WO2006107713A1 - System and method for multi-session establishment - Google Patents

System and method for multi-session establishment Download PDF

Info

Publication number
WO2006107713A1
WO2006107713A1 PCT/US2006/011710 US2006011710W WO2006107713A1 WO 2006107713 A1 WO2006107713 A1 WO 2006107713A1 US 2006011710 W US2006011710 W US 2006011710W WO 2006107713 A1 WO2006107713 A1 WO 2006107713A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
supplicant
authentication server
server
key
Prior art date
Application number
PCT/US2006/011710
Other languages
French (fr)
Inventor
Nancy Cam Winget
Mark Krischer
Jeremy Stieglitz
Original Assignee
Cisco Technology, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/098,253 external-priority patent/US7562224B2/en
Application filed by Cisco Technology, Inc. filed Critical Cisco Technology, Inc.
Priority to EP06748958.3A priority Critical patent/EP1869822B1/en
Priority to CN2006800064115A priority patent/CN101129014B/en
Publication of WO2006107713A1 publication Critical patent/WO2006107713A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system and method that allows a device to complete a single complete authentication sequence to a AAA server resulting in as many secure sessions required for the different applications or subsystems determined by the client' s identity and the AAA server's policy. As the device is authenticated, it is determined where there are other sessions for the device. The other sessions are established by generating unique new keying material that is passed to each session. The system and method also supports disjoint authentication server farms and disjoint policy or authorization servers for multi-session establishment. The authentication server can be provided with global knowledge of authenticators for additional sessions for a supplicant and can split authentication requests as needed to different authentication servers.

