Server pool kerberos authentication scheme

US 9,602,275 B2
Filed: 10/28/2003
Issued: 03/21/2017
Est. Priority Date: 10/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method of generating a Service Ticket for a requested network service, comprising:

receiving, by a granting computing device, the granting computing device being different and distinct from a client computing device, a request for a Service Ticket for a requested network service from the client computing device;

in response to receiving the request for the Service Ticket from the client computing device, querying, by the granting computing device, a database that indicates which of one or more servers provides the requested network service;

determining, by the granting computing device based on the querying, that the requested network service is provided by a server pool comprising a plurality of servers, the plurality servers being to allow access by the client computing device to the requested network service only when presented with the Service Ticket and only when the Service Ticket includes a session key;

generating, by the granting computing device, the session key, to facilitate access of the requested network service by the client computing device to the plurality of servers;

for each respective server of the plurality of servers of the server pool, encrypting, by the granting computing device, a copy of the session key with a respective secret key associated with a respective one of the plurality of the servers of the server pool to create a set of respective encrypted session keys, wherein each respective encrypted session key in the set of respective encrypted session keys corresponds to one of the respective servers of the server pool;

creating, by the granting computing device, the Service Ticket that includes the set of respective encrypted session keys; and

transmitting, by the granting computing device, the created Service Ticket to the client computing device to allow the client computing device to access the requested network service at the plurality of servers, the access by the client computing device including provision, by the client computing device to one or more of the plurality of servers of the server pool, of the Service Ticket to access the requested network service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to the authenticating a client against a pool of servers utilizing a secure authentication protocol, and, more specifically, to the authenticating a client against a pool of servers providing a common service, utilizing the Kerberos secure authentication protocol.

Citations

12 Claims

1. A method of generating a Service Ticket for a requested network service, comprising:
- receiving, by a granting computing device, the granting computing device being different and distinct from a client computing device, a request for a Service Ticket for a requested network service from the client computing device;
  
  in response to receiving the request for the Service Ticket from the client computing device, querying, by the granting computing device, a database that indicates which of one or more servers provides the requested network service;
  
  determining, by the granting computing device based on the querying, that the requested network service is provided by a server pool comprising a plurality of servers, the plurality servers being to allow access by the client computing device to the requested network service only when presented with the Service Ticket and only when the Service Ticket includes a session key;
  
  generating, by the granting computing device, the session key, to facilitate access of the requested network service by the client computing device to the plurality of servers;
  
  for each respective server of the plurality of servers of the server pool, encrypting, by the granting computing device, a copy of the session key with a respective secret key associated with a respective one of the plurality of the servers of the server pool to create a set of respective encrypted session keys, wherein each respective encrypted session key in the set of respective encrypted session keys corresponds to one of the respective servers of the server pool;
  
  creating, by the granting computing device, the Service Ticket that includes the set of respective encrypted session keys; and
  
  transmitting, by the granting computing device, the created Service Ticket to the client computing device to allow the client computing device to access the requested network service at the plurality of servers, the access by the client computing device including provision, by the client computing device to one or more of the plurality of servers of the server pool, of the Service Ticket to access the requested network service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - generating, by the granting computing device, a Ticket-Granting-Ticket in compliance with the Kerberos protocol;
      
      wherein receiving, by the granting computing device, the request for the Service Ticket from the client computing device includes the granting computing device receiving the Ticket-Granting-Ticket from the client computing device.
  - 3. The method of claim 1, wherein the method further comprises, after determining, by the granting computing device, that the requested network service is provided by the server pool:
    - determining, by the granting computing device, a number of the plurality of servers of the server pool designated to provide the requested network service; and
      
      encrypting, by the granting computing device, a cipher text with the session key;
      
      wherein querying the database that indicates which of one or more servers provides the requested network service includes;
      
