ADDING CLIENT AUTHENTICATION TO NETWORKED COMMUNICATIONS

US 20090133113A1
Filed: 11/15/2007
Published: 05/21/2009
Est. Priority Date: 11/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request from a client, the request to be passed through to a target server;

constructing a challenge for the client, the challenge based on the request;

transmitting the challenge to the client;

receiving a response to the challenge from the client;

verifying the response; and

if the response is valid, forwarding the request to the target server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pass-through agent receives a request from a client and authenticates the client before forwarding the request to a target server that lacks client authentication capability. The target server is configured to accept requests from the pass-through agent, and may be configured to reject requests that do not come from the pass-through agent.

70 Citations

View as Search Results

22 Claims

1. A method comprising:
- receiving a request from a client, the request to be passed through to a target server;
  
  constructing a challenge for the client, the challenge based on the request;
  
  transmitting the challenge to the client;
  
  receiving a response to the challenge from the client;
  
  verifying the response; and
  
  if the response is valid, forwarding the request to the target server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the target server is incapable of constructing the challenge and verifying the response.
  - 3. The method of claim 1 wherein the target server is incapable of transmitting the challenge and receiving the response.
  - 4. The method of claim 1 wherein forwarding the request to the server comprises transmitting the request via an intra-machine communication channel.
  - 5. The method of claim 4 wherein the intra-machine communication channel is one of a Unix-domain socket, a shared memory area, or a localhost network socket.
  - 6. The method of claim 1 wherein the request includes an identifier of the target server, the method further comprising:
    - receiving a message from the client; and
      
      posting a corresponding message to a message queue of the target server at a system where the target server operates.
  - 7. The method of claim 6 wherein the message received from the client is a message describing a user interface event.
  - 8. The method of claim 6 wherein the corresponding message is a message describing a user interface event.

9. A method comprising:
- intercepting a request directed to a software agent;
  
  authenticating a sender of the request; and
  
  if the authenticating is successful, forwarding the request to the software agent.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 wherein the software agent responds to requests presented according to a first protocol, and wherein the authentication operation occurs pursuant to a second, different protocol that is incompatible with the first protocol.
  - 11. The method of claim 9 wherein the authenticating operation comprises:
    - transmitting a challenge to the sender of the request;
      
      receiving a response to the challenge from the sender of the request; and
      
      validating the response.
  - 12. The method of claim 11 wherein the challenge comprises a random number and an encoded form of the request.
  - 13. The method of claim 11 wherein the response comprises a Message Authentication Code (“
    - MAC”
      
      ) of the challenge computed using a shared symmetric encryption key.

14. A system comprising:
- a service provider to execute a request received via an unauthenticated channel; and
  
  a security agent to receive a request from a client, validate the client and pass the request to the service provider via the unauthenticated channel.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14 wherein the service provider and the security agent are processes executing on a programmable processor.
  - 16. The system of claim 15 wherein the service provider and the security agent are processes executing under control of a Microsoft Windows operating system.
  - 17. The system of claim 15 wherein the service provider and the security agent are processes executing under control of a Unix operating system.
  - 18. The system of claim 14 wherein passing the request to the service provider comprises:
    - forwarding the request via a message queue, a local-domain socket or a loopback socket.

19. A machine-readable medium storing data and instructions to cause a programmable processor to perform operations comprising:
- accepting a Transmission Control Protocol/Internet Protocol (“
  
  TCP/IP”
  
  ) connection from a client;
  
  receiving a request from the client over the TCP/IP connection;
  
  sending a challenge based on the request to the client over the TCP/IP connection;
  
  receiving a response to the challenge from the client over the TCP/IP connection;
  
  validating the response; and
  
  if the response is successfully validated, sending the request to a target server.
- View Dependent Claims (20, 21, 22)
- - 20. The machine-readable medium of claim 19, containing additional data and instructions to cause the programmable processor to perform operations comprising:
    - negotiating a Secure Sockets Layer (“
      
      SSL”
      
      ) connection after accepting the TCP/IP connection and before receiving the request from the client.
  - 21. The machine-readable medium of claim 19, containing additional data and instructions to cause the programmable processor to perform operations comprising:
    - receiving a reply to the request from the target server; and
      
      sending the reply to the client over the TCP/IP connection.
  - 22. The machine-readable medium of claim 19 wherein sending the request to the target server comprises posting a synthetic event to an event queue of the target server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James P.

Granted Patent

US 8,347,374 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 2221/2103   Challenge-response

H04L 63/0435   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

ADDING CLIENT AUTHENTICATION TO NETWORKED COMMUNICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

ADDING CLIENT AUTHENTICATION TO NETWORKED COMMUNICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others