System and method for secure proxy-based authentication

US 9,860,249 B2
Filed: 06/24/2016
Issued: 01/02/2018
Est. Priority Date: 10/24/2012
Status: Active Grant

First Claim

Patent Images

1. A proxy system comprising:

at least one processor configured to;

receive from a client, via a native protocol, a first access request requesting access by the client to a target application;

determine target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application;

provide to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and

responsive to the proxy system being authenticated to the target application based on the target application access credentials, establish access for the client to the target application through the proxy system and via the native protocol, wherein the access is consistent with the policy and is established based on the target application access credentials, and the client is not exposed to the target application access credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breech from exposing target access credentials.

Citations

25 Claims

1. A proxy system comprising:
- at least one processor configured to;
  
  receive from a client, via a native protocol, a first access request requesting access by the client to a target application;
  
  determine target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application;
  
  provide to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and
  
  responsive to the proxy system being authenticated to the target application based on the target application access credentials, establish access for the client to the target application through the proxy system and via the native protocol, wherein the access is consistent with the policy and is established based on the target application access credentials, and the client is not exposed to the target application access credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The proxy system of claim 1, wherein the first access request comprises client access credentials associated with a user, and the client access credentials comprise a communication feature associated with the first access request.
  - 3. The proxy system of claim 1, wherein providing the second access request comprises providing the second access request via the native protocol.
  - 4. The proxy system of claim 1, wherein:
    - the first access request comprises a plurality of communication features; and
      
      determining the target application access credentials comprises determining the target application access credentials based on at least some of the plurality of communication features.
  - 5. The proxy system of claim 4, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises identifying the target application access credentials in a database based on at least some of the plurality of communication features.
  - 6. The proxy system of claim 4, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises transforming at least some of the plurality of communication features according to an algorithm to produce the target application access credentials.
  - 7. The proxy system of claim 1, wherein establishing access for the client to the target application comprises establishing a first logical communication link between the client and the proxy system and establishing a second logical communication link between the proxy system and the target application.
  - 8. The proxy system of claim 1, wherein the proxy system comprises a privileged access management system.
  - 9. The proxy system of claim 1, wherein the at least one processor is further configured to monitor the access to the target application through the proxy system.
  - 10. The proxy system of claim 9, wherein the at least one processor is further configured to:
    - based on the monitoring, detect suspicious activity; and
      
      in response to detecting suspicious activity, issue an alert.

11. A non-transitory computer readable medium including instructions that, when executed by at least one processor of a proxy system, cause the at least one processor to perform operations comprising:
- receiving from a client, via a native protocol, a first access request requesting access by the client to a target application;
  
  determining target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application;
  
  providing to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and
  
  responsive to the proxy system being authenticated to the target application based on the target application access credentials, establishing access for the client to the target application via the native protocol, wherein the access is consistent with the policy and is established based on the target application access credentials, and the client is not exposed to the target application access credentials.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer readable medium of claim 11, wherein providing the second access request comprises providing the second access request via the native protocol.
  - 13. The non-transitory computer readable medium of claim 11, wherein:
    - the first access request comprises a plurality of communication features; and
      
      determining the target application access credentials comprises determining the target application access credentials based on at least some of the plurality of communication features.
  - 14. The non-transitory computer readable medium of claim 13, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises identifying the target application access credentials in a database based on at least some of the plurality of communication features.
  - 15. The non-transitory computer readable medium of claim 13, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises transforming at least some of the plurality of communication features according to an algorithm to produce the target application access credentials.
  - 16. The non-transitory computer readable medium of claim 13, wherein the plurality of communication features comprise one or more of a content of the first access request;
    - an access request time of the first access request;
      
      an identity of the client;
      
      an identity of the target application; and
      
      the native protocol.
  - 17. The non-transitory computer readable medium of claim 11, wherein establishing access for the client to the target application comprises establishing a first logical communication link between the client and the proxy system and establishing a second logical communication link between the proxy system and the target application.
  - 18. The non-transitory computer readable medium of claim 11, wherein the operations further comprise monitoring the access to the target application.
  - 19. The non-transitory computer readable medium of claim 18, wherein the operations further comprise:
    - based on the monitoring, detecting suspicious activity; and
      
      in response to detecting suspicious activity, issuing an alert.
  - 20. The non-transitory computer readable medium of claim 19, wherein the operations further comprise, further in response to detecting suspicious activity, terminating the access to the target application.

21. A computer-implemented method comprising:
- receiving from a client, by a proxy system via a native protocol, a first access request requesting access by the client to a target application;
  
  determining target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application;
  
  providing to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and
  
  responsive to the proxy system being authenticated to the target application based on the target application access credentials, establishing access for the client to the target application via the native protocol, wherein the access is consistent with the policy and is established based on the target application access credentials, and the client is not exposed to the target application access credentials.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer-implemented method of claim 21, wherein providing the second access request comprises providing the second access request via the native protocol.
  - 23. The computer-implemented method of claim 21, wherein:
    - the first access request comprises a plurality of communication features; and
      
      determining the target application access credentials comprises determining the target application access credentials based on at least some of the plurality of communication features.
  - 24. The computer-implemented method of claim 23, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises identifying the target application access credentials in a database based on at least some of the plurality of communication features.
  - 25. The computer-implemented method of claim 23, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises transforming at least some of the plurality of communication features according to an algorithm to produce the target application access credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Dulkin, Andrey, Sade, Yair
Primary Examiner(s)
McNally, Michael S

Application Number

US15/192,623
Publication Number

US 20160308868A1
Time in Patent Office

557 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

System and method for secure proxy-based authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure proxy-based authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links