Cryptographic authorization with prioritized authentication

Electrical computers and digital processing systems: support – System access control based on user identification by... – Pin/password generator device

Reexamination Certificate


Details

C713S166000, C713S168000, C713S182000, C713S183000, C713S184000, C713S185000, C707S793000, C709S225000, C709S227000, C709S229000

Reexamination Certificate

active

06711681

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to use of one or more authentication mechanisms in secure communications.
BACKGROUND OF THE INVENTION
During the last decade of the Twentieth Century, the Internet has become a vital communication medium for a variety of application domains, including simple e-mail, home banking, electronic trading of stocks, net-based telephonic communications and many other electronic commerce applications. Authentication of a user is becoming a key requirement in allowing or authorizing a legitimate user to execute the user's privileges in a particular network or sub-network.
Presently, many user authentication mechanisms are available, including simple user name/password, one-time password (e.g., S/Key), RSA-based digital signature authentication, Kerberos, challenge-and-response, and Secure Socket Layer (SSL) v3.0 with user/client authentication. Bruce Schneier, in Applied Cryptography, John Wiley & Sons, Inc., New York, Second Edition, 1996, pp. 34-74 and 566-572, discusses and characterizes several user and/or key authentication tests that are often based on, or associated with, an underlying encryption procedure.
One interesting authentication scheme is the Sun Pluggable Authentication Mechanism (PAM), discussed in more detail in the following, which facilitates integration of several authentication packages or tests without requiring change of the underlying application (e.g., login). Although a system such as PAM provides a framework for integration, such a system often deals with the plurality of authentication mechanisms as if all have the same cryptographic or authentication strength or priority. For example, one enterprise might require both Kerberos (relatively strong) and user password (relatively weak) to be used for user authentication. Use of several authentication modules can be accommodated within PAM, through the use of stacking. If the user fails to pass one of the authentication tests, among many that are applied in stacking, authentication is denied, without indicating which of the many tests the user has failed to pass. PAM treats all authentication tests in an integrated package as equally strong and equally suitable.
What is needed is a system that integrates one or more authentication tests but allows assignment of a priority or strength to each of such tests and allows authentication to be treated as a necessary, but not a sufficient, condition for user authorization. Preferably, where authentication tests are integrated, these tests should be executed based on an indicium that is a measure of priority and/or strength for each authentication test. Preferably, the system should allow identification of, and take account of, which authentication test or tests the user has failed to pass and should grant or withhold access to selected subsets of a resource, depending upon which tests are passed. Preferably, the system should be flexible enough to allow assignment of different priorities and/or strengths to tests within an integrated authentication package, based on the application and the current circumstances.
SUMMARY OF THE INVENTION
These needs are met by the invention, which provides a system that integrates one or more authentication tests and allows assignment of arbitrary (and changeable) relative priority and/or relative strength to each of these tests. In one embodiment, the system allows an integrated electronic authentication system to accept physical objects, such as driver's licenses, birth certificates, passports, social security cards and the like, for partial or full authentication of a user, although each of these documents is used for a different primary purpose, and the purposes seldom overlap.
In a first embodiment, the system applies one or more authentication tests with increasing or differing numerical priority or strength and grants access to a resource or selected subset thereof (which may be the empty set), depending upon which test or tests are satisfied. In another embodiment, the system withdraws access to a selected subset (which may be the empty set) of a resource for each authentication test the user fails to satisfy.
The invention has the following advantages: (1) the invention strengthens an association or linkage between authentication and the authorization process; (2) the invention allows identification of which authentication test(s) are being used; (3) the invention extends an integration procedure, such as PAM, without distorting the procedure; (4) the invention enhances total security of the authorization process; (5) the invention preserves and deals with authentication mechanisms based on their relative merits and can allocate relative priority based on relative cryptographic strength; and (6) the invention allows an entity to classify those with whom it deals (customers, suppliers, etc.) for authorization purposes.
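The two embodiments described above, as an added example that is not the patent's own code: each test carries a numeric strength, grants a subset of a resource when passed and withdraws a subset when failed, and the caller learns exactly which tests failed rather than receiving a PAM-style all-or-nothing verdict. The test names, the salted password hash, the "VALID-TGT" ticket placeholder and the resource labels are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed illustration of prioritized authentication: a test's strength
# decides its run order, its grants/withdraws decide the authorized subset.
@dataclass(frozen=True)
class AuthTest:
    name: str
    strength: int                            # higher = stronger / higher priority
    check: Callable[[dict], bool]            # True when the user passes this test
    grants: FrozenSet[str]                   # resource subset granted on pass
    withdraws: FrozenSet[str] = frozenset()  # resource subset withdrawn on failure

def run_prioritized_auth(tests: List[AuthTest], creds: dict
                         ) -> Tuple[List[str], List[str], FrozenSet[str]]:
    """Run tests strongest first; return (passed names, failed names, authorized subset)."""
    passed, failed, authorized = [], [], set()
    for t in sorted(tests, key=lambda t: t.strength, reverse=True):
        if t.check(creds):
            passed.append(t.name)
            authorized |= t.grants
        else:
            failed.append(t.name)
    # Second embodiment: withdrawals for failed tests are applied after all grants,
    # so a weaker passing test cannot re-grant what a stronger failed test withdrew.
    for t in tests:
        if t.name in failed:
            authorized -= t.withdraws
    return passed, failed, frozenset(authorized)

# Constructed credential store: salted SHA-256 of the demo password "s3cret".
_SALT = b"demo-salt"
_PW_HASH = hashlib.sha256(_SALT + b"s3cret").hexdigest()

def _password_ok(creds: dict) -> bool:
    digest = hashlib.sha256(_SALT + creds.get("password", "").encode()).hexdigest()
    return hmac.compare_digest(digest, _PW_HASH)   # constant-time comparison

def _kerberos_ok(creds: dict) -> bool:
    # Stand-in for real Kerberos ticket validation (assumption for the demo).
    return creds.get("kerberos_ticket") == "VALID-TGT"

# Password (weak) grants public+internal; Kerberos (strong) grants admin and,
# if it fails, withdraws internal: authentication is necessary, not sufficient.
DEMO_TESTS = [
    AuthTest("password", 1, _password_ok, frozenset({"public", "internal"})),
    AuthTest("kerberos", 3, _kerberos_ok, frozenset({"admin"}), frozenset({"internal"})),
]

def authorize(creds: dict) -> Tuple[List[str], List[str], FrozenSet[str]]:
    return run_prioritized_auth(DEMO_TESTS, creds)
```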


REFERENCES:
patent: 5710817 (1998-01-01), Sjooquist
patent: 5774551 (1998-06-01), Wu et al.
patent: 5848412 (1998-12-01), Rowland et al.
patent: 6023762 (2000-02-01), Dean et al.
patent: 6035406 (2000-03-01), Moussa et al.
patent: 6105132 (2000-08-01), Fritch et al.
patent: 6304973 (2001-10-01), Williams
Making Login Services Independent of Authentication Technologies, Vipin Samar, Charlie Lai, SunSoft Inc.; Conference on Computer and Communications Security, Mar. 1996.*
Application of a Multilevel Access Model in the Development of a Security Infrastructure for a Clinical Information System, 1994 AMIA, Inc.*
Davis, R.: "Network Authentication Tokens", Fifth Annual Computer Security Applications Conference 1989, Tucson, AZ, Dec. 4-8, 1998, Los Alamitos, CA, USA, IEEE Comput. Soc., pp. 234-238, XP010017880, ISBN 0-8186-2006-4; cited at p. 236, right-hand column, line 19, paragraph ACCESS CONTROL; p. 237, right-hand column, line 2; p. 234, left-hand column, line 44, paragraph AUTHENTICATION; p. 235, right-hand column, line 26.
Samar, V.: "Unified Login with Pluggable Authentication Modules (PAM)", Proceedings of the 3rd ACM Conference on Computer and Communications Security, New Delhi, India, Mar. 14-16, 1996, New York, NY, USA, ACM, pp. 1-10, XP000620972, ISBN 0-89791-829-0; cited at p. 42, left-hand column, line 11, paragraph Configuration Management; p. 5, right-hand column, line 31; p. 5, right-hand column, line 39-; p. 5, right-hand column, line 42; p. 6, right-hand column, line 1; p. 6, right-hand column, line 7.
