Method and system for binding kerberos-style authenticators to single clients

US 7,392,390 B2
Filed: 12/11/2002
Issued: 06/24/2008
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a client, comprising:

receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by exclusive or'"'"'ing the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address;

determining a remote address and a local address associated with the client;

decrypting the modified authenticator with the hashed salted password; and

employing the remote address, local address, and decrypted modified authenticator to authenticate the client by;

concatenating the remote address with the local address associated with the client;

determining a cryptographic digest associated with the concatenated addresses;

exclusive or'"'"'ing the cryptographic digest with the decrypted modified authenticator to extract the timestamp associated with the modified authenticator; and

if the extracted timestamp is within a pre-determined time window,authenticating the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are directed towards enabling authentication in a distributed environment. The method employs a hashed salted password associated with a user in part to pre-authenticate the user. If the user is pre-authenticated, a ticket is transmitted to a client. The ticket includes a cryptographic digest of a concatenation of the local and remote addresses that is exclusive or'"'"'ed with a timestamp to generate a modified authenticator. The modified authenticator is directed at binding the timestamp to the client to minimize reuse of an authenticator. A packet that includes the authenticator is sent to a server. The server is configured to determine another remote and local IP address associated with the packet. Employing the remote and local addresses, the server extracts the timestamp from the modified authenticator. If the timestamp is within a pre-determined time window, the user may be authenticated.

162 Citations

33 Claims

1. A method for authenticating a client, comprising:
- receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by exclusive or'"'"'ing the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address;
  
  determining a remote address and a local address associated with the client;
  
  decrypting the modified authenticator with the hashed salted password; and
  
  employing the remote address, local address, and decrypted modified authenticator to authenticate the client by;
  
  concatenating the remote address with the local address associated with the client;
  
  determining a cryptographic digest associated with the concatenated addresses;
  
  exclusive or'"'"'ing the cryptographic digest with the decrypted modified authenticator to extract the timestamp associated with the modified authenticator; and
  
  if the extracted timestamp is within a pre-determined time window,authenticating the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein determining the cryptographic digest further comprises determining a hash based on at least one of a Secure Hash Algorithm, Message Digest (MD), Korean Hash Algorithm Standard (KAS), and Tiger.
  - 3. The method of claim 1, wherein employing the remote address, local address, and decrypted modified authenticator to authenticate the client further comprises:
    - determining another timestamp associated with the modified authenticator; and
      
      when the client is behind a network address translator, authenticating the client when the other timestamp is equal to a stored timestamp; and
      
      when the client is not behind the network address translator, authenticating the client.
  - 4. The method of claim 1, wherein determining a remote address associated with the client further comprises extracting an address from a packet header associated with the authentication request from the client.
  - 5. The method of claim 4, wherein the packet header is a TCP/IP packet header.
  - 6. The method of claim 4, wherein the remote address is a source IP address in the packet header.
  - 7. The method of claim 1, further comprising providing the authenticated client with a ticket that enables the client to access content, wherein the ticket comprises at least one of a client readable portion, server readable portion, and another modified authenticator.
  - 8. The method of claim 7, wherein other modified authenticator is encrypted employing a session key, wherein the session key is encrypted within the server readable portion of the ticket.
  - 9. The method of claim 7, wherein the client readable portion is encrypted employing the hashed salted password associated with the user.
  - 10. The method of claim 7, wherein the server readable portion is encrypted employing a digital public encryption key.
  - 11. The method of claim 7, wherein the server readable portion is digitally signed.
  - 12. The method of claim 1, wherein the hashed salted password is hashed based on at least one of a Secure Hash Algorithm, Message Digest (MD), Korean Hash Algorithm Standard (KAS), and Tiger.
  - 13. The method of claim 1, wherein receiving an authentication request further comprises forwarding the authentication request through a server.

