US20190052623A1 - Authenticating Applications to a Network Service - Google Patents

Authenticating Applications to a Network Service Download PDF

Info

Publication number
US20190052623A1
US20190052623A1 US16/161,603 US201816161603A US2019052623A1 US 20190052623 A1 US20190052623 A1 US 20190052623A1 US 201816161603 A US201816161603 A US 201816161603A US 2019052623 A1 US2019052623 A1 US 2019052623A1
Authority
US
United States
Prior art keywords
application
service provider
certificate
key
port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US16/161,603
Inventor
Kaushik Datta
Sankarlingam Dandabany
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Enterprise Development LP
Original Assignee
Hewlett Packard Enterprise Development LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Enterprise Development LP filed Critical Hewlett Packard Enterprise Development LP
Priority to US16/161,603 priority Critical patent/US20190052623A1/en
Publication of US20190052623A1 publication Critical patent/US20190052623A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • Networks are vulnerable to attacks from malicious users.
  • a firewall is incorporated into the network to prevent unwanted users from having access to the network.
  • anti-virus programs are also installed onto network components that actively seek out and inhibit malicious users. Such programs can search for anomalies in the network's activity to find suspicious behavior. Once found, the programs quarantine the source of the anomalous behavior to reduce its influence on the networks' components.
  • FIG. 1 is a diagram of an example of an authentication engine according to the principles described herein.
  • FIG. 2 is a diagram of an example of a method for authenticating applications to access service providers according to the principles described herein.
  • FIG. 3 is a diagram of an example of a method for obtaining a certificate according to the principles described herein.
  • FIG. 4 is a diagram of an example of a method of authenticating the service provider to the application according to the principles described herein.
  • FIG. 5 is a diagram of an example of a method of authorizing a port with the service provider according to the principles described herein.
  • FIG. 6 is a diagram of an example of a method for validating a packet from the application according to the principles described herein.
  • FIG. 7 is a diagram of an example of an authentication system according to the principles described herein.
  • FIG. 8 is a diagram of an example of an authentication system according to the principles described herein.
  • FIG. 9 is a diagram of an example of a flowchart of a process for generating a certificate according to the principles described herein.
  • FIG. 10 is a diagram of an example of a flowchart of a process for authenticating an application to communicate with a service provider according to the principles described herein.
  • a network can authenticate a user before the user can have access to the network when the user inputs a correct password. If the user fails to input the correct password, the user is not authenticated.
  • passwords can be deciphered or stolen leaving networks that rely on password authentication vulnerable to malicious attacks.
  • the principles describe herein include a method for authenticating applications to a network service.
  • Such a method includes authenticating an application with a valid identity certificate to access a service over a logical connection between the application and the service provider and confirming that the application is using an authorized port to access the network service.
  • FIG. 1 is a diagram of an example of an authentication engine ( 100 ) according to the principles described herein.
  • a service provider ( 102 ) is capable of providing at least one service to an application ( 104 ) on a network.
  • the application ( 104 ) may be administered with a controller, a processor, a computing device, a host, a virtual network component, a physical network component, a microprocessor, another device, or combinations thereof.
  • the service provider ( 102 ) may provide a switching service, a computing service, a routing service, storing service, processing service, a compression service, another service, or combinations thereof.
  • the application ( 104 ) is run with an x86 controller sold by the Intel Corporation, which is headquartered in Santa Clara, Calif., USA, and the service provider ( 102 ) is a switch that provides switching services.
  • the service provider ( 102 ) is a switch that provides switching services.
  • other processors are used in accordance with the principles described herein.
  • an application ( 104 ) wants to avail itself of the services provided by the service provider ( 102 ), the application needs a valid identify certificate. If the application ( 104 ) does not have a valid identify certificate, the application ( 104 ) sends a signing request to initiate a pre-authentication process with the service provider ( 102 ). An authentication engine ( 100 ) in within the service provider ( 102 ) sends the application's request to a network administrator ( 108 ) to determine whether the application ( 104 ) should be allowed to access the services of the service provider ( 102 ).
  • the network administrator ( 108 ) may look at just the request from the application ( 104 ). In other examples, the network administrator looks at additional information sent by the application ( 104 ), the service provider ( 102 ), an external source, another source, or combinations thereof to determine whether the application ( 104 ) should be allowed to access the services of the service provider. In a situation where the service provider is a switch or a router, being authorized to access the service provider's services will include receiving access to additional network components behind the router or switch. Thus, the network administrator ( 108 ) will carefully consider whether to allow access.
  • the network administrator ( 108 ) may base his decision on his own determinations, or the network administrator ( 108 ) may base his decision on a decision policy that has established rules for allowing or disallowing an application ( 104 ) from having access to a service provider ( 102 ) and/or to a network.
  • a processing element follows a set of rules from an approval policy to determine whether to approve the application ( 104 ) for access to the service provider ( 102 ).
  • the authentication engine ( 100 ) uses a certificate engine ( 110 ) to sign the identity certificate to send to the application ( 104 ).
  • the identity certificate may include instructions about how the application ( 104 ) can have access to the service provider's services.
  • the service provider ( 102 ) sends the identity certificate to the application ( 104 ), which is stored at the application ( 104 ). In response to receiving a packet, the service provider ( 102 ) determines whether the application ( 104 ) is using the correct port to communicate with the service provider ( 102 ). The certificate may indicate with which port the application ( 104 ) should communicate with the service provider ( 102 ). Regardless of whether the certificate indicates an authorized port ( 112 ) for communication between the application ( 104 ) and the service provider ( 102 ), the service provider ( 102 ) tracks which applications are authorized for communication with the service provider ( 102 ) over which ports in a port authentication table ( 114 ). The port authorization table ( 114 ) tracks each unique application specific identifier assigned to each application ( 104 ) and the corresponding port that each unique application specific identifier is authorized to communicate with the service provider ( 102 ).
  • the application ( 104 ) creates the data connection with the service provider ( 102 ) by sending a packet to a port selected by the application ( 104 ).
  • the service provider ( 102 ) extracts from the packet the unique application specific identifier assigned to the application ( 104 ) when it was issued a certificate.
  • the service provider ( 102 ) consults with the port authorization table ( 114 ) to determine whether the unique application specific identifier from the packet matches the port in which the data connection is currently established.
  • Each packet sent from the application ( 104 ) to the service provider ( 102 ) will contain an embedded key, which the service provider ( 102 ) extracts in response to receiving the packet. If there is no embedded key, the packet is not processed. Further, if the embedded key is invalid, the packet is also not processed. However, if the packet contains a valid, embedded key, the service provider ( 102 ) will process the packet and avail the application ( 104 ) of the service provider's services. Thus, the principles described herein enforce a per packet authorization to protect the service provider.
