed message to a receiver computing system comprises:
    - transmitting, by the intermediary service component, the second assertion and the processed message to a receiver computing system configured to perform an authentication action based on the first authentication data included in the second assertion created by the intermediary service component.
  - 7. A method according to claim 3, wherein the transmitting, by the intermediary service component, the second assertion and the processed message to a receiver computing system comprises:
    - transmitting, by the intermediary service component, the second assertion and the processed message to a receiver computing system configured to perform an authentication action based on the first authentication data included in the second assertion created by the intermediary service component.
  - 8. A method according to claim 1, wherein the first digest can be used to unambiguously prove a linkage between the first authentication data and the received message.
  - 9. A method according to claim 1, wherein the determining, by the intermediary service component, whether the first digest conforms to the new digest comprises determining, by the intermediary component, whether the first digest matches the new digest.

10. A non-transitory medium storing processor-executable program code, the program code comprising:
- code to receive, by an intermediary service component, a message from a sender computing system, the message comprising;
  
  an assertion including first authentication data, an attester signature of the message, and an attester certificate, the attester signature being a digital signature of a first attester; and
  
  second authentication data;
  
  code to create, by the intermediary service component, a first digest based at least on an identifier of the message, the first authentication data, and a system secret;
  
  code to process the message after the creation of the first digest;
  
  code to, after the processing of the message, create, by the intermediary service component, a new digest based at least on the identifier of the message, the first authentication data, and the system secret;
  
  code to determine whether the first digest conforms to the new digest;
  
  code to create, if it is determined that the first digest conforms to the new digest, a second assertion including the first authentication data, a second attester signature of the processed message and a second attester certificate, the second attester signature being a digital signature of a second attester different than the first attester;
  
  code to transmit the second assertion and the processed message to a receiver computing system; and
  
  code to, prior to the processing of the message, perform an authentication action based on the second authentication data, determine whether the attester signature is valid and determine whether the attester certificate is trusted.
- View Dependent Claims (11, 12, 13)
- - 11. A non-transitory medium according to claim 10, wherein the first digest can be used to unambiguously prove a linkage between the first authentication data and the received message.
  - 12. A non-transitory medium according to claim 10, the program code further comprising:
    - code to perform, prior to processing of the message, an authentication action based on the second authentication data;
      
      code to determine, prior to processing the message, whether the attester signature is valid; and
      
      code to determine, prior to processing the message, whether the attester certificate is trusted.
  - 13. A non-transitory medium according to claim 10, Claim wherein the code to determine whether the first digest conforms to the new digest comprises code to determine whether the first digest matches the new digest.

14. A system comprising:
- a sender computing system to transmit a message, the sender computing system including a memory to store program code, the message comprising;
  
  an assertion including first authentication data, an attester signature of the message, and an attester certificate, the attester signature being a digital signature of a first attester; and
  
  second authentication data;
  
  an intermediary service component including a processor to execute program code, the intermediary service component to receive the message from the sender computing system and further to;
  
  create a first digest based at least on an identifier of the message, the first authentication data, and a system secret;
  
  process the message after the creation of the first digest;
  
  after the processing of the message, create a new digest based at least on the identifier of the message, the first authentication data, and the system secret;
  
  determine whether the first digest conforms to the new digest;
  
  create, if it is determined that the first digest conforms to the new digest, a second assertion including the first authentication data, a second attester signature of the processed message and a second attester certificate, the second attester signature being a digital signature of a second attester different than the first attester;
  
  transmit the second assertion and the processed message; and
  
  prior to processing of the message, perform an authentication action based on the second authentication data, determine whether the attester signature is valid and determine whether the attester certificate is trusted; and
  
  a receiver computing system to receive the second assertion and the processed message.
- View Dependent Claims (15, 16, 17)
- - 15. A system according to claim 14, the intermediary service component further to:
    - perform an authentication action based on the second authentication data;
      
      determine whether the attester signature is valid; and
      
      determine whether the attester certificate is trusted.
  - 16. A system according to claim 14, wherein the first digest can be used to unambiguously prove a linkage between the first authentication data and the received message.
  - 17. A system according to claim 14, wherein the intermediary component to determine whether the first digest conforms to the new digest comprises an intermediary element to determine whether the first digest matches the new digest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Hofmann, Christoph H., De Boer, Martijn
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SIMS, JING F

Application Number

US11/582,066
Publication Number

US 20080091949A1
Time in Patent Office

2,205 Days
Field of Search

713155-159, 713168-174, 713182-186, 713/202, 709/225, 709/229, 726/8, 726 2- 5, 726/10, 726 26- 27
US Class Current

726/3
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Propagation of authentication data in an intermediary service component

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Propagation of authentication data in an intermediary service component

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others