Nonce generation

US 8,924,721 B2
Filed: 10/06/2009
Issued: 12/30/2014
Est. Priority Date: 09/03/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for an authentication protocol, the method performed by data processing apparatus and comprising:

identifying a host device attempting to connect to a network;

transmitting one or more of a plurality of probes to the host device in a host information collection phase, wherein the plurality of probes includes an agent probe, the agent probe including a query of one or more agents installed on the host device, and the one or more agents are configured to determine a health level of the host device;

generating, by the data processing apparatus, a source value;

hashing, by the data processing apparatus, the source value to generate a nonce;

providing, by the data processing apparatus, the nonce with the query of the one or more agents on the host device;

receiving, in response to the query, reply data and an authentication code, wherein the reply data includes a unique agent identifier of at least one agent installed on the host device, the authentication code comprises a hash of the reply data and the nonce, and the host device is identifiable from the unique agent identifier;

determining that the host device is a managed host device based on the receipt of the unique agent identifier;

ending the host information collection phase prior to receiving a reply to at least one of the plurality of probes of the host device based on determining that the host device is a managed host device;

hashing a combination of at least a portion of the reply data and the nonce to generate a digest;

determining the reply is authentic based at least in part on a determination that the digest matches the authentication code;

receiving, during a user detection preadmission state, a user identifier corresponding to the host device; and

transitioning from the user detection preadmission state to a host detection preadmission state based on identifying that the user identifier is mapped to a user role and identifying that network access control for the role is enabled;

wherein determining that a host device is an unmanaged host device causes the host information collection phase to persist at least until a reply is received or a timeout determined for each of the one or more of the plurality of probes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating a nonce. In one aspect, a method includes generating, by a data processing apparatus, a source value, and hashing, by the data processing apparatus, the source value to generate the nonce.

101 Citations

View as Search Results

19 Claims

1. A method for an authentication protocol, the method performed by data processing apparatus and comprising:
- identifying a host device attempting to connect to a network;
  
  transmitting one or more of a plurality of probes to the host device in a host information collection phase, wherein the plurality of probes includes an agent probe, the agent probe including a query of one or more agents installed on the host device, and the one or more agents are configured to determine a health level of the host device;
  
  generating, by the data processing apparatus, a source value;
  
  hashing, by the data processing apparatus, the source value to generate a nonce;
  
  providing, by the data processing apparatus, the nonce with the query of the one or more agents on the host device;
  
  receiving, in response to the query, reply data and an authentication code, wherein the reply data includes a unique agent identifier of at least one agent installed on the host device, the authentication code comprises a hash of the reply data and the nonce, and the host device is identifiable from the unique agent identifier;
  
  determining that the host device is a managed host device based on the receipt of the unique agent identifier;
  
  ending the host information collection phase prior to receiving a reply to at least one of the plurality of probes of the host device based on determining that the host device is a managed host device;
  
  hashing a combination of at least a portion of the reply data and the nonce to generate a digest;
  
  determining the reply is authentic based at least in part on a determination that the digest matches the authentication code;
  
  receiving, during a user detection preadmission state, a user identifier corresponding to the host device; and
  
  transitioning from the user detection preadmission state to a host detection preadmission state based on identifying that the user identifier is mapped to a user role and identifying that network access control for the role is enabled;
  
  wherein determining that a host device is an unmanaged host device causes the host information collection phase to persist at least until a reply is received or a timeout determined for each of the one or more of the plurality of probes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein generating a source value comprises:
    - selecting a counter value of a counter as the source value; and
      
      incrementing the counter in response to the selection;
      
      wherein counter values of the counter are used for source values for generating nonces.
  - 3. The method of claim 1, wherein generating a source value comprises:
    - selecting a clock value of a system clock of the data processing apparatus as the source value.
  - 4. The method of claim 1, wherein hashing the source value to generate the nonce comprises hashing the source value to generate an 8-byte hash value, the 8-byte hash value being the nonce value.
  - 5. The method of claim 1, wherein hashing the source value to generate the nonce comprises hashing two or more related source values to generate two or more respective hash values and generating the nonce from a concatenation of the two or more respective hash values.
  - 6. The method of claim 1, wherein the response to the query further comprises an indication of the health level of the host device.
  - 7. The method of claim 1, further comprising transitioning the host device to a post admission state based at least in part on determining that the host device is a managed host device.
  - 8. The method of claim 1, further comprising determining whether the unique agent identifier matches a value for the unique agent identifier in a host table record corresponding to the host device, wherein the host table record is one of a plurality of host table records in a host table and each host table record describes attributes of a respective one of a plurality of host devices.

9. A method for an authentication protocol, the method performed by data processing apparatus and comprising:
- identifying a host device attempting to connect to a network;
  
  generating, by the data processing apparatus, a plurality of source values;
  
  hashing, by the data processing apparatus, each of the plurality of source values to generate hash values;
  
  generating, by the data processing apparatus, a nonce from the hash values;
  
  transmitting one or more of a plurality of probes to the host device in a host information collection phase, wherein the plurality of probes includes an agent probe, the agent probe including the nonce and a query of whether agents configured to determine a health level of the host device are installed on the host device;
  
  receiving, in response to the query, reply data and an authentication code, wherein the reply data includes a unique agent identifier of at least one agent installed on the host device, the authentication code comprises a hash of the reply data and the nonce, and the host device is identifiable from the unique agent identifier;
  
  determining that the host device is a managed host device based on the receipt of the unique agent identifier;
  
  ending the host information collection phase prior to receiving a reply to at least one of the plurality of probes of the host device based on determining that the host device is a managed host device;
  
  hashing, by the data processing apparatus, a combination of at least a portion of the reply data and the nonce to generate a digest;
  