      utilizing, by the granting computing device, a database that maps generic server names to specific server names, andsetting, by the granting computing device, the numbers of servers designated to provide the network service equal to a number of specific server names mapped to a generic server name that provides the requested network service.
  - 4. The method of claim 3, wherein the database that maps generic server names to specific server names is selected from a group consisting essentially of:
    - a domain name server database,a database associated with a Key Distribution Center, anda Kerberos database.
  - 5. The method of claim 1, wherein the respective secret keys associated with respective providing servers of the server pool are not synchronized across the respective providing servers.
  - 6. The method of claim 3, wherein the created Service Ticket includes:
    - (1) a header that designates the Service Ticket as a format that includes multiple respective encrypted session keys,(2) a field that expressly designates the number of respective encrypted session keys,(3) the set of respective encrypted session keys, and(4) the cipher text.

7. One or more non-transitory computer readable media having instructions thereon that, when executed by one or more processing devices of a computing device, cause the computing device to:
- receive a request for a Service Ticket for a requested network service from a client computing device, the client computing device being different and distinct from the computing device;
  
  in response to reception of the request for the Service Ticket from the client computing device, query a database that indicates which of one or more servers provides the requested network service;
  
  determine, based on the query, that the requested network service is provided by a server pool comprising a plurality of servers, the plurality of servers being to allow access by the client computing device to the requested network service only when presented with the Service Ticket and only when the Service Ticket includes a session key;
  
  generate the session key to facilitate access of the requested network service by the client computing device to the plurality of servers;
  
  for each respective server of the plurality of servers of the server pool, encrypt a copy of the session key with a respective secret key associated with a respective one of the plurality of servers of the server pool to create a set of respective encrypted session keys, wherein each respective encrypted session key in the set of respective encrypted session keys corresponds to one of the respective servers of the server pool;
  
  create the Service Ticket that includes each of the set of respective encrypted session keys; and
  
  transmit the created Service Ticket to the client computing device to allow the client computing device to access the requested network service at the plurality of servers, the access by the client computing device including provision, by the client computing device to one or more of the plurality of servers of the server pool, of the Service Ticket to access the requested network service.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more computer readable media of claim 7, further comprising instructions thereon that, when executed by the one or more processing devices of the computing device, cause the computing device to:
    - generate a Ticket-Granting-Ticket in compliance with a Kerberos protocol;
      
      wherein receive the request for the Service Ticket from the client computing device includes receive the Ticket-Granting-Ticket from the client computing device.
  - 9. The one or more computer readable media of claim 7, further comprising instructions thereon that, when executed by the one or more processing devices of the computing device, cause the computing device to, after determination that the requested network service is provided by a server pool:
    - determine a number of the plurality of servers of the server pool designated to provide the requested network service; and
      
      encrypt a cipher text with the session key;
      
      wherein query the database that indicates which of one or more servers provides the requested network service includes;
      
      utilize a database that maps generic server names to specific server names, andset the numbers of servers designated to provide the requested network service equal to a number of specific server names mapped to a generic server name that provides the requested network service.
  - 10. The one or more computer readable media of claim 9, wherein the database that maps generic server names to specific server names is selected from a group consisting essentially of:
    - a domain name server database,a database associated with a Key Distribution Center, anda Kerberos database.
  - 11. The one or more computer readable media of claim 9, wherein the created Service Ticket includes:
    - (1) a header that designates the Service Ticket as a format that includes multiple respective encrypted session keys,(2) a field that expressly designates a number of respective encrypted session keys,(3) the set of respective encrypted session keys, and(4) the cipher text.
  - 12. The one or more computer readable media of claim 7, wherein the respective secret keys associated with respective providing servers are not synchronized across the respective providing servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grobman, Steven L.
Primary Examiner(s)
Hayes, John
Assistant Examiner(s)
Winter, John M

Application Number

US10/696,443
Publication Number

US 20050091171A1
Time in Patent Office

4,893 Days
Field of Search

726/50, 726/9, 726/10
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06Q 20/382   insuring higher security of...

H04L 63/045   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

Server pool kerberos authentication scheme

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Server pool kerberos authentication scheme

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links