System and method for policy-based inter-realm authentication within a distributed processing system

US 5,544,322 A
Filed: 05/09/1994
Issued: 08/06/1996
Est. Priority Date: 05/09/1994
Status: Expired due to Term

First Claim

Patent Images

1. In a distributed computing system wherein individual computers are linked together by a communication network, a method for inter-realm authentication comprising the steps of:

a) requesting, by a client, an application server policy for an application server from a policy server;

b) when a policy reply from the policy server contains an authentication policy of the application server, requesting, by the client, an authentication path to the application server from an authentication routing server;

c) determining, by the authentication routing server, whether the authentication path is compliant with the authentication policy and authentication routing information;

d) when the authentication path is compliant with the authentication policy and the authentication routing information, providing, by the authentication routing server, verification of the authentication path to the client;

e) upon receiving the verification of the authentication path, requesting, by the client, an authentication certificate from an authentication server;

f) providing, by the authentication server, the authentication certificate to the client, wherein the authentication certificate is based on the authentication path;

g) upon receiving the authentication certificate, sending, by the client, a request to the application server, wherein the request includes the authentication certificate; and

h) verifying, by the application server, the client based on the authentication certificate.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for defining a platform-independent policy framework for authentication of principals to servers in another realm, within a distributed data processing system. The present invention may be implemented on top of the Kerberos protocol, or any trusted third party network authentication protocol with inter-realm authentication mechanisms.

536 Citations

9 Claims

1. In a distributed computing system wherein individual computers are linked together by a communication network, a method for inter-realm authentication comprising the steps of:
- a) requesting, by a client, an application server policy for an application server from a policy server;
  
  b) when a policy reply from the policy server contains an authentication policy of the application server, requesting, by the client, an authentication path to the application server from an authentication routing server;
  
  c) determining, by the authentication routing server, whether the authentication path is compliant with the authentication policy and authentication routing information;
  
  d) when the authentication path is compliant with the authentication policy and the authentication routing information, providing, by the authentication routing server, verification of the authentication path to the client;
  
  e) upon receiving the verification of the authentication path, requesting, by the client, an authentication certificate from an authentication server;
  
  f) providing, by the authentication server, the authentication certificate to the client, wherein the authentication certificate is based on the authentication path;
  
  g) upon receiving the authentication certificate, sending, by the client, a request to the application server, wherein the request includes the authentication certificate; and
  
  h) verifying, by the application server, the client based on the authentication certificate.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1 wherein step (b) further comprises the steps of:
    - determining, by the policy server, whether a policy database contains the authentication policy for the application server; and
      
      when the policy database contains the authentication policy, generating the policy reply to include the authentication policy.
  - 3. The method as recited in claim 2 wherein step (b) further comprises the step of:
    - generating the policy reply to include a message to address another policy server when the policy database does not include the authentication policy.
  - 4. The method as recited in claim 2 wherein step (b) further comprises the of:
    - generating the policy reply to include an error message when the policy database does not include the authentication policy.
  - 5. The method as recited in claim 1 wherein step (d) further comprises the steps of:
    - when the authentication path is not compliant with the authentication policy and the authentication routing information, providing, by the authentication routing server, an error message or a referral message to another authentication routing server.
  - 6. The method as recited in claim 1 further comprises the steps of:
    - providing, by the client, a client authentication policy to the authentication routing server; and
      
      determining, by the authentication routing server, whether the authentication path is compliant with the authentication policy, the client authentication policy, and the authentication routing information.

7. An inter-realm authentication apparatus for use in a distributed data processing system, the inter-realm authentication apparatus comprises:
- an authentication server that includes;
  
  authentication information database for storing authentication routing information of the distributed data processing system;
  
  processing means, operably coupled to the authentication information database, for providing the authentication routing information upon request and for processing certificate requests by clients affiliated with the distributed data processing system;
  
  a policy server that includes;
  
  policy database for storing authentication policies of application servers;
  
  processing means, operably coupled to the policy database, for entering an authentication policy of an application server into the policy database and for processing requests for policy information by the clients; and
  
  an authentication routing server that is operably coupled to the authentication server and the policy server, wherein the authentication routing server, upon an authentication path request from a client to a target application server, determines whether the authentication path is compliant with the authentication routing information and the authentication policy of the target application server.
- View Dependent Claims (8)
- - 8. The apparatus of claim 7, wherein the policy server further comprises:
    - client policy database for storing client determined authentication policies.

9. A computer readable storage medium for storing program instructions that, when read by at least one computer, causes the at least one computer to providing inter-realm authentication, the computer readable storage medium comprises:
- first storage means for storing program instructions that cause the at least one computer to receive an application server policy request for an application server from a client;
  
  second storage means for storing program instructions that cause the at least one computer to generate a policy reply, and, when the policy reply contains an authentication policy of the application server, to receive an authentication path request between the application server and the client from the client;
  
  third storage means for storing program instructions that cause the at least one computer to determine whether the authentication path is compliant with the authentication policy and authentication routing information;
  
  fourth storage means for storing program instructions that cause the at least one computer to provide verification of the authentication path to the client when the authentication path is compliant with the authentication policy and the authentication routing information;
  
  fifth storage means for storing program instructions that cause the at least one computer to receive a request from the client, in response to the verification of the authentication path, for an authentication certificate; and
  
  sixth storage means for storing program instructions that cause the at least one computer to provide the authentication certificate to the client, wherein the authentication certificate is based on the authentication path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Luan, Shyh-Wei, Cheng, Pau-Chen
Primary Examiner(s)
Bowler, Alyssa H.
Assistant Examiner(s)
Rinehart, Mark H.

Application Number

US08/239,669
Time in Patent Office

820 Days
Field of Search

395/200.02, 395/200.06, 395/200.12, 380/49, 380/25, 380/23, 380/4, 364/286.5, 340/825.31, 340/825.34
US Class Current

709/229
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

System and method for policy-based inter-realm authentication within a distributed processing system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

536 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for policy-based inter-realm authentication within a distributed processing system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

536 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links