Authentication framework for multiple authentication...

Electrical computers and digital processing systems: support – System access control based on user identification by... – Using record or token

Reexamination Certificate


Details

C713S182000, C713S155000

Reexamination Certificate

active

06651168

ABSTRACT:

FIELD OF THE INVENTION
The invention disclosed broadly relates to computer systems and more particularly relates to security features in computer systems.
BACKGROUND OF THE INVENTION
There are many processes for initial authentication of a user to verify the identity of the user or the user's eligibility to access particular resources in a stand-alone computer system or in a computer network. Different system administrators may have different security requirements according to the business needs of the systems they administer, and they may require different types of authentication mechanisms. For example, some systems may only require presenting a simple userid and password. Other systems may be more sophisticated and require the user to employ authentication mechanisms such as a smart card, a token card, or a fingerprint scanner.
Other examples of user authentication processes include presenting an ATM debit card number and PIN, presenting a smart card's account number and a symmetric Message Authentication Code (MAC), presenting a smart card's account number and an asymmetric digital signature, presenting a user's digital signature and digital certificate, presenting a user's digital certificate and matching asymmetric digital signature, presenting a user's account number and a symmetric MAC or asymmetric digital signature, presenting a user's account number and an asymmetric digital signature.
Biometric authentication processes include fingerprint scanning, graphical signature scanning, dynamic hand-force sensing while executing a signature, iris and retinal scanning, voice print scanning, and many other techniques. Fingerprint scanning is currently the most proven form of biometric authentication. Other developing biometric authentication processes include retina and iris scanning, hand and face geometry scanning, body odor profiling, and vein scanning. Computerized facial recognition converts a face into a sequence of numbers by component analysis and three-dimensional imaging technology. The iris is rich in features such as fibers, striations, freckles, rifts, pits and other details, which contribute to an identity that is more complex than a fingerprint. Body odor profiling recognizes the chemicals that make up a person's individual smell and separates them to build up a template. Behavioral biometrics measure how a person does something. The two most advanced behavioral biometric authentication processes are signature and voice recognition. Signature recognition authentication is used in credit card and other banking applications. Voice recognition or voice print authentication processes work by isolating the characteristics that produce speech, rather than by recognizing the tone of the voice itself.
Such diverse authentication mechanisms require different kinds of authentication data from the user. Different authentication mechanisms have distinctive logic and interface requirements to handle the authentication data. What is needed is a flexible way to provide diverse user authentication mechanisms and processes for a stand-alone computer system or for a computer network.
This need becomes particularly acute for a user attempting to log on to a large, distributed system. In typical distributed system environments, a user must access many database systems, network systems, operating systems and mainframe applications. In order to use these systems and applications, the user must typically issue a separate sign-on command for each specific system or application. Each of these sign-ons may, in turn, have a different pair of user IDs and passwords, or different smart card authentication processes, or different biometric authentication processes. The problem of coordinating multiple system sign-on requirements has been addressed by the single sign-on (SSO) invention disclosed in the above-referenced patent applications. The single sign-on (SSO) system described in the above-referenced patent applications enables authorized users to perform one initial sign-on to access a variety of networks, systems and applications. However, what is needed now is a flexible way to provide diverse initial authentication mechanisms and processes for such a single sign-on system.
SUMMARY OF THE INVENTION
The invention is a system, method, program, and method of doing business for flexibly providing diverse user authentication mechanisms and processes for a stand-alone computer system or for a distributed computer network. An authentication framework subsystem is disclosed for enabling a computer system to authenticate a user with a selected one of a plurality of authentication processes. Each of the authentication processes has a distinct sequence of steps and a unique input/output (I/O) interface for exchanging authentication information with the computer system.
The invention includes an authentication framework in the computer system. An application program interface in the authentication framework provides an interface to an I/O component, such as a graphical user interface (GUI), of the computer system.
A first authentication module interfaces with the framework. It has a first conversation function driver defining a first programmed sequence of steps to authenticate a user with a first authentication process, which could be, for example, a simple userid and password process. A second authentication module also interfaces with the framework. It has a second conversation function driver defining a second programmed sequence of steps different from the first sequence, to authenticate a user with a second authentication process, which could be, for example, a smart card process.
The first conversation function driver in the first authentication module has access to first information, such as display panels for menus, help screens, and error messages. This information is used during the first authentication process to configure the I/O component for the first authentication process. The second conversation function driver in the second authentication module has access to second information, such as a different set of display panels for menus, help screens, and error messages. This second information is used during the second authentication process to configure the I/O component for the second authentication process.
A conversation function in the application program interface defines a programmed sequence of steps for controlling the I/O component in response to generic instructions that have the same format whether they are received from the first conversation driver or from the second conversation driver. The conversation function can selectively receive generic instructions and the first information from the first conversation driver, to perform suitable I/O functions for the first authentication process. Alternately, the conversation function can selectively receive a different sequence of generic instructions and the second information from the second conversation driver, to perform suitable I/O functions for the second authentication process.
The generic conversation function provides a generic instruction format for diverse authentication processes, which is adapted to control the unique operational characteristics of multiple types of I/O components. Each instance of the generic conversation function is implemented in a corresponding external API that controls a particular I/O component. The implementation of the generic conversation function for a GUI, for example, contains all of the details pertaining to the unique display characteristics of that component. Unique implementations of the generic conversation function can be applied to control a graphical user interface, a local object interface, a network object interface, a command line interface, and the like. The generic conversation function is invoked by a conversation function driver within each authentication module, the driver being customized for each respective authentication process. Instruction tokens are passed from a conversation function driver for a particular aut
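The architecture described in the summary, as an added illustration that is not the patent's own code: a generic conversation function implemented for one I/O component (here a scripted stand-in for a CLI or GUI), two authentication modules whose drivers send generic instruction tokens together with their own panel text, and a framework that selects a module by name. The class names, the instruction tokens, and the card protocol (HMAC-SHA256 over a framework-issued challenge) are assumptions made for this example.

```python
import hashlib, hmac
from collections import namedtuple
from enum import Enum

class Instr(Enum):        # generic instruction tokens, identical for every module
    PROMPT_ECHO_ON = 1    # visible input, e.g. a userid or account number
    PROMPT_ECHO_OFF = 2   # hidden input, e.g. a password or PIN
    TEXT_INFO = 3         # show a module-supplied information panel
    ERROR_MSG = 4         # show a module-supplied error panel
Message = namedtuple("Message", "instr text")  # token plus the module's own panel text

def scripted_conversation(answers):
    """Conversation function for a stand-in I/O component: replays constructed answers."""
    queue = list(answers)
    def converse(msgs):          # a GUI or CLI version would render each panel here
        replies = []
        for m in msgs:
            prompt = m.instr in (Instr.PROMPT_ECHO_ON, Instr.PROMPT_ECHO_OFF)
            replies.append(queue.pop(0) if prompt and queue else "")
        return replies
    return converse

def compute_mac(key, challenge):
    """Card-side MAC (assumed: HMAC-SHA256 over a challenge the framework issues)."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()

class PasswordModule:
    """First module: its driver runs the userid/password sequence."""
    def __init__(self, users): self.users = users            # {userid: password}
    def authenticate(self, conv):
        uid, pw = conv([Message(Instr.PROMPT_ECHO_ON, "Userid:"),
                        Message(Instr.PROMPT_ECHO_OFF, "Password:")])
        # compare against a dummy for unknown users so the check is constant-time
        ok = hmac.compare_digest(self.users.get(uid, "\0"), pw) and uid in self.users
        if not ok: conv([Message(Instr.ERROR_MSG, "Invalid userid or password")])
        return ok

class SmartCardModule:
    """Second module: a different step sequence (info panel, account number, MAC)."""
    def __init__(self, keys, challenge): self.keys, self.challenge = keys, challenge
    def authenticate(self, conv):
        conv([Message(Instr.TEXT_INFO, "Insert your card")])
        acct, mac = conv([Message(Instr.PROMPT_ECHO_ON, "Account number:"),
                          Message(Instr.PROMPT_ECHO_ON, "Card MAC:")])
        expected = compute_mac(self.keys.get(acct, b"\0"), self.challenge)  # dummy key
        ok = hmac.compare_digest(expected, mac) and acct in self.keys
        if not ok: conv([Message(Instr.ERROR_MSG, "Card authentication failed")])
        return ok

class AuthFramework:
    """Binds one I/O component's conversation function; modules plug in by name."""
    def __init__(self, conv): self.conv, self.modules = conv, {}
    def register(self, name, module): self.modules[name] = module
    def authenticate(self, name): return self.modules[name].authenticate(self.conv)
```

Swapping the I/O component means supplying a different conversation function; the modules and their panel text are unchanged. A real deployment would issue a fresh challenge for every card attempt so a captured MAC cannot be replayed.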
