TREA

Methods and System for Storing and Retrieving Identity Mapping Information

Follow

Information

  • Patent Application
  • 20080089520
  • Publication Number
    20080089520
  • Date Filed
    September 20, 2007
    17 years ago
  • Date Published
    April 17, 2008
    16 years ago
Information
Abstract
System and method for storing identity mapping information in an identity management system to enable a user authenticated at a first domain to access a second domain. The method may include digitally signing the identity mapping information by the user; providing the mapping information to an identity management system; and storing the user-signed mapping information after being further digitally signed by the identity management system.
Description

SHORT DESCRIPTION OF THE DRAWINGS

In the following detailed description, presently preferred embodiments of the invention are further described with reference to the following figures:



FIG. 1: A schematic view illustrating user identity mapping, according to one embodiment;



FIG. 2: A schematic presentation of the steps performed in one embodiment of the invention to perform a secure user mapping for storing mapping information so that its integrity is assured;



FIG. 3: A schematic presentation of a first part of the steps performed in one embodiment of the invention for a retrieval and a validation of the outer signature of the user mapping information;



FIG. 4
a: A schematic presentation of the second part of the steps performed for a retrieval and an online validation of the inner signature of the user mapping information, according to one embodiment;



FIG. 4
b: A schematic presentation of an offline validation of the inner signature of the user mapping information, according to one embodiment;



FIG. 5: A schematic presentation of the password (or other private personal information) as protected according to various embodiments; and



FIG. 6: A schematic presentation of the steps necessary to retrieve a password as protected by the embodiment of FIG. 5.





While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and are herein described in detail. It should be understood, however, that the drawings and detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the present invention as defined by the appended claims.


DETAILED DESCRIPTION OF THE EMBODIMENTS


FIG. 1 presents a schematic view of two domains 10, 20, which require different user ids for accessing data. Domain 10 may for example present a Windows-based corporate network, whereas domain 20 could be a legacy mainframe system comprising one or more applications and/or one or more databases. A user 1 running an application 30 may require data from both domains 10, 20. Accordingly, the user 1 must be authenticated and, if required, prove his authorization in both domains 10, 20. An identity management system 40 comprising a user identity database 50, however, may allow the application 30 to obtain the user id for the second domain 20 based on the user id for the first domain 10. As a result, the user 1 may only provide a single user id. In the example presented in FIG. 1, the user 1 only needs to authenticate himself as “John Doe” at the first domain 10 and the application 30 can, based on the relation stored in the user identity database 50, also authenticate the user at the second domain 20 as “jdoe”.


It is apparent that that the concept of mapping user ids with an identity management system could be extended to more than the two domains 10, 20 shown in the simplified FIG. 1. Further, whereas the methods and systems described in the following are particularly useful, if the two domains 10 and 20 are truly heterogeneous, so that no common security system can be found or created, the present invention may also be applied to less heterogeneous or even homogeneous systems.


If the user identity database 50 is tampered with, a user id of the first domain 10 may no longer be assigned to the correct user id of the second domain 20. As a result, operations could be performed in the second domain 20 under a false identity, without the user 1 being aware of.


To address this problem, some embodiments allow for verification of the mapping information for both the user 1 and the application 30. In one embodiment, a trust centre (PKI, Public Key infrastructure) may be used. However, this is not essential to the invention. In order to assure the integrity of the mapping data stored in the user identity database 50, each user may first agree to the user mapping by signing his mapping data with his private key in step 100 shown in FIG. 2. In the example of FIG. 1, the user “John Doe” in domain 10 is mapped to user “jdoe” in domain 20.


The mapping data and the signature value may be sent in step 110 to the identity management system 40 for storing. To increase the security, a SSL communication (secure socket layer) may be used. In a next step 120, the identity management system 40 may again sign the received information with its own private key and may store, in step 130, the two-fold signed mapping information in the user identity database 50.


At any point later in time, the application 30 can perform the required user mapping by performing the following validation steps: At first, the two-fold signed mapping information may be obtained from the identity management system in steps 150 and 151 (cf. FIG. 3). Again, a SSL communication may be used to further increase the security. Subsequently, in step 160, the method may verify that the mapping information was authenticated by the identity management system 40 by validating its outer signature (cf. FIG. 3). This may typically be an offline process, i.e. can be performed locally by the application 30 using the public key of the identity management system 40.


In the next step 170, the method may verify that the authenticated user 1 has defined and agreed to the mapping by validating the inner signature. If the application 30 is in possession of the user's certificate, it can perform the validation offline by checking that the authenticated user's credentials 80 match the certificate credentials 81 as well as the information from the user mapping data 82 (cf. FIG. 4b).


