Mobile device user strong authentication for accessing protected network resources
US-2015215128-A1 · Jul 30, 2015 · US
US9860249B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9860249-B2 |
| Application number | US-201615192623-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 24, 2016 |
| Priority date | Oct 24, 2012 |
| Publication date | Jan 2, 2018 |
| Grant date | Jan 2, 2018 |
Abstract:
A system and method for secure authentication facilitates improving the security of authentication between a client and a target by using an innovative authentication module on a proxy. The client can connect to the proxy using a native protocol and provides client credentials to the proxy. The proxy uses an authentication module to authenticate the client and then to provide target access credentials for proxy-target authentication, thereby giving the client access to the target through the proxy. The invention facilitates connection between the client and the target without requiring the client to be in possession of the target access credentials. The proxy can optionally be connected to a privileged access management system which can provide and/or store target access credentials. Proxy-provided target access credentials facilitate preventing a client security breach from exposing target access credentials.
Claims (preview):

What is claimed is:

1. A proxy system comprising: at least one processor configured to: receive from a client, via a native protocol, a first access request requesting access by the client to a target application; determine target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application; provide to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and responsive to the proxy system being authenticated to the target application based on the target application access credentials, establish access for the client to the target application through the proxy system and via the native protocol, wherein the access is consistent with the policy and is established based on the target application access credentials, and the client is not exposed to the target application access credentials.
2. The proxy system of claim 1, wherein the first access request comprises client access credentials associated with a user, and the client access credentials comprise a communication feature associated with the first access request.
3. The proxy system of claim 1, wherein providing the second access request comprises providing the second access request via the native protocol.
4. The proxy system of claim 1, wherein: the first access request comprises a plurality of communication features; and determining the target application access credentials comprises determining the target application access credentials based on at least some of the plurality of communication features.
5. The proxy system of claim 4, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises identifying the target application access credentials in a database based on at least some of the plurality of communication features.
6. The proxy system of claim 4, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises transforming at least some of the plurality of communication features according to an algorithm to produce the target application access credentials.
7. The proxy system of claim 1, wherein establishing access for the client to the target application comprises establishing a first logical communication link between the client and the proxy system and establishing a second logical communication link between the proxy system and the target application.
8. The proxy system of claim 1, wherein the proxy system comprises a privileged access management system.
9. The proxy system of claim 1, wherein the at least one processor is further configured to monitor the access to the target application through the proxy system.
10. The proxy system of claim 9, wherein the at least one processor is further configured to: based on the monitoring, detect suspicious activity; and in response to detecting suspicious activity, issue an alert.
11. A non-transitory computer readable medium including instructions that, when executed by at least one processor of a proxy system, cause the at least one processor to perform operations comprising: receiving from a client, via a native protocol, a first access request requesting access by the client to a target application; determining target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application; providing to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and responsive to the proxy system being authenticated to the target application based on the target application access credentials, establishing access for the client to the target application via the native protocol, wherein the access is consistent with the policy and is established based on the target application access credentials, and the client is not exposed to the target application access credentials.
12. The non-transitory computer readable medium of claim 11, wherein providing the second access request comprises providing the second access request via the native protocol.
13. The non-transitory computer readable medium of claim 11, wherein: the first access request comprises a plurality of communication features; and determining the target application access credentials comprises determining the target application access credentials based on at least some of the plurality of communication features.
14. The non-transitory computer readable medium of claim 13, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises identifying the target application access credentials in a database based on at least some of the plurality of communication features.
15. The non-transitory computer readable medium of claim 13, wherein determining the target application access credentials based on at least some of the plurality of communication features comprises transforming at least some of the plurality of communication features according to an algorithm to produce the target application access credentials.
16. The non-transitory computer readable medium of claim 13, wherein the plurality of communication features comprise one or more of a content of the first access request; an access request time of the first access request; an identity of the client; an identity of the target application; and the native protocol.
17. The non-transitory computer readable medium of claim 11, wherein establishing access for the client to the target application comprises establishing a first logical communication link between the client and the proxy system and establishing a second logical communication link between the proxy system and the target application.
18. The non-transitory computer readable medium of claim 11, wherein the operations further comprise monitoring the access to the target application.
19. The non-transitory computer readable medium of claim 18, wherein the operations further comprise: based on the monitoring, detecting suspicious activity; and in response to detecting suspicious activity, issuing an alert.
20. The non-transitory computer readable medium of claim 19, wherein the operations further comprise, further in response to detecting suspicious activity, terminating the access to the target application.
21. A computer-implemented method comprising: receiving from a client, by a proxy system via a native protocol, a first access request requesting access by the client to a target application; determining target application access credentials based at least in part on the first access request and a policy enforced by the proxy system, wherein the target application access credentials are effective to authenticate the proxy system to the target application; providing to the target application a second access request requesting access to the target application, wherein the second access request comprises the target application access credentials; and responsive
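The brokered flow described in the abstract and claims above, as an added Python example that is not part of the patent or of any product: a toy proxy authenticates the client with the client's own credentials, enforces a policy over the request's communication features (client, target, protocol), looks the target credentials up in a vault and authenticates itself to the target, then hands the client a session object that carries no target credential; a constructed command allowlist stands in for the claimed monitoring, alerting and termination. The names AccessRequest, Target, Session and Proxy are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessRequest:        # the "first access request" of claim 1
    client_id: str
    client_secret: str      # client credentials: checked by the proxy, never forwarded
    target_id: str
    protocol: str           # native protocol the client speaks, e.g. "ssh"

class Target:               # hypothetical stand-in target application checking its own credential
    def __init__(self, password):
        self._password = password
    def authenticate(self, password):   # receives the "second access request"
        return hmac.compare_digest(self._password, password)

@dataclass
class Session:              # opaque handle returned to the client; holds no target credential
    session_id: str
    client_id: str
    target_id: str
    alerts: list = field(default_factory=list)
    active: bool = True

class Proxy:
    def __init__(self, clients, policy, vault, targets):
        self.clients, self.policy = clients, policy   # client secrets; allowed (client, target, protocol)
        self.vault, self.targets = vault, targets     # target credentials by target_id; Target objects

    def connect(self, req):
        # 1. authenticate the client to the proxy with the client's own credentials
        if not hmac.compare_digest(self.clients.get(req.client_id, ""), req.client_secret):
            raise PermissionError("client authentication failed")
        # 2. enforce policy on the request's communication features (claims 4 and 16)
        if (req.client_id, req.target_id, req.protocol) not in self.policy:
            raise PermissionError("policy denies this access")
        # 3. look up target credentials (claim 5) and authenticate the proxy, not the client
        if not self.targets[req.target_id].authenticate(self.vault[req.target_id]):
            raise PermissionError("proxy could not authenticate to the target")
        return Session(secrets.token_hex(8), req.client_id, req.target_id)

    def relay(self, session, command, allowed=("status", "ls", "cat")):
        # monitoring (claims 9, 10, 20): constructed allowlist rule; alert and terminate otherwise
        if not session.active:
            raise ConnectionError("session has been terminated")
        if (command.split() or [""])[0] not in allowed:
            session.alerts.append(f"suspicious command: {command!r}")
            session.active = False
            return "terminated"
        return f"{session.target_id}: ran {command!r}"
```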
CPC classification titles:

- User authentication
- by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- Proxies
- for controlling access to devices or network resources
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)