Automatic centralized authentication challenge response generation

US 8,086,853 B2
Filed: 03/18/2005
Issued: 12/27/2011
Est. Priority Date: 03/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at a first device a challenge from a second device via a computer network when the first device attempts to log in to access the second device;

transmitting from the first device to an authentication server a first request to generate a response to the received challenge, the authentication server being configured to verify an identity of the first device with respect to the authentication server and determine whether the first device is permitted to access the second device, the authentication server being on a separate computing device from both the first device and the second device, the first request including a name of the first device, a message authenticator for the first device, a name of the second device, and the received challenge from the second device;

receiving at the first device from the authentication server a first reply to the first request, the first reply containing the response to the received challenge, the response comprising a first result of a computation on the challenge performed by the authentication server using a secret associated with the second device, wherein the secret is not transmitted between the first device and the authentication server during an authentication attempt, the secret being recognizable by the authentication server and not shared with potential peer devices including the first device; and

based on the first reply from the authentication server, terminating the authentication attempt at the first device or forwarding from the first device to the second device at least a portion of the first reply containing the response to the received challenge;

when the first device forwards the response to the second device, the second device is configured to;

transmit to the authentication server a second request to validate the first device, the second request comprising at least the response, the challenge, the name of the first device, and the name of the second device;

receive from the authentication server a second result of a computation on the response performed by the authentication server using the challenge and the secret associated with the second device; and

based on the second result from the authentication server, terminate the authentication attempt at the second device or exchange data with the first device to continue the login process to enable the first device to authenticate the second device;

based on a successful validation of the first device;

transmitting a second challenge from the first device to the second device for authentication of the second device by the first device, the second challenge transmitted to the second device to enable the second device to use the authentication server to generate a second response to the second challenge, the authentication server configured to generate the second response by using a first device secret that is associated with the first device and is not shared with the second device;

receiving the second response to the second challenge from the second device;

sending a third request including the second response to the authentication server to verify the second response, the authentication server configured to authenticate the second device against an expected response by using the first device secret associated with the first device;

receiving at the first device a message from the authentication server indicating whether the second device has been authenticated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A centralized challenge response verification server such as a RADIUS server is used to generate challenge responses as well as to verify challenge responses. In this way, the requirement for all machines to maintain a set of shared secrets corresponding to all potential peers is eliminated. In an embodiment of the invention, an authentication plug-in extends the RADIUS server to accept a challenge from an authenticatee and to generate a response to that challenge. The RADIUS server also acts to accept a challenge response and to verify that response. In an embodiment of the invention, a name service server maintains information regarding the network, and may also maintain an identification of network zones and storage profiles within which devices may intercommunicate or other network information.

Citations

19 Claims

1. A method comprising:
- receiving at a first device a challenge from a second device via a computer network when the first device attempts to log in to access the second device;
  
  transmitting from the first device to an authentication server a first request to generate a response to the received challenge, the authentication server being configured to verify an identity of the first device with respect to the authentication server and determine whether the first device is permitted to access the second device, the authentication server being on a separate computing device from both the first device and the second device, the first request including a name of the first device, a message authenticator for the first device, a name of the second device, and the received challenge from the second device;
  
  receiving at the first device from the authentication server a first reply to the first request, the first reply containing the response to the received challenge, the response comprising a first result of a computation on the challenge performed by the authentication server using a secret associated with the second device, wherein the secret is not transmitted between the first device and the authentication server during an authentication attempt, the secret being recognizable by the authentication server and not shared with potential peer devices including the first device; and
  
  based on the first reply from the authentication server, terminating the authentication attempt at the first device or forwarding from the first device to the second device at least a portion of the first reply containing the response to the received challenge;
  
  when the first device forwards the response to the second device, the second device is configured to;
  
  transmit to the authentication server a second request to validate the first device, the second request comprising at least the response, the challenge, the name of the first device, and the name of the second device;
  
  receive from the authentication server a second result of a computation on the response performed by the authentication server using the challenge and the secret associated with the second device; and
  
  based on the second result from the authentication server, terminate the authentication attempt at the second device or exchange data with the first device to continue the login process to enable the first device to authenticate the second device;
  
  based on a successful validation of the first device;
  
  transmitting a second challenge from the first device to the second device for authentication of the second device by the first device, the second challenge transmitted to the second device to enable the second device to use the authentication server to generate a second response to the second challenge, the authentication server configured to generate the second response by using a first device secret that is associated with the first device and is not shared with the second device;
  
  receiving the second response to the second challenge from the second device;
  
  sending a third request including the second response to the authentication server to verify the second response, the authentication server configured to authenticate the second device against an expected response by using the first device secret associated with the first device;
  
  receiving at the first device a message from the authentication server indicating whether the second device has been authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein transmitting from the first device to the authentication server the first request to generate the response to the received challenge comprises forwarding the challenge to the authentication server.
  - 3. The method of claim 2, wherein the message authenticator is provided by the first device to authenticate the first device to the authentication server.
  - 4. The method according to claim 1, further comprising prior to receiving at the first device the challenge from the second device, transmitting from the first device to the second device an access request.
  - 5. The method of claim 1, wherein the first and second devices are data storage devices in a storage area network.
  - 6. The method of claim 1, wherein the network comprises a storage area network, and receiving at the first device the challenge from the second device comprises receiving a Challenge Handshake Authentication Protocol (CHAP) challenge from the second device.
  - 7. The method of claim 1, wherein terminating the authentication attempt at the first device or forwarding from the first device to the second device at least the portion of the first reply containing the response to the received challenge comprises forwarding from the first device to the second device the response if the first reply from the server includes the response to the received challenge, and otherwise terminating the authentication attempt at the first device.
  - 8. The method of claim 1, wherein:
    - the first and second devices are data storage devices in a storage area network;
      
      the authentication server is an access control server for the storage area network;
      
      the authentication service is configured with an authentication plug-in; and
      
      the first computation and second compilation are performed under control of the authentication plug-in.

