System and method for secured network access

US 20080077791A1
Filed: 07/23/2007
Published: 03/27/2008
Est. Priority Date: 09/27/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a client and a network resource comprising:

receiving on the network resource an initialization command from the client over an unsecured data transfer link;

transmitting a token from the network resource to the client in response to the initialization command;

establishing a secure data transfer link between the network resource and the client, a network resource certificate being transmitted to the client during the establishment of the secure data transfer link;

receiving on the network resource a response packet including a full requested network address identifier, a client certificate, the network resource certificate, the token, and an authenticity identifier corresponding to a client private key, the client private key being associated with the client certificate; and

validating the response packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for secured network access is provided in accordance with the present invention. The method begins with receiving a login request from a client on a router. Thereafter, a certificate transfer instruction for the router to an authentication appliance is generated where the client lacks a copy of a client certificate. The client is authenticated with a challenge-response sequence, the response to which is deliverable through an out-of-band communications channel. Upon authentication, the client certificate and the client private key are transmitted to the client, which are used to authenticate the client to the network.

74 Citations

View as Search Results

22 Claims

1. A method for authenticating a client and a network resource comprising:
- receiving on the network resource an initialization command from the client over an unsecured data transfer link;
  
  transmitting a token from the network resource to the client in response to the initialization command;
  
  establishing a secure data transfer link between the network resource and the client, a network resource certificate being transmitted to the client during the establishment of the secure data transfer link;
  
  receiving on the network resource a response packet including a full requested network address identifier, a client certificate, the network resource certificate, the token, and an authenticity identifier corresponding to a client private key, the client private key being associated with the client certificate; and
  
  validating the response packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network resource is a Secure Sockets Layer (SSL) Virtual Private Network (VPN).
  - 3. The method of claim 2, further comprising:
    - authenticating the client to a server accessible through the SSL VPN with a challenge-response sequence specific to the server.
  - 4. The method of claim 1, further comprising:
    - enabling access of the client to the network resource in accordance with security policies of the network resource.
  - 5. The method of claim 1, wherein prior to establishing the secure data transfer link between the network resource and the client, the method includes:
    - generating a certificate transfer instruction from the network resource to an authentication appliance, wherein the client lacks the client certificate;
      
      authenticating the client with a primary challenge-response sequence; and
      
      issuing the client certificate and the corresponding client private key to the client from the authentication appliance.
  - 6. The method of claim 5, wherein a response to the primary challenge-response sequence is transmitted out-of-band to a predetermined data communication device independent of the client and associated with a user of the client.
  - 7. The method of claim 5, wherein a response to the primary challenge-response sequence is transmitted out-of-band to a predetermined e-mail address associated with a user of the client.
  - 8. The method of claim 5, wherein a response to the primary challenge-response sequence is predefined by a user of the client.
  - 9. The method of claim 5, wherein prior to issuing the client certificate, the method further includes:
    - authenticating the client with a secondary challenge-response sequence associated with a server accessible through the network resource.
  - 10. The method of claim 5, wherein prior to issuing the client certificate and the client private key, the method includes:
    - generating the client certificate and the client private key on an independent certificate authority server.

11. A method of issuing a client certificate for SSL VPN access, the method comprising:
- receiving a login request from a client on a VPN router;
  
  generating a certificate transfer instruction from the VPN router to an authentication appliance where the client lacks a pre-existing copy of the client certificate;
  
  authenticating the client with a primary challenge-response sequence in response to receiving the certificate transfer instruction from the VPN router, an authoritative response to the primary challenge-response sequence being deliverable through an out-of-band communications channel;
  
  generating the client certificate and a client private key; and
  
  transmitting the client certificate and the client private key to the client for storage thereon.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein the authoritative response is a one-time-password.
  - 13. The method of claim 11, wherein the authoritative response is predefined according to knowledge particular to a user of the client.
  - 14. The method of claim 11, wherein prior to generating the client certificate and the client private key, the method further includes:
    - authenticating the client with a secondary challenge-response sequence associated with a server resource on the SSL VPN.

15. A system for bi-directionally authenticating a client and a network resource comprising:
- an authentication appliance in communication with the network resource and the client, for issuing a client certificate and a client private key to the client upon a successful authentication thereof;
  
  wherein the network resource validates the client certificate against a network resource certificate, the client certificate being received from the client upon the establishment of a secure data transfer link between the network resource and the client.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the network resource is an SSL VPN.
  - 17. The system of claim 15, further comprising:
    - an out-of-band authentication server for transmitting a challenge response to a communications device associated with a user of the client, the client being authenticated upon the challenge response being validated by the authentication appliance.
  - 18. The system of claim 17, further comprising:
    - a server accessible through the network resource, the client being validated against a secondary challenge-response sequence associated with an access control of the server.
  - 19. The system of claim 15, further comprising:
    - a certificate authority server for generating the client certificate and the client private key.
  - 20. The system of claim 15, further comprising:
    - a client authentication module associated with the client and including a memory for storing the client certificate and the client private key, the client authentication module being in communication with the authentication appliance.
  - 21. The system of claim 20, wherein the client authentication module is a browser-executable code downloaded from the authentication appliance.

22. An article of manufacture comprising a program storage medium readable by a data processing device, the medium tangibly embodying one or more programs of instructions executable by the data processing device to perform a method for authenticating a client and a network resource, the method comprising:
- receiving a login request from a client on a VPN router;
  
  generating a certificate transfer instruction from the VPN router to an authentication appliance where the client lacks a pre-existing copy of the client certificate;
  
  authenticating the client with a primary challenge-response sequence in response to receiving the certificate transfer instruction from the VPN router, an authoritative response to the primary challenge-response sequence being delivered through an out-of-band communications channel;
  
  generating the client certificate and client private key pair;
  
  transmitting the client certificate and client private key pair to the client for storage thereon.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MultiFactor Corporation (SecureAuth Incorporated)
Original Assignee
MultiFactor Corporation (SecureAuth Incorporated)
Inventors
Moore, Stephen, Grajek, Garret, Lund, Craig

Application Number

US11/880,599
Publication Number

US 20080077791A1
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3215   using a plurality of channe...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

System and method for secured network access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secured network access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links