WO2018175980A1 - A credential management system for distributed authentication, and related systems and methods - Google Patents

A credential management system for distributed authentication, and related systems and methods Download PDF

Info

Publication number
WO2018175980A1
WO2018175980A1 PCT/US2018/024166 US2018024166W WO2018175980A1 WO 2018175980 A1 WO2018175980 A1 WO 2018175980A1 US 2018024166 W US2018024166 W US 2018024166W WO 2018175980 A1 WO2018175980 A1 WO 2018175980A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
dictionary
request
manager
credentials
Prior art date
Application number
PCT/US2018/024166
Other languages
French (fr)
Inventor
Edgar C. JEREZ
Original Assignee
Comet Enterprises, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Comet Enterprises, Inc. filed Critical Comet Enterprises, Inc.
Publication of WO2018175980A1 publication Critical patent/WO2018175980A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled

Definitions

  • Embodiments of this disclosure relate generally to systems and methods for securely managing user credentials associated with resources, and related systems and methods for securely managing distributed authentication to access such resources.
  • a web browser or client application may request the online resource responsive to, for example, a uniform resource locator (URL) or internet protocol (IP) address provided by a user or predefined (typically predefined in the case of a client application).
  • URL uniform resource locator
  • IP internet protocol
  • the user will then type the web address or the URL (Uniform Resource Locator) of the desired online resource.
  • a resource authentication server may process the request and require the user to input a username and password. After the usemame and password are authenticated, an online resource server may then responds to the online resource request and "serve" the online resource to the web browser or client application.
  • Valuable information accessed over the internet or other networks typically resides behind an authentication layer.
  • a conventional authentication layer protects valuable information through the use of passwords, personal-identification- numbers (PINs), and encryption keys.
  • PINs personal-identification- numbers
  • Countless online services including e-mail, online banking, shopping, healthcare, and social networking sites, require users to provide at least a username and a password to access those online services. More security features may added to the authentication layer, for example, two-factor authentication, biometrics, and more. The world is overwhelmed with the number of passwords, PIN numbers, encryption keys, and authentication processes that need to be managed in order access online services.
  • Password security may be static or dynamic. Static, meaning the data required to authenticate a user does not changed. Dynamic, meaning the data required to authenticate a user changes frequently. Anything static is breakable. Generally, dynamic credentials, if changed frequently enough, are more secure than credentials that are not changed or are changed infrequently. Passwords, PINs, and encryption keys are dynamic, however users often rely on themselves or credential managers (e.g., a browser with built-in usemame and password keeping) to manage their credentials and keep them secure. As a result, passwords, PINs, and encryptions keys are not changed frequently enough, are not complex enough, and are limited by the memory of users.
  • credential managers e.g., a browser with built-in usemame and password keeping
  • the computing device may include a local application and a client application.
  • the local application may be configured to enable the computing device to request, receive, and use a resource.
  • the client application may be configured to enable the computing device to: maintain a list of available resources; receive a resource access request, the resource access request comprising a resource identifier associated with the resource; create a resource authentication service request responsive to the resource access request, the resource authentication service request comprising the resource identifier and a user identifier; communicate the resource authentication service request to an application server configured to manage resource credentials including resource credentials associated with the resource; receive the resource credentials; and provide the resource credentials to the local application to enable the computing device to provide the resource credentials to a resource authentication server.
  • the computing device may include a local application and a client application.
  • the local application may be configured to enable the computing device to request, receive, and use a resource.
  • the client application may be configured to enable the computing device to: maintain a list of available resources; receive a resource access request, the resource access request comprising a resource identifier associated with the resource; create a resource authentication service request responsive to the resource access request, the resource authentication service request comprising the resource identifier and a user identifier; communicate the resource authentication service request to an application server configured to manage credentials including credentials associated with the resource; and enable the local application to receive the resource from a resource server without separately authenticating the user by directly establishing communication between the local application and the resource server.
  • the computer-server may include a dictionary database store having one or more credential dictionaries; a credential-keeping service manager configured to determine and manage resource credentials; an authentication service manager configured to request resource credentials from the credential-keeping service responsive to an resource authentication service request and provide resource credentials to the authentication manager of the resource application server, and a dictionary manager configured to manage the credential dictionaries responsive to dictionary management requirements, wherein the dictionary management requirements comprise instructions adapted to cause the dictionary manager to update credential dictionaries according to a pre-defined schedule.
  • the distributed authentication system may include a resource application server, a multi-level encrypted application server, and a client application.
  • the resource application server may include an authentication manager; and a resource service manager configured to provide a resource responsive to a resource request authenticated by the authentication manager.
  • the multi-level encrypted application server may include: a dictionary database store having one or more credential dictionaries; a credential-keeping service manager configured to determine and manage resource credentials; a dictionary manager configured to manage the credential dictionaries responsive to dictionary management requirements; and an authentication service manager configured to request resource credentials from the credential-keeping service responsive to an resource authentication service request and provide resource credentials to the authentication manager of the resource application server.
  • the client application may be configured to maintain a list of available resources; receive a resource access request initiated at a user interface of the client application, the resource access request associated with a resource of the available resources; create a resource authentication services request responsive to the resource access request; and provide the resource authentication services request to the multi-level encrypted application server.
  • FIG. 1 shows a distributed authentication system, in accordance with an embodiment of the disclosure
  • FIG. 2 shows an authentication process, in accordance with an embodiment of the disclosure
  • FIG. 3 shows a distributed authentication system, in accordance with an embodiment of the disclosure
  • FIG. 4 shows an authentication process, in accordance with an embodiment of the disclosure
  • FIG. 5 shows a distributed authentication system, in accordance with an embodiment of the disclosure
  • FIG. 6 shows an authentication process, in accordance with an embodiment of the disclosure
  • FIG. 7 shows a coded instruction schema, in accordance with an embodiment of the disclosure.
  • FIG. 8 shows a dictionary synchronization process, in accordance with an embodiment of the disclosure.
  • FIG. 9 shows a dictionary synchronization process, in accordance with an embodiment of the disclosure.
  • FIG. 10 shows multi-level server architecture, in accordance with an embodiment of the disclosure
  • FIG. 11 shows a registration process, in accordance with an embodiment of the disclosure.
  • FIG. 1 may illustrate information and signals as a single data packet or single signal for clarity of presentation and description. It will be understood by a person of ordinary skill in the art that the data packet or signal may represent a bus of signals or series of data packets. A bus may have a variety of bit widths and the present disclosure may be implemented on any number of data signals including a single data signal.
  • DSP Digital Signal Processor
  • IC Integrated Circuit
  • ASIC Application Specific Integrated Circuit
  • FPGA Programmable Gate Array
  • a general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a processor may also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
  • a general- purpose computer including a processor is considered a special-purpose computer while the general-purpose computer is configured to execute computing instructions (e.g., software code) related to embodiments of the present disclosure. Examples of computers include personal computers, workstations, laptops, tablets, mobile phones, wearable devices, and computer-servers.
  • the embodiments may be described in terms of a process that is depicted as a flowchart, a flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe operational acts as a sequential process, many of these acts can be performed in another sequence, in parallel, or substantially concurrently. In addition, the order of the acts may be re-arranged.
  • a process may correspond to a method, a thread, a function, a procedure, a subroutine, a subprogram, etc.
  • the methods disclosed herein may be implemented in hardware, software, or both. If implemented in software, the functions may be stored or transmitted as one or more instructions or code on computer-readable media.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • Modules may be at least partially
  • a module may be implemented in hardware, in one form or another.
  • a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the- shelf semiconductors such as logic chips, transistors, or other discrete components.
  • a module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like.
  • a server is a computer program that provides functionality or services to other programs, commonly called clients. While a server is a computer program or process (i.e., executing program), the term may also be used to refer to a computer running one or more server programs, and so, unless otherwise indicated, the use of the term server in this description is intended to cover both situations. Examples of types of servers includes, but is not limited to, web servers, application servers, database servers, communication servers, computing servers, file servers, mail servers, game servers, proxy servers, print servers and more. Generally, any general-purpose computer may run a server program, and as such, can run programs and applications that are not server programs.
  • Modules may also be implemented using software or firmware, stored on a physical storage device (e.g., a computer readable storage medium), in memory, or a combination thereof for execution by various types of processors.
  • An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions, which may, for instance, be organized as a thread, object, procedure, or function.
  • the executable of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
  • a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several storage or memory devices.
  • operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
  • the software portions are stored on one or more physical devices, which are referred to herein as computer readable media.
  • a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several storage or memory devices.
  • operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
  • the software portions are stored on one or more physical devices, which are referred to herein as computer readable media.
  • the software portions are stored in a non-transitory state such that the software portions, or representations thereof, persist in the same physical location for a period of time. Additionally, in some embodiments, the software portions are stored on one or more non-transitory storage devices, which include hard ware elements capable of storing non-transitory states and/or signals representative of the software portions, even though other portions of the non-transitory storage devices may be capable of altering and/or transmitting the signals. Examples of non-transitory storage devices are flash memory and random-access- memory (RAM). Another example of a non-transitory storage device includes a read-only memory (ROM) which can store signals and/or states representative of the software portions for a period of time.
  • ROM read-only memory
  • a processor may access the ROM to obtain signals that are representative of the stored signals and/or states in order to execute the corresponding software instructions.
  • Data may be stored and managed in a data store, and may be organized as files in a file system, a directory, or organized in a more sophisticate repository like a database that includes a database management system. Data may be encrypted using encryption keys, for example, public and private encryption keys.
  • the term "substantially" in reference to a given parameter, property, or condition means and includes to a degree that one skilled in the art would understand that the given parameter, property, or condition is met with a small degree of variance, such as within acceptable manufacturing tolerances.
  • a parameter that is substantially met may be at least about 90% met, at least about 95% met, or even at least about 99% met.
  • Disclosed embodiments relate generally to systems and methods for distributed authentication.
  • one or more credential managers are configured to manage resource credentials of a user.
  • the resource may be provided by a resource server, however, the disclosure is not so limited and it is specifically contemplated that the distributed authentication techniques described herein may be used in connection with a local resource.
  • a client application requests resource authentication services from a credential manager.
  • the credential manger may provide the local application the resource credentials needed to access the resource.
  • the credential manager may provide the credentials to a resource sever on behalf of the local application.
  • the resource credentials may be generated from custom dictionaries associated with users.
  • a custom dictionary may be updated according to a schedule that is part of the dictionary management requirements of a user.
  • multiple copies of a dictionary may be stored at different locations in a distributed authentication system and synchronized. The synchronized dictionaries and coded instructions may be used recreate resource credentials instead of sending the credentials across potentially unsafe networks.
  • Embodiments of the disclosure provide enhanced security as well as credential management that is convenient for users. The foregoing are merely examples and one of ordinary skill in the art will recognize many features and advantages of the present disclosure.
  • FIG. 1 shows a distributed authentication system 100, according to an embodiment of the disclosure.