  • the keys from the certificate become outdated.
  • the service provider ( 102 ) sends the updated keys to the applications ( 104 ). No re-authentication procedure is performed in conjunction with receiving the updated keys.
  • each of the above described procedures adds a layer of security between the application ( 104 ) and the service provider ( 102 ).
  • the service provider ( 102 ) is a switch or a router
  • each of the procedures adds a layer of protection to the network.
  • the service provider ( 102 ) is protected if the administrator denies the application ( 104 ) approval to use the service provider's services.
  • the service provider ( 102 ) is further protected if the application ( 104 ) chooses to not authenticate the service provider ( 102 ), thereby preventing any malicious infection from the application ( 104 ).
  • the service provider ( 102 ) is protected by not processing packets that come into the wrong port due to the port authorization process.
  • each packet is scrutinized to ensure that even if the packet somehow appears to be coming from the application ( 104 ) that the packet is still coming from an authorized source. Also, the embedded keys become outdated over time, so even if an embedded key mimics an earlier version of the embedded key, malicious users can still be identified and stopped before the packets are processed.
  • FIG. 2 is a diagram of an example of a method ( 200 ) for authorizing applications to access service providers according to the principles described herein.
  • the method ( 200 ) includes authenticating ( 202 ) an application with a certificate to access a service provider over a logical connection between the application and the service provider and confirming ( 204 ) that the application is using an authorized port of the service provider.
  • the method may further include confirming that packets sent from the application have a key generated by authentication process.
  • the key will be extracted from the packet before processing in the service provider, where the key is analyzed to determine whether the key is valid. If the key is valid, the packet will be processed, however, if the key is not valid, the packet will not be processed.
  • the key has a time expiration when the service provider generates a new key. Both service provider and application updates these keys periodically.
  • the key is uniform for each application that is authorized to communicate with the service provider.
  • the key is specific to an application, specific to a port, specific to another feature, or combinations thereof.
  • the application sends a request to the service provider, who in turn sends seeks approval of a network administrator. If permission is granted from the network administrator, a certificate signing engine generates a certificate that is sent to the application.
  • Confirming that the application is using an authorized port can include consulting with a port authorization table that tracks which ports can be used by which applications.
  • the certificate indicates which of multiple ports belonging to the service provider that the application is authorized to use.
  • FIG. 3 is a diagram of an example of a method ( 300 ) for obtaining an identity certificate according to the principles described herein.
  • the method ( 300 ) includes obtaining ( 302 ) a certificate signing request from an application over a logical connection, sending ( 304 ) the certificate signing request with other information about the application to a network administrator for approval, generating ( 306 ) the identity certificate for the application, and sending ( 308 ) the identity certificate to the application along with keys for a later authentication process.
  • the service provider is aware of the application, and initiates the authentication process by sending an invitation to begin the process.
  • the application initiates the process.
  • the additional information about the application is included in a packet that also contains the certificate signing request or the additional information is included in a separate packet.
  • FIG. 4 is a diagram of an example of a method ( 400 ) of authenticating the service provider to the application according to the principles described herein.
  • the method ( 400 ) includes sending ( 402 ) an identity certificate to the application and receiving ( 404 ) authentication from the application.
  • FIG. 5 is a diagram of an example of a method ( 500 ) of authenticating a port with the service provider according to the principles described herein.
  • the method ( 500 ) includes obtaining ( 502 ) a certificate from the application through a port, consulting ( 504 ) with an authorization table, and determining ( 506 ) whether the port information matches with the contents of the authorization table.
  • the certificate information sent from the application may be acquired by the application during an earlier pre-authentication process.
  • the service provider consults with a port authorization table to see whether the port through which the application is communicating is the authorized port for communication between the application and the service provider.
  • the service provider tracks the changes to the port authorization table or at least has access to the table stored at a remote location. If the port being used by the application does not match that which is indicated in the port authorization table, the communication fails
  • FIG. 6 is a diagram of an example of a method ( 600 ) for validating a packet from the application according to the principles described herein.
  • the method ( 600 ) includes receiving ( 602 ) a packet from the application, extracting ( 604 ) a key from the packet, and determining ( 606 ) the key is valid.
  • the key may become outdated over time. In such a situation, the service provider or another device will send an updated key to the application to use in future communication with the service provider.
  • the key is a sequence of binary values that are incorporated into a header or body of a packet.
  • FIG. 7 is a diagram of an example of an authentication system ( 700 ) according to the principles described herein.
  • the authentication system ( 700 ) includes a certificate generation engine ( 702 ) at the application side, a certificate signing engine ( 703 ) at the service provider side, an application authentication engine ( 704 ), a port authorization engine ( 706 ), and a packet authorization engine ( 708 ).
  • the authentication system ( 700 ) additionally includes a key updating engine ( 710 ), and a tracking engine ( 712 ).
  • the engines ( 702 , 703 , 704 , 706 , 708 , 710 , 712 ) refer to a combination of hardware and program instructions to perform a designated function.
  • Each of the engines ( 702 , 703 , 704 , 706 , 708 , 710 , 712 ) may include a processor and memory.
  • the program instructions are stored in the memory and cause the processor to execute the designated function of the engine.
  • the certificate generating engine ( 702 ) generates a certificate for the application requesting certificate if the network administrator approves.
  • the certificate signing engine ( 703 ) signs the engine in response to receiving approval from the network administrator.
  • the application authentication engine ( 704 ) authenticates the service provider to the application.
  • the port confirmation engine ( 706 ) ensures that the application is using the correct port to communicate with the service provider.
  • the packet authorization engine ( 708 ) ensures that the packets that appear to be sent from the application are indeed valid packets that were sent from the indicated source.
  • the packet authorization engine ( 708 ) extracts certificate keys issued from the service provider when the certificate was generated or updated at later time by the service provider from the packets sent from the application.
  • a key updating engine ( 710 ) is used to update the certificate keys as the keys become outdated.
  • the key updating engine ( 710 ) generates the updates to the keys and sends the updated keys to the approved applications.
  • a tracking engine ( 712 ) tracks the identifiers of each approved application and their authorized ports for communicating with the service provider.
  • the tracking engine ( 712 ) may use a port authorization table to track the ports and identifiers.
