Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-04-30
2001-08-14
Lee, Thomas (Department: 2182)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C709S229000
Reexamination Certificate
active
06275944
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to accessing heterogeneous networks and reducing costs by increasing productivity for end-users and system administrators in an enterprise computer environment.
2. Description of the Related Art
With sprawling client-server systems growing daily, applications and information are spread across many PC networks, mainframes and minicomputers. In a distributed system environment connected by networks, a user must access many database systems, network systems, operating systems and mainframe applications. To use these systems and applications, the user must issue separate sign-on commands for each specific system or application. Indeed, it is not unusual for a user to encounter ten or more different login sessions during a working shift, and these often are different interfaces with different userid and authentication information, usually passwords. This places the user under a significant burden to remember and maintain this information.
It would be quite beneficial to provide a single sign-on (SSO) tool to enable authorized users to perform one initial sign-on to access a variety of networks, systems and applications. A single sign-on system should provide secure storage of user passwords, support for more than one user password, as well as support for multiple target logon methods. Each of these issues presents varying design considerations.
With respect to the first issue, there are multiple approaches to storing and managing passwords. One approach is to use the same password for all accessible systems/applications. This technique may weaken system security, however, because a compromised password in any of the systems or applications compromises the user's privileges on these systems and applications at the same time. Further, different sign-on mechanisms may have their own distinctive password requirements and, thus, it is problematic to use the same password for multiple targets.
Another approach to storing and managing passwords is password-mapping, which refers to using the user's primary password to encrypt all the user's secondary passwords. The encrypted passwords are stored in a local storage space accessible to the user (e.g., a local file, a readable/writable smartcard, and the like). Once the primary password is verified, the local system authentication module obtains the passwords for other sign-on systems and applications by decrypting the mechanism-specific encrypted password with the primary password. The security of this password-mapping scheme assumes that the primary password is the user's strongest password, and it also depends on the security of the local storage for the secondary passwords. If the secondary passwords are stored in an untrusted publicly accessible machine, an intruder is provided with opportunities for potential attacks. Moreover, although this approach is simple, the password file must be moved from machine to machine by the user to logon to more than one machine.
The target logon alternatives also influence the single sign-on system design. In particular, the method used for storing a user password heavily influences the design of target logon code. It is known to embed passwords in target specific logon scripts. This is how many “homegrown” single sign-on systems work today. This technique is the least extendible design because it ties passwords (and logon target code) to each machine the user uses. It is also hard to maintain passwords in this design because passwords need to be changed both in the applications and in the logon scripts. For a mobile user, the scripts need to be present on all machines the user might use. The overall security of this approach is thus very weak.
Another target logon alternative involves building in all the logon methods for every possible target to which any user may desire to logon. This “hardcoded” approach assumes that all workstations and applications are configured similarly and do not change. Because the logon methods are built into the solution, changes made to the logon methods require changes to the actual solution itself. This approach is costly and also is not very extensible.
Irrespective of their design, known SSO systems such as those described above require the user to have one and only one program to sign on to a target, and that program must be installed on all SSO clients. This restriction is very undesirable. Thus, for example, a user may have a preferred program installed on his or her office system to access a given application, and that same user may have -a laptop machine that he or she uses out of the office that preferably accesses the same application with different software.
It would be desirable to provide a mechanism by which a given user does not have to specify a particular program on the client when using SSO to log on to a particular target. It is also desirable to provide a mechanism by which the SSO user does not have to specify the operating system used by the client. The present invention addresses this need.
BRIEF SUMMARY OF THE INVENTION
A primary object of this invention is to provide “free seating” support in a single sign-on environment. Free seating means that a user does not have to specify a particular program on the client, or have a particular operating system on that client, when using SSO to log on to a particular target.
This object is preferably achieved using a data model where information used to sign on to applications is kept in two separate databases. One database is a global database that keeps user configuration information, and the second database is a local database that keeps local application specific information.
More specifically, this invention provides a single sign-on (SSO) framework that allow users to sign on to a client system one time entering one password. The SSO framework then signs on to other applications on the user's behalf.
The SSO framework supports storage of all passwords and keys belonging to a user in secure storage (e.g., either in local storage, a centralized password service, a smartcard, or the like), so that the user needs to remember only one ID and password. Upon authentication, the SSO mechanism securely retrieves all the passwords for a user from the secure storage and automatically (i.e. without additional user intervention) issues sign-ons to each system/application the user is authorized to access.
The system framework preferably includes a number of modules including a configuration information manager (CIM), which includes information on how to logon to the applications configured on a given machine, a personal key manager (PKM), which includes information about users, systems and passwords they use to logon to those systems, and a logon coordinator (LC), which retrieves the user's passwords from PKM and uses them in conjunction with target-specific logon code to log users onto all their systems, preferably without any additional user intervention.
The CIM facilitates adding new logon methods as needed. Information is preferably stored in the CIM using “templates” referred to a program template files (PTFs). A given PTF thus is used to create entries in the CIM. This template mechanism enables an application vendor to specify how to logon to a given application. Thus, independent software vendors and others can easily plug their applications into the SSO framework without writing a large amount of code.
The SSO framework implements a “data model” where information used to sign on to applications is kept in the separate PKM and CIM databases. The PKM is globally accessible and stores user-specific information, and the CIM is locally accessible and stores application-specific information derived from PTF files. In operation, the logon coordinator (LC) accesses the PKM to obtain the user's information (e.g., which target systems and applications to which the user can sign-on), as well as the passwords and keys for those systems/applications. The LC then uses these passwords/keys, together w
Kao I-Lung
Milman Ivan Matthew
Burwell Joseph R.
International Business Machines - Corporation
Judson David
LaBaw Jeffrey S.
Lee Thomas
LandOfFree
Method and system for single sign on using configuration... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for single sign on using configuration..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for single sign on using configuration... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2540729