Methods and apparatus for implementing authentication

US 7,958,347 B1
Filed: 02/02/2006
Issued: 06/07/2011
Est. Priority Date: 02/04/2005
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating communications in a respective network environment, the method comprising:

engaging in a first set of communications to establish a first communication link with a client;

engaging in a second set of communications by utilizing security information associated with the client obtained from a resource independent from the client for purposes of establishing a set of second communication links with multiple servers on behalf of the client; and

facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers;

wherein utilizing security information associated with the client from the resource other than the client includes on behalf of the client, communicating with an agent over a secure network connection to obtain the security information managed by a domain controller associated with the respective network environment and wherein the resource further communicates with the domain controller to obtain password based information for the client authorized to communicate with the multiple servers, wherein the password based information is used by one or more of the multiple servers to authorize the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy (e.g., a switch) resides in a respective network environment between one or more clients and multiple servers. One purpose of the proxy is to provide the clients a unified view of a distributed file system having respective data stored amongst multiple remote and disparate storage locations over a network. Another purpose of the proxy is to enable the clients retrieve data stored at the multiple servers. To establish a first connection between the proxy and a respective client, the proxy communicates with an authentication agent (residing at a location other than at the client) to verify a challenge response received from the client. When establishing a set of second connections with the multiple servers, the proxy communicates with the authentication agent to generate challenge responses on behalf of the client. The proxy facilitates a flow of data on the first connection and the set of second connections.

251 Citations

28 Claims

1. A method for authenticating communications in a respective network environment, the method comprising:
- engaging in a first set of communications to establish a first communication link with a client;
  
  engaging in a second set of communications by utilizing security information associated with the client obtained from a resource independent from the client for purposes of establishing a set of second communication links with multiple servers on behalf of the client; and
  
  facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers;
  
  wherein utilizing security information associated with the client from the resource other than the client includes on behalf of the client, communicating with an agent over a secure network connection to obtain the security information managed by a domain controller associated with the respective network environment and wherein the resource further communicates with the domain controller to obtain password based information for the client authorized to communicate with the multiple servers, wherein the password based information is used by one or more of the multiple servers to authorize the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method as in claim 1, wherein engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client.
  - 3. A method as in claim 1, wherein engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
  - 4. A method as in claim 1, wherein engaging in the first set of communications includes verifying that a respective message received from the client includes an encrypted value generated by the client indicating that the client is authentic and is able to establish a connection with the multiple servers.
  - 5. A method as in claim 4, wherein engaging in the second set of communications includes:
    - for each server of the multiple servers;
      
      i) generating a message and corresponding encrypted value on behalf of the client based on use of the security information and a respective data value received from a respective server, and ii) forwarding the corresponding encrypted value to the respective server for purposes of establishing and authenticating a respective second communication link with the respective server on behalf of the client.
  - 6. A method as in claim 5 further comprising:
    - generating different encrypted values for each of the multiple servers based on different respective data values received from the multiple servers.
  - 7. A method as in claim 1, wherein engaging in the second set of communications includes:
    - for each respective server of the multiple servers;
      
      i) generating a message and corresponding encrypted value on behalf of the client based on use of the security information and a corresponding data value received from a respective server, and ii) forwarding the corresponding encrypted value to the respective server for purposes of authenticating a respective second communication link with the respective server on behalf of the client.
  - 8. A method as in claim 1, wherein engaging in the first set of communications includes:
    - receiving a username associated with the client;
      
      generating a numerical value;
      
      forwarding the numerical value to the client;
      
      receiving a first encrypted value in response to the client applying a password hash function to the numerical value;
      
      on behalf of the client, forwarding the username associated with the client, the numerical value, and the first encrypted value over a network to an authentication agent that;
      
      i) generates a second encrypted value based on the numerical value and the security information, the security information being a respective password hash function associated with the username of the client, and ii) compares the first encrypted value and the second encrypted value to authenticate the client.
  - 9. A method as in claim 1, wherein engaging in a second set of communications includes:
    - for each respective server of the multiple servers;
      
