Distributed authentication using persistent stateless credentials
First Claim
1. A method, implemented at least in part by a server environment, for distributed authentication using persistent stateless credentials, the method comprising:
obtaining, by the server environment, a principal identifier, wherein the principal identifier uniquely identifies a user;
generating, by the server environment, an expiration time;
obtaining, by the server environment, a secret key identifier, wherein the secret key identifier identifies a secret key that is associated with the user;
generating, by the server environment, an initialization vector;
encrypting, by the server environment, the principal identifier and the expiration time using the initialization vector and the secret key identified by the secret key identifier, to produce a ciphertext;
creating, by the server environment, a credential, wherein the credential comprises:
the ciphertext;
the initialization vector; and
the secret key identifier; and
providing, by the server environment, the credential to a client device for persistence at the client device, wherein the credential is a persistent stateless credential that is not associated with a particular server.
Abstract
Techniques and tools are described for performing distributed authentication using persistent stateless credentials. Distributed authentication can be performed during egress by obtaining a principal identifier, generating an expiration time, obtaining a secret key identifier that identifies a secret key, generating an initialization vector, encrypting the principal identifier and the expiration time to produce a ciphertext, creating a credential, and providing the credential for persistence at a client device. The credential comprises the ciphertext, the initialization vector, and the secret key identifier. Distributed authentication can be performed during ingress by obtaining a credential, extracting a ciphertext, an initialization vector, and a secret key identifier from the credential, obtaining the secret key identified by the secret key identifier, decrypting the ciphertext to produce a principal identifier and an expiration time, and authenticating the credential using, at least in part, the principal identifier and the expiration time.
24 Claims
1. As set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method, implemented at least in part by a server environment, for distributed authentication using persistent stateless credentials, the method comprising:
obtaining, by the server environment, a credential, wherein the credential is associated with a user of a client device, wherein the credential is a persistent stateless credential that is not associated with a particular server;
extracting, by the server environment, from the credential:
a ciphertext;
an initialization vector; and
a secret key identifier;
obtaining, by the server environment, a secret key identified by the secret key identifier;
decrypting, by the server environment, the ciphertext using the initialization vector and the secret key, to produce a principal identifier and an expiration time, wherein the principal identifier uniquely identifies the user associated with the credential; and
authenticating the credential using, at least in part, the principal identifier and the expiration time.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A server environment, the server environment comprising:
a plurality of server systems comprising processing units and memory, the plurality of server systems configured to perform operations for distributed authentication using persistent stateless credentials, comprising:
obtaining a principal identifier, wherein the principal identifier uniquely identifies a user;
generating an expiration time;
obtaining a secret key identifier, wherein the secret key identifier identifies a secret key that is associated with the user;
generating an initialization vector;
producing a ciphertext by encrypting the principal identifier and the expiration time using the initialization vector and the secret key identified by the secret key identifier;
creating a full text composition, wherein the full text composition comprises:
the ciphertext;
the initialization vector; and
the secret key identifier;
producing a credential by encoding the full text composition; and
providing the credential to a client device for persistence at the client device, wherein the credential is a persistent stateless credential that is not associated with a particular server.
Dependent claims: 20, 21, 22, 23.
24. A computer-readable storage medium storing computer-executable instructions for causing one or more computing devices to perform a method for distributed authentication using persistent stateless credentials, the method comprising:
obtaining a credential, wherein the credential is associated with a user of a client device, wherein the credential is a persistent stateless credential that is not associated with a particular server;
extracting from the credential:
a ciphertext;
an initialization vector; and
a secret key identifier;
obtaining a secret key identified by the secret key identifier;
decrypting the ciphertext using the initialization vector and the secret key, to produce a principal identifier and an expiration time, wherein the principal identifier uniquely identifies the user associated with the credential;
authenticating the credential using, at least in part, the principal identifier and the expiration time;
performing application processing;
generating a new expiration time;
generating a new initialization vector;
encrypting the principal identifier and the new expiration time using the new initialization vector and the secret key identified by the secret key identifier, to produce a new ciphertext;
creating a new credential, wherein the new credential comprises:
the new ciphertext;
the new initialization vector; and
the secret key identifier; and
providing the new credential to the client device for persistence at the client device, wherein the new credential is a persistent stateless credential that is not associated with a particular server.
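The egress and ingress steps of the abstract and claims above, as an added Go example that is not code from the patent: AES-GCM is assumed as the cipher (the claims name no mode; its tag means a modified ciphertext, IV or key id is rejected before the expiration time is even read), and the key store, key id, key value and principal are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)
// Secret keys every server in the environment can reach, keyed by secret key identifier (value constructed).
var keyStore = map[string][]byte{"kid-1": []byte("0123456789abcdef0123456789abcdef")}
// Credential is exactly what the claims list: ciphertext, IV and key id; nothing tied to one server.
type Credential struct {
	Ciphertext, IV []byte
	KeyID          string
}
// aeadFor: AES-GCM under the identified key; an unknown kid gives a nil key, which aes.NewCipher rejects.
func aeadFor(kid string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyStore[kid])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Issue (egress): fresh IV, encrypt expiry||principal under the named key; kid bound as associated data.
func Issue(principal, kid string, ttl time.Duration, now time.Time) (Credential, error) {
	aead, err := aeadFor(kid)
	if err != nil {
		return Credential{}, err
	}
	iv := make([]byte, aead.NonceSize())
	rand.Read(iv) // crypto/rand never returns an error (Go 1.24+); one fresh IV per credential
	plain := append(binary.BigEndian.AppendUint64(nil, uint64(now.Add(ttl).Unix())), principal...)
	return Credential{aead.Seal(nil, iv, plain, []byte(kid)), iv, kid}, nil
}
// Verify (ingress): decrypt under the identified key (the tag rejects tampering), then check expiry.
func Verify(c Credential, now time.Time) (string, error) {
	aead, err := aeadFor(c.KeyID)
	if err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, c.IV, c.Ciphertext, []byte(c.KeyID))
	if err != nil || len(plain) < 8 {
		return "", errors.New("credential forged, modified or malformed")
	}
	if exp := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0); !now.Before(exp) {
		return "", errors.New("credential expired")
	}
	return string(plain[8:]), nil
}
```

Claim 24's re-issuance after application processing is Verify followed by Issue with the same key id, which yields a new expiration time and a fresh IV while no server keeps any per-credential state.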