Description

SYSTEM AND METHOD FOR MULTI-SESSION ESTABLISHMENT
BACKGROUND OF THE INVENTION
The present invention relates generally to network security and more specifically for a system and method to enable a single device to establish multiple sessions with a single login.
Network security has become a business critical issue. As a result, there is a need for different applications and systems to authenticate to one another. These authentications occur in an isolated context and result in the establishment of multiple, secure, authenticated sessions. For example, in the wireless context, an access point may run several different applications or subsystems. As a result, there is a need for the access point to authenticate several times. When multiplied across a network comprising hundreds of access points, this can significantly load the AAA (Authentication, Authorization and Accounting) servers. Existing single sign-on systems tend to be an optimization on the user side, eliminating the need for the user to continuously log into different applications by hiding subsequent authentications from the user. Typically, the user performs a single login to "unlock" access to secure credentials. These credentials are then used by the single sign- on system to authenticate the user to other applications as required. For example, Kerberos, available from the Massachusetts Institute of Technology and many other commercial products, authenticate a user to a ticketing server. The user requests tickets for each application the user would like to use. When the user starts an application, the tickets are used to establish a secure session with each application by the single sign-on system. The user's device submits the ticket to the authenticator for the application, the authenticator then authenticates the ticket with the ticketing server. Thus, the device is still performing multiple authentications, even though authentications to applications are hidden from the user by the single sign-on system.
BRIEF SUMMARY OF THE INVENTION In accordance with an aspect of the present invention, there is described herein a system and method that allows a device to complete a single successful authentication sequence to a AAA server or multiple AAA servers, resulting in as many secure sessions for the different applications or subsystems, for example as determined by either the client's identity, the AAA server's policy, the client's (e.g., AP's) configuration at the time of initialization or any combination thereof.
In accordance with an aspect of the present invention, there is disclosed herein a system and method that enables multi-session authentication requests to be split as needed between different authentication servers. In one embodiment the authentication server acts as a proxy for the other authenticators and sends requests to the disjoint authentication servers. Alternatively, the authentication server has global knowledge of other authenticators and can split the requests as needed to different authentication servers. Aggregation of the split requests can be used if any of the authentication servers are capable of handling multiple requests.
In accordance with an aspect of the present invention, there is described herein a method to optimize authenticated multi-session establishment for a single supplicant. The method comprises authenticating the supplicant with an authentication server and determining at least one other session for the supplicant. The authentication server initiates the at least one other session for the supplicant with an authenticator for the at least one other session. Aspects of the present invention include systems and computer readable medium of instructions for implementing a methodology described herein.
An aspect of the present invention is that it allows an additional subsystem on a device to immediately begin operating over the authenticated, secure session without the need for a full authentication exchange, thus reducing AAA server traffic.
In accordance with an aspect of the present invention, there is disclosed herein a method for multi-session establishment by an authentication server. The method comprises receiving an authentication request for a supplicant from an authenticator for the supplicant. A determination is made whether there is at least one other session for the supplicant. The at least one other session for the supplicant with is initiated with a server for the at least one other session.
In accordance with an aspect of the present invention, there is disclosed herein an authentication server configured in accordance with an aspect of the present invention. The authentication server is configured for receiving an authentication request for a supplicant from an authenticator for the supplicant. The authentication server is configured to be responsive to the authentication request to initiate at least one other session for the supplicant with a server for the at least one other session. In accordance with an aspect of the present invention, there is disclosed herein an authentication server. The authentication server comprising means for receiving an authentication request for a supplicant from an authenticator for the supplicant. The authentication server further comprising means for determining at least one other session for the supplicant and means for initiating the at least one other session for the supplicant with a server for the at least one other session.
Still other objects of the present invention will become readily apparent to those skilled in this art from the following description wherein there is shown and described a preferred embodiment of this invention, simply by way of illustration of one of the best modes best suited for to carry out the invention. As it will be realized, the invention is capable of other different embodiments and its several details are capable of modifications in various obvious aspects all without departing from the invention. Accordingly, the drawing and descriptions will be regarded as illustrative in nature and not as restrictive.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING
The accompanying drawings incorporated in and forming a part of the specification, illustrates several aspects of the present invention, and together with the description serve to explain the principles of the invention.
FIG. 1 is a block diagram of a system in accordance with an aspect of the present invention.
FIG. 2 is a block diagram of a wireless local area network in accordance with a preferred embodiment of the present invention.
FIG. 3 is an exemplary network wherein an authentication server proxies authentication requests to additional authentication servers. FIG. 4 is an exemplary network employing a server farm of authentication servers.
FIG. 5 is an exemplary network employing an authentication server and multiple authorization servers.
FIG. 6 is a block diagram of a computer system for implementing an aspect of the present invention. FIG. 7 is a block diagram of a methodology in accordance with an aspect of the present invention.
FIG. 8 is a detailed block diagram of a methodology in accordance with an aspect of the present invention. FIG. 9 is a block diagram of a methodology for multi-session establishment.
DETAILED DESCRIPTION OF INVENTION
Throughout this description, the preferred embodiment and examples shown should be considered as exemplars, rather than limitations, of the present invention. The present invention provides a solution for providing securely authenticated multi-session establishment for a single device, eliminating the need for several redundant authentication exchanges. A device completes a single complete authentication sequence to a AAA server resulting in as many secure sessions required for the different applications or subsystems determined by the client's identity and the AAA server's policy. As the device is authenticated, the AAA server determines other sessions for the device. The AAA server generates session keys for the other sessions, sending one key to the other session and a corresponding key to the deyice, enabling the device to begin operating over the authenticated secure session without the need for a full authentication exchange. The supplicant device is configured with logic to make it aware of the different subsystems it maintains, some of which may require authentication, as well as their relative priorities. "Logic", as used herein, includes but is not limited to hardware, firmware, software and/or combinations of each to perform a function(s) or an action(s), and/or to cause a function or action from another component. For example, based on a desired application or need, logic may include a software controlled microprocessor, discrete logic such as an application specific integrated circuit (ASIC), a programmable/programmed logic device, memory device containing instructions, or the like, or combinational logic embodied in hardware. Logic may also be fully embodied as software. When the supplicant begins the authenticated session establishment for the predefined "initial" subsystem, a list of additional authenticated sessions is employed to indicate the additional sessions. In one embodiment, the list is appended by the supplicant during login to the authentication server. In another embodiment, the list is stored at the authentication server. The AAA server is configured with logic to recognize the list of additional sessions for the supplicant. The AAA server is responsive to the list to send additional session keys to the authenticator for the additional sessions. The AAA server will also send a session key to the supplicant and initial authenticator, which may be sent concurrently or separately from the session keys for the additional sessions.