  determining, by the data processing apparatus, the reply is authentic based at least in part on a determination that the digest matches the authentication code;
  
  receiving, during a user detection preadmission state, a user identifier corresponding to the host device; and
  
  transitioning from the user detection preadmission state to a host detection preadmission state based on identifying that the user identifier is mapped to a user role and identifying that network access control for the role is enabled;
  
  wherein determining that a host device is an unmanaged host device causes the host information collection phase to persist at least until a reply is received or a timeout determined for each of the one or more of the plurality of probes.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein generating a plurality of source values comprises:
    - selecting a counter value of a counter as a first one of the source values;
      
      incrementing the counter in response to the selection; and
      
      selecting the incremented counter value of the counter as a second one of the source values.
  - 11. The method of claim 10, wherein generating the nonce from the hash values comprises concatenating hash values to form the nonce value.
  - 12. The method of claim 9, wherein generating a plurality of source values comprises:
    - selecting a first clock value of a system clock of the data processing apparatus as a first one of the source values;
      
      incrementing the first clock value to generate a second one of the source values.
  - 13. The method of claim 9, wherein:
    - hashing the source values to generate the nonce comprises hashing each source value to generate a 4-byte hash value; and
      
      generating the nonce from the hash values comprises concatenating the 4-byte hash values to generate the nonce.

14. A non-transitory, computer storage medium encoded with a computer program, the program comprising instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
- identifying a host device attempting to connect to a network;
  
  transmitting a plurality of probes to the host device in host information collection phase, wherein the plurality of probes includes an agent probe, the agent probe including a query of one or more agents installed on the host device configured to determine a health level of the host device;
  
  generating a plurality of source values;
  
  hashing each of the plurality of source values to generate hash values;
  
  generating a nonce from the hash values;
  
  transmitting an agent probe to the host device, the agent probe including the nonce and a query of one or more agents installed on the host device configured to determine a health level of the host device;
  
  receiving reply data and an authentication code, wherein the reply data includes a unique agent identifier of at least one agent installed on the host device, the authentication code comprises a hash of the reply data and the nonce, and the host device is identifiable from the unique agent identifier;
  
  determining that the host device is a managed host device based on the receipt of the unique agent identifier;
  
  ending the host information collection phase prior to receiving a reply to at least one of the plurality of probes of the host device based on determining that the host device is a managed host device;
  
  hashing a combination of at least a portion of the reply data and the nonce to generate a digest;
  
  determining the reply is authentic based at least in part on a determination that the digest matches the authentication code;
  
  receiving, during a user detection preadmission state, a user identifier corresponding to the host device; and
  
  transitioning from the user detection preadmission state to a host detection preadmission state based on identifying that the user identifier is mapped to a user role and identifying that network access control for the role is enabled;
  
  wherein determining that a host device is an unmanaged host device causes the host information collection phase to persist at least until a reply is received or a timeout determined for each of the one or more of the plurality of probes.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer storage medium of claim 14, wherein generating a plurality of source values comprises:
    - selecting a counter value of a counter as a first one of the source values;
      
      incrementing the counter in response to the selection; and
      
      selecting the incremented counter value of the counter as a second one of the source values.
  - 16. The computer storage medium of claim 14, wherein generating the nonce from the hash values comprises concatenating hash values to form the nonce value.
  - 17. The computer storage medium of claim 14, wherein generating a plurality of source values comprises:
    - selecting a first clock value of a system clock of the data processing apparatus as a first one of the source values;
      
      incrementing the first clock value to generate a second one of the source values.
  - 18. The computer storage medium of claim 14, wherein:
    - hashing the source values to generate the nonce comprises hashing each source value to generate a 4-byte hash value; and
      
      generating the nonce from the hash values comprises concatenating the 4-byte hash values to generate the nonce.

19. A non-transitory, computer storage medium encoded with a computer program, the program comprising instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
- identifying a host device attempting to connect to a network;
  
  generating, by the data processing apparatus, a plurality of source values;
  
  hashing, by the data processing apparatus, each of the plurality of source values to generate hash values;
  
  generating, by the data processing apparatus, a nonce from the hash values;
  
  transmitting one or more of a plurality of probes to the host device in a host information collection phase, wherein the plurality of probes includes an agent probe, the agent probe including the nonce and a query of whether agents configured to determine a health level of the host device are installed on the host device;
  
  receiving, in response to the query, reply data and an authentication code, wherein the reply data includes a unique agent identifier of at least one agent installed on the host device, the authentication code comprises a hash of the reply data and the nonce, and the host device is identifiable from the unique agent identifier;
  
  determining that the host device is a managed host device based on the receipt of the unique agent identifier;
  
  ending the host information collection phase prior to receiving a reply to at least one of the plurality of probes of the host device based on determining that the host device is a managed host device;
  
  hashing, by the data processing apparatus, a combination of at least a portion of the reply data and the nonce to generate a digest;
  
  determining, by the data processing apparatus, the reply is authentic based at least in part on a determination that the digest matches the authentication code;
  
  receiving, during a user detection preadmission state, a user identifier corresponding to the host device; and
  
  transitioning from the user detection preadmission state to a host detection preadmission state based on identifying that the user identifier is mapped to a user role and identifying that network access control for the role is enabled;
  
  wherein determining that a host device is an unmanaged host device causes the host information collection phase to persist at least until a reply is received or a timeout determined for each of the one or more of the plurality of probes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Narasimhan, Srinivasan
Primary Examiner(s)
Poltorak, Peter

Application Number

US12/574,090
Publication Number

US 20110055580A1
Time in Patent Office

1,911 Days
Field of Search

None
US Class Current

713/168
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 43/0811   by checking connectivity

Nonce generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Nonce generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links