Access point—authentication server combination

US 9,306,943 B1
Filed: 03/29/2013
Issued: 04/05/2016
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a protected resource, the method comprising:

providing, by a SOHO (small office/home office) device connected to a private network and to a public network, a tokencode prompt to a user device roaming on the public network, the tokencode prompt requesting a tokencode from an electronic token possessed by a user of the user device, the SOHO device including a database containing a set of token seeds from which expected one-time use passcodes (OTPs) are derived;

receiving, by the SOHO device from the user device, a current tokencode from the electronic token possessed by the user; and

performing, by the SOHO device, an authentication operation based on the current tokencode, a result of the authentication operation (i) permitting the user to access the protected resource when the authentication operation determines that the user is legitimate and (ii) denying the user access to the protected resource when the authentication operation determines that the user is not legitimate;

wherein the SOHO device is a network firewall unit having (i) network ports and (ii) a controller which performs network firewall operations to control network traffic between the network ports; and

wherein performing the authentication operation includes;

running, by the controller of the network firewall unit, a tokencode authentication server; and

locally comparing, by the tokencode authentication server run by the controller of the network firewall unit, the current tokencode to an expected tokencode to determine whether the user is legitimate,and wherein the method further comprises;

providing, by the SOHO device, a token seed from the database to the electronic token possessed by the user to configure the electronic token to provide, as tokencodes, current OTPs for comparison with the expected OTPs during authentication; and

providing the user device roaming on the public network with control of a home appliance on the private network when the user is legitimate.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique controls access to a protected resource. The technique involves providing a tokencode prompt to a user. The tokencode prompt requests a tokencode from an electronic token in possession of the user. The technique further involves receiving, in response to the tokencode prompt, a current tokencode from the electronic token in possession of the user. The technique further involves performing, by a SOHO device having an embedded tokencode authentication server, an authentication operation based on the current tokencode. A result of the authentication operation (i) permits the user to access the protected resource when the authentication operation determines that the user is legitimate and (ii) denies the user access to the protected resource when the authentication operation determines that the user is not legitimate. For example, the SOHO device may be a NAS device or a firewall device which with tokencode authentication capabilities.

86 Citations

View as Search Results

15 Claims

1. A method of controlling access to a protected resource, the method comprising:
- providing, by a SOHO (small office/home office) device connected to a private network and to a public network, a tokencode prompt to a user device roaming on the public network, the tokencode prompt requesting a tokencode from an electronic token possessed by a user of the user device, the SOHO device including a database containing a set of token seeds from which expected one-time use passcodes (OTPs) are derived;
  
  receiving, by the SOHO device from the user device, a current tokencode from the electronic token possessed by the user; and
  
  performing, by the SOHO device, an authentication operation based on the current tokencode, a result of the authentication operation (i) permitting the user to access the protected resource when the authentication operation determines that the user is legitimate and (ii) denying the user access to the protected resource when the authentication operation determines that the user is not legitimate;
  
  wherein the SOHO device is a network firewall unit having (i) network ports and (ii) a controller which performs network firewall operations to control network traffic between the network ports; and
  
  wherein performing the authentication operation includes;
  
  running, by the controller of the network firewall unit, a tokencode authentication server; and
  
  locally comparing, by the tokencode authentication server run by the controller of the network firewall unit, the current tokencode to an expected tokencode to determine whether the user is legitimate,and wherein the method further comprises;
  
  providing, by the SOHO device, a token seed from the database to the electronic token possessed by the user to configure the electronic token to provide, as tokencodes, current OTPs for comparison with the expected OTPs during authentication; and
  
  providing the user device roaming on the public network with control of a home appliance on the private network when the user is legitimate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 15)
- - 2. A method as in claim 1 wherein the SOHO device is in communication with a network attached storage (NAS) unit having (i) a set of storage drives and (ii) a controller which performs data storage operations to store data into and load data from the set of storage drives, the data being the protected resource;
    - and wherein performing the authentication operation includes;
      
      providing a security control signal to the NAS unit to operate the NAS unit as a policy enforcement point.
  - 3. A method as in claim 2, further comprising:
    - storing personal data of the user on the set of storage drives of the NAS unit, the controller of the NAS unit working to secure the personal data by performance of tokencode authentication operations.
  - 4. A method as in claim 1, further comprising:
    - providing the user device roaming on the public network with access to an access point device on the private network when a second tokencode from the user device matches a second expected tokencode,wherein the access point device on the private network includes a data storage apparatus; and
      
      wherein providing the user device with access to the access point device includes;
      