Authenticators are configured with logic to handle session establishment when prompted by the AAA server, such as in the form of a session key, rather than in the form
5 of an authentication request from the supplicant. This allows additional subsystems on the device to immediately begin operating using an authenticated, secure session while obviating the need for a full authentication exchange.
An aspect of the present invention is that it reduces the load to the device performing the authentications as well as the load on the AAA server, which must perform io the authentication for each session. The present invention also reduces the number of messages required to handle all the authentication sequences thereby reducing network traffic as well.
Referring now to FIG. 1, there is illustrated a block diagram of a system 100 in accordance with an aspect of the present invention. Supplicant 102 communicates bi-
15 directionally with authenticator 104. In a preferred embodiment, supplicant 102 is a client desiring access to a network via authenticator 104. Authenticator 104 communicates bi- directionally with authentication server 106. In a preferred embodiment, authentication server 106 is an AAA (Authentication, Authorization and Accounting) server, such as a RADIUS (Remote Authentication Dial-In User Service, RFC 2865) server. In addition,
20 either authenticator 104, authentication server 106 or both bi-directionally communicates with authenticators 108, 112 ... and 116 for additional application 1, 110, application 2, 114 ... and application N, 118 respectively. From a logical perspective, each application has its own authenticator. However, for applications that are co-located on the same device it is possible, but not necessary, for the authenticators to be the same code running on the
25 same box, having individual contexts for each separate authentication session.
When supplicant 102 first connects with the network, authenticator 104 has logic that only allows authentication request messages to be passed between supplicant 102 and authentication server 106. Until supplicant 102 is authenticated, sessions with application 1, 108, application 2, 110, ... , application N, 112, are inhibited by logic in wireless switch
30 204. When authentication server 106 authenticates supplicant 102, logic in the authentication server sends keying material for the session to authenticator 104 and supplicant 102.
Page 5 i In addition, either concurrent with the authentication process or as a separate process, logic in authentication server 106 determines at least one other session for supplicant 102, e.g., application 1, 108, application 2, 110, ... , application N, 112. In one embodiment, logic in supplicant sends a list of additional sessions to the authentication server 106, for example added as Information Elements (IEs) as part of the message. Alternatively, authentication server 106 utilizes logic to retrieve a database entry for the server from a database accessible to the authentication server. The database preferably resides on authentication server 106, but can reside elsewhere.
There are several ways in which the sessions are generated from a single authentication contemplated by the present invention. The present invention contemplates that the method and means employed are understood by both the supplicant and the network infrastructure. Thus, the supplicant signals either authenticator 104 or authentication server 106 that it desires to establish these multiple sessions. Alternative embodiments are based upon whether the policy decision is made by authenticator 104 or the authentication server 106. But the logic is the same, that is, in the case of the supplicant being the AP, the AP must signal agreement of this through an added element to the 802. IX EAP authentication, the EAP method itself or it can be implicitly understood that all it's authentications will yield the multiple sessions. Authenticator 104 or authentication server 106 confirm that the AP is authorized to establish the multiple sessions before it initiates the multi-session establishment.
As authentication server 106 determines there is at least one other session for supplicant 102, authentication server 106 initiates a session with an authenticator for the at least one other session, such as an authenticator 108 for application 1, 110, authenticator 112 for application 2, 114, ... , and authenticator 116 for application N, 118. The sessions are established by generating unique new keying material that is passed to each session. This can be accomplished by (a) the authenticator 104 or authentication server 106 issues the keys and distributes them to both the supplicant and applications (via their authenticators); or (b) authenticator 104 or authentication server 106 mutually generate the session unique keys with the supplicant (for example an AP as shown in Figure 2) that are then distributed to the applications (via their authenticators).
For the former case where keys are derived by an endpoint, the endpoint may be supplicant 102, authentication server 106 {e.g., an AS) or authenticator 104 {e.g., a WDS). For the case where the endpoint is the supplicant 102, the supplicant 102 will signal after a successful authentication the keys it wishes to use with each application. An example of how this may be achieved with, for example, using EAP-FAST, would be to further ensue in EAP-TLV request response exchanges between the supplicant 102 and the authentication server 106 wherein the EAP-TLV request the supplicant provide all the session keys, each mapped to the specific application. Each key shall be keywrapped using the "master session key" or keying material mutually derived by the supplicant 102 and authentication server 106. Note that the EAP-TLV exchange is protected by the EAP- FAST tunnel. The authentication server 106 then decrypts the EAP-TLV as well as the applications and corresponding session keys. For each application, authentication server 106 shall then keywrap its corresponding session key for that supplicant using a shared secret it holds with the application and distribute the key. It shall do this for each application for which the supplicant has defined and the authentication server 106 has verified is authorized to establish the initiate session.
For the case where authentication server 106 generates the session keys for both supplicant 102 and authenticator 104, then authentication server 106 and supplicant 102 must retain the conversation used to authenticate to further provision these keys to the supplicant 102. Authentication server 106 will use the shared secret it shares with each application to keywrap the generated session key corresponding to the particular application and supplicant and distribute it to the application. Similarly, it shall keywrap the session key and application identifier and distribute this information in the conversation it still holds (for authenticating) with the supplicant.
For the latter case where keys are mutually derived, as an example, when using EAP authentication with methods such as EAP-TLS, PEAP and EAP-FAST where keying material is generated, this keying material can be used to generate cryptographically unique keys for each session, hi these methods, the master secret key (per RFC 3748) or the EMSK (per draft-ietf-eap-keying-01.txt) to generate cryptographically unique keys for each application as follows:
- Given a master shared secret (MSK) from the resulting successful EAP method for each application including the "master" or originating application, named appl thru appn, their session keys can be generated as follows:
- Appl -session-key = hmac-shal( msk, "Unique <unique application name here> session key derivation" || Appl-identity || Supplicant-identity || <length of concatenated string>) - Appn-session-key = hniac-shal ( msk, "Unique <name the application n> session key derivation" [j Appl -identity || Supplicant-identity <length of concatenated string>)
- Where || denotes concatenation - Where <unique application name here> is a unique lable identifier for that application and must be distinct from all other applications
- Where <length of concatenated string> is the total length of the string generated by the concatenations.
FIG. 2 is a block diagram of a wireless local area network 200 in accordance with a preferred embodiment of the present invention. As shown, access point 202 is the supplicant and switch port 204 is the authenticator for access point 202. Switch port 204 communicates bi-directionally with access point 202. Switch port 204 couples access point 202 to the backbone network 212. Backbone network 212 is suitably any wired network topology, wireless network topology, or combination thereof. When access point 202 first desires to connect to network 212, it is authenticated by switch port 204 with authentication server 206. Until access point 202 is authenticated, switch port 204 exchanges authentication messages between access point 202 and authentication server 206 and blocks access point 202 from communicating with anything else connected to network 212. Upon successfully authenticating access point 202, authentication server 206 generates a session key for communications between wireless switch 204 and access point 202. In a preferred embodiment, authentication server 206 also generates session keys for communications between access point 202 and wireless domain server 208.
