One time passwords with IPsec and IKE version 1 authentication
First Claim
1. A method of operating a computing device to establish an IPsec session, the method comprising:
- sending a first communication to an authentication service, the first communication containing a one-time-password;
- receiving, from a one-time password service, in response to the first communication, a reply comprising an indication that the one-time-password was successfully validated;
- sending a second communication to a certificate authority, the second communication containing the indication that the one-time-password was successfully validated by the one-time password service in response to the first communication;
- receiving, from the certificate authority, in response to the second communication, a certificate, the certificate comprising the indication that the one-time-password was successfully validated; and
- establishing the IPsec session with the certificate provided by the certificate authority.
Abstract
A system adapted to condition access to a network over an IPsec session to clients providing a proper one-time-password, even though the network access control uses IKEv1, which does not support one-time-passwords. An authentication service receives from a client an access request including the one-time-password, and provides the one-time-password to a service that checks the password. The one-time-password service returns a cookie when the password is successfully validated and the client is properly authenticated. The cookie is passed on to the client computer, which uses the cookie as part of a request for a certificate. A certificate authority generates a certificate if a request for a certificate is received from an authenticated client, which in turn may be used to form the IPsec session for access to the network.
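The flow described in the abstract, as an added example (not code from the patent): the authentication service checks the client's credentials and forwards the OTP to an OTP service, which returns a signed cookie; the client presents the cookie to the CA, which checks signature, expiry and single use before issuing a certificate that carries the "OTP validated" indication. The TOTP check, the HMAC-signed cookie and the HMAC-"signed" certificate stand in for mechanisms the patent does not specify; all keys, user names and the credential store are constructed, and a real CA would sign with a private key and hand the certificate to the IKEv1 exchange.

```python
import base64, hashlib, hmac, json, secrets, struct
# Constructed demo material (not from the patent): in practice the OTP seed lives on the
# user's token, the cookie key is shared only by OTP service and CA, and the CA signs with a private key.
OTP_SEED = b"constructed-totp-seed-0123456789"
COOKIE_KEY = secrets.token_bytes(32)
CA_KEY = secrets.token_bytes(32)
USERS = {"alice": "correct-horse-battery-staple"}  # constructed credential store
_used_nonces = set()                                # CA-side replay protection for cookies

def totp(seed, t, step=30, digits=6):
    """RFC 6238 time-based OTP (HMAC-SHA1 with dynamic truncation)."""
    h = hmac.new(seed, struct.pack(">Q", int(t) // step), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = (struct.unpack(">I", h[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def _sign(key, body):
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def otp_service(user, code, t):
    """Validates the OTP; on success returns a short-lived, signed cookie (the 'indication')."""
    if not hmac.compare_digest(code, totp(OTP_SEED, t)):
        return None
    nonce = base64.urlsafe_b64encode(secrets.token_bytes(8)).decode()
    body = json.dumps({"user": user, "otp_ok": True, "exp": int(t) + 60, "nonce": nonce}).encode()
    return _sign(COOKIE_KEY, body)

def auth_service(user, password, code, t):
    """First communication: check the client's credentials, then hand the OTP to the OTP service."""
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return None
    return otp_service(user, code, t)

def certificate_authority(user, cookie, t):
    """Second communication: issue a certificate only for a valid, unexpired, unused cookie."""
    body, _, tag = cookie.rpartition(b".")
    if not hmac.compare_digest(tag, hmac.new(COOKIE_KEY, body, hashlib.sha256).hexdigest().encode()):
        return None
    c = json.loads(body)
    if c["user"] != user or not c["otp_ok"] or c["exp"] < t or c["nonce"] in _used_nonces:
        return None
    _used_nonces.add(c["nonce"])
    # The certificate itself records that the OTP was validated, as the claims require.
    cert = {"subject": user, "otp_validated": True, "not_after": int(t) + 3600}
    return _sign(CA_KEY, json.dumps(cert).encode())

def enroll(user, password, code, t):
    """Client side: credentials + OTP -> cookie -> certificate, which IKEv1 would then use."""
    cookie = auth_service(user, password, code, t)
    return certificate_authority(user, cookie, t) if cookie else None
```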
20 Claims
1. (Independent claim 1, as set out under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A system comprising:
- at least one processor coupled to a network, the at least one processor implementing an authentication service, a one-time-password service, and a certificate authority; wherein
- the authentication service is adapted to receive over the network a first communication from a client, the first communication containing credentials associated with the client and a one-time-password, and the authentication service is adapted to validate the credentials associated with the client and convey the one-time-password to the one-time-password service;
- the one-time-password service is adapted to validate the one-time-password and return to the authentication service an indication of results of validation of the one-time-password;
- the certificate authority is adapted to receive over the network a second communication from the client, the second communication including the indication of results of validation of the one-time-password from the client, and to selectively issue a certificate when the results received from the client indicate that the one-time-password was successfully validated by the one-time password service, wherein the certificate includes an indication that the one-time password was successfully validated.

Dependent claims: 10, 11, 12, 13, 14, 15.

16. At least one non-transitory computer-readable storage medium comprising computer-executable instructions that, when executed by a processor of a client computer, perform a method of forming an IPsec session, the method comprising:
- sending a first communication to an authentication service, the first communication containing credentials of a user of the client computer and a one-time-password;
- receiving from the authentication service, in response to the first communication, a reply comprising an indication that the one-time-password was successfully validated;
- sending a second communication to the authentication service, the second communication comprising a request for a certificate from a certificate authority and containing the indication that the one-time password was successfully validated in the first communication;
- receiving from the authentication service, in response to the second communication, the certificate, the certificate comprising an indication that the one-time-password was successfully validated; and
- establishing the IPsec session with the certificate used in an Internet Key Exchange version 1 (IKEv1) protocol.

Dependent claims: 17, 18, 19, 20.