Updating stored passwords

US 9,001,999 B2
Filed: 12/06/2011
Issued: 04/07/2015
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

a memory to store instructions; and

a processor to execute the instructions to;

determine that a first form of a password received from a client device differs from a value associated with the client device,the value associated with the client device being derived from a second form of the password,establish, based on determining that the first form of the password differs from the value associated with the client device, a secure connection between the device and the client device via a quarantine network,receive, via the secure connection, a plain-text password from the client device,compare a value derived from the plain-text password with the value associated with the client device to determine whether the value derived from the plain-text password matches the value associated with the client device,associate a third form of the password with the client device when the value derived from the plain-text password matches the value associated with the client device,receive, after associating the third form of the password, a subsequent first form of the password from the client device, andauthenticate the client device using the first form of the password and the third form of the password.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client in accordance with an authentication protocol, and authenticate the client based on a comparison of the first form to a value derived from a second form of the password stored in a password database. The comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client over the secure connection, authenticate the client by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client when the authentication server receives the first form.

Citations

20 Claims

1. A device comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  determine that a first form of a password received from a client device differs from a value associated with the client device,the value associated with the client device being derived from a second form of the password,establish, based on determining that the first form of the password differs from the value associated with the client device, a secure connection between the device and the client device via a quarantine network,receive, via the secure connection, a plain-text password from the client device,compare a value derived from the plain-text password with the value associated with the client device to determine whether the value derived from the plain-text password matches the value associated with the client device,associate a third form of the password with the client device when the value derived from the plain-text password matches the value associated with the client device,receive, after associating the third form of the password, a subsequent first form of the password from the client device, andauthenticate the client device using the first form of the password and the third form of the password.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the first form of the password is the same as the third form of the password.
  - 3. The device of claim 1, where the processor is to execute the instructions further to:
    - apply a function to the second form of the password and a challenge string to obtain the value associated with the client device.
  - 4. The device of claim 3, where, when comparing the value derived from the plain-text password with the value associated with the client device, the processor executes the instructions to:
    - apply the function to the plain-text password and the challenge string to obtain the value derived from the plain-text password.
  - 5. The device of claim 1, where the processor further executes the instructions to:
    - transmit, prior to receiving the first form of the password, a challenge string to the client device,where the first form of the password is based on applying a hash to the plain-text password and the challenge string.
  - 6. The device of claim 1, where, when establishing the secure connection, the processor executes the instructions to:
    - establish a secure hypertext transfer protocol (HTTPS) connection.
  - 7. The device of claim 1, where the quarantine network includes:
    - a virtual local area network (VLAN).

8. A method comprising:
- transmitting, by a device, a first form of a plain-text password to a server to establish a first connection to a network,the first form of the plain-text password being based on a first scheme;
  
  establishing, by the device, the first connection to the network based on transmitting the first form of the plain-text password,the first connection being established based on the server authenticating the device based on the first form of the plain-text password;
  
  transmitting, by the device, a second form of the plain-text password to the server to establish a second connection to the network,the second form of the plain-text password being based on a second scheme that is different from the first scheme, andthe second form of the plain-text password being different from the first form of the plain-text password;
  
  determining, by the device, that an authentication associated with establishing the second connection to the network failed,the authentication being based on the second form of the plain-text password;
  
  establishing, by the device, a secure connection with the server, via a quarantine network, based on determining that the authentication failed;
  
  transmitting, by the device and via the secure connection, the plain-text password based on establishing the secure connection; and
  
  establishing, by the device, the second connection to the network based on transmitting the plain-text password,the second connection being established based on the server authenticating the device based on the plain-text password.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - transmitting the second form of the plain-text password to the server to establish a third connection to the network,where the third connection is established after establishing the second connection; and
      
      establishing, by the device, the third connection to the network,where the third connection is established based on the server authenticating the device based on the second form of the plain-text password.
  - 10. The method of claim 8, further comprising:
    - requesting the second connection to the network;
      
      receiving a challenge string based on requesting the second connection to the network; and
      
      determining the second form of the plain-text password based on the second scheme and the challenge string.
  - 11. The method of claim 8, further comprising:
    - modifying the first scheme to form the second scheme based on upgrading a component of the device,where the component is associated with generating forms of the plain-text password used to authenticate the device.
  - 12. The method of claim 8, further comprising:
    - receiving an upgrade associated with generating forms of the plain-text password used to establish connections to the network; and
      
      generating the second form of the plain-text password using the second scheme based on the upgrade.
  - 13. The method of claim 8, where the quarantine network includes a logical network within the network.
  - 14. The method of claim 8, where the secure connection is established based on an access control list provided by the server.

15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by one or more processors, cause the one or more processors to determine not to authenticate a device based on a first form of a password, received from the device, differing from a value associated with a second form of the password;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to establish, based on determining not to authenticate the device, a secure connection with the device via a quarantine network;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to receive, via the secure connection, a plain-text password from the device;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to compare a value derived from the plain-text password with the value associated with the second form of the password to determine whether the value derived from the plain-text password matches the value associated with the second form of the password;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to authenticate the device when the value derived from the plain-text password matches the value associated with the second form of the password;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to associate a third form of the password with the device when the value derived from the plain-text password matches the value associated with the second form of the password;
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to receive, after authenticating the device, a subsequent first form of the password from the device; and
  
  one or more instructions which, when executed by the one or more processors, cause the one or more processors to authenticate the device using the first form of the password and the third form of the password.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, where the first form of the password is the same as the third form of the password.
  - 17. The computer-readable medium of claim 15, where the instructions further comprise:
    - one or more instructions to apply a function to the second form of the password and a challenge string to determine the value associated with the second form of the password.
  - 18. The computer-readable medium of claim 17, where the one or more instructions to authenticate the device include:
    - one or more instructions to apply the function to the plain-text password and the challenge string to determine the value derived from the plain-text password.
  - 19. The computer-readable medium of claim 15, where the instructions further comprise:
    - one or more instructions to transmit, prior to receiving the first form of the password, a challenge string to the device based on receiving a request to establish a connection to a network from the device,where the first form of the password is based on a hash of the plain-text password and the challenge string.
  - 20. The computer-readable medium of claim 15, where the one or more instructions to receive the plain-test password include:
    - one or more instructions to establish a secure connection to a quarantine network based on determining not to authenticate the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Tsang, Andy, Chickering, Roger A., Kahn, Clifford E., Venable, Jeffrey C. Sr.
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/312,062
Publication Number

US 20120144471A1
Time in Patent Office

1,218 Days
Field of Search

380/28, 380/21, 380/22, 380/25, 380/27, 380/29, 380/277, 726/5, 726/19, 726/26, 713/159, 713/172, 713/183, 713/184
US Class Current

380/28
CPC Class Codes

G06F 16/137   Hash-based content-based in...

H04L 63/083   using passwords cryptograph...

H04L 63/126   the source of the received ...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Updating stored passwords

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Updating stored passwords

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links