Additionally, in accordance with an aspect of the present invention, authentication server 206 determines whether access point 202 should be authenticated with other applications coupled to network 212, such as application 212, which is authenticated by additional authenticator 210.
In operation, the 'central' or main authenticator, which is in this example is authentication server 206, determines which "applications" it may also need to establish sessions for access point 202. Access point 202 is first authenticated to WDS (wireless domain server, or controller) 208. However access point 202 is also authenticated to the switch port 204 that it is connected to as well as other servers it may need to establish sessions (such as a call manager or DHCP server, etc). In a preferred embodiment, authentication server 206 is responsive to receive a list of additional sessions from access point 202, e.g., via an IE. In another preferred embodiment, authentication server 206 accesses a database to determine additional sessions. For example, when authentication server 206 determines that access point 202 should establish a session with additional authenticator 210, authentication server 206 generates a session key the session between access point 202 and additional authenticator 210. Preferably, authentication server 206 determines the session between access point 202 and additional authenticator 210 during the authentication of access point 202. This would enable authentication server to send a single communication to access point 202 comprising a session key for switch port 204, a session key for wireless domain server 208, and a session key for additional authenticator 210. Authentication server 206 also sends session keys to switch port 204, wireless domain server 208 and additional authenticator 210 for access point 202. Additional authenticator 210 is configured with logic that is responsive to receiving a session key from authentication server 206 to establish an authenticated, secure session with access point 202. This allows additional subsystems on access point 202 to immediately begin operating using an authenticated, secure session while obviating the need for a full authentication exchange with additional authenticator 210. Although the above example illustrates the process for establishing multiple sessions for an access point, those skilled in the art can readily appreciate that the same process is adaptable for establishing multiple sessions for any device utilizing network 212. For example, the process can be used by a client (not shown) associating with access point 202, wherein access point 202 acts as the authenticator. As another example, the process can be used when authenticating switch port 204, or wireless domain server 208. An aspect of the present invention is that it supports disjoint authentication server farms and disjoint policy or authorization servers. An aspect of the present invention is that it supports a system where different authenticators are actually supported by disjoint authentication servers, allowing the initial authentication server receiving the request to act as a proxy where a different authentication server services the request. An aspect of the present invention is that it supports a system where the authentication server is actually a server farm and for load balancing purposes the aggregated requests can be split among different individual servers. An aspect of the present invention supports a system where
Page 9 ■ the authentication server obtains specific policy information from other (single or multiple) authorization server(s) from the different authenticators.
For example, Cisco Access Points, available from Cisco Technology, Inc., 170 West Tasman Drive, San Jose, CA 95134, contain multiple subsystems which need to
5 authenticate to different authenticators. In large vertical environments, where large number of access points may come online simultaneously, this creates a huge burden on the AAA server infrastructure.
FIG. 3 is an exemplary network 300 wherein an authentication server 306 proxies authentication requests to additional authentication servers 316, 326, 336. Supplicant 302 o initiates a session by sending a request to authenticator 304. Supplicant 302 communicates bi-directionally with authenticator 304. In a preferred embodiment, supplicant 302 is a client desiring access to a network 306 (e.g. a distribution network) via authenticator 304. Authenticator 304 communicates bi-directionally with authentication server 306. In a preferred embodiment, authentication server 306 is a AAA s (Authentication, Authorization and Accounting) server, such as a RADIUS (Remote Authentication Dial-in User Service, RFC 2865) server.
When supplicant 302 first connects with the network, authenticator 304 has logic that only allows authentication request messages to be passed between supplicant 302 and authentication server 306. "Logic", as used herein, includes but is not limited to hardware, o firmware, software and/or combinations of each to perform a function(s) or an action(s), and/or to cause a function or action from another component. For example, based on a desired application or need, logic may include a software controlled microprocessor, discrete logic such as an application specific integrated circuit (ASIC), a programmable/programmed logic device, memory device containing instructions, or the 5 like, or combinational logic embodied in hardware. Logic may also'be fully embodied as software. Until supplicant 302 is authenticated, sessions with application 1, 310, application 2, 320, ... , application N, 330, are inhibited by logic in authenticator 304. When authentication server 306 authenticates supplicant 302, logic in authentication server 306 sends keying material for the session to authenticator 304 and supplicant 302. 0 In addition, either concurrent with the authentication process or as a separate process, logic in authentication server 306 determines at least one other session for supplicant 302, e.g., application 1, 310, application 2, 320, ... , application N, 330. In one embodiment, logic in supplicant 302 sends a list of additional sessions to the authentication server 306, for example added as Information Elements (IEs) as part of the message. Alternatively, authentication server 306 utilizes logic to retrieve a database entry for the server from a database accessible to the authentication server. The database preferably resides on authentication server 306, but can reside elsewhere as long as it is accessible by authentication server 306.
There are several ways in which the sessions are generated from a single authentication contemplated by the present invention. The present invention contemplates that the method and means employed are understood by both the supplicant and the network infrastructure. Thus, the supplicant signals either authenticator 304 or authentication server 306 that it desires to establish these multiple sessions. Alternative embodiments are based upon whether the policy decision is made by authenticator 304 or the authentication server 306. But the logic is the same, that is, for example in the case of the supplicant being an AP, the AP must signal agreement of this through an added element to the 802. IX EAP authentication, the EAP method itself or it can be implicitly understood that all it's authentications will yield the multiple sessions. Authenticator 304 or authentication server 306 confirm that the AP is authorized to establish the multiple sessions before it initiates the multi-session establishment.
As authentication server 306 determines there is at least one other session for supplicant 302, authentication server 306 acts as a proxy and initiates a session with an authenticator server for the at least one other session, such as an authentication server 316 for application 1, 310, authentication server 326 for application 2, 320, ... , and authentication server 336 for application N, 330. Thus, to establish the at least one other session with one or more of applications 310, 320, 330, authentication server 306 communicates with the corresponding authentication server 316, 326, 336 as opposed to the authenticator 314, 324, 334.
The sessions are established by generating unique new keying material that is passed to each session. This can be accomplished by any one of several suitable techniques. For example, authentication server 306 can issue the keys and distribute them to both the supplicant 304 and applications 310, 320, 330 via their authentication servers 316, 326, 336 respectively. As another example, the keys can be derived by the authentication server 316, 326, 336 for the corresponding application 310, 320, 330, which would then distribute the key for the supplicant to authentication server 306 and the corresponding key for the application 310, 320, 330 to the application 310, 320, 330. The following is an example of how network 300 can be utilized to support a large network. In this example supplicant 302 is a wireless access point (AP) and authenticator 304 is a wireless switch. When the supplicant (AP) 302 powers up, it contacts authenticator 304 to access distribution network 308. Authenticator 304 forwards the access request to authentication server 306. Authentication server 306 authenticates supplicant 302 (i.e. verifies who supplicant is) and determines whether supplicant 302 is authorized to access network 308.
