System and method for integrating an authentication service within a network architecture

US 9,736,154 B2
Filed: 09/16/2014
Issued: 08/15/2017
Est. Priority Date: 09/16/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a gateway configured to restrict access to an internal network;

an authentication server communicatively coupled to the gateway;

a client device with an authentication client having a plurality of authentication devices coupled thereto for authenticating a user, the authentication client configured to establish a communication channel with the authentication server and to register one or more of the authentication devices with the authentication server, the authentication devices usable for performing online authentication with the authentication server following registration;

the authentication client to authenticate the user with the authentication server using one or more of the registered authentication devices in response to an attempt to gain access to the internal network via the gateway;

the authentication server to provide the client device with a cryptographic data structure in response to a successful authentication;

the client device to provide the cryptographic data structure to the gateway as proof of the successful authentication; and

the gateway to validate the cryptographic data structure with the authentication server, wherein upon receiving an indication from the authentication server that the cryptographic data structure is valid, the gateway to provide access by the client device to the internal network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are described for integrating an authentication service within an existing network infrastructure. One embodiment of a method comprises: configuring a gateway to restrict access to an internal network; configuring an authentication client of a client device to establish a communication channel with the authentication server and to register one or more authentication devices with the authentication server; authenticating the user with the authentication server using one or more of the registered authentication devices in response to an attempt to gain access to the internal network via the gateway; providing the client device with a cryptographic data structure in response to a successful authentication; providing the cryptographic data structure to the gateway as proof of the successful authentication; validating the cryptographic data structure with the authentication server; providing access to the gateway upon receiving an indication from the authentication server that the cryptographic data structure is valid.

286 Citations

24 Claims

1. A system comprising:
- a gateway configured to restrict access to an internal network;
  
  an authentication server communicatively coupled to the gateway;
  
  a client device with an authentication client having a plurality of authentication devices coupled thereto for authenticating a user, the authentication client configured to establish a communication channel with the authentication server and to register one or more of the authentication devices with the authentication server, the authentication devices usable for performing online authentication with the authentication server following registration;
  
  the authentication client to authenticate the user with the authentication server using one or more of the registered authentication devices in response to an attempt to gain access to the internal network via the gateway;
  
  the authentication server to provide the client device with a cryptographic data structure in response to a successful authentication;
  
  the client device to provide the cryptographic data structure to the gateway as proof of the successful authentication; and
  
  the gateway to validate the cryptographic data structure with the authentication server, wherein upon receiving an indication from the authentication server that the cryptographic data structure is valid, the gateway to provide access by the client device to the internal network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system as in claim 1 further comprising:
    - a browser configured on the client device, wherein in response to an attempt by the user to access the internal network via the browser, the gateway provides browser-executable code which, when executed by the browser, triggers the authentication by establishing a communication channel between the authentication server and the authentication client.
  - 3. The system as in claim 2 wherein the cryptographic data structure comprises a ticket.
  - 4. The system as in claim 3 wherein the gateway is configured to provide the browser with an Hypertext Markup Language (HTML) form which includes the browser-executable code, the HTML form having one or more fields for entry of a user name and one or more passwords.
  - 5. The system as in claim 4 wherein the ticket comprises a random string of digits or other form of one time password (OTP) capable of being submitted to the gateway via a field of the HTML form.
  - 6. The system as in claim 1 wherein the authentication server validates the cryptographic data structure provided by the gateway using a key associated with the authentication device used for authentication.
  - 7. The system as in claim 6 wherein the gateway validates the cryptographic data structure with the authentication server using a Remote Authentication DialIn User Service (RADIUS) protocol.
  - 8. The system as in claim 1 wherein the gateway comprises a secure sockets layer (SSL) virtual private network (VPN) gateway.

