System and method of user authentication for network communication through a policy agent

US 7,039,713 B1
Filed: 11/09/1999
Issued: 05/02/2006
Est. Priority Date: 11/09/1999
Status: Expired due to Term

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions for operating a policy agent of a network for performing steps comprising:

detecting a network connection from a client computer on the network;

composing a challenge for authenticating a user of the client computer associated with said network connection, the challenge being encrypted with a private key of the policy agent;

transmitting the challenge to the client computer;

receiving a response from the client computer;

decrypting the response using a public key of the user to obtain a first message digest value;

receiving network data in a form of packets, through the network connection with the client computer;

calculating a second message digest value based on the challenge and a pre-selected number of packets of the received network data;

comparing the first and second message digest values to determine whether a match is found;

if a match is found, then forwarding the network data to their specified recipient, else not forwarding the network data to their specified recipient.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy agent of a network performs an out-of-band user authentication process to verify the identity of a user of a client computer and associates the network data received from the client computer with the user. When the client computer initiates a network data connection to or through the policy agent, the policy agent sends an encrypted challenge to the client computer. The challenge is encrypted with a private key of the policy agent. When the client computer receives the challenge, it decrypts the challenge and prepares a message digest value based on the challenge and the network data sent by the user. The message digest value is then encrypted with the private key of the user to form a response, and the response is sent to the policy agent. The policy agent decrypts the response with the public key of the user to obtain the message digest value and calculates a digest value based on the challenge and the received network data. The policy agent then compares the calculated digest value with the decrypted digest value. A match between the two digest values indicates that the user is successfully authenticated and that the received network data are associated with the user. The policy agent may then apply network policies based on the credentials of the authenticated user.

295 Citations

13 Claims

1. A computer-readable medium having computer-executable instructions for operating a policy agent of a network for performing steps comprising:
- detecting a network connection from a client computer on the network;
  
  composing a challenge for authenticating a user of the client computer associated with said network connection, the challenge being encrypted with a private key of the policy agent;
  
  transmitting the challenge to the client computer;
  
  receiving a response from the client computer;
  
  decrypting the response using a public key of the user to obtain a first message digest value;
  
  receiving network data in a form of packets, through the network connection with the client computer;
  
  calculating a second message digest value based on the challenge and a pre-selected number of packets of the received network data;
  
  comparing the first and second message digest values to determine whether a match is found;
  
  if a match is found, then forwarding the network data to their specified recipient, else not forwarding the network data to their specified recipient.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A computer-readable medium as in claim 1, wherein the policy agent is a firewall.
  - 3. A computer-readable medium as in claim 1, wherein the step of composing includes encrypting the challenge with a public key of the user.
  - 4. A computer-readable medium as in claim 3, wherein the step of decrypting includes decrypting the response with a private key of the policy agent.
  - 5. A computer-readable medium as in claim 1, wherein the step of composing includes generating a third digest value from data including a time value, and encrypting the third digest value with the private key of the policy agent.
  - 6. A computer-readable medium as in claim 1, having further computer-executable instructions for performing network access policies on the received network data according to the identify of the user after a match between the first and second message digest values is found.

7. A method of authenticating a user using a client computer on a network to transmit network data through a policy agent of the network, comprising the steps of:
- detecting by the policy agent a network connection from the client computer for transmitting network data of the user;
  
  receiving by the policy agent network data in a form of packets, transmitted through the network connection from the client computer;
  
  obtaining, by the policy agent, an identity of the user and a public key of the user;
  
  composing, by the policy agent, a challenge encrypted with a private key of the policy agent;
  
  sending the challenge to the client computer;
  
  decrypting, by the client computer, the challenge;
  
  generating, by the client computer, a first message digest value based on the challenge and a pre-selected number of packets of the network data of the user;
  
  encrypting, by the client computer, the first message digest value with a private key of the user to create a response;
  
  sending the response to the policy agent;
  
  decrypting, by the policy agent, the response to obtain the first message digest value;
  
  calculating a second message digest value based on the challenge and the network data received through network connections from the client computer;
  
  comparing the first and second message digest values to determine whether there is a match there between, andif a match is found, then forwarding, by the policy agent, the network data to their specified recipient, else not forwarding the network data to their specified recipient.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. A method as in claim 7, further including the step of applying network policies by the policy agent on the received network data based on the identity of the user after a match between the first and second message digest values is found.
  - 9. A method as in claim 7, wherein the step of composing the challenge includes encrypting the challenge with the public key of the user.
  - 10. A method as recited in claim 7, wherein the step of encrypting by the client computer includes encrypting the first message digest value with a public key of the policy agent.
  - 11. A method as in claim 7, wherein the step of composing the challenge includes generating a third message digest value based on data including a time value and encrypting the third message digest value to form the challenge.
  - 12. A method as in claim 7, wherein the step of generating by the client computer generates the first message digest value based on a random number, data decrypted from the challenge, and data of the pre-selected packets of the received network data.
  - 13. A method as in claim 7, wherein the policy agent is a firewall of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Van Gunter, David, Waters, Lester L.
Primary Examiner(s)
Wiley, David
Assistant Examiner(s)
Shin, Kyung H.

Application Number

US09/436,135
Time in Patent Office

2,366 Days
Field of Search

713/153, 713/155, 713/168, 713/201, 713/185, 709/224, 709225-229, 709/238
US Class Current

709/229
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/18   using different networks or...

H04L 9/3271   using challenge-response

System and method of user authentication for network communication through a policy agent

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

295 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of user authentication for network communication through a policy agent

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

295 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links