  • the distributed authentication system 100 may include a client application 103 at a computing device 102, a credential management server 106, a resource authentication manager 108, and a resource server 110, which are coupled to a network 112 and configured to communicate over the network 112.
  • the credential management server 106 may be an application server or web server (e.g. , standalone or virtualized) that includes encrypted levels.
  • the credential management server 106 may be implemented using a multilevel encryption architecture, such as is shown and described with reference to FIG. 10.
  • An authentication manager may use any type of authentication to control access to the credential management server 106.
  • authentication may involve authentication rules applied in conjunction with usernames, passwords, biometrics, device identifiers (e.g., a mac address of a computer, smart phone, etc.), tokens (e.g. , encrypted on a key card or Flash drive) multi-factor authentication processes, etc.
  • accessing each encrypted level may require keyfile(s) and/or encryption keys.
  • the credential management server 106 may include a credential-keeping service manager 118, and a resource authentication service manager 120.
  • the credential-keeping service manager 118 may be configured to manage resource credentials, including, for example, creating, storing, and retrieving resource credentials stored at the resource credential database 114.
  • the credential-keeping service manager 118 may be configured to update credentials stored in the credential database 114.
  • the credential-keeping service manager 118 may be configured to update resource credentials according to credential management rules that are associated with a user account and a resource. For example, for a user 'userl ' and a resource 'banking service', the frequency may be set to 'weekly', and the rules may include a password length, character requirements, exclusions (e.g.
  • the dictionary identifier may be indicative of one or more dictionaries stored at the dictionary database 116. For a given user account, different credential management rules may be associated with, and used for, different resource credentials.
  • the credential-keeping service manager 118 may be configured to interact with a resource server 110 and update user credentials stored at the resource server 110, for example, via the resource authentication manager 108 of the resource server 110.
  • the credential management server 106 may include internal service managers, such as a dictionary manager 122, one or more of which are available to external services of the credential management server 106, but not available to requestors external to the credential management server 106.
  • the dictionary manager 122 may be configured to update dictionaries stored at the dictionary database 116.
  • dictionaries stored at dictionary database 116 may be associated with user accounts. Each user account may have associated custom dictionaries created and maintained by the dictionary manager 122 that meets dictionary management requirements associated with a user account.
  • the dictionary management requirements may include an update frequency, a dictionary size (e.g. , in number of characters, total bits, etc.), dictionary composition (e.g. , symbols, letters, numbers, etc.), sources of character strings, degree of randomness, and more.
  • the dictionary manager 122 may be configured to create dictionaries formed of predefined numbers of garbage character strings having a predefined length.
  • the credential management 106 may host one or more user account databases 124, each of which is configured to store credential management instructions for each user account.
  • the resource management instructions for each user account may include a list of resources registered with the credential management server 106.
  • the list of registered resources may include for each resource: a name, a uniform resource locator, and other information that could be used to identify a particular online resource.
  • the computing device 102 may be, for example, a workstation, personal computer, laptop, tablet, mobile device, or wearable device, upon which a client application 103 and local applications 104 may be installed and run.
  • the client application 103 and local applications 104 may be compatible with the local operating system of the computing device 102, for example, MICROSOFT WINDOWS®, APPLE® OS, iOS, APPLE® WatchOS, ANDROID®, ANDROID® Wear, Tizen, GOOGLE FIT®, JAVA®,
  • a local application 104 may be an operating system of a computing device 102, for example, one of the foregoing operating systems.
  • embodiments of the client application 103 may be configured to facilitate registration with the credential management server 106, manage interaction with the credential management server 106, and manage interaction with the local applications 104.
  • the resource server 110 may be an application server configured to provide resources over the network 112 to requesting applications. Access to the resource server 110 may be controlled by a resource authentication manager 108. In some embodiments, the resource authentication manager 108 may be part of, or execute on the same machine as, the resource server 110. In other embodiments, the resource authentication manager 108 may run on a different computer-server from the resource server 110. In various embodiments, a resource services manager (not shown) may control the provision of requested resources.
  • the network 112 provides a medium through which content and messages flow between various elements of the distributed authentication system 100 such as the client application 103, local application 104, credential management server 106, the resource authentication manager 108, and the resource server 110.
  • the network 112 may be the Internet, but may be implemented as a wired or wireless local area network (LAN) and a wide area network (WAN), wireless personal area network (PAN), a mesh network, and other types of networks, public and private. When used in a LAN networking
  • computers may be coupled to the LAN through a network interface or adapter.
  • computers When used in a WAN networking environment, computers may include a modem or other communication mechanism. Modems may be internal or external, and may be coupled to the system bus via the user-input interface, or other appropriate mechanism.
  • computers In the case of wireless communication, computers may include
  • transport protocols may be used in accordance with embodiments of the disclosure, including, for example, User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Venturi Transport Protocol (VTP), Datagram Congestion Control Protocol (DCCP), Fibre Channel Protocol (FCP), Stream Control Transmission Protocol (SCTP), Reliable User Datagram Protocol (RUDP), and Resource ReSerVation Protocol (RSVP).
  • UDP User Datagram Protocol
  • TCP Transmission Control Protocol
  • VTP Venturi Transport Protocol
  • DCCP Datagram Congestion Control Protocol
  • FCP Fibre Channel Protocol
  • SCTP Stream Control Transmission Protocol
  • RUDP Reliable User Datagram Protocol
  • RSVP Resource ReSerVation Protocol
  • communications protocols may include Bluetooth, Zigbee, IrDa, Near-Field-Communication (NFC), 3 rd generation mobile
  • communication in accordance with embodiments of the disclosure may occur through a combination of wired or wireless paths.
  • FIG. 2 shows a distributed authentication process 200, according to an embodiment of the disclosure, where the resource authentication manager 120 handles the authentication of a user requesting access to the resource server 110.
  • the client application 103 receives a request for a resource.
  • the request may be generated in response to a user interacting with a graphical user interface associated with the client application 103, for example, selecting among a list of resources registered with the credential management server 106.
  • the request may be generated by a local application 104, for example, when the application 104 prompts a user for credentials.
  • the client application 103 may prompt the user for one or more credentials to authenticate at the credential management server 106.
  • the client application 103 In operation 204, the client application 103 generates a request for resource authentication services and sends the request to the credential management server 106.
  • the request may include credentials for authenticating at the credential management server 106, features for multi- factor authentication (e.g. , biometrics, device IDs, etc.), identifiers for the requested resource, and resource credentials for the requested resource (e.g. , a user ID).
  • the credential management server 106 receives the request for authentication services, and authenticates the sender of the request (i.e., the client application 103) in operation 208.
  • the client application 103 may perform authentication instead of, or in addition to, the credential management server 106.
  • the client application 103 may perform a first authentication based on a usemame and a password, and then the credential management server 106 may perform a second authentication based on the results of the authentication performed by the client application 103 and biometrics, device ID, network ID, device presence, etc.
  • the resource authentication service manager 120 processes the request for authentication services and locates and retrieves credentials, for example, based on a user account ID and requested resource.
  • the credential-keeping service manager 118 retrieves the credentials from a secure data store that is encrypted.
  • the credential keeping service manager 118 may be configured to maintain and provide encryption keys to a data store manager (not shown) when it requests resource credentials.
  • the resource authentication service manager 120 generates a resource request and sends the request to the resource server 110.
  • the resource authentication manager 108 receives the resource request, including, for example, a username, password, encryption keys, etc., and authenticates the request in operation 216. If authentication fails then in operation 218 the resource authentication manager 108 sends a failure message to the client application 103. If authentication is successful, then in operation 220 the resource authentication manager 108 provides the resource request to the resource server 110. In operation 222 the resource server 110 provides the resource to the client application 103 responsive to the resource request. In operation 224, the client application 103 receives the resource.
  • the resource may include data or an HTML document, as well as access to data and various services provided by the resource server 110.
  • the client application 103 may hand over the resource to a local application 104 by, for example, passing a token received from the resource server 110 to the local application 104.
  • the resource server 110 may provide the resource directly to the local application 104, for example, based on instructions received with the resource request.
  • FIG. 3 shows a distributed authentication system 300, according to an embodiment of the disclosure.
  • the distributed authentication system 300 is similar to the distributed authentication system 200, but is configured for a different distributed authentication process then the distributed authentication system 200 as shown by dotted line arrows.
  • FIG. 4 shows a distributed authentication process 400, according to an embodiment of the disclosure, wherein the local application 104 handles the authentication of a user requesting access to the resource server 110.
  • the client application 303 receives a request for a resource.
  • the request may be generated in response to a user interacting with a graphical user interface associated with the client application 303, for example, selecting among a list of resources registered with the credential management server 306.
  • the request may be generated by a local application 104, for example, when the application 104 prompts a user for credentials.
  • the client application 303 may prompt the user for one or more credentials to authenticate at the credential management server 306.
  • the client application 303 generates a request for authentication services and sends the request to the credential management server 306.
  • the request may include credentials for authenticating at the credential management server 306, features for multi-factor authentication (e.g. , biometrics, device IDs, etc.), identifiers for the requested resource, and credentials associated with the requested resource (e.g., a user ID).
  • the credential management server 306 receives the request for authentication services, and authenticates the sender of the request (i.e., the client application 303) in operation 408.
  • the client application 303 may perform authentication instead of, or in addition to, the credential management server 306.
  • the client application 303 may perform a first authentication based on a usemame and a password, and then the credential management server 306 may perform a second authentication based on the results of the authentication performed by the client application 303 and biometrics, device ID, network ID, device presence, etc.
  • the resource authentication server manager 320 processes the request for authentication services and locates and retrieves credentials based on a user account and a requested resource.
  • the credential-keeping service manager 318 may be configured to retrieve the credentials from a secure data store that is encrypted.
  • the credential keeping service manager 318 may be configured to maintain and provide encryption keys to the data store manager (not shown) when it requests the resource credentials.
  • the credential management server 306 provides the retrieved resource credentials to the client application 303.
  • the client application 103 receives the credentials and provides the credentials to a local application 104 in operation 416.
  • the local application 104 sends a resource request including the received credentials.
  • the resource authentication manager receives the request and authenticates the request in operation 422. If the authentication fails, then in operation 424 the local application 104 receives a failure notice. If the authentication is successful, then in operation 426 the resource authentication manager 108 provides the resource request to the resource sever 110. In operation 428, the resource server 110 provides the resource request to the local application 104.
  • the local application 104 receives the requested resources in operation 430.
  • FIG. 5 shows a distributed authentication system 500, according to an embodiment of the disclosure.
  • the resource authentication manager 508 is associated with resource credential management server 530, which maintains user dictionaries 532 that match one or more of the user dictionaries 516 stored at the credential management server 506.
  • the resource authentication services manager 520 may be configured to provide coded instructions to the resource credential management server 530, and a resource credential -keeping service manager 536 may use the coded instructions to generate resource credentials, and the network resource authentication service manager 534 may provide the resource credentials to the resource authorization manager 508. Embodiments of coded instructions are described with reference to FIG. 7.
  • the distributed authentication system 500 does not have to store resource credentials because resource credentials may be re-created based on the coded instructions and dictionaries.
  • resource credentials may be stored at a cache for some period of time to avoid system overhead associated with generating the resource credentials.
  • the dictionaries stored at the credential management server 506 and resource credential management server 530 may store organizational dictionaries. Each organizational dictionary may be associated with an organization. The resource credentials of users that belong to an organization may be created from the same organizational dictionary. Organizational dictionaries may be used with other organizational dictionary.
