Method and system for binding kerberos-style authenticators to single clients

US 20030172269A1
Filed: 12/11/2002
Published: 09/11/2003
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a client, comprising:

receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client;

determining a remote address and a local address associated with the client;

decrypting the modified authenticator with the hashed salted password; and

employing the remote address, local address, and decrypted modified authenticator to authenticate the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are directed towards enabling authentication in a distributed environment. The method employs a hashed salted password associated with a user in part to pre-authenticate the user. If the user is pre-authenticated, a ticket is transmitted to a client. The ticket includes a cryptographic digest of a concatenation of the local and remote addresses that is exclusive or'"'"'ed with a timestamp to generate a modified authenticator. The modified authenticator is directed at binding the timestamp to the client to minimize reuse of an authenticator. A packet that includes the authenticator is sent to a server. The server is configured to determine another remote and local IP address associated with the packet. Employing the remote and local addresses, the server extracts the timestamp from the modified authenticator. If the timestamp is within a pre-determined time window, the user may be authenticated.

114 Citations

View as Search Results

31 Claims

1. A method for authenticating a client, comprising:
- receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client;
  
  determining a remote address and a local address associated with the client;
  
  decrypting the modified authenticator with the hashed salted password; and
  
  employing the remote address, local address, and decrypted modified authenticator to authenticate the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein employing the remote address, local address, and decrypted modified authenticator to authenticate the client further comprises:
    - concatenating the remote address with the local address associated with the client;
      
      determining a cryptographic digest associated with the concatenated addresses;
      
      combining the cryptographic digest with a timestamp associated with the modified authenticator; and
      
      if the timestamp is within a pre-determined time window, authenticating the client.
  - 3. The method of claim 2, wherein combining further comprises exclusive or'"'"'ing the cryptographic digest with the timestamp.
  - 4. The method of claim 2, wherein determining the cryptographic digest further comprises determining a hash based on at least one of a Secure Hash Algorithm, Message Digest (MD), Korean Hash Algorithm Standard (KAS), and Tiger.
  - 5. The method of claim 1, wherein employing the remote address, local address, and decrypted modified authenticator to authenticate the client further comprises:
    - determining a timestamp associated with the modified authenticator; and
      
      when the client is behind a network address translator, authenticating the client when the timestamp is equal to a stored timestamp; and
      
      when the client is not behind the network address translator, authenticating the client.
  - 6. The method of claim 1, wherein determining a remote address associated with the client further comprises extracting an address from a packet header associated with the authentication request from the client.
  - 7. The method of claim 6, wherein the packet header is a TCP/IP packet header.
  - 8. The method of claim 6, wherein the remote address is a source IP address in the packet header.
  - 9. The method of claim 1, further comprising providing the authenticated client with a ticket that enables the client to access content, wherein the ticket comprises at least one of a client readable portion, server readable portion, and another modified authenticator.
  - 10. The method of claim 9, wherein other modified authenticator is encrypted employing a session key, wherein the session key is encrypted within the server readable portion of the ticket.
  - 11. The method of claim 9, wherein the client readable portion is encrypted employing the hashed salted password associated with the user.
  - 12. The method of claim 9, wherein the server readable portion is encrypted employing a digital public encryption key.
  - 13. The method of claim 9, wherein the server readable portion is digitally signed.
  - 14. The method of claim 1, wherein the hashed salted password is hashed based on at least one of a Secure Hash Algorithm, Message Digest (MD), Korean Hash Algorithm Standard (KAS), and Tiger.
  - 15. The method of claim 1, wherein receiving an authentication request further comprises forwarding the authentication request through a server.

16. A system for authenticating a client over a network, comprising:
- a client that is configured to communicate an authentication request; and
  
  an application authentication server that is configured to perform actions, including;
  
  receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client;
  
  determining the remote address and the local address associated with the client;
  
  decrypting the modified authenticator with the hashed salted password; and
  
  employing the remote address, local address, and the timestamp to authenticate the client.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The system of claim 16, wherein the application authentication server further comprises:
    - (a) an authentication server, that is configured to employ the remote address, local address, and the timestamp to authenticate the client, and to perform actions, including;
      
      (i) generating a ticket-granting ticket, wherein the ticket-granting ticket includes another modified authenticator that comprises another timestamp, remote address, and the local address associated with the client; and
      
      (b) a ticket-granting server that is enabled to receive the ticket-granting ticket, and to perform actions, including;
      
      (i) decrypting the other modified authenticator with a session key associated with the ticket-granting ticket;
      
      (ii) authenticating the client based in part on the remote address, local address, and decrypted other modified authenticator; and
      
      (iii) if the client is authentic, providing a content ticket to the client, wherein the content ticket enables the client to access content.
  - 18. The system of claim 16, wherein employing the remote address, local address, and timestamp to authenticate the client further comprises:
    - concatenating the remote address with the local address associated with the client;
      
      determining a cryptographic digest associated with the concatenated addresses;
      
      combining the cryptographic digest with a timestamp associated with the modified authenticator; and
      
      if the timestamp is within a pre-determined time window, authenticating the client.
  - 19. The system of claim 18, wherein combining further comprises exclusive or'"'"'ing the cryptographic digest with the timestamp.
  - 20. The system of claim 16, wherein determining the cryptographic digest further comprises determining a hash based on at least one of a Secure Hash Algorithm, Message Digest (MD), Korean Hash Algorithm Standard (KAS), and Tiger.
  - 21. The system of claim 16, wherein employing the remote address, local address, and decrypted modified authenticator to authenticate the client further comprises:
    - determining a timestamp associated with the modified authenticator; and
      
      when the client is behind a network address translator, authenticating the client when the timestamp is equal to a stored timestamp; and
      
      when the client is not behind the network address translator, authenticating the client.
  - 22. The system of claim 16, wherein determining a remote address associated with the client further comprises extracting an address from a packet header associated with the authentication request from the client.
  - 23. The system of claim 22, wherein the packet header is a TCP/IP packet header.
  - 24. The system of claim 16, wherein the application authentication server is configured to perform further actions, including providing the authenticated client with a ticket that enables the client to access content, wherein the ticket comprises at least one of a client readable portion, server readable portion, and another modified authenticator.
  - 25. The system of claim 24, wherein other modified authenticator is encrypted employing a session key, wherein the session key is encrypted within the server readable portion of the ticket.
  - 26. The system of claim 24, wherein the server readable portion is encrypted employing a digital public encryption key.

27. A computer-readable medium having stored thereon a data structure comprising data fields representing a ticket granting ticket that is issued to a computer for a user, including an authentication data field containing data representing a timestamp, a remote IP address, and a local IP address associated with the computer for the user.
- View Dependent Claims (28, 29, 30)
- - 28. The computer-readable medium of claim 27, wherein the data representing an IP remote address and an local IP address further comprises a timestamp associated with the user that is exclusive or'"'"'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the computer for the user.
  - 29. The computer-readable medium of claim 27, wherein the authentication data field is encrypted with at least one of a hashed salted user'"'"'s password and a session key.
  - 30. The computer-readable medium of claim 27, wherein the data structure further comprising:
    - a client readable data field, wherein the client readable data field is encrypted using a hashed salted password associated with the user;
      
      a server readable data field, wherein the server readable data field includes a session key to decrypt the authentication data field.

31. An apparatus for authenticating a client, comprising:
- a means for receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by a means for combining the timestamp with a remote address and a local address associated with the client;
  
  a means for determining a remote address and a local address associated with the client;
  
  a means for decrypting the modified authenticator with the hashed salted password; and
  
  a means for employing the remote address, local address, and decrypted modified authenticator to authenticate the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valve Corporation
Original Assignee
Valve Corporation
Inventors
Newcombe, Christopher Richard

Granted Patent

US 7,392,390 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 2463/101   applying security measures ...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0896   Bandwidth or capacity manag...

H04L 61/2514   between local and global IP...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0846   using time-dependent-passwo...

H04L 63/123   received data contents, e.g...

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/289   Intermediate processing fun...

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

H04L 67/53   using third party service p...

H04L 67/55 : Push-based network services

H04L 67/564 : Enhancement of application ...

H04L 67/5681 : Pre-fetching or pre-deliver...

H04L 67/62 : Establishing a time schedul...

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

View All

Method and system for binding kerberos-style authenticators to single clients

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for binding kerberos-style authenticators to single clients

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links