Authentication delegation based on re-verification of cryptographic evidence
Abstract
The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.
27 Citations
20 Claims
1. A method of authentication delegation between a client/user accessing a service provider through a gateway, the method comprising the steps of:
performing a Transport Layer Security (TLS) handshake with client authentication between the client/user and the gateway, said TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;
recording at least a sufficient portion of messages of the TLS handshake to indicate that the client/user is authenticated to the gateway, wherein said at least the sufficient portion includes messages specified in the protocol and all messages specified in the protocol up to and including a certificate verify message, wherein said at least the sufficient portion of the messages of the TLS handshake are exchanged between the client/user and the gateway; and
providing the recording of all messages up to and including the certificate verify message, from the gateway to the service provider, wherein all messages provided are digitally signed, wherein access to the service provider is based on the at least the sufficient portion of the messages of the TLS handshake that are exchanged between the client/user and the gateway.
Dependent claims: 2-11.

12. A system, comprising:
at least one processor and at least one memory; the at least one memory including instructions that when executed on the at least one processor perform actions including:
performing a Transport Layer Security (TLS) handshake with client authentication, the TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;
recording at least a sufficient portion of messages of the TLS handshake to indicate authentication to a gateway, wherein the at least sufficient portion of messages includes messages specified in the protocol up to and including a certificate verify message, wherein the at least sufficient portion of the messages of the TLS handshake are exchanged between a user and the gateway; and
providing the recording of the at least sufficient portion of messages to a service provider, wherein all messages provided are digitally signed, wherein access to the service provider is based on the at least sufficient portion of the messages.
Dependent claims: 13-15.

16. A machine-readable storage medium, not comprising a signal per se, storing herein at least one computer program that when executed performs actions comprising:
performing a Transport Layer Security (TLS) handshake with client authentication, the TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;
recording at least a sufficient portion of messages of the TLS handshake to indicate authentication to a gateway, wherein the at least sufficient portion of messages includes messages specified in the protocol up to and including a certificate verify message, wherein the at least sufficient portion of the messages of the TLS handshake are exchanged between a user and the gateway; and
providing the recording of the at least sufficient portion of messages to a service provider, wherein all messages provided are digitally signed, wherein access to the service provider is based on the at least sufficient portion of the messages.
Dependent claims: 17-20.