Security Assertion Revocation

US 20080066170A1
Filed: 09/08/2006
Published: 03/13/2008
Est. Priority Date: 09/08/2006
Status: Active Grant

First Claim

Patent Images

1. One or more processor-accessible media comprising processor-executable instructions that include a security token (204), the security token comprising multiple respective assertion (602) that are associated with multiple respective assertion identifiers (604);

wherein an individual assertion of the multiple respective assertions may be independently revoked using a particular assertion identifier that is associated with the individual assertion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implemenation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.

Citations

20 Claims

1. One or more processor-accessible media comprising processor-executable instructions that include a security token (204), the security token comprising multiple respective assertion (602) that are associated with multiple respective assertion identifiers (604);
- wherein an individual assertion of the multiple respective assertions may be independently revoked using a particular assertion identifier that is associated with the individual assertion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The one or more processor-accessible media as recited in claim 1, wherein at least one assertion of the multiple assertions is associated with more than one assertion identifier.
  - 3. The one or more processor-accessible media as recited in claim 1, wherein the security token further comprises a digital signature that signs the multiple assertions.
  - 4. The one or more processor-accessible media as recited in claim 1, wherein the multiple assertions comprise:
    - a first assertion that is associated with a first assertion identifier of the multiple assertion identifiers; and
      
      a second assertion that is associated with a second assertion identifier of the multiple assertion identifiers;
      
      wherein the first assertion may be revoked with reference to the first assertion identifier.
  - 5. The one or more processor-accessible media as recited in claim 4, wherein the second assertion remains valid when the first assertion is revoked by referencing the first assertion identifier.
  - 6. The one or more processor-accessible media as recited in claim 4, wherein the first assertion may be revoked using a revocation assertion that includes the first assertion identifier.
  - 7. The one or more processor-accessible media as recited in claim 1, wherein the multiple assertions comprise:
    - a first assertion that is associated with a first assertion identifier of the multiple assertion identifiers, the first assertion identifier including a first value and a fourth value;
      
      a second assertion that is associated with a second assertion identifier of the multiple assertion identifiers, the second assertion identifier including a second value and the fourth value; and
      
      a third assertion that is associated with a third assertion identifier of the multiple assertion identifiers, the third assertion identifier including a third value and the fourth value;
      
      wherein the first, second, or third assertion may be independently revoked by referencing the first, second, or third value, respectively; and
      
      wherein the first, second, and third assertion may be jointly revoked by referencing the fourth value.
  - 8. The one or more processor-accessible media as recited in claim 1, wherein the multiple assertions comprise:
    - a first assertion that is associated with a first assertion identifier of the multiple assertion identifiers, the first assertion identifier including a first value and a second value;
      
      a second assertion that is associated with a second assertion identifier of the multiple assertion identifiers, the second assertion identifier including the second value and a third value; and
      
      a third assertion that is associated with a third assertion identifier of the multiple assertion identifiers, the third assertion identifier including the first value and the third value;
      
      wherein the first and second assertions may be revoked without revoking the third assertion by referencing the second value;
      
      wherein the second and third assertions may be revoked without revoking the first assertion by referencing the third value; and
      
      wherein the third and first assertions may be revoked without revoking the second assertion by referencing the first value.

9. A method for creating a security token having independently-revocable assertions, the method comprising:
- generating (802) a first assertion wit an associated first assertion identifier;
  
  generating (804) a second assertion with an associated second assertion identifier;
  
  combining (806) the first assertion and the second assertion into the security token; and
  
  digitally signing (808) the security token after the combining.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method as recited in claim 9, wherein the generating a first assertion with an associated first assertion identifier comprises:
    - generating the first assertion with the associated first assertion identifier, wherein the first assertion identifier comprises a set of values.
  - 11. The method as recited in claim 9, wherein:
    - the generating a first assertion with an associated first assertion identifier comprises generating the first assertion with the associated first assertion identifier, wherein the first assertion identifier comprises a first value and a third value; and
      
      the generating a second assertion with an associated second assertion identifier comprises generating the second assertion with the associated second assertion identifier, wherein the second assertion identifier comprises a second value and the third value.
  - 12. The method as recited in claim 9, wherein the generating a first assertion with an associated first assertion identifier comprises:
    - generating the first assertion with the associated first assertion identifier, wherein the first assertion comprises a security assertion that is logically of the form;
      
