Authentication delegation based on re-verification of cryptographic evidence

US 9,055,107 B2
Filed: 12/01/2006
Issued: 06/09/2015
Est. Priority Date: 12/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method of authentication delegation between a client/user accessing a service provider through a gateway, the method comprising the steps of:

performing a Transport Layer Security (TLS) handshake with client authentication between the client/user and the gateway, said TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;

recording at least a sufficient portion of messages of the TLS handshake to indicate that the client/user is authenticated to the gateway, wherein said at least the sufficient portion includes messages specified in the protocol and all messages specified in the protocol up to and including a certificate verify message, wherein said at least the sufficient portion of the messages of the TLS handshake are exchanged between the client/user and the gateway; and

providing the recording of all messages up to and including the certificate verify message, from the gateway to the service provider, wherein all messages provided are digitally signed,wherein access to the service provider is based on the at least the sufficient portion of the messages of the TLS handshake that are exchanged between the client/user and the gateway.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.

27 Citations

View as Search Results

20 Claims

1. A method of authentication delegation between a client/user accessing a service provider through a gateway, the method comprising the steps of:
- performing a Transport Layer Security (TLS) handshake with client authentication between the client/user and the gateway, said TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;
  
  recording at least a sufficient portion of messages of the TLS handshake to indicate that the client/user is authenticated to the gateway, wherein said at least the sufficient portion includes messages specified in the protocol and all messages specified in the protocol up to and including a certificate verify message, wherein said at least the sufficient portion of the messages of the TLS handshake are exchanged between the client/user and the gateway; and
  
  providing the recording of all messages up to and including the certificate verify message, from the gateway to the service provider, wherein all messages provided are digitally signed,wherein access to the service provider is based on the at least the sufficient portion of the messages of the TLS handshake that are exchanged between the client/user and the gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the service provider is not involved in the authentication between the client/user and the gateway.
  - 3. The method of claim 1, wherein said providing step provides the recording directly from the gateway to the service provider.
  - 4. The method of claim 1, further comprising the step of embedding timestamp data in messages in the TLS handshake.
  - 5. The method of claim 4, wherein the client/user embeds the timestamp data.
  - 6. The method of claim 4, wherein the gateway embeds the timestamp data.
  - 7. The method of claim 1, further comprising the step of embedding a nonce provided by the service provider in a message from the gateway to the client/user as part of the TLS handshake.
  - 8. The method of claim 1, wherein the service provider maintains a memory of all received recordings and confirms that a same recording is not used more than once.
  - 9. The method of claim 1, wherein the step of performing the TLS handshake further comprises:
    - performing a first handshake without client authentication; and
      
      upon successful completion of said performing a first handshake, performing a second handshake with client authentication.
  - 10. The method of claim 9, wherein said second handshake between the client/user and gateway is encrypted by a session key derived from said first handshake.
  - 11. The method of claim 10, wherein the recording provided to the service provider is unencrypted.

12. A system, comprising:
- at least one processor and at least one memory;
  
  the at least one memory including instructions that when executed on the at least one processor perform actions including;
  
  performing a Transport Layer Security (TLS) handshake with client authentication, the TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;
  
  recording at least a sufficient portion of messages of the TLS handshake to indicate authentication to a gateway, wherein the at least sufficient portion of messages includes messages specified in the protocol up to and including a certificate verify message, wherein the at least sufficient portion of the messages of the TLS handshake are exchanged between a user and the gateway; and
  
  providing the recording of the at least sufficient portion of messages to a service provider, wherein all messages provided are digitally signed,wherein access to the service provider is based on the at least sufficient portion of the messages.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein performing a TLS handshake further comprises:
    - performing a first handshake without client authentication; and
      
      upon successful completion of said performing a first handshake, performing a second handshake with client authentication.
  - 14. The system of claim 13, wherein the second handshake is encrypted by a session key derived from said second handshake.
  - 15. The system of claim 12, wherein timestamp data is embedded in at least one of the messages of the TLS handshake and the wherein access to the service provider is based on the timestamp data and the at least sufficient portion of the messages.

16. A machine-readable storage medium, not comprising a signal per se, storing herein at least one computer program that when executed performs actions comprising:
- performing a Transport Layer Security (TLS) handshake with client authentication, the TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages;
  
  recording at least a sufficient portion of messages of the TLS handshake to indicate authentication to a gateway, wherein the at least sufficient portion of messages includes messages specified in the protocol up to and including a certificate verify message, wherein the at least sufficient portion of the messages of the TLS handshake are exchanged between a user and the gateway; and
  
  providing the recording of the at least sufficient portion of messages to a service provider, wherein all messages provided are digitally signed,wherein access to the service provider is based on the at least sufficient portion of the messages.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The machine-readable storage medium of claim 16, wherein the service provider re-verifies the validity of the TLS handshake in order to provide access.
  - 18. The machine-readable storage medium of claim 16, wherein performing a TLS handshake further comprises:
    - performing a first handshake without client authentication; and
      
      upon successful completion of said performing a first handshake, performing a second handshake with client authentication.
  - 19. The machine-readable storage medium of claim 18, wherein the second handshake is encrypted by a session key derived from said second handshake.
  - 20. The machine-readable storage medium of claim 16, wherein timestamp data is embedded in at least one of the messages of the TLS handshake and the wherein access to the service provider is based on the timestamp data and the at least sufficient portion of the messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Medvinsky, Gennady, Nice, Nir, Shiran, Tomer, Teplitsky, Alexander, Leach, Paul, Neystadt, John
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US11/607,720
Publication Number

US 20080134311A1
Time in Patent Office

3,112 Days
Field of Search

380/259, 380/260, 380/262, 380/272, 380/277, 380/278, 380/279, 380/286, 713/150, 713/151, 713/153, 713/155, 713/156, 713/157, 713/158, 713/159, 713/168, 713/170, 713/171, 713/175, 713/176, 713/178, 713/180, 726/2, 726/3, 726/4, 726/5, 726/6, 726/7, 726/8, 726/10, 726/11, 726/12, 726/14, 726/26, 726/27, 726/28, 726/29, 726/30
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2115   Third party

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/50   using hash chains, e.g. blo...

Authentication delegation based on re-verification of cryptographic evidence

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication delegation based on re-verification of cryptographic evidence

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links