Updating stored passwords

US 10,075,432 B2
Filed: 07/13/2016
Issued: 09/11/2018
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A client device comprising:

an input/output device;

a processor communicatively coupled to the input/output device;

a memory storing executable instructions that, when executed by the processor,instantiate an authentication client module and a re-authentication client module, the authentication client module configured to;

generate a plain-text password;

generate a first hash value based on the plain-text password, the first hash value generated according to a first hash generating scheme, the first hash generating scheme defining a first hash function that generates a first hash value based on an input value;

request, via the input/output device, access to a network comprising a network access device according to an authentication protocol;

send, via the input/output device, the first hash value to the network access device;

modify the first hash generating scheme to produce a second hash generating scheme, the second hash generating scheme defining a second hash function different than the first hash function that generates a second hash value based on the input value; and

generate a second hash value based on the plain-text password according to the second hash generating scheme; and

the re-authentication client module configured to;

in response to a policy server operating on the network receiving both the first hash value and the second hash value from the client device and failing to authenticate both the first hash value and the second hash value, establish, via the input/output device, a secure HTTP connection between the client device and the policy server; and

transmit, via the input/output device, the plain-text password from the client device to the policy server over the secure HTTP connection.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

82 Citations

21 Claims

1. A client device comprising:
- an input/output device;
  
  a processor communicatively coupled to the input/output device;
  
  a memory storing executable instructions that, when executed by the processor,instantiate an authentication client module and a re-authentication client module, the authentication client module configured to;
  
  generate a plain-text password;
  
  generate a first hash value based on the plain-text password, the first hash value generated according to a first hash generating scheme, the first hash generating scheme defining a first hash function that generates a first hash value based on an input value;
  
  request, via the input/output device, access to a network comprising a network access device according to an authentication protocol;
  
  send, via the input/output device, the first hash value to the network access device;
  
  modify the first hash generating scheme to produce a second hash generating scheme, the second hash generating scheme defining a second hash function different than the first hash function that generates a second hash value based on the input value; and
  
  generate a second hash value based on the plain-text password according to the second hash generating scheme; and
  
  the re-authentication client module configured to;
  
  in response to a policy server operating on the network receiving both the first hash value and the second hash value from the client device and failing to authenticate both the first hash value and the second hash value, establish, via the input/output device, a secure HTTP connection between the client device and the policy server; and
  
  transmit, via the input/output device, the plain-text password from the client device to the policy server over the secure HTTP connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 21)
- - 2. The client device of claim 1, wherein the processor comprises a microprocessor or a hardware processing logic, and wherein the memory includes any one of a static memory, a dynamic memory, and an onboard cache for storing data and machine-readable instructions.
  - 3. The client device of claim 2, further comprising a network interface device comprising any one of a wired local area network interface device, a wired wide area network device, a wireless local area network interface device, a wireless wide area network interface device, and a cellular network interface device.
  - 4. The client device of claim 1, wherein generating the plain-text password comprises one of:
    - prompting a user of the client device to enter the plain-text password, retrieving the plain-text password from the memory, and retrieving the plain-text password from another module operating on the client device.
  - 5. The client device of claim 1, wherein the authentication protocol is any one of a challenge-handshake authentication protocol (CHAP), a Microsoft (MS) CHAP (MSCHAP) authentication protocol, or a MSCHAP Version 2 (MSCHAPv2) authentication protocol.
  - 6. The client device of claim 1, wherein the re-authentication client module is further configured to transmit the plain-text password from the client device to the policy server in either one of the Hyper-Text Markup Language (HTML) or the Hyper-Text Transfer Language (HTTP).
  - 7. The client device of claim 1, wherein the authentication client module is configured to generate the second hash value based on the plain-text password according to the second hash generating scheme by downloading to the client device and installing on the client device a software update of the authentication client module.
  - 8. The client device of claim 1, wherein the authentication client module is further configured to:
    - receive a challenge string from the policy server;
      