Alternatively it can use an online validation with the trust centre (PKI) 70, as schematically shown in FIG. 4a. This has a further advantage: If the user 1 (or any other authorized party) had previously invalidated the user mapping, the certificate used to sign this mapping would have been revoked and the mapping may then be rendered invalid by a standard mechanism, e.g., Certificate Revocation List (CRL), which is a method to void a certificate and therefore all signatures that are created by the owner of the certificate before the expiration time automatically declares it invalid.



FIGS. 5 and 6 illustrate relate to incorporating information protection. This aspect may be used and, in the following, described in the context of the method and system explained above for the verification of the integrity of user mapping information. It may, however, also be applied in general, e.g., whenever personal private data is stored, so that it is not necessary to enter it every time when this data is required. Accordingly, password protection is just one example of a field of application of the method described in the following, but it can equally be used to protect sensitive financial information such as credit card numbers or any other data to be protected.


If a password is needed to access the second domain 20, it is not sufficient to assure its integrity in the user mapping database 50. On the contrary, it may not only be protected against tampering but also may be kept in a truly secure and encrypted manner, which is, for example, not the case in prior art systems such as Kerberos. Otherwise, there would be a security gap that could be exploited in a malicious attack (e.g. to commit fraud or steal identity). As noted previously, in prior art systems the user has typically no control over how the password is stored or used. Therefore, he is required to give absolute trust to the system that stores and uses his password.


As shown in FIG. 5, before the password 210 is stored together with the user mapping information, an encryption key 220 may be used to encrypt the password 210. The encryption key 220 may be long enough to be divided into two parts 221, 222 (or more parts, not shown in FIG. 5). The first part 221 of the encryption key 220 may be encrypted by the users' public key. The other part 222 may be encrypted by the public key of a special certificate from the trust centre (PKI) 70. The encrypted password 210 may then be stored together with the encrypted two part encryption key and signed together with the mapping information of the user as described above.


When the password 210 is required by the application 30 (e.g. in order to access the resources in domain 20), then the application 30 may first execute all the steps to obtain the validated user mapping information as described previously. In order to decrypt the encrypted password, the application 30 may then perform the following steps (cf. FIG. 6):


In step 310, the first part 221 of the encrypted password key 220 may be sent to the user 1. The user 1 can decrypt the part 221 of the key 220 by using his private key. It is to be noted that neither the password 210, nor the complete key 220 to decrypt the password 210 travels on a communication channel during this step.


The application 30 may take, in step 320, the second half 222 of the encrypted encryption key 220 and send it to the trust centre (PKI) 70 for decryption. The dashed lines in FIGS. 5 and 6 indicate that the trust centre (PKI) 70 can be at any remote location. Now the application 30 holds the complete key 220 that is used to decrypt the password 210.


As a result, the password 210 is under the user's control and can be decrypted without exposing the user's private key. Tampering with the password 210 is no longer possible nor is passing around the password 210 without the user's knowledge and permission. Malicious attacks are therefore better defended, since the complete key 220 required to unlock the password 210 is never transmitted as a whole (e.g. on a single communication path).


The described method can be effectively used in all systems where personal and sensitive data is stored and should be revealed only at the time where all participating parties (user and application) agree. Further, if the encryption key 220 is divided into more than two parts, there could be more parties required to agree before an encrypted encryption key for the encrypted personal and sensitive data can be fully assembled from its various decrypted parts. In fact, this feature may allow for any number of participants. Accordingly, in a scenario like a bank—when private data needs to be protected—a normal transaction might only require two keys, but for ‘higher risk’ transactions, the data could be additionally protected with a third key (for example of an additional supervisor) to unlock the information. It is to be noted that it is easy to change the number of keys required.


An additional security feature (not shown) for providing even more protection against malicious attacks can be realized by providing the application itself with additional credentials, which are also verified, for example by the identity mapping system 40 and/or the trust centre (PKI) 70. This overcomes a remaining security problem, where, if by some means (e.g. Trojan horse), the application is replaced. Since the application may be activated by a user running with administrative privileges, also a (secretly) replaced application would have these privileges. However, in case of an additional verification of a certificate/identity of the application by the trust center (PKI) and/or the IMS, there would be a considerable hurdle for any faked or malicious application to overcome. This feature may be particularly important to financial companies such as banks which create an application once and then have a widely replicated distribution. In such a situation one could envisage a malicious attack on the application at a number of stages in its production, distribution and installation stages. In addition, companies and organizations who provide operating system software, such as Windows or Linux, might well find a use for such a feature in protecting critical access to parts of their O/S as well as critical files. Users of such operating systems might also get added protection to their own files and discs.


