HTTP authentication and authorization management

US 8,806,201 B2
Filed: 07/24/2008
Issued: 08/12/2014
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

receiving at a processing node a current public epoch key of a current epoch key pair, wherein one attribute of the current public epoch key is a current key epoch ID that identifies the current epoch of the current public epoch key;

receiving at the processing node authorized user data associated with a request for content from an external system from a user, the external system is external from the user and the processing node, the authorized user data comprises authentication data and authorization data from the user, wherein the authentication data relates to validation the user'"'"'s identity, and wherein the authorization data relates to eligibility of the user to complete an action;

decrypting at the processing node the authorized user data using the public epoch key;

determining if the decryption of the authorized user data was successful;

if the decryption of the authorized user data was successful, identifying at the processing node a user epoch ID from the decrypted authorized user data;

comparing at the processing node the user epoch ID to the current key epoch ID of the current public epoch key;

determining at the processing node whether the user epoch ID is a valid epoch ID to determine validity of the authentication data and authorization data;

if the user epoch ID is a valid epoch ID, processing the decrypted user data and the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include an epoch processor that is used to validate authentication and authorization data that is valid only for an epoch. The epoch processor can maintain a public key that can be used to decrypt the authentication and authorization data during the epoch that the key is valid. The epoch processor can receive a new public key during each epoch. The epoch processor can also determine if the authentication or authorization data was fraudulently generated based on the contents of the data, and verifying whether the data is valid for the epoch in which it was decrypted.

40 Citations

View as Search Results

20 Claims

1. A computer implemented method, comprising:
- receiving at a processing node a current public epoch key of a current epoch key pair, wherein one attribute of the current public epoch key is a current key epoch ID that identifies the current epoch of the current public epoch key;
  
  receiving at the processing node authorized user data associated with a request for content from an external system from a user, the external system is external from the user and the processing node, the authorized user data comprises authentication data and authorization data from the user, wherein the authentication data relates to validation the user'"'"'s identity, and wherein the authorization data relates to eligibility of the user to complete an action;
  
  decrypting at the processing node the authorized user data using the public epoch key;
  
  determining if the decryption of the authorized user data was successful;
  
  if the decryption of the authorized user data was successful, identifying at the processing node a user epoch ID from the decrypted authorized user data;
  
  comparing at the processing node the user epoch ID to the current key epoch ID of the current public epoch key;
  
  determining at the processing node whether the user epoch ID is a valid epoch ID to determine validity of the authentication data and authorization data;
  
  if the user epoch ID is a valid epoch ID, processing the decrypted user data and the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the authorized user data is based on authentication data.
  - 3. The method of claim 1, wherein an epoch is a period of time.
  - 4. The method of claim 1, wherein the epoch public key is used to decrypt data encrypted using the epoch private key.
  - 5. The method of claim 1, wherein the request is an http request.
  - 6. The method of claim 1, wherein the authorized user data is in the form of an http cookie.
  - 7. The method of claim 1, further comprising:
    - if the decryption of the authorized user data is not successful, requesting user authorization from a client browser.
  - 8. The method of claim 1, further comprising:
    - if the user epoch ID is not a valid epoch ID, requesting user authorization from the client browser.
  - 9. The method of claim 1, wherein processing the decrypted user data and the request comprises:
    - determining at the processing node if the request is authorized based on the user data;
      
      if the request is authorized, allowing the request.
  - 10. The method of claim 1, wherein determining at a processing node whether the user epoch ID is a valid epoch ID comprises determining at the processing node if the user epoch ID is the current epoch ID.
  - 11. The method of claim 1, wherein determining at a processing node whether the user epoch ID is a valid epoch ID comprises determining at the processing node if the user epoch ID is determined to be in a range of valid epoch IDs.
  - 12. The method of claim 10, wherein the range of valid epoch IDs comprises the current epoch ID, and an epoch ID of an epoch prior to the current epoch.
  - 13. The method of claim 1, wherein processing the decrypted user data and the request comprises:
    - determining whether user epoch ID is the current epoch ID;
      
