Many client-server systems use authentication tokens to uniquely identify clients to the server. Such tokens are provided by the server, and are stored on the clients, e.g., in system memory or on disk. An authentication token can be leased to a client for a period of time, or used by the client indefinitely. Examples of formats in which authentication tokens can be implemented are browser cookies and key stores.
Providing services through a cloud-based computing environment is becoming more prevalent today. In cloud computing, dynamically scalable resources are provided to users (e.g., clients) as a service over a cloud, which is typically the Internet or another large network. Cloud computing provides infrastructure and functionality as a service, mapping resources to individual users based on their real-time computing needs. Cloud computing services are typically provided to multiple users from one or more servers, accessed from a web browser or other interface, while the application(s) and corresponding data are stored on the servers. Users need not have knowledge of the underlying technology infrastructure “in the cloud” that supports them.
Like other computer networks, cloud computing environments are vulnerable to malicious users. Malicious users can query a cloud-based system excessively, trying to glean proprietary and/or confidential back-end data. Malicious users can also submit improper data to a cloud-based system, attempting to corrupt the back-end data store. To alleviate such concerns, a cryptographically secure, verifiable authentication token can be used. Such a token is generated by a server “in the cloud,” and distributed to clients.
When used by either client-server systems or cloud computing environments, authentication tokens are subject to theft, both when in transit, and while at rest on clients. If malicious software were to inspect or copy an authentication token, the malicious software could fraudulently simulate the authorized client, and engage in the very types of unauthorized back-end access the token is designed to prevent. It would be desirable to address these issues.