WikiPatents - Community Patent Review
System and method for policy-based inter-realm authentication within a distributed processing system
United States Patent 5544322
Link to this page: http://www.wikipatents.com/5544322.html
Inventor(s): Cheng; Pau-Chen (Yorktown Heights, NY); Luan; Shyh-Wei (San Jose, CA)
Abstract: A system and method for defining a platform-independent policy framework for authentication of principals to servers in another realm, within a distributed data processing system. The present invention may be implemented on top of the Kerberos protocol, or any trusted third party network authentication protocol with inter-realm authentication mechanisms.

[Drawing from US Patent 5544322: System and method for policy-based inter-realm authentication within a distributed processing system]
Owner/Assignee: International Business Machines Corporation (Armonk, NY)
Publication Date: August 6, 1996
Application Number: 08/239,669
Filing Date: May 9, 1994
US Classification: 709/229; 340/5.8; 709/203; 713/155
Int'l Classification: G06F 013/14; H04L 009/00; H04L 012/22
Examiner: Bowler; Alyssa H.
Assistant Examiner: Rinehart; Mark H.
Attorney/Law Firm: Ludwin; Richard M., Jenkens & Gilchrist, P.C.
USPTO Field of Search: 395/200.02 395/200.06 395/200.12 380/49 380/25 380/23 380/4 364/286.5 340/825.31 340/825.34
References

U.S. References (patent number, inventor, classification, issue date):

5349643  Cox          713/155    Sep 1994
5339403  Parker       711/221    Aug 1994
5276735  Boebert      713/167    Jan 1994
5276901  Howell       707/9      Jan 1994
5276444  McNair       340/5.8    Jan 1994
5272754  Boebert      713/159    Dec 1993
5263157  Janis        707/9      Nov 1993
5261002  Perlman      380/30     Nov 1993
5253295  Saada        713/159    Oct 1993
5249230  Mihm, Jr.    380/249    Sep 1993
5237614  Weiss        713/159    Aug 1993
5237612  Raith        380/247    Aug 1993
5235642  Wobber       -          Aug 1993
5226079  Holloway     713/177    Jul 1993
5224164  Elsner       380/44     Jun 1993
5220604  Gasser       707/9      Jun 1993
5220603  Parker       713/156    Jun 1993
5208858  Vollert      380/43     May 1993
5204961  Barlow       726/1      Apr 1993
5204902  Reeds, III   380/248    Apr 1993
5202921  Herzberg     713/162    Apr 1993
5198806  Lord         726/36     Mar 1993
5191650  Kramer       709/227    Mar 1993
5181238  Medamana     379/93.03  Jan 1993
5175851  Johnson      -          Dec 1992
5173589  Diehl        235/375    Dec 1992
5115466  Presttun     380/257    May 1992
5109483  Baratz       709/227    Apr 1992
5032979  Hecht        726/25     Jul 1991
5001755  Skret        380/46     Mar 1991
4919545  Yu           713/167    Apr 1990
4918653  Johri        726/23     Apr 1990
4755940  Brachtl      705/44     Jul 1988
4725719  Oncken       235/487    Feb 1988
4672572  Alsberg      726/11     Jun 1987
4661658  Matyas       713/185    Apr 1987
4500750  Elander      705/72     Feb 1985
4423287  Zeidler      705/71     Dec 1983
4326098  Bouricius    713/155    Apr 1982
4317957  Sendrow      705/71     Mar 1982
4309569  Merkle       713/177    Jan 1982
5020105  Rosen        705/66     Dec 1969
Claims

What is claimed is:

1. In a distributed computing system wherein individual computers are linked together by a communication network, a method for inter-realm authentication comprising the steps of:

a) requesting, by a client, an application server policy for an application server from a policy server;

b) when a policy reply from the policy server contains an authentication policy of the application server, requesting, by the client, an authentication path to the application server from an authentication routing server;

c) determining, by the authentication routing server, whether the authentication path is compliant with the authentication policy and authentication routing information;

d) when the authentication path is compliant with the authentication policy and the authentication routing information, providing, by the authentication routing server, verification of the authentication path to the client;

e) upon receiving the verification of the authentication path, requesting, by the client, an authentication certificate from an authentication server;

f) providing, by the authentication server, the authentication certificate to the client, wherein the authentication certificate is based on the authentication path;

g) upon receiving the authentication certificate, sending, by the client, a request to the application server, wherein the request includes the authentication certificate; and

h) verifying, by the application server, the client based on the authentication certificate.

2. The method as recited in claim 1 wherein step (b) further comprises the steps of:

determining, by the policy server, whether a policy database contains the authentication policy for the application server; and

when the policy database contains the authentication policy, generating the policy reply to include the authentication policy.

3. The method as recited in claim 2 wherein step (b) further comprises the step of:

generating the policy reply to include a message to address another policy server when the policy database does not include the authentication policy.

4. The method as recited in claim 2 wherein step (b) further comprises the step of:

generating the policy reply to include an error message when the policy database does not include the authentication policy.

5. The method as recited in claim 1 wherein step (d) further comprises the steps of:

when the authentication path is not compliant with the authentication policy and the authentication routing information, providing, by the authentication routing server, an error message or a referral message to another authentication routing server.

6. The method as recited in claim 1 further comprises the steps of:

providing, by the client, a client authentication policy to the authentication routing server; and

determining, by the authentication routing server, whether the authentication path is compliant with the authentication policy, the client authentication policy, and the authentication routing information.
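The flow of claim 1, steps (a) through (h), together with the dependent-claim branches (policy lookup with a referral or error reply, path compliance against routing information and the application server's policy, and the client's own policy from claim 6), as an added Python simulation. This is illustrative code written for this page, not the patent's or IBM's implementation: every realm, principal, key and policy is constructed, and the HMAC-based form of the routing server's path verification, of the certificate, and of the secret key handed to the client with the certificate are assumptions the patent does not specify. The application server's check in step (h) requires both a valid certificate and proof that the client holds the key that goes with it, which is the point the Description makes about a certificate being usable only with knowledge of its key.

```python
"""Toy simulation of the claim 1-6 inter-realm authentication flow (added illustration, not
the patent's code; realms, keys, policies and message formats are constructed assumptions)."""
import hashlib
import hmac


def mac(key, *parts):
    """HMAC-SHA256 over '|'-joined fields (the message layout is an assumption)."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class PolicyServer:
    """Policy database of application-server authentication policies (claims 2-4)."""
    def __init__(self, policies, referral=None):
        self.db, self.referral = policies, referral   # referral: another policy server (claim 3)

    def request_policy(self, app_server):              # claim 1 step (a)
        if app_server in self.db:                      # claim 2
            return {"status": "ok", "policy": self.db[app_server]}
        if self.referral is not None:                  # claim 3
            return {"status": "referral", "policy_server": self.referral}
        return {"status": "error", "reason": "no policy for " + app_server}   # claim 4


class AuthRoutingServer:
    """Checks a proposed realm path against routing info and policies (steps c-d, claims 5-6)."""
    def __init__(self, routing_info, path_key):
        self.routing = routing_info   # set of (realm, realm) cross-registration pairs
        self.path_key = path_key      # key shared with the authentication server (assumption)

    def request_path(self, client_realm, server_realm, path, policy, client_policy=None):
        problems = []
        if path[0] != client_realm or path[-1] != server_realm:
            problems.append("path endpoints do not match the principals' realms")
        for a, b in zip(path, path[1:]):
            if (a, b) not in self.routing:
                problems.append("no cross-realm registration from %s to %s" % (a, b))
        for pol in (policy, client_policy or {}):      # claim 6: the client's policy applies too
            if len(path) - 1 > pol.get("max_hops", len(path)):
                problems.append("path exceeds max_hops=%d" % pol["max_hops"])
            bad = sorted(set(path) & set(pol.get("forbidden_realms", ())))
            if bad:
                problems.append("path crosses forbidden realm(s): " + ",".join(bad))
        if problems:   # claim 5: an error (a referral to another routing server is the alternative)
            return {"status": "error", "reasons": problems}
        return {"status": "verified", "verification": mac(self.path_key, "path", *path)}


class AuthServer:
    """Issues a certificate bound to a verified path, plus the secret key that goes with it (e-f)."""
    def __init__(self, path_key, server_keys):
        self.path_key, self.server_keys = path_key, server_keys   # server_keys: app server -> key

    def request_certificate(self, client, app_server, path, verification):
        if not hmac.compare_digest(verification, mac(self.path_key, "path", *path)):
            return {"status": "error", "reason": "path not verified by the routing server"}
        skey, path_str = self.server_keys[app_server], ">".join(path)
        cert = {"client": client, "server": app_server, "path": path_str,
                "mac": mac(skey, "cert", client, app_server, path_str)}
        # the key tied to the certificate goes only to the client; the application server
        # recomputes it from its own long-term key, so nobody else can use the certificate
        return {"status": "ok", "certificate": cert, "key": mac(skey, "key", cert["mac"])}


class AppServer:
    """Verifies the certificate and the client's proof of knowing the key (step h)."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def verify(self, request):
        cert, body = request["certificate"], request["body"]
        expected = mac(self.key, "cert", cert["client"], cert["server"], cert["path"])
        if cert["server"] != self.name or not hmac.compare_digest(cert["mac"], expected):
            return False
        key = mac(self.key, "key", cert["mac"])
        return hmac.compare_digest(request["proof"], mac(key.encode(), "req", body))


# Constructed deployment: realms X and Z are cross-registered only through Y.
ROUTING = {("X", "Y"), ("Y", "X"), ("Y", "Z"), ("Z", "Y")}
PATH_KEY = b"routing-auth shared key (constructed)"
SERVER_KEYS = {"payroll@Z": b"payroll key (constructed)", "mail@Y": b"mail key (constructed)"}
POLICIES = {"payroll@Z": {"max_hops": 2, "forbidden_realms": ["Q"]}, "mail@Y": {"max_hops": 1}}
POLICY_SRV, ROUTING_SRV = PolicyServer(POLICIES), AuthRoutingServer(ROUTING, PATH_KEY)
AUTH_SRV = AuthServer(PATH_KEY, SERVER_KEYS)
APPS = {name: AppServer(name, key) for name, key in SERVER_KEYS.items()}


def authenticate(client, client_realm, app_server, server_realm, path, body, client_policy=None):
    """Client side of claim 1 steps (a)-(h); returns (outcome, last message seen)."""
    reply = POLICY_SRV.request_policy(app_server)                                          # (a)
    if reply["status"] != "ok":
        return reply["status"], reply
    route = ROUTING_SRV.request_path(client_realm, server_realm, path, reply["policy"],
                                     client_policy)                                       # (b)-(d)
    if route["status"] != "verified":
        return route["status"], route
    issued = AUTH_SRV.request_certificate(client, app_server, path, route["verification"])  # (e)-(f)
    if issued["status"] != "ok":
        return "error", issued
    request = {"certificate": issued["certificate"], "body": body,
               "proof": mac(issued["key"].encode(), "req", body)}                          # (g)
    return ("accepted" if APPS[app_server].verify(request) else "rejected"), request       # (h)


if __name__ == "__main__":
    for path in (["X", "Y", "Z"], ["X", "Z"]):
        print(path, authenticate("alice@X", "X", "payroll@Z", "Z", path, "GET /pay")[0])
```

Running the module takes alice@X to payroll@Z twice: the path X, Y, Z is accepted, while the direct path X, Z is refused by the routing server because no cross-realm registration between X and Z exists in the routing information, so no certificate is ever issued for it. The same code handles the single-realm case of the Description (a one-element path), and a client policy that forbids transit through Y blocks the otherwise valid path, as claim 6 intends.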

7. An inter-realm authentication apparatus for use in a distributed data processing system, the inter-realm authentication apparatus comprises:

an authentication server that includes:

authentication information database for storing authentication routing information of the distributed data processing system;

processing means, operably coupled to the authentication information database, for providing the authentication routing information upon request and for processing certificate requests by clients affiliated with the distributed data processing system;

a policy server that includes:

policy database for storing authentication policies of application servers;

processing means, operably coupled to the policy database, for entering an authentication policy of an application server into the policy database and for processing requests for policy information by the clients; and

an authentication routing server that is operably coupled to the authentication server and the policy server, wherein the authentication routing server, upon an authentication path request from a client to a target application server, determines whether the authentication path is compliant with the authentication routing information and the authentication policy of the target application server.

8. The apparatus of claim 7, wherein the policy server further comprises:

client policy database for storing client determined authentication policies.

9. A computer readable storage medium for storing program instructions that, when read by at least one computer, cause the at least one computer to provide inter-realm authentication, the computer readable storage medium comprises:

first storage means for storing program instructions that cause the at least one computer to receive an application server policy request for an application server from a client;

second storage means for storing program instructions that cause the at least one computer to generate a policy reply, and, when the policy reply contains an authentication policy of the application server, to receive an authentication path request between the application server and the client from the client;

third storage means for storing program instructions that cause the at least one computer to determine whether the authentication path is compliant with the authentication policy and authentication routing information;

fourth storage means for storing program instructions that cause the at least one computer to provide verification of the authentication path to the client when the authentication path is compliant with the authentication policy and the authentication routing information;

fifth storage means for storing program instructions that cause the at least one computer to receive a request from the client, in response to the verification of the authentication path, for an authentication certificate; and

sixth storage means for storing program instructions that cause the at least one computer to provide the authentication certificate to the client, wherein the authentication certificate is based on the authentication path.
Description

TECHNICAL FIELD OF THE INVENTION

This invention relates to data processing networks, and more particularly, to a system and method for providing a network authentication protocol.

BACKGROUND OF THE INVENTION

Large distributed computing systems often partition their computational and administrative resources into autonomous units called realms. An entity with its own identity, called a principal, registers its identity with a realm. Examples of principals are a human user of distributed computing systems, a program running on a computer system, a computer system, or a realm itself.

A principal can provide services to other principals, usually through a program running on a computer system. In this case, the principal is called a server and the principals requesting/receiving services are called clients.

Each realm has a server called an authentication server. Suppose two principals, A and B, both register with realm X, and principal A wishes to authenticate itself (the process of identifying and verifying a principal on the network) to principal B. Principal A can do so by requesting realm X's authentication server to generate a certificate. Along with the certificate, a key is also sent secretly to principal A by the authentication server; knowledge of the key is required to use the certificate correctly. Thus, when principal B is presented with the certificate from principal A, principal B can verify principal A's identity. Realm X's authentication server can generate such a certificate because both principals A and B have registered with realm X, and a realm's authentication server is trusted to certify its registered principals. The Kerberos network authentication protocol, as described in The Kerberos Network Authentication Service (V5), by John Kohl and B. Clifford Neuman, Internet Draft, September 1992, is an example of a protocol carrying out such authentication.

A problem arises when principal B is registered with realm Y and not realm X. In this case, neither realm X's nor realm Y's authentication server can generate a certificate for principal A to authenticate itself to principal B. The following references, which are incorporated by reference herein, all describe prior art attempts to solve this problem: The Kerberos Network Authentication Service (V5), by John Kohl and B. Clifford Neuman, Internet Draft, September 1992; Authentication in Distributed Systems: Theory and Practice, by Butler Lampson, Martin Abadi, Michael Burrows, and Edward Wobber, ACM Trans. on Computer Systems, 10(4), November 1992; On Inter-realm Authentication of Large Distributed Systems, by Virgil D. Gligor, Shyh-Wei Luan and Joseph N. Pato, In Proc. of IEEE Computer Society Symposium on Research in Security and Privacy, May 1992; and Hierarchical Trust Relationship for Inter-Cell Authentication, by Joseph N. Pato, OSF/DC