Detection of duplicate client identities in a communication system
Abstract
A system for detecting clones in a communication network. The system includes a KDC (key distribution center) coupled to clients and application servers through the communication network. When a client wishes to access an application server, it contacts the KDC, which verifies whether the client is authorized to access that application server; in one aspect, this verification is done by performing an authenticated Diffie-Hellman key exchange. After the client is authenticated, the KDC issues a ticket containing a session key. In one aspect, the ticket is valid for a designated duration; in another aspect, the KDC simply records when the ticket was issued. After the ticket is issued, the client uses the session key to authenticate its access request and to access the application server. A clone wishing to access the application server must contact the KDC to perform its own authenticated key agreement and obtain a ticket with a new random session key. The clone, having duplicated the identity of the client, contacts the KDC to request access to the application server. The KDC then checks whether this access request arrives prior to expiration of the ticket previously issued to the authorized client; if so, the access request is flagged as a possible fraudulent request. In this manner, the present invention grants access to authorized clients while preventing access to unauthorized clients. Cloning detection may take place at the KDC, or at the application server to which access is being sought.
26 Claims
1. A method for detecting clones (unauthorized duplicate identities) of the client, the method comprising:
- forwarding a first signal from a client to a KDC, the first signal for requesting access to a server;
- verifying that the client is authorized to access the server;
- transmitting a ticket from the KDC to the client, the ticket for providing access to the server, wherein the ticket is valid for a time T;
- receiving a second signal from an entity, the second signal for requesting access to the server, wherein the entity has identifying information identical to the client; and
- if the second request is received prior to expiration of the time T, either marking the entity as a possible clone or denying the second request in order to prevent access to the server.

Dependent claims: 2, 3, 11, 24, 25

4. A system for detecting clones of a client within a communication network, the system comprising:
- a KDC;
- an application server communicably coupled to the KDC;
- a client for providing a first request to access the application server;
- responsive to the first request, the KDC forwarding a first ticket for accessing the application server, the first ticket being valid for a time duration T;
- the KDC receiving a second request to access the application server, the second request being received from an entity having identifying information identical to the client; and
- if the second request is received during time T, the KDC denying the second request to prevent the entity from accessing the application server.

Dependent claims: 5, 6, 7, 8, 9, 10, 12

13. A system for detecting clones (duplicate identities) of an authorized computing device in a communication network, the system comprising:
- a first computing device;
- a second computing device authorized to access the first computing device;
- a key management means for providing to the second computing device a session key for accessing the first computing device, the session key being invalid after a period T;
- the key management means receiving one or more requests from an entity to access the first computing device, the entity having identifying information identical to the second computing device; and
- the key management means permitting the entity to access the first computing device, provided the number of access requests received during period T is M or fewer.

Dependent claims: 14, 15, 16, 17

18. A system for detecting clones of a client within a communication network, the system comprising:
- a KDC;
- a server communicably coupled to the KDC;
- a client for receiving a ticket from the KDC, wherein the ticket is for accessing the server and is valid for a time duration T;
- the server receiving from the client a first request to access the server, the first request being accompanied by the ticket;
- the server recording the time duration T for which the ticket is valid;
- the server receiving from an entity a second request to access the server, the entity having identifying information identical to the client, and the server either flagging or denying the second request to prevent access to the server if the second request is received during the time duration T.

Dependent claims: 19, 20, 21, 26

22. A method for detecting clones in a communication network, the method comprising:
- providing a ticket to an authorized client, the ticket for accessing a KDC, the ticket having a session key valid for a time duration T;
- receiving a request to access the KDC, the request being received from an entity with the same identifying information as the authorized client; and
- if the request is received during time T, flagging the entity as a possible clone or denying the request to access the KDC.

Dependent claims: 23
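The ticket-lifetime check described in the abstract and in claims 1, 4, 13 and 18, modelled as an added Python example (illustrative code written for this page, not the patent's own implementation). The class names, the threshold `M` from claim 13, and the use of the session key to tell a clone's freshly issued ticket from the legitimate client's ticket are assumptions of this model.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Ticket:
    client_id: str
    session_key: bytes   # fresh random key per ticket, as in the abstract
    issued_at: float
    lifetime: float      # validity period T, in seconds

    def expires_at(self) -> float:
        return self.issued_at + self.lifetime


@dataclass
class CloneDetectingKDC:
    """Hypothetical KDC that remembers when it issued tickets per identity
    (claims 1 and 4; M > 1 gives the threshold variant of claim 13)."""
    ticket_lifetime: float = 300.0       # T
    max_requests_per_period: int = 1     # M: tickets allowed per identity within T
    _issued: dict = field(default_factory=dict)  # client_id -> issue times still within T

    def request_ticket(self, client_id: str, authorized: bool, now: float):
        if not authorized:               # authenticated key exchange failed
            return "unauthorized", None
        live = [t for t in self._issued.get(client_id, [])
                if now < t + self.ticket_lifetime]
        if len(live) >= self.max_requests_per_period:
            self._issued[client_id] = live
            return "possible_clone", None  # same identity, earlier ticket still valid
        self._issued[client_id] = live + [now]
        return "granted", Ticket(client_id, secrets.token_bytes(16), now, self.ticket_lifetime)


@dataclass
class CloneDetectingServer:
    """Hypothetical application-server variant (claim 18): records the validity of the
    first ticket seen per identity and flags a *different* ticket for that identity
    arriving while the first is still valid (assumption: a clone holds its own ticket)."""
    _seen: dict = field(default_factory=dict)  # client_id -> (session_key, expiry)

    def access(self, ticket: Ticket, now: float) -> str:
        if now >= ticket.expires_at():
            return "expired"
        seen = self._seen.get(ticket.client_id)
        if seen is not None and now < seen[1] and seen[0] != ticket.session_key:
            return "possible_clone"
        if seen is None or now >= seen[1]:
            self._seen[ticket.client_id] = (ticket.session_key, ticket.expires_at())
        return "granted"
```

With M = 1 a legitimate client that loses its ticket and re-requests within T is also flagged; that false positive is the trade-off the threshold M of claim 13 addresses.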
Specification