System and method for delivering a challenge response in an authentication protocol

US 8,892,885 B2
Filed: 08/31/2012
Issued: 11/18/2014
Est. Priority Date: 08/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user comprising:

receiving an access-request of a network protocol at a challenge-response server, wherein the network protocol is a client/server protocol running in the application layer and using a user datagram protocol as transport;

determining if an access-challenge message is required;

configuring an active script component to modify an existing static authentication interface of a user device;

delivering the active script component through a parameter of an access-challenge message of the network protocol when an access-challenge is required;

receiving a challenge-response of a user;

validating the challenge-response; and

selectively sending an access-accept response for a valid challenge-response and sending an access-denied response for an invalid challenge-response.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating a user that includes receiving an access-request of a network protocol at a challenge-response server; determining if an access-challenge message is required; delivering an active script component through a parameter of an access-challenge message of the network protocol when an access-challenge is required; receiving a challenge-response of a user; validating the challenge-response; and selectively sending an access-accept response for a valid challenge-response and sending an access-denied response for an invalid challenge-response.

33 Citations

14 Claims

1. A method for authenticating a user comprising:
- receiving an access-request of a network protocol at a challenge-response server, wherein the network protocol is a client/server protocol running in the application layer and using a user datagram protocol as transport;
  
  determining if an access-challenge message is required;
  
  configuring an active script component to modify an existing static authentication interface of a user device;
  
  delivering the active script component through a parameter of an access-challenge message of the network protocol when an access-challenge is required;
  
  receiving a challenge-response of a user;
  
  validating the challenge-response; and
  
  selectively sending an access-accept response for a valid challenge-response and sending an access-denied response for an invalid challenge-response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein determining if an access-challenge message is required includes processing the access-request to verify credentials;
    - and the challenge response server selectively replying with an access-accepted message for verified credentials, an access-denied message if credentials are denied, and an access-challenge message if the credentials require a challenge to verify the credentials.
  - 3. The method of claim 1, wherein the network protocol is a Remote Authentication Dial In User Service (RADIUS) protocol.
  - 4. The method of claim 3, wherein delivering the active script component through a parameter of an access-challenge message of the network protocol includes delivering the active script component embedded in the reply-message field of the of the access-challenge message.
  - 5. The method of claim 4, wherein the active script component is user executable code, and delivering an active script includes configuring the executable code to update an interface of a user device.
  - 6. The method of claim 5, wherein configuring the executable code includes configuring the executable code to update the document object model of a browser window.
  - 7. The method of claim 6, wherein configuring the executable code includes configuring the executable code to update an interface of a user device that collects input for the challenge-response.
  - 8. The method of claim 7, further comprising receiving and processing secondary authentication communication from a rendered challenge interface.
  - 9. The method of claim 3, wherein the active script component is an active script identifier;
    - the method further comprising configuring user device executable code to detect the active script identifier and modify the interface of the user device; and
      
      delivering the user device executable code.

10. A method for authenticating network access comprising:
- receiving an access-request of a network protocol at a challenge response server, wherein the network protocol is a client server protocol running in the application layer and using the User Datagram Protocol (UDP) as transport;
  
  processing the access-request to verify credentials;
  
  the challenge response server selectively replying with an access-accepted message for verified credentials, an access-denied message if credentials are denied, and an access-challenge message if the credentials require a challenge to verify the credentials;
  
  configuring an active script component to transform an authentication interface of a user device;
  
  wherein replying with an access-challenge message includes embedding the active script component in a parameter of the access-challenge;
  
  receiving a challenge-response of a user;
  
  validating the challenge-response; and
  
  selectively sending an access-accept response for a valid challenge-response and sending an access-denied response for an invalid challenge-response.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the network protocol is a Remote Authentication Dial In User Service (RADIUS) protocol.
  - 12. The method of claim 11, further comprising at a user device, rendering the active script component in the reply-message parameter of the access-challenge message in the context of a browser.
  - 13. The method of claim 12, wherein the active script component is user executable code, and delivering an active script.
  - 14. The method of claim 11, wherein the active script component is an active script identifier;
    - the method further comprising at a user device detecting the active script identifier and modifying the interface of the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Douglas, Goodman, Adam
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US13/601,431
Publication Number

US 20130212387A1
Time in Patent Office

809 Days
Field of Search

713/151, 713/168
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/168   above the transport layer

H04L 9/32   including means for verifyi...

System and method for delivering a challenge response in an authentication protocol

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

System and method for delivering a challenge response in an authentication protocol

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others