  • FIG. 8 is a diagram of an example of an authorization system ( 800 ) according to the principles described herein.
  • the authorization system ( 800 ) includes processing resources ( 802 ) that are in communication with memory resources ( 804 ).
  • Processing resources ( 802 ) include at least one processor and other resources used to process programmed instructions.
  • the memory resources ( 804 ) represent generally any memory capable of storing data such as programmed instructions or data structures used by the authorization system ( 800 ).
  • the programmed instructions shown stored in the memory resources ( 804 ) include a certificate request receiver ( 806 ), an application approver ( 808 ), a certificate generator ( 810 ), a service provider authenticator ( 814 ), a port authorization table consulter ( 818 ), a port authorizer ( 820 ), a key extractor ( 822 ), a key validator ( 824 ), and a key updater ( 826 ).
  • the data structures shown stored in the memory resources ( 804 ) include a port authorization table ( 816 ).
  • the memory resources ( 804 ) include a computer readable storage medium that contains computer readable program code to cause tasks to be executed by the processing resources ( 802 ).
  • the computer readable storage medium may be tangible and/or non-transitory storage medium.
  • the computer readable storage medium may be any appropriate storage medium that is not a transmission storage medium.
  • a non-exhaustive list of computer readable storage medium types includes non-volatile memory, volatile memory, random access memory, memristor based memory, write only memory, flash memory, electrically erasable program read only memory, or types of memory, or combinations thereof.
  • the certificate request receiver ( 806 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to receive requests for certificates to use the services of the service provider.
  • the application approver ( 808 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to approve the application to receive a certificate.
  • the certificate may be specific to the application or to the type of application. In other examples, the certificate is a general certificate common to all applications that are approved by the application approver ( 808 ).
  • the application approver ( 808 ) relies on input from a human source, such as a network administrator, to approve the application. In other examples, the application approver ( 808 ) follows a set of rules from an approval policy.
  • the certificate generator ( 810 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to generator a certificate for the application in response to approval from the application approver ( 808 ).
  • the service provider ( 814 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to authenticate the service provider to the application in response to receiving a certificate from service provider.
  • the port authorization table consulter ( 818 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to consults with the port authorization table ( 816 ) to determine whether the port that the application is using is the authorized port for the application to use with the service provider.
  • the port authorizer ( 820 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to authorize the port used by the application if the port matches what the port authorization table indicates is the correct port.
  • the key extractor ( 822 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to extract a key from packets that are sent to the service provider from the application.
  • the key validator ( 824 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to validate the key extracted from the packet if the key is a valid key.
  • the key updater ( 816 ) represents programmed instructions that, when executed, cause the processing resources ( 802 ) to update the key if the key becomes outdated by sending the updated version of the key to the application.
  • the memory resources ( 804 ) may be part of an installation package.
  • the programmed instructions of the memory resources ( 804 ) may be downloaded from the installation package's source, such as a portable medium, a server, a remote network location, another location, or combinations thereof.
  • Portable memory media that are compatible with the principles described herein include DVDs, CDs, flash memory, portable disks, magnetic disks, optical disks, other forms of portable memory, or combinations thereof.
  • the program instructions are already installed.
  • the memory resources can include integrated memory such as a hard drive, a solid state hard drive, or the like.
  • the processing resources ( 802 ) and the memory resources ( 804 ) are located within the same physical component, such as a server, or a network component.
  • the memory resources ( 804 ) may be part of the physical component's main memory, caches, registers, non-volatile memory, or elsewhere in the physical component's memory hierarchy.
  • the memory resources ( 804 ) may be in communication with the processing resources ( 802 ) over a network.
  • the data structures, such as the libraries may be accessed from a remote location over a network connection while the programmed instructions are located locally.
  • the authorization system ( 800 ) may be implemented on a user device, on a server, on a collection of servers, or combinations thereof.
  • the authentication system ( 800 ) of FIG. 8 may be part of a general purpose computer. However, in alternative examples, the authentication system ( 800 ) is part of an application specific integrated circuit.
  • FIG. 9 is a diagram of an example of a flowchart of a process for generating a certificate according to the principles described herein.
  • the process includes receiving ( 902 ) a certificate signing request from an application for a certificate and sending ( 904 ) the request to a network administrator for approval.
  • the process includes determining ( 906 ) whether the network administrator grants approval. If not, the process ends ( 908 ).
  • an identity certificate is signed ( 910 ) and the signed identity certificate is sent ( 912 ) to the application.
  • the application stores the certificate
  • FIG. 10 is a diagram of an example of a flowchart ( 1000 ) of a process for authenticating an application to communicate with a service provider according to the principles described herein.
  • the process includes receiving ( 1002 ) a request from the application at a first port of the service provider.
  • the service provider consults ( 1004 ) with an authorization table and determines ( 1006 ) whether the first port is an authorized for the application to use. If the first port is not authorized for the application to use, the request fails ( 1008 ). If the application is authorized to use the first port, then the process includes authenticating ( 1010 ) the data connection between the service provider and the application.
  • the process also includes the service provider receiving ( 1012 ) another packet from the application.
  • a key embedded in the packet is extracted ( 1014 ), and the process includes determining ( 1016 ) whether the key is valid. If the key is not valid, the packet is not authorized ( 1018 ) for processing. If the key is valid, the packet is authorized ( 1020 ) for processing.
  • any appropriate network, network component, service provider, and application may be used in accordance with the principles described herein.
  • the application and the service provider may communicate with each other directly or indirectly through other network components.
  • the network may be a wireless network, and the application and the service provider may communicate with each other over a wireless access point.
  • the logical connection between the application and the service provider is encrypted.
  • any protocol, type of logical connection, or sequence of exchanges may be used in accordance with the principles contained herein.
  • any appropriate mechanism for approving an application may be used in accordance with the principles described herein.
  • any appropriate mechanism for authenticating the service provider may be used. While the examples above have been described with specific reference to mechanisms for approving ports and packets, any appropriate mechanism for approving ports and/or packets may be used in accordance with the principles described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Authenticating applications to a network service includes authenticating an application with a certificate to access a service provider over a logical connection between the application and the service provider and confirming that the application is using an authorized port of the service provider.

