Method and system for binding kerberos-style authenticators to single clients
Abstract
A method and system are directed towards enabling authentication in a distributed environment. The method employs a hashed salted password associated with a user in part to pre-authenticate the user. If the user is pre-authenticated, a ticket is transmitted to a client. The ticket includes a cryptographic digest of a concatenation of the local and remote addresses that is exclusive-or'ed with a timestamp to generate a modified authenticator. The modified authenticator is directed at binding the timestamp to the client to minimize reuse of an authenticator. A packet that includes the authenticator is sent to a server. The server is configured to determine another remote and local IP address associated with the packet. Employing the remote and local addresses, the server extracts the timestamp from the modified authenticator. If the timestamp is within a pre-determined time window, the user may be authenticated.
31 Claims
1. A method for authenticating a client, comprising:
- receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client;
- determining a remote address and a local address associated with the client;
- decrypting the modified authenticator with the hashed salted password; and
- employing the remote address, local address, and decrypted modified authenticator to authenticate the client.
(Dependent claims 2 through 15.)
16. A system for authenticating a client over a network, comprising:
- a client that is configured to communicate an authentication request; and
- an application authentication server that is configured to perform actions, including:
- receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client;
- determining the remote address and the local address associated with the client;
- decrypting the modified authenticator with the hashed salted password; and
- employing the remote address, local address, and the timestamp to authenticate the client.
(Dependent claims 17 through 26.)

27. A computer-readable medium having stored thereon a data structure comprising data fields representing a ticket granting ticket that is issued to a computer for a user, including an authentication data field containing data representing a timestamp, a remote IP address, and a local IP address associated with the computer for the user.
31. An apparatus for authenticating a client, comprising:
- a means for receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by a means for combining the timestamp with a remote address and a local address associated with the client;
- a means for determining a remote address and a local address associated with the client;
- a means for decrypting the modified authenticator with the hashed salted password; and
- a means for employing the remote address, local address, and decrypted modified authenticator to authenticate the client.
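As an added illustration of the construction described in the abstract and in claims 1 and 16 (this is example code, not code from the patent), the following Python models both sides: the client XORs a digest of its local and remote addresses with the timestamp and seals the result under a key derived from the salted password; the server re-derives the digest from the addresses it observes on the packet, recovers the timestamp, and checks the time window. The KDF (PBKDF2), the cipher (an HMAC-derived keystream used as a stand-in), the address encoding and the 300-second window are all assumptions, since the page specifies none of them.

```python
import hashlib
import hmac
import os
import struct

DIGEST_LEN = 32
NONCE_LEN = 16
WINDOW_SECONDS = 300  # assumed "pre-determined time window"; the page gives no value


def derive_key(password: str, salt: bytes) -> bytes:
    """'Hashed salted password' modelled as PBKDF2 (assumption: the page names no KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def address_digest(client_ip: str, server_ip: str) -> bytes:
    """Cryptographic digest of the concatenated client-side local and remote addresses."""
    return hashlib.sha256(f"{client_ip}|{server_ip}".encode()).digest()


def bind_timestamp(ts: int, client_ip: str, server_ip: str) -> bytes:
    """Client side: modified authenticator = digest(local || remote) XOR zero-padded timestamp."""
    ts_block = struct.pack(">Q", ts).rjust(DIGEST_LEN, b"\x00")
    return bytes(a ^ b for a, b in zip(address_digest(client_ip, server_ip), ts_block))


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified cipher: one HMAC-derived 32-byte keystream block."""
    stream = hmac.new(key, nonce, "sha256").digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def seal_authenticator(key: bytes, modified_auth: bytes) -> bytes:
    """Encrypt the modified authenticator with the hashed salted password; nonce is prepended."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_stream(key, nonce, modified_auth)


def verify_authenticator(blob: bytes, key: bytes, src_ip: str, dst_ip: str, now: int) -> bool:
    """Server side. src_ip/dst_ip are the packet's addresses as observed by the server
    (its remote and local address), never values carried inside the request body."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    modified_auth = xor_stream(key, nonce, ciphertext)
    ts_block = bytes(a ^ b for a, b in zip(modified_auth, address_digest(src_ip, dst_ip)))
    # The padding must cancel to zero: an authenticator replayed from a different address,
    # or decrypted with the wrong key, leaves digest noise here and is rejected outright.
    if any(ts_block[:-8]):
        return False
    ts = struct.unpack(">Q", ts_block[-8:])[0]
    return abs(now - ts) <= WINDOW_SECONDS
```

Because the addresses enter only through the digest, the same sealed authenticator presented from another source address recovers a different, out-of-window timestamp, which is the binding the abstract describes.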
Specification