UPDATING STORED PASSWORDS

US 20160323263A1
Filed: 07/13/2016
Published: 11/03/2016
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A client device comprising:

a processor and a memory associated with the processor;

an input/output device;

a processor communicatively coupled to the input/output device;

a memory storing executable instructions that, when executed by the processor,instantiate an authentication client module and a re-authentication client module,the authentication client module configured to;

generate a plain-text password;

generate a first hash based on the plain-text password, the first hash is generated according to a first hash generating scheme;

request, via the input/output device, access to a network comprising a network access device according to an authentication protocol;

send, via the input/output device, the first hash to the network access device;

modify the first hash generating scheme; and

generate a second hash based on the plain-text password according to a second hash generating scheme; and

the re-authentication client module configured to;

in response to a policy server operating on the network failing to authenticate the client device, establish, via the input/output device, a secure HTTP connection between the client device and the policy server; and

transmit, via the input/output device, the plain-text password from the client device to the policy server over the secure HTTP connection.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

20 Citations

20 Claims

1. A client device comprising:
- a processor and a memory associated with the processor;
  
  an input/output device;
  
  a processor communicatively coupled to the input/output device;
  
  a memory storing executable instructions that, when executed by the processor,instantiate an authentication client module and a re-authentication client module,the authentication client module configured to;
  
  generate a plain-text password;
  
  generate a first hash based on the plain-text password, the first hash is generated according to a first hash generating scheme;
  
  request, via the input/output device, access to a network comprising a network access device according to an authentication protocol;
  
  send, via the input/output device, the first hash to the network access device;
  
  modify the first hash generating scheme; and
  
  generate a second hash based on the plain-text password according to a second hash generating scheme; and
  
  the re-authentication client module configured to;
  
  in response to a policy server operating on the network failing to authenticate the client device, establish, via the input/output device, a secure HTTP connection between the client device and the policy server; and
  
  transmit, via the input/output device, the plain-text password from the client device to the policy server over the secure HTTP connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The client device of claim 1, wherein the processor comprises a microprocessor or a hardware processing logic, and wherein the memory includes any one of a static memory, a dynamic memory, and an onboard cache for storing data and machine-readable instructions.
  - 3. The client device of claim 2, further comprising a network interface device comprising any one of a wired local area network interface device, a wired wide area network device, a wireless local area network interface device, a wireless wide area network interface device, and a cellular network interface device.
  - 4. The client device of claim 1, wherein generating the plain-text password comprises one of:
    - prompting a user of the client device to enter the plain-text password, retrieving the plain-text password from the memory, and retrieving the plain-text password from another module operating on the client device.
  - 5. The client device of claim 1, wherein the authentication protocol is any one of a challenge-handshake authentication protocol (CHAP), a Microsoft (MS) CHAP (MSCHAP) authentication protocol, or a MSCHAP Version 2 (MSCHAPv2) authentication protocol.
  - 6. The client device of claim 1, wherein the re-authentication client module is further configured to transmit the plain-text password from the client device to the policy server in either one of the Hyper-Text Markup Language (HTML) or the Hyper-Text Transfer Language (HTTP).
  - 7. The client device of claim 1, wherein the authentication client module is configured to generate the second hash based on the plain-text password according to the second hash generating scheme by downloading to the client device and installing on the client device a software update of the authentication client module.
  - 8. The client device of claim 1, wherein the authentication client module is further configured to:
    - receive a challenge string from the policy server;
      
      store the challenge string on the memory; and
      
      generate each of a first cryptographic hash of the plain-text password and a second cryptographic hash of the plain-text password based on one of the first hash generating scheme and the second hash generating scheme.
  - 9. The client device of claim 8, wherein the authentication client module is further configured to transmit each of the first cryptographic hash and the second cryptographic hash to the policy server.
  - 10. The client device of claim 1, wherein the secure HTTP connection between the client device and a policy server is a temporary connection.
  - 11. The client device of claim 1, wherein the authentication client module is further configured to configure the secure HTTP connection between the client device and a policy server to prevent the network access device from modifying the plain-text password.
  - 12. The client device of claim 1, wherein the authentication client module is further configured to configure the secure HTTP connection between the client device and a policy server by establishing a virtual local area network (VLAN) between the authentication client module and the policy server.
  - 13. The client device of claim 1, wherein the authentication client module is further configured to configure the secure HTTP connection between the client device and a policy server by transmitting an access control list to the network access device.

14. A method comprising:
- generating, by an authentication client module of a client device comprising at least one hardware processor, a plain-text password;
  
  generating, by the authentication client module, a first hash based on the plain-text password according to a first hash generating scheme;
  
  requesting, via an input/output device of the client device, access to a network comprising a network access device according to an authentication protocol;
  
  sending, via the input/output device, the first hash to the network access device;
  
  modifying, by the authentication client module, the first hash generating scheme;
  
  generating, by the authentication client module, a second hash based on the plain-text password according to a second hash generating scheme;
  
  establishing, by a re-authentication client module of the client device, a secure HTTP connection between the client device and a policy server operating on the network in response to the policy server failing to authenticate the client device; and
  
  transmitting, by the re-authentication client module via the input/output device, the plain-text password from the client device to the policy server over the secure HTTP connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein generating the plain-text password comprises one of:
    - prompting a user of the client device to enter the plain-text password, retrieving the plain-text password from the memory, and retrieving the plain-text password from another module operating on the client device.
  - 16. The method of claim 14, wherein the authentication protocol is any one of a challenge-handshake authentication protocol (CHAP), a Microsoft (MS) CHAP (MSCHAP) authentication protocol, or a MSCHAP Version 2 (MSCHAPv2) authentication protocol.
  - 17. The method of claim 14, wherein the plain-text password is transmitted from the client device to the policy server in either one of the Hyper-Text Markup Language (HTML) or the Hyper-Text Transfer Language (HTTP).
  - 18. The method of claim 14, wherein the second hash is generated based on the plain-text password according to the second hash generating scheme by downloading to the client device and installing on the client device a software update of the authentication client module.
  - 19. The method of claim 14, wherein the secure HTTP connection between the client device and a policy server is a temporary connection.
  - 20. The method of claim 14, wherein the secure HTTP connection between the client device and a policy server is configured to prevent the network access device from modifying the plain-text password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Tsang, Andy, Chickering, Roger A., Kahn, Clifford E., Venable, Jeffrey C. Sr.

Granted Patent

US 10,075,432 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/137   Hash-based content-based in...

H04L 63/083   using passwords cryptograph...

H04L 63/126   the source of the received ...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

UPDATING STORED PASSWORDS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

UPDATING STORED PASSWORDS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links