Description

    BACKGROUND
  • Networks are vulnerable to attacks from malicious users. To reduce or prevent unwanted users from harming a network, a firewall is incorporated into the network to prevent unwanted users from having access to the network. Further, anti-virus programs are also installed onto network components that actively seek out and inhibit malicious users. Such programs can search for anomalies in the network's activity to find suspicious behavior. Once found, the programs quarantine the source of the anomalous behavior to reduce its influence on the networks' components.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying drawings illustrate various examples of the principles described herein and are a part of the specification. The illustrated examples are merely examples and do not limit the scope of the claims.
  • FIG. 1 is a diagram of an example of an authentication engine according to the principles described herein.
  • FIG. 2 is a diagram of an example of a method for authenticating applications to access service providers according to the principles described herein.
  • FIG. 3 is a diagram of an example of a method for obtaining a certificate according to the principles described herein.
  • FIG. 4 is a diagram of an example of a method of authenticating the service provider to the application according to the principles described herein.
  • FIG. 5 is a diagram of an example of a method of authorizing a port with the service provider according to the principles described herein.
  • FIG. 6 is a diagram of an example of a method for validating a packet from the application according to the principles described herein.
  • FIG. 7 is a diagram of an example of an authentication system according to the principles described herein.
  • FIG. 8 is a diagram of an example of an authentication system according to the principles described herein.
  • FIG. 9 is a diagram of an example of a flowchart of a process for generating a certificate according to the principles described herein.
  • FIG. 10 is a diagram of an example of a flowchart of a process for authenticating an application to communicate with a service provider according to the principles described herein.
    •  DETAILED DESCRIPTION
  • Despite the use of firewalls and anti-virus programs, network security is still a significant issue for network operators. A network can authenticate a user before the user can have access to the network when the user inputs a correct password. If the user fails to input the correct password, the user is not authenticated. However, passwords can be deciphered or stolen leaving networks that rely on password authentication vulnerable to malicious attacks.
  • The principles describe herein include a method for authenticating applications to a network service. Such a method includes authenticating an application with a valid identity certificate to access a service over a logical connection between the application and the service provider and confirming that the application is using an authorized port to access the network service.
  • In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present systems and methods. It will be apparent, however, to one skilled in the art that the present apparatus, systems, and methods may be practiced without these specific details. Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described is included in at least that one example, but not necessarily in other examples.
  • FIG. 1 is a diagram of an example of an authentication engine (100) according to the principles described herein. In this example, a service provider (102) is capable of providing at least one service to an application (104) on a network. The application (104) may be administered with a controller, a processor, a computing device, a host, a virtual network component, a physical network component, a microprocessor, another device, or combinations thereof. The service provider (102) may provide a switching service, a computing service, a routing service, storing service, processing service, a compression service, another service, or combinations thereof. In some examples, the application (104) is run with an x86 controller sold by the Intel Corporation, which is headquartered in Santa Clara, Calif., USA, and the service provider (102) is a switch that provides switching services. In other examples, other processors are used in accordance with the principles described herein.
  • If an application (104) wants to avail itself of the services provided by the service provider (102), the application needs a valid identify certificate. If the application (104) does not have a valid identify certificate, the application (104) sends a signing request to initiate a pre-authentication process with the service provider (102). An authentication engine (100) in within the service provider (102) sends the application's request to a network administrator (108) to determine whether the application (104) should be allowed to access the services of the service provider (102).
  • The network administrator (108) may look at just the request from the application (104). In other examples, the network administrator looks at additional information sent by the application (104), the service provider (102), an external source, another source, or combinations thereof to determine whether the application (104) should be allowed to access the services of the service provider. In a situation where the service provider is a switch or a router, being authorized to access the service provider's services will include receiving access to additional network components behind the router or switch. Thus, the network administrator (108) will carefully consider whether to allow access. The network administrator (108) may base his decision on his own determinations, or the network administrator (108) may base his decision on a decision policy that has established rules for allowing or disallowing an application (104) from having access to a service provider (102) and/or to a network. In other examples, a processing element follows a set of rules from an approval policy to determine whether to approve the application (104) for access to the service provider (102).
  • If the network administrator (108) denies certificate signing request, the application (104) will not have access to the service provider (102) and/or the network. On the other hand, if the network administrator (108) grants permission to allow the application (104) to have access, the authentication engine (100) uses a certificate engine (110) to sign the identity certificate to send to the application (104). The identity certificate may include instructions about how the application (104) can have access to the service provider's services.
  • The service provider (102) sends the identity certificate to the application (104), which is stored at the application (104). In response to receiving a packet, the service provider (102) determines whether the application (104) is using the correct port to communicate with the service provider (102). The certificate may indicate with which port the application (104) should communicate with the service provider (102). Regardless of whether the certificate indicates an authorized port (112) for communication between the application (104) and the service provider (102), the service provider (102) tracks which applications are authorized for communication with the service provider (102) over which ports in a port authentication table (114). The port authorization table (114) tracks each unique application specific identifier assigned to each application (104) and the corresponding port that each unique application specific identifier is authorized to communicate with the service provider (102).
  • The application (104) creates the data connection with the service provider (102) by sending a packet to a port selected by the application (104). In response to receiving the packet, the service provider (102) extracts from the packet the unique application specific identifier assigned to the application (104) when it was issued a certificate. The service provider (102) consults with the port authorization table (114) to determine whether the unique application specific identifier from the packet matches the port in which the data connection is currently established.
  • If the application is using incorrect port, the communication will fail. On the other hand, if the application (104) is using the authorized port (112), then the data connection between the application (104) and the service provider (102) is completed. At this stage, a data connection is completed between the application (104) and the service provider (102
  • Each packet sent from the application (104) to the service provider (102) will contain an embedded key, which the service provider (102) extracts in response to receiving the packet. If there is no embedded key, the packet is not processed. Further, if the embedded key is invalid, the packet is also not processed. However, if the packet contains a valid, embedded key, the service provider (102) will process the packet and avail the application (104) of the service provider's services. Thus, the principles described herein enforce a per packet authorization to protect the service provider.
