Server pool Kerberos authentication scheme

US 8,984,613 B2
Filed: 01/05/2007
Issued: 03/17/2015
Est. Priority Date: 10/28/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

one or more processing devices;

one or more non-transitory computer readable media having executable instructions thereon that, in response to execution of the instructions by the one or more processing devices, cause the apparatus to;

authenticate, with an authentication service of the apparatus, whether a client device is eligible to access a key distributor;

issue to the client device, with the authentication service, a grant ticket if the client device is authenticated;

accept, with a ticket granting service of the apparatus, the grant ticket from the client device;

determine, with the ticket granting service, whether a plurality of servers are available to provide the requested network service;

generate, with the ticket granting service, an unencrypted session key;

encrypt, with the ticket granting service, a text with the unencrypted session key;

determine, with the ticket granting service, a number of servers available to provide the network service requested by the client device;

for each determined server, encrypt, with the ticket granting service, the unencrypted session key with a secret key of the corresponding server;

create, with the ticket granting service, a service ticket that includes the encrypted text and the plurality of encrypted session keys associated with respective ones of the plurality of servers; and

transmit, with the ticket granting service, the service ticket to the client device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to the authenticating a client against a pool of servers utilizing a secure authentication protocol, and, more specifically, to the authenticating a client against a pool of servers providing a common service, utilizing the Kerberos secure authentication protocol.

Citations

9 Claims

1. An apparatus comprising:
- one or more processing devices;
  
  one or more non-transitory computer readable media having executable instructions thereon that, in response to execution of the instructions by the one or more processing devices, cause the apparatus to;
  
  authenticate, with an authentication service of the apparatus, whether a client device is eligible to access a key distributor;
  
  issue to the client device, with the authentication service, a grant ticket if the client device is authenticated;
  
  accept, with a ticket granting service of the apparatus, the grant ticket from the client device;
  
  determine, with the ticket granting service, whether a plurality of servers are available to provide the requested network service;
  
  generate, with the ticket granting service, an unencrypted session key;
  
  encrypt, with the ticket granting service, a text with the unencrypted session key;
  
  determine, with the ticket granting service, a number of servers available to provide the network service requested by the client device;
  
  for each determined server, encrypt, with the ticket granting service, the unencrypted session key with a secret key of the corresponding server;
  
  create, with the ticket granting service, a service ticket that includes the encrypted text and the plurality of encrypted session keys associated with respective ones of the plurality of servers; and
  
  transmit, with the ticket granting service, the service ticket to the client device.
- View Dependent Claims (2, 3)
- - 2. The apparatus of claim 1, wherein authenticate the client device includes utilize a protocol in compliance with the Kerberos protocol.
  - 3. The apparatus of claim 1, wherein determine the number of servers available to provide the requested network service includes:
    - use a database to map a generic server name to one or more specific server names; and
      
      set the number of providing servers equal to the number of specific servers mapped to the generic server that provides the same network service requested by the client device.

4. A system comprising:
- one or more processing devices; and
  
  one or more non-transitory computer readable media haying executable instructions thereon that, in response to execution of the instructions by the one or more processing devices, cause the system to;
  
  authenticate, with a key distribution center of the system, whether a client device is eligible to access the key distribution center;
  
  issue to the client device, with the key distribution center, a grant ticket, if the client device is authenticated, for use to access the requested network service;
  
  accept, with the key distribution center, the grant ticket from the client device; and
  
  determine, with the key distribution center, whether a plurality of servers are available to provide the requested network service;
  
  generate, with the key distribution center, an unencrypted session key;
  
  encrypt, with the key distribution center, a text with the unencrypted session key;
  
  determine, with the key distribution center, a number of servers available to provide the requested network service;
  
  for each determined server, encrypt, with the key distribution center, the unencrypted session key with a secret key of the corresponding server;
  
  create, with the key distribution center, a service ticket that includes the encrypted text and the plurality of encrypted session keys associated with respective ones of the providing servers; and
  
  transmit, with the key distribution center, the service ticket to the client device.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The system of claim 4, wherein the executable instructions, in response to execution by the one or more processing devices, cause the system to:
    - utilize, with the key distribution center, a protocol in compliance with the Kerberos protocol.
  - 6. The system of claim 4, wherein determine the number of servers available to provide the requested service includes:
    - utilize a database that maps a generic server name to one or more specific server names; and
      
      set the numbers of servers available to provide the service equal to the number of specific servers mapped to the generic server that provides the requested service.
  - 7. The system of claim 4, wherein the plurality of servers are configured to work together as a single system.
  - 8. The system of claim 4, further comprising:
    - the plurality of servers;
      
      wherein at least one of the plurality of servers includes a second one or more processing devices and one or more non-transitory computer readable media having instructions thereon that, in response to execution of the instructions by the second one or more processing devices, cause the at least one of the plurality of servers to;
      
      receive the service ticket having the plurality of encrypted session keys and the encrypted text;
      
      decrypt one or more of the encrypted session keys in the service ticket with the secret key of the corresponding associated server to recover the one or more decrypted session keys;
      
      decrypt the encrypted text with one of the one or more decrypted session keys; and
      
      provide the network service to the client device, if the encrypted text is successfully decrypted.

9. An apparatus comprising:
- one or more processing devices;
  
  one or more non-transitory computer readable media having instructions thereon that, in response to execution of the instructions by the one or more processing devices, cause the apparatus to;
  
  authenticate, with an authentication service of the apparatus, whether a client device is eligible to access a key distributor;
  
  issue to the client device, with the authentication service, a grant ticket if the client device is authenticated;
  
  accept, with a ticket granting service of the apparatus, the grant ticket from the client device;
  
  generate, with the ticket granting service, the unencrypted session key;
  
  encrypt, with the ticket granting service, a text with the unencrypted session key;
  
  use, with the ticket granting service, a database to map a generic server name to one or more specific server names;
  
  determine, with the ticket granting service, a plurality of servers available to provide the network service requested by the client device by setting a number of providing servers equal to the number of specific servers mapped to the generic server that provides the same network service requested by the client device.for each determined server, encrypt, with the ticket granting service, the unencrypted session key with the secret key of the corresponding server;
  
  create, with the ticket granting service, a service ticket that includes the encrypted text and the plurality of encrypted session keys associated with respective ones of the plurality of servers; and
  
  transmit, with the ticket granting service, the service ticket to the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grobman, Steven L.
Primary Examiner(s)
Kim, Steven
Assistant Examiner(s)
HALE, TIM B

Application Number

US11/650,225
Publication Number

US 20070127723A1
Time in Patent Office

2,993 Days
Field of Search

705 64- 79, 726/2
US Class Current

726/10
CPC Class Codes

G06F 21/33   using certificates

G06Q 20/382   insuring higher security of...

H04L 63/045   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

Server pool Kerberos authentication scheme

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Server pool Kerberos authentication scheme

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links