Adding client authentication to networked communications

US 8,347,374 B2
Filed: 11/15/2007
Issued: 01/01/2013
Est. Priority Date: 11/15/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a request from a client at a security agent node, the request to be passed through to a target server, the security agent node providing client authentication functionality for the target server that lacks the client authentication functionality;

constructing, by a processing device, a challenge for the client, the challenge comprising a nonce and an encrypted copy of the request;

transmitting the challenge to the client;

receiving a response to the challenge from the client, the response comprising a message authentication code (MAC) computed using the encrypted copy of the request and a shared key;

verifying the response; and

when the response is valid, forwarding, by the security agent node, the request received from the client to the target server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pass-through agent receives a request from a client and authenticates the client before forwarding the request to a target server that lacks client authentication capability. The target server is configured to accept requests from the pass-through agent, and may be configured to reject requests that do not come from the pass-through agent.

49 Citations

View as Search Results

22 Claims

1. A computer-implemented method comprising:
- receiving a request from a client at a security agent node, the request to be passed through to a target server, the security agent node providing client authentication functionality for the target server that lacks the client authentication functionality;
  
  constructing, by a processing device, a challenge for the client, the challenge comprising a nonce and an encrypted copy of the request;
  
  transmitting the challenge to the client;
  
  receiving a response to the challenge from the client, the response comprising a message authentication code (MAC) computed using the encrypted copy of the request and a shared key;
  
  verifying the response; and
  
  when the response is valid, forwarding, by the security agent node, the request received from the client to the target server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1 wherein the target server is incapable of constructing the challenge and verifying the response.
  - 3. The computer-implemented method of claim 1 wherein the target server is incapable of transmitting the challenge and receiving the response.
  - 4. The computer-implemented method of claim 1 wherein forwarding the request to the server comprises transmitting the request via an intra-machine communication channel.
  - 5. The computer-implemented method of claim 4 wherein the intra-machine communication channel is one of Unix-domain socket, a shared memory area, or a localhost network socket.
  - 6. The computer-implemented method of claim 1 wherein the request includes an identifier of the target server, the method further comprising:
    - receiving a message from the client; and
      
      posting a corresponding message to a message queue of the target server at a system where the target server operates.
  - 7. The computer-implemented method of claim 6 wherein the message received from the client is a message describing a user interface event.
  - 8. The computer-implemented method of claim 6 wherein the corresponding message is a message describing a user interface event.

9. A computer-implemented method comprising:
- intercepting, at a security agent node, a request directed to a software agent, the security agent node providing authentication functionality for the software agent that lacks the authentication functionality;
  
  authenticating, by a processing device of the security agent node, a sender of the request by sending a challenge to the sender, the challenge comprising a nonce and an encrypted copy of the request, and verifying a response from the sender, the response comprising a message authentication code (MAC) computed using the encrypted copy of the request and a shared key; and
  
  when the authenticating is successful, forwarding the request intercepted at the security agent node to the software agent.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-implemented method of claim 9 wherein the software agent responds to requests presented according to a first protocol, and wherein the authentication operation occurs pursuant to a second, different protocol that is incompatible with the first protocol.
  - 11. The computer-implemented method of claim 9 wherein the authenticating operation comprises:
    - transmitting a challenge to the sender of the request;
      
      receiving a response to the challenge from the sender of the request; and
      
      validating the response.
  - 12. The computer-implemented method of claim 11 wherein the challenge comprises a random number and an encoded form of the request.
  - 13. The computer-implemented method of claim 11 wherein the shared key comprises a shared symmetric encryption key.

14. A system comprising:
- a memory;
  
  a processing device, coupled to the memory; and
  
  a security agent, executed from the memory by the processing device, to receive a request from a client, validate the client and pass the request to a service provider via an unauthenticated channel by sending a challenge to the client, the challenge comprising a nonce and an encrypted copy of the request, and verifying a response from the client, the response comprising a message authentication code (MAC) computed using the encrypted copy of the request and a shared key, wherein the security agent provides client authentication functionality for the service provider that lacks the client authentication functionality.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14 wherein the service provider and the security agent are processes executing on a programmable processing device.
  - 16. The system of claim 15 wherein the service provider and the security agent are processes executing under control of a Microsoft Windows operating system.
  - 17. The system of claim 15 wherein the service provider and the security agent are processes executing under control of a Unix operating system.
  - 18. The system of claim 14 wherein passing the request to the service provider comprises:
    - forwarding the request via a message queue, a local-domain socket or a loopback socket.

19. A non-transitory machine-readable medium storing data and instructions to cause a programmable processing device to perform operations comprising:
- accepting a Transmission Control Protocol/Internet Protocol (“
  
  TCP/IP”
  
  ) connection from a client at a security agent;
  
  receiving, by the processing device of the security agent, a request from the client over the TCP/IP connection;
  
  sending a challenge to the client over the TCP/IP connection, the challenge comprising a nonce and an encrypted copy of the request;
  
  receiving a response to the challenge from the client over the TCP/IP connection, the response comprising a message authentication code (MAC) computed using the encrypted copy of the request and a shared key;
  
  validating the response; and
  
  when the response is successfully validated, sending, by the security agent the request to a target server, wherein the security agent provides client authentication functionality for the target server that lacks the client authentication functionality.
- View Dependent Claims (20, 21, 22)
- - 20. The non-transitory machine-readable medium of claim 19, containing additional data and instructions to cause the programmable processing device to perform operations comprising:
    - negotiating a Secure Sockets Layer (“
      
      SSL”
      
      ) connection after accepting the TCP/IP connection and before receiving the request from the client.
  - 21. The non-transitory machine-readable medium of claim 19, containing additional data and instructions to cause the programmable processing device to perform operations comprising:
    - receiving a reply to the request from the target server; and
      
      sending the reply to the client over the TCP/IP connection.
  - 22. The non-transitory machine-readable medium of claim 19 wherein sending the request to the target server comprises posting a synthetic event to an event queue of the target server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James P.
Primary Examiner(s)
Gergiso, Techane

Application Number

US11/940,951
Publication Number

US 20090133113A1
Time in Patent Office

1,874 Days
Field of Search

726/12
US Class Current

726/12
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 2221/2103   Challenge-response

H04L 63/0435   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

Adding client authentication to networked communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Adding client authentication to networked communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links