Parameter based key derivation
First Claim
1. A computer-implemented method, comprising:
- receiving a delegation request from a first entity, fulfilment of which involves granting a second entity an access privilege to a computing resource;
- generating a session key based at least in part on:
  (a) an encoding of a restriction that indicates a limitation on access to be granted to the second entity; and
  (b) a secret credential shared with the first entity;
- providing the session key to the first entity;
- receiving, from the second entity, an access request to access the computing resource, the access request including information that indicates access to the session key;
- validating the access request based at least in part on the session key; and
- granting, to the second entity, access to the computing resource subject to the restriction.
Abstract
A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key was generated based at least in part on a restriction and on a secret credential shared with the session-based authentication service, and is usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.
20 Claims
1. A computer-implemented method (independent claim 1, reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6.
7. A system, comprising:
- one or more processors; and
- memory including instructions that, when executed by the one or more processors, cause the system to:
  - receive a delegation request from a first entity, fulfilment of which involves granting a second entity an access privilege to a computing resource;
  - in response to receipt of the delegation request:
    - generate a session key, based at least in part on a secret credential, shared between the first entity and the one or more computer systems, and an encoding of a session restriction through a cryptographic hash algorithm, the session restriction indicating a limitation on access to be granted to the second entity; and
    - provide the session key to the first entity;
  - receive an access request from the second entity to access the computing resource, the access request associated with the session key; and
  - in response to receipt of the access request:
    - validate the access request based at least in part on the encoding of the session key; and
    - grant, to the second entity, access to the computing resource subject to the session restriction.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- receive a first request from a first entity, fulfilment of which involves granting a second entity an access privilege to a computing resource;
- generate a session key based at least in part on an encoding of a restriction and a secret credential shared between the first entity and the computer system, the restriction indicating a limitation on access to be granted to the second entity;
- provide the session key, usable at least in part to prove possession of an access privilege to a computing resource, to the first entity;
- receive a second request to access the computing resource, fulfilment of which involves providing a second entity access to the computing resource, the second request associated with the session key;
- validate the second request based at least in part on the session key; and
- fulfill the second request by providing access, subject to the restriction, to the computing resource depending at least in part on validation of the session key.
Dependent claims: 18, 19, 20.
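The derive-then-validate flow that the three independent claims describe, as an added example that is not from the patent or from any product implementing it. The canonical JSON encoding of the restriction, HMAC-SHA256 as the hash-based derivation, the restriction fields (prefix, actions, expiry) and the entity names are all assumptions made for the demonstration; what it shows is that the second entity can prove possession of a session key it was handed without ever holding the shared secret, and that any change to the restriction yields a different key, so the service rejects requests outside the delegated limits.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo state: the long-term secret the service shares with the first
# (delegating) entity. The second entity never receives it, only the session key.
SHARED_SECRETS = {"first-entity": b"long-term-secret-shared-with-the-service"}

def canonical(obj: dict) -> bytes:
    """Deterministic encoding so both sides derive and sign over identical bytes (assumed format)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def derive_session_key(first_entity: str, restriction: dict) -> Optional[bytes]:
    """Service side: session key = hash-based MAC of the encoded restriction under the shared secret."""
    secret = SHARED_SECRETS.get(first_entity)
    if secret is None:
        return None
    return hmac.new(secret, canonical(restriction), hashlib.sha256).digest()

def sign_access_request(session_key: bytes, first_entity: str, restriction: dict,
                        action: str, resource: str) -> dict:
    """Second-entity side: prove possession of the session key; the restriction travels in the clear."""
    req = {"delegator": first_entity, "restriction": restriction,
           "action": action, "resource": resource}
    req["signature"] = hmac.new(session_key, canonical(req), hashlib.sha256).hexdigest()
    return req

def validate_access_request(req: dict, now: int) -> bool:
    """Service side: re-derive the key from the presented restriction, check the MAC,
    then enforce the restriction. A widened restriction derives a different key, so a
    signature made under the narrow session key cannot verify against it."""
    key = derive_session_key(req["delegator"], req["restriction"])
    if key is None:
        return False
    unsigned = {k: v for k, v in req.items() if k != "signature"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req["signature"]):
        return False
    r = req["restriction"]
    return (now < r["expires"] and req["action"] in r["actions"]
            and req["resource"].startswith(r["resource_prefix"]))

if __name__ == "__main__":
    restriction = {"resource_prefix": "reports/", "actions": ["read"], "expires": 1_700_000_000}
    session_key = derive_session_key("first-entity", restriction)  # handed to the first entity
    req = sign_access_request(session_key, "first-entity", restriction, "read", "reports/q1.csv")
    print("valid:", validate_access_request(req, now=1_699_999_000))
```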