CONSTRAINING A LOGIN TO A SUBSET OF ACCESS RIGHTS

US 20100212002A1
Filed: 02/13/2009
Published: 08/19/2010
Est. Priority Date: 02/13/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

sending an authentication request including a constrained password to an entity capable of authenticating a user account, the constrained password based on a general password for the user account and one or more constraints defining a subset of access rights of a full set of access rights associated with the user account; and

receiving, from the entity, access to the subset of access rights.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.

23 Citations

View as Search Results

20 Claims

1. A method comprising:
- sending an authentication request including a constrained password to an entity capable of authenticating a user account, the constrained password based on a general password for the user account and one or more constraints defining a subset of access rights of a full set of access rights associated with the user account; and
  
  receiving, from the entity, access to the subset of access rights.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, wherein the access to the subset of access rights grants access to a resource, the access to the resource based on the one or more constraints.
  - 3. The method as recited in claim 1, further comprising generating the constrained password using a one-way-transformation algorithm and based on the one or more constraints and the general password.
  - 4. The method as recited in claim 3, wherein the one-way-transformation algorithm comprises a cryptographic hash.
  - 5. The method as recited in claim 3, wherein the authentication request includes a user identifier (ID) and wherein the act of generating comprises executing the one-way-transformation algorithm also on the user ID and one of more of a time stamp, a random number or bit string, user information, or version information.
  - 6. The method as recited in claim 3, wherein the general password is plain text or a product of a cryptographic algorithm executed on plain text.
  - 7. The method as recited in claim 1, further comprising receiving the general password and the one or more constraints from a remote device.
  - 8. The method as recited in claim 7, wherein the one or more constraints define access rights that are limited by a time or date range in which access is valid, a system or subsystem to which access is limited, a feature of the system or subsystem to which access is limited, or a limitation on the feature to which access is limited.
  - 9. The method as recited in claim 7, wherein the one or more constraints are described in plain text, described in a constraint specification language, an index to another constraint, a handle to another constraint, or a pointer to another constraint.
  - 10. The method as recited in claim 1, wherein the subset of access rights is configured to give at least partial access to one or more protected entities, each of the one or more protected entities being a local site, service, or system.
  - 11. The method as recited in claim 10, wherein the entity is a local authentication module and the one or more protected entities are local.
  - 12. The method as recited in claim 1, wherein the subset of access rights is configured to give at least partial access to one or more protected entities, each of the one or more protected entities being a network-accessible site, service, or system.
  - 13. The method as recited in claim 12, wherein the entity is a local authentication module and the one or more protected entities are remote.

14. A method comprising:
- receiving an authentication request comprising;
  
  a user identifier (ID) associated with a user account; and
  
  a constrained password associated with a subset of access rights of access rights associated with the user account;
  
  determining that the constrained password is valid; and
  
  responsive to determining that the constrained password is valid, granting the subset of access rights.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method as recited in claim 14, wherein the authentication request further comprises one or more constraints defining the subset of access rights.
  - 16. The method as recited in claim 14, wherein the subset of access rights grant at least partial access to one or more protected entities.
  - 17. The method as recited in claim 16, wherein the one or more protected entities comprise a local site, service, or system.
  - 18. The method as recited in claim 16, wherein the one or more protected entities comprise a network-accessible site, service, or system.
  - 19. The method as recited in claim 14, wherein the authentication request is received from a remote computing device.

20. A method comprising:
- receiving input, the input comprising;
  
  a user ID;
  
  a general password that is;
  
  associated with a user account represented by the user ID; and
  
  configured to give access to a full set of rights associated with the user account; and
  
  one or more desired constraints that, when applied to the full set of access rights associated with the user account, define a subset of the full set of access rights;
  
  generating a constrained password, the generating comprising;
  
  executing a one-way cryptographic algorithm on the input; and
  
  receiving the constrained password as output from the one-way cryptographic algorithm;
  
  sending an authentication request, the authentication request including the user ID, the one or more desired constraints, and the constrained password; and
  
  receiving access to the subset of the full set access rights, the subset of the full set of access rights configured to give at least partial access to one or more protected entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ferguson, Niels T, Michener, John R., LaMacchia, Brian A, Ellison, Carl M., Benaloh, Josh

Granted Patent

US 8,381,279 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/06   Resources, workflows, human...

G06Q 30/0603   Catalogue ordering

G06Q 40/02   Banking, e.g. interest calc...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/88   Medical equipments

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

CONSTRAINING A LOGIN TO A SUBSET OF ACCESS RIGHTS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONSTRAINING A LOGIN TO A SUBSET OF ACCESS RIGHTS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links