A system and method for secure proxy-based authentication
Abstract
A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged, access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breech from exposing target access credentials.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 - 18 . (canceled)
19 . A method of authentication comprising the steps of:
(a) receiving at a proxy an access request, wherein said receiving is via a native protocol and said access request includes client credentials associated with a user; (b) providing target access credentials, wherein said providing is based on said access request, said client credentials, and target authentication information; and (c) sending via said native protocol said target access credentials to a target; wherein said target access credentials are other than said client credentials, and said target access credentials are shared or privileged credentials.
20 . The method of claim 19 wherein said receiving is from a client
21 . The method of claim 19 wherein said providing is contingent on successfully verifying the user based on said client credentials.
22 . The method of claim 19 wherein said client credentials are selected from the group consisting of:
(a) a null set; and
(b) inherent client credentials.
23 . The method of claim 19 wherein said providing of said target access credentials is based on one or more communication features selected from the group including:
(a) communication content;
(b) access request time,
(c) client identity,
(d) target identity,
(e) user identity;
(f) access request time;
(g) communication time;
(h) communication protocol;
(i) communication settings; and
(j) combinations of said communication features.
24 . The method of claim 19 wherein said target authentication information is provided by:
(a) a database; or
(b) an algorithm; or
(c) a privileged access management system (PAMS).
25 . The method of claim 19 wherein a privileged access management solution (PAMS) performs one or more steps selected from the group consisting of:
(a) authenticating said client credentials;
(b) providing said target access credentials;
(c) storing monitoring information;
(d) storing analysis information;
(e) monitoring client communications from a client to said target; and
(f) monitoring target communications from said target to said client.
26 . The method of claim 19 further comprising the step of:
(d) if said target successfully verifies said target access credentials then authorizing communications between a client and said target via said proxy.
27 . The method of claim 19 further comprising:
(d) if said target successfully verifies said target access credentials then said proxy transferring client communications from a client to said target and transferring target communications from said target to said client.
28 . The method of claim 27 further comprising at least one-step selected from the group consisting of
(e) monitoring said client communications and said target communications; and
(f) recording said client communications and said target communications.
29 . The method of claim 28 wherein said monitoring and said recording are of one or more communication features selected from the group consisting of:
(i) a communication content;
(ii) a target identity;
(iii) a client identity;
(iv) a user identity;
(v) a communication time;
(vi) communication protocol; and
(vii) communication metadata.
30 . The method of claim 28 further comprising the step of:
(g) upon detecting a suspicious activity, initiating an alert.
31 . The method of claim 30 further comprising the step of:
(h) upon receiving an alert, terminating said transferring client communications and terminating said transferring target communications.
32 . The method of claim 27 further comprising one or more steps selected from the group consisting of:
(e) interfering with said target communications; and
(f) interfering with said client communications.
33 . The method of claim 32 wherein said interfering is selected from at least one of:
(i) deleting target communications;
(ii) masking target communications;
(iii) replacing target communications;
(iv) deleting client communications;
(v) masking client communications; and
(vi) replacing client communications.
34 . The method of claim 19 wherein a form of said client credentials and a form of said target access credentials are each selected from the group consisting of:
(i) username,
(ii) password,
(iii) access key,
(iv) credential file,
(v) biometric identifier,
(vi) gesture,
(vii) selecting an image,
(viii) physical token,
(ix) certificates,
(x) machine or device identifier,
(xi) application identifier, and
(xii) combinations of forms of credentials.
35 . A system for authentication comprising:
(a) a proxy configured to:
(i) receive an access request, wherein said receiving is via a native protocol and said access request includes client credentials associated with a user;
(ii) provide target access credentials based on said access request, said client credentials and target authentication information; and
(iii) send via said native protocol said target access credentials to a target;
wherein said target access credentials are other than said client credentials, and said target access credentials are shared or privileged credentials.
36 . The system of claim 35 wherein said access request is received from a client.
37 . The system of claim 35 further including a privileged access management solution (PAMS) configured to perform one or more functions selected from the group consisting of:
(a) authenticating said client credentials;
(b) providing said target access credentials;
(c) storing monitoring information;
(d) storing analysis information;
(e) monitoring client communications from a client to said target; and
(f) monitoring target communications from said target to said client.
38 . The system of claim 35 further including one or more modules selected from the group consisting of:
(b) a monitoring module configured for monitoring:
(i) client communications from a client to said target; and
(ii) target communications from said target to said client; and
(c) a recording module configured for recording:
(i) said client communications; and
(ii) said target communications.
39 . The system of claim 35 further including a filtering module configured to implement one or more controls selected from the group consisting of:
(a) interfering with client communications from a client to said target; and
(b) interfering with target communications from said target to said client.
40 . A computer-readable storage medium having embedded thereon computer-readable code for authenticating, the computer-readable code comprising program code for:
(a) receiving at a proxy an access request, wherein said receiving is via a native protocol and said access request includes client credentials associated with a user; (b) providing target access credentials, wherein said providing is based on said access request, said client credentials, and target authentication information; and (c) sending via said native protocol said target access credentials to a target; wherein said target access credentials are other than said client credentials, and said target access credentials are shared or privileged credentials.Join the waitlist — get patent alerts
Track US2015304292A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.