Method and apparatus for caching credentials in proxy...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

Classification codes: C705S025000, C713S152000

Status: active

Patent number: 06606663

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to the field of wireless data communication systems. In particular, the present invention discloses a method and apparatus for caching, in a proxy server, the credentials that wireless client devices present when accessing protected resources.
BACKGROUND OF THE INVENTION
To enable commercial transactions on the global Internet, the parties communicating with each other must be able to authenticate each other. Specifically, each party in a transaction must be certain that the person at the other end of the transaction is who that party claims to be. One method of authenticating a client system that is attempting to connect to a server system is to require that the client system provide a credential. A credential is the authentication information used to authenticate a user who wants to access a protected resource such as a server.
A typical credential is a userid (user identifier) and password pair. Another common credential is a derived form of the userid and password pair, such as the base-64 encoding of the userid and password pair. Base-64 is an encoding, not encryption: anyone who observes the encoded pair in transit can recover the userid and password, so such a credential is only as confidential as the channel that carries it. In the Internet environment, a base-64 encoded userid and password pair is widely used by World Wide Web servers to authenticate client users before access to the desired server is allowed. Each World Wide Web server communicates using the well-known HTTP protocol [RFC2068] and provides a variety of resources, such as HTML documents. Each resource is identified by a URI or URL [RFC2068].
To protect a group of Internet resources from unauthorized access, those resources are grouped into “realms”. Each realm consists of a set of Internet resources that define a protected space. When a user wants to access any resource within a particular realm, the user must provide a credential that authenticates the user as an entity that is authorized to access resources within the realm.
The HTTP protocol defines a standardized manner for a user agent to submit a credential to an Internet server, known as Basic Authentication. Basic Authentication is defined in the IETF's RFC 2068. In the Basic Authentication scheme, a user agent, also known as the web client or web browser, first requests a protected resource, identified by its URL, without providing any credential in the initial request. The Internet server denies access and sends back a response with status code 401 along with an HTTP header, “WWW-Authenticate:”, that requests a credential for the protected realm. The “WWW-Authenticate:” header carries a challenge that includes a text string identifying the realm the user agent is attempting to access.
The user agent (the web client or web browser) may then prompt the user to enter the credential information (a userid and password). After receiving the credential information, the user agent resubmits the denied request with the required credential in the HTTP “Authorization:” header field. If the credential authenticates the user as an entity that is allowed to access resources within the realm, the Internet server grants access to the protected resource. The user agent may cache the credential so that it automatically attaches the credential to subsequent requests for other resources within the same realm, without further user intervention.
In a wireless environment, the user agent (a thin client or micro browser) runs on a wireless client device such as a cellular phone or a personal digital assistant (PDA) with wireless communication capabilities. In such an environment the user agent has limited processing power and limited memory. Furthermore, the available communication bandwidth is low and its cost is high. Since the Basic Authentication scheme defined in RFC 2068 requires the credential to be passed with every request into a protected realm, it is not efficient for a wireless environment in which the wireless client devices have limited processing power and memory and the wireless infrastructure has limited data communication bandwidth.
SUMMARY OF THE INVENTION
The present invention introduces a proxy server that handles credential caching for a set of wireless client devices that wish to access protected resources on a second network, where the protected resources require credentials. In one embodiment, the proxy server intercepts and caches a wireless client's credential when the credential is first sent from the wireless user agent to a protected server on the Internet. To intercept the credential, the proxy server locates it in the headers of messages from the wireless client devices, the examined credential headers being equivalent to the HTTP “Authorization:” header. Once a credential for a particular realm is found, the proxy server caches it in the memory (short term or long term) of the proxy server. The cached credential is then used for all requests to resources within the same realm. Thus, after sending a first credential for a resource in a particular realm, the wireless user agent does not need to attach the credential to subsequent requests for other resources belonging to the same realm. Because the proxy then holds the credentials of every client it serves, it becomes a trust boundary: the cache must be kept per client so that one client's credential is never presented on behalf of another, and the proxy itself must be protected accordingly.
In an alternate embodiment, when the proxy server needs a credential (for example, because a protected server refused a request), the proxy server sends a special request to the wireless client device asking for a credential for a particular resource. The special request may take the form of a simple preformatted display page, so that a “dumb terminal” wireless client device with no concept of authentication or authorization can still be used to reach protected Internet resources.
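The exchange described above, worked through in Python as an added example that is not part of the patent or of this page: the 401 challenge and “Authorization:” reply of Basic Authentication, the proxy's per-client, per-realm credential cache of the first embodiment, and the preformatted prompt page of the alternate embodiment. The fake origin server, the realm name “WallyWorld”, the user “alice”, the host example.invalid and the subscriber identifiers are all constructed for the example; the wireless client, the proxy and the origin are in-process objects exchanging constructed messages, so nothing touches a network.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed fake origin server: one protected realm, one user (all names assumed).
ORIGIN_REALM = "WallyWorld"
ORIGIN_USERS = {"alice": "s3cret"}
PROTECTED_PREFIX = "/private/"

@dataclass
class Request:
    method: str
    url: str                 # absolute-form URL, as a proxy receives it
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def parse_basic_authorization(value):
    """Decode 'Basic <base64(userid:password)>' into (userid, password), or None."""
    # base64 is encoding, not encryption: whoever sees this header holds the password.
    m = re.fullmatch(r"\s*Basic\s+([A-Za-z0-9+/]+=*)\s*", value or "")
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    userid, _, password = decoded.partition(":")   # the password itself may contain ':'
    return userid, password

def parse_realm(challenge):
    """Return the realm named in a 'Basic realm="..."' WWW-Authenticate value."""
    m = re.search(r'Basic\s+realm="([^"]*)"', challenge or "")
    return m.group(1) if m else None

def split_url(url):
    """Split 'http://host/path' into (host, path)."""
    host, _, path = url.split("://", 1)[-1].partition("/")
    return host, "/" + path

def origin_server(req):
    """Fake origin: everything under PROTECTED_PREFIX is one Basic-auth realm."""
    _, path = split_url(req.url)
    if not path.startswith(PROTECTED_PREFIX):
        return Response(200, body="public " + path)
    creds = parse_basic_authorization(req.headers.get("Authorization"))
    if creds and ORIGIN_USERS.get(creds[0]) == creds[1]:
        return Response(200, body="secret " + path)
    return Response(401, {"WWW-Authenticate": f'Basic realm="{ORIGIN_REALM}"'}, "Unauthorized")

class CredentialCachingProxy:
    """Caches each client's Basic credential per (host, realm) and replays it on 401."""

    def __init__(self, origin, dumb_terminal_mode=False):
        self.origin = origin
        self.dumb_terminal_mode = dumb_terminal_mode
        # Keyed by client as well as host and realm: one subscriber's password is
        # never replayed on behalf of another subscriber, nor sent to another host.
        self.cache = {}      # (client_id, host, realm) -> Authorization header value
        self.pending = {}    # (client_id, host, path) -> realm of the 401 last relayed

    def handle(self, client_id, req):
        host, path = split_url(req.url)
        resp = self.origin(req)              # always forward the request as received
        if resp.status != 401:
            # Cache a client-supplied credential only once the origin has accepted it
            # and only if we know which realm it answers (we relayed that 401 earlier).
            realm = self.pending.pop((client_id, host, path), None)
            if realm is not None and "Authorization" in req.headers:
                self.cache[(client_id, host, realm)] = req.headers["Authorization"]
            return resp
        realm = parse_realm(resp.headers.get("WWW-Authenticate"))
        if realm is None:
            return resp                      # not a Basic challenge: relay untouched
        key = (client_id, host, realm)
        if "Authorization" not in req.headers and key in self.cache:
            retry = Request(req.method, req.url, dict(req.headers, Authorization=self.cache[key]))
            retried = self.origin(retry)     # second round trip stays on the wired side
            if retried.status != 401:
                return retried
            del self.cache[key]              # origin rejected it: stale, stop replaying
        self.pending[(client_id, host, path)] = realm
        if self.dumb_terminal_mode:          # alternate embodiment: simple preformatted prompt
            return Response(200, {"Content-Type": "text/plain"},
                            f"Enter userid and password for realm '{realm}' on {host}")
        return resp                          # relay the origin's 401 to the client

def demo():
    """Walk the exchange from the description; return the status seen at each step."""
    proxy = CredentialCachingProxy(origin_server)
    phone, base = "subscriber-1", "http://example.invalid/private/"
    token = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    return [
        proxy.handle(phone, Request("GET", base + "a")).status,                          # 401 relayed
        proxy.handle(phone, Request("GET", base + "a", {"Authorization": token})).status,  # 200, cached
        proxy.handle(phone, Request("GET", base + "b")).status,                          # 200 from cache
        proxy.handle("subscriber-2", Request("GET", base + "b")).status,                 # 401, not theirs
    ]
```

The proxy forwards every request untouched and only replays a cached credential after the origin has answered 401 with a realm it already holds for that client and host, so the extra round trip falls on the wired side and the wireless link carries the credential exactly once. A credential is cached only after the origin accepts it (a mistyped password is never stored), is evicted the moment the origin rejects it, and is keyed by client so that one subscriber's password is never presented for another; with `dumb_terminal_mode` the client receives a plain prompt page instead of the raw 401 challenge.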
The teachings of the present invention provide several advantages. One of the most important advantages of the present invention is that the present invention reduces the number of bits and bytes that must be transmitted over the low bandwidth and expensive wireless communication infrastructure since a credential does not need to be sent for every request into a protected realm. Furthermore, the present invention reduces the amount of memory used within each wireless client device since the wireless user agent does not have to implement the mechanism for saving the credentials nor does the wireless client device need to reserve memory to store the credentials. The present invention also relieves the wireless client device user from entering the credentials over and over again for accessing protected resources that belong to the same protected realm.