  • In some examples, the keys from the certificate become outdated. In such examples, the service provider (102) sends the updated keys to the applications (104). No re-authentication procedure is performed in conjunction with receiving the updated keys.
  • Each of the above described procedures adds a layer of security between the application (104) and the service provider (102). For those examples where the service provider (102) is a switch or a router, each of the procedures adds a layer of protection to the network. For example, the service provider (102) is protected if the administrator denies the application (104) approval to use the service provider's services. Further, the service provider (102) is further protected if the application (104) chooses to not authenticate the service provider (102), thereby preventing any malicious infection from the application (104). Also, the service provider (102) is protected by not processing packets that come into the wrong port due to the port authorization process. Additionally, each packet is scrutinized to ensure that even if the packet somehow appears to be coming from the application (104) that the packet is still coming from an authorized source. Also, the embedded keys become outdated over time, so even if an embedded key mimics an earlier version of the embedded key, malicious users can still be identified and stopped before the packets are processed.
  • To add an additional layer of protection, all of the communications between the application (104) and the service provider (102) occur over encrypted connections. The encrypted connections even apply while the data connection between the application (104) and the service provider (102) are still in a provisional state during the authorization process. Such a security model for data transmission can be used with any appropriate network service infrastructure, including cloud based network service infrastructure, other network service infrastructure, or combinations thereof.
  • FIG. 2 is a diagram of an example of a method (200) for authorizing applications to access service providers according to the principles described herein. In this example, the method (200) includes authenticating (202) an application with a certificate to access a service provider over a logical connection between the application and the service provider and confirming (204) that the application is using an authorized port of the service provider.
  • The method may further include confirming that packets sent from the application have a key generated by authentication process. The key will be extracted from the packet before processing in the service provider, where the key is analyzed to determine whether the key is valid. If the key is valid, the packet will be processed, however, if the key is not valid, the packet will not be processed. In some examples, the key has a time expiration when the service provider generates a new key. Both service provider and application updates these keys periodically. In some examples, the key is uniform for each application that is authorized to communicate with the service provider. In other examples, the key is specific to an application, specific to a port, specific to another feature, or combinations thereof.
  • To receive a certificate the application sends a request to the service provider, who in turn sends seeks approval of a network administrator. If permission is granted from the network administrator, a certificate signing engine generates a certificate that is sent to the application.
  • Confirming that the application is using an authorized port can include consulting with a port authorization table that tracks which ports can be used by which applications. In some examples, the certificate indicates which of multiple ports belonging to the service provider that the application is authorized to use.
  • FIG. 3 is a diagram of an example of a method (300) for obtaining an identity certificate according to the principles described herein. In this example, the method (300) includes obtaining (302) a certificate signing request from an application over a logical connection, sending (304) the certificate signing request with other information about the application to a network administrator for approval, generating (306) the identity certificate for the application, and sending (308) the identity certificate to the application along with keys for a later authentication process.
  • In some examples, the service provider is aware of the application, and initiates the authentication process by sending an invitation to begin the process. In other examples, the application initiates the process. The additional information about the application is included in a packet that also contains the certificate signing request or the additional information is included in a separate packet.
  • FIG. 4 is a diagram of an example of a method (400) of authenticating the service provider to the application according to the principles described herein. In this example, the method (400) includes sending (402) an identity certificate to the application and receiving (404) authentication from the application.
  • FIG. 5 is a diagram of an example of a method (500) of authenticating a port with the service provider according to the principles described herein. In this example, the method (500) includes obtaining (502) a certificate from the application through a port, consulting (504) with an authorization table, and determining (506) whether the port information matches with the contents of the authorization table.
  • The certificate information sent from the application may be acquired by the application during an earlier pre-authentication process. The service provider consults with a port authorization table to see whether the port through which the application is communicating is the authorized port for communication between the application and the service provider. The service provider tracks the changes to the port authorization table or at least has access to the table stored at a remote location. If the port being used by the application does not match that which is indicated in the port authorization table, the communication fails
  • FIG. 6 is a diagram of an example of a method (600) for validating a packet from the application according to the principles described herein. In this example, the method (600) includes receiving (602) a packet from the application, extracting (604) a key from the packet, and determining (606) the key is valid.
  • The key may become outdated over time. In such a situation, the service provider or another device will send an updated key to the application to use in future communication with the service provider. The key is a sequence of binary values that are incorporated into a header or body of a packet.
  • FIG. 7 is a diagram of an example of an authentication system (700) according to the principles described herein. The authentication system (700) includes a certificate generation engine (702) at the application side, a certificate signing engine (703) at the service provider side, an application authentication engine (704), a port authorization engine (706), and a packet authorization engine (708). In some examples, the authentication system (700) additionally includes a key updating engine (710), and a tracking engine (712). The engines (702, 703, 704, 706, 708, 710, 712) refer to a combination of hardware and program instructions to perform a designated function. Each of the engines (702, 703, 704, 706, 708, 710, 712) may include a processor and memory. The program instructions are stored in the memory and cause the processor to execute the designated function of the engine.
  • The certificate generating engine (702) generates a certificate for the application requesting certificate if the network administrator approves. The certificate signing engine (703) signs the engine in response to receiving approval from the network administrator. The application authentication engine (704) authenticates the service provider to the application. The port confirmation engine (706) ensures that the application is using the correct port to communicate with the service provider. Also, the packet authorization engine (708) ensures that the packets that appear to be sent from the application are indeed valid packets that were sent from the indicated source. The packet authorization engine (708) extracts certificate keys issued from the service provider when the certificate was generated or updated at later time by the service provider from the packets sent from the application.
  • Also, a key updating engine (710) is used to update the certificate keys as the keys become outdated. The key updating engine (710) generates the updates to the keys and sends the updated keys to the approved applications. Further, a tracking engine (712) tracks the identifiers of each approved application and their authorized ports for communicating with the service provider. The tracking engine (712) may use a port authorization table to track the ports and identifiers.
