Apparatus and method for automatically authenticating a network client

US 7,231,517 B1
Filed: 03/03/2000
Issued: 06/12/2007
Est. Priority Date: 03/03/2000
Status: Expired due to Term

First Claim

Patent Images

1. An authentication system suitable for automatically providing authentication to a user at a client node, the user providing a user secret and requesting access to network resources resident at one or more server nodes in a distributed network system, said authentication system comprising:

a local application program interface for receiving the user secret, said local application program interface in communication with a requested network resource and the client node;

a cryptography service node including means for providing a common key and algorithm, and means for providing a client/server session key and algorithm, wherein the session key is associated with a single session during a single logon of the user and if the session terminates the session key becomes invalid; and

an authentication database in communication with said local application program interface and with said cryptography service node, said authentication database includingan authentication secret associated with the user;

means for encrypting said authentication secret using said common key and algorithm; and

means for encrypting said common key using said client/server session key and algorithm;

wherein the local application program interface sends an encrypted authentication secret, an encrypted common key, and the session key to the client node for use with the requested network resource, and wherein the common key is a shared and same key, and wherein the use occurs during the single session of the user and expires when the single session expires.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed authentication system includes a cryptography service node, and a client node interface coupled to a network authentication database, for providing automatic authentication to enable the client node to access network resources, such as applications or services, resident in one or more network server nodes. Authentication secrets corresponding to the network resources are each encrypted with a respective strong key and stored in the authentication database. Authentication of the client node is accomplished with the retrieval of an authentication secret corresponding to a requested network resource. The retrieval process includes: i) decrypting the authentication secret using the strong key and encrypting the secret using a second key, and ii) sending a copy of the second key encrypted with a third key along with the encrypted secret to the requesting client node via a communication medium.

107 Citations

View as Search Results

20 Claims

1. An authentication system suitable for automatically providing authentication to a user at a client node, the user providing a user secret and requesting access to network resources resident at one or more server nodes in a distributed network system, said authentication system comprising:
- a local application program interface for receiving the user secret, said local application program interface in communication with a requested network resource and the client node;
  
  a cryptography service node including means for providing a common key and algorithm, and means for providing a client/server session key and algorithm, wherein the session key is associated with a single session during a single logon of the user and if the session terminates the session key becomes invalid; and
  
  an authentication database in communication with said local application program interface and with said cryptography service node, said authentication database includingan authentication secret associated with the user;
  
  means for encrypting said authentication secret using said common key and algorithm; and
  
  means for encrypting said common key using said client/server session key and algorithm;
  
  wherein the local application program interface sends an encrypted authentication secret, an encrypted common key, and the session key to the client node for use with the requested network resource, and wherein the common key is a shared and same key, and wherein the use occurs during the single session of the user and expires when the single session expires.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The authentication system of claim 1 further comprising means for encrypting and decrypting said authentication secret using a secret store key and algorithm.
  - 3. The authentication system of claim 1 further comprising,a network resource identifier associated with said requested network resource;
    - anda network policy associated with the user and with said network resource identifier.
  - 4. The authentication system of claim 3 wherein said authentication database further comprises,a second network resource identifier associated with a second network resource;
    - a second authentication secret associated with the user; and
      
      a second network policy associated with the user and with said second network resource identifier.
  - 5. The authentication system of claim 4 wherein said authentication database further comprises means for encrypting and decrypting said second authentication secret using said secret store key and algorithm.
  - 6. The authentication system of claim 4 wherein said authentication database further comprises means for encrypting and decrypting said second authentication secret using a second secret store key and algorithm.
  - 7. The authentication system of claim 1 wherein said cryptography service further comprises means for generating an authentication secret from the user secret.
  - 8. The authentication system of claim 1 wherein said common key comprises a symmetric key.

9. A method for automatically authenticating a user at a network client node in a distributed network system in response to a user request for access to network resources resident in one or more server nodes, said authentication method comprising the steps of:
- providing a network resource identifier, a network resource policy, and an authentication secret to an authentication database, said network resource identifier associated with the requested network resource;
  
  retrieving said authentication secret in response to said user request, said authentication secret associated with the user and with said network resource identifier;
  
  encrypting said authentication secret with a common key and algorithm, wherein the common key is a shared and same key;
  
  encrypting said common key and algorithm with a client/server session key and algorithm, wherein the session key is associated with a single a session of a logon of the user and when the session terminates the session key becomes invalid; and
  
  sending said encrypted authentication secret and said encrypted common key to the client node for use by the client during the single session, and wherein the use expires when the single session expires.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9 further comprising the steps of:
    - decrypting said encrypted common key using said client/server session key;
      
      decrypting said encrypted authentication secret using said decrypted common key and algorithm; and
      
      providing said decrypted authentication secret to the requested network resource.
  - 11. The method of claim 9 further comprising the step of accessing said network resource policy prior to said step of retrieving said authentication secret, said network resource policy associated with the user and with said network resource identifier.
  - 12. The method of claim 9 further comprising the steps of:
    - obtaining a list of client algorithms supported by the client node;
      
      obtaining a list of server algorithms supported by the server node;
      
      comparing said list of client algorithms with said list of server algorithms so as to determine the strongest algorithm common to both said list of client algorithms and said list of server algorithms; and
      
      using said strongest algorithm as said common key and algorithm.
  - 13. The method of claim 9 wherein said common key comprises a symmetric key.
  - 14. The method of claim 9 further comprising the steps of:
    - negotiating the strongest common algorithm between server and client node; and
      
      using said strongest algorithm as said client/server session key and algorithm.

15. A method for authenticating a client to a network resource, comprising:
- receiving a client request for a network resource;
  
  authenticating the client and creating a secure session;
  
  creating an authentication secret for access to the network resource;
  
  encrypting the authentication secret within a common key, wherein the common key is a shared and same key;
  
  encrypting the common key with a session key associated with the secure session, wherein the session key becomes invalid when the secure session terminates and wherein the secure session is associated with a single login session of the client; and
  
  transmitting to the client the encrypted common key, the encrypted authentication secret, and the session key for use in accessing the network resource during the single login session, and wherein the use expires when the single login session expires.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 further comprising, determining a strongest encryption and decryption algorithm supported by the client when encrypting the authentication secret within the common key.
  - 17. The method of claim 15 further comprising receiving, by the network resource, a decrypted version of the authentication secret from the client and authenticating the client for access to the network resource based on the decrypted authentication secret.
  - 18. The method of claim 15 further comprising associating policies with the authentication secret, wherein the policies define access rights of the client to the network resource.
  - 19. The method of claim 15 negotiating with the client encryption and decryption algorithms for use in encrypting the authentication secret and the common key.
  - 20. The method of claim 15 associating the authentication secret with the client and the network resource and housing the association in a secret store for additional secure sessions established by the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Mashayekhi, Cameron
Primary Examiner(s)
Barrón, Jr.; Gilberto
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/518,664
Time in Patent Office

2,657 Days
Field of Search

713/155, 713/153, 713/202, 713/161, 713/169, 713/183, 713/184, 713/171, 380/229, 380/259, 380/281, 380/283, 380/284, 380/282, 380/29, 705/67, 705/18, 455/410
US Class Current

713/167
CPC Class Codes

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Apparatus and method for automatically authenticating a network client

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for automatically authenticating a network client

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links