9. A system comprising:
- a network security infrastructure to provide network security services for an internal network;
  
  an authentication server communicatively coupled to the existing network security infrastructure;
  
  a client device with an authentication client having a plurality of authentication devices coupled thereto for authenticating a user, the authentication client configured to establish a communication channel with the authentication server and to register one or more of the authentication devices with the authentication server, the authentication devices usable for performing online authentication with the authentication server following registration;
  
  the authentication client to authenticate the user with the authentication server using one or more of the registered authentication devices in response to an attempt to gain access to the internal network;
  
  the authentication server to provide the client device with a cryptographic data structure in response to a successful authentication;
  
  the client device to use the cryptographic data structure to authenticate with the network security infrastructure; and
  
  the network security infrastructure to validate the cryptographic data structure based on a trust relationship established with the authentication server, the network security infrastructure to provide access by the client device to the internal network upon validation of the cryptographic data structure.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system as in claim 9 wherein the cryptographic data structure comprises a digital certificate signed with a root certificate held by the authentication server, wherein the trust relationship comprises the network security infrastructure trusting signatures generated using the root certificate.
  - 11. The system as in claim 10 wherein the digital certificate comprises a public/private key pair generated by the authentication server.
  - 12. The system as in claim 11 wherein the digital certificate includes a timestamp or other data indicating a length of time for which the digital certificate is valid.
  - 13. The system as in claim 12 wherein to use the digital certificate to authenticate with the network security infrastructure, the authentication client is to sign a challenge provided by the network security infrastructure.
  - 14. The system as in claim 13 wherein the network security infrastructure is configured to validate the signature on the digital certificate using a public key of the root certificate provided by the authentication server with which it has the trust relationship;
    - and is further configured to validate the signature over the challenge using a public key from the digital certificate.
  - 15. The system as in claim 9 wherein the network security infrastructure comprises a Microsoft Active Directory and Kerberos infrastructure.
  - 16. The system as in claim 9 further comprising:
    - a gateway coupling the authentication client to the authentication server.

17. A method comprising:
- configuring a gateway to restrict access to an internal network;
  
  communicatively coupling an authentication server to the gateway;
  
  configuring an authentication client of a client device to establish a communication channel with the authentication server and to register one or more authentication devices with the authentication server, the authentication devices usable for performing online authentication with the authentication server following registration;
  
  the authentication client to authenticate the user with the authentication server using one or more of the registered authentication devices in response to an attempt to gain access to the internal network via the gateway;
  
  the authentication server to provide the client device with a cryptographic data structure in response to a successful authentication;
  
  the client device to provide the cryptographic data structure to the gateway as proof of the successful authentication; and
  
  the gateway to validate the cryptographic data structure with the authentication server, wherein upon receiving an indication from the authentication server that the cryptographic data structure is valid, the gateway to provide access by the client device to the internal network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The method as in claim 17 wherein a browser is configured on the client device, wherein in response to an attempt by the user to access the internal network via the browser, the gateway provides browser-executable code which, when executed by the browser, triggers the authentication by establishing a communication channel between the authentication server and the authentication client.
  - 19. The method as in claim 18 wherein the cryptographic data structure comprises a ticket.
  - 20. The method as in claim 19 wherein the gateway is configured to provide the browser with an Hypertext Markup Language (HTML) form which includes the browser-executable code, the HTML form having one or more fields for entry of a user name and one or more passwords.
  - 21. The method as in claim 20 wherein the ticket comprises a random string of digits or other form of one time password (OTP) capable of being submitted to the gateway via a field of the HTML form.
  - 22. The method as in claim 17 wherein the authentication server validates the cryptographic data structure provided by the gateway using a key associated with the authentication device used for authentication.
  - 23. The method as in claim 22 wherein the gateway validates the cryptographic data structure with the authentication server using a Remote Authentication Dial In User Service (RADIUS) protocol.
  - 24. The method as in claim 17 wherein the gateway comprises a secure sockets layer (SSL) virtual private network (VPN) gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Wilson, Brendon J., Baghdasaryan, Davit
Primary Examiner(s)
DOAN, TRANG T

Application Number

US14/487,992
Publication Number

US 20170034168A1
Time in Patent Office

1,064 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

System and method for integrating an authentication service within a network architecture

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

System and method for integrating an authentication service within a network architecture

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others