Secure Key Distribution to Internet Clients

US 20090265772A1
Filed: 04/16/2008
Published: 10/22/2009
Est. Priority Date: 04/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a first request for evidence of authentication from a client device, said request being received through a wide area network;

analyzing said first request to determine that said first request meets a predefined guideline;

transfer said first request to a credential server within a local area network;

receiving a set of evidence of authentication from said credential server; and

transferring said set of evidence of authentication to said client, said set of evidence of authentication being usable to establish an authenticated connection to a service provided from within said local area network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server may bridge between a wide area network, such as the Internet, and a local area network and may process authentication requests from clients on the wide area network. The server may filter the requests to enable specific types of requests to pass, and may forward the requests to a credential server within the local area network and pass any responses back to the client. The server may be configured with some or all of a set of domain services objects, but such objects may be stored in a read only format. The server may further contain a minimum of or no sensitive data such that, if compromised, an attacker may gain little advantage. The client may request evidence of authentication available to devices within the local area network and may use the evidence of authentication to access services made available to the wide area network.

Citations

20 Claims

1. A method comprising:
- receiving a first request for evidence of authentication from a client device, said request being received through a wide area network;
  
  analyzing said first request to determine that said first request meets a predefined guideline;
  
  transfer said first request to a credential server within a local area network;
  
  receiving a set of evidence of authentication from said credential server; and
  
  transferring said set of evidence of authentication to said client, said set of evidence of authentication being usable to establish an authenticated connection to a service provided from within said local area network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, said wide area network comprising the Internet.
  - 3. The method of claim 1, said predefined guideline comprising requests created with a hardware based credential.
  - 4. The method of claim 1, said first request comprising a Kerberos Ticket Granting Ticket request.
  - 5. The method of claim 1 further comprising:
    - receiving a second request from said client, said second request comprising a non-smart card authentication; and
      
      rejecting said second request.
  - 6. The method of claim 1, said credential server comprising a set of domain services objects.
  - 7. The method of claim 6 further comprising:
    - receiving a copy of said domain services objects.
  - 8. The method of claim 7, said copy of said domain services objects being stored in a read only fashion.
  - 9. The method of claim 1 further comprising:
    - caching said set of evidence of authentication as a set of cached evidence of authentication.
  - 10. The method of claim 9, said cached evidence of authentication having an expiration time.
  - 11. The method of claim 9 further comprising:
    - receiving a second request from said client device; and
      
      responding to said second request using said cached evidence of authentication.
  - 12. The method of claim 9 further comprising:
    - determining that credential caching is enabled for said client device.

13. A system comprising:
- a connection to the Internet;
  
  a connection to a local area network;
  
  an authentication request processor configured to;
  
  receive a first request for evidence of authentication from a client device, said request being received through said Internet;
  
  analyze said first request to determine that said first request meets a predefined guideline;
  
  transfer said first request to a credential server within a local area network;
  
  receive a set of evidence of authentication from said credential server; and
  
  transfer said set of evidence of authentication to said client, said set of evidence of authentication being usable to establish an authenticated connection to a service provided from said local area network.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, said predefined guidelines comprising requests made with a hardware based credential.
  - 15. The system of claim 14, said hardware credential comprising a smart card.
  - 16. The system of claim 13 further comprising a cache configured to store said set of evidence of authentication as a set of cached set of evidence of authentication.
  - 17. The system of claim 13, said evidence of authentication being Kerberos evidence of authentication.
  - 18. The system of claim 13 further comprising:
    - a read only set of domain services objects, said domain services objects being copied from said credential server.

19. A method comprising:
- connecting to a credential server on a local area network;
  
  receiving a copy of a set of domain services objects from said credential server;
  
  making said copy of a set of domain services objects available to a wide area network;
  
  receiving a first request for evidence of authentication from a client device, said request being received through said wide area network;
  
  analyzing said first request to determine that said first request meets a predefined guideline;
  
  transfer said first request to a credential server within a local area network;
  
  receiving a set of evidence of authentication from said credential server; and
  
  transferring said set of evidence of authentication to said client, said set of evidence of authentication being usable to establish an authenticated connection to a service provided from said local area network.
- View Dependent Claims (20)
- - 20. The method of claim 19, said request comprising a Kerberos Ticket Granting Ticket request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bhai, Siddarth, Hitchcock, Daniel W., Puhl, Brian W., Muggli, Nathan D., Walker, Lee F.

Granted Patent

US 8,074,264 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

Secure Key Distribution to Internet Clients

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Key Distribution to Internet Clients

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links