Token-Based Client To Server Authentication Of A Secondary Communication Channel By Way Of Primary Authenticated Communication Channels

US 20100138905A1
Filed: 11/25/2009
Published: 06/03/2010
Est. Priority Date: 11/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method for authentication in a system having a client application, a server application, a resource location, an authenticated primary communication channel between the client application and the resource location, and an authenticated primary communication channel between the server application and the resource location, the method comprising:

creating a secondary communication channel with the server application, submitting a request to the server application for granting access by way of the secondary communication channel,granting access to the client application by way of the secondary communication channel when the authentication has been successful,initiating the generation of an authentication token to be stored at the resource location, the authentication token being accessible to the client application by way of the authenticated primary communication channel between the client application and the resource location,retrieving the authentication token from the resource location by way of the authenticated primary communication channel between the client application and the resource location,returning the authentication token to the server application by way of the secondary communication channel,authenticating the client application by checking that the authentication token returned by the client application to the server application matches the generated authentication token stored at the resource location upon initiation of the server application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to authenticating a secondary communication channel between a client application and a server application when an authenticated primary communication channel has already been established between the client application and a resource application, on which the server application can store a generated authentication token that only privileged users including the client application user can read-access and send back to the server application by way of the secondary communication channel.

48 Citations

View as Search Results

17 Claims

1. A method for authentication in a system having a client application, a server application, a resource location, an authenticated primary communication channel between the client application and the resource location, and an authenticated primary communication channel between the server application and the resource location, the method comprising:
- creating a secondary communication channel with the server application, submitting a request to the server application for granting access by way of the secondary communication channel,granting access to the client application by way of the secondary communication channel when the authentication has been successful,initiating the generation of an authentication token to be stored at the resource location, the authentication token being accessible to the client application by way of the authenticated primary communication channel between the client application and the resource location,retrieving the authentication token from the resource location by way of the authenticated primary communication channel between the client application and the resource location,returning the authentication token to the server application by way of the secondary communication channel,authenticating the client application by checking that the authentication token returned by the client application to the server application matches the generated authentication token stored at the resource location upon initiation of the server application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein the authentication token is only accessible to privileged users including the client application who requested access to the server application.
  - 3. The method according to claim 1, wherein the authentication token stored at the resource location has been generated for a single establishment of the secondary communication channel between the client application and the server application.
  - 4. The method according to claim 1, wherein the generated authentication token is a statistically random bit pattern.
  - 5. The method according to claim 1, wherein the resource location is a file system.
  - 6. The method according to claim 5, wherein the file system is a local file system of at least one of the server application and the client application.
  - 7. The method according to claim 5, wherein at least one of the primary communication channel between the client application and the resource location and the primary communication channel between the server application and the resource location uses the authentication mechanism provided by the operating system services of the file system.
  - 8. The method according to claim 5, wherein the file system is a remote file system for at least one of the client application and the server application, and at least one of the primary communication channel between the client application and the resource location and the primary communication channel between the server application and the resource location, respectively, use the mounting of the remote file system for connection and authentication of at least one of the client application and the server application, respectively.
  - 9. The method according to claim 1, wherein at least one of the primary communication channel between the client application and the resource location and the primary communication channel between the server application and the resource location uses an authenticated network communication protocol.
  - 10. The method according to claim 9, wherein the network communication protocol is secure socket layer (SSL) and the authentication token stored at the resource location is identified by a uniform resource locator (URL).
  - 11. The method according to claim 1, wherein the secondary communication channel has been established before the generated authentication token is stored at the resource location.
  - 12. The method according to claim 1, wherein the primary communication channel between the client application and the resource location and the primary communication channel between the server application and the resource location are encrypted, and the generated authentication token is stored at the resource location before the client application creates the secondary communication channel with the server application.
  - 13. The method according to claim 1, wherein the client application is the client component of a database driver and the server application is the server component of the database driver.
  - 14. The method according to claim 1, wherein the client application is replaced by the server application and vice versa;
    - and the primary communication channel between the client application and the resource location is replaced with the primary communication channel between the server application and the resource location and vice versa.

15. A system for authentication having a client device running a client application, a server device running a server application, a resource location, an authenticated primary communication channel between the client device and the resource location and an authenticated primary communication channel between the server device and the resource location, the system comprising a computer usable medium embodying computer program code, the computer program code comprising instructions executable by a processor and configured for:
- creating a secondary communication channel with the server application,submitting a request to the server application for granting access by way of the secondary communication channel,granting access to the client application by way of the secondary communication channel when the authentication has been successful,initiating the generation of an authentication token to be stored at the resource location, the authentication token being accessible to the client application by way of the authenticated primary communication channel between the client application and the resource location,retrieving the authentication token from the resource location by way of the authenticated primary communication channel between the client application and the resource location,returning the authentication token to the server application by way of the secondary communication channel,authenticating the client application by checking that the authentication token returned by the client application to the server application matches the generated authentication token stored at the resource location upon initiation of the server application.
- View Dependent Claims (16, 17)
- - 16. The system according to claim 15, wherein the client application and the server application are running in the same device.
  - 17. The system according to claim 15, wherein at least one of the server device and the client device further comprises the resource location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kass, Eric

Granted Patent

US 8,332,920 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/18   using different networks or...

Token-Based Client To Server Authentication Of A Secondary Communication Channel By Way Of Primary Authenticated Communication Channels

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Token-Based Client To Server Authentication Of A Secondary Communication Channel By Way Of Primary Authenticated Communication Channels

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links