Invention title: Authentication delegation based on re-verification of cryptographic evidence
Abstract: The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and a user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server, which then uses the credentials to authenticate to the server as the user.
Publication number: US9055107(B2)  Publication date: 2015.06.09
Application number: US200611607720  Filing date: 2006.12.01
Applicant: Microsoft Technology Licensing, LLC  Inventors: Medvinsky Gennady; Nice Nir; Shiran Tomer; Teplitsky Alexander; Leach Paul; Neystadt John
Classification: H04L29/06; G06F21/33; H04L9/32  Main classification: H04L29/06
Agency:  Attorneys: Churna Timothy; Drakos Kate; Minhas Micky
Main claim: 1. A method of authentication delegation between a client/user accessing a service provider through a gateway, the method comprising the steps of: performing a Transport Layer Security (TLS) handshake with client authentication between the client/user and the gateway, said TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages; recording at least a sufficient portion of messages of the TLS handshake to indicate that the client/user is authenticated to the gateway, wherein said at least the sufficient portion includes messages specified in the protocol and all messages specified in the protocol up to and including a certificate verify message, wherein said at least the sufficient portion of the messages of the TLS handshake are exchanged between the client/user and the gateway; and providing the recording of all messages up to and including the certificate verify message, from the gateway to the service provider, wherein all messages provided are digitally signed, wherein access to the service provider is based on the at least the sufficient portion of the messages of the TLS handshake that are exchanged between the client/user and the gateway.
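The flow the abstract and claim describe, as an added illustration that is not part of the patent or any Microsoft code: the gateway records the client-authenticated handshake through CertificateVerify and signs the recording; the service provider, which never talked to the user, re-verifies the gateway's signature and then the user's CertificateVerify signature against the public key carried in the recorded client Certificate. The message bodies, the `transcript` encoding, and the textbook-RSA-over-SHA-256 "toy" signatures (Mersenne-prime moduli, no padding) are constructed stand-ins for real TLS structures and signature schemes.

```python
import hashlib

# Toy textbook-RSA signatures over SHA-256, constructed for this example only.
# Mersenne primes are a terrible choice for real keys, and real TLS uses padded
# signatures with >= 2048-bit moduli; the delegation flow, not the primitive, is the point.
def toy_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

CLIENT_KEY = toy_key(2**61 - 1, 2**89 - 1)     # the user's certificate key pair
GATEWAY_KEY = toy_key(2**107 - 1, 2**127 - 1)  # the gateway's recording-signing key pair

def toy_sign(key, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % key["n"]
    return pow(h, key["d"], key["n"])

def toy_verify(n, e, data, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h

def transcript(messages):
    # Concatenated handshake messages: the data CertificateVerify is computed over.
    return b"".join(t.encode() + b"\x00" + body + b"\xff" for t, body in messages)

def gateway_records_handshake():
    """Gateway side: client-authenticated TLS handshake with the user, keeping
    every message up to and including CertificateVerify for forwarding."""
    k = CLIENT_KEY
    msgs = [
        ("ClientHello", b"random-c"), ("ServerHello", b"random-s"),
        ("Certificate", b"gateway-cert"), ("CertificateRequest", b"rsa_sign"),
        ("ServerHelloDone", b""),
        ("Certificate", b"client-cert;%d;%d" % (k["n"], k["e"])),  # user's public key
        ("ClientKeyExchange", b"encrypted-premaster"),
    ]
    # The user proves possession of the certificate's private key over all prior messages.
    msgs.append(("CertificateVerify", str(toy_sign(k, transcript(msgs))).encode()))
    return msgs, toy_sign(GATEWAY_KEY, transcript(msgs))  # recording + gateway signature

def service_provider_reverifies(msgs, gateway_sig):
    """Service provider side: accept the delegated authentication only if the recording
    is complete, was signed by the trusted gateway, and the user's signature verifies."""
    if not msgs or msgs[-1][0] != "CertificateVerify":
        return False  # no proof of private-key possession in the recording
    seen_request, client_cert = False, None
    for kind, body in msgs:
        if kind == "CertificateRequest":
            seen_request = True
        elif kind == "Certificate" and seen_request:
            client_cert = body  # first Certificate after CertificateRequest is the user's
            break
    if client_cert is None:
        return False
    if not toy_verify(GATEWAY_KEY["n"], GATEWAY_KEY["e"], transcript(msgs), gateway_sig):
        return False  # recording was not signed by the trusted gateway
    _, n, e = client_cert.split(b";")
    return toy_verify(int(n), int(e), transcript(msgs[:-1]), int(msgs[-1][1]))
```

Any change to a recorded message, or a recording cut short of CertificateVerify, makes the service provider reject the delegation.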
Address: Redmond WA US