Secure dynamic authority delegation

US 8,776,204 B2
Filed: 03/12/2010
Issued: 07/08/2014
Est. Priority Date: 03/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

in a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, the resource owner detecting an occurrence of an event, wherein the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence; and

the resource owner sending an authorization token to the resource requestor in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;

wherein the authorization token comprises a verifiable structure comprising;

one or more fields, the one or more fields comprising at least one of;

a method to be used by the resource residence for authenticating the resource requestor; and

a strength of the method to be used by the resource residence for authenticating the resource requestor; and

a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, the resource owner detects an occurrence of an event, wherein the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence. The resource owner sends an authorization token to the resource requestor in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence.

Citations

31 Claims

1. A method, comprising:
- in a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, the resource owner detecting an occurrence of an event, wherein the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence; and
  
  the resource owner sending an authorization token to the resource requestor in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;
  
  wherein the authorization token comprises a verifiable structure comprising;
  
  one or more fields, the one or more fields comprising at least one of;
  
  a method to be used by the resource residence for authenticating the resource requestor; and
  
  a strength of the method to be used by the resource residence for authenticating the resource requestor; and
  
  a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 29, 30, 31)
- - 2. The method of claim 1, wherein the event occurrence is receipt of a resource request by the resource owner from the resource requestor such that the resource requestor and the resource owner exchange a request and a response via a pull communication method.
  - 3. The method of claim 1, wherein the event occurrence is an occurrence of a triggering event associated with an application program rather than an explicit request from the resource requestor such that a communication method between the resource requestor and the resource owner is a push communication method.
  - 4. The method of claim 1, wherein the resource residence resides in a third computing device.
  - 5. The method of claim 1, wherein obtaining the authorization token and presentation of the authorization token to gain access to the one or more requested resources is bound to an existing application protocol.
  - 6. The method of claim 1, wherein the authorization token has a limited lifetime, the limited lifetime comprising a length of time and a maximum number of uses of the authorization token.
  - 7. The method of claim 1, wherein the authorization token specifies a method for authenticating the resource requestor or a level of assurance for authenticating the resource requestor.
  - 8. The method of claim 1, wherein the authorization token specifies one or more actions that are permitted to be performed in accordance with the one or more requested resources.
  - 9. The method of claim 1, wherein the resource requestor obtains the authorization token from the resource owner in one round trip.
  - 10. The method of claim 1, wherein the proof of authorization delegated by the resource owner is transferable from the resource requestor to at least another resource requestor without further communicating with the resource owner such that another authorization token is presentable by the at least another resource requestor to the resource residence so as to permit the at least another resource requestor to access the one or more requested resources stored in the resource residence.
  - 11. The method of claim 10, wherein the other authorization token obtained by the at least another resource requestor specifies an action permission scope that is a subset of an action permission scope specified in the authorization token obtained directly from the resource owner by the resource requestor.
  - 12. The method of claim 10, wherein the other authorization token obtained by the other resource requestor does not change a method for authenticating the resource requestor or a level of assurance for authenticating the resource requestor originally specified in the authorization token.
  - 13. The method of claim 10, wherein the other authorization token obtained by the at least another resource requestor comprises a signature of a previous resource requestor.
  - 14. The method of claim 10, wherein the other authorization token is a modified form of the authorization token originally received and wherein the previous resource requestor performs the modification prior to sending the modified form of the authorization token to the at least another resource requestor.
  - 15. The method of claim 1, further comprising the resource owner authenticating the resource requestor before sending the authorization token to the resource requestor.
  - 16. An article of manufacture comprising a non-transitory processor-readable storage medium storing one or more software programs which when executed by a processor associated with the resource owner perform at least the steps of the method of claim 1.
  - 29. The method of claim 1, wherein the one or more fields comprise the method to be used by the resource residence for authenticating the resource requestor and the strength of the method to be used by the resource residence of authentication the resource requestor.
  - 30. The method of claim 29, wherein the one or more fields further comprise:
    - a list of resource rights;
      
      an expiration time;
      
      a maximum number of uses; and
      
      a degree of transferability, the degree of transferability indicating a number of resource requestors to which the proof of authorization is permitted to be transferred.
  - 31. The method of claim 30, wherein the degree of transferability indicates a length of a series of resource requesters along which the proof of authorization is permitted to be transferred.

