Image analysis – Applications – Personnel identification
Reexamination Certificate
1998-12-11
2003-01-21
Werner, Brian (Department: 2621)
C713S186000, C713S152000
active
06510236
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to the field of distributed computer networks and, in particular, to providing an authentication framework for use in authenticating clients having a plurality of permitted authentication device types.
2. Description of the Related Art
It is commonplace today for computer users to connect their machines to other computers, known as “servers,” throughout a network. The network may be a private network, such as a corporate intranet of networked computers that is accessible only to computer users within that corporation, or it may be a public network, such as the Internet. The Internet is a vast collection of computing resources, interconnected as a network, from sites around the world.
A user may connect his computer to a server using a “wireline” connection or a “wireless” connection. Wireline connections are those that use physical media such as cables or telephone lines, whereas wireless connections use media such as satellite links, radio frequency waves, and infrared waves. Many connection techniques can be used with these various media, including: using the computer's modem to establish a connection over a telephone line; using a local area network (LAN) card such as Token Ring or Ethernet; using a cellular modem to establish a wireless connection, and the like. The user's computer may be any type of computer processor having processing and communication capabilities. Traditionally, such devices include desktop, laptop and handheld computers.
Conventional user id and password schemes for controlling user access to network resources are well-known. Recently, it has been proposed to provide client workstations in a network with so-called “alternative” authentication devices for access control purposes. Such devices include, for example, “token cards” and “biometric” (e.g., finger, eye or voice print) scanners. Representative token card systems are available commercially from Security Dynamics (SecureID™) and Axent (Defender™). Numerous third parties provide biometric scanning systems. A representative patent illustrating a biometric personal identification system based on iris analysis is U.S. Pat. No. 5,291,560. While these devices provide significant advantages, each authentication device vendor has a different way of encoding input information and validating the user's identity. Thus, it has not been possible to enable existing client/server and Internet-based applications to incorporate such alternate authentication devices into their current authentication schemes without compromising server trust policies.
The present invention solves this problem.
BRIEF SUMMARY OF THE INVENTION
An object of the present invention is to provide an authentication framework for use in authenticating clients having a plurality of permitted authentication device types.
Another object of this invention is to provide an authentication architecture that enables client-server and Internet-based applications to use alternate authentication devices, e.g., token cards and biometric devices.
It is a more specific object to provide an application server with the capability of managing authentication request traffic from a variety of clients having disparate authentication devices or schemes.
A still further object of this invention is to enable the application server to manage such authentication request traffic without having to verify specific authentication device data, which typically varies depending on the device type and vendor.
Yet another object of this invention is to provide an architecture by which current and future applications may support varied authentication devices without necessarily having to be rewritten.
Still another more general object of this invention is to provide a pluggable framework for authentication services.
In the preferred embodiment, the authentication framework of the present invention has three (3) basic elements. First, a given application client has an authentication device attached to it, and the device is one of a plurality of permitted authentication device types. Thus, for example, the device is a token card or a biometric reader. Second, an application server of the framework knows what types of devices and servers it trusts. Third, given device authentication servers merely verify that authentication device data is acceptable for authentication. The device authentication servers may comprise part of the framework or operate in association with the framework.
In operation, each given application client passes to the application server a request for authentication. The request includes a user id and a device id identifying, respectively, the client and the authentication device coupled to it. The application server (if it trusts the device and has support for it) determines for which device authentication server the request is intended and then routes the given authentication data to that server. If the device authentication server verifies that the authentication data is acceptable for authentication, an authorization token is returned to the client.
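The routing flow above, as an added illustration that is not code from the patent: the application server holds the trust policy (which device types it accepts and which device authentication server handles each), forwards the vendor-encoded device data without parsing it, and issues an HMAC-signed authorization token only after the device server reports the data acceptable. The class names, the HMAC token format and the enrollment values are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    user_id: str
    device_id: str      # names the device type the client is using, e.g. "tokencard"
    device_data: bytes  # vendor-encoded input; the application server never parses it


class DeviceAuthServer:
    """Hypothetical vendor verifier: decides only whether device data is acceptable."""
    def __init__(self, enrolled):  # user_id -> vendor-specific reference data (constructed)
        self._enrolled = enrolled

    def verify(self, user_id, device_data):
        ref = self._enrolled.get(user_id)
        return ref is not None and hmac.compare_digest(ref, device_data)


class ApplicationServer:
    """Routes each request to the device server it trusts for that device type."""
    def __init__(self, trusted):  # device_id -> DeviceAuthServer; this is the trust policy
        self._trusted = trusted
        self._key = secrets.token_bytes(32)  # signs authorization tokens

    def authenticate(self, req):
        server = self._trusted.get(req.device_id)
        if server is None:  # device type not trusted or not supported: refuse to route
            return None
        if not server.verify(req.user_id, req.device_data):
            return None
        body = f"{req.user_id}:{req.device_id}:{secrets.token_hex(8)}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{mac}"

    def validate_token(self, token):
        body, _, mac = token.rpartition(":")
        expect = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, mac)


def build_demo():
    # Constructed enrollment data for two vendors with different encodings.
    token_cards = DeviceAuthServer({"alice": b"OTP:482193"})
    iris_scanner = DeviceAuthServer({"bob": b"IRIS:7f3a9c"})
    return ApplicationServer({"tokencard": token_cards, "iris": iris_scanner})
```

A request naming a device type absent from the trust table is refused before any device data is forwarded, which is the server-trust property the summary describes.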
The foregoing has outlined some of the more pertinent objects and features of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the Preferred Embodiment.
REFERENCES:
patent: 556000 (1896-03-01), Bramer et al.
patent: 5237614 (1993-08-01), Weiss
patent: 5291560 (1994-03-01), Daugman
patent: 5347580 (1994-09-01), Molva et al.
patent: 5544322 (1996-08-01), Cheng et al.
patent: 5615277 (1997-03-01), Hoffman
patent: 5689708 (1997-11-01), Regnier et al.
patent: 5706349 (1998-01-01), Aditham et al.
patent: 5706427 (1998-01-01), Tabuki
patent: 5732137 (1998-03-01), Aziz
patent: 5740361 (1998-04-01), Brown
patent: 5761309 (1998-06-01), Ohashi et al.
patent: 5778065 (1998-07-01), Hauser et al.
patent: 5784463 (1998-07-01), Chen et al.
patent: 5784464 (1998-07-01), Akiyama et al.
patent: 5784566 (1998-07-01), Viavant et al.
patent: 5841970 (1998-11-01), Tabuki
patent: 6087955 (2000-07-01), Gray
patent: 1049495 (1996-07-01), None
patent: 0154977 (1996-11-01), None
patent: 9827688 (1997-12-01), None
IBM Technical Disclosure Bulletin (Dec. 1997), vol. 40, No. 12, pp. 65-72.
IBM Technical Disclosure Bulletin (Oct. 1997), vol. 40, No. 10, pp. 99-100.
Crane Michael A.
Milman Ivan Matthew
Burwell Joseph R.
Judson David H.
LaBaw Jeffrey S.
Werner Brian