Authentication architecture

US 7,322,040 B1
Filed: 03/27/2001
Issued: 01/22/2008
Est. Priority Date: 03/27/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented system that utilizes a processor and that facilitates an application to produce a response to an authentication challenge, comprising the following computer executable components:

a learning component that determines anticipated authentication challenges to resource requests from applications based upon run-time learning during previous resource requests by applications;

an authentication manager that receives first data associated with the communication challenge and processes the first data into second data of a first type appropriate for a first authentication module, the authentication manager further communicates the second data to at least one authentication module, the authentication manager further communicates the second data to the at least one different authentication module if the first module is unable to process the authentication challenge, the second data is related to the first data and the authentication challenge, the authentication manager also generates one or more pseudo-challenges of its own not in response to the authentication challenge and communicates the data associated with the pseudo-challenges to at least one authentication module;

at least one authentication module that receives the second data from the authentication manager and produces third data related to responding to the authentication challenge; and

a cache that stores one or more third data related to responding to the authentication challenge and the one or more pseudo-challenges.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system enabling an application desiring access to a resource addressable by a URI to produce a response to an authentication challenge to a request to access the URI without including code specific to an authentication system and/or method is provided. The system includes an authentication manager that can pass an authentication challenge to authentication modules and/or objects operable to produce a response to the authentication challenge. The system may also include a cache adapted to store one or more responses to the authentication challenge communicated from the authentication modules, with such cache also being employed to facilitate pre-authenticating test challenges and/or pseudo-challenges.

62 Citations

View as Search Results

25 Claims

1. A computer implemented system that utilizes a processor and that facilitates an application to produce a response to an authentication challenge, comprising the following computer executable components:
- a learning component that determines anticipated authentication challenges to resource requests from applications based upon run-time learning during previous resource requests by applications;
  
  an authentication manager that receives first data associated with the communication challenge and processes the first data into second data of a first type appropriate for a first authentication module, the authentication manager further communicates the second data to at least one authentication module, the authentication manager further communicates the second data to the at least one different authentication module if the first module is unable to process the authentication challenge, the second data is related to the first data and the authentication challenge, the authentication manager also generates one or more pseudo-challenges of its own not in response to the authentication challenge and communicates the data associated with the pseudo-challenges to at least one authentication module;
  
  at least one authentication module that receives the second data from the authentication manager and produces third data related to responding to the authentication challenge; and
  
  a cache that stores one or more third data related to responding to the authentication challenge and the one or more pseudo-challenges.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the authentication manager receives a set of first data associated with a multipart authentication challenge, to process the set of first data into a set of the second data, and communicates the set of second data to at least one authentication module, the set of second data is related to the set of first data and the multipart authentication challenge.
  - 3. The system of claim 2, wherein the at least one authentication module receives the set of second data from the authentication manager and produces a set of third data related to responding to the multipart authentication challenge.
  - 4. The system of claim 3, wherein the cache stores a set of third data related to responding to the multipart authentication challenge.
  - 5. The system of claim 1, wherein:
    - the authentication manager accepts a pre-authentication challenge test message associated with an anticipated authentication challenge, processes the test message into a pre-authentication challenge test data, and communicates the pre-authentication challenge test data to at least one authentication module, the pre-authentication challenge test data related to the pre-authentication challenge test message;
      
      at least one authentication module receives the pre-authentication challenge test data from the authentication manager and produces a pre-authentication challenge test response data related to responding to the pre-authentication challenge test message; and
      
      the cache stores one or more pre-authentication challenge test response data related to responding to the pre-authentication challenge test message, the cache selectively provides the pre-authentication challenge test response data upon request by the authentication manager.
  - 6. The system of claim 5, wherein the authentication modules employ one or more services.
  - 7. The system of claim 1, comprising:
    - a class factory, the class factory selectively instantiates one or more authentication objects based, at least in part, on the first data, andthe class factory makes the one or more instantiated authentication objects callable by the authentication manager.
  - 8. The system of claim 7, comprising:
    - a data store that holds information associated with selectively instantiating the one or more authentication objects, the data store further holds information associated with making the one or more instantiated authentication objects callable by the authentication manager.
  - 9. The system of claim 8, comprising:
    - a registrar that registers an authentication object with the class factory.
  - 10. The system of claim 9, wherein the registrar registers an authentication object with the data store.
  - 11. The system of claim 10, wherein the application does not have to be recoded or recompiled to employ the registered authentication object.
  - 12. The system of claim 1, wherein one or more authentication objects generate the third data associated with responding to an authentication challenge associated with at least one of, a Kerberos authentication system, a Digest authentication system, a Basic authentication system, an NTLM authentication system and a certificate based authentication system.
  - 13. The system of claim 1, wherein the authentication manager and the one or more authentication objects are distributed to one or more computers.
  - 14. The system of claim 10, wherein the class factory, the data store and the registrar are distributed to one or more computers.