17. A method, comprising:
- in a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, and wherein the resource owner having detected an occurrence of an event and the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence; and
  
  the resource requestor receiving an authorization token sent by the resource owner in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;
  
  wherein the authorization token comprises a verifiable structure comprising;
  
  one or more fields, the one or more fields comprising at least one of;
  
  a method to be used by the resource residence for authenticating the resource requestor; and
  
  a strength of the method to be used by the resource residence for authenticating the resource requestor; and
  
  a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further comprising the resource residence authenticating the resource requestor prior to the resource requestor presenting the authorization token to the resource residence.
  - 19. The method of claim 17, further comprising the resource residence verifying the authorization token presented by the resource requestor prior to acting on the one or more requested resources.
  - 20. The method of claim 17, further comprising the resource residence authenticating the resource requestor after the resource requestor presents the authorization token to the resource residence.
  - 21. The method of claim 17, further comprising the resource requestor transferring the proof of authorization delegated by the resource owner to at least another resource requestor.
  - 22. The method of claim 21, wherein the transferring step further comprises the resource requestor sending another authorization token to the at least another resource requestor without further communicating with the resource owner such that the other authentication token is presentable by the at least another resource requestor to the resource residence so as to permit the at least another resource requestor to access the one or more requested resources stored in the resource residence.
  - 23. An article of manufacture comprising a non-transitory processor-readable storage medium storing one or more software programs which when executed by a processor associated with the resource requestor perform one or more steps of the method of claim 17.

24. A method, comprising:
- in a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, and wherein the resource owner having detected an occurrence of an event and the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence, and wherein the resource requestor having received an authorization token sent by the resource owner in response to the event occurrence; and
  
  the resource residence receiving the authorization token, the authorization token serving as a proof of authorization delegated by the resource owner for presentation by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;
  
  wherein the authorization token comprises a verifiable structure comprising;
  
  one or more fields, the one or more fields comprising at least one of;
  
  a method to be used by the resource residence for authenticating the resource requestor; and
  
  a strength of the method to be used by the resource residence for authenticating the resource requestor; and
  
  a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.
- View Dependent Claims (25)
- - 25. An article of manufacture comprising a non-transitory processor-readable storage medium storing one or more software programs which when executed by a processor associated with the resource residence perform one or more steps of the method of claim 24.

26. An apparatus, comprising:
- a computing device in a communication network representing a resource owner, wherein the communication network also includes a resource requestor and a resource residence, the computing device comprising a memory and a processor coupled to the memory and configured to;
  
  detect an occurrence of an event, wherein the event occurrence represents a request to access one or more resources of the resource owner stored in the resource residence; and
  
  send an authorization token to the resource requestor in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;
  
  wherein the authorization token comprises a verifiable structure comprising;
  
  one or more fields, the one or more fields comprising at least one of;
  
  a method to be used by the resource residence for authenticating the resource requestor; and
  
  a strength of the method to be used by the resource residence for authenticating the resource requestor; and
  
  a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.

27. An apparatus, comprising:
- a computing device in a communication network representing a resource requestor, wherein the communication network also includes a resource owner and a resource residence wherein the resource owner having detected an occurrence of an event and the event occurrence represents a request to access one or more resources of the resource owner stored in the resource residence, the computing device comprising a memory and a processor coupled to the memory and configured to receive an authorization token sent by the resource owner in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;
  
  wherein the authorization token comprises a verifiable structure comprising;
  
  one or more fields, the one or more fields comprising at least one of;
  
  a method to be used by the resource residence for authenticating the resource requestor; and
  
  a strength of the method to be used by the resource residence for authenticating the resource requestor; and
  
  a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.

28. An apparatus, comprising:
- a computing device in a communication network representing a resource residence, wherein the communication network also includes a resource owner and a resource requestor wherein the resource owner having detected an occurrence of an event and the event occurrence represents a request to access one or more resources of the resource owner stored in the resource residence, and wherein the resource requestor having received an authorization token sent by the resource owner in response to the event occurrence, the computing device comprising a memory and a processor coupled to the memory and configured to receive the authorization token, the authorization token serving as a proof of authorization delegated by the resource owner for presentation by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence;
  
  wherein the authorization token comprises a verifiable structure comprising;
  
  one or more fields, the one or more fields comprising at least one of a method to be used by the resource residence for authenticating the resource requestor; and
  
  a strength of the method to be used by the resource residence for authenticating the resource requestor; and
  
  a signature computed over the one or more fields, the signature being computed utilizing a private key of the resource owner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Faynberg, Igor, Lu, Hui-Lan
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US12/723,049
Publication Number

US 20110225643A1
Time in Patent Office

1,579 Days
Field of Search

713155-159, 713164-186, 726 1- 10, 726 26- 31, 726/21, 705 50- 59, 709217-229
US Class Current

726/10
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 2221/2103   Challenge-response

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

Secure dynamic authority delegation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Secure dynamic authority delegation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links