Automatic centralized authentication challenge response generation
First Claim
1. A method comprising:
- receiving at a first device a challenge from a second device via a computer network when the first device attempts to log in to access the second device;
- transmitting from the first device to an authentication server a first request to generate a response to the received challenge, the authentication server being configured to verify an identity of the first device with respect to the authentication server and determine whether the first device is permitted to access the second device, the authentication server being on a separate computing device from both the first device and the second device, the first request including a name of the first device, a message authenticator for the first device, a name of the second device, and the received challenge from the second device;
- receiving at the first device from the authentication server a first reply to the first request, the first reply containing the response to the received challenge, the response comprising a first result of a computation on the challenge performed by the authentication server using a secret associated with the second device, wherein the secret is not transmitted between the first device and the authentication server during an authentication attempt, the secret being recognizable by the authentication server and not shared with potential peer devices including the first device; and
- based on the first reply from the authentication server, terminating the authentication attempt at the first device or forwarding from the first device to the second device at least a portion of the first reply containing the response to the received challenge;
- when the first device forwards the response to the second device, the second device is configured to:
  - transmit to the authentication server a second request to validate the first device, the second request comprising at least the response, the challenge, the name of the first device, and the name of the second device;
  - receive from the authentication server a second result of a computation on the response performed by the authentication server using the challenge and the secret associated with the second device; and
  - based on the second result from the authentication server, terminate the authentication attempt at the second device or exchange data with the first device to continue the login process to enable the first device to authenticate the second device;
- based on a successful validation of the first device:
  - transmitting a second challenge from the first device to the second device for authentication of the second device by the first device, the second challenge transmitted to the second device to enable the second device to use the authentication server to generate a second response to the second challenge, the authentication server configured to generate the second response by using a first device secret that is associated with the first device and is not shared with the second device;
  - receiving the second response to the second challenge from the second device;
  - sending a third request including the second response to the authentication server to verify the second response, the authentication server configured to authenticate the second device against an expected response by using the first device secret associated with the first device;
  - receiving at the first device a message from the authentication server indicating whether the second device has been authenticated.
Abstract
A centralized challenge response verification server such as a RADIUS server is used to generate challenge responses as well as to verify challenge responses. In this way, the requirement for all machines to maintain a set of shared secrets corresponding to all potential peers is eliminated. In an embodiment of the invention, an authentication plug-in extends the RADIUS server to accept a challenge from an authenticatee and to generate a response to that challenge. The RADIUS server also acts to accept a challenge response and to verify that response. In an embodiment of the invention, a name service server maintains information regarding the network, and may also maintain an identification of network zones and storage profiles within which devices may intercommunicate or other network information.
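The two-direction exchange the abstract and claim 1 describe, as an added in-process Python example (not the patent's or any RADIUS implementation's code). It assumes HMAC-SHA256 for the unspecified server computation, a message authenticator keyed with the requester's own secret, and an allow-list policy that the server applies in both login directions; the storage-profile step of claim 16 is left out.

```python
import hashlib, hmac, os

# Assumption: HMAC-SHA256 stands in for the computation the patent leaves unspecified.
def mac(secret: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()

class AuthServer:
    """RADIUS-like server that both generates and verifies challenge responses."""
    def __init__(self, secrets: dict, allowed: set):
        self.secrets = secrets  # device name -> secret; secrets never leave the server
        self.allowed = allowed  # (requester, peer) pairs permitted to log in

    def generate(self, initiator, authenticator, target, challenge):
        """First request: return the response to the target's challenge, or None if refused."""
        if initiator not in self.secrets or target not in self.secrets:
            return None
        # Verify the initiator's identity from its message authenticator.
        expected = mac(self.secrets[initiator], initiator.encode(), target.encode(), challenge)
        if not hmac.compare_digest(expected, authenticator):
            return None
        if (initiator, target) not in self.allowed:  # access policy, checked centrally
            return None
        # The response is keyed with the *target's* secret, which the initiator never holds.
        return mac(self.secrets[target], challenge)

    def validate(self, initiator, target, challenge, response) -> bool:
        """Second request (from the target): recompute the expected response and compare."""
        secret = self.secrets.get(target)
        return secret is not None and hmac.compare_digest(mac(secret, challenge), response)

class Device:
    """A peer that holds only its own secret and delegates the rest to the server."""
    def __init__(self, name: str, secret: bytes, server: AuthServer):
        self.name, self.secret, self.server = name, secret, server

    def answer(self, peer: str, challenge: bytes):
        """Ask the server to answer a challenge issued by `peer`."""
        auth = mac(self.secret, self.name.encode(), peer.encode(), challenge)
        return self.server.generate(self.name, auth, peer, challenge)

def mutual_login(initiator: Device, target: Device, server: AuthServer) -> bool:
    """Both directions of the claimed exchange; False terminates the attempt."""
    c1 = os.urandom(16)                     # target challenges the initiator
    r1 = initiator.answer(target.name, c1)
    if r1 is None or not server.validate(initiator.name, target.name, c1, r1):
        return False
    c2 = os.urandom(16)                     # initiator challenges the target (roles swapped)
    r2 = target.answer(initiator.name, c2)
    return r2 is not None and server.validate(target.name, initiator.name, c2, r2)
```

Each device only ever sends its own name, its message authenticator and the peer's challenge; a device whose secret does not match what the server holds is refused at the first request, and a forged response fails the target's validation.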
19 Claims
1. (Reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer readable storage device having stored thereon computer-readable instructions that are executable, and responsive to executing the instructions, cause a first device to perform a method comprising:
- receiving at the first device a challenge from a second device via a computer network;
- transmitting from the first device to an authentication server a request to generate a response to the received challenge, the authentication server being on a separate computing device from the first device and the second device, the authentication server being configured to verify an identity of the first device and determine whether the first device is permitted to access the second device, the request including a name of the first device, a message authenticator for the first device, a name of the second device, and the received challenge from the second device;
- receiving at the first device from the authentication server a reply to the request, the reply containing the response to the received challenge, the response comprising a result of a computation performed by the authentication server using a secret associated with the second device, the secret being recognizable by the authentication server and not shared with potential peer devices including the first device, wherein the secret is not transmitted between the first device and the authentication server during an authentication attempt;
- based on the reply from the authentication server, terminating the authentication attempt at the first device or forwarding from the first device to the second device at least a portion of the reply containing the response to the received challenge to enable the second device to verify the response to the received challenge by using the authentication server to validate the first device and return a result of a computation on the response, the computation utilizing the challenge and the secret; and
- based on a successful validation of the response to the challenge, initiating another authentication sequence effective to authenticate the second device to the first device by at least utilizing the authentication server.

Dependent claims: 10, 11, 12, 13, 14, 15.
16. A method implemented by an authentication server device, the method comprising:
- receiving a first request at an authentication server from an initiator device via a network, the first request including at least a challenge issued by a target device when the initiator device attempts to log in to access the target device, the first request further including a name of the initiator device, a message authenticator of the initiator device, and a name of the target device;
- verifying an identity of the initiator device with respect to the authentication server;
- determining that the initiator device is permitted to access the target device;
- generating a response packet to the challenge from the target device by using a secret associated with the target device, each of the initiator and target devices maintaining a respective secret that is recognizable by the authentication server device and not shared with other potential peer devices;
- transmitting, to the initiator device, the response packet to the challenge having an attribute to indicate that the initiator device is permitted to access the target device, the initiator device configured to forward the response packet to the target device for authentication of the initiator device by the target device;
- receiving from the target device a second request that includes at least the challenge, the name of the initiator device, the name of the target device, and the response packet to the challenge, the second request delegating authentication of the initiator device by the target device to the authentication server;
- authenticating the response packet against an expected response that is based on the challenge and the secret associated with the target device;
- based on a valid authentication of the response packet, obtaining storage profile information associated with the initiator device and the target device; and
- transmitting, to the target device, the storage profile information to enable the target device to continue the login process by exchanging data with the initiator device to enable the initiator device to authenticate the target device.

Dependent claims: 17, 18, 19.