Systems and methods for caching in authentication systems

US 7,490,237 B1
Filed: 06/27/2003
Issued: 02/10/2009
Est. Priority Date: 06/27/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A process for verification of a client authentication request by a server which can decrease problems associated with sham authentication requests, the process comprising:

receiving, in the server, a client authentication request including client-specific data;

comparing the client specific data to data stored in a first cache memory coupled to the server to determine whether the client specific data meet a first threshold of validity;

if the client specific data meet the first threshold of validity, proceeding with the authentication process; and

if the client specific data do not meet the first threshold of validity, then storing in a second cache memory a portion of the client specific data and an indication that the client specific data do not correspond to a valid client, wherein the portion of the client specific data and the indication stored in the second cache memory identify a client name associated with the client authentication request and associate the client name with a negative indication of validity regardless of whether the client specific data includes valid proof of knowledge of privileged data, and then terminating the verification process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for requesting authentication includes transmitting a hash digest formed from first client-specific data together with second client specific data and receiving, in response to transmitting, an indication of acceptance when the hash digest and second client-specific data correspond to a valid client authentication request.

Citations

21 Claims

1. A process for verification of a client authentication request by a server which can decrease problems associated with sham authentication requests, the process comprising:
- receiving, in the server, a client authentication request including client-specific data;
  
  comparing the client specific data to data stored in a first cache memory coupled to the server to determine whether the client specific data meet a first threshold of validity;
  
  if the client specific data meet the first threshold of validity, proceeding with the authentication process; and
  
  if the client specific data do not meet the first threshold of validity, then storing in a second cache memory a portion of the client specific data and an indication that the client specific data do not correspond to a valid client, wherein the portion of the client specific data and the indication stored in the second cache memory identify a client name associated with the client authentication request and associate the client name with a negative indication of validity regardless of whether the client specific data includes valid proof of knowledge of privileged data, and then terminating the verification process.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The process of claim 1, wherein:
    - proceeding with the authentication process comprises comparing the client specific data with data stored in the second cache memory to determine whether the client specific data meet a second threshold of validity and whether the client specific data correspond to an identity previously determined to be valid or invalid;
      
      if the client specific data meet the second threshold, transmitting a request for verification to a database containing client specific data; and
      
      if the client specific data correspond to an identity previously determined to be invalid, terminating the authentication request.
  - 3. The process of claim 1, wherein receiving comprises receiving data including one or more of:
    - a name, a NameHash, a truncation of a NameHash, a NameKeyHash, a truncation of a NameKeyHash, a TimedNameKeyHash, a truncation of a TimedNameKeyHash or a time.
  - 4. The process of claim 1, wherein receiving comprises receiving a TimedNameKeyHash.
  - 5. The process of claim 1, wherein receiving comprises receiving a TimedNameKeyHash and a current time.
  - 6. The process of claim 1, wherein comparing the client specific data to data stored in the first cache memory comprises comparing a TimedNameKeyHash contained in the authentication request to a function of a stored NameKeyHash and a current time.
  - 7. The process of claim 1, wherein receiving client specific data includes receiving a current time, and further comprising determining whether the received current time disagrees with another current time used by the authentication server, and if the received current time and the other current time disagree, sending the other current time to an originator of the authentication request.

8. A computer system comprising:
- an authentication server; and
  
  a first cache memory coupled to the authentication server, wherein the authentication server is configured to perform a method, the method comprising;
  
  receiving a client authentication request including client-specific data;
  
  comparing the client specific data to data stored in the first cache memory coupled to the authentication server to determine whether the client specific data meet a first threshold of validity;
  
  if the client specific data do not meet the first threshold of validity, terminating authentication and denying the authentication request;
  
  if the client specific data meet the first threshold of validity, proceeding with authentication by comparing the client specific data with data stored in a second cache memory to determine whether the client specific data meet a second threshold of validity and whether the client specific data correspond to an identity previously determined to be valid or invalid;
  
  if the client specific data meet the second threshold, transmitting a request for verification to a database containing client-specific data; and
  
