Federated credentialing system and method

US 8,689,287 B2
Filed: 08/17/2006
Issued: 04/01/2014
Est. Priority Date: 08/17/2006
Status: Active Grant

First Claim

Patent Images

1. A federated credentialing system in which a plurality of credential issuers interact with a plurality of relying parties to provide system users with access to protected resources within the system, the system being executed on a computer including a memory and a processor, the system comprising:

a relying party federated domain server including means for identifying users and authenticating user access credentials using the processor;

a credential issuer domain server including means for verifying user identities and access credentials using the processor, wherein the access credentials comprise a single homeland security presidential directive 12(HSPD-12) compliant smart card that includes a signature panel to obtain an actual signature from a user, and wherein the single HSPD-12 compliant smart card are operative to provide user access to both logical and physical protected resources of the relying party; and

a federated trust broker in communication with the relying party and credential issuer federated domain servers, wherein the trust broker receives authorization requests from the relying party, routes the received requests to the credential issuer and receives in return authorization responses from the credential issuer and routes the responses to the relying party, and wherein the relying party grants users access to the physical and the logical protected resources based on information contained in the responses.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A federated credentialing system, and a correspond method, includes credential issuers that interact with relying parties to provide system users with access to protected resources within the system. The system includes a relying party federated domain server including devices for identifying users and authenticating user access credentials and a credential issuer domain server including devices for verifying user identities and access credentials. The access credentials may be single smart cards. The single smart cards are operative to provide user access to both logical and physical protected resources of the relying party. The system also includes a federated trust broker in communication in communication with the relying party and credential issuer federated domain servers. The trust broker receives authorization requests from the relying party, routes the received requests to the credential issuer and receives in return authorization responses from the credential issuer and routes the responses to the relying party. The relying party grants users access to the physical and the logical protected resources based on information contained in the responses.

79 Citations

View as Search Results

34 Claims

1. A federated credentialing system in which a plurality of credential issuers interact with a plurality of relying parties to provide system users with access to protected resources within the system, the system being executed on a computer including a memory and a processor, the system comprising:
- a relying party federated domain server including means for identifying users and authenticating user access credentials using the processor;
  
  a credential issuer domain server including means for verifying user identities and access credentials using the processor, wherein the access credentials comprise a single homeland security presidential directive 12(HSPD-12) compliant smart card that includes a signature panel to obtain an actual signature from a user, and wherein the single HSPD-12 compliant smart card are operative to provide user access to both logical and physical protected resources of the relying party; and
  
  a federated trust broker in communication with the relying party and credential issuer federated domain servers, wherein the trust broker receives authorization requests from the relying party, routes the received requests to the credential issuer and receives in return authorization responses from the credential issuer and routes the responses to the relying party, and wherein the relying party grants users access to the physical and the logical protected resources based on information contained in the responses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The federated credentialing system of claim 1, wherein the single HSPD-12 compliant smart card comprises a virtual smart card that replicates information stored on a contact smart card or a contactless smart card, the information being stored in a memory on the credential issuer domain server.
  - 3. The federated credentialing system of claim 1, wherein the single HSPD-12 compliant smart card comprises an enhanced bar code, the enhanced barcode comprising a background bar code, and a graphic superimposed over the background barcode.
  - 4. The federated credentialing system of claim 3, wherein the enhanced bar code includes reference marks to account for possible misalignment of the enhanced bar code during an encoding process.
  - 5. The federated credentialing system of claim 3, wherein the graphic comprises a user signature based on a digital bit map.
  - 6. The federated credentialing system of claim 1, wherein the trust broker comprises means for translating user identification and access credential information into formats recognized by the federated domain servers.
  - 7. The federated credentialing system of claim 1, wherein the trust broker provides an indirect trust relationship between a relying party and a credential issuer, and wherein the relying party accepts the credential issuer'"'"'s assertion of user identification and access credential authentication.
  - 8. The federated credentialing system of claim 7, further comprising a credential issuer trust proxy and a relying party trust proxy, wherein the trust proxies are operative to transmit trusted authorization request and response messages thereby establishing a direct trust relationship between the relying party and the credential issuer.
  - 9. The federated credentialing system of claim 8, wherein the trust proxies are operative to translate an assertion received from the credential issuer into a format that is understood by the relying party.
  - 10. The federated credentialing system of claim 1, wherein the single HSPD-12 compliant smart card further comprises:
    - biometric data operative to verify and identification of a user; and
      
      a Card Holder Unique Identifier (CHUID), wherein the CHUID is tied to the biometric data such that the CHLTID uniquely identifies the user.
  - 11. The federated credentialing system of claim 1, wherein the single HSPD-12 compliant smart card further comprises digital signature data operative to authenticate the single HSPD-12 compliant smart card.
  - 12. The federated credentialing system of claim 1, further comprising means to read data from the single HSPD-12 compliant smart card, and wherein the single HSPD-12 compliant smart card is activated upon entry of a user PIN.
  - 13. The federated credentialing system of claim 1, further comprising a set of operating rules, wherein the relying parties and the credential issuers agree to conform to the operating rules, the operating rules governing use of the single HSPD-12 compliant smart card for authorizing access to the physical and logical protected resources.
  - 14. The federated credentialing system of claim 13, wherein the operating rules specify procedure for user identification and access credential authentication.
  - 15. The federated credentialing system of claim 13, wherein the operating rules govern enrollment of users into the federated credentialing system.
  - 16. The federated credentialing system of claim 1, wherein the users are subject to periodic review and revalidation.
  - 17. The federated credentialing system of claim 1, wherein the federated trust broker provides virtual access to the protected resources of the relying party using an authentication client.
  - 18. The federated credentialing system of claim 1, wherein the federated trust broker maintains a set of control tables to share and update member organization names, characteristics, and a list of acceptable authentication devices and tokens.
  - 19. The federated credentialing system of claim 1, wherein the users can remotely access a logical protected resource of the reply party.
  - 20. The federated credentialing system of claim 1, further comprising a federation for identity and cross-credentialing systems (FiXs) network that routes the authentication requests from the relying parties to the credential issuers, and transmits the corresponding responses.