  • FIG. 6 shows a distributed authentication process 600, according to an embodiment of the disclosure, where the credential management server 506 does not send credentials.
  • the client application 503 receives a request for a resource.
  • the request may be generated in response to a user interacting with a graphical user interface associated with the client application 503, for example, selecting among a list of resources registered with the credential management server 506.
  • the request may be generated by a local application 104, for example, when the application 104 prompts a user for credentials.
  • the client application 503 may prompt the user for one or more credentials to authenticate at the credential management server 506.
  • the client application 503 In operation 604, the client application 503 generates a request for authentication services and sends the request to the credential management server 506.
  • the request may include one or more of credentials associated with the credential management server 506, features for multi-factor authentication (e.g. , biometrics, device IDs, etc.), identifiers for the requested resource, and credentials associated with the requested resource (e.g. , a user ID).
  • the credential management server 506 receives the request for authentication services, and authenticates the requestor (i.e., the client application 503) in operation 608.
  • the client application 503 may perform
  • the client application 503 may perform a first authentication based on a username and a password, and then the credential management server 506 may perform a second authentication based on the results of the authentication performed by the client application 503 as well as biometrics, device ID, network ID, device presence, etc.
  • the resource authentication services manager 520 processes the request for authentication services and determines coded instructions for creating the resource credentials associated with the requested resource in conjunction with a user dictionary.
  • the credential management server 506 generates a request for authentication services that includes a user ID and the coded instructions, and sends the request to the resource credential management server 530.
  • the request for authentication services may include a dictionary identifier associated with the coded instructions and/or user ID.
  • the resource credential management server 530 receives the resource request that includes the coded instructions.
  • the authentication service manager 520 generates credentials based on the coded instructions and a dictionary.
  • the dictionary may be associated with a user ID or a dictionary identifier.
  • the resource credential management server 530 generates a resource request that includes the credentials and sends the resource request to the resource server 110.
  • the resource authentication manager 508 receives the resource request, and authenticates the request in operation 622. If authentication fails, then in operation 624 the client application 503 receives a failure message from the resource authentication manager 508. If the authentication is successful, then in operation 626 the resource authentication manager 508 provides the resource request to the resource server 110. In operation 628, the resource server 110 provides the resource to the client application 503 in response to the resource request. In operation 630, the client application 503 receives the resource and hands the resource over to the local application 104. In alternative embodiments, the resource server 110 may provide the resource directly to the local application 104.
  • FIG. 7 shows a coded instruction generation scheme 700, according to an embodiment of the disclosure.
  • the coded instructions 728 of scheme 700 comprise X,Y pairs 730, however, other schemes may be used in conjunction with the embodiments of the disclosure.
  • the resource credentials 740 comprise strings of characters.
  • the usemame 744 comprises a string of characters "Abl4! 9xyz”
  • the password 742 comprises a string of characters "?Rx@2r444atu: lxcDz.”
  • each character is translated to an X,Y pair where the "X" corresponds to a string in a dictionary that includes a character and the "Y" corresponds to position in the string that includes the character.
  • the coded instruction 728 is comprised of X,Y pairs 730, including X,Y pairs 730a to 7830d.
  • X,Y pairs 730a to 730d [(1, 1),(20, 2), (9499, 8), (911 , 16)... ] means that for a particular dictionary the "?” may be found at string 1, character 1 ; the "R” may be found at string 20, character 2; the "x” may be found at string 9499, character 8; the "@” may be found at string 911, character 16, and so on.
  • a similar coded instruction scheme may be used for the usemame 744.
  • Resource credentials 740 may be re-created with the correct dictionary and the coded instruction 728.
  • To create accurate resource credentials from coded instructions 728 requires the same dictionary be used to create the resource credentials that was used to create the coded instruction. Proper synchronization of dictionaries between the credential management server 508 and resource credential management server 530 is important.
  • FIG. 8 shows a dictionary synchronization process 800, according to an
  • the dictionary synchronization process 800 may be performed by internal services of the credential management server 506 and resource credential management server 530. While the synchronization process 800 is initiated responsive to a change to the dictionary stored at the credential management server 506. A dictionary may be changed, among other reasons, responsive to a dictionary management requirement that the dictionary be changed according to a set frequency. It is specifically contemplated that a dictionary synchronization process may be initiated at the resource credential management server 530.
  • an event is received at a dictionary manager 522 that triggers a dictionary synchronization service to synchronize one of the dictionaries 532.
  • the event may be generated responsive to a change, including, for example, a new dictionary being created, an update (addition, removal, or re-organization) to an existing dictionary, or deletion of an existing dictionary.
  • the dictionary manager 522 creates a dictionary synchronization request, and in operation 806 the credential management server 806 sends the dictionary synchronization request to the resource credential management server 530.
  • the resource credential management server 530 receives the dictionary synchronization request, and in operation 810 sends a ready to receive message to the credential management server 506.
  • the credential management server 506 receives the ready to receive message.
  • Each of the credential management server 506 and resource credential management server 530 enter a secure state for secure transfer that is suitable for two otherwise internal services - the dictionary manager 522 and resource dictionary manager 538 - to communicate over the network 512.
  • the dictionary manager 522 sends a dictionary update message to the resource dictionary manager 538.
  • the dictionary update message may include, for example, a dictionary identifier and dictionary update instructions for updating the corresponding dictionary at the resource credential management server 530.
  • the dictionary update instructions may include, for example, new content, re-processing instructions (e.g. , performing an XOR operation on each character), deletion instructions (e.g. , identifiers for strings to delete), etc.
  • the new content may be an entire dictionary or instructions for generating the dictionary with certain checks to verify the dictionary's contents.
  • the resource dictionary manager 538 receives the dictionary update message, and in operation 818 the resource dictionary manager 538 updates the dictionary 532 according to the dictionary update instructions.
  • the resource dictionary manager 538 sends the dictionary manager 522 a
  • the dictionary manager 522 receives the synchronization complete message. After completing the synchronization, the credential management server 506 and resource credential management server 510 may end the secure transfer.
  • FIG. 9 shows an alternative dictionary synchronization process 900, according to an embodiment of the disclosure.
  • the difference between the process 900 and the process 800 is that the resource credential management server 530 is configured to download the dictionary update from the credential management sever 516, i.e. , the transfer process is initiated by the resource credential management server 530.
  • an event is received at a dictionary manager 522 that triggers a dictionary synchronization service to synchronize one of the dictionaries 532.
  • the dictionary manager 522 creates a dictionary synchronization request, and in operation 906 the credential management server 506 sends the dictionary synchronization request to the resource credential management server 530.
  • the dictionary synchronization request may include download instructions, including a deadline after which the dictionary update will no longer be available.
  • the dictionary manager 522 may send a token that may be provided by the resource dictionary manager 538 when it requests to download the dictionary update. In one embodiment, the token or its rights may expire at some time.
  • the resource credential management server 530 receives the dictionary synchronization request.
  • the resource credential management server 530 downloads the dictionary update.
  • the dictionary manager 522 may provide the encryption keys to the resource dictionary manager 538.
  • the dictionary manager 538 may request the encryption key(s) when it downloads the dictionary.
  • the resource credential management server 530 may provide a notification to an administrator that logs into the credential management server 530 that new dictionaries (or dictionary updates) are available and need to be encrypted. When the administrator approves or acknowledges the new dictionaries the dictionary manager 538 may request the encryption key(s) from dictionary manager 522.
  • the dictionary manager 522 may include or have access to a KeyStore that stores the public keys, private keys, security certificates, etc., used to encrypt the dictionaries that it provides to the dictionary manager 538.
  • FIG. 10 shows a multi-level encrypted (MEA) server architecture 1000, according to an embodiment of the disclosure.
  • the MEA architecture may include level by level encryption, for example, an encrypted externally available level 1002, an encrypted external services level 1004, an encrypted internal services level 1006, and an encrypted core logic level 1008.
  • the MEA architecture may also include one or more encrypted data store at each level or as a sub-level.
  • Each level of the MEA server architecture 1000 may include level-access security with define roles and permissions. For example, the MEA server architecture 1000 may require multiple levels of security requiring increasing levels of authority or even multiple authorities to change current settings.
  • the external authentication level 1002 may control access to external authentication services.
  • changes at the external authentication level 1002 may be made by a setup administrator, process administrator, server administrator, or system administrator.
  • the external services level 1004 may control access to external services. These external authentication services may comprise retrieving credentials and communicating with resource authentication managers.
  • changes at the external services level 1004 may be made by a process administrator, server administrator, or system administrator.
  • the internal services level 1006 may control access to internal services. These internal services may comprise: storing dictionaries, updating dictionaries, storing user credentials, storing resource lists, and updating resource lists.
  • changes at the internal services level 1006 may be made by a server administrator or system administrator.
  • the core logic level 1008 may control access to the core logic of the MEA server architecture. For example, changes at the core logic level 1008 may be made by a server administrator and/or a system administrator. In some embodiments changes at the core logic level 1008 may require the approval of multiple super users, which is indicative of a vested interest in the system 1000.
  • FIG. 11 shows a registration process 1100 for registering a user with a credential manager 106 via a client application 103. While the registration process 1100 is described with reference to FIG 1 and system 100, one of ordinary skill in the art will recognize the registration process 1100 is application to all embodiments of the disclosure.
  • the client application 103 may receive a request to register with the credential manager 106.
  • the client application 103 creates and sends a registration request to the credential management server 106.
  • the credential manager 106 may request registration information from the client application 103, including for example, username, password, identifying data, biometrics, device information, resource information, and more. In the case of resource information, the credential management server 106 may request initial credentials from the client application 103.
  • the initial credentials may be the credentials that a user manually provides to authenticate with the resources.
  • the resource information may also include rules for managing resource credentials, including rules about the composition of credentials and the frequency that resource credentials should be changed with the resource.
  • Registration information may also include dictionary rules for managing user dictionaries, including rules about the composition of dictionaries
  • the credential management server 106 may store the registration information.
  • an internal service of the credential management server 106 may create and assign a dictionary to a user. In one embodiment, an organizational dictionary is assigned to the user instead of creating a new dictionary.
  • the credential management server 106 may send a registration complete message to the client application 103, which the client application receives in operation 1112.
  • the local resource may be an operating system.
  • a firmware client program running as a thread within the system BIOS (basic input/output system) may be configured to request authentication services from a credential manager server.
  • the client program may be configured to request the authentication services in response to operating system authentication (e.g., WINDOWS® Authentication), and the requested service may be for delivery of operating system credentials.
  • the client program may be configured to provide authentication credentials to the credential management server.
  • the client program may provide the credentials to the operating system for authentication.
  • the client program may have rights to access and use network equipment of the computing device.
  • managing credentials automatically enables more frequent changes. If credentials are compromised the period of time during which a resource is accessible may be very short (e.g., if the frequency of change is set to every day). Even if dictionaries are compromised, a new dictionary will be in place enabling new credential building. More complex passwords, personal-identification-numbers, usernames, etc., may be used that would be impractical or impossible for a human to remember. Finally, very different credentials and authentication rules may be used for different resources.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to a credential management system and distributed authentication systems that use the same. A credential management server may maintain dictionaries usable to generate resource credentials of a user. In some cases, the dictionaries may be updated according to a set frequency and resource credentials updated based on the updated dictionaries.