  if the client specific data correspond to an identity previously determined to be invalid, terminating the authentication request.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer system of claim 8, wherein the authentication server is configured to employ a first, plaintext portion of the client-specific data as a cache key to obtain related encrypted client-specific data from the first cache memory.
  - 10. The computer system of claim 8, wherein the authentication server is further configured to perform steps comprising:
    - storing at least a portion of the client specific data in the second cache memory along with an indication that the client specific data do not correspond to a valid client if the client specific data do not meet the first threshold.
  - 11. The computer system of claim 8, wherein the client-specific data includes a NameKeyHash that is also a function of time.
  - 12. The computer system of claim 8, wherein the client-specific data includes TimedNameKeyHash.
  - 13. The computer system of claim 8, wherein the client specific data includes a TimedNameKeyHash and a current time is included with the client-specific data.
  - 14. The computer system of claim 8, wherein the client specific data stored in the first cache memory comprises a NameKeyHash, and wherein the authentication server is further configured to perform steps comprising:
    - forming a TimedNameKeyHash from the NameKeyHash and comparing the formed TimedNameKeyHash to a portion of the client-specific data.
  - 15. The computer system of claim 8, wherein the client specific data includes a current time, and wherein the authentication server is further configured to perform steps comprising:
    - determining whether the received current time disagrees with another current time, the other current time being used by the authentication server, and if the received current time and the other current time disagree, sending the other current time to an originator of the authentication request.

16. A process for verification of a client authentication request by a server which can decrease problems associated with sham authentication requests, the process comprising:
- receiving, in the server, a client authentication request including client-specific data comprising a name or hash of the name along with a client key or a proof of knowledge which identifies the client key;
  
  comparing the client-specific data to data stored in a first cache memory coupled to the server to determine whether the client-specific data meet a first threshold of validity, wherein the first cache memory stores names and keys of valid clients, and wherein the first cache memory uses the name or the hash of the name as a cache key to access the first cache memory;
  
  if the client-specific data meet the first threshold of validity, the first threshold of validity being met when the name and the client key identified in the client authentication request correspond to a valid entry in the first cache memory, proceeding with the authentication process; and
  
  if the client-specific data do not meet the first threshold of validity, then storing the name, the client key, and validity/invalidity indicators in a second cache memory, wherein the name stored in the second cache memory is associated with a validity indication regardless of whether the client key or the proof of knowledge for the client key matches data in an associated authentication database, and terminating the verification process.

17. A process for authenticating a user which can decrease problems associated with sham authentication requests, the process comprising:
- receiving an authentication request including first client specific data comprising at least one of a client name and proof of knowledge of a client key;
  
  computing a NameHash using the received client name and a random session key;
  
  using data corresponding to the NameHash as a cache key to access first validity threshold data from a first cache memory;
  
  comparing the first validity threshold data to the first client specific data; and
  
  if the first client specific data do not meet the first threshold of validity, then storing a portion of the client specific data in a second cache memory along with an indication that the client specific data do not correspond to a valid client, the portion of the client specific data stored in the second cache memory identifying a client name associated with the client authentication request and associating the client name with a validity indication regardless of whether the client specific data included valid proof of knowledge of privileged data, and then terminating the verification process.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The process of claim 17, further comprising, when the first validity data do not match the first client data, storing the client key and a CredentialInvalidFlag in the second cache memory.
  - 19. The process of claim 17, further comprising, when the first validity data do match the first client data, employing the client name as a cache key to access second client validity data from the second cache memory.
  - 20. The process of claim 17, further comprising, when the first validity data do match the first client data, employing the client name as a cache key to access second client validity data from the second cache memory, wherein the second client validity data comprise a stored copy of a client key.
  - 21. The process of claim 17, wherein using data corresponding to the NameHash as a cache key comprises using a truncation of the NameHash to access first validity threshold data from the first cache memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Thompson, Gary A., Chen, Ling Tony, Multerer, Boyd C., VanAntwerp, Mark D., Morais, Dinarte R.
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
Davis; Zachary A

Application Number

US10/608,653
Time in Patent Office

2,055 Days
Field of Search

713/161, 713/168, 713/170, 713/181, 726/2, 726/21, 726 27- 29, 726/5
US Class Current

713/170
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/1458 Denial of Service

Systems and methods for caching in authentication systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for caching in authentication systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links