HTTP authentication and authorization management

US 9,003,186 B2
Filed: 07/24/2008
Issued: 04/07/2015
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method in a distributed security system, comprising:

receiving authenticated user data at an authority node responsive to an unauthenticated request to a processing node, the authority node and the processing node are part of the distributed security system;

defining a plurality of epochs, each epoch identified by an epoch ID;

modifying the authenticated user data with a current epoch ID for a current epoch to generate associated authenticated user data as a combination of the authenticated user data and the current epoch ID;

obtaining a current epoch key pair for the current epoch, the current epoch key pair comprising a current public epoch key and a current private epoch key, wherein one attribute of the current public epoch key is the current epoch ID;

encrypting the associated authenticated user data with the current private epoch key to generate authentication data, wherein data encrypted by the current private epoch key can only be decrypted by the public epoch key for a same epoch as the current private epoch key;

providing the current public epoch key to an external security service, wherein providing the current public epoch key comprises providing the current public epoch key to the processing node, wherein the processing node receives requests from one or more client browsers and the processing node is separate from the authority node with the processing node and the authority node forming a distributed security system external from a user associated with the authenticated user data and external from a domain being requested by the user; and

providing the authentication data to the external security service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include an epoch manager that is used to generate authentication and authorization data that remain valid only for an epoch. The epoch manager can generate an epoch key pair that can be used to encrypt and decrypt the authentication and authorization data during the epoch that the key is valid. The epoch manager can also associate the contents of the data with the epoch in which it was created, so that at decrypting the epoch that the data was generated in can be identified.

46 Citations

View as Search Results

20 Claims

1. A computer implemented method in a distributed security system, comprising:
- receiving authenticated user data at an authority node responsive to an unauthenticated request to a processing node, the authority node and the processing node are part of the distributed security system;
  
  defining a plurality of epochs, each epoch identified by an epoch ID;
  
  modifying the authenticated user data with a current epoch ID for a current epoch to generate associated authenticated user data as a combination of the authenticated user data and the current epoch ID;
  
  obtaining a current epoch key pair for the current epoch, the current epoch key pair comprising a current public epoch key and a current private epoch key, wherein one attribute of the current public epoch key is the current epoch ID;
  
  encrypting the associated authenticated user data with the current private epoch key to generate authentication data, wherein data encrypted by the current private epoch key can only be decrypted by the public epoch key for a same epoch as the current private epoch key;
  
  providing the current public epoch key to an external security service, wherein providing the current public epoch key comprises providing the current public epoch key to the processing node, wherein the processing node receives requests from one or more client browsers and the processing node is separate from the authority node with the processing node and the authority node forming a distributed security system external from a user associated with the authenticated user data and external from a domain being requested by the user; and
  
  providing the authentication data to the external security service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein receiving authenticated user data comprises receiving at an authority node authenticated user data from an access agent.
  - 3. The method of claim 1, wherein the authenticated user data comprises authenticated user credentials.
  - 4. The method of claim 1, wherein an epoch is a period of time.
  - 5. The method of claim 1, wherein an epoch is a number of processed requests.
  - 6. The method of claim 1, wherein associating the authenticated user data with a current epoch ID for a current epoch comprises:
    - identifying a current epoch ID for the current epoch; and
      
      generating an associated authenticated user data, wherein the associated authenticated user data comprises of the authenticated user data and the current epoch ID.
  - 7. The method of claim 1, wherein obtaining a current epoch key pair for the current epoch comprises:
    - generating at the authority node a public key and a private key during the current epoch;
      
      associating the key pair of the public key and private key with the current epoch ID.
  - 8. The method of claim 1, wherein the private epoch key is used to encrypt data.
  - 9. The method of claim 1, wherein the current public epoch key is used to decrypt data encrypted using the current private epoch key.
  - 10. The method of claim 1, wherein the current private epoch key is maintained at the authority node.
  - 11. The method of claim 1, wherein providing the authentication data to the external security service comprises providing a authentication data to a client browser.
  - 12. The method of claim 1, wherein providing the authentication data to the external security service comprises providing a authentication data to an access agent.
  - 13. The method of claim 1, further comprising:
    - determining whether the current epoch has expired;
      
