Updating stored passwords

US 8,094,812 B1
Filed: 09/28/2007
Issued: 01/10/2012
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an authentication server device to;

receive a first form of a password from a client device according to an authentication protocol, andauthenticate the client device based on a comparison of the first form of the password to a value, derived from a second form of the password and stored in a password database, where the authentication server fails to authenticate the client device when the first form of the password is different than the value derived from the second form of the password; and

a server device to;

establish, when, based on the comparison, the authentication server device fails to authenticate the client device, a secure connection between a quarantine network and the client device,receive a plain-text password from the client device over the secure connection,authenticate the client device based on comparing a value derived from the plain-text password with the value derived from the second form of the password,update, when the client device is authenticated, the password database with a third form of the password that enables the authentication server device to successfully authenticate the client device based on the first form of the password,receive, after updating the password database with the third form of the password, a subsequent first form of the password, from the client device,retrieve the third form of the password from the password databasederive a second value from the third form of the password,compare the subsequent first form of the password to the second value, andauthenticate the client device based on comparing the subsequent first form of the password to the second value.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

Citations

18 Claims

1. A system comprising:
- an authentication server device to;
  
  receive a first form of a password from a client device according to an authentication protocol, andauthenticate the client device based on a comparison of the first form of the password to a value, derived from a second form of the password and stored in a password database, where the authentication server fails to authenticate the client device when the first form of the password is different than the value derived from the second form of the password; and
  
  a server device to;
  
  establish, when, based on the comparison, the authentication server device fails to authenticate the client device, a secure connection between a quarantine network and the client device,receive a plain-text password from the client device over the secure connection,authenticate the client device based on comparing a value derived from the plain-text password with the value derived from the second form of the password,update, when the client device is authenticated, the password database with a third form of the password that enables the authentication server device to successfully authenticate the client device based on the first form of the password,receive, after updating the password database with the third form of the password, a subsequent first form of the password, from the client device,retrieve the third form of the password from the password databasederive a second value from the third form of the password,compare the subsequent first form of the password to the second value, andauthenticate the client device based on comparing the subsequent first form of the password to the second value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, where the first form of the password is the same as the third form of the password.
  - 3. The system of claim 1, where one or more of the first form of the password and the third form of the password include one of:
    - a cryptographic hash of the plain-text password;
      
      ora cryptographic hash of a combination of the plain-text password and a challenge string.
  - 4. The system of claim 1, where the authentication server device is further to:
    - derive the value from the second form of the password, where when deriving the value, the authentication server device is to compute a cryptographic hash of a combination of the second form of the password and a challenge string.
  - 5. The system of claim 1,where the server device includes:
    - a web server to receive the plain-text password from a browser of the client device.
  - 6. The system of claim 1, where the authentication server device includes one of:
    - a remote authentication dial-in user service (RADIUS) authentication server;
      
      ora Diameter authentication server.
  - 7. The system of claim 1, where the authentication server device is further to:
    - receive a request for a communication link to a network from the client device; and
      
      send a password challenge in response to the request, where the first form of the password is received in response to the password challenge.
  - 8. The system of claim 7, where the communication link includes:
    - a point-to-point communication link.
  - 9. The system of claim 1, where the authentication protocol includes:
    - an extensible authentication protocol (EAP).
  - 10. The system of claim 1, where the secure connection includes:
    - a secure hypertext transfer protocol (HTTPS) connection.

11. A method comprising:
- receiving a first form of a password from a client device;
  
  retrieving a second form of the password from a password database;
  
  deriving a value from the second form of the password;
  
  comparing the first form of the password to the derived value;
  
  establishing, when, based on the comparing, the first form of the password and the derived value are determined to be different, a secure connection between the client device and a quarantine network;
  
  receiving a plain-text password, from the client device, over the secure connection;
  
  authenticating the client device based on comparing a value derived from the plain-text password with the value derived from the second form of the password;
  
  replacing, when the client device is authenticated, the second form of the password in the password database with a third form of the password that enables the client device to be authenticated based on the first form of the password;
  
  receiving, after replacing the second form of the password with the third form of the password, a subsequent first form of the password, from the client device;
  
  retrieving the third form of the password from the password database;
  
  deriving a second value from the third form of the password;
  
  comparing the subsequent first form of the password to the second value; and
  
  authenticating the client device based on comparing the subsequent first form of the password to the second value.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising:
    - receiving a request from the client device to access a point-to-point connection to a network.
  - 13. The method of claim 11, where receiving the subsequent first form of the password includes:
    - receiving the subsequent first form of the password from a network access device that receives the plain-text password from the client device.
  - 14. The method of claim 11, where the subsequent first form of the password comprises a cryptographic hash of the plain-text password and a challenge string.
  - 15. The method of claim 14, where the cryptographic hash is computed by the client device.
  - 16. The method of claim 14, where the cryptographic hash is computed by a network access device.
  - 17. The method of claim 11, where receiving the first form of the password includes:
    - receiving the first form of the password based on an extensible authentication protocol (EAP).

18. A non-transitory computer-readable medium containing instructions executable by one or more devices, the computer-readable medium comprising:
- one or more instructions to receive a first form of a password,one or more instructions to determine, based on comparing a value derived from the first form of the password with a value derived from a second form of the password, whether to authenticate the client device, where the second form is stored in a memory associated with the device,one or more instructions to establish a connection between the client device and a quarantine network when the client device is not authenticated based on comparing the first form of the password to the value derived from the second form of the password,one or more instructions to receive, in response to establishing the connection, a plain-text password from the client device over the connection,one or more instructions to authenticate the client device based on comparing a value derived from the plain-text password with the value derived from the second form of the password,one or more instructions to overwrite, when the client device is authenticated, the second form of the password, in the memory, with a third form of the password,one or more instructions to subsequently receive the first form of the password,one or more instructions to compare the subsequently received first form of the password to a value derived from the third form of the password, andone or more instructions to authenticate the client device based on comparing the subsequently received first form of the password to the value derived from the third form of the password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Tsang, Andy, Chickering, Roger A., Kahn, Clifford E., Venable, Jeffrey C. Sr.
Primary Examiner(s)
Pyzocha, Michael
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/864,598
Time in Patent Office

1,565 Days
Field of Search

380/28, 380/59, 726/2, 726/5, 726/27, 713/182, 713/183, 713/184, 713/185
US Class Current

380/28
CPC Class Codes

G06F 16/137   Hash-based content-based in...

H04L 63/083   using passwords cryptograph...

H04L 63/126   the source of the received ...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Updating stored passwords

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Updating stored passwords

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links