FAST-RECONNECTION OF NEGOTIABLE AUTHENTICATION NETWORK CLIENTS

US 20100228982A1
Filed: 03/06/2009
Published: 09/09/2010
Est. Priority Date: 03/06/2009
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable media comprising computer-executable instructions for generating a token, the computer-executable instructions directed to steps comprising:

receiving, as part of a conversation between a first application program and a second application program, a request to authenticate the first application program to the second application program, the first application program having, as part of the conversation, previously been authenticated to the second application program;

obtaining an identifier of the conversation, the identifier having been generated as part of the previous authentication;

cryptographically signing the identifier using one or more encryption keys generated as part of the previous authentication;

generating the token from the identifier and the cryptographically signed identifier; and

providing the token in response to the receiving the request to authenticate the first application program to the second application program.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process.

Citations

20 Claims

1. One or more computer-readable media comprising computer-executable instructions for generating a token, the computer-executable instructions directed to steps comprising:
- receiving, as part of a conversation between a first application program and a second application program, a request to authenticate the first application program to the second application program, the first application program having, as part of the conversation, previously been authenticated to the second application program;
  
  obtaining an identifier of the conversation, the identifier having been generated as part of the previous authentication;
  
  cryptographically signing the identifier using one or more encryption keys generated as part of the previous authentication;
  
  generating the token from the identifier and the cryptographically signed identifier; and
  
  providing the token in response to the receiving the request to authenticate the first application program to the second application program.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable media of claim 1, further comprising computer-executable instructions for negotiating a use of a fast reconnect mechanism for subsequent authentications within a single conversation after an initial full authentication within the single conversation.
  - 3. The computer-readable media of claim 1, further comprising computer-executable instructions for generating the identifier of the conversation and the one or more encryption keys as part of the previous authentication.
  - 4. The computer-readable media of claim 1, wherein the obtaining and the providing are performed through a pre-existing, standardized interface.
  - 5. The computer-readable media of claim 1, further comprising computer-executable instructions for obtaining a sequence number utilized for an immediately preceding communication within the conversation;
    - and incrementing the sequence number;
      
      wherein the generating the token comprises generating the token from the identifier, the cryptographically signed identifier and the incremented sequence number.
  - 6. The computer-readable media of claim 5, wherein the incrementing the sequence number is performed in accordance with an agreed upon formula established as part of the previous authentication.
  - 7. The computer-readable media of claim 1, wherein the receiving the request to authenticate comprises determining that a data request from the first application program to the second application program may result in an explicit request, from the second application program, to authenticate the first application program to the second application program;
    - and wherein further the providing the token comprises providing the token and the data request concurrently.

8. One or more computer-readable media comprising computer-executable instructions for generating an indication of authentication, the computer-executable instructions directed to steps comprising:
- receiving a token in response to an authentication request from a second program to a first program, the receipt of the token and the authentication request occurring as part of a conversation between the first application program and the second application program, the conversation comprising a previous authentication of the first application program to the second application program;
  
  obtaining an identifier of the conversation from the token, the identifier having been generated as part of the previous authentication;
  
  obtaining one or more encryption keys associated with the identifier of the conversation, the one or more encryption keys having been generated as part of the previous authentication;
  
  obtaining a cryptographically signed identifier of the conversation from the token;
  
  verifying the cryptographically signed identifier of the conversation using the one or more encryption keys;
  
  requesting a full authentication if the cryptographically signed identifier of the conversation was not verified using the one or more encryption keys; and
  
  generating the indication of authentication, based on the token, if the cryptographically signed identifier of the conversation was verified using the one or more encryption keys.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable media of claim 8, further comprising computer-executable instructions for determining if an elapsed time since the previous authentication exceeds a predetermined threshold;
    - wherein the requesting the full authentication comprises requesting the full authentication if either the cryptographically signed identifier of the conversation was not verified using the one or more encryption keys or if the elapsed time since the previous authentication exceeds the predetermined threshold; and
      
      wherein further the generating the indication of authentication comprises generating the indication of authentication if both the cryptographically signed identifier of the conversation was verified using the one or more encryption keys and if the elapsed time since the previous authentication does not exceed the predetermined threshold.
  - 10. The computer-readable media of claim 8, further comprising computer-executable instructions for determining if a communicational connection between the first application program and the second application program was interrupted;
    - wherein the requesting the full authentication comprises requesting the full authentication if either the cryptographically signed identifier of the conversation was not verified using the one or more encryption keys or if the communicational connection was interrupted; and
      