Description

A CREDENTIAL MANAGEMENT SYSTEM FOR
DISTRIBUTED AUTHENTICATION, AND
RELATED SYSTEMS AND METHODS
PRIORITY CLAIM
This application claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Patent Application Serial No. 62/476,319, filed March 24, 2017, the entire contents and disclosure of which are incorporated herein by this reference.
TECHNICAL FIELD
Embodiments of this disclosure relate generally to systems and methods for securely managing user credentials associated with resources, and related systems and methods for securely managing distributed authentication to access such resources.
BACKGROUND
Conventionally, to access resources via the internet or another network, users will generally run a web browser application or a client application installed on a computing device, for example, a workstation, personal computer, laptop, tablet or smart phone. A web browser or client application may request the online resource responsive to, for example, a uniform resource locator (URL) or internet protocol (IP) address provided by a user or predefined (typically predefined in the case of a client application). The user will then type the web address or the URL (Uniform Resource Locator) of the desired online resource. A resource authentication server may process the request and require the user to input a username and password. After the usemame and password are authenticated, an online resource server may then responds to the online resource request and "serve" the online resource to the web browser or client application.
Valuable information accessed over the internet or other networks typically resides behind an authentication layer. By way of example, a conventional authentication layer protects valuable information through the use of passwords, personal-identification- numbers (PINs), and encryption keys. Countless online services, including e-mail, online banking, shopping, healthcare, and social networking sites, require users to provide at least a username and a password to access those online services. More security features may added to the authentication layer, for example, two-factor authentication, biometrics, and more. The world is overwhelmed with the number of passwords, PIN numbers, encryption keys, and authentication processes that need to be managed in order access online services. This is partly due to inconsistent rules, e.g., services may have different rules regarding password length, password composition, update frequency, and social-engineering susceptibility (e.g., password elements discoverable through social engineering such as a date-of-birth or child's name). Even with overwhelming use of passwords, PIN number, and encryption keys, valuable information on the internet is still vulnerable to attack.
Password security may be static or dynamic. Static, meaning the data required to authenticate a user does not changed. Dynamic, meaning the data required to authenticate a user changes frequently. Anything static is breakable. Generally, dynamic credentials, if changed frequently enough, are more secure than credentials that are not changed or are changed infrequently. Passwords, PINs, and encryption keys are dynamic, however users often rely on themselves or credential managers (e.g., a browser with built-in usemame and password keeping) to manage their credentials and keep them secure. As a result, passwords, PINs, and encryptions keys are not changed frequently enough, are not complex enough, and are limited by the memory of users.
DISCLOSURE
Some embodiments of the present disclosure relate to a computing device. The computing device may include a local application and a client application. The local application may be configured to enable the computing device to request, receive, and use a resource. The client application may be configured to enable the computing device to: maintain a list of available resources; receive a resource access request, the resource access request comprising a resource identifier associated with the resource; create a resource authentication service request responsive to the resource access request, the resource authentication service request comprising the resource identifier and a user identifier; communicate the resource authentication service request to an application server configured to manage resource credentials including resource credentials associated with the resource; receive the resource credentials; and provide the resource credentials to the local application to enable the computing device to provide the resource credentials to a resource authentication server.
Other embodiments of the present disclosure relate to a computer device. The computing device may include a local application and a client application. The local application may be configured to enable the computing device to request, receive, and use a resource. The client application may be configured to enable the computing device to: maintain a list of available resources; receive a resource access request, the resource access request comprising a resource identifier associated with the resource; create a resource authentication service request responsive to the resource access request, the resource authentication service request comprising the resource identifier and a user identifier; communicate the resource authentication service request to an application server configured to manage credentials including credentials associated with the resource; and enable the local application to receive the resource from a resource server without separately authenticating the user by directly establishing communication between the local application and the resource server.
Other embodiments of the present disclosure relate to a computer-server for credential management. The computer-server may include a dictionary database store having one or more credential dictionaries; a credential-keeping service manager configured to determine and manage resource credentials; an authentication service manager configured to request resource credentials from the credential-keeping service responsive to an resource authentication service request and provide resource credentials to the authentication manager of the resource application server, and a dictionary manager configured to manage the credential dictionaries responsive to dictionary management requirements, wherein the dictionary management requirements comprise instructions adapted to cause the dictionary manager to update credential dictionaries according to a pre-defined schedule.
Other embodiments of the present disclosure relate to a distributed authentication system. The distributed authentication system may include a resource application server, a multi-level encrypted application server, and a client application. The resource application server may include an authentication manager; and a resource service manager configured to provide a resource responsive to a resource request authenticated by the authentication manager. The multi-level encrypted application server may include: a dictionary database store having one or more credential dictionaries; a credential-keeping service manager configured to determine and manage resource credentials; a dictionary manager configured to manage the credential dictionaries responsive to dictionary management requirements; and an authentication service manager configured to request resource credentials from the credential-keeping service responsive to an resource authentication service request and provide resource credentials to the authentication manager of the resource application server. The client application may be configured to maintain a list of available resources; receive a resource access request initiated at a user interface of the client application, the resource access request associated with a resource of the available resources; create a resource authentication services request responsive to the resource access request; and provide the resource authentication services request to the multi-level encrypted application server.
BRIEF DESCRIPTION OF THE DRAWINGS
While this disclosure concludes with claims particularly pointing out and distinctly claiming specific embodiments, various features and advantages of embodiments within the scope of this disclosure may be more readily ascertained from the following description when read in conjunction with the accompanying drawings, in which:
FIG. 1 shows a distributed authentication system, in accordance with an embodiment of the disclosure;
FIG. 2 shows an authentication process, in accordance with an embodiment of the disclosure;
FIG. 3 shows a distributed authentication system, in accordance with an embodiment of the disclosure;
FIG. 4 shows an authentication process, in accordance with an embodiment of the disclosure;
FIG. 5 shows a distributed authentication system, in accordance with an embodiment of the disclosure;
FIG. 6 shows an authentication process, in accordance with an embodiment of the disclosure;
FIG. 7 shows a coded instruction schema, in accordance with an embodiment of the disclosure;
FIG. 8 shows a dictionary synchronization process, in accordance with an embodiment of the disclosure;
FIG. 9 shows a dictionary synchronization process, in accordance with an embodiment of the disclosure;
FIG. 10 shows multi-level server architecture, in accordance with an embodiment of the disclosure; FIG. 11 shows a registration process, in accordance with an embodiment of the disclosure.
MODE(S) FOR CARRYING OUT THE INVENTION In the following detailed description, reference is made to the accompanying drawings, which form a part hereof, and in which are shown, by way of illustration, specific examples of embodiments in which the present disclosure may be practiced. These embodiments are described in sufficient detail to enable a person of ordinary skill in the art to practice the present disclosure. However, other embodiments may be utilized, and structural, system, and process changes may be made without departing from the scope of the disclosure. The illustrations presented herein are not meant to be actual views of any particular process, system, device, or structure, but are merely idealized representations that are employed to describe the embodiments of the present disclosure. The drawings presented herein are not necessarily drawn to scale. Similar structures or components in the various drawings may retain the same or similar numbering for the convenience of the reader; however, the similarity in numbering does not mean that the structures or components are necessarily identical in size, composition, structure, configuration, logic, or any other property.
The following description may include examples to help enable one of ordinary skill in the art to practice the disclosed embodiments. The use of the terms "exemplary," "by example," and "for example," means that the related description is explanatory, and though the scope of the disclosure is intended to encompass the examples and legal equivalents, the use of such terms is not intended to limit the scope of an embodiment or this disclosure to the specified components, steps, features, functions, or the like.
Furthermore, specific implementations shown and described are only examples and should not be construed as the only way to implement the present disclosure unless specified otherwise herein. Elements, connections, circuits, and functions may be shown in block diagram form in order not to obscure the present disclosure in unnecessary detail.
Additionally, block definitions and partitioning of logic between various blocks is exemplary of a specific implementation. It will be readily apparent to one of ordinary skill in the art that the present disclosure may be practiced by numerous other partitioning solutions. For the most part, details concerning timing considerations, and the like, have been omitted. Such details are not necessary to obtain a complete understanding of the present disclosure and are within the abilities of persons of ordinary skill in the relevant art. Those of ordinary skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout this description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof. Some drawings may illustrate information and signals as a single data packet or single signal for clarity of presentation and description. It will be understood by a person of ordinary skill in the art that the data packet or signal may represent a bus of signals or series of data packets. A bus may have a variety of bit widths and the present disclosure may be implemented on any number of data signals including a single data signal.
The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a special purpose processor, a Digital Signal Processor (DSP), an
Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), a Field
Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein.
A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. A general- purpose computer including a processor is considered a special-purpose computer while the general-purpose computer is configured to execute computing instructions (e.g., software code) related to embodiments of the present disclosure. Examples of computers include personal computers, workstations, laptops, tablets, mobile phones, wearable devices, and computer-servers.
The embodiments may be described in terms of a process that is depicted as a flowchart, a flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe operational acts as a sequential process, many of these acts can be performed in another sequence, in parallel, or substantially concurrently. In addition, the order of the acts may be re-arranged. A process may correspond to a method, a thread, a function, a procedure, a subroutine, a subprogram, etc. Furthermore, the methods disclosed herein may be implemented in hardware, software, or both. If implemented in software, the functions may be stored or transmitted as one or more instructions or code on computer-readable media. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
