Distributed authentication using persistent stateless credentials

US 9,118,645 B2
Filed: 12/19/2012
Issued: 08/25/2015
Est. Priority Date: 12/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at least in part by a server environment, for distributed authentication using persistent stateless credentials, the method comprising:

obtaining, by the server environment, a principal identifier, wherein the principal identifier uniquely identifies a user;

generating, by the server environment, an expiration time;

obtaining, by the server environment, a secret key identifier, wherein the secret key identifier identifies a secret key that is associated with the user;

generating, by the server environment, an initialization vector;

encrypting, by the server environment, the principal identifier and the expiration time using the initialization vector and the secret key identified by the secret key identifier, to produce a ciphertext;

creating, by the server environment, a credential, wherein the credential comprises;

the ciphertext;

the initialization vector; and

the secret key identifier; and

providing, by the server environment, the credential to a client device for persistence at the client device, wherein the credential is a persistent stateless credential that is not associated with a particular server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and tools are described for performing distributed authentication using persistent stateless credentials. Distributed authentication can be performed during egress by obtaining a principal identifier, generating an expiration time, obtaining a secret key identifier that identifies a secret key, generating an initialization vector, encrypting the principal identifier and the expiration time to produce a ciphertext, creating a credential, and providing the credential for persistence at a client device. The credential comprises the ciphertext, the initialization vector, the secret key identifier. Distributed authentication can be performed during ingress by obtaining a credential, extracting a ciphertext, an initialization vector, and a secret key identifier from the credential, obtaining a secret key identified by the secret key identifier, decrypting the ciphertext to produce a principal identifier and an expiration time and authenticating the credential using, at least in part, the principal identifier and the expiration time.

7 Citations

View as Search Results

24 Claims

1. A method, implemented at least in part by a server environment, for distributed authentication using persistent stateless credentials, the method comprising:
- obtaining, by the server environment, a principal identifier, wherein the principal identifier uniquely identifies a user;
  
  generating, by the server environment, an expiration time;
  
  obtaining, by the server environment, a secret key identifier, wherein the secret key identifier identifies a secret key that is associated with the user;
  
  generating, by the server environment, an initialization vector;
  
  encrypting, by the server environment, the principal identifier and the expiration time using the initialization vector and the secret key identified by the secret key identifier, to produce a ciphertext;
  
  creating, by the server environment, a credential, wherein the credential comprises;
  
  the ciphertext;
  
  the initialization vector; and
  
  the secret key identifier; and
  
  providing, by the server environment, the credential to a client device for persistence at the client device, wherein the credential is a persistent stateless credential that is not associated with a particular server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - obtaining the secret key, wherein the secret key is obtained from shared secret key storage, and wherein the shared secret key storage is used for distributed authentication by a plurality of computing devices of the server environment.
  - 3. The method of claim 1, wherein encrypting the principal identifier and the expiration time comprises:
    - generating a plaintext composition comprising the principal identifier and the expiration time; and
      
      encrypting the plaintext composition using the initialization vector and the secret key identified by the secret key identifier.
  - 4. The method of claim 1, wherein creating the credential comprises:
    - generating a full text composition comprising the ciphertext, the initialization vector, and the secret key identifier; and
      
      encoding the full text composition to produce the credential.
  - 5. The method of claim 4, wherein the full text composition is encoded in a textual format for transmission to the client device over a network connection.
  - 6. The method of claim 1, wherein the secret key is associated with a secret key expiration value that indicates when the secret key will expire.
  - 7. The method of claim 1, wherein the principal identifier and the expiration time are encrypted using authenticated encryption.
  - 8. The method of claim 1, wherein the secret key is only persisted at the server environment, and wherein the credential is only persisted at the client device.
  - 9. The method of claim 1, wherein, for each of plurality of authenticated requests from the client device to the server environment, a new initialization vector is generated for the authenticated request.

10. A method, implemented at least in part by a server environment, for distributed authentication using persistent stateless credentials, the method comprising:
- obtaining, by the server environment, a credential, wherein the credential is associated with a user of a client device, wherein the credential is a persistent stateless credential that is not associated with a particular server;
  
  extracting, by the server environment, from the credential;
  
  a ciphertext;
  
  an initialization vector; and
  
  a secret key identifier;
  
  obtaining, by the server environment, a secret key identified by the secret key identifier;
  
  decrypting, by the server environment, the ciphertext using the initialization vector and the secret key, to produce a principal identifier and an expiration time, wherein the principal identifier uniquely identifies the user associated with the credential; and
  
