Password constraint enforcement used in external site authentication

US 9,590,979 B2
Filed: 02/11/2016
Issued: 03/07/2017
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor encrypted network communications between a client and an external site;

process the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and

determine whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for password constraint enforcement comprises to;

determine whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and

in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determine that the request violates the policy for password constraint enforcement; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for password constraint enforcement used in external site authentication are disclosed. In some embodiments, password constraint enforcement used in external site authentication includes monitoring encrypted network communications between a client and an external site (e.g., a remote server), in which the encrypted network communications are encrypted using a first protocol (e.g., Secure Sockets Layer (SSL) protocol, HTTPS protocol, or another protocol for encrypted network communications); and determining if the client sends a request to create user credentials for an external site authentication. In some embodiments, password constraint enforcement used in external site authentication further includes performing password constraint enforcement used in the external site authentication.

14 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor encrypted network communications between a client and an external site;
  
  process the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and
  
  determine whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for password constraint enforcement comprises to;
  
  determine whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and
  
  in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determine that the request violates the policy for password constraint enforcement; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system recited in claim 1, wherein:
    - the policy further includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use a user'"'"'s enterprise password on external sites, or a combination thereof; and
      
      the policy includes a username constraint, a password constraint, or both a username constraint and a password constraint.
  - 3. The system recited in claim 1, wherein the request relates to creating a new user account on the external site, the request including a new password associated with the new user account.
  - 4. The system recited in claim 1, wherein the processor is further configured to:
    - perform an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.
  - 5. The system recited in claim 1, wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site; and
      
      send a request to establish the encrypted session on behalf of the client to the external site.
  - 6. The system recited in claim 1, wherein the system is a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site; and
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device.
  - 7. The system recited in claim 1, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; and
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site.
  - 8. The system recited in claim 1, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel; and
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies that include the policy for password constraint enforcement for user authentication on external sites.
  - 9. The system recited in claim 1, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      block the session traffic if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 10. The system recited in claim 1, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      generate an alert if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 11. The system recited in claim 1, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      block the client from accessing the external site if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 12. The system recited in claim 1, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      send a message to the client if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 13. The system recited in claim 1, wherein the system includes a firewall appliance, wherein the encrypted network communications are encrypted using a first protocol, and wherein the first protocol is a Secure Sockets Layer (SSL) protocol or an HTTPS protocol.
  - 14. The system recited in claim 1, wherein:
    - the policy further includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use a user'"'"'s enterprise password on external sites, or a combination thereof; and
      
      the password complexity constraints for the internal users include a minimum password character length, use of at least one uppercase alphanumeric character, use of at least one number, use of at least one symbol, or any combination thereof.
  - 15. The system recited in claim 1, wherein:
    - the policy further includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use a user'"'"'s enterprise password on external sites, or a combination thereof; and
      
      the password complexity constraints for the internal users creating a new user account on the external site include a minimum password character length, use of at least one uppercase alphanumeric character, use of at least one number, use of at least one symbol, or any combination thereof.
  - 16. The system recited in claim 1, wherein the processor is further configured to:
    - determine that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites; and
      
      perform an action in response to determining that that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites, wherein the action includes blocking client access to the external site, logging a vulnerability, discarding the request to create user credentials, sending a message to the client indicating that the request violates the policy for password constraint enforcement for user authentication on external sites, sending a message to the client indicating at least one compliant password option, or any combination thereof.

17. A method, comprising:
- monitoring encrypted network communications between a client and an external site;
  
  processing the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and
  
  determining whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for password constraint enforcement comprises;
  
  determining whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and
  
  in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determining that the request violates the policy for password constraint enforcement.
- View Dependent Claims (18)
- - 18. The method of claim 17, further comprising:
    - performing an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.

19. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring encrypted network communications between a client and an external site;
  
  processing the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and
  
  determining whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for passsword constraint enforcement comprises;
  
  determining whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and
  
  in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determining that the request violates the policy for password constraint enforcement.
- View Dependent Claims (20)
- - 20. The computer program product recited in claim 19, further comprising computer instructions for:
    - performing an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Jahr, Jeffrey Stephen
Primary Examiner(s)
Powers, William
Assistant Examiner(s)
LE, THANH H

Application Number

US15/042,117
Publication Number

US 20160248754A1
Time in Patent Office

390 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Password constraint enforcement used in external site authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Password constraint enforcement used in external site authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links