Methods and apparatus for implementing authentication

US 8,397,059 B1
Filed: 06/02/2011
Issued: 03/12/2013
Est. Priority Date: 02/04/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating communications in a network environment, the method comprising:

engaging, with a proxy device, in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client;

engaging, with the proxy device, in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers; and

facilitating, with the proxy device, a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy (e.g., a switch) resides in a respective network environment between one or more clients and multiple servers. One purpose of the proxy is to provide the clients a unified view of a distributed file system having respective data stored amongst multiple remote and disparate storage locations over a network. Another purpose of the proxy is to enable the clients to retrieve data stored at the multiple servers. To establish a first connection between the proxy and a respective client, the proxy communicates with an authentication agent (residing at a location other than at the client) to verify a challenge response received from the client. When establishing a set of second connections with the multiple servers, the proxy communicates with the authentication agent to generate challenge responses on behalf of the client. The proxy facilitates a flow of data on the first connection and the set of second connections.

Citations

32 Claims

1. A method for authenticating communications in a network environment, the method comprising:
- engaging, with a proxy device, in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client;
  
  engaging, with the proxy device, in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers; and
  
  facilitating, with the proxy device, a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as in claim 1, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
  - 3. A method as in claim 1, wherein engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
  - 4. A method as in claim 1, wherein the first challenge is a request generated by the proxy device on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
  - 5. A method as in claim 1, wherein the engaging in the second set of communications includes:
    - receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and
      
      replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
  - 6. A method as in claim 1, wherein the resource is an authentication agent and the security information associated with the client is obtained from a domain controller associated with the network environment, the method further comprising:
    - enabling, with the proxy device, the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and
      
      initiating, with the proxy device, the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
  - 7. A method as in claim 1 wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
  - 8. A method as in claim 1, wherein the facilitating the flow of traffic comprises:
    - managing how information is stored in the multiple servers; and
      
      providing the client a unified view of accessible information stored in the multiple servers.

9. A proxy device, comprising:
- one or more processors, a network interface controller, and a memory, at least one of the processors or the network interface controller configured to be capable of executing instructions to implement;
  
  engaging in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client;
  
  engaging in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers;
  
  andfacilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A proxy device as in claim 9, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
  - 11. A proxy device as in claim 9, wherein the engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
  - 12. A proxy device as in claim 9, wherein the first challenge is a request generated on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
  - 13. A proxy device as in claim 9, wherein the engaging in the second set of communications includes:
    - receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and
      
      replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
  - 14. A proxy device as in claim 9, wherein the resource is an authentication agent and the security information associated with the client is obtained from a domain controller associated with the network environment and the at least one of the processors or the network interface controller is further configured to be capable of executing instructions to implement:
    - enabling the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and
      
      initiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
  - 15. A proxy device as in claim 9, wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
  - 16. A proxy device as in claim 9, wherein the facilitating the flow of traffic includes:
    - managing how information is stored in the multiple servers; and
      
      providing the client a unified view of accessible information stored in the multiple servers.

17. A non-transitory computer readable medium having instructions stored thereon for authenticating communications in a network environment comprising machine executable code which when executed by a processing device, causes the processing device to perform steps comprising:
- engaging in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client;
  
  engaging in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, forwarding a respective one of the challenge responses to each of the servers;
  
  facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer readable medium as in claim 17, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
  - 19. The computer readable medium as in claim 17, wherein the engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
  - 20. The computer readable medium as in claim 17, wherein the first challenge is a request generated on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
  - 21. The computer readable medium as in claim 17, wherein the engaging in the second set of communications further comprises:
    - receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and
      
      replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
  - 22. The computer readable medium as in claim 17, wherein the resource is an authentication agent and the security information associated with the client is obtained from a domain controller associated with the network environment, the medium further having stored thereon machine executable code which when executed by a processing device, causes the processing device to perform steps further comprisingenabling the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers;
    - andinitiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
  - 23. The computer readable medium as in claim 17, wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
  - 24. The computer readable medium as in claim 17, wherein the facilitating the flow of traffic further comprises:
    - managing how information is stored in the multiple servers; and
      
      providing the client a unified view of accessible information stored in the multiple servers.

25. A system for authenticating communications in a network environment, the system comprising:
- a plurality of servers, a resource device, and a proxy device, the proxy device comprises one or more processors, a network interface controller configured to communicate with the plurality of servers and the resource device, and a memory, at least one of the processors or the network interface controller configured to implement;
  
  engaging in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to the resource device, the resource device independent of the client, and receiving a notification from the resource device that the client has been authenticated, the notification generated using security information associated with the client;
  
  engaging in a second set of communications to establish a set of second communication links with the servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource device, receiving a second challenge response for each of the servers from the resource device, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers; and
  
  facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the servers.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The system as in claim 25, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
  - 27. The system as in claim 25, wherein the engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
  - 28. The system as in claim 25, wherein the first challenge is a request generated on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
  - 29. The system as in claim 25, wherein the engaging in the second set of communications further comprises:
    - receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and
      
      replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
  - 30. The system as in claim 25, further comprising a domain controller and wherein the resource device is an authentication agent and the security information associated with the client is obtained from the domain controller, the medium further having stored thereon machine executable code which when executed by a processing device, causes the processing device to perform steps further comprisingenabling the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers;
    - andinitiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
  - 31. The system as in claim 25, wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
  - 32. The system as in claim 25, wherein the facilitating the flow of traffic further comprises:
    - managing how information is stored in the multiple servers; and
      
      providing the client a unified view of accessible information stored in the multiple servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Ferguson, JC
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US13/152,097
Time in Patent Office

649 Days
Field of Search

713/155, 713/168, 726/8, 726/12, 726/15
US Class Current

713/155
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3271   using challenge-response

Methods and apparatus for implementing authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for implementing authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links