FAST-RECONNECTION OF NEGOTIABLE AUTHENTICATION NETWORK CLIENTS
First Claim
1. One or more computer-readable media comprising computer-executable instructions for generating a token, the computer-executable instructions directed to steps comprising:
receiving, as part of a conversation between a first application program and a second application program, a request to authenticate the first application program to the second application program, the first application program having, as part of the conversation, previously been authenticated to the second application program;
obtaining an identifier of the conversation, the identifier having been generated as part of the previous authentication;
cryptographically signing the identifier using one or more encryption keys generated as part of the previous authentication;
generating the token from the identifier and the cryptographically signed identifier; and
providing the token in response to the receiving the request to authenticate the first application program to the second application program.
Abstract
Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process.
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. One or more computer-readable media comprising computer-executable instructions for generating an indication of authentication, the computer-executable instructions directed to steps comprising:
receiving a token in response to an authentication request from a second program to a first program, the receipt of the token and the authentication request occurring as part of a conversation between the first application program and the second application program, the conversation comprising a previous authentication of the first application program to the second application program;
obtaining an identifier of the conversation from the token, the identifier having been generated as part of the previous authentication;
obtaining one or more encryption keys associated with the identifier of the conversation, the one or more encryption keys having been generated as part of the previous authentication;
obtaining a cryptographically signed identifier of the conversation from the token;
verifying the cryptographically signed identifier of the conversation using the one or more encryption keys;
requesting a full authentication if the cryptographically signed identifier of the conversation was not verified using the one or more encryption keys; and
generating the indication of authentication, based on the token, if the cryptographically signed identifier of the conversation was verified using the one or more encryption keys.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system for reducing authentication overhead in network communications comprising:
a first computing device comprising: a first application program, a first security package for performing a full authentication and a first fast reconnect component for generating a token comprising an identifier of a conversation between the first application program and a second application program and a cryptographic signature of the identifier of the conversation; and
a second computing device communicationally coupled to the first computing device, the second computing device comprising: the second application program, a second security package for performing the full authentication with the first security package and a second fast reconnect component for validating the token and thereby authenticating the first application program to the second application program during the conversation and after the full authentication within the conversation.
Dependent claims: 16, 17, 18, 19, 20.
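The exchange described in the abstract and in claims 1, 8 and 15, written out as an added example; this is not code from the patent or from any product it covers. The full authentication is simulated by drawing a random conversation identifier and key (an assumption; a real deployment would obtain these from the security package that ran the full authentication), the "cryptographic signature" is taken to be HMAC-SHA256 over the identifier and a sequence number (also an assumption, the patent does not fix the primitive), and the token layout, the `FRT1` prefix and all names are invented for this example. The verifier side implements the fallback in claim 8: a token that fails the MAC check, carries a replayed sequence number or names an unknown conversation is answered with `False`, meaning "full authentication required".

```python
"""Fast-reconnect token generation and validation (added example, not the patent's code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

TOKEN_MAGIC = b"FRT1"          # assumed token prefix, not from the patent
CONV_ID_LEN = 16               # assumed sizes for this example
SEQ_LEN = 8
MAC_LEN = 32                   # HMAC-SHA256 digest


def _signed_part(conv_id: bytes, seq: int) -> bytes:
    """Bytes covered by the MAC: prefix, conversation id, big-endian sequence number."""
    return TOKEN_MAGIC + conv_id + struct.pack(">Q", seq)


def parse_token(token: bytes) -> tuple[bytes, int, bytes]:
    """Split a token into (conversation id, sequence number, MAC); reject malformed input."""
    if len(token) != len(TOKEN_MAGIC) + CONV_ID_LEN + SEQ_LEN + MAC_LEN:
        raise ValueError("malformed token: wrong length")
    if token[: len(TOKEN_MAGIC)] != TOKEN_MAGIC:
        raise ValueError("malformed token: bad prefix")
    conv_id = token[len(TOKEN_MAGIC): len(TOKEN_MAGIC) + CONV_ID_LEN]
    (seq,) = struct.unpack(">Q", token[len(TOKEN_MAGIC) + CONV_ID_LEN: -MAC_LEN])
    return conv_id, seq, token[-MAC_LEN:]


@dataclass
class Session:
    """Verifier-side state for one conversation, created by the full authentication."""
    key: bytes
    last_seq: int = 0          # highest sequence number accepted so far (replay detection)


@dataclass
class Verifier:
    """The side that validates tokens (the second fast reconnect component of claim 15)."""
    sessions: dict[bytes, Session] = field(default_factory=dict)

    def full_authentication(self) -> tuple[bytes, bytes]:
        """Simulated full authentication: agree on a conversation id and a key.
        Random values stand in for whatever the real security package negotiates."""
        conv_id, key = os.urandom(CONV_ID_LEN), os.urandom(32)
        self.sessions[conv_id] = Session(key=key)
        return conv_id, key

    def validate(self, token: bytes) -> bool:
        """True if the token authenticates the peer; False means 'request a full authentication'."""
        try:
            conv_id, seq, mac = parse_token(token)
        except ValueError:
            return False
        session = self.sessions.get(conv_id)
        if session is None:                     # unknown conversation: no keys to verify with
            return False
        expected = hmac.new(session.key, _signed_part(conv_id, seq), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison of the signature
            return False
        if seq <= session.last_seq:             # replayed or out-of-order token
            return False
        session.last_seq = seq
        return True


@dataclass
class Client:
    """The side that answers an authentication request with a token (claim 1)."""
    conv_id: bytes
    key: bytes
    seq: int = 0

    def make_token(self, step: int = 1) -> bytes:
        """Build id || seq || HMAC(key, id || seq). `step` > 1 models the abstract's
        random increment; the verifier only requires the number to grow."""
        if step < 1:
            raise ValueError("sequence number must advance")
        self.seq += step
        signed = _signed_part(self.conv_id, self.seq)
        return signed + hmac.new(self.key, signed, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    """Full authentication, then fast reconnects, a replay, a forgery and an unknown conversation."""
    verifier = Verifier()
    conv_id, key = verifier.full_authentication()
    client = Client(conv_id, key)
    t1 = client.make_token()
    t2 = client.make_token(step=7)               # random-style increment
    forged = bytearray(t2)
    forged[-1] ^= 0x01                          # flip one MAC bit
    stranger = Client(os.urandom(CONV_ID_LEN), key)
    return {
        "first_reconnect": verifier.validate(t1),
        "second_reconnect": verifier.validate(t2),
        "replayed_first": verifier.validate(t1),
        "forged_mac": verifier.validate(bytes(forged)),
        "unknown_conversation": verifier.validate(stranger.make_token()),
        "truncated": verifier.validate(t2[:-1]),
    }
```

Only the three fast-reconnect successes and failures the abstract names are modelled: a bad signature, a replayed sequence number and an unknown conversation each return `False`, which is the signal for the caller to fall back to the full authentication. Storing the key per conversation on the verifier is what lets the token be short; the client never sends the key itself.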
Specification