HTTP authentication and authorization management
Abstract
Systems, methods and apparatus for a distributed security system that provides authentication and authorization management. The system can include an epoch manager that generates authentication and authorization data that remain valid only for an epoch. The epoch manager can generate an epoch key pair used to encrypt and decrypt the authentication and authorization data during the epoch for which the key is valid. The epoch manager can also associate the contents of the data with the epoch in which it was created, so that, on decryption, the epoch in which the data was generated can be identified.
Claims (20; independent claims 1 and 16 shown)
1. A computer implemented method in a distributed security system, comprising:
receiving authenticated user data at an authority node responsive to an unauthenticated request to a processing node, the authority node and the processing node are part of the distributed security system;
defining a plurality of epochs, each epoch identified by an epoch ID;
modifying the authenticated user data with a current epoch ID for a current epoch to generate associated authenticated user data as a combination of the authenticated user data and the current epoch ID;
obtaining a current epoch key pair for the current epoch, the current epoch key pair comprising a current public epoch key and a current private epoch key, wherein one attribute of the current public epoch key is the current epoch ID;
encrypting the associated authenticated user data with the current private epoch key to generate authentication data, wherein data encrypted by the current private epoch key can only be decrypted by the public epoch key for a same epoch as the current private epoch key;
providing the current public epoch key to an external security service, wherein providing the current public epoch key comprises providing the current public epoch key to the processing node, wherein the processing node receives requests from one or more client browsers and the processing node is separate from the authority node with the processing node and the authority node forming a distributed security system external from a user associated with the authenticated user data and external from a domain being requested by the user; and
providing the authentication data to the external security service.
Dependent claims: 2 to 15.
16. Software stored in a non-transitory computer readable medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
receiving authenticated user data responsive to an unauthenticated request to a processing node, an authority node and the processing node are part of a distributed security system;
identifying a current epoch;
identifying a current epoch ID associated with the current epoch;
modifying the authenticated user data with a current epoch ID to generate associated authenticated user data as a combination of the authenticated user data and the current epoch ID;
obtaining a current epoch key pair for the current epoch, the current epoch key pair comprising a current public epoch key and a current private epoch key, wherein one attribute of the current public epoch key is the current epoch ID;
encrypting the associated authenticated user data with the current private epoch key to generate authentication data, wherein data encrypted by the current private epoch key can only be decrypted by the public epoch key for a same epoch as the current private epoch key; and
providing the current public epoch key and the authentication data to an external security service, wherein the providing the authentication data to the external security service comprises providing the authentication data to a processing node separate from the authority node with the processing node and the authority node forming a distributed security system external from a user associated with the authenticated user data and external from a domain being requested by the user.
Dependent claims: 17 to 20.
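The mechanism claims 1 and 16 describe, as an added example (this is not the patent's or any assignee's implementation): an authority node generates a key pair per epoch, combines the authenticated user data with the current epoch ID, and signs the result with that epoch's private key; a processing node holds only public epoch keys indexed by epoch ID and accepts a token only if it verifies under the key for the epoch named inside the token. Ed25519 signing and verification stand in for the claims' "encrypting with the current private epoch key" and "decrypting with the public epoch key", which in current terminology is a signature scheme: it gives authenticity and epoch binding, not confidentiality, since anyone holding the public epoch key can read the user data. The token layout, the epoch ID strings, the JSON field names, the sample user and the install/retire handling of epoch keys are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AssociatedUserData: the authenticated user data combined with the issuing epoch's ID (field names assumed).
type AssociatedUserData struct {
	User    string   `json:"user"`
	Groups  []string `json:"groups"`
	EpochID string   `json:"epoch_id"`
}

// EpochKey is one epoch's key pair (authority node side); the epoch ID is an attribute of the public key.
type EpochKey struct {
	EpochID string
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewEpochKey generates a fresh Ed25519 key pair for one epoch.
func NewEpochKey(epochID string) (*EpochKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &EpochKey{EpochID: epochID, Public: pub, private: priv}, nil
}

// Issue binds the user data to the epoch and signs it with the epoch's private key.
// Token layout (assumed): base64url(payload JSON) "." base64url(signature).
func (k *EpochKey) Issue(user string, groups []string) (string, error) {
	payload, err := json.Marshal(AssociatedUserData{User: user, Groups: groups, EpochID: k.EpochID})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(k.private, payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// ProcessingNode holds only public epoch keys, indexed by epoch ID: it can verify tokens but never mint them.
type ProcessingNode struct {
	keys map[string]ed25519.PublicKey
}

func NewProcessingNode() *ProcessingNode { return &ProcessingNode{keys: map[string]ed25519.PublicKey{}} }

// Install starts accepting an epoch's tokens; Retire stops once the epoch (plus any grace period) has ended.
func (p *ProcessingNode) Install(epochID string, pub ed25519.PublicKey) { p.keys[epochID] = pub }
func (p *ProcessingNode) Retire(epochID string)                          { delete(p.keys, epochID) }

var ErrMalformed = errors.New("malformed token")
var ErrUnknownEpoch = errors.New("epoch not accepted by this processing node")
var ErrBadSignature = errors.New("signature does not verify under the epoch's public key")

// Verify selects the public key by the epoch ID carried in the payload, so data signed under another
// epoch's private key (or a payload relabelled with a different epoch ID) fails to verify.
func (p *ProcessingNode) Verify(token string) (*AssociatedUserData, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrMalformed
	}
	var data AssociatedUserData
	if err := json.Unmarshal(payload, &data); err != nil {
		return nil, ErrMalformed
	}
	pub, ok := p.keys[data.EpochID]
	if !ok {
		return nil, ErrUnknownEpoch
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	return &data, nil
}

func main() {
	key, err := NewEpochKey("2024-06-01T12") // epoch ID format is an assumption
	if err != nil {
		panic(err)
	}
	pn := NewProcessingNode()
	pn.Install(key.EpochID, key.Public)
	tok, _ := key.Issue("alice@example.com", []string{"eng"}) // constructed sample user
	fmt.Println(pn.Verify(tok)) // accepted while the epoch is current
	pn.Retire(key.EpochID)
	fmt.Println(pn.Verify(tok)) // rejected once the epoch is retired
}
```

Two checks matter in Verify: the key is chosen by the epoch ID inside the signed payload, so a token can never be verified against a key from a different epoch, and a token whose epoch the processing node no longer holds a key for is rejected outright, which is what makes the authentication data "valid only for an epoch" without the processing node ever seeing a private key.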