14. A system for authenticating a client over a network, comprising:
- the client that is configured to communicate an authentication request; and
  
  an application authentication server that is configured to perform actions, including;
  
  receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed saLted password associated with a user, wherein the modified authenticator binds a timestamp to the client by combining the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address;
  
  determining the remote address and the local address associated with the client;
  
  decrypting the modified authenticator with the hashed salted password; and
  
  employing the remote address, local address, and the timestamp to authenticate the client by exclusive or'"'"'ing a cryptographically strong digest of a concatenation of the remote address, and the local address associated with the decrypted modified authenticator to extract the timestamp associated with the client for the user, wherein the application authentication server further comprises;
  
  (a) an authentication server, that is configured to employ the remote address, local address, and the timestamp to authenticate the client, and to perform actions, including;
  
  (i) generating a ticket-granting ticket, wherein the ticket-granting ticket includes another modified authenticator that comprises another timestamp, remote address, and the local address associated with the client; and
  
  (b) a ticket-granting server that is enabled to receive the ticket-granting ticket, and to perform actions, including;
  
  (i) decrypting the other modified authenticator with a session key associated with the ticket-granting ticket;
  
  (ii) authenticating the client based in pad on the remote address, local address, and decrypted other modified authenticator; and
  
  (iii) if the client is authentic, providing a content ticket to the client, wherein the content ticket enables the client to access content.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The system of claim 14, wherein employing the remote address, local address, and timestamp to authenticate the client further comprises:
    - concatenating the remote address with the local address associated with the client;
      
      determining a cryptographic digest associated with the concatenated addresses;
      
      combining the cryptographic digest with another timestamp associated with the modified authenticator; and
      
      if the other timestamp is within a pre-determined time window, authenticating the client.
  - 16. The system of claim 15, wherein combining further comprises exclusive or'"'"'ing the cryptographic digest with the timestamp.
  - 17. The system of claim 14, wherein determining the cryptographic digest further comprises determining a hash based on at least one of a Secure Hash Algorithm, Message Digest (MD), Korean Hash Algorithm Standard (KAS), and Tiger.
  - 18. The system of claim 14, wherein employing the remote address, local address, and decrypted modified authenticator to authenticate the client further comprises:
    - determining a timestamp associated with the modified authenticator; and
      
      when the client is behind a network address translator, authenticating the client when the timestamp is equal to a stored timestamp; and
      
      when the client is not behind the network address translator, authenticating the client.
  - 19. The system of claim 14, wherein determining a remote address associated with the client further comprises extracting an address from a packet header associated with the authentication request from the client.
  - 20. The system of claim 19, wherein the packet header is a TCP/IP packet header.
  - 21. The system of claim 14, wherein the application authentication sewer is configured to perform further actions, including providing the authenticated client with a ticket that enables the client to access content, wherein the ticket comprises at least one of a client readable portion, server readable portion, and another modified authenticator.
  - 22. The system of claim 21, wherein other modified authenticator is encrypted employing a session key, wherein the session key is encrypted within the server readable portion of the ticket.
  - 23. The system of claim 21, wherein the sewer readable portion is encrypted employing a digital public encryption key.

24. A computer-readable medium having stored thereon a data structure comprising data fields including a ticket granting ticket that is issued to a computer for a user, including an authentication data field containing data including a timestamp, a remote IP address, and a local IP address associated with the computer for the user, wherein the data including the IP remote address and the local IP address further comprises the timestamp associated with the user that is exclusive or'"'"'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the computer for the user, wherein the computer-readable medium includes a component employed to authenticate the computer for the user based on the data structure, and wherein the authentication data field is encrypted with a hashed salted user'"'"'s password and a session key.
- View Dependent Claims (25)
- - 25. The computer-readable medium of claim 24, wherein the data structure further comprising:
    - a client readable data field, wherein the client readable data field is encrypted using a hashed salted password associated with the user;
      
      a server readable data field, wherein the server readable data field includes a session key to decrypt the authentication data field.

