US2014013390A1PendingUtilityA1

System and method for out-of-band application authentication

51
Assignee: CYBER ARK SOFTWARE LTDPriority: Jul 5, 2012Filed: Jun 6, 2013Published: Jan 9, 2014
Est. expiryJul 5, 2032(~6 yrs left)· nominal 20-yr term from priority
G06F 21/42H04L 63/08G06F 21/44G06F 21/52H04L 63/10
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Application-to-Application authentication features using a second communication channel for out-of-band authentication separate from a communication channel of a request from a client to a server. Authentication information is associated with a component of the system such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A system for authentication comprising:
 (a) a server machine configured to:
 (i) receive, via a first channel, a request from a client machine, said request associated with a client application on said client machine; 
 (ii) connect, via a second channel that is separate from said first channel, to said client machine to request authentication information; 
 (iii) receive, via said second channel, said authentication information; 
 (iv) validate, based on said authentication information, said request, and 
   (b) a client machine configured to:
 (i) collect said authentication information
 wherein said authentication information is associated with a component of the system selected from the group consisting of: 
 (A) said request; and 
 (B) said client application, and 
 wherein said authentication information is collected independently of interaction with said client application. 
 
   
     
     
         2 . The system of  claim 1  wherein said server machine is further configured to effect a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation. 
     
     
         3 . The system of  claim 1  wherein said request is for access credentials to network resources or other server machines. 
     
     
         4 . The system of  claim 1  wherein said server machine is further configured to:
 (v) initiate a transmission, in response to said request from the client machine, of an authentication agent to said client machine; and 
 (vi) receive said authentication information from said authentication agent. 
 
     
     
         5 . The system of  claim 1  wherein said server machine is further configured to receive said authentication information from an authentication agent selected from the group consisting of:
 (a) an agent pre-installed on said client machine; 
 (b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and 
 (c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine. 
 
     
     
         6 . The system of  claim 1  wherein said authentication information is provided by an operating system of said client machine. 
     
     
         7 . The system of  claim 1  wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application. 
     
     
         8 . The system of  claim 1  wherein said authentication information is provided from one or more query responses to one or more corresponding queries to components of said client machine other than said client application. 
     
     
         9 . A system for authentication comprising:
 (a) a server machine configured to:
 (i) receive, via a first channel, a request from a client machine, said request associated with a client application on said client machine; 
 (ii) receive, via a second channel that is separate from said first channel, authentication information;
 wherein said authentication information is associated with a component of the system selected from the group consisting of: 
 (A) said request; and 
 (B) said client application, and 
 wherein said authentication information is collected independently of interaction with said client application. 
 
   
     
     
         10 . The system of  claim 9  wherein said server machine is further configured to
 (iii) connect, via said second channel, between said server machine and said client. 
 
     
     
         11 . The system of  claim 9  wherein said server machine is further configured to connect from said server machine to said client machine via said second channel to request said authentication information. 
     
     
         12 . The system of  claim 9  wherein said server machine is further configured to effect a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation 
     
     
         13 . The system of  claim 9  wherein said request is for access credentials to network resources or other server machines. 
     
     
         14 . The system of  claim 9  wherein said server machine is further configured to:
 (iii) initiate a transmission, in response to said request from the client machine, of an authentication agent to said client machine; and 
 (iv) receive said authentication information from said authentication agent. 
 
     
     
         15 . The system of  claim 9  wherein said server machine is further configured to receive said authentication information from an authentication agent selected from the group consisting of:
 (a) an agent pre-installed on said client machine; 
 (b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and 
 (c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine. 
 
     
     
         16 . The system of  claim 9  wherein said authentication information is provided by an operating system of said client machine. 
     
     
         17 . The system of  claim 9  wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application. 
     
     
         18 . The system of  claim 9  wherein said server machine is further configured to validate, based on said authentication information, said request. 
     
     
         19 . A system for authentication comprising:
 (a) a client machine configured to collect authentication information for authenticating a request sent from a client application,
 (i) wherein said client machine is configured to send said request via a first channel; 
 (ii) wherein said client machine is configured to send said authentication information via a second channel; 
 (iii) wherein said authentication information is associated with a component of the system selected from the group consisting of:
 (A) said request sent from said client machine; and 
 (B) said client application on said client machine, and 
 
 (iv) wherein said authentication information is collected independent of interaction with said client application. 
   
     
     
         20 . The system of  claim 19  wherein authentication information is collected by an authentication agent selected from the group consisting of:
 (a) an agent pre-installed on said client machine; 
 (b) an agent transmitted to and executed on said client machine, following a connection from a server machine to said client machine, said agent remaining on said client machine after said agent sends said authentication information to said server machine; and 
 (c) an agent transmitted to and executed on said client machine, following a connection from a server machine to said client machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine. 
 
     
     
         21 . The system of  claim 19  wherein said authentication information is provided by an operating system of said client machine. 
     
     
         22 . The system of  claim 19  wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application. 
     
     
         23 . The system of  claim 19  wherein said authentication information is provided from one or more query responses to one or more corresponding queries to components of said client machine other than said client application 
     
     
         24 . The system of  claim 19  wherein said request is for access credentials to network resources or other server machines. 
     
     
         25 . A method for authentication comprising the steps of:
 (a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine;   (b) connecting, via a second channel that is separate from said first channel, between said server machine and said client machine;   (c) collecting said authentication information on said client machine;   (d) sending said authentication information from said client machine via said second channel to said server machine; and   (e) receiving at said server machine, via said second channel, authentication information from said client machine,
 wherein said authentication information is associated with a component of the system selected from the group consisting of:
 (i) said request; and 
 (ii) said client application, and 
 
 wherein said authentication information is collected independently of interaction with said client application. 
   