15. A computer implemented method that utilizes a processor for enabling an application to produce a response to an authentication challenge, comprising:
- anticipating an authentication challenge to a resource request from an application based upon run-time machine learning during previous resource requests by applications;
  
  pre-authenticating the resource request by generating and storing an authentication response to the anticipated authentication challenge;
  
  generating a pseudo-challenge not in response to the authentication challenge and storing a response to the pseudo-challenge;
  
  employing a component implemented on a computer readable medium to accept the authentication challenge;
  
  passing a first data associated with the authentication challenge to an authentication manager, where the authentication manager processes the first data into second data of a first type appropriate for a first authentication module, further where the authentication manager processes the first data into second data of a second type appropriate for a second authentication module if the first module is unable to process the authentication challenge, the first and second authentication modules having different requirements for the second data;
  
  passing at least one of the second data associated with the authentication challenge or pseudo-challenge to one or more authentication modules, where the authentication modules are registered with the authentication manager, registering the modules includes informing the authentication manager of which system authentication challenges the module is capable of processing and where the authentication modules are operatively connected to the authentication manager;
  
  producing one or more responses to the authentication challenge and the pseudo challenge; and
  
  using a cache to store one or more third data related to responding to the authentication challenge and the one or more pseudo-challenges.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, comprising:
    - caching one or more responses to the authentication challenge; and
      
      retrieving a response from the cached responses.
  - 17. The method of claim 15, wherein the authentication challenge is generated by at least one of a Kerberos authentication system, a Digest authentication system, a Basic authentication system, an NTLM authentication system and a certificate based authentication system.
  - 18. The method of claim 15, wherein one or more authentication modules can be created and registered after the receipt of one or more authentication challenges.
  - 19. A computer readable medium, comprising:
    - computer executable instructions that perform the method of claim 18.

20. A computer implemented method that utilizes a processor for enabling an application to produce a response to an authentication challenge, comprising:
- generating a pre-authentication challenge test message based upon anticipating an authentication challenge to a resource request from an application based upon run-time learning during previous resource requests by applications;
  
  generating a pseudo-challenge message not in response to the authentication challenge and storing a response to the pseudo-challenge;
  
  utilizing a component implemented on a computer readable medium to pass a first data associated with the pre-authentication challenge test message to an authentication manager, where the authentication manager processes the first data into second data of a first type appropriate for a first authentication module, further where the authentication manager processes the first data into second data of a second type appropriate for a second authentication module, the first and second authentication modules having different requirements for second data;
  
  passing at least one of the second data associated with the pre-authentication challenge test message to an appropriate authentication module, if the module is unable to process the challenge passing the at least one of the second data to the at least one different authentication module, where the authentication modules are registered with the authentication manager, and where the authentication modules are operatively connected to the authentication manager;
  
  producing one or more responses to the pre-authentication challenge test message; and
  
  caching the one or more responses to the pre-authentication challenge test message and one or more pseudo-challenges.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, wherein the pre-authentication challenge test message is related to an authentication challenge generated by at least one of a Kerberos authentication system, a Digest authentication system, a Basic authentication system, an NTLM authentication system and a certificate based authentication system.
  - 22. The method of claim 20, wherein one or more authentication modules can be created and registered after the generation of one or more pre-authentication challenge test messages.
  - 23. The method of claim 20, wherein the application does not have to be recoded or recompiled to employ the one or more created and registered authentication modules.

24. A computer readable medium having computer executable instructions operable to perform a method comprising:
- generating a pre-authentication challenge test message based upon anticipating an authentication challenge to a resource request from an application based upon run-time learning during previous resource requests by applications;
  
  generating a pseudo-challenge not in response to the authentication challenge and storing a response to the pseudo-challenge;
  
  passing a first data associated with the pre-authentication challenge test message to an authentication manager, where the authentication manager processes the first data into second data of a first type appropriate for a first authentication module, further where the authentication manager processes the first data into second data of a second type appropriate for a second authentication module, the first and second authentication modules having different requirements for second data;
  
  employing a component implemented on a computer readable medium to pass at least one of the second data associated with the pre-authentication challenge test message to an appropriate authentication module, if the module is unable to process the challenge, passing the test message to one or more authentication modules, where the authentication modules are registered with the authentication manager, and where the authentication modules are operatively connected to the authentication manager;
  
  producing one or more responses to the pre-authentication challenge test message; and
  
  caching the one or more responses to the pre-authentication challenge test message and the one or more pseudo challenges.

25. A system that utilizes a processor enabling an application to respond to a challenge to a request to access a resource addressable by a URI, comprising:
- means for anticipating an authentication challenge to a resource request from an application based upon run-time learning during previous resource requests by applications;
  
  means for receiving the challenge, the receiving means separate from the application;
  
  means for processing data associated with the challenge into second data of a first type appropriate for a first authentication module and second data of a second type appropriate for a second authentication module and distributing at least one of the second data to appropriate producing means, if the first producing means is unable to process the challenge, distributing the at least one of the second data to one or more producing means, the distributing means being separate from the application, the first and second authentication modules having different requirements for second data, the means for processing data generates one or more of its own pseudo challenges not in response to the authentication challenge;
  
  means for producing a response to the challenge the producing means being separate from the application;
  
  means for storing a response to the challenge; and
  
  means for storing one or more third data related to responding to the authentication challenge and the one or more pseudo-challenges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Nielsen, Henrik Frystyk, Paya, Cem, Olson, Lance E.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US09/818,358
Time in Patent Office

2,492 Days
Field of Search

713/1, 726/2
US Class Current

726/8
CPC Class Codes

G06F 21/31   User authentication

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 63/08   for authentication of entit...

H04L 63/205   involving negotiation or de...

H04L 9/3271   using challenge-response

Authentication architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links