      If the user epoch ID is not the current epoch ID, requesting current authorized user data associated with the current epoch ID;
      
      providing the current authorized user data to the client browser.
  - 14. The method of claim 1, wherein identifying at the processing node a user epoch ID from the decrypted authorized user data comprises:
    - identifying from the decrypted authorized user data a predetermined allocation of the authorized user data to user credentials; and
      
      identifying the user credentials from the decrypted authorized user data.
  - 15. The method of claim 14, further comprising:
    - Identifying a user epoch ID from the portion of the decrypted authorized user data not allocated to the user credentials.

16. A system comprising software stored in a non-transitory computer readable medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
- receiving a current public epoch key of a current epoch key pair, wherein one attribute of the current public epoch key is a current key epoch ID that identifies the current epoch of the current public epoch key;
  
  receiving, from a user, a request for content from an external system relative to the data processing system and authorized user data associated with the request, the authorized user data comprises authentication data and authorization data from the user, wherein the authentication data relates to validation the user'"'"'s identity, and wherein the authorization data relates to eligibility of the user to complete an action;
  
  decrypting the authorized user data using the public epoch key;
  
  identifying a user epoch ID from the decrypted authorized user data;
  
  determining if the user epoch ID is a valid epoch ID to determine validity of the authentication data and authorization data; and
  
  if the user epoch ID is a valid epoch ID, processing the decrypted user data and the request.
- View Dependent Claims (17, 18, 19)
- - 17. The software of claim 16, wherein a valid epoch ID is the current epoch ID.
  - 18. The software of claim 16, wherein a valid epoch ID is an epoch ID that is within an acceptable range of the current epoch ID.
  - 19. The software of claim 16, further comprising instructions executable by the data processing system and upon such execution cause the data processing system to perform operations comprising:
    - determining whether user epoch ID is the current epoch ID;
      
      If the user epoch ID is not the current epoch ID, and if the user epoch ID is a valid epoch ID, requesting current authorized user data associated with the current epoch ID;
      
      providing the current authorized user data to the client browser.

20. A system, comprising:
- one or more authority nodes;
  
  one or more processing nodes communicatively coupled to a network and to the one or more authority nodes;
  
  wherein the one or more processing nodes are configured to;
  
  receive, from the one or more authority nodes, a current public epoch key of a current epoch key pair, wherein one attribute of the current public epoch key is a current key epoch ID that identifies the current epoch of the current public epoch key;
  
  receive, from a user over the network, a request for content from an external system relative to the authority nodes and the processing nodes and authorized user data associated with the request, the authorized user data comprises authentication data and authorization data from the user, wherein the authentication data relates to validation the user'"'"'s identity, and wherein the authorization data relates to eligibility of the user to complete an action;
  
  decrypt the authorized user data using the public epoch key;
  
  identify a user epoch ID from the decrypted authorized user data;
  
  determine if the user epoch ID is a valid epoch ID to determine validity of the authentication data and authorization data; and
  
  if the user epoch ID is a valid epoch ID, process the decrypted user data and the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Kailash, Kailash, Nanjundaswamy, Shashidhara Mysore, Mullick, Amarnath, Raphel, Jose
Primary Examiner(s)
SCOTT, RANDY A

Application Number

US12/179,377
Publication Number

US 20100023762A1
Time in Patent Office

2,210 Days
Field of Search

380/45
US Class Current

713/168
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2463/121   Timestamp cryptographic mec...

H04L 61/4523   using lightweight directory...

H04L 63/0442   wherein the sending and rec...

H04L 63/068   using time-dependent keys, ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 67/02   based on web technology, e....

H04L 9/3234   involving additional secure...

H04L 9/3297   involving time stamps, e.g....

HTTP authentication and authorization management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP authentication and authorization management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links