  • FIG. 8 is a diagram of an example of an authorization system (800) according to the principles described herein. In this example, the authorization system (800) includes processing resources (802) that are in communication with memory resources (804). Processing resources (802) include at least one processor and other resources used to process programmed instructions. The memory resources (804) represent generally any memory capable of storing data such as programmed instructions or data structures used by the authorization system (800). The programmed instructions shown stored in the memory resources (804) include a certificate request receiver (806), an application approver (808), a certificate generator (810), a service provider authenticator (814), a port authorization table consulter (818), a port authorizer (820), a key extractor (822), a key validator (824), and a key updater (826). The data structures shown stored in the memory resources (804) include a port authorization table (816).
  • The memory resources (804) include a computer readable storage medium that contains computer readable program code to cause tasks to be executed by the processing resources (802). The computer readable storage medium may be tangible and/or non-transitory storage medium. The computer readable storage medium may be any appropriate storage medium that is not a transmission storage medium. A non-exhaustive list of computer readable storage medium types includes non-volatile memory, volatile memory, random access memory, memristor based memory, write only memory, flash memory, electrically erasable program read only memory, or types of memory, or combinations thereof.
  • The certificate request receiver (806) represents programmed instructions that, when executed, cause the processing resources (802) to receive requests for certificates to use the services of the service provider. The application approver (808) represents programmed instructions that, when executed, cause the processing resources (802) to approve the application to receive a certificate. The certificate may be specific to the application or to the type of application. In other examples, the certificate is a general certificate common to all applications that are approved by the application approver (808). In some examples, the application approver (808) relies on input from a human source, such as a network administrator, to approve the application. In other examples, the application approver (808) follows a set of rules from an approval policy.
  • The certificate generator (810) represents programmed instructions that, when executed, cause the processing resources (802) to generator a certificate for the application in response to approval from the application approver (808). The service provider (814) represents programmed instructions that, when executed, cause the processing resources (802) to authenticate the service provider to the application in response to receiving a certificate from service provider.
  • The port authorization table consulter (818) represents programmed instructions that, when executed, cause the processing resources (802) to consults with the port authorization table (816) to determine whether the port that the application is using is the authorized port for the application to use with the service provider. The port authorizer (820) represents programmed instructions that, when executed, cause the processing resources (802) to authorize the port used by the application if the port matches what the port authorization table indicates is the correct port.
  • The key extractor (822) represents programmed instructions that, when executed, cause the processing resources (802) to extract a key from packets that are sent to the service provider from the application. The key validator (824) represents programmed instructions that, when executed, cause the processing resources (802) to validate the key extracted from the packet if the key is a valid key. The key updater (816) represents programmed instructions that, when executed, cause the processing resources (802) to update the key if the key becomes outdated by sending the updated version of the key to the application.
  • Further, the memory resources (804) may be part of an installation package. In response to installing the installation package, the programmed instructions of the memory resources (804) may be downloaded from the installation package's source, such as a portable medium, a server, a remote network location, another location, or combinations thereof. Portable memory media that are compatible with the principles described herein include DVDs, CDs, flash memory, portable disks, magnetic disks, optical disks, other forms of portable memory, or combinations thereof. In other examples, the program instructions are already installed. Here, the memory resources can include integrated memory such as a hard drive, a solid state hard drive, or the like.
  • In some examples, the processing resources (802) and the memory resources (804) are located within the same physical component, such as a server, or a network component. The memory resources (804) may be part of the physical component's main memory, caches, registers, non-volatile memory, or elsewhere in the physical component's memory hierarchy. Alternatively, the memory resources (804) may be in communication with the processing resources (802) over a network. Further, the data structures, such as the libraries and may be accessed from a remote location over a network connection while the programmed instructions are located locally. Thus, the authorization system (800) may be implemented on a user device, on a server, on a collection of servers, or combinations thereof.
  • The authentication system (800) of FIG. 8 may be part of a general purpose computer. However, in alternative examples, the authentication system (800) is part of an application specific integrated circuit.
  • FIG. 9 is a diagram of an example of a flowchart of a process for generating a certificate according to the principles described herein. In this example, the process includes receiving (902) a certificate signing request from an application for a certificate and sending (904) the request to a network administrator for approval. The process includes determining (906) whether the network administrator grants approval. If not, the process ends (908).
  • If the network administrator approves, an identity certificate is signed (910) and the signed identity certificate is sent (912) to the application. In response to receiving the certificate, the application stores the certificate
  • FIG. 10 is a diagram of an example of a flowchart (1000) of a process for authenticating an application to communicate with a service provider according to the principles described herein. In this example the process includes receiving (1002) a request from the application at a first port of the service provider. The service provider consults (1004) with an authorization table and determines (1006) whether the first port is an authorized for the application to use. If the first port is not authorized for the application to use, the request fails (1008). If the application is authorized to use the first port, then the process includes authenticating (1010) the data connection between the service provider and the application.
  • The process also includes the service provider receiving (1012) another packet from the application. A key embedded in the packet is extracted (1014), and the process includes determining (1016) whether the key is valid. If the key is not valid, the packet is not authorized (1018) for processing. If the key is valid, the packet is authorized (1020) for processing.
  • While the examples above have been described with reference to specific networks, network components, service providers, and applications, any appropriate network, network component, service provider, and application may be used in accordance with the principles described herein. The application and the service provider may communicate with each other directly or indirectly through other network components. Further, the network may be a wireless network, and the application and the service provider may communicate with each other over a wireless access point. To ensure security during the authorization process, the logical connection between the application and the service provider is encrypted.
  • Further, while the examples above have been described with reference to specific protocols, types of logical connections, and sequences of exchanges between the application and the service provider, any protocol, type of logical connection, or sequence of exchanges may be used in accordance with the principles contained herein. Also, while the examples above have been described with reference to specific mechanisms for approving an application to receive a certificate, any appropriate mechanism for approving an application may be used in accordance with the principles described herein. Further, while the examples above have been described with reference to specific ways to authenticate the service provider, any appropriate mechanism for authenticating the service provider may be used. While the examples above have been described with specific reference to mechanisms for approving ports and packets, any appropriate mechanism for approving ports and/or packets may be used in accordance with the principles described herein.
  • The preceding description has been presented only to illustrate and describe examples of the principles described. This description is not intended to be exhaustive or to limit these principles to any precise form disclosed. Many modifications and variations are possible in light of the above teaching.

