Protected resource access control utilizing credentials based on message authentication codes and hash chain values

US 8,984,602 B1
Filed: 06/28/2013
Issued: 03/17/2015
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving authentication information from a user;

generating a message authentication code based at least in part on the received authentication information;

associating intermediate values of a hash chain with respective ones of a plurality of access control intervals;

generating a credential for a particular one of the plurality of access control intervals based at least in part on the message authentication code and the intermediate value of the hash chain associated with the particular access control interval; and

providing the credential to a user in order to allow the user to access a protected resource in the particular access control interval;

wherein the receiving, generating, associating and providing are performed by at least one processing device of an information processing system.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device comprises a processor coupled to a memory and is configured to receive authentication information from a user, to generate a message authentication code based at least in part on the received authentication information, to generate a credential for a particular access control interval based at least in part on the message authentication code and an intermediate value of a hash chain, and to provide the credential to a user in order to allow the user to access a protected resource in the particular access control interval. The message authentication code may be generated over a message payload that includes a password provided by the user. The credential may comprise a combination of the message authentication code and the intermediate value of the hash chain.

342 Citations

28 Claims

1. A method comprising:
- receiving authentication information from a user;
  
  generating a message authentication code based at least in part on the received authentication information;
  
  associating intermediate values of a hash chain with respective ones of a plurality of access control intervals;
  
  generating a credential for a particular one of the plurality of access control intervals based at least in part on the message authentication code and the intermediate value of the hash chain associated with the particular access control interval; and
  
  providing the credential to a user in order to allow the user to access a protected resource in the particular access control interval;
  
  wherein the receiving, generating, associating and providing are performed by at least one processing device of an information processing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein the receiving, generating, associating and providing are performed by a central manager implemented on said at least one processing device.
  - 3. The method of claim 2 further comprising delegating from the central manager to another system entity an ability to generate credentials for one or more other ones of the plurality of access control intervals.
  - 4. The method of claim 1 wherein the authentication information comprises a password provided by the user and wherein access to the protected resource in the particular access control interval requires the user to provide that password and the credential to an access control module associated with the protected resource.
  - 5. The method of claim 1 wherein generating the message authentication code comprises generating the message authentication code using at least one key that is provisioned to the protected resource.
  - 6. The method of claim 5 wherein values of the key used to generate the message authentication code are unique to the protected resource and are periodically rotated.
  - 7. The method of claim 6 wherein the rotated key values comprise respective intermediate values of a hash chain.
  - 8. The method of claim 1 wherein generating the message authentication code comprises:
    - forming a message payload comprising at least a password provided by the user; and
      
      generating the message authentication code over the message payload.
  - 9. The method of claim 8 wherein the message payload further comprises one or more of:
    - at least one field providing an indication of a time period for which the credential is valid;
      
      a version indicator field;
      
      a user identifier field; and
      
      a role and activity field providing information for utilization by the protected resource to determine an appropriate level of access for the user.
  - 10. The method of claim 1 wherein generating the credential comprises:
    - generating the credential in a binary format; and
      
      encoding the credential into an encoded format having a reduced number of digits relative to the binary format;
      
      wherein the credential is provided to the user in at least one of the binary format and the encoded format.
  - 11. The method of claim 1 wherein the credential comprises a combination of the message authentication code and the intermediate value of the hash chain.
  - 12. The method of claim 1 further comprising:
    - providing a final value of the hash chain to an access control module associated with the protected resource; and
      
      storing an initial value of the hash chain in a secure manner.
  - 13. The method of claim 1 wherein a given one of the intermediate values of the hash chain is generated by:
    - applying a hash function to a previous value of the hash chain a designated number of times; and
      
      truncating a resulting value to a designated number of bits to obtain the given intermediate value.
  - 14. The method of claim 1 wherein the credential comprises one or more of:
    - a user identifier field; and
      
      a role and activity field providing information for utilization by the protected resource to determine an appropriate level of access for the user.
  - 15. The method of claim 1 wherein the credential comprises at least one field providing an indication of a time period for which the credential is valid.
  - 16. The method of claim 15 wherein said at least one field providing an indication of the time period for which the credential is valid comprises:
    - a start time field indicating a start time of the particular access control interval; and
      
      a duration field indicating a duration of the particular access control interval.
  - 17. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device cause the method of claim 1 to be performed.
  - 18. The method of claim 1 wherein one or more of the intermediate values of the hash chain associated with respective ones of the plurality of access control intervals comprise truncated values of the hash chain.

19. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  the processing device being configured to receive authentication information from a user, to generate a message authentication code based at least in part on the received authentication information, to associate intermediate values of a hash chain with respective ones of a plurality of access control intervals, to generate a credential for a particular one of the plurality of access control intervals based at least in part on the message authentication code and the intermediate value of the hash chain associated with the particular access control interval, and to provide the credential to a user in order to allow the user to access a protected resource in the particular access control interval.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19 wherein the protected resource comprises a storage array having an associated access control module implemented using said at least one processing device.

21. A method comprising:
- receiving a credential from a user attempting to access a protected resource in a particular one of a plurality of access control intervals;
  
  generating a message authentication code based at least in part on the credential;
  
  utilizing the generated message authentication code to identify an intermediate value of a hash chain in the credential; and
  
  if the identified intermediate value of the hash chain matches an expected intermediate value of the hash chain associated with the particular access control interval, granting the user access to the protected resource in the particular access control interval;
  
  wherein intermediate values of the hash chain are associated with respective ones of the plurality of access control intervals; and
  
  wherein the receiving, generating, utilizing and granting are performed by at least one processing device of an information processing system.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The method of claim 21 wherein if the identified intermediate value of the hash chain matches the expected intermediate value of the hash chain, the identified intermediate value is associated with a high water mark indicator.
  - 23. The method of claim 21 wherein if the identified intermediate value of the hash chain matches the expected intermediate value of the hash chain, a stored final value of the hash chain is updated to the identified intermediate value.
  - 24. The method of claim 21 wherein the receiving, generating, utilizing and granting are performed by an access control module implemented on said at least one processing device.
  - 25. The method of claim 21 further comprising:
    - storing information indicative of a latest access control interval for which a valid credential has been received from a user;
      
      comparing a current access control interval associated with a given received credential with the stored information indicative of the latest access control interval; and
      
      denying access to the protected resource if the current access control interval precedes in time the latest access control interval indicated by the stored information.
  - 26. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device cause the steps of the method of claim 21 to be performed.

27. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  the processing device being configured to receive a credential from a user attempting to access a protected resource in a particular one of a plurality of access control intervals, to generate a message authentication code based at least in part on the credential, to utilize the generated message authentication code to identify an intermediate value of a hash chain in the credential, and if the identified intermediate value of the hash chain matches an expected intermediate value of the hash chain associated with the particular access control interval, granting the user access to the protected resource in the particular access control interval, wherein intermediate values of the hash chain are associated with respective ones of the plurality of access control intervals.
- View Dependent Claims (28)
- - 28. The apparatus of claim 27 wherein the protected resource comprises a storage array having an associated access control module implemented using said at least one processing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Bailey, Daniel V., Duane, William M., Katz, Aaron
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US13/931,083
Time in Patent Office

627 Days
Field of Search

726/2, 726/4, 726/5, 726/6, 726/17, 726/18, 726/19, 726/21, 380/255, 370/254
US Class Current

726/6
CPC Class Codes

G06F 21/35   communicating wirelessly

H04L 63/00   Network architectures or ne...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0846   using time-dependent-passwo...

H04L 9/3228   One-time or temporary data,...

H04L 9/3242   involving keyed hash functi...

H04L 9/50   using hash chains, e.g. blo...

Protected resource access control utilizing credentials based on message authentication codes and hash chain values

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

342 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Protected resource access control utilizing credentials based on message authentication codes and hash chain values

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

342 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others