      originating a request to a respective server of the multiple servers for establishing a respective second communication link;
      
      receiving a numerical value associated with a challenge from the respective server;
      
      forwarding the numerical value associated with the challenge as well as username information associated with the client over a network to an authentication agent that;
      
      i) obtains a password hash function associated with the username, ii) applies the password hash function to the numerical value to generate an encrypted value;
      
      receiving the encrypted value from the authentication agent over the network;
      
      forwarding the encrypted value to the respective server in response to the challenge from the respective server; and
      
      receiving confirmation from the respective server indicating whether the respective second communication link has been authenticated for conveying communications on behalf of the client.
  - 10. A method as in claim 1, wherein engaging in the first set of communications includes initiating and forwarding a challenge to the client for purposes of authenticating that the client is authorized to establish the first communication link, the challenge being a request generated by a proxy on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client.
  - 11. A method as in claim 1, wherein engaging in the second set of communications includes receiving a unique challenge value from each of the multiple servers and replying to multiple unique challenge values from the multiple servers with different respective responses on behalf of the client for purposes of authenticating that a respective proxy acting on behalf of the client is authorized to establish the second communication links with the multiple servers.
  - 12. A method as in claim 1 further comprising:
    - enabling the agent to obtain a memory dump from the domain controller associated with the respective network environment, the memory dump including username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers.
  - 13. A method as in claim 12 further comprising:
    - initiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value, the numerical value also provided to the client as part of an authentication challenge.
  - 14. A method as in claim 1 further comprising:
    - after establishing the first communication link and the multiple second communication links, utilizing at least one access control list associated with the multiple servers to i) enable the client to retrieve at least some of the information stored in the multiple servers and ii) prevent other clients from accessing at least some of the information stored in the multiple servers.
  - 15. A method as in claim 1, wherein facilitating the flow of traffic includes:
    - managing how information is stored in the multiple servers; and
      
      after establishing the first communication link and the set of second communication links, providing the client a unified view of accessible information stored in the multiple servers.
  - 16. A method as in claim 1, wherein facilitating the flow of traffic between the first communication link and the set of second communication links includes:
    - receiving an access request from the client over the first communication link;
      
      in response to receiving the access request, communicating with the multiple servers over the second communication links to retrieve requested information associated with the access request; and
      
      forwarding the requested information retrieved from the multiple servers to the client over the first communication link.

17. A computer system that performs authentication procedures on behalf of a client for purposes of accessing multiple servers, the computer system comprising:
- a processor;
  
  a memory unit that stores instructions associated with an application executed by the processor; and
  
  an interconnect coupling the processor and the memory unit, enabling the processor to execute the application and perform operations comprising;
  
  engaging in a first set of communications to establish a first communication link with the client;
  
  engaging in a second set of communications by utilizing security information associated with the client obtained from a resource independent from the client for purposes of establishing a set of second communication links with the multiple servers on behalf of the client; and
  
  facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers;
  
  wherein utilizing security information associated with the client from the resource other than the client includes on behalf of the client, communicating with an agent over a secure network connection to obtain the security information managed by a domain controller associated with the respective network environment and wherein the resource further communicates with the domain controller to obtain password based information for the client authorized to communicate with the multiple servers, wherein the password based information is used by one or more of the multiple servers to authorize the client.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. A computer system as in claim 17, wherein engaging in the first set of communications includes verifying that a respective message received from the client includes an encrypted value generated by the client indicating that the client is authentic and is able to establish a connection with the multiple servers.
  - 19. A computer system as in claim 18, wherein engaging in the second set of communications includes:
    - for each server of the multiple servers;
      
      i) generating a message and corresponding encrypted value on behalf of the client based on use of the security information and a respective data value received from a respective server, and ii) forwarding the corresponding encrypted value to the respective server for purposes of establishing and authenticating a respective second communication link with the respective server on behalf of the client.
  - 20. A computer system as in claim 19 that supports further operations of:
    - generating different encrypted values for each of the multiple servers based on different respective data values received from the multiple servers.
  - 21. A computer system as in claim 17, wherein engaging in the second set of communications includes:
    - for each respective server of the multiple servers;
      