Many of the functional units described may be illustrated, described or labeled as modules, threads, or other segregations of programming code, in order to more particularly emphasize their implementation independence. Modules may be at least partially
implemented in hardware, in one form or another. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the- shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like.
Some embodiments of the disclosure include server. A server is a computer program that provides functionality or services to other programs, commonly called clients. While a server is a computer program or process (i.e., executing program), the term may also be used to refer to a computer running one or more server programs, and so, unless otherwise indicated, the use of the term server in this description is intended to cover both situations. Examples of types of servers includes, but is not limited to, web servers, application servers, database servers, communication servers, computing servers, file servers, mail servers, game servers, proxy servers, print servers and more. Generally, any general-purpose computer may run a server program, and as such, can run programs and applications that are not server programs.
Modules may also be implemented using software or firmware, stored on a physical storage device (e.g., a computer readable storage medium), in memory, or a combination thereof for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions, which may, for instance, be organized as a thread, object, procedure, or function.
Nevertheless, the executable of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several storage or memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network. Where a module or portions of a module are implemented in software, the software portions are stored on one or more physical devices, which are referred to herein as computer readable media.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several storage or memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network. Where a module or portions of a module are implemented in software, the software portions are stored on one or more physical devices, which are referred to herein as computer readable media.
In some embodiments, the software portions are stored in a non-transitory state such that the software portions, or representations thereof, persist in the same physical location for a period of time. Additionally, in some embodiments, the software portions are stored on one or more non-transitory storage devices, which include hard ware elements capable of storing non-transitory states and/or signals representative of the software portions, even though other portions of the non-transitory storage devices may be capable of altering and/or transmitting the signals. Examples of non-transitory storage devices are flash memory and random-access- memory (RAM). Another example of a non-transitory storage device includes a read-only memory (ROM) which can store signals and/or states representative of the software portions for a period of time. However, the ability to store the signals and/or states is not diminished by further functionality of transmitting signals that are the same as or representative of the stored signals and/or states. For example, a processor may access the ROM to obtain signals that are representative of the stored signals and/or states in order to execute the corresponding software instructions. Data may be stored and managed in a data store, and may be organized as files in a file system, a directory, or organized in a more sophisticate repository like a database that includes a database management system. Data may be encrypted using encryption keys, for example, public and private encryption keys.
As used in this specification, the term "substantially" in reference to a given parameter, property, or condition means and includes to a degree that one skilled in the art would understand that the given parameter, property, or condition is met with a small degree of variance, such as within acceptable manufacturing tolerances. For example, a parameter that is substantially met may be at least about 90% met, at least about 95% met, or even at least about 99% met.
Disclosed embodiments relate generally to systems and methods for distributed authentication. In various embodiments, one or more credential managers are configured to manage resource credentials of a user. In the embodiments described in this disclosure, the resource may be provided by a resource server, however, the disclosure is not so limited and it is specifically contemplated that the distributed authentication techniques described herein may be used in connection with a local resource.
In the disclosed embodiments, generally, when a local application desires access to a resource, a client application requests resource authentication services from a credential manager. In one embodiment, the credential manger may provide the local application the resource credentials needed to access the resource. In an alternative embodiment, the credential manager may provide the credentials to a resource sever on behalf of the local application. The resource credentials may be generated from custom dictionaries associated with users. A custom dictionary may be updated according to a schedule that is part of the dictionary management requirements of a user. In some embodiments, multiple copies of a dictionary may be stored at different locations in a distributed authentication system and synchronized. The synchronized dictionaries and coded instructions may be used recreate resource credentials instead of sending the credentials across potentially unsafe networks. Embodiments of the disclosure provide enhanced security as well as credential management that is convenient for users. The foregoing are merely examples and one of ordinary skill in the art will recognize many features and advantages of the present disclosure.
FIG. 1 shows a distributed authentication system 100, according to an embodiment of the disclosure. The distributed authentication system 100 may include a client application 103 at a computing device 102, a credential management server 106, a resource authentication manager 108, and a resource server 110, which are coupled to a network 112 and configured to communicate over the network 112.
Generally, the credential management server 106 may be an application server or web server (e.g. , standalone or virtualized) that includes encrypted levels. In one embodiment, the credential management server 106 may be implemented using a multilevel encryption architecture, such as is shown and described with reference to FIG. 10.
An authentication manager (not shown) may use any type of authentication to control access to the credential management server 106. For example, authentication may involve authentication rules applied in conjunction with usernames, passwords, biometrics, device identifiers (e.g., a mac address of a computer, smart phone, etc.), tokens (e.g. , encrypted on a key card or Flash drive) multi-factor authentication processes, etc. Further, accessing each encrypted level may require keyfile(s) and/or encryption keys.
The credential management server 106 may include a credential-keeping service manager 118, and a resource authentication service manager 120. The credential-keeping service manager 118 may be configured to manage resource credentials, including, for example, creating, storing, and retrieving resource credentials stored at the resource credential database 114. The credential-keeping service manager 118 may be configured to update credentials stored in the credential database 114. In one embodiment, the credential-keeping service manager 118 may be configured to update resource credentials according to credential management rules that are associated with a user account and a resource. For example, for a user 'userl ' and a resource 'banking service', the frequency may be set to 'weekly', and the rules may include a password length, character requirements, exclusions (e.g. , password elements susceptible to social engineering), and a dictionary identifier. The dictionary identifier may be indicative of one or more dictionaries stored at the dictionary database 116. For a given user account, different credential management rules may be associated with, and used for, different resource credentials.
The credential-keeping service manager 118 may be configured to interact with a resource server 110 and update user credentials stored at the resource server 110, for example, via the resource authentication manager 108 of the resource server 110.
The credential management server 106 may include internal service managers, such as a dictionary manager 122, one or more of which are available to external services of the credential management server 106, but not available to requestors external to the credential management server 106. The dictionary manager 122 may be configured to update dictionaries stored at the dictionary database 116. In one embodiment, dictionaries stored at dictionary database 116 may be associated with user accounts. Each user account may have associated custom dictionaries created and maintained by the dictionary manager 122 that meets dictionary management requirements associated with a user account. The dictionary management requirements may include an update frequency, a dictionary size (e.g. , in number of characters, total bits, etc.), dictionary composition (e.g. , symbols, letters, numbers, etc.), sources of character strings, degree of randomness, and more. In one embodiment the dictionary manager 122 may be configured to create dictionaries formed of predefined numbers of garbage character strings having a predefined length.
The credential management 106 may host one or more user account databases 124, each of which is configured to store credential management instructions for each user account. The resource management instructions for each user account may include a list of resources registered with the credential management server 106. The list of registered resources may include for each resource: a name, a uniform resource locator, and other information that could be used to identify a particular online resource.
The computing device 102 may be, for example, a workstation, personal computer, laptop, tablet, mobile device, or wearable device, upon which a client application 103 and local applications 104 may be installed and run. The client application 103 and local applications 104 may be compatible with the local operating system of the computing device 102, for example, MICROSOFT WINDOWS®, APPLE® OS, iOS, APPLE® WatchOS, ANDROID®, ANDROID® Wear, Tizen, GOOGLE FIT®, JAVA®,
APACHE®, UNIX-based, or the like. In one embodiment, a local application 104 may be an operating system of a computing device 102, for example, one of the foregoing operating systems.
As will be more fully described below, embodiments of the client application 103 may be configured to facilitate registration with the credential management server 106, manage interaction with the credential management server 106, and manage interaction with the local applications 104.
The resource server 110 may be an application server configured to provide resources over the network 112 to requesting applications. Access to the resource server 110 may be controlled by a resource authentication manager 108. In some embodiments, the resource authentication manager 108 may be part of, or execute on the same machine as, the resource server 110. In other embodiments, the resource authentication manager 108 may run on a different computer-server from the resource server 110. In various embodiments, a resource services manager (not shown) may control the provision of requested resources.
The network 112 provides a medium through which content and messages flow between various elements of the distributed authentication system 100 such as the client application 103, local application 104, credential management server 106, the resource authentication manager 108, and the resource server 110. The network 112 may be the Internet, but may be implemented as a wired or wireless local area network (LAN) and a wide area network (WAN), wireless personal area network (PAN), a mesh network, and other types of networks, public and private. When used in a LAN networking
environment, computers may be coupled to the LAN through a network interface or adapter. When used in a WAN networking environment, computers may include a modem or other communication mechanism. Modems may be internal or external, and may be coupled to the system bus via the user-input interface, or other appropriate mechanism. In the case of wireless communication, computers may include
Any number of transport protocols may be used in accordance with embodiments of the disclosure, including, for example, User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Venturi Transport Protocol (VTP), Datagram Congestion Control Protocol (DCCP), Fibre Channel Protocol (FCP), Stream Control Transmission Protocol (SCTP), Reliable User Datagram Protocol (RUDP), and Resource ReSerVation Protocol (RSVP). For wireless communications, communications protocols may include Bluetooth, Zigbee, IrDa, Near-Field-Communication (NFC), 3rd generation mobile
telecommunications technology (3G), 4th generation mobile telecommunications technology (4G), 5th generation mobile telecommunications technology (5G), internet-of- things technology (IoT), or other suitable protocols. Furthermore, communication in accordance with embodiments of the disclosure may occur through a combination of wired or wireless paths.