      store the challenge string on the memory; and
      
      generate each of a first cryptographic hash value of the challenge string and the plain-text password and a second cryptographic hash value of the challenge string and the plain-text password based on one of the first hash generating scheme and the second hash generating scheme.
  - 9. The client device of claim 8, wherein the authentication client module is further configured to transmit each of the first cryptographic hash value and the second cryptographic hash value to the policy server.
  - 10. The client device of claim 1, wherein the secure HTTP connection between the client device and a policy server is a temporary connection.
  - 11. The client device of claim 1, wherein the policy server is further configured to configure the secure HTTP connection between the client device and the policy server to prevent the network access device from modifying the plain-text password.
  - 12. The client device of claim 1, wherein the policy server is further configured to configure the secure HTTP connection between the client device and a policy server by establishing a virtual local area network (VLAN) between the authentication client module and the policy server.
  - 13. The client device of claim 1, wherein the policy server is further configured to configure the secure HTTP connection between the client device and the policy server by transmitting an access control list to the network access device.
  - 21. The client device of claim 1, wherein the second hash function is a function of the first hash function.

14. A method comprising:
- generating, by an authentication client module of a client device comprising at least one hardware processor, a plain-text password;
  
  generating, by the authentication client module, a first hash value based on the plain-text password according to a first hash generating scheme, the first hash generating scheme defining a first hash function that generates a first hash value based on an input value;
  
  requesting, via an input/output device of the client device, access to a network comprising a network access device according to an authentication protocol;
  
  sending, via the input/output device, the first hash value to the network access device;
  
  modifying, by the authentication client module, the first hash generating scheme to produce a second hash generating scheme, the second hash generating scheme defining a second hash function different than the first hash function that generates a second hash value based on the input value;
  
  generating, by the authentication client module, a second hash value based on the plain-text password according to the second hash generating scheme;
  
  establishing, by a policy server communicatively coupled to the client device via a network, a secure HTTP connection between a re-authentication module of the client device and the policy server in response to the policy server receiving both the first hash value and the second hash value and failing to authenticate both the first hash value and the second hash value from the client device; and
  
  transmitting, by the re-authentication client module via the input/output device, the plain-text password from the client device to the policy server over the secure HTTP connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein generating the plain-text password comprises one of:
    - prompting a user of the client device to enter the plain-text password, retrieving the plain-text password from the memory, and retrieving the plain-text password from another module operating on the client device.
  - 16. The method of claim 14, wherein the authentication protocol is any one of a challenge-handshake authentication protocol (CHAP), a Microsoft (MS) CHAP (MSCHAP) authentication protocol, or a MSCHAP Version 2 (MSCHAPv2) authentication protocol.
  - 17. The method of claim 14, wherein the plain-text password is transmitted from the client device to the policy server in either one of the Hyper-Text Markup Language (HTML) or the Hyper-Text Transfer Language (HTTP).
  - 18. The method of claim 14, wherein the second hash value is generated based on the plain-text password according to the second hash generating scheme by downloading to the client device and installing on the client device a software update of the authentication client module.
  - 19. The method of claim 14, wherein the secure HTTP connection between the client device and a policy server is a temporary connection.
  - 20. The method of claim 14, wherein the secure HTTP connection between the client device and a policy server is configured to prevent the network access device from modifying the plain-text password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Tsang, Andy, Chickering, Roger A., Kahn, Clifford E., Venable, Sr., Jeffrey C.
Primary Examiner(s)
Sholeman, Abu

Application Number

US15/208,735
Publication Number

US 20160323263A1
Time in Patent Office

790 Days
Field of Search

713185
US Class Current
CPC Class Codes

G06F 16/137   Hash-based content-based in...

H04L 63/083   using passwords cryptograph...

H04L 63/126   the source of the received ...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Updating stored passwords

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Updating stored passwords

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others