      conveying communications signals between user device and the data storage apparatus to enable the user device to access data on the data storage apparatus.
  - 5. A method as in claim 4 wherein providing the user device with access to the access point device further includes:
    - in response to performance of an initialization operation, registering a current network address of the network firewall unit with a dynamic domain name system (DDNS) service to enable the user device to communicate with the network firewall unit using a device name which the DDNS service resolves into the current network address.
  - 6. A method as in claim 1 wherein the method further comprises:
    - providing the user device with access to an access point device on the public network when a second tokencode matches a second expected tokencode, andpreventing the user device from accessing the access point device on the public network when the second tokencode does not match the second expected tokencode.
  - 7. A method as in claim 1, further comprising:
    - sending a communication to the electronic token possessed by the user to authenticate the SOHO device to the electronic token.
  - 8. A method as in claim 1, further comprising:
    - managing the set of token seeds within the database to manage access to multiple access point devices using OTP authentication from the SOHO device.
  - 9. A method as in claim 1 wherein providing the tokencode prompt to the user includes:
    - supplying the user with a challenge code which is a random number generated by the SOHO device, the user entering the challenge code into the electronic token to derive the current tokencode.
  - 10. The method of claim 1, wherein the protected resource is disposed on a device, separate from the network firewall unit, and connected to the network firewall unit over the private network.
  - 15. The method of claim 10, wherein the tokencode authentication server run by the controller of the network firewall unit provides tokencode authentication for multiple protected resources disposed on multiple devices connected to the network firewall unit over the private network.

11. A small office/home office (SOHO) apparatus, comprising:
- a network interface connected to a private network and to a public network;
  
  memory, the memory storing a database containing a set of token seeds from which expected one-time use passcodes (OTPs) are derived; and
  
  control circuitry coupled to the network interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to;
  
  provide, through the network interface, a tokencode prompt to a user device roaming on the network, the tokencode prompt requesting a tokencode from an electronic token possessed by a user,receive a current tokencode from the electronic token possessed by the user through the network interface, andperform an authentication operation based on the current tokencode, a result of the authentication operation (i) permitting the user to access the protected resource when the authentication operation determines that the user is legitimate and (ii) denying the user access to the protected resource when the authentication operation determines that the user is not legitimate;
  
  wherein the network interface includes network ports;
  
  wherein the control circuitry is constructed and arranged to perform network firewall operations to control network traffic between the network ports; and
  
  wherein the control circuitry, when performing the authentication operation, is constructed and arranged to;
  
  run a tokencode authentication server; and
  
  locally compare, by the tokencode authentication server, the current tokencode to an expected tokencode to determine whether the user is legitimate, andwherein the control circuitry is further constructed and arranged to;
  
  provide, by the SOHO device, a token seed from the database to the electronic token possessed by the user to configure the electronic token to provide, as tokencodes, current OTPs for comparison with the expected OTPs during authentication; and
  
  provide the user device roaming on the public computer network with control of a home appliance on the private network when the user is legitimate.
- View Dependent Claims (12, 13)
- - 12. A SOHO apparatus as in claim 11 wherein the network interface is constructed and arranged to communicate with a network attached storage unit which includes a set of storage drives;
    - wherein the control circuitry is constructed and arranged to perform data storage operations to store data into and load data from the set of storage drives.
  - 13. A SOHO apparatus as in claim 11 wherein the instructions further cause the control circuitry to:
    - send a communication through the network interface to the electronic token possessed by the user to authenticate the SOHO device to the electronic token.

14. A computer program product having a non-transitory computer readable medium which stores a set of instructions tocontrol access to a protected resource, the set of instructions, when carried out by computerized circuitry of a set of small office/home office (SOHO) devices on a private network, causing the computerized circuitry of the set of SOHO devices to perform a method of:
- providing, via communication over the private network and over a public network, a tokencode prompt to a user device roaming on the public network, the tokencode prompt requesting a tokencode from an electronic token possessed by a user, the SOHO device including a database containing a set of token seeds from which expected one-time use passcodes (OTPs) are derived;
  
  receiving, from the user device, a current tokencode from the electronic token possessed by the user; and
  
  performing an authentication operation based on the current tokencode, a result of the authentication operation (i) permitting the user to access the protected resource when the authentication operation determines that the user is legitimate and (ii) denying the user access to the protected resource when the authentication operation determines that the user is not legitimate;
  
  wherein the set of SOHO devices includes a network firewall unit having (i) network ports and (ii) a controller which performs network firewall operations to control network traffic between the network ports; and
  
  wherein performing the authentication operation includes;
  
  running, by the controller of the network firewall unit, a tokencode authentication server; and
  
  locally comparing, by the tokencode authentication server run by the controller of the network firewall unit, the current tokencode to an expected tokencode to determine whether the user is legitimate,and wherein the method further comprises;
  
  providing, by the SOHO device, a token seed from the database to the electronic token possessed by the user to configure the electronic token to provide, as tokencodes, current OTPs for comparison with the expected OTPs during authentication; and
  
  providing the user device roaming on the public network with control of a home appliance on the private network when the user is legitimate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Bailey, Daniel V., Duane, William M.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Lynch, Sharon

Application Number

US13/853,653
Time in Patent Office

1,103 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04W 12/06   Authentication

H04W 12/088   using filters or firewalls

Access point—authentication server combination

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Access point—authentication server combination

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links