EP2708004A1 - Method for authentication between a content delivery network service provider and a content owner - Google Patents
Method for authentication between a content delivery network service provider and a content owner
- Publication number
- EP2708004A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- authentication
- content
- end user
- end point
- authentication server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
Definitions
- ISP DNS Resolver: Residential users connect to an ISP. Any request to resolve an address is sent to a DNS resolver maintained by the ISP. The ISP DNS resolver will send the DNS request to one or more DNS servers within the ISP's administrative domain.
- CDI: Content Distribution Internetworking
- Nonce: A pseudo-random number generated in an authentication protocol to ensure that old communication cannot form the basis of replay attacks. Nonces are used in HTTP digest access authentication to calculate the MD5 digest of the password. The nonces are different each time a 401 authentication challenge response is presented.
- Cookie: A cookie refers to the state information that is passed between a server and a client. The state information is stored at the client. Cookies have several applications, among others: remembering information about the user who visited a website, session management, remembering the content of a shopping cart as a user navigates a website, and personalizing preferences.
- the web-server: When a user makes a request for protected content, the web server returns an HTTP 401 error together with "Authorization Required". The web server also returns a dialog box requesting a username and password. Once the client returns the username and password, the server validates the credentials, and if successful, the server gives the client access to the protected content.
- the username is appended with a colon and concatenated with the password.
- the resulting string is encoded with the Base64 algorithm before transmission [6].
- the Base64 encoding, while unreadable to the naked eye, is easy to encode and decode. This makes the basic authentication mechanism a non-secure one.
- a cookie consists of one or more name-value pairs containing bits of information.
- the cookie is sent as an HTTP header by a web server to an end user's web browser and then sent back unchanged by the browser each time it accesses that server.
- a cookie may also be encrypted for security and to protect the privacy of end users [9] [10].
- the content bucket may be defined as supporting either basic or digest authentication.
- the content owner provides the appropriate username and password. So, when an end point gets a request for content that requires basic or digest authentication, the origin server behaves as a web server to authenticate the request.
- the HTTP communication for the authentication occurs between the origin server and the end point that is chosen to serve the end user.
- the end point returns the tuple <username:password> to the origin server with Base64 encoding or with MD5 encryption depending on whether the bucket supports Basic or Digest authentication [4] [6] [7].
- the present invention relates to a method for authentication between a Content Delivery Network service provider and a content owner, comprising: a) establishing a TCP connection between an end point of said CDN service provider and an authentication server of said content owner:
- the method of the invention comprises, in a characteristic manner, maintaining said established TCP connection open between the end point and the authentication server of the content owner and performing subsequent connection authentication requests through said maintained open TCP connection.
- said subsequent authentication requests are performed for different end users, said steps b) to d) being performed for each of said subsequent authentication requests.
- the method of the invention will be denominated as a method for fast authentication, as it provides an authentication process which is faster compared to the prior art proposals.
- the method of the invention comprises using buckets with associated meta-data to indicate said fast authentication support for said content.
- Figure 1 shows how content owners authenticate requests for content when using a CDN according to a conventional authentication method.
- Figure 2 shows how content owners authenticate their requests using the method of the invention, for an embodiment.
- Tracker: The tracker is the key entity that enables intelligence and coordination of the CDN service provider's infrastructure. In order to do this, a tracker (1) maintains detailed information about content at each end point and (2) collects resource usage statistics periodically from each end point. It maintains information such as the number of outbound bytes, the number of inbound bytes, the number of active connections for each bucket, the size of content being served, etc.
- EP-2 sends the requested content to the requesting end user(s) if the authentication succeeds.
- the end point implements all of the request messages defined below.
- the end point returns HTTP code 200 (OK, authorized) and sends the requested object to the end point (here, harrypotter.flv file).
- the end point closes the socket to the end user.
- This token may be created when an end user logs into a content owner's page. Ensure that when a piece of content is requested by an end user, the token is part of the URL request that is sent to the CDN service provider.
- Support to process the request messages received from the CDN service provider.
- the CDN customers have the flexibility to redirect the end users (who are their customers) to newer version of the content based on policies they choose to implement.
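
The fast authentication flow described in the list above (one TCP connection between the end point and the content owner's authentication server, kept open and reused for requests from different end users) can be sketched as follows. This is an added example, not code from the patent: the line protocol, the token values and the names `auth_server`, `EndPoint` and `run_demo` are assumptions, and the connection-per-request baseline is constructed only for contrast.

```python
import socket
import threading

# Constructed token set and line protocol "<token> <path>\n" -> "200|401 <path>\n";
# both are assumptions, the page does not define the request messages.
VALID_TOKENS = {"tok-alice", "tok-bob"}
REQUESTS = [("tok-alice", "/harrypotter.flv"), ("tok-mallory", "/harrypotter.flv"),
            ("tok-bob", "/harrypotter.flv")]  # three different end users

def auth_server(listener, stats):
    """Content owner's authentication server; answers many requests per connection."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:  # listener was closed
            return
        stats["connections"] += 1
        with conn, conn.makefile("r") as reader:
            for line in reader:  # steps c) and d) for each request
                token, _, path = line.strip().partition(" ")
                verdict = "200" if token in VALID_TOKENS else "401"
                conn.sendall(f"{verdict} {path}\n".encode())

class EndPoint:
    """CDN end point holding one TCP connection to the authentication server."""
    def __init__(self, address):
        self.sock = socket.create_connection(address)  # step a)
        self.reader = self.sock.makefile("r")

    def authenticate(self, token, path):
        self.sock.sendall(f"{token} {path}\n".encode())  # step b)
        return self.reader.readline().split()[0] == "200"

    def close(self):
        self.reader.close()
        self.sock.close()

def run_demo(keep_open):
    """Return (per-request results, TCP connections the server accepted)."""
    stats = {"connections": 0}
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=auth_server, args=(listener, stats), daemon=True).start()
    end_point, results = EndPoint(listener.getsockname()), []
    for i, (token, path) in enumerate(REQUESTS):
        results.append(end_point.authenticate(token, path))
        if not keep_open and i < len(REQUESTS) - 1:  # baseline: reconnect each time
            end_point.close()
            end_point = EndPoint(listener.getsockname())
    end_point.close()
    listener.close()
    return results, stats["connections"]
```

`run_demo(True)` authenticates all three requests over a single accepted connection, while `run_demo(False)` produces the same verdicts at the cost of one TCP handshake per request.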
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a method for authentication between a content delivery network service provider and a content owner. The method comprises: a) establishing a TCP connection between an end point of a content delivery network (CDN) service provider and an authentication server of the content owner; b) for content requested by an end user, sending, by the end point over said established TCP connection, an authentication request to the authentication server of the content owner; c) receiving, by the authentication server, the authentication request and performing an authentication thereof for the end user; and d) sending, by the authentication server, a response to the end point, via the TCP connection, indicating whether or not the authentication request has been granted. The method further comprises maintaining the established TCP connection open between the end point and the authentication server of the content owner and performing subsequent connection authentication requests through said maintained open TCP connection.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ES201130759A ES2401900B1 (es) | 2011-05-12 | 2011-05-12 | Method for authentication between a content delivery network service provider and a content owner |
PCT/EP2012/058507 WO2012152813A1 (fr) | 2011-05-12 | 2012-05-09 | Method for authentication between a content delivery network service provider and a content owner |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2708004A1 (fr) | 2014-03-19 |
Family
ID=46147423
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP12722697.5A Withdrawn EP2708004A1 (fr) | 2011-05-12 | 2012-05-09 | Method for authentication between a content delivery network service provider and a content owner |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP2708004A1 (fr) |
AR (1) | AR086341A1 (fr) |
BR (1) | BR112013028995A2 (fr) |
CL (1) | CL2013003222A1 (fr) |
ES (1) | ES2401900B1 (fr) |
WO (1) | WO2012152813A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106411823B (zh) | 2015-07-31 | 2019-07-12 | Huawei Technologies Co., Ltd. | CDN-based access control method and related device |
US11546235B2 (en) | 2016-03-08 | 2023-01-03 | Hewlett Packard Enterprise Development Lp | Action based on advertisement indicator in network packet |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7363361B2 (en) * | 2000-08-18 | 2008-04-22 | Akamai Technologies, Inc. | Secure content delivery system |
CA2405478C (fr) * | 2000-04-07 | 2010-07-06 | Movielink, Llc | System and method for distributing content over a network |
EP1654701A4 (fr) * | 2003-08-06 | 2008-04-23 | Motorola Inc | Method and apparatus for enabling content provider authentication |
US8145908B1 (en) * | 2004-10-29 | 2012-03-27 | Akamai Technologies, Inc. | Web content defacement protection system |
US8453229B2 (en) * | 2006-06-14 | 2013-05-28 | Anamorphic Systems, Inc. | Push type communications system |
-
2011
- 2011-05-12 ES ES201130759A patent/ES2401900B1/es not_active Withdrawn - After Issue
-
2012
- 2012-05-09 EP EP12722697.5A patent/EP2708004A1/fr not_active Withdrawn
- 2012-05-09 WO PCT/EP2012/058507 patent/WO2012152813A1/fr active Application Filing
- 2012-05-09 BR BR112013028995A patent/BR112013028995A2/pt not_active IP Right Cessation
- 2012-05-10 AR ARP120101652A patent/AR086341A1/es not_active Application Discontinuation
-
2013
- 2013-11-11 CL CL2013003222A patent/CL2013003222A1/es unknown
Non-Patent Citations (2)
Title |
---|
None * |
See also references of WO2012152813A1 * |
Also Published As
Publication number | Publication date |
---|---|
ES2401900R1 (es) | 2013-07-30 |
BR112013028995A2 (pt) | 2017-02-07 |
ES2401900A2 (es) | 2013-04-25 |
CL2013003222A1 (es) | 2014-08-01 |
ES2401900B1 (es) | 2014-03-05 |
AR086341A1 (es) | 2013-12-04 |
WO2012152813A1 (fr) | 2012-11-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
TW578417B (en) | Unique on-line provisioning of user terminals allowing user authentication | |
US9380028B2 (en) | Proxy server operation | |
CN1656772B (zh) | Security parameter association for a set of related streaming protocols | |
WO2008033552A2 (fr) | System and method for distributed media dispatching and routing | |
WO2003045036A2 (fr) | Key management protocol and authentication system for a secure internet protocol rights management architecture | |
CN109792433B (zh) | Method and apparatus for binding a device application to a network service | |
US20030217163A1 (en) | Method and system for assessing a right of access to content for a user device | |
US9875371B2 (en) | System and method related to DRM | |
US9553863B2 (en) | Computer implemented method and system for an anonymous communication and computer program thereof | |
US20030059053A1 (en) | Key management interface to multiple and simultaneous protocols | |
US20220337590A1 (en) | Mitigating multiple authentications for a geo-distributed security service using an authentication cache | |
WO2012152813A1 (fr) | Method for authentication between a content delivery network service provider and a content owner | |
EP2605477A1 (fr) | Proxy server operation | |
Jeong et al. | A study on the xml-based single sign-on system supporting mobile and ubiquitous service environments | |
EP2792119B1 (fr) | Proxy server operation | |
Sánchez et al. | An access control system for multimedia content distribution | |
EP2605479A1 (fr) | Network terminal validation | |
EP2605478A1 (fr) | Data retrieval redirection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20131121 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAX | Request for extension of the european patent (deleted) | ||
17Q | First examination report despatched |
Effective date: 20181129 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20190410 |