     
     
         26 . The method of  claim 25  wherein connecting is from said server machine to said client machine to request said authentication information. 
     
     
         27 . The method of  claim 25  further including the step of:
 (f) effecting a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation. 
 
     
     
         28 . The method of  claim 25  wherein said request is for access credentials to network resources or other server machines. 
     
     
         29 . The method of  claim 25  further including the step of:
 (f) initiating a transmission, in response to said receiving of said request from the client machine, of an authentication agent to said client machine;
 wherein said receiving of said authentication information is from said authentication agent. 
 
 
     
     
         30 . The method of  claim 25  wherein receiving said authentication information is from an authentication agent selected from the group consisting of:
 (a) an agent pre-installed on said client machine; 
 (b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and 
 (c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine. 
 
     
     
         31 . The method of  claim 25  wherein said authentication information is provided by an operating system of said client machine. 
     
     
         32 . The method of  claim 25  wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application. 
     
     
         33 . The method of  claim 25  further including the step of:
 (f) validating said request based on said authentication information. 
 
     
     
         34 . A method for authentication comprising the steps of:
 (a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine; and   (b) receiving at said server machine, via a second channel that is separate from said first channel, from said client machine, authentication information;
 wherein said authentication information is associated with a component of the system selected from the group consisting of:
 (i) said request; and 
 (ii) said client application, and 
 
 wherein said authentication information is collected independently of interaction with said client application. 
   
     
     
         35 . The method of  claim 34  further including the step of:
 (c) connecting, via said second channel, between said server machine and said client machine. 
 
     
     
         36 . The method of  claim 35  wherein connecting is from said server machine to said client machine to request said authentication information. 
     
     
         37 . The method of  claim 34  further including the step of:
 (c) effecting a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation. 
 
     
     
         38 . The method of  claim 34  wherein said request is for access credentials to network resources or other server machines. 
     
     
         39 . The method of  claim 34  further including the steps of:
 (c) initiating a transmission, in response to said receiving of said request from the client machine, of an authentication agent to said client machine; and 
 (d) receiving said authentication information from said authentication agent. 
 
     
     
         40 . The method of  claim 34  wherein receiving said authentication information is from an authentication agent selected from the group consisting of:
 (a) an agent pre-installed on said client machine; 
 (b) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent remaining on said client machine after said agent transmits said authentication information to said server machine; and 
 (c) an agent transmitted to and executed on said client machine, following said connection from said server machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine. 
 
     
     
         41 . The method of  claim 34  wherein said authentication information is provided by an operating system of said client machine. 
     
     
         42 . The method of  claim 34  wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application. 
     
     
         43 . The method of  claim 34  further including the step of: validating said request based on said authentication information. 
     
     
         44 . A method for authentication comprising the steps of:
 (a) sending a request from a client application on a client machine via a first channel to a server machine; and   (b) sending authentication information from said client machine via a second channel to said server machine,
 wherein said authentication information is associated with a component selected from the group consisting of:
 (i) said request; and 
 (ii) said client application, and 
 
 wherein said authentication information is collected independent of interaction with said client application. 
   
     
     
         45 . The method of  claim 44  wherein said authentication information is provided by an authentication agent selected from the group consisting of:
 (a) an agent pre-installed on said client machine; 
 (b) an agent transmitted to and executed on said client machine, following a connection from said server machine to said client machine, said agent remaining on said client machine after said agent sends said authentication information to said server machine; and 
 (c) an agent transmitted to and executed on said client machine, following a connection from said server machine to said client machine, said agent removed from said client machine after said agent transmits said authentication information to said server machine. 
 
     
     
         46 . The method of  claim 44  wherein said authentication information is provided by an operating system of said client machine. 
     
     
         47 . The method of  claim 44  wherein said authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with said client application. 
     
     
         48 . The method of  claim 44  wherein said authentication information is provided from one or more query responses to one or more corresponding queries to components of said client machine other than said client application. 
     
     
         49 . The method of  claim 44  wherein said request is for access credentials to network resources or other server machines. 
     
     
         50 . A computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code comprising program code for:
 (a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine;   (b) connecting, via a second channel that is separate from said first channel, between said server machine and said client machine;   (c) collecting said authentication information on said client machine;   (d) sending said authentication information from said client machine via said second channel to said server machine; and   (e) receiving at said server machine, via said second channel, authentication information from said client machine,
 wherein said authentication information is associated with a component of the system selected from the group consisting of:
 (i) said request; and 
 (ii) said client application, and 
 
 wherein said authentication information is collected independently of interaction with said client application. 
   
     
     
         51 . A computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code comprising program code for:
 (a) receiving at a server machine, via a first channel, a request from a client machine, said request associated with a client application on said client machine; and   (b) receiving at said server machine, via a second channel that is separate from said first channel, from said client machine, authentication information;
 wherein said authentication information is associated with a component of the system selected from the group consisting of:
 (i) said request; and 
 (ii) said client application, and 
 
 wherein said authentication information is collected independently of interaction with said client application. 
   
     
     
         52 . A computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code comprising program code for:
 (a) sending a request from a client application on a client machine via a first channel to a server machine; and   (b) sending authentication information from said client machine via a second channel to said server machine,
 wherein said authentication information is associated with a component selected from the group consisting of:
 (i) said request; and 
 (ii) said client application, and 
 
 wherein said authentication information is collected independent of interaction with said client application.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.