9. A computer readable storage device having stored thereon computer-readable instructions that are executable, and responsive to executing the instructions, cause a first device to perform a method comprising:
- receiving at the first device a challenge from a second device via a computer network;
  
  transmitting from the first device to an authentication server a request to generate a response to the received challenge, the authentication server being on a separate computing device from the first device and the second device, the authentication server being configured to verify an identity of the first device and determine whether the first device is permitted to access the second device, the request including a name of the first device, a message authenticator for the first device, a name of the second device, and the received challenge from the second device;
  
  receiving at the first device from the authentication server a reply to the request, the reply containing the response to the received challenge, the response comprising a result of a computation performed by the authentication server using a secret associated with the second device, the secret being recognizable by the authentication server and not shared with potential peer devices including the first device, wherein the secret is not transmitted between the first device and the authentication server during an authentication attempt;
  
  based on the reply from the authentication server, terminating the authentication attempt at the first device or forwarding from the first device to the second device at least a portion of the reply containing the response to the received challenge to enable the second device to verify the response to the received challenge by using the authentication server to validate the first device and return a result of a computation on the response, the computation utilizing the challenge and the secret; and
  
  based on a successful validation of the response to the challenge, initiating another authentication sequence effective to authenticate the second device to the first device by at least utilizing the authentication server.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer readable storage device according to claim 9, wherein the instructions for transmitting from the first device to the authentication server the request to generate the response to the received challenge comprise instructions for forwarding the challenge to the authentication server.
  - 11. The computer readable storage device of claim 10 further comprising instructions for providing authentication information to authenticate the first device to the authentication server.
  - 12. The computer readable storage device according to claim 9, the instructions further comprising instructions for transmitting from the first device to the second device an access request prior to receiving at the first device the challenge from the second device.
  - 13. The computer readable storage device of claim 9, wherein the first and second devices comprise data storage devices in a storage area network.
  - 14. The computer readable storage device of claim 9, wherein the network comprises a storage area network, and the instructions for receiving at the first device the challenge from the second device comprise instructions for receiving a Challenge Handshake Authentication Protocol (CHAP) challenge from the second device.
  - 15. The computer readable storage device of claim 9, wherein the instructions for terminating the authentication attempt at the first device or forwarding from the first device to the second device at least the portion of the reply containing the response to the received challenge comprise instructions for forwarding from the first device to the second device the response to the second device if the reply from the server includes the response to the received challenge, and otherwise terminating the authentication attempt at the first device.

16. A method implemented by an authentication server device, the method comprising:
- receiving a first request at an authentication server from an initiator device via a network, the first request including at least a challenge issued by a target device when the initiator device attempts to login to access the target device, the first request further including a name of the initiator device, a message authenticator of the initiator device, and a name of the target device;
  
  verifying an identity of the initiator device with respect to the authentication server;
  
  determining that the initiator device is permitted to access the target device;
  
  generating a response packet to the challenge from the target device by using a secret associated with the target device, each of the initiator and target devices maintaining a respective secret that is recognizable by the authentication server device and not shared with other potential peer devices;
  
  transmitting, to the initiator device, the response packet to the challenge having an attribute to indicate that the initiator device is permitted to access the target device, the initiator device configured to forward the response packet to the target device for authentication of the initiator device by the target device;
  
  receiving from the target device a second request that includes at least the challenge, the name of the initiator device, the name of the target device, and the response packet to the challenge, the second request delegating authentication of the initiator device by the target device to the authentication server;
  
  authenticating the response packet against an expected response that is based on the challenge and the secret associated with the target device;
  
  based on a valid authentication of the response packet, obtaining storage profile information associated with the initiator device and the target device; and
  
  transmitting, to the target device, the storage profile information to enable the target device to continue the login process by exchanging data with the initiator device to enable the initiator device to authenticate the target device.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising:
    - receiving a third request at the authentication server from the target device requesting generation of a second response packet to a second challenge issued by the initiator device for authentication of the target device;
      
      generating the second response packet to the second challenge by using a secret associated with the initiator device;
      
      transmitting the second response packet to the second challenge to enable the target device to forward the second response packet to the initiator device;
      
      receiving from the initiator device a fourth request including at least the second challenge and the second response packet to the second challenge, the fourth request delegating the authentication of the target device by the initiator device to the authentication server;
      
      verifying the second response packet against a second expected response based on the second challenge and the secret associated with the initiator device;
      
      based on the second response packet being validated, transmitting a reply to the fourth request to the initiator device to indicate that the target device has been authenticated.
  - 18. The method of claim 16, wherein the challenge is a Challenge Handshake Authentication Protocol (CHAP) challenge, and wherein the authentication server device is a Remote Authentication Dial-In User Service (RADIUS) server.
  - 19. The method of claim 16, wherein the initiating device and the target device each comprise a data storage device in a storage area network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Warwick, Alan M.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Su, Sarah

Application Number

US11/084,622
Publication Number

US 20060212701A1
Time in Patent Office

2,475 Days
Field of Search

713/168, 713/155, 713/169, 710/15, 710/8
US Class Current

713/168
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 9/321   involving a third party or ...

H04L 9/3273   for mutual authentication n...

Automatic centralized authentication challenge response generation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic centralized authentication challenge response generation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links