Controlling exposure of sensitive data and operation using process bound security tokens in cloud computing environment
First Claim
1. A computer program product for controlling exposure of sensitive data and using process-bound security tokens comprising:
- a tangible, computer-readable memory storage device; and
one or more program codes stored by the tangible, computer-readable memory storage device, for causing a processor to;
send in response to a user logging into an owning process to a targeted server computer a digitally signed owning process token containing an identity and a password of the user and an identity of the owning process, the owning process being executed by a first server computer which is separate from the targeted server, and the user being previously unauthenticated to the owning process;
receive a digitally signed user token from the targeted server computer subsequent to authentication of the user by the targeted server computer;
store the user token by the owning process for future use;
block forwarding of the user token to the user;
issue a single sign on token by the owning process;
send the single-sign-on token to the user from the owning process; and
protect the user token from exposure to the user by forwarding subsequent access requests by the user to the targeted server computer with the stored user token substituted in place of the single-sign-on token.
1 Assignment
0 Petitions
Accused Products
Abstract
Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request. A receiving server accepts a request if (1) the token-owning process endorses the request by signing the request; (2) the token is valid (token is signed by its issuer and the digital signature is verified and unexpired); (3) user entity, which can be a real user or a deployment or a server process, that is represented by the token has the authorization to access the specified resources; and (4) the token-owning process is authorized to endorse the user entity represented by the token to access the specified resources.
35 Citations
2 Claims
-
1. A computer program product for controlling exposure of sensitive data and using process-bound security tokens comprising:
-
a tangible, computer-readable memory storage device; and one or more program codes stored by the tangible, computer-readable memory storage device, for causing a processor to; send in response to a user logging into an owning process to a targeted server computer a digitally signed owning process token containing an identity and a password of the user and an identity of the owning process, the owning process being executed by a first server computer which is separate from the targeted server, and the user being previously unauthenticated to the owning process; receive a digitally signed user token from the targeted server computer subsequent to authentication of the user by the targeted server computer; store the user token by the owning process for future use; block forwarding of the user token to the user; issue a single sign on token by the owning process; send the single-sign-on token to the user from the owning process; and protect the user token from exposure to the user by forwarding subsequent access requests by the user to the targeted server computer with the stored user token substituted in place of the single-sign-on token. - View Dependent Claims (2)
-
Specification
-
- Resources
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsChang, John Y-C., Chao, Ching-Yun, Chiu, Bertrand Be-Chung, Park, Ki Hong
-
Primary Examiner(s)TURCHEN, JAMES R
-
Application NumberUS13/745,942Publication NumberTime in Patent Office981 DaysField of Search713/176US Class Current1/1CPC Class CodesH04L 63/08 for authentication of entit...H04L 63/0815 providing single-sign-on or...H04L 63/0823 using certificates cryptogr...H04L 65/61 for supporting one-way stre...H04L 67/01 ProtocolsH04L 9/3213 using tickets or tokens, e....H04L 9/3247 involving digital signatures
