Constraining a login to a subset of access rights

US 8,875,258 B2
Filed: 02/18/2013
Issued: 10/28/2014
Est. Priority Date: 02/13/2009
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage memories comprising instructions that, responsive to execution by a computing device, cause the computing device to:

generate a constrained password by executing a cryptographic one-way-transformation algorithm on a general password of a user account, the general password being associated with a full set of access rights to resources associated with the user account, the execution of the cryptographic one-way-transformation algorithm providing an output that includes the constrained password, the constrained password being based on a constraint defining a subset of the full set of access rights associated with the user account; and

send an authentication request that includes the constrained password to another computing device configured to use the authentication request to access a resource based on the subset of access rights.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.

22 Citations

View as Search Results

20 Claims

1. One or more computer-readable storage memories comprising instructions that, responsive to execution by a computing device, cause the computing device to:
- generate a constrained password by executing a cryptographic one-way-transformation algorithm on a general password of a user account, the general password being associated with a full set of access rights to resources associated with the user account, the execution of the cryptographic one-way-transformation algorithm providing an output that includes the constrained password, the constrained password being based on a constraint defining a subset of the full set of access rights associated with the user account; and
  
  send an authentication request that includes the constrained password to another computing device configured to use the authentication request to access a resource based on the subset of access rights.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. One or more computer-readable storage memories as recited in claim 1, wherein the authentication request includes a user identifier (ID) associated with the user account.
  - 3. One or more computer-readable storage memories as recited in claim 1, wherein the cryptographic one-way transformation algorithm is executed on a product of another cryptographic algorithm executed on the general password.
  - 4. One or more computer-readable storage memories as recited in claim 1, wherein the authentication request includes a user identifier (ID) and wherein the constrained password is generated by executing the cryptographic one-way-transformation algorithm also on the user ID and a time stamp, a random number or bit string, user information, or version information.
  - 5. One or more computer-readable storage memories as recited in claim 1, wherein the general password is plain text or a product of another cryptographic algorithm executed on plain text.
  - 6. One or more computer-readable storage memories as recited in claim 1, wherein the instructions are executable to further cause the computing device to receive the general password and the constraint from a remote device.
  - 7. One or more computer-readable storage memories as recited in claim 6, wherein the constraint defines access rights that are limited by a time or date range in which access is valid, a system or subsystem to which access is limited, a feature of the system or subsystem to which access is limited, or a limitation on the feature to which access is limited.
  - 8. One or more computer-readable storage memories as recited in claim 6, wherein the constraint is described in plain text, described in a constraint specification language, an index to another constraint, a handle to another constraint, or a pointer to another constraint.
  - 9. One or more computer-readable storage memories as recited in claim 1, wherein the subset of the full set of access rights is configured to give at least partial access to one or more protected entities, each of the one or more protected entities being a local site, service, or system.
  - 10. One or more computer-readable storage memories as recited in claim 9, wherein the other computing device is a local authentication module and the one or more protected entities are local.
  - 11. One or more computer-readable storage memories as recited in claim 1, wherein the subset of the full set of access rights is configured to give at least partial access to one or more protected entities, each of the one or more protected entities being a network-accessible site, service, or system.
  - 12. One or more computer-readable storage memories as recited in claim 11, wherein the other computing device includes a local authentication module and the one or more protected entities are remote.

13. A system comprising:
- memory and one or more processors configured to utilize instructions in the memory to implement an authentication request module, the authentication request module configured to;
  
  receive an authentication request comprising;
  
  a user identifier (ID) associated with a user account; and
  
  a constrained password that is based on one or more constraints that define a subset of a full set of access rights associated with the user account; and
  
  perform a cryptographic algorithm on at least the user ID to generate a new constrained password; and
  
  compare the new constrained password to the constrained password received in the authentication request to determine a match; and
  
  responsive to determining that the constrained password is valid based on the match, granting the subset of access rights.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system as recited in claim 13, wherein the authentication request further comprises the one or more constraints that define the subset of access rights.
  - 15. The system as recited in claim 13, wherein the subset of access rights grant at least partial access to one or more protected entities.
  - 16. The system as recited in claim 15, wherein the one or more protected entities comprise a local site, service, or system.
  - 17. The system as recited in claim 15, wherein the one or more protected entities comprise a network-accessible site, service, or system.

18. A computing device comprising:
- one or more computer-readable storage memories comprising instructions that, responsive to execution by the computing device, cause the computing device to;
  
  execute a one-way-transformation algorithm on data associated with a general password of a user account, the data comprising a product of a cryptographic algorithm on the general password, the general password being associated with a full set of access rights to resources associated with the user account, the execution of the one-way-transformation algorithm providing an output that includes a constrained password, the constrained password being based on one or more constraints that define a subset of the full set of access rights associated with the user account; and
  
  send an authentication request that includes the constrained password to another computing device configured to use the authentication request to access a resource based on the subset of access rights.
- View Dependent Claims (19, 20)
- - 19. The computing device as recited in claim 18, wherein the instructions are executable to further cause the computing device to access the subset of the full set of access rights based on authentication of the user account and the access being provided by the other computing device.
  - 20. The computing device as recited in claim 18, wherein the authentication request includes a user identifier (ID) and wherein the output that includes the constrained password is provided based on execution of the one-way-transformation algorithm also on the user ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Michener, John R., Ferguson, Niels T., Ellison, Carl M., Benaloh, Josh D., LaMacchia, Brian A.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US13/769,767
Publication Number

US 20130167205A1
Time in Patent Office

617 Days
Field of Search

726/4, 726/5, 726/7, 726 17- 19, 726/21, 713182-184
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/06   Resources, workflows, human...

G06Q 30/0603   Catalogue ordering

G06Q 40/02   Banking, e.g. interest calc...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/88   Medical equipments

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Constraining a login to a subset of access rights

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Constraining a login to a subset of access rights

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links