      wherein further the generating the indication of authentication comprises generating the indication of authentication if both the cryptographically signed identifier of the conversation was verified using the one or more encryption keys and if the communicational connection was not interrupted.
  - 11. The computer-readable media of claim 8, wherein the obtaining and the generating are performed through a pre-existing, standardized interface.
  - 12. The computer-readable media of claim 8, further comprising computer-executable instructions for obtaining an incremented sequence number from the token;
    - comparing the incremented sequence number to a sequence number utilized for an immediately preceding communication; and
      
      determining if the incremented sequence number is appropriate based on the comparing;
      
      wherein the requesting the full authentication comprises requesting the full authentication if the cryptographically signed identifier of the conversation was not verified using the one or more encryption keys, if the cryptographically signed identifier of the conversation was received before, or if the incremented sequence number is not appropriate; and
      
      wherein further the generating the indication of authentication comprises generating the indication of authentication if both the cryptographically signed identifier of the conversation was verified using the one or more encryption keys and if the incremented sequence number is appropriate.
  - 13. The computer-readable media of claim 12, wherein the determining if the incremented sequence number is appropriate comprises determining that the incremented sequence is appropriate if the comparing indicates that the incremented sequence number is appropriately greater than the sequence number utilized for the immediately preceding communication.
  - 14. The computer-readable media of claim 12, wherein the comparing the incremented sequence number to the sequence number utilized for the immediately preceding communication comprises independently generating another incremented sequence number from the sequence number utilized for the immediately preceding communication based on an agreed upon formula established as part of the previous authentication, and comparing the other incremented sequence number to the incremented sequence number;
    - and wherein further the determining if the incremented sequence number is appropriate comprises determining that the incremented sequence is appropriate if the other incremented sequence number is equivalent to the incremented sequence number.

15. A system for reducing authentication overhead in network communications comprising:
- a first computing device comprising;
  
  a first application program, a first security package for performing a full authentication and a first fast reconnect component for generating a token comprising an identifier of a conversation between the first application program and a second application program and a cryptographic signature of the identifier of the conversation; and
  
  a second computing device communicationally coupled to the first computing device, the second computing device comprising;
  
  the second application program, a second security package for performing the full authentication with the first security package and a second fast reconnect component for validating the token and thereby authenticating the first application program to the second application program during the conversation and after the full authentication within the conversation.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the first fast reconnect component is an extension to a first security package negotiation component and wherein the second fast reconnect component is an extension to a second security package negotiation component;
    - the first security package negotiation component and the second security package negotiation components negotiating between them an authentication mechanism and a fast reconnect mechanism for subsequent authentications within a single conversation after an initial full authentication, in accordance with the negotiated authentication mechanism, within the single conversation.
  - 17. The system of claim 15, wherein the cryptographic signature of the identifier of the conversation is generated by the first fast reconnect component using one or more encryption keys generated as part of the full authentication;
    - and wherein further the validating the token comprises verifying the cryptographic signature of the identifier using the one or more encryption keys.
  - 18. The system of claim 15, wherein the token further comprises an incremented sequence number generated by the first fast reconnect component from an immediately preceding sequence number;
    - and wherein further the validating the token comprises determining, by the second fast reconnect component if the incremented sequence number is appropriate.
  - 19. The system of claim 18, wherein the incremented sequence number is generated by the first fast reconnect component in accordance with an agreed upon formula established as part of the full authentication;
    - and wherein further the determining, by the second fast reconnect component, if the incremented sequence number is appropriate is performed with reference to the agreed upon formula.
  - 20. The system of claim 15, wherein the second fast reconnect component requires another full authentication if it does not validate the token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Zhu, Liqiang, McPherson, David, Damour, Kevin Thomas, Leach, Paul J., Dutta, Tanmoy

Granted Patent

US 8,555,069 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/175
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04W 12/062   Pre-authentication

FAST-RECONNECTION OF NEGOTIABLE AUTHENTICATION NETWORK CLIENTS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FAST-RECONNECTION OF NEGOTIABLE AUTHENTICATION NETWORK CLIENTS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links