System for seamlessly updating service keys with automatic recovery

US 20020146132A1
Filed: 04/05/2002
Published: 10/10/2002
Est. Priority Date: 04/05/2001
Status: Active Grant

First Claim

Patent Images

1. A method for maintaining security in a communication system that provides a service to a client, the method comprising:

receiving an error message with an authenticator in response to an access request.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application servers are programmed such that when an application server changes a compromised service key, the compromised key is saved by the application server until all tickets that may have been issued under the compromised key expire. Whenever the application server receives a ticket from a client issued under the compromised key, it generates an authenticator for an error message using the session key extracted from the ticket and sends the error message with this authenticator to the client. Clients are programmed to be able to receive error messages from application servers that have changed their service keys. Because the error messages include an authenticator generated by the application server using the session key extracted from the compromised ticket, the client is able to rely on the error message. The client is able to automatically request a new ticket from a key distribution center in response to a successful authentication of the error message.

59 Citations

View as Search Results

18 Claims

1. A method for maintaining security in a communication system that provides a service to a client, the method comprising:
- receiving an error message with an authenticator in response to an access request.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The method of claim 1 wherein the acts of receiving, decrypting and generating an authenticator are performed by a Kerberos application server.
  - 4. The method of claim 1 further comprising retaining the compromised service key until all tickets encrypted with the compromised service key have expired.
  - 5. The method of claim 1 further comprising the client receiving the error message with the authenticator from an application server;
    - authenticating the error message; and
      
      requesting a new ticket from a key distribution center, the new ticket for accessing the application server.
  - 6. The method of claim 5 wherein the ticket encrypted with a service key is a Ticket Granting Ticket (TGT) and the application server is a Key Distribution Center (KDC).
  - 7. The method of claim 5 further comprising encrypting the new ticket with a new application server service key.
  - 8. The method of claim 7 further comprising requesting access to the application server using the new ticket encrypted with the new application server service key;
    - and the application server authenticating the access request using the new application server service key.

2. A method for automatically recovering from a service key change in a communication system, the method comprising:
- receiving a ticket from a client, the ticket being encrypted with a service key;
  
  determining that the service key has been compromised;
  
  decrypting the ticket using the compromised service key;
  
  generating an error message; and
  
  generating an authenticator for the error message, the authenticator being keyed with a session key obtained from the ticket.

9. A method for seamlessly updating a compromised service key, the method comprising:
- providing a session key from the a client to an application server, the session key being encrypted by the compromised service key;
  
  using the compromised service key to derive the session key; and
  
  sending an error message from the application server to the client, the error message being accompanied by an authenticator keyed with the session key.
- View Dependent Claims (10, 11, 12, 13, 15, 16)
- - 10. The method of claim 9 further comprising authenticating the error message at the client.
  - 11. The method of claim 9 further comprising automatically requesting a new session key after the error message is received by the client.
  - 12. The method of claim 11 further comprising providing the new session key from the a client to the application server.
  - 13. The method of claim 12 further comprising encrypting the new session key with a new service key.
  - 15. The method of claim 14 wherein the acts of receiving, authenticating, and requesting are performed by a Kerberos client.
  - 16. The method of claim 14 wherein the new ticket is requested from a key distribution center.

14. A method for allowing a client to recover from a change in an application server service key, the method comprising:
- receiving an authenticated error message from an application server;
  
  authenticating the error message; and
  
  in response to a successful authentication of the error message, requesting a new ticket for accessing the application server.

17. A processor readable storage medium, having encoded thereon processor readable program code, such that said processor readable program code is operable to cause a processor to perform a method for allowing a client to recover from a change in an application server service key, the method comprising:
- receiving an authenticated error message from an application server;
  
  authenticating the error message; and
  
  in response to a successful authentication of the error message, requesting a new ticket from a key distribution center for the application server.

18. A processor readable storage medium, having encoded thereon processor readable program code, such that said processor readable program code is operable to cause a processor to perform a method for allowing a client to recover from a change in an application server service key from a compromised service key to a new service key, the method comprising:
- receiving a ticket from a client encrypted with a compromised service key;
  
  decrypting the ticket using the compromised service key; and
  
  sending to the client an authenticator along with an error message, where the authenticator is keyed with a session key from the ticket encrypted with the compromised service key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Medvinsky, Alexander

Granted Patent

US 7,421,083 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

System for seamlessly updating service keys with automatic recovery

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

System for seamlessly updating service keys with automatic recovery

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others