Systems and Methods for Providing Automated Access to Resources of Computer Systems
US-2024430261-A1 · Dec 26, 2024 · US
US10116658B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10116658-B2 |
| Application number | US-201514698956-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 29, 2015 |
| Priority date | Apr 29, 2015 |
| Publication date | Oct 30, 2018 |
| Grant date | Oct 30, 2018 |
Official abstract text for this publication.
A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.
Opening claim text (preview).
What is claimed is:

1. A credentials management system for managing privileged credentials for use in a ticket-based authentication protocol, comprising: at least one hardware processor configured to: receive a request issued by a client to access a target service in a network; determine that the request requires privileged access at the target service; determine, based at least in part on the request, a privileged credential accessible to the credentials management system, the privileged credential being associated with the client but not accessible to the client; communicate with an authentication service using the privileged credential to obtain a privileged access ticket on behalf of the client based on the privileged credential; receive the privileged access ticket from the authentication service, responsive to the authentication service authenticating the credentials management system based on the privileged credential; and forward the privileged access ticket to the client thereby enabling the client to access the target service using the privileged access ticket.

2. A credentials management system according to claim 1, wherein the at least one hardware processor is further configured to determine the privileged credential based on at least one of a group comprising: an authentication credential included in the request issued by the client, information included in the request identifying the target service, and parameters of the request indicating a request for privileged access to the target service.

3. A credentials management system according to claim 1, wherein the at least one hardware processor is further configured to: use the privileged credential to acquire a privileged provisioning ticket from the authentication service; request the privileged access ticket from the authentication service using the privileged provisioning ticket; and receive the privileged access ticket from the authentication service, responsive to the authentication service authenticating the credentials management system based on the privileged provisioning ticket.

4. A credentials management system according to claim 1, wherein the at least one hardware processor is further configured to perform at least one of: i) authenticate the client based on an authentication credential included in the request; ii) use said authentication credential to determine at least one of: an authorization of the client to access the target service and an authorization of the client to request the privileged access ticket; and iii) audit client activity on the credentials management system.

5. A credentials management system according to claim 1, wherein the credentials management system resides on one of: i) a server communicating over the network with an endpoint on which the client resides; ii) an endpoint machine on which the client resides; and iii) a server hosting the authentication service.

6. A credentials management system according to claim 1, wherein the request includes at least one credential accessible to the client and distinct from the privileged credential.

7. A credentials management system according to claim 6, wherein the at least one credential accessible to the client is associated with first operation permissions for the target service and the privileged credential is associated with second operation permissions for the target service that are more privileged than the first operation permissions.

8. A credentials management system according to claim 1, wherein the request includes a request for privileged access to the target service in the network.

9. The credentials management system of claim 1, wherein the at least one hardware processor is further configured to control access to the target service by another client using the privileged access ticket.

10. The credentials management system of claim 1, wherein the at least one hardware processor is further configured to determine whether the credentials management system has access to a privileged credential required for enabling the client to obtain privileged access at the target service.

11. A non-transitory computer readable medium storing instructions that, when executed by a processor associated with a credentials management service, cause the processor to perform operations for providing a client with a privileged access ticket to access a target service, the operations comprising: receiving a request issued by the client to access a target service in a network; determining that the request requires privileged access at the target service; determining, based at least in part on said request, a privileged credential accessible to the credentials management service, the privileged credential being associated with the client but not accessible to the client; acquiring, using the privileged credential, a privileged access ticket from an authentication service on behalf of the client; and forwarding the privileged access ticket to the client thereby enabling the client to access the target service using the privileged access ticket.

12. A computer readable medium according to claim 11, the operations further comprising acquiring, by the credentials management service, using the privileged credential, a privileged provisioning ticket from the authentication service.

13. A computer readable medium according to claim 12, the operations further comprising: i) sending a request for the privileged access ticket to the authentication service, wherein the request for the privileged access ticket includes the privileged provisioning ticket; and ii) receiving the privileged access ticket from the authentication service, responsive to the authentication service authenticating the credentials management service based on the privileged provisioning ticket.

14. A computer readable medium according to claim 11, wherein the request includes at least one credential accessible to the client and distinct from the privileged credential.

15. A computer readable medium according to claim 14, wherein the at least one credential accessible to the client is associated with first operation permissions for the target service and the privileged credential is associated with second operation permissions for the target service that are more privileged than the first operation permissions.

16. A computer readable medium according to claim 14, wherein the privileged credential is determined based on the at least one credential accessible to the client.

17. A computer readable medium according to claim 11, wherein the request includes a request for privileged access to the target service in the network.

18. A computer-implemented method for performing privileged authentication operations comprising: receiving, at a credential management service in a network, a client request issued by a client to access a target service in the network; determining that the request requires privileged access at the target service; determining, based at least in part on the client request, a privileged credential accessible to the credential management service, the privileged credential being associated with the client but not accessible to the client; communicating with an authentication service using the privileged credential to obtain a privileged access ticket on behalf of the client based on the privileged credential; receiving the privileged access ticket from the authentication service, responsive to the authentication service authenticating the credential management service based on the privileged credential; an
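The flow in the abstract and claims (client credential in, privileged credential looked up inside the CMS, PPT then PAT from the authentication service, only the PAT forwarded) is easier to see as a message exchange. The following is an added illustration written for this page, not code from the patent or its assignee: ticket format (HMAC-tagged JSON, loosely in the TGT/service-ticket roles the CPC tag's Kerberos reference suggests), the principal and service names, the `vault`/`policy` tables and every key are constructed assumptions.

```python
"""Toy model of the CMS ticket flow: the client holds only its own low-privilege
credential; the CMS holds the privileged credential, obtains a PPT and then a
PAT from the authentication service, and forwards only the PAT (claims 1, 3, 4, 10).
All names, keys and the ticket format are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time

def _tag(key: bytes, payload: dict) -> str:
    """Integrity tag over a canonical JSON encoding of a ticket payload."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _verify(key: bytes, ticket: dict, kind: str) -> dict:
    """Check ticket type, expiry and tag; return the payload or raise."""
    payload = ticket["payload"]
    if payload["type"] != kind or payload["exp"] < time.time():
        raise PermissionError(f"{kind} expired or wrong type")
    if not hmac.compare_digest(ticket["tag"], _tag(key, payload)):
        raise PermissionError(f"{kind} tag mismatch")
    return payload

class AuthenticationService:
    """Issues a PPT to any principal that proves its credential, and a PAT to any valid PPT holder."""
    def __init__(self):
        self._accounts: dict[str, str] = {}      # principal -> credential
        self._service_keys: dict[str, bytes] = {}  # service -> key shared with that service
        self._ppt_key = secrets.token_bytes(32)    # known only to the authentication service

    def register_principal(self, name: str, credential: str) -> None:
        self._accounts[name] = credential

    def register_service(self, name: str, key: bytes) -> None:
        self._service_keys[name] = key

    def issue_ppt(self, principal: str, credential: str) -> dict:
        if not hmac.compare_digest(self._accounts.get(principal, ""), credential):
            raise PermissionError("credential rejected")
        payload = {"type": "PPT", "principal": principal, "exp": time.time() + 600}
        return {"payload": payload, "tag": _tag(self._ppt_key, payload)}

    def issue_pat(self, ppt: dict, target: str) -> dict:
        principal = _verify(self._ppt_key, ppt, "PPT")["principal"]
        payload = {"type": "PAT", "principal": principal, "target": target, "exp": time.time() + 300}
        return {"payload": payload, "tag": _tag(self._service_keys[target], payload)}

class TargetService:
    """Accepts a PAT tagged with its own key; 'admin' needs a principal from its privileged set."""
    def __init__(self, name: str, key: bytes, privileged: set[str]):
        self.name, self._key, self._privileged = name, key, privileged

    def handle(self, pat: dict, op: str) -> str:
        payload = _verify(self._key, pat, "PAT")
        if payload["target"] != self.name:
            raise PermissionError("PAT issued for another service")
        if op == "admin" and payload["principal"] not in self._privileged:
            raise PermissionError(f"{payload['principal']} is not privileged on {self.name}")
        return f"{op} by {payload['principal']} ok"

class CredentialsManagementService:
    def __init__(self, auth, client_accounts: dict, vault: dict, policy: dict):
        self._auth = auth
        self._clients = client_accounts  # client -> its own credential (claim 4 i)
        self._vault = vault              # (client, target) -> (privileged principal, credential); never returned
        self._policy = policy            # client -> targets it may request privileged access to (claim 4 ii)
        self.audit: list[tuple] = []     # claim 4 iii

    def request_access(self, client: str, credential: str, target: str) -> dict:
        if not hmac.compare_digest(self._clients.get(client, ""), credential):
            raise PermissionError("client authentication failed")
        if target not in self._policy.get(client, set()):
            self.audit.append((client, target, "denied"))
            raise PermissionError("client not authorized for privileged access")
        if (client, target) not in self._vault:                      # claim 10
            raise LookupError("no privileged credential held for this client/target")
        priv_principal, priv_credential = self._vault[(client, target)]
        ppt = self._auth.issue_ppt(priv_principal, priv_credential)  # claim 3: PPT with the privileged credential
        pat = self._auth.issue_pat(ppt, target)                      # then PAT using the PPT
        self.audit.append((client, target, f"PAT as {priv_principal}"))
        return pat                                                   # PPT and credential stay inside the CMS

def demo() -> dict:
    """Constructed scenario: the same client credential used directly and via the CMS."""
    auth, db_key = AuthenticationService(), secrets.token_bytes(32)
    auth.register_service("db", db_key)
    auth.register_principal("alice", "alice-pw")
    auth.register_principal("db-admin", "vault-only-secret")
    db = TargetService("db", db_key, privileged={"db-admin"})
    cms = CredentialsManagementService(auth, {"alice": "alice-pw"},
                                       {("alice", "db"): ("db-admin", "vault-only-secret")}, {"alice": {"db"}})
    own_pat = auth.issue_pat(auth.issue_ppt("alice", "alice-pw"), "db")  # direct path: PAT for alice only
    try:
        direct_admin = db.handle(own_pat, "admin")
    except PermissionError as e:
        direct_admin = f"refused: {e}"
    pat = cms.request_access("alice", "alice-pw", "db")                 # CMS path: PAT for db-admin
    return {"direct_read": db.handle(own_pat, "read"), "direct_admin": direct_admin,
            "cms_admin": db.handle(pat, "admin"), "pat_principal": pat["payload"]["principal"],
            "secret_leaked": "vault-only-secret" in json.dumps(pat), "audit": cms.audit}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The point the model makes is the one the claims turn on: the PAT the client receives is bound to the privileged principal, but the privileged credential and the PPT never leave the CMS, and the CMS can authenticate, authorize and audit the client before spending that credential.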
for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title
for controlling access to devices or network resources · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title