In addition, if supplicant (AP) 302 needs to access additional applications (e.g. applications 310, 320, 330) then either supplicant (AP) sends a list of applications to authentication server 306 (e.g. via IEs coupled to the access request) or authentication server 306 determines what other applications supplicant 302 is authorized to access. Authentication server 306 then communicates with the authentication server associated with the application(s) (e.g. authentication servers 316, 326, 336 for applications 310, 320, 330 respectively). Keying material for the sessions between supplicant 302 and one or more of applications 310, 320, 330 can be generated by either authentication server 306, the authentication server 316, 326, 336 associated with the application 310, 320, 330, or can be mutually derived between authentication server 306 and the authentication server 316, 326, 336 associated with the application 310, 320, 330 respectively.
FIG. 4 is an exemplary network 400 employing a server farm 402 of authentication servers. In this example, supplicant 302 sends a request to access a network to authenticator 304. Authenticator 304 forwards the request to server farm 402, where one of authentication servers 306, 316, 326, 336 handles the request. Optionally, server farm 402 can employ a load balancer 404. Load balancer 404 comprises logic for determining the load on authentication servers 306, 316, 326, 336 and directs the authentication request to one of authentication servers 306, 326, 326, 336 based on their current load.
In the server farm example, any one of authentication servers 306, 316, 326, 336 can act as an authentication server for authenticator 304 and/or for applications 310, 320, 330. Furthermore, if an authentication server 306, 3116, 326, 336 determines that its load is at a threshold level (e.g. at capacity or a certain percentage of capacity), it can pass off the request from supplicant 302 to another authentication server 306, 316, 326, 336. In addition, the authentication server 306, 316, 326, 336 handling the authentication request for supplicant 302 does not have to be the same server that initiates the session with one or more of applications 310, 320, 330.
Page 12 i As an example, if supplicant 302 is attempting to access network 400 and requires access to application N 330, authenticator 304 passes the request to server farm 402 where one of authentication servers 306, 316, 326, and 336 process the request from supplicant 302. For example, authentication server 306 can handle the request from supplicant 302.
5 Authentication server 306 can determine that supplicant 302 has to establish a session with one of applications 310, 320, 330 (application 330 in this example). Authentication server 306 can determine this either by examining the request sent by supplicant 302 (e.g. a list can be attached, for example using TLVs) or using other means (e.g. a database accessible by authentication server 306). Authentication server 103 can initiate the session with o supplicant 302 and application 330, or authentication server 306 can communicate with one of authentication serves 316, 326, 336 to initiate the session. Once the session has been initiated, keys can be exchanged between supplicant 302 and application 330. If authentication server 306 initiated the session, it can exchange both keys. If another authentication server, e.g. one of servers 316, 326, 336, initiated the session, that server s can pass one key to the application 330 and the other key to authentication server 306 which forwards it to supplicant 302.
FIG. 5 is an exemplary network 500 employing an authentication server and multiple authorization (or policy) servers 516, 526, 536. In this example, supplicant 302 contacts authenticator 304 to request access to network 500. Authenticator 304, which o authenticates supplicant 302, authenticates supplicant 302 with authentication server 306. Authentication server 306 then determines whether to establish additional sessions for supplicant 302, for example with one or more of applications 310, 320, 330. However, in this example, authentication server 306 authenticates supplicant 302, but authorization (or policy) servers 516, 526, 536 are employed to determine whether supplicant 302 is 5 authorized for applications 310, 320, 330 respectively.
Thus, when authentication server 306 determines that additional sessions are being requested with one or more of applications 310, 320, 330 for supplicant 302, authentication server 306 determines via the corresponding authorization (or policy) server 516, 526, 536 whether supplicant 302 is authorized to access the application 310, 320, 330. 0 Supplicant 302 can request access to applications 310, 320, 330 via a TLV or a list attached to its request to access network 500. Alternatively, authentication server 306 can maintain (or have access to) a database for determining additional sessions for supplicant 302. FIG. 6 is a block diagram of a computer system 600 for implementing an aspect of the present invention. For example, computer system 600 is suitable to be employed by at least one of supplicant 102, authenticator 104, authentication server 106, application 1, 108, application 2, 110, ..., and application N, 112 of Figure 1, and, access point 202, switch port 204, authentication server 206, wireless domain server 208 and additional authenticator 210 of Figure 2. For example, computer system 600 is suitable to be employed by at least one of supplicant 302, authenticator 304, authentication servers 306, 316, 326, 336 application 1, 310, application 2, 320, ..., and application N, 330 of Figure 3, and , load balancer 402 of Figure 4 and/or authorization servers 516, 526, 536 of Figure 5.
Computer system 600 includes a bus 602 or other communication mechanism for communicating information and a processor 604 coupled with bus 602 for processing information. Computer system 600 also includes a main memory 606, such as random access memory (RAM) or other dynamic storage device coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing a temporary variable or other intermediate information during execution of instructions to be executed by processor 604. Computer system 600 further includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk or optical disk, is provided and coupled to bus 602 for storing information and instructions.
An aspect of the invention is related to the use of computer system 600 for multi- session establishment for a single client. According to one embodiment of the invention, multi-session establishment for a single device is provided by computer system 600 in response to processor 604 executing one or more sequences of one or more instructions contained in main memory 606. Such instructions may be read into main memory 606 from another computer-readable medium, such as storage device 610. Execution of the sequence of instructions contained in main memory 606 causes processor 604 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 606. In alternative embodiments, hard-wired circuitry or an ASIC may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.
The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 604 for execution. Such a medium may 5 take many forms, including but not limited to non-volatile media, volatile media, and transmission media. Non-volatile media include for example optical or magnetic disks, such as storage device 610. Volatile media include dynamic memory such as main memory 606. Transmission media include coaxial cables, copper wire and fiber optics, including the wires that comprise bus 602. Transmission media can also take the form of o acoustic or light waves such as those generated during radio frequency (RJF) and infrared (IR) data communications. Common forms of computer-readable media include for example floppy disk, a flexible disk, hard disk, magnetic cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASHPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other s medium from which a computer can read.
Computer system 600 also includes a communication interface 618 coupled to bus 602. Communication interface 618 provides a two-way data communication coupling to a network link 620 that is connected to a local network 622. For example, communication interface 618 may be an integrated services digital network (ISDN) card or a modem to 0 provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 618 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 618 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams 5 representing various types of information.
Network link 620 typically provides data communication through one or more networks to other data devices. For example, network link 620 may provide a connection through local network 622 to other computers (not shown).
In view of the foregoing structural and functional features described above, a o methodology in accordance with various aspects of the present invention will be better appreciated with reference to Figures 7-9. While, for purposes of simplicity of explanation, the methodology of Figures 7-9 are shown and described as executing serially, it is to be understood and appreciated that the present invention is not limited by the illustrated order, as some aspects could, in accordance with the present invention, occur in different orders and/or concurrently with other aspects from that shown and described herein. Moreover, not all illustrated features may be required to implement a methodology in accordance with an aspect the present invention. Embodiments of the present invention are suitably adapted to implement the methodology in hardware, software, or a combination thereof.
