Secure and anonymous distributed authentication
Abstract
A method performed at a central entity includes (a) sharing a secret with a remote tenant server of one of a plurality of tenant organizations, the tenant server being configured to provide authentication services for accessing storage of the central entity, (b) receiving a storage request from a remote client device, (c) extracting an identification of the tenant organization from a core portion of the request, (d) selecting the shared secret of the identified tenant organization, (e) cryptographically combining the core portion and the shared secret to generate a preliminary signature, (f) performing a computation using the preliminary signature and a body portion of the request to generate a test signature, the body portion including the core portion and an object identifier, (g) comparing the test signature with a signature from the request, and (h) permitting the client device to access an identified object only when the comparison is positive.
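The sequence (a) through (h) of the abstract, as a worked example added here; this is not the patent's or the assignee's code. HMAC-SHA256 stands in for the unspecified "cryptographically combining" and "computation" steps, the canonical-JSON core encoding and length-prefixed body encoding are assumptions, and issue_lease() and build_request() are an assumed issuing side (tenant server and client) that the page does not describe. Tenant names and secrets are constructed sample data.

```python
"""Nested-HMAC check of a storage request, as described in the abstract.

Added example, not the patent's own code. The page describes only the
verifying side (steps (b)-(h)); issue_lease() and build_request() are an
assumption about how a request that passes the check is produced.
"""
import hashlib
import hmac
import json

# Step (a): a secret shared out of band with each tenant server.
# Constructed sample values; tenant names are illustrative.
TENANT_SECRETS = {
    "tenant-acme": hashlib.sha256(b"sample secret for acme").digest(),
    "tenant-globex": hashlib.sha256(b"sample secret for globex").digest(),
}


def encode_core(tenant_id: str, lease_terms: dict) -> bytes:
    """Core portion: tenant identification plus inner lease terms, as
    canonical JSON so issuer and verifier hash identical bytes (assumed encoding)."""
    payload = {"tenant": tenant_id, "lease": lease_terms}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def encode_body(core: bytes, object_id: str) -> bytes:
    """Body portion: the core portion followed by the object identifier.
    The length prefix keeps the two fields from running together (assumed encoding)."""
    return len(core).to_bytes(4, "big") + core + object_id.encode()


def preliminary_signature(shared_secret: bytes, core: bytes) -> bytes:
    """Step (e): core portion cryptographically combined with the tenant secret."""
    return hmac.new(shared_secret, core, hashlib.sha256).digest()


def final_signature(preliminary: bytes, body: bytes) -> bytes:
    """Step (f): computation over the body keyed by the preliminary signature."""
    return hmac.new(preliminary, body, hashlib.sha256).digest()


def issue_lease(tenant_id: str, lease_terms: dict, shared_secret: bytes):
    """Assumed tenant-server step: hand the client the core bytes and the
    preliminary signature, never the shared secret itself."""
    core = encode_core(tenant_id, lease_terms)
    return core, preliminary_signature(shared_secret, core)


def build_request(core: bytes, preliminary: bytes, object_id: str) -> dict:
    """Assumed client step: name an object and sign the body with the
    delegated preliminary signature; the client's identity is not sent."""
    body = encode_body(core, object_id)
    return {"core": core, "object_id": object_id,
            "signature": final_signature(preliminary, body)}


def verify_storage_request(request: dict, tenant_secrets=TENANT_SECRETS) -> bool:
    """Steps (c)-(h) at the central entity: permit access only when the
    recomputed final test signature equals the signature in the request."""
    core = request["core"]
    try:
        tenant_id = json.loads(core)["tenant"]      # (c) extract tenant id
    except (ValueError, KeyError, TypeError):
        return False                                # malformed core portion
    secret = tenant_secrets.get(tenant_id)          # (d) select shared secret
    if secret is None:
        return False                                # unknown tenant, no permission
    preliminary = preliminary_signature(secret, core)                    # (e)
    test_sig = final_signature(preliminary,
                               encode_body(core, request["object_id"]))  # (f)
    return hmac.compare_digest(test_sig, request["signature"])           # (g), (h)


def demo():
    """Honest request passes; a re-targeted object or a forged tenant fails."""
    lease = {"lease_id": "L-42", "expires": "2030-01-01T00:00:00Z"}
    core, preliminary = issue_lease("tenant-acme", lease, TENANT_SECRETS["tenant-acme"])
    good = build_request(core, preliminary, "bucket1/report.pdf")
    # Same signature, different object: the body no longer matches.
    retargeted = dict(good, object_id="bucket1/other.pdf")
    # A preliminary signature for tenant-acme cannot vouch for tenant-globex.
    forged_core = encode_core("tenant-globex", lease)
    forged = build_request(forged_core, preliminary, "bucket1/report.pdf")
    return (verify_storage_request(good),
            verify_storage_request(retargeted),
            verify_storage_request(forged))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two properties of the construction are worth checking against the claims. The central entity needs only the per-tenant secret and the request itself: no client identity appears in the core or body portions, so it authenticates the lease rather than the person. And the client holds only the preliminary signature, which is bound to one core portion; changing the tenant identification or the inner lease terms changes the key the verifier derives, and changing the object identifier changes the body, so either edit fails the comparison in step (g). The comparison uses hmac.compare_digest so that a mismatch does not leak timing information about how many leading bytes matched.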
20 Claims
1. A method of providing access to storage of a central entity, the method comprising:
at a computing device of the central entity, sharing a secret with a tenant server of a tenant organization of a plurality of tenant organizations, the tenant server being configured to provide authentication services for accessing the storage at the central entity, the central entity being remote from the tenant server;
at the computing device of the central entity, receiving a storage request from an end client device, the end client device being remote from the central entity;
at the computing device of the central entity, extracting an identification of the tenant organization from a core portion of the storage request, the core portion including the identification of the tenant and inner lease terms identifying an inner lease between the tenant organization and a client of the tenant organization;
at the computing device of the central entity, selecting the shared secret of the tenant organization identified by the extracted identification of the tenant organization;
at the computing device of the central entity, cryptographically combining the core portion and the selected shared secret to generate a preliminary test signature;
at the computing device of the central entity, performing a computation using the preliminary test signature and a body portion of the storage request to generate a final test signature, the body portion including the core portion and an object identifier;
at the computing device of the central entity, comparing the final test signature with a signature from the storage request; and
at the computing device of the central entity, selectively permitting the end client device to access an object identified by the object identifier depending on a result of a selection operation, the selection operation indicating a lack of permission when the comparison is negative and the selection operation indicating permission only when the comparison is positive.
Dependent claims: 2, 3, 4, 5, 6, 7

8. An apparatus comprising:
network interface circuitry for communicating with a remote end client device and a plurality of remote tenant servers of respective tenant organizations over a network;
persistent storage; and
processing circuitry coupled to memory configured to:
share a secret with a tenant server of a tenant organization of the plurality of tenant organizations, the tenant server being configured to provide authentication services for accessing the persistent storage;
receive a storage request from the end client device;
extract an identification of the tenant organization from a core portion of the storage request, the core portion including the identification of the tenant and inner lease terms identifying an inner lease between the tenant organization and a client of the tenant organization;
select the shared secret of the tenant organization identified by the extracted identification of the tenant organization;
cryptographically combine the core portion and the selected shared secret to generate a preliminary test signature;
perform a computation using the preliminary test signature and a body portion of the storage request to generate a final test signature, the body portion including the core portion and an object identifier;
compare the final test signature with a signature from the storage request; and
selectively permit the end client device to access an object identified by the object identifier depending on a result of a selection operation, the selection operation indicating a lack of permission when the comparison is negative and the selection operation indicating permission only when the comparison is positive.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A computer program product comprising a non-transitory computer-readable storage medium storing instructions, which, when executed by a computing device, cause the computing device to perform the following operations:
sharing a secret with a tenant server of a tenant organization of a plurality of tenant organizations, the tenant server being configured to provide authentication services for accessing persistent storage at the computing device, the computing device being remote from the tenant server;
receiving a storage request from an end client device, the end client device being remote from the computing device;
extracting an identification of the tenant organization from a core portion of the storage request, the core portion including the identification of the tenant and lease terms identifying an inner lease between the tenant organization and a client of the tenant organization;
selecting the shared secret of the tenant organization identified by the extracted identification of the tenant organization;
cryptographically combining the core portion and the selected shared secret to generate a preliminary test signature;
performing a computation using the preliminary test signature and a body portion of the storage request to generate a final test signature, the body portion including the core portion and an object identifier;
comparing the final test signature with a signature from the storage request; and
selectively permitting the end client device to access an object identified by the object identifier depending on a result of a selection operation, the selection operation indicating a lack of permission when the comparison is negative and the selection operation indicating permission only when the comparison is positive.
Dependent claims: 16, 17, 18, 19, 20

Specification