PASSWORD CONSTRAINT ENFORCEMENT USED IN EXTERNAL SITE AUTHENTICATION

US 20160248754A1
Filed: 02/11/2016
Published: 08/25/2016
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for password constraint enforcement used in external site authentication are disclosed. In some embodiments, password constraint enforcement used in external site authentication includes monitoring encrypted network communications between a client and an external site (e.g., a remote server), in which the encrypted network communications are encrypted using a first protocol (e.g., Secure Sockets Layer (SSL) protocol, HTTPS protocol, or another protocol for encrypted network communications); and determining if the client sends a request to create user credentials for an external site authentication. In some embodiments, password constraint enforcement used in external site authentication further includes performing password constraint enforcement used in the external site authentication.

11 Citations

21 Claims

1. (canceled)

2. A system, comprising:
- a processor configured to;
  
  monitor encrypted network communications between a client and an external site;
  
  process the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and
  
  determine whether the request from the client to create user credentials for user authentication on the external site does violates a policy for password constraint enforcement for user authentication on external sites, wherein the policy includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use identical passwords on a plurality of external sites, a rule not to use a user'"'"'s enterprise password on external sites, or any combination thereof; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 3. The system recited in claim 2, wherein the policy includes a username constraint, a password constraint, or both a username constraint and a password constraint.
  - 4. The system recited in claim 2, wherein the request relates to creating a new user account on the external site, the request including a new password associated with the new user account.
  - 5. The system recited in claim 2, wherein the processor is further configured to:
    - perform an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.
  - 6. The system recited in claim 2, wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site; and
      
      send a request to establish the encrypted session on behalf of the client to the external site.
  - 7. The system recited in claim 2, wherein the system is a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site; and
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device.
  - 8. The system recited in claim 2, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; and
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site.
  - 9. The system recited in claim 2, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel; and
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies that include the policy for password constraint enforcement for user authentication on external sites.
  - 10. The system recited in claim 2, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      block the session traffic if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 11. The system recited in claim 2, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      generate an alert if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 12. The system recited in claim 2, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      block the client from accessing the external site if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 13. The system recited in claim 2, wherein the system includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from the client to the external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      send a message to the client if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
  - 14. The system recited in claim 2, wherein the system includes a firewall appliance, wherein the encrypted network communications are encrypted using a first protocol, and wherein the first protocol is a Secure Sockets Layer (SSL) protocol or an HTTPS protocol.
  - 15. The system recited in claim 2, wherein the password complexity constraints for the internal users include a minimum password character length, use of at least one uppercase alphanumeric character, use of at least one number, use of at least one symbol, or any combination thereof.
  - 16. The system recited in claim 2, wherein the password complexity constraints for the internal users creating a new user account on the external site include a minimum password character length, use of at least one uppercase alphanumeric character, use of at least one number, use of at least one symbol, or any combination thereof.
  - 17. The system recited in claim 2, wherein the processor is further configured to:
    - determine that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites; and
      
      perform an action in response to determining that that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites, wherein the action includes blocking client access to the external site, logging a vulnerability, discarding the request to create user credentials, sending a message to the client indicating that the request violates the policy for password constraint enforcement for user authentication on external sites, sending a message to the client indicating at least one compliant password option, or any combination thereof.

18. A method, comprising:
- monitoring encrypted network communications between a client and an external site;
  
  processing the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and
  
  determining whether the request from the client to create user credentials for user authentication on the external site does violates a policy for password constraint enforcement for user authentication on external sites, wherein the policy includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use identical passwords on a plurality of external sites, a rule not to use a user'"'"'s enterprise password on external sites, or any combination thereof.
- View Dependent Claims (19)
- - 19. The method of claim 18, further comprising:
    - performing an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.

20. A computer program product, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- monitoring encrypted network communications between a client and an external site;
  
  processing the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and
  
  determining whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, wherein the policy includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use identical passwords on a plurality of external sites, a rule not to use a user'"'"'s enterprise password on external sites, or any combination thereof.
- View Dependent Claims (21)
- - 21. The computer program product recited in claim 20, further comprising computer instructions for:
    - performing an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Jahr, Jeffrey Stephen

Granted Patent

US 9,590,979 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

PASSWORD CONSTRAINT ENFORCEMENT USED IN EXTERNAL SITE AUTHENTICATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

PASSWORD CONSTRAINT ENFORCEMENT USED IN EXTERNAL SITE AUTHENTICATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links