FIG. 7 is a block diagram of a methodology 700 to optimize authenticated multi- session establishment for a single supplicant in accordance with an aspect of the present invention. At 702, the supplicant is authenticated with an authentication server. For example, a supplicant initiates a session with an authenticator, the authenticator passing authentication messages between the supplicant and the authentication server to enable the supplicant to be authenticated by the authentication server.
At 704, it is determined whether there are any additional sessions for the supplicant. To determine the additional sessions, the supplicant may send a list of potential additional sessions to the authentication server, or the authentication server accesses a database containing session information for the supplicant.
At 706, the authentication server initiates the additional session for the supplicant with an authenticator for the additional session. The initiating comprises generating a session key pair for the session between the supplicant and the additional session, sending one of the session key pair to the supplicant and the other to the authenticator for the additional session. The authenticator for the additional session is responsive to receiving the key from the authentication server to establish an authenticated, secure session with the supplicant without additional authentication steps.
In a preferred embodiment, the authenticator for the additional session has already been authenticated with the authentication server. Otherwise, the authentication server authenticates the authenticator for the additional session.
In a preferred embodiment, the supplicant receives the key for its authenticator and the authenticator for the additional session at the same time. This minimizes the amount of traffic between the supplicant and the authentication server. FIG. 8 is a detailed block diagram of a methodology 800 to optimize authenticated multi-session establishment for a single device in accordance with an aspect of the present invention. Methodology 800 begins at 802 when the device initiates login with its authenticator. The authenticator enables communication between the device and an authentication server, and inhibits the device from other communications until the device is authenticated. If at 804 it is determined that the logon was not successful (NO), processing returns to 802. Otherwise, at 804 logon was successful (YES), the processing continues to 806.
5 At 806, the session between the device and the original authenticator is established and session keys are generated for the session between the device and the original authenticator. At 808, a session key is sent to the original authenticator.
At 810, the authentication server determines that there is another session for the device. One technique for determining whether there is another session for the device is o for the device to send a list to the authentication server of additional sessions, or potential additional sessions. Another technique for determining whether there is another session for the device is to access a database or other record storage system by the authentication server. In one embodiment, the database resides on the authentication server, in another embodiment it resides elsewhere on the network. s At 812, session keys for the other session are generated. At 814, the session key for the other session is sent to the authenticator for the other session. In accordance with an aspect of the present invention, the authenticator for the other session is responsive to receipt of the session key to establishing an authenticated, secure session with the device. This enables the device to immediately communicate with the other session without any o additional authentication between the device and the authenticator of the other session. After the session key for the other session has been delivered, the device communicates with the authenticator for the other session using its corresponding session key for the other session. For added security, the authenticator for the other session should be authenticated with the authentication server. This allows the authenticator to ensure that 5 the key received from the authentication server is from a trusted source. Preferably, the authenticator for the other session is authenticated before the device logs on, so that only the key exchange occurs; otherwise, the authentication server would also authenticate the authenticator for the other session before sending the key.
At 816, the session key corresponding to the session key for the device's original o authenticator and the session key corresponding to the session key sent to the authenticator for the other session are sent to the device. In a preferred embodiment, the keys are sent at the same time to reduce the number of communications between the device and the authentication server. However, even if the keys are sent separately, the present invention still provides a benefit over prior art systems because the device does not have to perform authentications with the authenticator of the other session, which would entail additional communications between the authenticator of the other session, the authentication server and the device. It should be noted that steps 812-816 are executed for each session. For multiple sessions they may be executed concurrently.
FIG. 9 is a block diagram of a methodology 900 for multi-session establishment involving disjoint authentication and/or authorization servers. At 902, the supplicant is authenticated. The supplicant is authenticated by an authentication server that receives a request from an authenticator to authenticate the supplicant.
At 904, a determination is made whether the supplicant requires additional sessions. There are several techniques that can be employed to make this determination.
For example, the supplicant can request that the additional sessions be initiated, e.g., via a list attached to its request to access the network, or via an IE. As another example, the network infrastructure can store a list of applications for the supplicant, e.g., a database accessible by the authentication server.
At 906, the authentication server determines whether it needs (or should) communicate with another server. For example, if the authentication server is part of a server farm and the authentication server's load is reaching a critical load point, the authentication between the supplicant and the additional session can be off loaded and performed by another authentication server. Alternatively, if the authentication server is part of a server farm and reaching a critical load point, another authentication server in the server farm can perform the authentications for the supplicant and for the additional sessions. In other embodiments, one or more of the application for additional sessions may have an associated authentication server. A remote application for example would likely have its own authentication server.
Furthermore, in other embodiments, one or more of the applications for additional sessions may have associated authorization or policy servers. In these embodiments, the authentication server verifies (authenticates) the supplicant. The authentication server then verifies with the authorization or policy servers whether the supplicant is authorized to access the application.
If at 908 it is determined that at least one other server is needed for the additional session (YES), at 908 the authentication server proxies to the other server and communicates with the other server for the supplicant. Except for when authentication servers are changed for load balancing, communication with the other server for authentication and/or authorization for the supplicant are exchanged between the servers.
5 Otherwise (NO), 910 is performed.
At 910, the additional session is initiated. This may entail authentication of the supplicant, authorization of the supplicant or both. If the additional session requires keys, they are then generated by the appropriate authentication and/or authorization server. At 912, the keys for the additional session are obtained by the authentication server for the o supplicant.
At 914, the keys are distributed. If an additional or disjoint server is involved in the additional session, the additional or disjoint server can distribute keys to the application and to the authentication server for the supplicant. The authentication server for the supplicant would then forward the session key for the additional application to the 5 supplicant. The authentication server for the supplicant can forward the key for the additional application to the supplicant along with the session keys established by the authentication server for the supplicant, or the keys can be sent separately.
What has been described above includes exemplary implementations of the present invention. It is, of course, not possible to describe every conceivable combination of o components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art will recognize that many further combinations and permutations of the present invention are possible. Accordingly, the present invention is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims interpreted in accordance with the breadth to which they are 5 fairly, legally and equitably entitled.