      principal says ID fact if fact₁, . . . , fact_n, c₁, . . . c_m,with the first assertion identifier represented by ID and any constraints represented by c₁, . . . , c_m, with “
      
      m”
      
      being an integer of zero or greater.
  - 13. The method as recited in claim 9, further comprising:
    - extracting the first assertion and the second assertion from the digitally signed security token;
      
      comparing the first assertion identifier and the second assertion identifier to a set of revoked assertion identifiers that are associated with revoked assertions;
      
      responsive to the comparing, rejecting the first assertion if the first assertion identifier matches a revoked assertion identifier in the set; and
      
      responsive to the comparing, rejecting the second assertion if the second assertion identifier matches a revoked assertion identifier in the set.

14. A method for filtering revoked assertions, the method comprising:
- acquiring (902) multiple assertions from a security token, each respective assertion of the multiple assertions associated with a respective assertion identifier of multiple assertion identifiers;
  
  comparing (904) the multiple assertion identifiers to a set of revoked assertion identifiers;
  
  determining (906) if at least one assertion identifier of the multiple assertion identifiers matches a revoked assertion identifier of the set of revoked assertion identifiers; and
  
  if at least one assertion identifier of the multiple assertion identifiers is determined to match a revoked assertion identifier of the set of revoked assertion identifiers, rejecting (910) at least one assertion that is associated with the at least one assertion identifier that is determined to match the revoked assertion identifier.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method as recited in claim 14, wherein the acquiring multiple assertions from a security token comprises at least one of:
    - accepting the multiple assertions of the security token as part of an assertion context;
      
      orextracting the multiple assertions from the security token;
      
      wherein the security token includes a digital signature covering at least the multiple assertions.
  - 16. The method as recited in claim 14, further comprising:
    - applying any assertions of the multiple assertions that remain after the rejecting action to an evaluation algorithm involving an authorization query.
  - 17. The method as recited in claim 14, further comprising:
    - ascertaining if one or more conditional revocation assertions are valid; and
      
      if one or more conditional revocation assertions are ascertained to be valid, including assertion identifiers from the one or more valid conditional revocation assertions in the set of revoked assertion identifiers for the comparing and the determining actions.
  - 18. The method as recited in claim 14, wherein the multiple assertion identifiers comprise a first assertion identifier having a particular value and a second assertion identifier having the particular value;
    - and wherein a particular revoked assertion identifier of the set of revoked assertion identifiers also has the particular value; and
      
      wherein;
      
      the determining comprises determining that the first assertion identifier and the second assertion identifier of the multiple assertion identifiers match the particular revoked assertion identifier of the set of revoked assertion identifiers; and
      
      the rejecting comprises rejecting a first assertion of the multiple assertions that is associated with the first assertion identifier and a second assertion of the multiple assertions that is associated with the second assertion identifier.
  - 19. The method as recited in claim 14, wherein the multiple assertion identifiers comprise a first assertion identifier having a first value and a second assertion identifier having a second value;
    - and wherein a particular revoked assertion identifier of the set of revoked assertion identifiers also has the first value; and
      
      wherein;
      
      the determining comprises determining that the first assertion identifier of the multiple assertion identifiers matches the particular revoked assertion identifier of the set of revoked assertion identifiers; and
      
      the rejecting comprises rejecting a first assertion of the multiple assertions that is associated with the first assertion identifier and not rejecting a second assertion of the multiple assertions that is associated with the second assertion identifier.
  - 20. The method as recited in claim 14, further comprising:
    - processing a revocation assertion that includes a revoked assertion identifier;
      
      wherein the revocation assertion comprises a security assertion and is logically of the form;
      
      principal says fact,in which fact corresponds to;
      
      principal revoke ID=value if c₁, . . . , c_m,with the revoked assertion identifier represented by ID=value and any constraints represented by c₁, . . . , c_m, with “
      
      m”
      
      being an integer of zero or greater.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B., LaMacchia, Brian A., Becker, Moritz Y., Gordon, Andrew D., Fournet, Cedric

Granted Patent

US 8,095,969 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 63/10 for controlling access to d...

H04L 63/20 for managing network securi...

Security Assertion Revocation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security Assertion Revocation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links