Garret Grajek, CEH, CISSP, CGEIT, CISM

Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.

A method and system for mutually authenticating an identity and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server. Thereafter, the method continues with establishing a secure data transfer link. A server certificate is transmitted during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The… Show more

A method and system for mutually authenticating an identity and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server. Thereafter, the method continues with establishing a secure data transfer link. A server certificate is transmitted during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The system includes an authentication module that initiates the secure data transfer link and transmits the response packet, and a server authentication module that transmits the token and validates the response packet. Show less

The authentication of a client to multiple server resources with a single sign-on procedure using multiple factors is disclosed. One contemplated embodiment is a method in which a login session is initiated with the authentication system of a primary one of the multiple server resources. A first set of login credentials is transmitted thereto, and validated. A token is stored on the client indicating that the initial authentication was successful, which is then used to transition to a secondary… Show more

The authentication of a client to multiple server resources with a single sign-on procedure using multiple factors is disclosed. One contemplated embodiment is a method in which a login session is initiated with the authentication system of a primary one of the multiple server resources. A first set of login credentials is transmitted thereto, and validated. A token is stored on the client indicating that the initial authentication was successful, which is then used to transition to a secondary one of the multiple resources. A second set of login credentials is also transmitted, and access to the secondary one of the multiple resources is granted on the basis of a validated token and second set of login credentials. Show less

The provisioning of a security token object to a user is disclosed. The security token object is used for accessing a computing resource through a client computer system. A security token object provisioning request may be received from the client computer system. In response, an authentication request may be transmitted. The user is authenticated against a user identity based upon a set of received identity credentials provided by the user. The extraction of a unique token identifier from the… Show more

The provisioning of a security token object to a user is disclosed. The security token object is used for accessing a computing resource through a client computer system. A security token object provisioning request may be received from the client computer system. In response, an authentication request may be transmitted. The user is authenticated against a user identity based upon a set of received identity credentials provided by the user. The extraction of a unique token identifier from the security token object is initiated, and completed without intervention from the user. The unique token identifier received from the client computer system is associated with to the user identity in a data store. By providing the security token object, the user can gain access to the computing resource. Show less

A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate term. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate… Show more

A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate term. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the numeric value associated with the requested certificate term into a duration counter value. The method may also include a certificate server receiving from the server, the certificate request including the duration counter value. The method may conclude with transmitting the signed certificate request to a client device capable of generating the digital certificate with the requested certificate term. Show less

Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application… Show more

Features are disclosed for authentication of mobile device applications using a native, independent browser using a single-sign-on system. An authentication module within the mobile application can direct the mobile device's native browser to a URL to initiate authentication with an authentication appliance. The mobile browser can receive and store a browser-accessible token to indicate previous authentication performed by the user. The mobile application can receive from the application appliance and store a client application ID token that may be presented to network services for access. A second mobile device application may direct the same browser to the authentication appliance. The authentication appliance may inspect the persistent browser-accessible token and issue a second client application ID identity to the second application without collecting additional authentication information, or collecting additional authentication information that is different from the first authentication information. Show less

A method and system for mutually authenticating a client and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server to the client. Thereafter, the method continues with establishing a secure data transfer link between the server and the client. A server certificate is transmitted to the client during the establishment of the secure data transfer link. The method continues with transmitting a response packet to… Show more

A method and system for mutually authenticating a client and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server to the client. Thereafter, the method continues with establishing a secure data transfer link between the server and the client. A server certificate is transmitted to the client during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The system includes a client authentication module that initiates the secure data transfer link and transmits the response packet, and a server authentication module that transmits the token and validates the response packet. Show less

A method and system for configuring a valid duration period for a digital certificate. The method includes assigning a positive numeric value for each certificate term. The positive numeric value assigned to each certificate term is representative of the valid duration period. The method continues by prompting a user of the client device to request one certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a… Show more

A method and system for configuring a valid duration period for a digital certificate. The method includes assigning a positive numeric value for each certificate term. The positive numeric value assigned to each certificate term is representative of the valid duration period. The method continues by prompting a user of the client device to request one certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the positive numeric value associated with the requested certificate term into a duration counter. The method may also include a certificate server receiving from the server, the certificate request including the duration counter. The certificate server is configured to digitally sign the certificate request. The method may conclude with the client device generating the digital certificate having the valid duration period correspond to the positive numeric value associated with the requested certificate term. Show less