Claims

CLAIM(S)
1. A method to optimize authenticated multi-session establishment for a single supplicant, comprising: authenticating the supplicant with an authentication server; 5 determining at least one other session for the supplicant; and initiating the at least one other session for the supplicant with an authenticator for the at least one other session.
2. A method according to claim 1, the determining at least one other session o further comprises sending a list of the at least one other session from the supplicant to the authentication server.
3. A method according to claim 1, wherein the determining at least one other session further comprises determining that the supplicant is authorized to be initiated with s the at least one other session.
4. A method according to claim 1, the determining at least one other session further comprises retrieving a database entry for the supplicant by the authentication server from a database accessible to the authentication server. o
5. A method according to claim 1, the initiating at least one other session further comprises: distributing a first session key for establishing a session between the supplicant and the authenticator; 5 the initiating the at least one other session for the supplicant further comprises distributing a second session key to the authenticator of the at least one other session; and distributing a set of keys to the supplicant; wherein the set of keys comprises a first key corresponding to the first 0 session key and a second key corresponding to the second session key.
6. A method according to claim 1, wherein the at least one other session is authenticated with the authentication server before the supplicant is authenticated.
7. A method according to claim 1, wherein the supplicant is a wireless access point, the authenticator is a switch port coupling the access point to a backbone network coupling the switch port to the authentication server.
5
8. A method according to claim 7, wherein the a one of the at least one other session is established with a wireless domain server for the access point
9. A method according to claim 8, further comprising: o distributing a first session key by the authentication server to the switch port for establishing a session between the access point and the switch port; the initiating the at least one other with the wireless domain server further comprises distributing a second session key by the authentication server to the wireless domain server; and s distributing a set of keys to the access point by the authentication server; wherein the set of keys comprises a first key corresponding to the first session key and a second key corresponding to the second session key.
10. A system, comprising: 0 means for authenticating a supplicant with an authentication server; means for determining at least one other session for the supplicant; and means for initiating the at least one other session for the supplicant by the authentication server with an authenticator for the at least one other session.
5 11. A system according to claim 10, the means for determining at least one other session further comprises means for sending a list of the at least one other session from the supplicant to the authentication server
12. A system according to claim 10, the means for determining at least one o other session further comprises means for retrieving a database entry for the supplicant by the authentication server from a database accessible to the authentication server.
13. A system according to claim 10, the means for initiating at least one other session further comprises: means for distributing a first key for the at least one other session to an authenticator of the at least one other session; and
5 means for distributing a second key corresponding to the first key for the at least one other session to the supplicant.
14. A system according to claim 10, the means for initiating at least one other session further comprises:
I0 means for distributing a first session key for establishing a session between the supplicant and the authenticator; the means for initiating the at least one other session for the supplicant further comprises means for distributing a second session key to the authenticator of the at least one other session; and is means for distributing a set of keys to the supplicant; wherein the set of keys comprises a first key corresponding to the first session key and a second key corresponding to the second session key.
15. A system according to claim 10, wherein the supplicant is a wireless access 20 point, the authenticator is a switch port coupling the access point to a backbone network coupling the switch port to the authentication server.
16. A system according to claim 15, wherein the a one of the at least one other session is established with a wireless domain server for the access point
25
17. A system according to claim 16, further comprising: means for distributing a first session key by the authentication server to the switch port for establishing a session between the access point and the switch port; the means for initiating the at least one other with the wireless domain 3o server further comprises means for distributing a second session key by the authentication server to the wireless domain server; and means for distributing a set of keys to the access point by the authentication server; wherein the set of keys comprises a first key corresponding to the first session key and a second key corresponding to the second session key.
18. A computer-readable medium of instructions, comprising: 5 means for receiving a login request from a device; means for authenticating the device responsive to the means for receiving a login request; means for determining at least one other session for the device; means for generating a session key pair for the at least one other session; I0 means for distributing one key of the session key pair to an authenticator for the at least one other session; and means for sending a second key of the session key pair to the device.
19. A computer-readable medium according to claim 18, further comprising: is means for generating a second session key pair to establish a session between the device and an authenticator for the device; and means for distributing a first key of the second session key pair to the authenticator for the device; wherein the means for sending a key of the session key pair to the device is 20 responsive to the means for generating a second session key pair to send a second key of the second session key pair with the second key of the session key pair for the at least the authenticator of the at least one other session.
20. A method for multi-session establishment by an authentication server, 25 comprising: receiving an authentication request for a supplicant from an authenticator for the supplicant; determining at least one other session for the supplicant; and initiating the at least one other session for the supplicant with an 30 authentication server for the at least one other session.
21. A method according to claim 1, wherein the authentication request for the supplicant comprises a list of the at least one other session.
22. A method according to claim 1, further comprising determining that the supplicant is authorized for the at least one other session.
23. A method according to claim 1, the determining at least one other session 5 further comprising retrieving a database entry for the supplicant, the database entry comprising a list of at least one other session for the supplicant.
24. A method according to claim 1, the initiating at least one other session further comprises: o receiving keying data from the server for the at least one other session; and forwarding the keying data to the supplicant.
25. A method according to claim 5, the forwarding keying data to the supplicant further comprises forwarding keying data for establishing a session between the s supplicant and the authenticator for the supplicant with the keying data for the at least one other session.
26. A method according to claim 1, wherein the supplicant is a wireless access point and the authenticator for the supplicant is a wireless switch coupling the access point 0 to a distribution network.
27. A method according to claim 1, further comprising forwarding the authentication request to another authentication server.
5 28. A method according to claim 1, wherein the server for the at least one other session is one of the group consisting of an authentication server and an authorization server.
29. An authentication server, comprising: o the authentication server configured for receiving an authentication request for a supplicant from an authenticator for the supplicant; and the authentication server is configured to be responsive to the authentication request to initiate at least one other session for the supplicant with a server for the at least one other session.
30. An authentication server to claim 10, wherein the authentication server is configured to obtain from the authentication request a list of the at least one other session.
31. An authentication server according to claim 10, further comprising the authentication server configured for determining that the supplicant is authorized for the at least one other session.
32. An authentication server according to claim 12, the determining at least one other session further comprising retrieving a database entry for the supplicant, the database entry comprising a list of at least one other session for the supplicant.
33. An authentication server according to claim 12, the authentication server is further configured to verify the supplicant is authorized for the at least one other session by accessing an authorization server for the at least one other session.
34. An authentication server according to claim 10, further comprising the authentication server configured to forward the authentication request to another authentication server based on a predetermined condition.
35. An authentication server according to claim 10, wherein the server for the at least one other session is one of the group consisting of an authentication server and an authorization server.
36. An authentication server, comprising: means for receiving an authentication request for a supplicant from an authenticator for the supplicant; means for determining at least one other session for the supplicant; and means for initiating the at least one other session for the supplicant with a server for the at least one other session.
37. An authentication server according to claim 17, further comprising means for determining that the supplicant is authorized for the at least one other session.
38. An authentication server according to claim 17, the means for initiating at least one other session further comprises: means for receiving keying data from the server for the at least one other session; and means for forwarding the keying data to the supplicant.
39. An authentication server according to claim 17, wherein the server for the at least one other session is one of the group consisting of an authentication server and an authorization server.
PCT/US2006/011710 2005-04-04 2006-03-31 System and method for multi-session establishment WO2006107713A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP06748958.3A EP1869822B1 (en) 2005-04-04 2006-03-31 Method and device for multi-session establishment
CN2006800064115A CN101129014B (en) 2005-04-04 2006-03-31 System and method for multi-session establishment

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US11/098,253 US7562224B2 (en) 2005-04-04 2005-04-04 System and method for multi-session establishment for a single device
US11/098,253 2005-04-04
US11/283,554 US7631347B2 (en) 2005-04-04 2005-11-18 System and method for multi-session establishment involving disjoint authentication and authorization servers
US11/283,554 2005-11-18

Publications (1)

Publication Number Publication Date
WO2006107713A1 true WO2006107713A1 (en) 2006-10-12

Family

ID=37073786

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/011710 WO2006107713A1 (en) 2005-04-04 2006-03-31 System and method for multi-session establishment

Country Status (3)

Country Link
US (1) US7631347B2 (en)
EP (1) EP1869822B1 (en)
WO (1) WO2006107713A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2082539A1 (en) * 2006-11-27 2009-07-29 Huawei Technologies Co Ltd System for using an authorization token to separate authentication and authorization services
EP2314090A2 (en) * 2008-08-14 2011-04-27 Microsoft Corporation Portable device association
US8099597B2 (en) 2007-01-09 2012-01-17 Futurewei Technologies, Inc. Service authorization for distributed authentication and authorization servers
WO2012027840A1 (en) * 2010-08-31 2012-03-08 Research In Motion Limited Network access
US8285990B2 (en) 2007-05-14 2012-10-09 Future Wei Technologies, Inc. Method and system for authentication confirmation using extensible authentication protocol
CN102857484A (en) * 2011-07-01 2013-01-02 阿里巴巴集团控股有限公司 Method, system and device for implementing single sign-on
CN103546293A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system or method
CN103546290A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system with user groups or third party certification method
US10447705B2 (en) 2008-08-14 2019-10-15 Microsoft Technology Licensing, Llc Cloud-based device information storage