      i) generating a message and corresponding encrypted value on behalf of the client based on use of the security information and a corresponding data value received from a respective server, and ii) forwarding the corresponding encrypted value to the respective server for purposes of authenticating a respective second communication link with the respective server on behalf of the client.
  - 22. A computer system as in claim 17, wherein engaging in the first set of communications includes initiating and forwarding a challenge to the client for purposes of authenticating that the client is authorized to establish the first communication link, the challenge being a request generated by a proxy on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client.
  - 23. A computer system as in claim 17, wherein engaging in the second set of communications includes receiving a unique challenge value from each of the multiple servers and replying to multiple unique challenge values from the multiple servers with different respective responses on behalf of the client for purposes of authenticating that a respective proxy acting on behalf of the client is authorized to establish the second communication links with the multiple servers.
  - 24. A computer system as in claim 17, wherein facilitating the flow of traffic includes:
    - i) managing how information is stored in the multiple servers, and ii) after establishing the first communication link and the set of second communication links, providing the client a unified view of accessible information stored in the multiple servers, the method further comprising;
      
      enabling the agent to obtain a memory dump from the domain controller associated with the respective network environment, the memory dump including username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and
      
      initiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value, the numerical value also provided to the client as part of an authentication challenge.

25. A network system comprising:
- a client;
  
  a first set of multiple servers;
  
  a first proxy device disposed in a respective network environment between the client and the first set of multiple servers, the first proxy device supporting operations of;
  
  engaging in a first set of communications to establish a first communication link with a client;
  
  engaging in a second set of communications by utilizing security information associated with the client obtained from a resource independent from the client for purposes of establishing a set of second communication links with multiple servers on behalf of the client; and
  
  facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers;
  
  wherein utilizing security information associated with the client from the resource other than the client includes on behalf of the client, communicating with an agent over a secure network connection to obtain the security information managed by a domain controller associated with the respective network environment and wherein the resource further communicates with a domain controller to obtain password based information for the client authorized to communicate with the multiple servers, wherein the password based information is used by one or more of the multiple servers to authorize the client.
- View Dependent Claims (26, 27)
- - 26. A network system as in claim 25, wherein the client, the multiple servers, and the first proxy device rely on at least partial use of the NTLM (Windows NT LAN Manager) protocol to authenticate the first communication link and the set of second communication links.
  - 27. A network system as in claim 25 further comprising:
    - a second proxy device;
      
      wherein the first proxy establishes at least one communication link with the second proxy device, the second proxy device supporting operations of;
      
      engaging in a third set of communications to;
      
      i) obtain security information associated with the client from the resource independent from the client, and ii) utilize the security information on behalf of the client to authenticate a set of third communication links between the second proxy device and a second set of multiple servers such that the client is able to access data from the second set of multiple servers via a path including the first communication link, the at least one communication link, and the set of third communication links from the second proxy device to the second set of multiple servers.

28. A non-transitory computer program product including a computer-readable medium having instructions stored thereon for processing data information, such that the instructions, when carried out by a processing device, enable the processing device to perform the steps comprising:
- engaging in a first set of communications to authenticate and establish a first communication link associated with a client;
  
  engaging in a second set of communications by obtaining and utilizing security information on behalf of the client obtained from a resource independent from the client to authenticate and establish a set of second communication links with multiple servers; and
  
  facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers;
  
  wherein utilizing security information associated with the client from the resource other than the client includes on behalf of the client, communicating with an agent over a secure network connection to obtain the security information managed by a domain controller associated with the respective network environment and the resource further communicates with a domain controller to obtain password based information for the client authorized to communicate with the multiple servers, wherein the password based information is used by one or more of the multiple servers to authorize the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Ferguson, J C
Primary Examiner(s)
Simitoski, Michael J

Application Number

US11/346,415
Time in Patent Office

1,951 Days
Field of Search

713/155, 726/8, 726/12, 726/15
US Class Current

713/155
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3271   using challenge-response

Methods and apparatus for implementing authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

251 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for implementing authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

251 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links