One time passwords with IPsec and IKE version 1 authentication

US 8,799,649 B2
Filed: 05/13/2010
Issued: 08/05/2014
Est. Priority Date: 05/13/2010
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computing device to establish an IPsec session, the method comprising:

sending a first communication to an authentication service, the first communication containing a one-time-password;

receiving, from a one-time password service, in response to the first commutation a reply comprising an indication that the one-time-password was successfully validated;

sending a second communication to a certificate authority, the second communication containing the indication that the one-time-password was successfully validated by the one-time password service in response to the first communication;

receiving, from the certificate authority, in response to the second communication a certificate, the certificate comprising the indication that the one-time-password successfully validated; and

establishing the IPsec session with the certificate provided by the certificate authority.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system adapted to condition access to a network over an IPsec session to clients providing a proper one-time-password, even though the network access control uses IKEv1, which does not support one-time-passwords. An authentication service receives from a client an access request including the one-time-password, and provides the one-time-password to a service that checks the password. The one-time-password service returns a cookie when the password is successfully validated and the client is properly authenticated. The cookie is passed on to the client computer, which uses the cookie as part of a request for a certificate. A certificate authority generates a certificate if a request for a certificate is received from an authenticated client, which in turn may be used to form the IPsec session for access to the network.

16 Citations

View as Search Results

20 Claims

1. A method of operating a computing device to establish an IPsec session, the method comprising:
- sending a first communication to an authentication service, the first communication containing a one-time-password;
  
  receiving, from a one-time password service, in response to the first commutation a reply comprising an indication that the one-time-password was successfully validated;
  
  sending a second communication to a certificate authority, the second communication containing the indication that the one-time-password was successfully validated by the one-time password service in response to the first communication;
  
  receiving, from the certificate authority, in response to the second communication a certificate, the certificate comprising the indication that the one-time-password successfully validated; and
  
  establishing the IPsec session with the certificate provided by the certificate authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - establishing an IPsec session comprises establishing an IPsec session for remote access to a corporate network.
  - 3. The method of claim 1, wherein:
    - the indication that the one-time-password was successfully validated comprises a cookie in the reply.
  - 4. The method of claim 1, wherein:
    - sending the second communication comprises sending a parameter encrypted with a private key of the computing device.
  - 5. The method of claim 1, further comprising:
    - generating a value in the second communication with a private key of the computing device.
  - 6. The method of claim 1, wherein:
    - sending the first communication comprises sending the first communication addressed to an authentication service; and
      
      sending the second communication comprises sending the second communication addressed to the authentication service.
  - 7. The method of claim 6, wherein:
    - receiving the reply comprises receiving a message containing a cookie generated by a one-time-password service; and
      
      receiving the certificate comprises receiving a certificate generated by a certificate authority.
  - 8. The method of claim 1, wherein:
    - sending the first communication comprises sending the first communication addressed to an authentication gateway; and
      
      sending the second communication comprises sending the second communication addressed to the authentication gateway.

9. A system comprising:
- at least one processor coupled to a network, the at least one processor implementing;
  
  an authentication servicea one-time-password service;
  
  a certificate authority;
  
  wherein;
  
  the authentication service is adapted to receive over the network a first communication from a client, the first communication containing credentials associated with the client and a one-time-password,the authentication service is adapted to validate the credentials associated with the client and convey the one-time-password to the one-time-password service;
  
  the one-time-password service is adapted to validate the one-time-password and return to the authentication service an indication of results of validation of the one-time-password;
  
  the certificate authority is adapted to receive over the network a second communication from the client, the second communication including the indication of results of validation of the one-time-password from the client and to selectively issue a certificate when the results received from the client indicate that the one-time-password was successfully validated by the one-time password service wherein the certificate includes an indication that the one-time password was successfully validated.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the authentication service, the one-time-password service and the certificate authority comprise an authentication gateway.
  - 11. The system of claim 9, wherein:
    - the credentials associated with the client comprise credentials of a user of the client; and
      
      the authentication service is adapted to authenticate the credentials of the user.
  - 12. The system of claim 9, wherein:
    - the system further comprises a corporate network, the corporate network comprising an access control gateway; and
      
      the access control gateway is adapted to selectively form IPsec sessions granting access to the corporate network to client computers having certificates issued by the certificate authority.
  - 13. The system of claim 12, wherein:
    - the corporate network does not support remote access control based on one-time-password authentication.
  - 14. The system of claim 13, wherein the corporate network uses IKEv1 access control.
  - 15. The system of claim 9, wherein:
    - the certificate authority is adapted to perform a public key encryption based authentication of the client; and
      
      the certificate authority selectively issues the certificate when the client successfully authenticates using the public key encryption based authentication and the results indicate that the one-time-password was successfully validated.

16. At least one non-transitory computer-readable storage medium comprising computer-executable instructions that, when executed by a processor of a client computer, perform a method of forming an IPsec session, the method comprising:
- sending a first communication to an authentication service, the first communication containing credentials of a user of the client computer and a one-time-password;
  
  receiving from the authentication service in response to the first commutation a reply comprising an indication that the one-time-password was successfully validated;
  
  sending a second communication to the authentication service, the second communication comprising a request for a certificate from a certificate authority and containing the indication that the one-time password was successfully validated in the first communication;
  
  receiving from the authentication service in response to the second communication the certificate, the certificate comprising an indication that the one-time-password successfully validated; and
  
  establishing the IPsec session with the certificate used in an Internet Key Exchange version 1 (IKEv1) protocol.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The at least one non-transitory computer-readable storage medium of claim 16, wherein the method further comprises formulating at least a portion of the second communication based on an a private key of a private key/public key pair of which the public key is shared with the certification authority.
  - 18. The at least one non-transitory computer-readable storage medium of claim 16, wherein:
    - the indication that the one-time-password was successfully validated comprises receiving a cookie generated by a one-time-password service; and
      
      sending the second communication comprises sending the cookie as part of the second communication.
  - 19. The at least one non-transitory computer-readable storage medium of claim 18, wherein:
    - establishing the IPsec session comprises performing two-factor authentication, with the certificate providing one authentication factor.
  - 20. The at least one non-transitory computer-readable storage medium of claim 16, wherein the method for comprises remotely accessing a corporate network using the IPsec session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Eyal, Anat, Bernstein, Ben, Bar-Anan, Anat, Vered, Nimrod
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US12/779,457
Publication Number

US 20110283103A1
Time in Patent Office

1,545 Days
Field of Search

713/156, 713/155, 713/168, 726/5, 726/10, 370/235
US Class Current

713/156
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 9/321   involving a third party or ...

H04L 9/3228   One-time or temporary data,...

H04L 9/3263   involving certificates, e.g...

One time passwords with IPsec and IKE version 1 authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

One time passwords with IPsec and IKE version 1 authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links