      if the current epoch is determined to have expired, associating the authenticated user data with a new epoch ID for a new epoch;
      
      obtaining a new epoch key pair for the new epoch, the new epoch key pair comprising a new public epoch key and a new private epoch key, wherein one attribute of the new public epoch key is the new epoch ID;
      
      encrypting the associated authenticated user data with the new private epoch key for the new epoch to generate a new authentication data;
      
      providing the new public epoch key for the new epoch to the external security service; and
      
      providing the new authentication data to the external security service.
  - 14. The method of claim 13, wherein providing the new authentication data to the external security service comprises providing the new authentication data to the processing node.
  - 15. The method of claim 1, wherein the user is communicatively coupled to the processing node over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the processing node;
    - andwherein all HTTP communications from the user to the Internet are monitored by the processing node.

16. Software stored in a non-transitory computer readable medium and comprising instructions executable by a data processing system and upon such execution cause the data processing system to perform operations comprising:
- receiving authenticated user data responsive to an unauthenticated request to a processing node, an authority node and the processing node are part of a distributed security system;
  
  identifying a current epoch;
  
  identifying a current epoch ID associated with the current epoch;
  
  modifying the authenticated user data with a current epoch ID to generate associated authenticated user data as a combination of the authenticated user data and the current epoch ID;
  
  obtaining a current epoch key pair for the current epoch, the current epoch key pair comprising a current public epoch key and a current private epoch key, wherein one attribute of the current public epoch key is the current epoch ID;
  
  encrypting the associated authenticated user data with the current private epoch key to generate authentication data, wherein data encrypted by the current private epoch key can only be decrypted by the public epoch key for a same epoch as the current private epoch key; and
  
  providing the current public epoch key and the authentication data to an external security service, wherein the providing the authentication data to the external security service comprises providing the authentication data to a processing node separate from the authority node with the processing node and the authority node forming a distributed security system external from a user associated with the authenticated user data and external from a domain being requested by the user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The software of claim 16, further comprising instructions executable by the data processing system and upon such execution cause the data processing system to perform operations comprising:
    - determining whether the current epoch has expired;
      
      if the current epoch is determined to have expired, identifying a new epoch ID for the new epoch;
      
      generating a new associated authenticated user data, wherein the new associated authenticated user data comprises of the authenticated user data and the new epoch ID;
      
      obtaining a new epoch key pair for the new epoch, the new epoch key pair comprising a new public epoch key and a new private epoch key, wherein one attribute of the new public epoch key is the new epoch ID;
      
      encrypting the new associated authenticated user data with the new private epoch key for the new epoch to generate a new authentication data;
      
      providing the new public epoch key for the new epoch to the external security service; and
      
      providing the new authentication data to the external security service.
  - 18. The software of claim 16, wherein the providing the authentication data to the external security service comprises providing the authentication data to a access agent.
  - 19. The software of claim 16, wherein the new epoch key pair is obtained from the authority node.
  - 20. The software of claim 16, wherein the user is communicatively coupled to the processing node over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the processing node;
    - andwherein all HTTP communications from the user to the Internet are monitored by the processing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Kailash, Kailash, Nanjundaswamy, Shashidhara Mysore, Mullick, Amarnath, Raphel, Jose
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US12/179,441
Publication Number

US 20100020967A1
Time in Patent Office

2,448 Days
Field of Search

713/168, 713/172, 713/173, 713/178, 726 4- 6
US Class Current

713/168
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 9/3234   involving additional secure...

H04L 9/3297   involving time stamps, e.g....

HTTP authentication and authorization management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP authentication and authorization management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links