US2015304292A1PendingUtilityA1

A system and method for secure proxy-based authentication

Assignee: CYBER ARK SOFTWARE LTDPriority: Oct 24, 2012Filed: Oct 22, 2013Published: Oct 22, 2015
Est. expiryOct 24, 2032(~6.3 yrs left)· nominal 20-yr term from priority
H04L 63/10G06F 21/31H04L 63/0884H04L 63/08H04L 63/0281
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged, access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breech from exposing target access credentials.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 - 18 . (canceled) 
     
     
         19 . A method of authentication comprising the steps of:
 (a) receiving at a proxy an access request, wherein said receiving is via a native protocol and said access request includes client credentials associated with a user;   (b) providing target access credentials, wherein said providing is based on said access request, said client credentials, and target authentication information; and   (c) sending via said native protocol said target access credentials to a target;   wherein said target access credentials are other than said client credentials, and said target access credentials are shared or privileged credentials.   
     
     
         20 . The method of  claim 19  wherein said receiving is from a client 
     
     
         21 . The method of  claim 19  wherein said providing is contingent on successfully verifying the user based on said client credentials. 
     
     
         22 . The method of  claim 19  wherein said client credentials are selected from the group consisting of:
 (a) a null set; and 
 (b) inherent client credentials. 
 
     
     
         23 . The method of  claim 19  wherein said providing of said target access credentials is based on one or more communication features selected from the group including:
 (a) communication content; 
 (b) access request time, 
 (c) client identity, 
 (d) target identity, 
 (e) user identity; 
 (f) access request time; 
 (g) communication time; 
 (h) communication protocol; 
 (i) communication settings; and 
 (j) combinations of said communication features. 
 
     
     
         24 . The method of  claim 19  wherein said target authentication information is provided by:
 (a) a database; or 
 (b) an algorithm; or 
 (c) a privileged access management system (PAMS). 
 
     
     
         25 . The method of  claim 19  wherein a privileged access management solution (PAMS) performs one or more steps selected from the group consisting of:
 (a) authenticating said client credentials; 
 (b) providing said target access credentials; 
 (c) storing monitoring information; 
 (d) storing analysis information; 
 (e) monitoring client communications from a client to said target; and 
 (f) monitoring target communications from said target to said client. 
 
     
     
         26 . The method of  claim 19  further comprising the step of:
 (d) if said target successfully verifies said target access credentials then authorizing communications between a client and said target via said proxy. 
 
     
     
         27 . The method of  claim 19  further comprising:
 (d) if said target successfully verifies said target access credentials then said proxy transferring client communications from a client to said target and transferring target communications from said target to said client. 
 
     
     
         28 . The method of  claim 27  further comprising at least one-step selected from the group consisting of
 (e) monitoring said client communications and said target communications; and 
 (f) recording said client communications and said target communications. 
 
     
     
         29 . The method of  claim 28  wherein said monitoring and said recording are of one or more communication features selected from the group consisting of:
 (i) a communication content; 
 (ii) a target identity; 
 (iii) a client identity; 
 (iv) a user identity; 
 (v) a communication time; 
 (vi) communication protocol; and 
 (vii) communication metadata. 
 
     
     
         30 . The method of  claim 28  further comprising the step of:
 (g) upon detecting a suspicious activity, initiating an alert. 
 
     
     
         31 . The method of  claim 30  further comprising the step of:
 (h) upon receiving an alert, terminating said transferring client communications and terminating said transferring target communications. 
 
     
     
         32 . The method of  claim 27  further comprising one or more steps selected from the group consisting of:
 (e) interfering with said target communications; and 
 (f) interfering with said client communications. 
 
     
     
         33 . The method of  claim 32  wherein said interfering is selected from at least one of:
 (i) deleting target communications; 
 (ii) masking target communications; 
 (iii) replacing target communications; 
 (iv) deleting client communications; 
 (v) masking client communications; and 
 (vi) replacing client communications. 
 
     
     
         34 . The method of  claim 19  wherein a form of said client credentials and a form of said target access credentials are each selected from the group consisting of:
 (i) username, 
 (ii) password, 
 (iii) access key, 
 (iv) credential file, 
 (v) biometric identifier, 
 (vi) gesture, 
 (vii) selecting an image, 
 (viii) physical token, 
 (ix) certificates, 
 (x) machine or device identifier, 
 (xi) application identifier, and 
 (xii) combinations of forms of credentials. 
 
     
     
         35 . A system for authentication comprising:
 (a) a proxy configured to:
 (i) receive an access request, wherein said receiving is via a native protocol and said access request includes client credentials associated with a user; 
 (ii) provide target access credentials based on said access request, said client credentials and target authentication information; and 
 (iii) send via said native protocol said target access credentials to a target; 
   wherein said target access credentials are other than said client credentials, and said target access credentials are shared or privileged credentials.   
     
     
         36 . The system of  claim 35  wherein said access request is received from a client. 
     
     
         37 . The system of  claim 35  further including a privileged access management solution (PAMS) configured to perform one or more functions selected from the group consisting of:
 (a) authenticating said client credentials; 
 (b) providing said target access credentials; 
 (c) storing monitoring information; 
 (d) storing analysis information; 
 (e) monitoring client communications from a client to said target; and 
 (f) monitoring target communications from said target to said client. 
 
     
     
         38 . The system of  claim 35  further including one or more modules selected from the group consisting of:
 (b) a monitoring module configured for monitoring:
 (i) client communications from a client to said target; and 
 (ii) target communications from said target to said client; and 
 
 (c) a recording module configured for recording:
 (i) said client communications; and 
 (ii) said target communications. 
 
 
     
     
         39 . The system of  claim 35  further including a filtering module configured to implement one or more controls selected from the group consisting of:
 (a) interfering with client communications from a client to said target; and 
 (b) interfering with target communications from said target to said client. 
 
     
     
         40 . A computer-readable storage medium having embedded thereon computer-readable code for authenticating, the computer-readable code comprising program code for:
 (a) receiving at a proxy an access request, wherein said receiving is via a native protocol and said access request includes client credentials associated with a user;   (b) providing target access credentials, wherein said providing is based on said access request, said client credentials, and target authentication information; and   (c) sending via said native protocol said target access credentials to a target;   wherein said target access credentials are other than said client credentials, and said target access credentials are shared or privileged credentials.

Join the waitlist — get patent alerts

Track US2015304292A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.