21. A method for granting access to protected logical and physical resources in a federated credentialing network comprising a plurality of relying parties and a plurality of credential issuers, the method being executed on a computer including a memory and a processor, the method comprising:
- at a relying party;
  
  receiving a request from a user to access a protected resource, the user providing a user access credential including digital data related to the user, wherein the user access credential is a single HSPD-12 compliant smart card that includes a signature panel to obtain an actual signature from a user, the single HSPD-12 compliant smart card operative to provide access to both the logical and the physical protected resources;
  
  identifying a credential issuer responsible for the user using the processor;
  
  formulating an authorization request using the processor; and
  
  sending the authorization request to a trust broker operating on the federated credentialing network;
  
  at the trust broker;
  
  translating the authorization request into a format required by the credential issuer; and
  
  sending the translated authorization request to the identified credential issuer; and
  
  at the credential issuer;
  
  providing information, according to agreed-upon operating rules, sufficient to verify an identity of the user and to authenticate the user access credential; and
  
  sending the information to the relying party through the trust broker in an authorization response, wherein the relying party grants access to the protected resource based on comparing information in the authorization response to information provided from the access credential.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21, further comprising reading the single HSPD-12 compliant smart card at the relying party, the single HSPD-12 compliant smart card providing user biometric information and a user digital signature.
  - 23. The method of claim 22, wherein reading the single HSPD-12 compliant smart card comprises receiving a user PIN, wherein the single HSPD-12 compliant smart card is activated to supply digital data contained on the single HSPD-12 compliant smart card.
  - 24. The method of claim 21, wherein the HSPD-12 compliant smart card comprises one of a contact smart card, a contactless smart card, and a virtual smart card.
  - 25. The method of claim 21, wherein the single HSPD-12 compliant smart card comprises an enhanced bar code, the enhanced barcode comprising a background bar code, and a graphic superimposed over the background barcode.
  - 26. The method of claim 25, wherein the graphic comprises a user signature based on a digital bit map.
  - 27. The method of claim 21, further comprising providing a set of operating rules, wherein the relying parties and the credential issuers agree to conform to the operating rules, the operating rules governing use of the single HSPD-12 compliant smart card for authorizing access to the physical and logical protected resources.
  - 28. The method of claim 21, wherein the operating rules specify procedure for user identification and access credential authentication.
  - 29. The method of claim 21, wherein the operating rules govern enrollment of users into the federated credentialing system.
  - 30. The method of claim 21, wherein the federated credentialing network is a federation for identity and cross-credentialing systems (FiXs) network that routes the authentication request from the relying party to the credential issuer, and transmits the authentication response.

31. A method for granting access to protected resources in a federated network of unrelated enterprises, the method being executed on a computer including a memory and a processor, the method comprising:
- establishing a set of operating rules using the processor, wherein each enterprise agrees to conform to the operating rules;
  
  establishing a trust relationship among the enterprises using the processor, the trust relationship allowing the enterprises to communicate protected resource access authorization requests and corresponding responses according to the operating rules, wherein information supplied in the responses can be trusted for granting access to the protected resources; and
  
  presenting an access request to an enterprise, the access request specifying a logical or a physical protected resource, the access request presented in conjunction with presentation of a single HSPD-12 compliant smart card that conforms to the operating rules and that operates to allow access to both the physical and the logical protected resources, wherein the single HSPD-12 compliant smart card includes a signature panel to obtain an actual signature from a user.
- View Dependent Claims (32, 33, 34)
- - 32. The method of claim 31, further comprising, in response to the access request:
    - scanning digital data contained in the single HSPD-12 compliant smart card;
      
      comparing the scanned data to corresponding data provided with an authorization response; and
      
      basing an access grant on the comparison.
  - 33. The method of claim 32, wherein the comparing step compares one or more of biometric information, digital signature, and visual information.
  - 34. The method of claim 31, wherein the federated network is a federation for identity and cross-credentialing systems (FiXs) network that routes the protected resource access authorization requests from the enterprises to a credential issuer, and transmits the corresponding responses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Inventors
Bohmer, Iana Livia, Radzikowski, John Stephen
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US11/505,333
Publication Number

US 20080046984A1
Time in Patent Office

2,784 Days
Field of Search

235/491, 235/462.1, 707/2, 707/10, 709/225, 726/1, 726/5, 726/8, 726/10, 726/2
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 9/3234   involving additional secure...

Federated credentialing system and method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Federated credentialing system and method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links