Although the embodiments above have been described in considerable detail, numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.

Claims
  • 1. Method for storing identity mapping information in an identity management system for enabling a user authenticated at a first domain to access a second domain, the method comprising: digitally signing the identity mapping information by the user;providing the mapping information to the identity management system; andstoring the user-signed mapping information after being further digitally signed by the identity management system.
  • 2. The method of claim 1, wherein said digitally signing comprising using a private key of the user.
  • 3. The method of claim 1, wherein said storing the user-signed mapping information comprises using a private key of the identity management system.
  • 4. The method of claim 1, wherein the mapping information further comprises a password required to access the second domain and wherein the method further comprises: encrypting at least the password with an encryption key, wherein the encryption key can be divided into at least a first and a second part;encrypting the first part of the encryption key with a public key of the user;encrypting the second part of the encryption key with a public key obtained from a trust center, andstoring the encrypted password and the encrypted encryption key in the identity managing system.
  • 5. A method for retrieving identity mapping information from an identity management system for enabling a user authenticated at a first domain to access a second domain, the method comprising: retrieving user-signed mapping information, which has further been digitally signed by the identity management system;validating the digital signature of the identity management system; andvalidating the digital signature of the user;wherein after said validating the digital signature of the identity management system and said validating the digital signature of the user, the user may be authenticated to access the second domain.
  • 6. The method of claim 5, wherein said validating the digital signature of the identity management system comprises using a public key of the identity management system.
  • 7. The method of claim 5, wherein said validating the digital signature of the user comprises using a public key of the user.
  • 8. The method of claim 7, wherein said validating the digital signature of the user comprises using a certificate of the user comprising the public key of the user.
  • 9. The method of claim 8, wherein the user certificate is obtained from a trust center.
  • 10. The method of claim 5, wherein said retrieving further comprises retrieving a password, wherein the password is required to access the second domain and is encrypted by an encryption key comprising at least a first part encrypted by a public key of the user and a second part encrypted by a public key obtained from a trust center, wherein the method further comprises: sending the first encrypted part of the encryption key to the user for decryption with his private key;sending the second encrypted part to the trust center for decryption; anddecrypting the password with the encryption key assembled from the decrypted first and second part.
  • 11. A computer accessible memory medium comprising program instructions for storing identity mapping information in an identity management system for enabling a user authenticated at a first domain to access a second domain, wherein the program instructions are executable by a processor to: digitally sign the identity mapping information by the user;provide the mapping information to the identity management system; andstore the user-signed mapping information after being further digitally signed by the identity management system.
  • 12. The memory medium of claim 11, wherein said digitally signing comprising using a private key of the user.
  • 13. The memory medium of claim 11, wherein said storing the user-signed mapping information comprises using a private key of the identity management system.
  • 14. The memory medium of claim 11, wherein the mapping information further comprises a password required to access the second domain and wherein the program instructions are further executable to: encrypt at least the password with an encryption key, wherein the encryption key can be divided into at least a first and a second part;encrypt the first part of the encryption key with a public key of the user;encrypt the second part of the encryption key with a public key obtained from a trust center, andstore the encrypted password and the encrypted encryption key in the identity managing system.
  • 15. A memory medium comprising program instructions for retrieving identity mapping information from an identity management system for enabling a user authenticated at a first domain to access a second domain, wherein the program instructions are executable by a processor to: retrieve user-signed mapping information, which has further been digitally signed by the identity management system;validate the digital signature of the identity management system; andvalidate the digital signature of the user;wherein after said validating the digital signature of the identity management system and said validating the digital signature of the user, the user may be authenticated to access the second domain.
  • 16. The memory medium of claim 15, wherein said validating the digital signature of the identity management system comprises using a public key of the identity management system.
  • 17. The memory medium of claim 15, wherein said validating the digital signature of the user comprises using a public key of the user.
  • 18. The memory medium of claim 17, wherein said validating the digital signature of the user comprises using a certificate of the user comprising the public key of the user.
  • 19. The memory medium of claim 18, wherein the user certificate is obtained from a trust center.
  • 20. The memory medium of claim 15, wherein said retrieving further comprises retrieving a password, wherein the password is required to access the second domain and is encrypted by an encryption key comprising at least a first part encrypted by a public key of the user and a second part encrypted by a public key obtained from a trust center, and wherein the program instructions are further executable to: send the first encrypted part of the encryption key to the user for decryption with his private key;send the second encrypted part to the trust center for decryption; anddecrypt the password with the encryption key assembled from the decrypted first and second part.
Priority Claims (1)
Number Date Country Kind
06 021 701.5 Oct 2006 EP regional