Method and apparatus for providing security in a star...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S225000, C709S226000, C709S227000, C709S228000, C713S152000

active

06311218

ABSTRACT:

BACKGROUND OF THE INVENTION
The current invention relates to the field of electronic circuits. More particularly, the current invention relates to improvements in networked computer environments and has particular applications to the transmission of information between digital devices over a communications medium. A wide variety of computer systems and networks exist, each having variations in particular implementations. The present invention will be described with reference to particular types of systems for clarity but this should not be taken to limit the invention, and it will be apparent to those of skill in the art that the invention has applications in many different types of computer systems. The invention therefore should not be seen as limited except as specifically herein provided.
Relevant and well-known network background information is discussed in parent application Ser. No. 08/866,818, U.S. Pat. No. 6,021,495 as incorporated above by reference and will not be repeated in detail here. As discussed in that application, network modularity and flexibility have created increased security concerns and a need to require more complete authentication of a user on a node before allowing that node to see or transmit network traffic. The parent application discusses mechanisms of providing increased network security using link-beat detection at a star intermediate system and a variety of authentication schemes that are called whenever an unauthenticated user connects or reconnects to the star device. One aspect of that invention involves a star system requiring a user to supply some type of password to the star system for authentication.
However, in some applications it will be desirable to provide a system wherein a user's password is not transmitted over the network so that the password cannot be captured by a sniffing device. What is needed, therefore, is a user authentication system that does not require that a user password be transmitted on the network but prevents unauthorized equipment or an unauthorized person from connecting to a network and listening-in on network traffic and verifies the identity of a user prior to allowing the user to send or receive data on a network.
SUMMARY OF THE INVENTION
In general terms, the present invention comprises techniques and devices for a computer network with improved security. According to the invention, network intermediate systems (ISs) that are connected in a star or similar topology, such as repeaters or switches, and that provide point-to-point connections to one or more end systems (ESs) are enabled to authenticate a user at the first connection point the user makes with the network. The intermediate systems run an authentication routine every time an ES makes a new connection on a port. According to the invention, an IS will limit the forwarding of packets down its port to an ES, and will limit the forwarding of data from that ES, until the authentication process is complete.
A new connection to a point-to-point port on an IS may be detected by the presence or resumption of a link-beat (sometimes referred to as heart-beat) signal that is maintained at the physical layer on the point-to-point connection whenever there is an active node/ES on a port. Authentication is accomplished at a user level through a challenge/response exchange as described below.
Authentication according to the invention is controlled by a first network intermediate system (star device) to which an end system connects. Some parts of the authentication may be performed locally and, in an alternative embodiment, the star device may communicate with one or more other devices on the network to complete authentication of a new user.
According to a further embodiment of the invention, at power up or when a star device detects a new connection on a port, the star device initiates an authentication routine to reliably verify a user. To do this, a star device, according to one embodiment, may use a directory server existing somewhere on the network to retrieve a certificate or a certification path for the user based on an identification supplied by the user. The certificate or certification path is decoded into a public key for that particular user. The invention uses a modified form of public-key cryptography and a challenge/response scheme to authenticate the user.
In one embodiment, once a public key for a particular user has been decoded, a challenge is generated and is encrypted with the user's public key. The encrypted challenge is then sent to the end system. The user must then supply his private key to decrypt the challenge at the end system and the end system returns the decrypted challenge to the star device. The invention compares the response with the challenge it originally generated and based on the results of the match, authenticates the port.
In an alternative embodiment, a challenge is generated and presented to the user, and the user then encrypts the challenge using his private key and returns the encrypted challenge as a response. A public key for a particular user is then used to decrypt the challenge, either at the star device or the security server. The invention compares the decrypted response with the challenge it originally generated and based on the results of the match, authenticates the port.
In a further embodiment, if the star device is restricted in terms of the computation power it can devote to authentication, a security server performs the computation-intensive cryptography functions. The star device in this case receives the user name from the end system and requests the security server to compute the challenge for the user. The security server gets the user certification path, generates a challenge, encrypts it using the user's public key and sends both the challenge and encrypted challenge to the star device. The star device then sends only the encrypted challenge to the end system for decryption. When the end system responds with the decrypted challenge, the star device compares the returned challenge with the unencrypted original challenge supplied by the security server and allows or disallows network access to the user based on the comparison results. In this embodiment, it is important that the connection between the star device and security server be secure such that an intruder cannot capture the challenge and encrypted challenge. This may be done by having the security server directly coupled or integrated with the star device. Alternatively, messages using message integrity and confidentiality mechanisms, as are known in the art, can be used to ensure that the message from the security server to the star device is generated by the security server.
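As an added illustration, not code from the patent, the following Python sketch models the three parties described above (directory/security server, star device, end system) for the security-server embodiment and for the alternative embodiment in which the end system encrypts the challenge with its private key. The RSA key pairs, the user name "alice", the intruder key and the DIRECTORY lookup are all constructed assumptions; a real deployment would use full-size keys and padding.

```python
"""Toy model of the star-device challenge/response authentication described above.
Keys are tiny constructed RSA values for illustration only."""
import secrets

def make_toy_key(p, q, e=65537):
    """Constructed toy RSA key pair from two small primes (illustration only)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)            # (public key, private key)

ALICE_PUBLIC, ALICE_PRIVATE = make_toy_key(104729, 1299709)
_, INTRUDER_PRIVATE = make_toy_key(61, 53)   # some other key pair, not alice's

# Hypothetical directory server: user id -> public key decoded from the user's certificate.
DIRECTORY = {"alice": ALICE_PUBLIC}

def security_server_issue_challenge(user, challenge=None):
    """Security server: fetch the user's public key, generate a challenge, encrypt it
    with that key and return (challenge, encrypted challenge) to the star device.
    The patent requires this link to be secure, since it carries the plaintext challenge."""
    n, e = DIRECTORY[user]
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 2      # 2 <= challenge < n
    return challenge, pow(challenge, e, n)

def end_system_respond(encrypted_challenge, private_key):
    """End system: the user supplies the private key; the decrypted challenge is the response.
    (Simulated here in-process; in the protocol the private key never leaves the end system.)"""
    n, d = private_key
    return pow(encrypted_challenge, d, n)

def star_device_authenticate(user, private_key, challenge=None):
    """Star device: forward only the encrypted challenge to the end system, compare the
    response with the plaintext challenge, and open the port only on an exact match."""
    expected, encrypted = security_server_issue_challenge(user, challenge)
    response = end_system_respond(encrypted, private_key)
    return response == expected      # True: port authenticated; False: forwarding stays limited

def star_device_authenticate_alt(user, private_key, challenge=None):
    """Alternative embodiment: the end system encrypts the challenge with the private key
    and the star device (or security server) recovers it with the public key."""
    n, e = DIRECTORY[user]
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 2
    response = pow(challenge, private_key[1], private_key[0])   # encrypted at the end system
    return pow(response, e, n) == challenge
```

The intruder case shows the port staying restricted: without the private key matching the certificate, the returned value cannot equal the challenge the security server handed to the star device.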
Specific aspects of the invention will be better understood upon reference to the following detailed description and in conjunction with the drawings.