FIG. 2 shows a distributed authentication process 200, according to an embodiment of the disclosure, where the resource authentication manager 120 handles the authentication of a user requesting access to the resource server 110. In operation 202, the client application 103 receives a request for a resource. In one embodiment, the request may be generated in response to a user interacting with a graphical user interface associated with the client application 103, for example, selecting among a list of resources registered with the credential management server 106. In another embodiment, the request may be generated by a local application 104, for example, when the application 104 prompts a user for credentials. In one embodiment, the client application 103 may prompt the user for one or more credentials to authenticate at the credential management server 106. In operation 204, the client application 103 generates a request for resource authentication services and sends the request to the credential management server 106. The request may include credentials for authenticating at the credential management server 106, features for multi- factor authentication (e.g. , biometrics, device IDs, etc.), identifiers for the requested resource, and resource credentials for the requested resource (e.g. , a user ID).
In operation 206, the credential management server 106 receives the request for authentication services, and authenticates the sender of the request (i.e., the client application 103) in operation 208. In other embodiments, the client application 103 may perform authentication instead of, or in addition to, the credential management server 106. For example, the client application 103 may perform a first authentication based on a usemame and a password, and then the credential management server 106 may perform a second authentication based on the results of the authentication performed by the client application 103 and biometrics, device ID, network ID, device presence, etc.
In operation 210, the resource authentication service manager 120 processes the request for authentication services and locates and retrieves credentials, for example, based on a user account ID and requested resource. In one embodiment, the credential-keeping service manager 118 retrieves the credentials from a secure data store that is encrypted. The credential keeping service manager 118 may be configured to maintain and provide encryption keys to a data store manager (not shown) when it requests resource credentials. In operation 212, the resource authentication service manager 120 generates a resource request and sends the request to the resource server 110.
In operation 214, the resource authentication manager 108 receives the resource request, including, for example, a username, password, encryption keys, etc., and authenticates the request in operation 216. If authentication fails then in operation 218 the resource authentication manager 108 sends a failure message to the client application 103. If authentication is successful, then in operation 220 the resource authentication manager 108 provides the resource request to the resource server 110. In operation 222 the resource server 110 provides the resource to the client application 103 responsive to the resource request. In operation 224, the client application 103 receives the resource. In various embodiments, the resource may include data or an HTML document, as well as access to data and various services provided by the resource server 110. In one embodiment, the client application 103 may hand over the resource to a local application 104 by, for example, passing a token received from the resource server 110 to the local application 104. In another embodiment, the resource server 110 may provide the resource directly to the local application 104, for example, based on instructions received with the resource request.
FIG. 3 shows a distributed authentication system 300, according to an embodiment of the disclosure. The distributed authentication system 300 is similar to the distributed authentication system 200, but is configured for a different distributed authentication process then the distributed authentication system 200 as shown by dotted line arrows.
FIG. 4 shows a distributed authentication process 400, according to an embodiment of the disclosure, wherein the local application 104 handles the authentication of a user requesting access to the resource server 110.
In operation 402, the client application 303 receives a request for a resource. In one embodiment, the request may be generated in response to a user interacting with a graphical user interface associated with the client application 303, for example, selecting among a list of resources registered with the credential management server 306. In another embodiment, the request may be generated by a local application 104, for example, when the application 104 prompts a user for credentials. In one embodiment, the client application 303 may prompt the user for one or more credentials to authenticate at the credential management server 306. In operation 404, the client application 303 generates a request for authentication services and sends the request to the credential management server 306. The request may include credentials for authenticating at the credential management server 306, features for multi-factor authentication (e.g. , biometrics, device IDs, etc.), identifiers for the requested resource, and credentials associated with the requested resource (e.g., a user ID).
In operation 406, the credential management server 306 receives the request for authentication services, and authenticates the sender of the request (i.e., the client application 303) in operation 408. In other embodiments, the client application 303 may perform authentication instead of, or in addition to, the credential management server 306. For example, the client application 303 may perform a first authentication based on a usemame and a password, and then the credential management server 306 may perform a second authentication based on the results of the authentication performed by the client application 303 and biometrics, device ID, network ID, device presence, etc.
In operation 410, the resource authentication server manager 320 processes the request for authentication services and locates and retrieves credentials based on a user account and a requested resource. In one embodiment, the credential-keeping service manager 318 may be configured to retrieve the credentials from a secure data store that is encrypted. The credential keeping service manager 318 may be configured to maintain and provide encryption keys to the data store manager (not shown) when it requests the resource credentials. In operation 412, the credential management server 306 provides the retrieved resource credentials to the client application 303.
In operation 414, the client application 103 receives the credentials and provides the credentials to a local application 104 in operation 416. In operation 418, the local application 104 sends a resource request including the received credentials. In operation 420, the resource authentication manager receives the request and authenticates the request in operation 422. If the authentication fails, then in operation 424 the local application 104 receives a failure notice. If the authentication is successful, then in operation 426 the resource authentication manager 108 provides the resource request to the resource sever 110. In operation 428, the resource server 110 provides the resource request to the local application 104. The local application 104 receives the requested resources in operation 430.
FIG. 5 shows a distributed authentication system 500, according to an embodiment of the disclosure. In this embodiment, the resource authentication manager 508 is associated with resource credential management server 530, which maintains user dictionaries 532 that match one or more of the user dictionaries 516 stored at the credential management server 506. In one embodiment, the resource authentication services manager 520 may be configured to provide coded instructions to the resource credential management server 530, and a resource credential -keeping service manager 536 may use the coded instructions to generate resource credentials, and the network resource authentication service manager 534 may provide the resource credentials to the resource authorization manager 508. Embodiments of coded instructions are described with reference to FIG. 7. Notably, the distributed authentication system 500 does not have to store resource credentials because resource credentials may be re-created based on the coded instructions and dictionaries. Although, in one embodiment, resource credentials may be stored at a cache for some period of time to avoid system overhead associated with generating the resource credentials.
In one embodiment, the dictionaries stored at the credential management server 506 and resource credential management server 530 may store organizational dictionaries. Each organizational dictionary may be associated with an organization. The resource credentials of users that belong to an organization may be created from the same organizational dictionary. Organizational dictionaries may be used with other
embodiments of the disclosure, as well.
FIG. 6 shows a distributed authentication process 600, according to an embodiment of the disclosure, where the credential management server 506 does not send credentials. In operation 602, the client application 503 receives a request for a resource. In one embodiment, the request may be generated in response to a user interacting with a graphical user interface associated with the client application 503, for example, selecting among a list of resources registered with the credential management server 506. In another embodiment, the request may be generated by a local application 104, for example, when the application 104 prompts a user for credentials. In one embodiment, the client application 503 may prompt the user for one or more credentials to authenticate at the credential management server 506. In operation 604, the client application 503 generates a request for authentication services and sends the request to the credential management server 506. The request may include one or more of credentials associated with the credential management server 506, features for multi-factor authentication (e.g. , biometrics, device IDs, etc.), identifiers for the requested resource, and credentials associated with the requested resource (e.g. , a user ID).
In operation 606, the credential management server 506 receives the request for authentication services, and authenticates the requestor (i.e., the client application 503) in operation 608. In other embodiments, the client application 503 may perform
authentication instead of, or in addition to, the credential management server 506. For example, the client application 503 may perform a first authentication based on a username and a password, and then the credential management server 506 may perform a second authentication based on the results of the authentication performed by the client application 503 as well as biometrics, device ID, network ID, device presence, etc.
In operation 610, the resource authentication services manager 520 processes the request for authentication services and determines coded instructions for creating the resource credentials associated with the requested resource in conjunction with a user dictionary.
In operation 612, the credential management server 506 generates a request for authentication services that includes a user ID and the coded instructions, and sends the request to the resource credential management server 530. In one embodiment, the request for authentication services may include a dictionary identifier associated with the coded instructions and/or user ID.
In operation 614, the resource credential management server 530 receives the resource request that includes the coded instructions. In operation 616, the authentication service manager 520 generates credentials based on the coded instructions and a dictionary. In various embodiments, the dictionary may be associated with a user ID or a dictionary identifier. In operation 618, the resource credential management server 530 generates a resource request that includes the credentials and sends the resource request to the resource server 110.
In operation 620, the resource authentication manager 508 receives the resource request, and authenticates the request in operation 622. If authentication fails, then in operation 624 the client application 503 receives a failure message from the resource authentication manager 508. If the authentication is successful, then in operation 626 the resource authentication manager 508 provides the resource request to the resource server 110. In operation 628, the resource server 110 provides the resource to the client application 503 in response to the resource request. In operation 630, the client application 503 receives the resource and hands the resource over to the local application 104. In alternative embodiments, the resource server 110 may provide the resource directly to the local application 104.