  authenticating the credential using, at least in part, the principal identifier and the expiration time.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising:
    - decoding the credential prior to the extracting, wherein the credential is decoded from a textual format.
  - 12. The method of claim 10, wherein the expiration time indicates a time when the credential will expire.
  - 13. The method of claim 10, wherein authenticating the credential comprises:
    - determining whether the expiration time of the credential has past.
  - 14. The method of claim 10, wherein authenticating the credential comprises:
    - determining that the expiration time of the credential has past; and
      
      in response to the determining, directing the user to log in to the server environment.
  - 15. The method of claim 10, wherein authenticating the credential comprises:
    - determining that the expiration time of the credential has not past;
      
      in response to the determining, granting authenticated access to the user.
  - 16. The method of claim 10, further comprising:
    - upon egress;
      
      determining whether to create a new credential for persistence at the client device, wherein the determining is based at least in part upon an authentication refresh delay.
  - 17. The method of claim 10, further comprising:
    - upon egress;
      
      determining whether the credential is older than an authentication refresh delay;
      
      when the credential is older than the authentication refresh delay;
      
      generating a new credential with an updated expiration time; and
      
      providing, by the server environment, the new credential to the client device for persistence at the client device; and
      
      when then credential is not older than the authentication refresh delay;
      
      skipping the generating the new credential and the providing the new credential, wherein the obtained credential remains persisted at the client device.
  - 18. The method of claim 17, wherein the generating the new credential comprises:
    - generating, by the server environment, the updated expiration time;
      
      generating, by the server environment, a new initialization vector;
      
      encrypting, by the server environment, the principal identifier and the updated expiration time using the new initialization vector and the secret key, to produce a new ciphertext; and
      
      creating, by the server environment, the new credential, wherein the credential comprises;
      
      the new ciphertext;
      
      the new initialization vector; and
      
      the secret key identifier.

19. A server environment, the server environment comprising:
- a plurality of server systems comprising processing units and memory, the plurality of server systems configured to perform operations for distributed authentication using persistent stateless credentials, comprising;
  
  obtaining a principal identifier, wherein the principal identifier uniquely identifies a user;
  
  generating an expiration time;
  
  obtaining a secret key identifier, wherein the secret key identifier identifies a secret key that is associated with the user;
  
  generating an initialization vector;
  
  producing a ciphertext by encrypting the principal identifier and the expiration time using the initialization vector and the secret key identified by the secret key identifier;
  
  creating a full text composition, wherein the full text composition comprises;
  
  the ciphertext;
  
  the initialization vector; and
  
  the secret key identifier;
  
  producing a credential by encoding the full text composition; and
  
  providing the credential to a client device for persistence at the client device, wherein the credential is a persistent stateless credential that is not associated with a particular server.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The server environment of claim 19, wherein the server environment comprises shared secret key storage that is used for distributed authentication by the plurality of server systems, and wherein the secret key is obtained from the shared secret key storage.
  - 21. The server environment of claim 19, wherein the secret key is associated with a secret key expiration value that indicates when the secret key will expire.
  - 22. The server environment of claim 19, wherein the principal identifier and the expiration time are encrypted using authenticated encryption.
  - 23. The server environment of claim 19, wherein the secret key is only persisted at the server environment, and wherein the credential is only persisted at the client device.

24. A computer-readable storage medium storing computer-executable instructions for causing one or more computing devices to perform a method for distributed authentication using persistent stateless credentials, the method comprising:
- obtaining a credential, wherein the credential is associated with a user of a client device, wherein the credential is a persistent stateless credential that is not associated with a particular server;
  
  extracting from the credential;
  
  a ciphertext;
  
  an initialization vector; and
  
  a secret key identifier;
  
  obtaining a secret key identified by the secret key identifier;
  
  decrypting the ciphertext using the initialization vector and the secret key, to produce a principal identifier and an expiration time, wherein the principal identifier uniquely identifies the user associated with the credential;
  
  authenticating the credential using, at least in part, the principal identifier and the expiration time;
  
  performing application processing;
  
  generating a new expiration time;
  
  generating a new initialization vector;
  
  encrypting the principal identifier and the new expiration time using the new initialization vector and the secret key identified by the secret key identifier, to produce a new ciphertext;
  
  creating a new credential, wherein the new credential comprises;
  
  the new ciphertext;
  
  the new initialization vector; and
  
  the secret key identifier; and
  
  providing the new credential to the client device for persistence at the client device, wherein the new credential is a persistent stateless credential that is not associated with a particular server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jive Software Incorporated (Wave Systems Corporation)
Original Assignee
Jive Software Incorporated (Wave Systems Corporation)
Inventors
Manning, Zack
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US13/720,422
Publication Number

US 20140173705A1
Time in Patent Office

979 Days
Field of Search

726/6
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/32   including means for verifyi...

Distributed authentication using persistent stateless credentials

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed authentication using persistent stateless credentials

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links