Claims (15)

What is claimed is:
1. A method, comprising:
authenticating an application with a certificate to access a service provider over a logical connection between said application and said service provider; and
confirming that said application is using an authorized port of said service provider.
2. The method of claim 1, further comprising confirming that packets sent from said application comprise a key from said service provider.
3. The method of claim 2, wherein said key has a time expiration.
4. The method of claim 2, further comprising sending to said application updated key information in response to said key becoming outdated.
5. The method of claim 1, further comprising receiving a request from said application to obtain said certificate from said service provider.
6. The method of claim 5, further comprising generating said certificate for said application in response to gaining approval from said network administrator.
7. The method of claim 1, wherein said application is authorized to use a subset of ports belonging to said service provider.
8. The method of claim 1, wherein said logical connection is encrypted.
9. The method of claim 1, further comprising maintaining a table of which of multiple ports belonging to said service provider are authorized for use to said application and other applications requesting services of said service provider.
10. A system; comprising:
a certificate generation engine to generate a certificate for an application;
a certificate signing engine to sign the certificate;
an application authentication engine to authenticate said application to use said service provider;
a port engine to confirm that said application is authorized to use a port of said service provider; and
a packet authorization engine to authorize packets at said service provider from said application.
11. The system of claim 10, wherein said certificate generation engine seeks approval from a network administrator before generating said certificate.
12. The system of claim 10, further comprising a key updating engine to update said application with updated keys as older keys from said service provider to be embedded into packets from said application become outdated.
13. The system of claim 10, further comprising a tracking engine to track which of multiple applications are authorized to use which of multiple ports belonging to said service provider.
14. A computer program product, comprising:
a non-transitory computer readable storage medium, said non-transitory computer readable storage medium comprising computer readable program code embodied therewith, said computer readable program code comprising program instructions that, when executed, causes a processor to:
confirm that an application has a certificate to access a service provider over a logical connection between said application and said service provider;
confirm that said application is using an authorized port of said service provider; and
confirm that packets sent from said application comprise a key from said service provider.
15. The computer program product of claim 14, further comprising computer readable program code comprising program instructions that, when executed, causes said processor to send an update for said key to said application in response to said key becoming outdated.
US16/161,603 2013-01-30 2018-10-16 Authenticating Applications to a Network Service Abandoned US20190052623A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/161,603 US20190052623A1 (en) 2013-01-30 2018-10-16 Authenticating Applications to a Network Service

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/754,126 US10104060B2 (en) 2013-01-30 2013-01-30 Authenticating applications to a network service
US16/161,603 US20190052623A1 (en) 2013-01-30 2018-10-16 Authenticating Applications to a Network Service

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/754,126 Division US10104060B2 (en) 2013-01-30 2013-01-30 Authenticating applications to a network service

Publications (1)

Publication Number Publication Date
US20190052623A1 true US20190052623A1 (en) 2019-02-14

Family

ID=51224574

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/754,126 Active 2035-05-13 US10104060B2 (en) 2013-01-30 2013-01-30 Authenticating applications to a network service
US16/161,603 Abandoned US20190052623A1 (en) 2013-01-30 2018-10-16 Authenticating Applications to a Network Service

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/754,126 Active 2035-05-13 US10104060B2 (en) 2013-01-30 2013-01-30 Authenticating applications to a network service

Country Status (1)

Country Link
US (2) US10104060B2 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9344404B2 (en) * 2013-01-31 2016-05-17 Dell Products L.P. System and method for synchronizing connection credentials
US10757105B2 (en) * 2017-06-12 2020-08-25 At&T Intellectual Property I, L.P. On-demand network security system
US11677727B2 (en) * 2020-03-16 2023-06-13 Microchip Technology Incorporated Low-latency MACsec authentication
US11558183B2 (en) * 2020-05-15 2023-01-17 Bank Of America Corporation System for exchanging symmetric cryptographic keys using computer network port knocking

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050012021A1 (en) * 2001-12-21 2005-01-20 Erik Middelman Profiled photovoltaic roofing panel
US20050240997A1 (en) * 2004-04-27 2005-10-27 Kenichi Shimooka ID collection and management apparatus, method and program of computer
US20060024099A1 (en) * 2004-08-02 2006-02-02 Takashi Suzuki Cleaning device for image forming apparatus
US20070001144A1 (en) * 2005-04-04 2007-01-04 Hoeptner Herbert W Faucet sealing
US20080008676A1 (en) * 2006-07-06 2008-01-10 The Procter & Gamble Company Deodorant composition comprising metallic deodorizing agent
US20080189774A1 (en) * 2006-12-29 2008-08-07 Prodea Systems, Inc. Activation, Initialization, Authentication, and Authorization for a Multi-Services Gateway Device at User Premises