FIG. 7 shows a coded instruction generation scheme 700, according to an embodiment of the disclosure. The coded instructions 728 of scheme 700 comprise X,Y pairs 730, however, other schemes may be used in conjunction with the embodiments of the disclosure. The resource credentials 740 comprise strings of characters. For example, the usemame 744 comprises a string of characters "Abl4! 9xyz," and the password 742 comprises a string of characters "?Rx@2r444atu: lxcDz." For the coded instruction 728, each character is translated to an X,Y pair where the "X" corresponds to a string in a dictionary that includes a character and the "Y" corresponds to position in the string that includes the character. Using part of the password 742 as an example, the coded instruction 728 is comprised of X,Y pairs 730, including X,Y pairs 730a to 7830d. For the X,Y pairs 730a to 730d, [(1, 1),(20, 2), (9499, 8), (911 , 16)... ] means that for a particular dictionary the "?" may be found at string 1, character 1 ; the "R" may be found at string 20, character 2; the "x" may be found at string 9499, character 8; the "@" may be found at string 911, character 16, and so on. A similar coded instruction scheme may be used for the usemame 744.
Resource credentials 740 may be re-created with the correct dictionary and the coded instruction 728. To create accurate resource credentials from coded instructions 728 requires the same dictionary be used to create the resource credentials that was used to create the coded instruction. Proper synchronization of dictionaries between the credential management server 508 and resource credential management server 530 is important.
FIG. 8 shows a dictionary synchronization process 800, according to an
embodiment of the disclosure. In one embodiment, the dictionary synchronization process 800 may be performed by internal services of the credential management server 506 and resource credential management server 530. While the synchronization process 800 is initiated responsive to a change to the dictionary stored at the credential management server 506. A dictionary may be changed, among other reasons, responsive to a dictionary management requirement that the dictionary be changed according to a set frequency. It is specifically contemplated that a dictionary synchronization process may be initiated at the resource credential management server 530.
In operation 802, an event is received at a dictionary manager 522 that triggers a dictionary synchronization service to synchronize one of the dictionaries 532. In various embodiments, the event may be generated responsive to a change, including, for example, a new dictionary being created, an update (addition, removal, or re-organization) to an existing dictionary, or deletion of an existing dictionary. In operation 804, the dictionary manager 522 creates a dictionary synchronization request, and in operation 806 the credential management server 806 sends the dictionary synchronization request to the resource credential management server 530. In operation 808, the resource credential management server 530 receives the dictionary synchronization request, and in operation 810 sends a ready to receive message to the credential management server 506. In operation 812, the credential management server 506 receives the ready to receive message. Each of the credential management server 506 and resource credential management server 530 enter a secure state for secure transfer that is suitable for two otherwise internal services - the dictionary manager 522 and resource dictionary manager 538 - to communicate over the network 512. In operation 814, the dictionary manager 522 sends a dictionary update message to the resource dictionary manager 538. The dictionary update message may include, for example, a dictionary identifier and dictionary update instructions for updating the corresponding dictionary at the resource credential management server 530. The dictionary update instructions may include, for example, new content, re-processing instructions (e.g. , performing an XOR operation on each character), deletion instructions (e.g. , identifiers for strings to delete), etc. In the case of a new dictionary, the new content may be an entire dictionary or instructions for generating the dictionary with certain checks to verify the dictionary's contents.
In operation 816, the resource dictionary manager 538 receives the dictionary update message, and in operation 818 the resource dictionary manager 538 updates the dictionary 532 according to the dictionary update instructions. Optionally, in operation 820, the resource dictionary manager 538 sends the dictionary manager 522 a
synchronization complete message, for example, after verifying the contents of the updated dictionary 532. In operation 822, the dictionary manager 522 receives the synchronization complete message. After completing the synchronization, the credential management server 506 and resource credential management server 510 may end the secure transfer.
FIG. 9 shows an alternative dictionary synchronization process 900, according to an embodiment of the disclosure. The difference between the process 900 and the process 800 is that the resource credential management server 530 is configured to download the dictionary update from the credential management sever 516, i.e. , the transfer process is initiated by the resource credential management server 530.
In operation 902, an event is received at a dictionary manager 522 that triggers a dictionary synchronization service to synchronize one of the dictionaries 532. In operation 904, the dictionary manager 522 creates a dictionary synchronization request, and in operation 906 the credential management server 506 sends the dictionary synchronization request to the resource credential management server 530. In one embodiment, the dictionary synchronization request may include download instructions, including a deadline after which the dictionary update will no longer be available. In one embodiment, the dictionary manager 522 may send a token that may be provided by the resource dictionary manager 538 when it requests to download the dictionary update. In one embodiment, the token or its rights may expire at some time. In operation 908, the resource credential management server 530 receives the dictionary synchronization request. In operation 910, the resource credential management server 530 downloads the dictionary update.
If the dictionary (or the update and/or update instructions) is encrypted, then in one embodiment, the dictionary manager 522 may provide the encryption keys to the resource dictionary manager 538. In one embodiment, the dictionary manager 538 may request the encryption key(s) when it downloads the dictionary. In another embodiment, the resource credential management server 530 may provide a notification to an administrator that logs into the credential management server 530 that new dictionaries (or dictionary updates) are available and need to be encrypted. When the administrator approves or acknowledges the new dictionaries the dictionary manager 538 may request the encryption key(s) from dictionary manager 522. In one embodiment, the dictionary manager 522 may include or have access to a KeyStore that stores the public keys, private keys, security certificates, etc., used to encrypt the dictionaries that it provides to the dictionary manager 538.
FIG. 10 shows a multi-level encrypted (MEA) server architecture 1000, according to an embodiment of the disclosure. Various embodiments of the credential management servers and resource credential management servers described herein may be implemented using the MEA architecture 1000. The MEA architecture may include level by level encryption, for example, an encrypted externally available level 1002, an encrypted external services level 1004, an encrypted internal services level 1006, and an encrypted core logic level 1008. The MEA architecture may also include one or more encrypted data store at each level or as a sub-level. Each level of the MEA server architecture 1000 may include level-access security with define roles and permissions. For example, the MEA server architecture 1000 may require multiple levels of security requiring increasing levels of authority or even multiple authorities to change current settings.
In one embodiment, the external authentication level 1002 may control access to external authentication services. For example, changes at the external authentication level 1002 may be made by a setup administrator, process administrator, server administrator, or system administrator. The external services level 1004 may control access to external services. These external authentication services may comprise retrieving credentials and communicating with resource authentication managers. For example, changes at the external services level 1004 may be made by a process administrator, server administrator, or system administrator. The internal services level 1006 may control access to internal services. These internal services may comprise: storing dictionaries, updating dictionaries, storing user credentials, storing resource lists, and updating resource lists. For example, changes at the internal services level 1006 may be made by a server administrator or system administrator. The core logic level 1008 may control access to the core logic of the MEA server architecture. For example, changes at the core logic level 1008 may be made by a server administrator and/or a system administrator. In some embodiments changes at the core logic level 1008 may require the approval of multiple super users, which is indicative of a vested interest in the system 1000.
FIG. 11 shows a registration process 1100 for registering a user with a credential manager 106 via a client application 103. While the registration process 1100 is described with reference to FIG 1 and system 100, one of ordinary skill in the art will recognize the registration process 1100 is application to all embodiments of the disclosure. In operation 1102, the client application 103 may receive a request to register with the credential manager 106. In operation 1104, the client application 103 creates and sends a registration request to the credential management server 106. The credential manager 106 may request registration information from the client application 103, including for example, username, password, identifying data, biometrics, device information, resource information, and more. In the case of resource information, the credential management server 106 may request initial credentials from the client application 103. The initial credentials may be the credentials that a user manually provides to authenticate with the resources. The resource information may also include rules for managing resource credentials, including rules about the composition of credentials and the frequency that resource credentials should be changed with the resource. Registration information may also include dictionary rules for managing user dictionaries, including rules about the composition of dictionaries
(including any sources of characters), and the frequency at which the dictionaries should be changed. In operation 1106, the credential management server 106 may store the registration information. In operation 1108, an internal service of the credential management server 106 may create and assign a dictionary to a user. In one embodiment, an organizational dictionary is assigned to the user instead of creating a new dictionary. In operation 1110, the credential management server 106 may send a registration complete message to the client application 103, which the client application receives in operation 1112.
It is specifically contemplated that a distributed authentication techniques and systems may be used in connection with a local resource. In one embodiment, the local resource may be an operating system. For example, when a computing device boots up, a firmware client program running as a thread within the system BIOS (basic input/output system) may be configured to request authentication services from a credential manager server. The client program may be configured to request the authentication services in response to operating system authentication (e.g., WINDOWS® Authentication), and the requested service may be for delivery of operating system credentials. The client program may be configured to provide authentication credentials to the credential management server. Upon receiving the credentials for authenticating with the operating system, the client program may provide the credentials to the operating system for authentication. In some embodiments, the client program may have rights to access and use network equipment of the computing device.
One of ordinary skill in the art will recognize that there are many advantages and benefits to the embodiments described in this disclosure. For example, managing credentials automatically enables more frequent changes. If credentials are compromised the period of time during which a resource is accessible may be very short (e.g., if the frequency of change is set to every day). Even if dictionaries are compromised, a new dictionary will be in place enabling new credential building. More complex passwords, personal-identification-numbers, usernames, etc., may be used that would be impractical or impossible for a human to remember. Finally, very different credentials and authentication rules may be used for different resources.
While certain illustrative embodiments have been described in connection with the figures, those of ordinary skill in the art will recognize and appreciate that the scope of this disclosure is not limited to those embodiments explicitly shown and described in this disclosure. Rather, many additions, deletions, and modifications to the embodiments described in this disclosure may be made to produce embodiments within the scope of this disclosure, such as those specifically claimed, including all legal equivalents thereof. In addition, features from one disclosed embodiment may be combined with features of another disclosed embodiment while still being within the scope of this disclosure, as contemplated by the inventor.

