Automatic centralized authentication challenge response generation

US 20060212701A1
Filed: 03/18/2005
Published: 09/21/2006
Est. Priority Date: 03/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a first device to a second device in a computer network comprising at least the first and second devices and an authentication server, the method comprising:

receiving at the first device a challenge from the second device;

transmitting from the first device to the authentication server a request to generate a response to the received challenge;

receiving from the authentication server a reply to the request; and

terminating the authentication attempt or forwarding at least a portion of the reply containing a response to the second device based on the reply from the authentication server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A centralized challenge response verification server such as a RADIUS server is used to generate challenge responses as well as to verify challenge responses. In this way, the requirement for all machines to maintain a set of shared secrets corresponding to all potential peers is eliminated. In an embodiment of the invention, an authentication plug-in extends the RADIUS server to accept a challenge from an authenticatee and to generate a response to that challenge. The RADIUS server also acts to accept a challenge response and to verify that response. In an embodiment of the invention, a name service server maintains information regarding the network, and may also maintain an identification of network zones and storage profiles within which devices may intercommunicate or other network information.

45 Citations

View as Search Results

20 Claims

1. A method of authenticating a first device to a second device in a computer network comprising at least the first and second devices and an authentication server, the method comprising:
- receiving at the first device a challenge from the second device;
  
  transmitting from the first device to the authentication server a request to generate a response to the received challenge;
  
  receiving from the authentication server a reply to the request; and
  
  terminating the authentication attempt or forwarding at least a portion of the reply containing a response to the second device based on the reply from the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein transmitting from the first device to the authentication server a request to generate a response to the received challenge comprises forwarding the challenge to the authentication server.
  - 3. The method of claim 2 further comprising the first device providing authentication information to authenticate itself to the authentication server.
  - 4. The method according to claim 1, further comprising prior to receiving at the first device a challenge from the second device, the step of transmitting from the first device to the second device an access request.
  - 5. The method of claim 1, wherein at least one of the first and second devices is a data storage device.
  - 6. The method of claim 1, wherein the network comprises a storage area network, and receiving at the first device a challenge from the second device comprises receiving a CHAP challenge from the second device.
  - 7. The method of claim 1, wherein terminating the authentication attempt or forwarding at least a portion of the reply containing a response to the second device based on the reply from the authentication server comprises forwarding a response to the second device if the reply from the server includes a response to the challenge, and otherwise terminating the authentication attempt.
  - 8. The method of claim 1, further comprising:
    - transmitting a challenge from the first device to the second device;
      
      receiving a challenge response from the second device;
      
      forwarding the challenge response from the second device to the authentication server;
      
      receiving a reply from the authentication server; and
      
      based on the reply from the authentication server, determining whether the second device is authenticated.

9. A computer-readable medium having thereon computer-readable instruction for performing a method of authenticating a first device to a second device in a computer network comprising at least the first and second devices and an authentication server, the instructions comprising instructions for:
- receiving at the first device a challenge from the second device;
  
  transmitting from the first device to the authentication server a request to generate a response to the received challenge;
  
  receiving from the authentication server a reply to the request; and
  
  terminating the authentication attempt or forwarding at least a portion of the reply containing a response to the second device based on the reply from the authentication server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium according to claim 9, wherein the instructions for transmitting from the first device to the authentication server a request to generate a response to the received challenge comprise instructions for forwarding the challenge to the authentication server.
  - 11. The computer-readable medium of claim 10 further comprising instructions for the first device providing authentication information to authenticate itself to the authentication server.
  - 12. The computer-readable medium according to claim 9, the instructions further comprising instructions for transmitting from the first device to the second device an access request prior to receiving at the first device a challenge from the second device.
  - 13. The computer-readable medium of claim 9, wherein at least one of the first and second devices is a data storage device.
  - 14. The computer-readable medium of claim 9, wherein the network comprises a storage area network, and the instructions for receiving at the first device a challenge from the second device comprise instructions for receiving a CHAP challenge from the second device.
  - 15. The computer-readable medium of claim 9, wherein the instructions for terminating the authentication attempt or forwarding at least a portion of the reply containing a response to the second device based on the reply from the authentication server comprise instructions for forwarding a response to the second device if the reply from the server includes a response to the challenge, and otherwise terminating the authentication attempt.
  - 16. The computer-readable medium of claim 9, further comprising instructions for:
    - transmitting a challenge from the first device to the second device;
      
      receiving a challenge response from the second device;
      
      forwarding the challenge response from the second device to the authentication server;
      
      receiving a reply from the authentication server; and
      
      based on the reply from the authentication server, determining whether the second device is authenticated.

17. A method of mutual authentication of at least two devices in a network, at least one having data storage facilities, so that at least one device is granted access to at least a portion of the storage facilities of the other device, the method comprising:
- sending a challenge from a first device to a second device based on a secret known to the first device and not to the second device;
  
  at the second device, forwarding the challenge to a first authentication server;
  
  receiving at the second device from the authentication server a response to the challenge;
  
  forwarding from the second device to the first device the response to the challenge;
  
  at the first device forwarding the response to a second authentication server;
  
  at the first device receiving a reply from the second authentication server indicating that the response is valid; and
  
  allowing access to the first device by the second device.
- View Dependent Claims (18, 19, 20)
- - 18. The method according to claim 17, wherein the challenge is a CHAP challenge.
  - 19. The method according to claim 17, further comprising receiving at the first device a connection request from the second device prior to sending the challenge from the first device to the second device.
  - 20. The method according to claim 17, wherein the network is a SAN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Warwick, Alan M.

Granted Patent

US 8,086,853 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 9/321   involving a third party or ...

H04L 9/3273   for mutual authentication n...

Automatic centralized authentication challenge response generation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic centralized authentication challenge response generation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links