Method and system for binding kerberos-style authenticators to single clients
First Claim
1. A method for authenticating a client, comprising:
receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by exclusive or'ing the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address;
determining a remote address and a local address associated with the client;
decrypting the modified authenticator with the hashed salted password; and
employing the remote address, local address, and decrypted modified authenticator to authenticate the client by:
concatenating the remote address with the local address associated with the client;
determining a cryptographic digest associated with the concatenated addresses;
exclusive or'ing the cryptographic digest with the decrypted modified authenticator to extract the timestamp associated with the modified authenticator; and
if the extracted timestamp is within a pre-determined time window, authenticating the client.
3 Assignments
0 Petitions
Abstract
A method and system are directed towards enabling authentication in a distributed environment. The method employs a hashed salted password associated with a user in part to pre-authenticate the user. If the user is pre-authenticated, a ticket is transmitted to a client. The ticket includes a cryptographic digest of a concatenation of the local and remote addresses that is exclusive or'ed with a timestamp to generate a modified authenticator. The modified authenticator is directed at binding the timestamp to the client to minimize reuse of an authenticator. A packet that includes the authenticator is sent to a server. The server is configured to determine another remote and local IP address associated with the packet. Employing the remote and local addresses, the server extracts the timestamp from the modified authenticator. If the timestamp is within a pre-determined time window, the user may be authenticated.
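The abstract and claim 1 describe one concrete computation: the client XORs a timestamp with a digest of its remote and local address, encrypts the result under the hashed salted password, and the server recomputes the digest from the addresses it actually observes on the packet, XORs it back out and checks the timestamp against a time window. The Python below is an example added for this page, not code from the patent or its assignee. Everything the page leaves unspecified is an assumption here: SHA-256 as the "cryptographically strong digest", PBKDF2-HMAC-SHA256 as the "hashed salted password", an HMAC-based encrypt-then-MAC construction standing in for the cipher, a 300-second window, and all addresses, salts and passwords are constructed sample values. Addresses are always given in the client's orientation (remote = the server's address, local = the client's address), so the server supplies its own address and the packet's source address in that order.

```python
import hashlib
import hmac
import os
import struct
import time

DIGEST_LEN = 32        # SHA-256 output; the 8-byte timestamp is zero-padded to this length
WINDOW_SECONDS = 300   # the "pre-determined time window" (assumed value, not from the page)


def hashed_salted_password(password: str, salt: bytes) -> bytes:
    """Key derived from the user's password and salt (assumption: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def address_digest(remote_ip: str, local_ip: str) -> bytes:
    """Digest of the concatenated remote and local address (claim 1, client orientation)."""
    # A separator keeps the concatenation unambiguous when addresses are text.
    return hashlib.sha256(f"{remote_ip}|{local_ip}".encode()).digest()


def bind_timestamp(timestamp: int, remote_ip: str, local_ip: str) -> bytes:
    """Modified authenticator: zero-padded timestamp XOR digest(remote || local)."""
    padded_ts = struct.pack(">Q", timestamp).rjust(DIGEST_LEN, b"\0")
    return bytes(a ^ b for a, b in zip(padded_ts, address_digest(remote_ip, local_ip)))


def extract_timestamp(modified: bytes, remote_ip: str, local_ip: str):
    """Undo the binding using the addresses the server observed itself.

    Returns None when the zero padding does not reappear, which is what happens
    (with overwhelming probability) when the authenticator was bound to a
    different address pair than the one this packet arrived on."""
    padded = bytes(a ^ b for a, b in zip(modified, address_digest(remote_ip, local_ip)))
    if any(padded[: DIGEST_LEN - 8]):
        return None
    return struct.unpack(">Q", padded[-8:])[0]


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # One 32-byte keystream block is enough because the plaintext is exactly DIGEST_LEN bytes.
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the page's unspecified cipher (assumption)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Verify the tag first; return None rather than a garbled plaintext on failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce)))


def client_auth_request(password: str, salt: bytes, remote_ip: str, local_ip: str,
                        timestamp: int = None) -> bytes:
    """Client side: bind the timestamp to its own address pair, then encrypt."""
    ts = int(time.time()) if timestamp is None else timestamp
    key = hashed_salted_password(password, salt)
    return encrypt(key, bind_timestamp(ts, remote_ip, local_ip))


def server_authenticate(key: bytes, request: bytes, remote_ip: str, local_ip: str,
                        now: int = None):
    """Server side, following claim 1: decrypt with the stored hashed salted password,
    recompute the digest from the observed addresses, extract the timestamp and check
    the window. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    modified = decrypt(key, request)
    if modified is None:
        return False, "wrong key or tampered authenticator"
    ts = extract_timestamp(modified, remote_ip, local_ip)
    if ts is None:
        return False, "authenticator bound to a different address pair"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "timestamp outside the time window"
    return True, "authenticated"


if __name__ == "__main__":
    salt = b"constructed-salt"            # constructed sample values
    stored_key = hashed_salted_password("correct horse", salt)
    req = client_auth_request("correct horse", salt, "198.51.100.7", "192.0.2.10")
    print(server_authenticate(stored_key, req, "198.51.100.7", "192.0.2.10"))
    # The same bytes seen arriving from another client address: the binding check fails.
    print(server_authenticate(stored_key, req, "198.51.100.7", "203.0.113.9"))
```

Because the padding bytes must come back as zero, an authenticator captured and replayed through a different address pair is rejected before the time window is even consulted; the window then limits reuse from the original pair. The abstract claims only to "minimize" reuse, and that matches: within the window a replay from the same addresses still needs a replay cache to catch, which this example deliberately does not add since the page does not describe one.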
162 Citations
33 Claims
1. Independent claim; its text is given above under First Claim. Dependent claims: 2 to 13.
14. A system for authenticating a client over a network, comprising:
the client that is configured to communicate an authentication request; and an application authentication server that is configured to perform actions, including: receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address; determining the remote address and the local address associated with the client; decrypting the modified authenticator with the hashed salted password; and employing the remote address, local address, and the timestamp to authenticate the client by exclusive or'ing a cryptographically strong digest of a concatenation of the remote address, and the local address associated with the decrypted modified authenticator to extract the timestamp associated with the client for the user, wherein the application authentication server further comprises:
(a) an authentication server, that is configured to employ the remote address, local address, and the timestamp to authenticate the client, and to perform actions, including: (i) generating a ticket-granting ticket, wherein the ticket-granting ticket includes another modified authenticator that comprises another timestamp, remote address, and the local address associated with the client; and
(b) a ticket-granting server that is enabled to receive the ticket-granting ticket, and to perform actions, including: (i) decrypting the other modified authenticator with a session key associated with the ticket-granting ticket; (ii) authenticating the client based in part on the remote address, local address, and decrypted other modified authenticator; and (iii) if the client is authentic, providing a content ticket to the client, wherein the content ticket enables the client to access content.
Dependent claims: 15 to 23.
24. A computer-readable medium having stored thereon a data structure comprising data fields including a ticket granting ticket that is issued to a computer for a user, including an authentication data field containing data including a timestamp, a remote IP address, and a local IP address associated with the computer for the user, wherein the data including the IP remote address and the local IP address further comprises the timestamp associated with the user that is exclusive or'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the computer for the user, wherein the computer-readable medium includes a component employed to authenticate the computer for the user based on the data structure, and wherein the authentication data field is encrypted with a hashed salted user's password and a session key.
26. An apparatus for authenticating a client, comprising:
a means for receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by a means for combining the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address; a means for determining a remote address and a local address associated with the client; a means for decrypting the modified authenticator with the hashed salted password; and a means for employing the remote address, local address, and decrypted modified authenticator to authenticate the client by exclusive or'ing a cryptographically strong digest of a concatenation of the remote address, and the local address associated with the decrypted modified authenticator to extract the timestamp associated with the client for the user.
27. A method for authenticating a client, comprising:
determining an authentication data including a timestamp, a remote IP address, and a local IP address associated with a client for a user, wherein the authentication data including the IP remote address and the local IP address further comprises the timestamp associated with the user that is exclusive or'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the client for the user, wherein the authentication data is encrypted with at least a hashed salted user's password; and authenticating the client for the user based on the authentication data; and issuing to the client for the user, a ticket granting ticket, wherein the ticket granting ticket includes the authentication data.
Dependent claims: 28 and 29.
30. A system for authenticating a client, comprising:
the client that is configured to communicate an authentication request; and an application authentication server in communication with the client and configured to perform actions, including: receiving the authentication request, wherein the authentication request is encrypted with a hashed salted password; determining, in response to the authentication request, data including a timestamp, a remote IP address, and a local IP address associated with the client for a user, wherein the data including the IP remote address and the local IP address further comprises the timestamp associated with the user that is exclusive or'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the client for the user; and authenticating the client based on the data.
Dependent claims: 31 and 32.
33. A processor readable media that includes components for authenticating a client, the components performing actions, including:
a first component for receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by a means for combining the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address; a second component for determining a remote address and a local address associated with the client; a third component for decrypting the modified authenticator with the hashed salted password; and a fourth component for employing the remote address, local address, and decrypted modified authenticator to authenticate the client by exclusive or'ing a cryptographically strong digest of a concatenation of the remote address, and the local address associated with the decrypted modified authenticator to extract the timestamp associated with the client for the user.