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5548646A (en) * 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US6182146B1 (en) 1997-06-27 2001-01-30 Compuware Corporation Automatic identification of application protocols through dynamic mapping of application-port associations
US6674764B1 (en) 1999-02-24 2004-01-06 Lucent Technologies Inc. Communications system and method with telemetry device identification capabilities
US6463474B1 (en) * 1999-07-02 2002-10-08 Cisco Technology, Inc. Local authentication of a client at a network device
WO2001047232A2 (en) * 1999-12-22 2001-06-28 Transnexus, Inc. Secure enrollment of a device with a clearinghouse server for internet telephony system
WO2001063567A2 (en) * 2000-02-25 2001-08-30 Identix Incorporated Secure transaction system
US20020004901A1 (en) * 2000-07-10 2002-01-10 See-Wai Yip Systems and methods for PKI-enabling applications using application-specific certificates
US20020031230A1 (en) * 2000-08-15 2002-03-14 Sweet William B. Method and apparatus for a web-based application service model for security management
US6986040B1 (en) * 2000-11-03 2006-01-10 Citrix Systems, Inc. System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel
JP4145118B2 (en) * 2001-11-26 2008-09-03 松下電器産業株式会社 Application authentication system
US7434254B1 (en) * 2002-10-25 2008-10-07 Cisco Technology, Inc. Method and apparatus for automatic filter generation and maintenance
US7587598B2 (en) * 2002-11-19 2009-09-08 Toshiba America Research, Inc. Interlayer fast authentication or re-authentication for network communication
US20050152305A1 (en) * 2002-11-25 2005-07-14 Fujitsu Limited Apparatus, method, and medium for self-organizing multi-hop wireless access networks
US7222360B1 (en) 2002-11-27 2007-05-22 Sprint Communications Company L.P. Continuous biometric authentication using frame preamble for biometric data
US7962954B2 (en) 2003-01-15 2011-06-14 Cisco Technology, Inc. Authenticating multiple network elements that access a network through a single network switch port
US7568098B2 (en) * 2003-12-02 2009-07-28 Microsoft Corporation Systems and methods for enhancing security of communication over a public network
US7624431B2 (en) * 2003-12-04 2009-11-24 Cisco Technology, Inc. 802.1X authentication technique for shared media
US8094821B2 (en) * 2004-08-06 2012-01-10 Qualcomm Incorporated Key generation in a communication system
WO2007140487A2 (en) * 2006-06-01 2007-12-06 Verifides Technology Corp. Data access control systems and methods
US8316430B2 (en) * 2006-10-06 2012-11-20 Ricoh Company, Ltd. Preventing network traffic blocking during port-based authentication
JP5006388B2 (en) * 2007-04-19 2012-08-22 パナソニック株式会社 Data management device
US8238357B2 (en) * 2007-04-23 2012-08-07 Nec Corporation VLAN communication inspection system, method and program
JP5270937B2 (en) * 2008-03-17 2013-08-21 キヤノン株式会社 COMMUNICATION DEVICE AND ITS CONTROL METHOD
US8726382B2 (en) * 2008-08-20 2014-05-13 The Boeing Company Methods and systems for automated detection and tracking of network attacks
US8621203B2 (en) * 2009-06-22 2013-12-31 Nokia Corporation Method and apparatus for authenticating a mobile device
KR20120002836A (en) * 2010-07-01 2012-01-09 삼성전자주식회사 Apparatus and method for controlling access to combined services
US20120209976A1 (en) 2011-02-15 2012-08-16 Mcquade Philip A Remote management and control using common internet protocols
US8677471B2 (en) * 2011-12-12 2014-03-18 Mcafee, Inc. Port allocation in a firewall cluster
US8600355B1 (en) * 2012-05-17 2013-12-03 Cellco Partnership Systems and methods for authenticating applications for access to secure data using identity modules

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050012021A1 (en) * 2001-12-21 2005-01-20 Erik Middelman Profiled photovoltaic roofing panel
US20050240997A1 (en) * 2004-04-27 2005-10-27 Kenichi Shimooka ID collection and management apparatus, method and program of computer
US20060024099A1 (en) * 2004-08-02 2006-02-02 Takashi Suzuki Cleaning device for image forming apparatus
US20070001144A1 (en) * 2005-04-04 2007-01-04 Hoeptner Herbert W Faucet sealing
US20080008676A1 (en) * 2006-07-06 2008-01-10 The Procter & Gamble Company Deodorant composition comprising metallic deodorizing agent
US20080189774A1 (en) * 2006-12-29 2008-08-07 Prodea Systems, Inc. Activation, Initialization, Authentication, and Authorization for a Multi-Services Gateway Device at User Premises

Also Published As

Publication number Publication date
US20140215572A1 (en) 2014-07-31
US10104060B2 (en) 2018-10-16

Similar Documents

Publication Publication Date Title
US10110585B2 (en) Multi-party authentication in a zero-trust distributed system
US9729531B2 (en) Accessing a computer resource using an access control model and policy
US20170302644A1 (en) Network user identification and authentication
CN106034104B (en) Verification method, device and system for network application access
US8074264B2 (en) Secure key distribution to internet clients
CN106888084B (en) Quantum fort machine system and authentication method thereof
US7640430B2 (en) System and method for achieving machine authentication without maintaining additional credentials
US20190052623A1 (en) Authenticating Applications to a Network Service
US20090031399A1 (en) Method and Apparatus for Content Based Authentication for Network Access
KR20210133985A (en) Systems and methods for assuring new authenticators
US20070157313A1 (en) Autonomic self-healing network
US20160171187A1 (en) Registration of devices in a digital rights management environment
US11210387B2 (en) Detecting and preventing unauthorized credential change
JP2019536157A (en) System and method for transparent multi-factor authentication and security approach posture check
US20220417028A1 (en) Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession
CN113572791B (en) Video Internet of things big data encryption service method, system and device
CN115333840B (en) Resource access method, system, equipment and storage medium
CN115277168A (en) Method, device and system for accessing server
US20220086142A1 (en) Detecting and preventing unauthorized credential change
US11616780B2 (en) Security protection against threats to network identity providers
US11177958B2 (en) Protection of authentication tokens
Ferretti et al. Authorization transparency for accountable access to IoT services
CN106576050B (en) Three-tier security and computing architecture
US20230351028A1 (en) Secure element enforcing a security policy for device peripherals
Kim et al. Security analysis and bypass user authentication bound to device of windows hello in the wild

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION