System and method for secured network access
Abstract
A method and system for secured network access is provided in accordance with the present invention. The method begins with receiving a login request from a client on a router. Thereafter, where the client lacks a copy of a client certificate, a certificate transfer instruction is generated from the router to an authentication appliance. The client is authenticated with a challenge-response sequence, the response to which is deliverable through an out-of-band communications channel. Upon authentication, the client certificate and the client private key are transmitted to the client and are thereafter used to authenticate the client to the network.
22 Claims
1. A method for authenticating a client and a network resource comprising:
receiving on the network resource an initialization command from the client over an unsecured data transfer link;
transmitting a token from the network resource to the client in response to the initialization command;
establishing a secure data transfer link between the network resource and the client, a network resource certificate being transmitted to the client during the establishment of the secure data transfer link;
receiving on the network resource a response packet including a full requested network address identifier, a client certificate, the network resource certificate, the token, and an authenticity identifier corresponding to a client private key, the client private key being associated with the client certificate; and
validating the response packet.
Dependent claims 2 to 10 are not reproduced here.

11. A method of issuing a client certificate for SSL VPN access, the method comprising:
receiving a login request from a client on a VPN router;
generating a certificate transfer instruction from the VPN router to an authentication appliance where the client lacks a pre-existing copy of the client certificate;
authenticating the client with a primary challenge-response sequence in response to receiving the certificate transfer instruction from the VPN router, an authoritative response to the primary challenge-response sequence being deliverable through an out-of-band communications channel;
generating the client certificate and a client private key; and
transmitting the client certificate and the client private key to the client for storage thereon.
Dependent claims 12 to 14 are not reproduced here.

15. A system for bi-directionally authenticating a client and a network resource comprising:
an authentication appliance in communication with the network resource and the client, for issuing a client certificate and a client private key to the client upon a successful authentication thereof;
wherein the network resource validates the client certificate against a network resource certificate, the client certificate being received from the client upon the establishment of a secure data transfer link between the network resource and the client.
Dependent claims 16 to 21 are not reproduced here.

22. An article of manufacture comprising a program storage medium readable by a data processing device, the medium tangibly embodying one or more programs of instructions executable by the data processing device to perform a method for authenticating a client and a network resource, the method comprising:
receiving a login request from a client on a VPN router;
generating a certificate transfer instruction from the VPN router to an authentication appliance where the client lacks a pre-existing copy of the client certificate;
authenticating the client with a primary challenge-response sequence in response to receiving the certificate transfer instruction from the VPN router, an authoritative response to the primary challenge-response sequence being delivered through an out-of-band communications channel;
generating the client certificate and client private key pair; and
transmitting the client certificate and client private key pair to the client for storage thereon.
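The exchange of claim 1, worked through as an added Python model. This is illustrative code written for this page, not code from the patent or from any product implementing it, and it makes several assumptions: a toy textbook RSA stands in for the client's certified key pair and a CA-signed dict stands in for an X.509 certificate (a real deployment would use TLS client authentication with proper certificates); the secure-link establishment of step 3 is reduced to the client holding the resource certificate before it builds the packet; the claim's "authenticity identifier corresponding to a client private key" is interpreted as a signature over the packet body; and the 60-second token lifetime, the host/path address format and the host names are invented. The enrolment of claim 11 (the appliance issuing the certificate and private key after an out-of-band challenge) appears only as the issue_cert helper; the challenge-response itself is not modelled. The demo shows what each field of the response packet buys the network resource: the single-use token rejects a replayed packet, the echoed resource certificate rejects a packet that was built against a different resource, the CA check rejects a self-issued client certificate, and the signature ties the requested address to the client private key.

```python
import hashlib
import json
import secrets
import time

def _is_probable_prime(n, rounds=16):          # Miller-Rabin; n is odd and large here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):   # toy textbook RSA, unpadded; 512 bits keeps the demo quick, not a real size
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1   # odd, top bit set
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this is gcd(e, phi) == 1
            return (pow(e, -1, phi), p * q), (e, p * q)   # (private, public)

def rsa_sign(priv, data):                      # hash^d mod n
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), *priv)

def rsa_verify(pub, data, sig):                # sig^e mod n == hash
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def canonical(obj):                            # deterministic bytes for signing
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_cert(ca_priv, subject, pub):         # a CA-signed dict stands in for X.509
    body = {"subject": subject, "pub": list(pub)}
    return {"body": body, "sig": rsa_sign(ca_priv, canonical(body))}

class NetworkResource:
    TOKEN_LIFETIME_S = 60                      # assumption: the claim fixes no token lifetime

    def __init__(self, name, ca_priv, ca_pub):
        self.name, self.ca_pub = name, ca_pub
        self.cert = issue_cert(ca_priv, name, rsa_keygen()[1])   # private half unused: TLS not modelled
        self._tokens = {}                      # outstanding single-use tokens -> issue time

    def initialization(self):                  # steps 1-2: command over the unsecured link, token back
        token = secrets.token_hex(16)
        self._tokens[token] = time.monotonic()
        return token

    def validate(self, packet):
        """Step 5: returns (accepted, reason). The token is consumed whatever the outcome."""
        body, auth_id = packet["body"], packet["auth_id"]
        cc = body["client_cert"]
        issued = self._tokens.pop(body.get("token"), None)
        if issued is None or time.monotonic() - issued > self.TOKEN_LIFETIME_S:
            return False, "unknown, replayed or expired token"
        if body.get("resource_cert") != self.cert:
            return False, "packet bound to a different resource certificate"
        if not rsa_verify(self.ca_pub, canonical(cc["body"]), cc["sig"]):
            return False, "client certificate not issued by the trusted CA"
        if body["address"].split("/", 1)[0] != self.name:      # assumption: host/path form
            return False, "requested address is not served by this resource"
        if not rsa_verify(tuple(cc["body"]["pub"]), canonical(body), auth_id):
            return False, "authenticity identifier does not verify under the client certificate"
        return True, "authenticated"

def build_response(client_priv, client_cert, resource_cert, token, address):
    """Step 4 (client): sign the address, both certificates and the token with the client key."""
    body = {"address": address, "client_cert": client_cert,
            "resource_cert": resource_cert, "token": token}
    return {"body": body, "auth_id": rsa_sign(client_priv, canonical(body))}

def run_demo():
    """Happy path plus the rejections the token and the resource certificate exist to cause."""
    ca_priv, ca_pub = rsa_keygen()
    vpn = NetworkResource("vpn.example.internal", ca_priv, ca_pub)
    files = NetworkResource("files.example.internal", ca_priv, ca_pub)
    alice_priv, alice_pub = rsa_keygen()
    alice_cert = issue_cert(ca_priv, "alice", alice_pub)
    rogue_priv, rogue_pub = rsa_keygen()       # key pair of an untrusted, self-made CA
    addr = "vpn.example.internal/finance"
    def attempt(priv, cert, resource_cert):    # fresh token from vpn for every packet
        return build_response(priv, cert, resource_cert, vpn.initialization(), addr)
    good = attempt(alice_priv, alice_cert, vpn.cert)
    return {
        "valid": vpn.validate(good)[0],
        "replay": vpn.validate(good)[0],       # same packet a second time
        "wrong_resource": vpn.validate(attempt(alice_priv, alice_cert, files.cert))[0],
        "untrusted_ca": vpn.validate(
            attempt(rogue_priv, issue_cert(rogue_priv, "alice", rogue_pub), vpn.cert))[0],
    }
```

run_demo() returns a dict with "valid" True and the other three entries False. Two design points carry over to a real implementation: the token is popped before any other check, so a packet that fails later cannot be resubmitted with the same token, and the signature covers the resource certificate and the requested address as well as the token, so neither can be swapped by whoever relays the packet without breaking the client's "authenticity identifier".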
Specification