Method and system for preventing impersonation of a computer system user

US 8,443,426 B2
Filed: 06/11/2008
Issued: 05/14/2013
Est. Priority Date: 06/11/2007
Status: Active Grant

First Claim

Patent Images

1. A method of changing a user password on a target system, the method comprising:

receiving a first request from a user at an access control system to change a user password of the user for a target system to a new password;

storing at the access control system the new password;

changing, by the access control system, the user password on the target system to the new password;

receiving, at the access control system, a second request from the target system to grant access to a sensitive resource at the target system to the user, the second request responsive to a prior request received at the target system from the user for access to the sensitive resource, the prior request including an input user password and wherein the second request includes information associated with the input user password;

comparing, by the access control system, the information associated with the input user password and the stored new password; and

responsive to a determination by the access control system that the information associated with the input user password is not consistent with the stored new password, denying access to the sensitive resource to the user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for preventing an administrator impersonating a user from accessing sensitive resources on a target system is provided. The method comprises receiving a first request from a user to change the user'"'"'s password on a target system to be changed, sending a “change password” request for the user to the target system, storing the user'"'"'s new password, receiving a second request from the target system on behalf of the user for access to a sensitive resource, wherein the second request contains information about the user'"'"'s password, and denying the second request if the information about the user'"'"'s password is not consistent with the user'"'"'s stored new password.

Citations

18 Claims

1. A method of changing a user password on a target system, the method comprising:
- receiving a first request from a user at an access control system to change a user password of the user for a target system to a new password;
  
  storing at the access control system the new password;
  
  changing, by the access control system, the user password on the target system to the new password;
  
  receiving, at the access control system, a second request from the target system to grant access to a sensitive resource at the target system to the user, the second request responsive to a prior request received at the target system from the user for access to the sensitive resource, the prior request including an input user password and wherein the second request includes information associated with the input user password;
  
  comparing, by the access control system, the information associated with the input user password and the stored new password; and
  
  responsive to a determination by the access control system that the information associated with the input user password is not consistent with the stored new password, denying access to the sensitive resource to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - authenticating, by the access control system, the identity of the user prior to changing the user password on the target system.
  - 3. The method of claim 2, wherein authenticating the identity of the user comprises:
    - receiving, from the user at the access control system, a second user password for the access control system; and
      
      determining whether the user is authorized to change the user password at the target system based on the received second user password.
  - 4. The method of claim 1, wherein the information associated with the input user password comprises the input user password in plain text.
  - 5. The method of claim 1, wherein information associated with the input user password comprises the input user password in encrypted text.
  - 6. The method of claim 1, wherein information associated with the input user password comprises a hash value of the input user password.
  - 7. The method of claim 1, wherein the sensitive resource is encrypted data.
  - 8. The method of claim 1, wherein the target system is a database.
  - 9. The method of claim 1, wherein the target system is a file system.
  - 10. The method of claim 1, wherein the target system is an application.
  - 11. The method of claim 1, wherein the target system is a network.
  - 12. The method of claim 1, wherein the target system is a data at rest system.
  - 13. The method of claim 1, further comprising:
    - responsive to a determination by the access control system that the information associated with the input user password is consistent with the stored new password, granting access to the sensitive resource to the user.
  - 14. The method of claim 13, wherein the sensitive resource at the target system comprises data stored at the target system, and further comprising:
    - encrypting, by the access control system, the data stored at the target system.
  - 15. The method of claim 14, wherein granting access to the sensitive resource comprises transmitting an encryption key to the target system.
  - 16. The method of claim 14, wherein granting access to the sensitive resource comprises decrypting, by the access control system, the encrypted data.

17. A non-transitory computer-readable medium whose contents cause a computer to perform a method of changing a user password on a target system by the steps of:
- receiving a first request from a user at an access control system to change a user password of the user for a target system to a new password;
  
  storing at the access control system the new password;
  
  changing, by the access control system, the user password on the target system to the new password;
  
  receiving, at the access control system, a second request from the target system to grant access to a sensitive resource at the target system to the user, the second request responsive to a prior request received at the target system from the user for access to the sensitive resource, the prior request including an input user password and wherein the second request includes information associated with the input user password;
  
  comparing, by the access control system, the information associated with the input user password and stored new password; and
  
  responsive to a determination by the access control system that the information associated with the input user password is not consistent with the stored new password, denying access to the sensitive resource to the user.

18. A system for changing a user password on a target system, the system comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  receiving a first request from a user to change a user password of the user on a target system server to a new password;
  
  storing the new password;
  
  receiving a second request from the target system server to grant access to a sensitive resource at the target system to the user, the second request responsive to a prior request received at the target system from the user for the sensitive resource, the prior request including an input user password and wherein the second request includes information associated with the input user password;
  
  comparing the information associated with the input user password and stored new password; and
  
  responsive to a determination that the information associated with the input user password is not consistent with the stored new password, denying access to the sensitive resource to the user; and
  
  a processor for executing the computer program instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity US Holding LLC
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/451,847
Publication Number

US 20100192208A1
Time in Patent Office

1,798 Days
Field of Search

726/6
US Class Current

726/6
CPC Class Codes

G06F 16/217   Database tuning G06F16/2282...

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

Method and system for preventing impersonation of a computer system user

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for preventing impersonation of a computer system user

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links