Selective authorization based on authentication input attributes

US 8,621,561 B2
Filed: 01/04/2008
Issued: 12/31/2013
Est. Priority Date: 01/04/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

issuing an authentication input according to an issuance policy, the issuance policy dictating one or more identification verification procedures that are performed prior to the issuing the authentication input;

receiving the authentication input provided by a client device at an authentication authority using an authentication protocol;

identifying a strength attribute of the authentication input that represents a permutational complexity or a cryptographic complexity of the authentication input;

identifying an amount of trust in the authentication input, the amount of trust corresponding to a strictness of administrative rules under which the authentication input was issued;

representing the strength attribute of the authentication input, the amount of trust in the authentication input, and an identifier of the issuance policy with one or more representations; and

returning a token to the client device that includes the one or more representations using the authentication protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol. The authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.

129 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- issuing an authentication input according to an issuance policy, the issuance policy dictating one or more identification verification procedures that are performed prior to the issuing the authentication input;
  
  receiving the authentication input provided by a client device at an authentication authority using an authentication protocol;
  
  identifying a strength attribute of the authentication input that represents a permutational complexity or a cryptographic complexity of the authentication input;
  
  identifying an amount of trust in the authentication input, the amount of trust corresponding to a strictness of administrative rules under which the authentication input was issued;
  
  representing the strength attribute of the authentication input, the amount of trust in the authentication input, and an identifier of the issuance policy with one or more representations; and
  
  returning a token to the client device that includes the one or more representations using the authentication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving an access request from the client device at a server, the access request including the token having the one or more representations;
      
      comparing the one or more representations against an authorization policy accessible to the server; and
      
      granting access to a resource if the one or more representations meet requirements of the authorization policy.
  - 3. The computer-implemented method of claim 1, wherein the authentication input is a password or an identity certificate.
  - 4. The computer-implemented method of claim 3, wherein the authentication authority includes a Kerberos Key Distribution Center (KDC) in a Windows-based network and the token includes a Kerberos ticket granting ticket (TGT), and wherein the one or more representations are contained in a Privilege Attribute Certificate (PAC) of the Kerberos TGT.
  - 5. The computer-implemented method of claim 1, wherein the representing includes assigning the one or more representations to the strength attribute based on a mapping table that correlates a plurality of attributes to a plurality of corresponding representations.
  - 6. The computer-implemented method of claim 2, further comprising notifying the client device of the access granted to the resource.
  - 7. The computer-implemented method of claim 2, wherein the authorization policy provides different access levels based on representations, and wherein the granting access to the resource includes granting a specific access level based on one or more attributes represented by the one or more representations.
  - 8. The computer-implemented method of claim 1, wherein the identifying further includes identifying a type attribute of the authentication input, and wherein the representing includes representing the strength attribute of the authentication input, the type attribute of the authentication input, and the amount of trust in the authentication input with the one or more representations.
  - 9. The computer-implemented method of claim 1, wherein the one or more representations include at least one representation that is one of an Object Identifier (OID), a Globally Unique Identifier (GUI D), a Security Identifier (SID), or a strong representation.
  - 10. The computer-implemented method of claim 8, wherein the type attribute is configured to identify the authentication input as being obtained by one of a face-to-face request, a local network request, or a remote network request.
  - 11. The computer-implemented method of claim 2, wherein the authorization policy is stored in one of a local location or a networked remote location.
  - 12. The computer-implemented method of claim 11, wherein the local location is an Active Directory.
  - 13. The computer-implemented method of claim 2, wherein the resource is one of an operating system, an application, or a service on a resource server.
  - 14. The computer-implemented method of claim 2, wherein the comparing the one or more representations includes using at least one of an application, an operating system, a resource manager, or an authorization system to compare the one or more representations against the authorization policy.
  - 15. The computer-implemented method of claim 2, wherein at least one of the representations and the authorization policy is formatted in one of Abstract Syntax Notation number One (ASN.1), Extensible Markup Language (XML), or eXtensible rights Markup Language (XrML).

16. A computer readable memory having computer-executable instructions that, when executed, perform acts comprising:
- issuing an authentication input according to an issuance policy, the issuance policy dictating one or more identification verification procedures that are performed prior to the issuing the authentication input;
  
  receiving the authentication input at an authentication authority using an authentication protocol, the authentication input being sent from a client device associated with a user;
  
  identifying at least one of a strength attribute or a type attribute of the authentication input;
  
  identifying an amount of trust in the authentication input, the amount of trust corresponding to a strictness of administrative rules under which the authentication input was issued;
  
  representing an identifier of the issuance policy, the strength attribute or the type attribute of the authentication input, and the amount of trust in the authentication input with one or more representations selected from a plurality of representations; and
  
  returning a token that includes the one or more representations to the client device using the authentication protocol.
- View Dependent Claims (17, 18, 19)
- - 17. The computer readable memory of claim 16, wherein the plurality of representations include at least one representation that is one of an Object Identifier (OID), a Globally Unique Identifier (GUID), a Security Identifier (SID), or a strong representation.
  - 18. The computer readable memory of claim 16, wherein the token is an authorization token, a service token, or a Security Assertion Markup Language (SAML) token.
  - 19. The computer readable memory of claim 16, wherein the authentication protocol is a NT LAN Manager (NTLM) protocol, a Kerberos protocol, a Web Services (WS)-security protocol, a Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security (TLS) protocol.

20. A system, the system comprising:
- one or more processors; and
  
  memory to store a plurality of computer-executable instructions for execution by the one or more processors, the computer-executable instructions comprising;
  
  receiving an authentication input provided by a client device at an authentication authority using an authentication protocol, the authentication input being inputted into the client device to identify a user that requests access to a resource;
  
  identifying a strength attribute of the authentication input that is different than a type attribute of the authentication input, the strength attribute representing a permutational complexity or a cryptographic complexity of the authentication input;
  
  comparing the strength attribute of the authentication input with a directory that includes a plurality of predefined representations, each representation providing a corresponding level of access to one or more resources;
  
  selecting a matching predefined representation from the plurality of predefined representations when the matching predefined representation matches the strength attribute of the authentication input that identifies the user that requests the access to the resource;
  
  selecting a default predefined representation from the plurality of predefined representations when no other predefined representation matches the strength attribute of the authentication input that identifies the user; and
  
  providing the matching predefined representation or the default predefined representation to the client device in a token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cross, David B., Novak, Mark F., Shekel, Oded Ye, Leach, Paul J., Luther, Andreas, Jones, Thomas C.
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US11/969,456
Publication Number

US 20090178129A1
Time in Patent Office

2,188 Days
Field of Search

726 1- 21, 726 26- 30, 713155-159, 713168-175, 713182-186, 705 64- 80, 709217-229
US Class Current

726/2
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

Selective authorization based on authentication input attributes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Selective authorization based on authentication input attributes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links