26. An apparatus for authenticating a client, comprising:
- a means for receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by a means for combining the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address;
  
  a means for determining a remote address and a local address associated with the client;
  
  a means for decrypting the modified authenticator with the hashed salted password; and
  
  a means for employing the remote address, local address, and decrypted modified authenticator to authenticate the client by exclusive or'"'"'ing a cryptographically strong digest of a concatenation of the remote address, and the local address associated with the decrypted modified authenticator to extract the timestamp associated with the client for the user.

27. A method for authenticating a client, comprising:
- determining an authentication data including a timestamp, a remote IP address, and a local IP address associated with a client for a user, wherein the authentication data including the IP remote address and the local IP address further comprises the timestamp associated with the user that is exclusive or'"'"'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the client for the user, wherein the authentication data is encrypted with at least a hashed salted user'"'"'s password; and
  
  authenticating the client for the user based on the authentication data; and
  
  issuing to the client for the user, a ticket granting ticket, wherein the ticket granting ticket includes the authentication data.
- View Dependent Claims (28, 29)
- - 28. The method of claim 27, wherein the authentication data is encrypted with at least a session key.
  - 29. The method of claim 27, further comprising:
    - encrypting a client readable data field using a hashed salted password associated with the user; and
      
      decrypting the authentication data using a session key.

30. A system for authenticating a client, comprising:
- the client that is configured to communicate an authentication request; and
  
  an application authentication server in communication with the client and configured to perform actions, including;
  
  receiving the authentication request, wherein the authentication request is encrypted with a hashed salted password;
  
  determining, in response to the authentication request, data including a timestamp, a remote IP address, and a local IP address associated with the client for a user, wherein the data including the IP remote address and the local IP address further comprises the timestamp associated with the user that is exclusive or'"'"'ed with a cryptographically strong digest of a concatenation of the IP remote address and the local IP address associated with the client for the user; and
  
  authenticating the client based on the data.
- View Dependent Claims (31, 32)
- - 31. The system of claim 30, wherein the application authentication server is further configured to issue to the client, a ticket granting ticket, wherein the ticket granting ticket includes the authentication data.
  - 32. The system of claim 30, wherein the application authentication server is further configured to determine the remote IP address by extracting an address from a packet header associated with the authentication request.

33. A processor readable media that includes components for authenticating a client, the components performing actions, including:
- a first component for receiving an authentication request from the client that includes a modified authenticator encrypted with a hashed salted password associated with a user, wherein the modified authenticator binds a timestamp to the client by a means for combining the timestamp with a remote address and a local address associated with the client, wherein the remote address is a remote IP address, and wherein the local address is a local IP address;
  
  a second component for determining a remote address and a local address associated with the client;
  
  a third component for decrypting the modified authenticator with the hashed salted password; and
  
  a fourth component for employing the remote address, local address, and decrypted modified authenticator to authenticate the client by exclusive or'"'"'ing a cryptographically strong digest of a concatenation of the remote address, and the local address associated with the decrypted modified authenticator to extract the timestamp associated with the client for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valve Corporation
Original Assignee
Valve Corporation
Inventors
Newcombe, Christopher Richard
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Brown; Christopher J

Application Number

US10/318,349
Publication Number

US 20030172269A1
Time in Patent Office

2,022 Days
Field of Search

726/10, 713/155, 713/170, 713/178
US Class Current

713/170
CPC Class Codes

H04L 2463/101   applying security measures ...

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/0896   Bandwidth or capacity manag...

H04L 61/2514   between local and global IP...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0846   using time-dependent-passwo...

H04L 63/123   received data contents, e.g...

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/289   Intermediate processing fun...

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

H04L 67/53   using third party service p...

H04L 67/55 : Push-based network services

H04L 67/564 : Enhancement of application ...

H04L 67/5681 : Pre-fetching or pre-deliver...

H04L 67/62 : Establishing a time schedul...

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

View All

Method and system for binding kerberos-style authenticators to single clients

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

162 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for binding kerberos-style authenticators to single clients

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links