Claims

CLAIMS What is claimed is:
1. A computing device, the computing device comprising:
a local application configured to enable the computing device to request, receive, and use a resource; and
an authentication client application configured to enable the computing device to:
maintain a list of available resources;
authenticate a user of the computing device;
receive a resource access request, the resource access request comprising a resource identifier associated with the resource;
create a resource authentication service request responsive to the resource access request, the resource authentication service request comprising the resource identifier and a user identifier;
communicate the resource authentication service request to an application server configured to manage resource credentials including resource credentials associated with the resource;
receive the resource credentials; and
provide the resource credentials to the local application to enable the computing device to provide the resource credentials to a resource authentication server.
2. The computing device of claim 1, wherein the local application i browser or a user application.
3. The computing device of claim 1, wherein providing the resource credentials to the local application comprises inserting the resource credentials into authentication prompt provided by the local application.
4. A computing device, the computing device comprising:
a local application configured to enable the computing device to request, receive, and use a resource; and
an authentication client application configured to enable the computing device to:
maintain a list of available resources;
receive a resource access request, the resource access request comprising a resource identifier associated with the resource;
create a resource authentication service request responsive to the resource access request, the resource authentication service request comprising the resource identifier and a user identifier;
communicate the resource authentication service request to an application server configured to manage credentials including credentials associated with the resource; and
enable the local application to receive the resource from a resource server without separately authenticating the user by directly establishing communication between the local application and the resource server.
5. The computing device of claim 4, wherein directly establishing
communication between the local application and the resource server comprises handing over the requested resource to the local application.
6. The computing device of claim 5, wherein handing over the requested resource to the local application comprises providing a resource token to the local application, wherein the resource token is configured to authenticate resource requests.
7. A computer-server for credential management, comprising:
a dictionary database store having one or more credential dictionaries;
a credential-keeping service manager configured to determine and manage resource
credentials;
an authentication service manager configured to request resource credentials from the credential-keeping service responsive to an resource authentication service request and provide resource credentials to the authentication manager of the resource application server, and
a dictionary manager configured to manage the credential dictionaries responsive to
dictionary management requirements, wherein the dictionary management requirements comprise instructions adapted to cause the dictionary manager to update credential dictionaries according to a pre-defined schedule.
8. The computer-server of claim 7, wherein updating the credential dictionaries comprises changing credential dictionaries according to the dictionary management credentials.
9. The computer-server of claim 7, wherein the credential-keeping service manager is configured to determine new resource credentials responsive to an updated credential dictionary.
10. The computer-server of claim 9, wherein the authentication service manager is configured to send a request to update user credentials to a resource server, the request to update user credentials comprising the new resource credentials.
11. The computer-server of claim 7, wherein the dictionary manager is configured to send a dictionary synchronization request to a resource credential manager responsive to updating credential dictionaries.
12. The computer-server of claim 11, wherein the dictionary manager is configured to provide dictionary updates to a resource dictionary manager responsive to receiving a ready to receive message.
13. The computer-server of claim 7, wherein the dictionary manager is configured to send a dictionary synchronization request to a resource credential manager responsive to updating credential dictionaries, wherein the dictionary synchronization request comprises a token configured to authorize a user of the token to download dictionary updates from the dictionary manager.
14. The computer-server of claim 13, wherein the dictionary manager is configured to provide dictionary updates to a resource dictionary manager responsive to authenticating the token.
15. The computer-server of claim 7, wherein the dictionary manager is a resource dictionary manager and, responsive to a dictionary synchronization request, is configured to send a ready to receive message and receive dictionary updates.
16. The computer-server of claim 7, wherein the dictionary manager is a resource dictionary manager and, responsive to a dictionary synchronization request that includes a token, is configured to send a request to download dictionary updates that includes the token, and download dictionary updates.
17. A distributed authentication system, comprising:
a resource application server comprising:
an authentication manager; and
a resource service manager configured to provide a resource responsive to a
resource request authenticated by the authentication manager, a multi-level encrypted application server, the multi-level encrypted application server comprising:
a dictionary database store having one or more credential dictionaries;
a credential-keeping service manager configured to determine and manage resource credentials;
a dictionary manager configured to manage the credential dictionaries responsive to dictionary management requirements; and an authentication service manager configured to request resource credentials from the credential-keeping service responsive to a resource authentication service request and provide resource credentials to the authentication manager of the resource application server, and
a client application configured to:
maintain a list of available resources;
receive a resource access request initiated at a user interface of the client
application, the resource access request associated with a resource of the available resources;
create a resource authentication services request responsive to the resource access request; and
provide the resource authentication services request to the multi-level encrypted application server.
PCT/US2018/024166 2017-03-24 2018-03-23 A credential management system for distributed authentication, and related systems and methods WO2018175980A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762476319P 2017-03-24 2017-03-24
US62/476,319 2017-03-24

Publications (1)

Publication Number Publication Date
WO2018175980A1 true WO2018175980A1 (en) 2018-09-27

Family

ID=63585815

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/024166 WO2018175980A1 (en) 2017-03-24 2018-03-23 A credential management system for distributed authentication, and related systems and methods

Country Status (1)

Country Link
WO (1) WO2018175980A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020116647A1 (en) * 2001-02-20 2002-08-22 Hewlett Packard Company Digital credential monitoring
US20020169876A1 (en) * 2001-03-06 2002-11-14 Curie Jeffrey C. Method and system for third party resource provisioning management
US20050257072A1 (en) * 2004-04-09 2005-11-17 Microsoft Corporation Credential roaming
US20050254514A1 (en) * 2004-05-12 2005-11-17 James Lynn Access control of resources using tokens
US20060053080A1 (en) * 2003-02-03 2006-03-09 Brad Edmonson Centralized management of digital rights licensing
US20070143835A1 (en) * 2005-12-19 2007-06-21 Microsoft Corporation Security tokens including displayable claims

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020116647A1 (en) * 2001-02-20 2002-08-22 Hewlett Packard Company Digital credential monitoring
US20020169876A1 (en) * 2001-03-06 2002-11-14 Curie Jeffrey C. Method and system for third party resource provisioning management
US20060053080A1 (en) * 2003-02-03 2006-03-09 Brad Edmonson Centralized management of digital rights licensing
US20050257072A1 (en) * 2004-04-09 2005-11-17 Microsoft Corporation Credential roaming
US20050254514A1 (en) * 2004-05-12 2005-11-17 James Lynn Access control of resources using tokens
US20070143835A1 (en) * 2005-12-19 2007-06-21 Microsoft Corporation Security tokens including displayable claims

Similar Documents

Publication Publication Date Title
US11265307B2 (en) Credential-free user login to remotely executed applications
US11303449B2 (en) User device validation at an application server
US10038695B2 (en) Remotely deauthenticating a user from a web-based application using a centralized login server
KR102117584B1 (en) Local device authentication
US10461939B2 (en) Secure device registration for multi-factor authentication
US11153284B2 (en) Systems and methods for transparent SaaS data encryption and tokenization
US9531714B2 (en) Enterprise authentication via third party authentication support
US11601414B2 (en) Contact consolidation across multiple services
US20200104478A1 (en) Systems and methods for offline usage of saas applications
US9584515B2 (en) Enterprise system authentication and authorization via gateway
CN107743702B (en) Single sign-on for hosting mobile devices
US11477188B2 (en) Injection of tokens or client certificates for managed application communication
US10320771B2 (en) Single sign-on framework for browser-based applications and native applications
US8898450B2 (en) Hardware identity in multi-factor authentication at the application layer
US20170223012A1 (en) System and method for transferring device identifying information
US20080276098A1 (en) One-time password access to password-protected accounts
US20180152440A1 (en) Single sign-on framework for browser-based applications and native applications
EP3132562A1 (en) Device registration, authentication, and authorization system and method
JP2015537269A (en) LDAP-based multi-tenant in-cloud identity management system
US8132017B1 (en) Method and apparatus for securely synchronizing password systems
US9967248B1 (en) System for authenticating and processing service requests
WO2018175980A1 (en) A credential management system for distributed authentication, and related systems and methods
US12132723B2 (en) Security profile management for multi-cloud agent registration with multi-tenant, multi-cell service
US20230171241A1 (en) Security profile management for multi-cloud agent registration with multi-tenant, multi-cell service
Suchon Android in the enterprise

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18772048

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 20.12.2019)

122 Ep: pct application non-entry in european phase

Ref document number: 18772048

Country of ref document: EP

Kind code of ref document: A1