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7916663B2 (en) * 2006-09-18 2011-03-29 Marvell International Ltd. Establishment of ad-hoc networks between multiple devices
US7747740B2 (en) * 2007-10-30 2010-06-29 Cisco Technology, Inc. Troubleshooting of Wireless Client Connectivity Problems in Wireless Networks
US8341702B2 (en) * 2007-11-01 2012-12-25 Bridgewater Systems Corp. Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol
US8793782B1 (en) * 2010-05-27 2014-07-29 Crimson Corporation Enforcing a health policy in a local area network
US20120185920A1 (en) * 2011-01-13 2012-07-19 International Business Machines Corporation Serialized authentication and authorization services
JP5614340B2 (en) * 2011-03-16 2014-10-29 富士通株式会社 System, authentication information management method, and program
US9172546B2 (en) 2012-01-25 2015-10-27 Cisco Technology, Inc. Network mediated multi-device shared authentication
US9077772B2 (en) 2012-04-20 2015-07-07 Cisco Technology, Inc. Scalable replay counters for network security
CN103546291A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system with specific registration processes or third party certification method
US9712514B2 (en) * 2015-02-08 2017-07-18 Cyber-Ark Software Ltd. Super-session access to multiple target services
CN107888546B (en) * 2016-09-29 2021-10-01 腾讯科技(深圳)有限公司 Network attack defense method, device and system
US20230015789A1 (en) * 2021-07-08 2023-01-19 Vmware, Inc. Aggregation of user authorizations from different providers in a hybrid cloud environment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030163733A1 (en) * 2002-02-28 2003-08-28 Ericsson Telefon Ab L M System, method and apparatus for federated single sign-on services
EP1343345A2 (en) 2002-03-04 2003-09-10 Microsoft Corporation Mobile authentication system with reduced authentication delay
US20030204608A1 (en) 2002-04-26 2003-10-30 Markus Isomaki Authentication and protection for IP application protocols based on 3GPP IMS procedures

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7213145B2 (en) * 2002-01-10 2007-05-01 Avaya Technology Corp. Method and apparatus for secure internet protocol communication in a call processing system
JP4304362B2 (en) * 2002-06-25 2009-07-29 日本電気株式会社 PKI-compliant certificate confirmation processing method and apparatus, and PKI-compliant certificate confirmation processing program
US20040054905A1 (en) * 2002-09-04 2004-03-18 Reader Scot A. Local private authentication for semi-public LAN
WO2005027560A1 (en) * 2003-09-12 2005-03-24 Ntt Docomo, Inc. Secure intra- and inter-domain handover
US7447775B1 (en) * 2003-11-07 2008-11-04 Cisco Technology, Inc. Methods and apparatus for supporting transmission of streaming data
DE102006015033B4 (en) * 2005-12-16 2016-07-07 Siemens Aktiengesellschaft Mobile station as a gateway for mobile terminals to an access network and method for network registration of the mobile station and the mobile terminals

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030163733A1 (en) * 2002-02-28 2003-08-28 Ericsson Telefon Ab L M System, method and apparatus for federated single sign-on services
EP1343345A2 (en) 2002-03-04 2003-09-10 Microsoft Corporation Mobile authentication system with reduced authentication delay
US20030204608A1 (en) 2002-04-26 2003-10-30 Markus Isomaki Authentication and protection for IP application protocols based on 3GPP IMS procedures

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2082539A4 (en) * 2006-11-27 2011-01-05 Huawei Tech Co Ltd System for using an authorization token to separate authentication and authorization services
EP2082539A1 (en) * 2006-11-27 2009-07-29 Huawei Technologies Co Ltd System for using an authorization token to separate authentication and authorization services
US8539559B2 (en) 2006-11-27 2013-09-17 Futurewei Technologies, Inc. System for using an authorization token to separate authentication and authorization services
US8099597B2 (en) 2007-01-09 2012-01-17 Futurewei Technologies, Inc. Service authorization for distributed authentication and authorization servers
US8285990B2 (en) 2007-05-14 2012-10-09 Future Wei Technologies, Inc. Method and system for authentication confirmation using extensible authentication protocol
EP2314090A4 (en) * 2008-08-14 2015-01-07 Microsoft Corp Portable device association
EP2314090A2 (en) * 2008-08-14 2011-04-27 Microsoft Corporation Portable device association
US10447705B2 (en) 2008-08-14 2019-10-15 Microsoft Technology Licensing, Llc Cloud-based device information storage
WO2012027840A1 (en) * 2010-08-31 2012-03-08 Research In Motion Limited Network access
US8607316B2 (en) 2010-08-31 2013-12-10 Blackberry Limited Simplified authentication via application access server
CN102857484A (en) * 2011-07-01 2013-01-02 阿里巴巴集团控股有限公司 Method, system and device for implementing single sign-on
CN103546290A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system with user groups or third party certification method
CN103546290B (en) * 2013-10-08 2019-06-18 任少华 Third Party Authentication system or method with user group
CN103546293A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system or method

Also Published As

Publication number Publication date
US7631347B2 (en) 2009-12-08
US20060236383A1 (en) 2006-10-19
EP1869822A1 (en) 2007-12-26
EP1869822B1 (en) 2017-09-06
EP1869822A4 (en) 2014-07-02

Similar Documents

Publication Publication Date Title
EP1869822B1 (en) Method and device for multi-session establishment
US7562224B2 (en) System and method for multi-session establishment for a single device
US7640430B2 (en) System and method for achieving machine authentication without maintaining additional credentials
US6993652B2 (en) Method and system for providing client privacy when requesting content from a public server
RU2417422C2 (en) Single network login distributed service
AU2005204576B2 (en) Enabling stateless server-based pre-shared secrets
JP6571145B2 (en) Digital identity
US20070165582A1 (en) System and method for authenticating a wireless computing device
WO2017016252A1 (en) Token generation and authentication method, and authentication server
US9178870B2 (en) User authentication method using self-signed certificate of web server, client device and electronic device including web server performing the same
WO2009059535A1 (en) An authentication method, system, server and user node
US20070118886A1 (en) Updating security data
KR100714100B1 (en) Method and system for user authentication in home network system
WO2022143935A1 (en) Blockchain-based method and system for sdp access control
US9118487B1 (en) Asymmetric encryption scheme with expiring revocable certificates having a predefined validity period
JP2009217722A (en) Authentication processing system, authentication device, management device, authentication processing method, authentication processing program and management processing program
WO2022143898A1 (en) Blockchain-based sdp access control method and apparatus
US10015286B1 (en) System and method for proxying HTTP single sign on across network domains
KR20220163704A (en) Tls session recovery method using paired token
CN117077114A (en) Communication optimization method, device, equipment and medium for kernel layer and application layer

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200680006411.5

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2006748958

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2006748958

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: RU