US10110585B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10110585-B2 |
| Application number | US-201615396474-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 31, 2016 |
| Priority date | Dec 31, 2016 |
| Publication date | Oct 23, 2018 |
| Grant date | Oct 23, 2018 |
Abstract:
A zero-trust network and methods of using same are disclosed. The network includes a plurality of nodes, some of which are user devices, such as mobile phones, some of which are computer servers. One or more of the nodes includes a directory system. When a server receives an access request by a user device or other node, the directory system is notified of the request. The directory system will contact a number of randomly selected nodes, and if any one of the nodes does not recognize the requesting device, the requesting device will be denied access. If every queried node is able to authenticate the requesting device, the directory system creates a session for the first device to access the server. The directory system can grant access by providing the server and device reciprocating keys. After the session ends, the accessed node is assigned a new identifier.
Claims (preview):
The invention claimed is:

1. A zero-trust network system, comprising: a plurality of nodes, the plurality of nodes including: a plurality of user devices; a plurality of servers; one or more directory servers, the one or more directory servers including a first directory server; and one or more monitor servers, the one or more monitor servers comprising a first monitor server, wherein the first directory server is configured to receive, from a first node, a first request for access to a second node, wherein the first directory server is further configured to, upon receipt of the first request from the first node, send validation requests to at least three randomly selected nodes from amongst a plurality of remaining nodes of the plurality of nodes unless prevented from doing so by the first monitor server based on a determination that no event necessitating the validation requests was previously logged, wherein each of the at least three randomly selected nodes is configured to determine the authenticity of the first node and each other node of the at least three randomly selected nodes, responsive to receipt of a validation request sent to each of the at least three randomly selected nodes by the first directory server, wherein each of the at least three randomly selected nodes is further configured to send a validation message to the first directory server upon such determination, within a predetermined time, and wherein the first directory server is further configured to deny the first node access to the second node in an event that the first directory server does not receive a validation message from each of the at least three randomly selected nodes within the predetermined time.

2. The zero-trust network system of claim 1, wherein the at least three randomly selected nodes include at least one user device requiring entry of authenticating information via a physical interface, and at least two servers.

3. The zero-trust network system of claim 1, wherein the first directory server is further configured to confirm that the at least three randomly selected nodes are connected in a live shared session until the predetermined time has elapsed.

4. The zero-trust network system of claim 3, wherein the first directory server is further configured to cause the at least three randomly selected nodes to cease validating the first node in an event one or more of the at least three randomly selected nodes becomes disconnected from the first directory server, disconnected from one or more other nodes of the at least three randomly selected nodes, or both.

5. The zero-trust network system of claim 1, wherein the first monitor server is further configured, upon such denial of access, to log the denial.

6. The zero-trust network system of claim 1, wherein the first directory server is further configured to enable the first node to access the second node in an event the first directory server receives a validation message from each of the at least three randomly selected nodes within the predetermined time.

7. The zero-trust network system of claim 6, wherein the first directory server being configured to enable the first node to access the second node comprises the first directory server being configured to provide a token to the first node which, upon acceptance of the token by the second node, allows the first node to access the second node during a single session that lasts no longer than a second predetermined amount of time, the single session being impossible to recreate.

8. The zero-trust network system of claim 7, wherein the first monitor server is further configured to monitor the single session, wherein the first monitor server being configured to monitor the single session includes the first monitor server being configured to ensure that the single session complies with rules associated with the token, the rules comprising a rule that the single session end after a set time.

9. The zero-trust network system of claim 8, wherein the second node has an identifier, and wherein the first monitor server is further configured to notify the first directory server when the single session ends, wherein the first directory server is further configured to, responsive to such notification, cause the second node to change the second node's identifier, and wherein the first directory server is further configured to update information in a central director and notify the plurality of remaining nodes of the new identifier.

10. The zero-trust network system of claim 1, wherein at least one of the at least three randomly selected nodes is configured to instantiate a second directory server upon receipt of a validation request from the first directory server.

11. The zero-trust network system of claim 1, wherein the first directory server is further configured to quarantine the first node in an event that the first directory server does not receive a verification notice from each of the at least three randomly selected nodes within the predetermined time.

12. A method of managing a zero-trust network system, the method comprising: receiving, at a first directory server, a request from a first node to access a second node; sending, by the first directory server, validation requests to at least three randomly selected nodes from amongst a plurality of remaining nodes, upon receipt of the request from the first node, unless the first directory server is prevented from doing so by a first monitoring server based on a determination that no event necessitating the validation requests was previously logged; and denying, by the first directory server, the first node access to the second node, in an event the first directory server does not receive a validation message from each of the at least three randomly selected nodes within a predetermined time, wherein each of the at least three randomly selected nodes is configured to determine the authenticity of the first node and each other node of the at least three randomly selected nodes responsive to receipt of a validation request sent to each of the at least three randomly selected nodes by the first directory server, and wherein each of the at least three randomly selected nodes is configured to send a validation message to the first directory server upon such determination, within the predetermined time.

13. The method of claim 12, wherein the at least three randomly selected nodes include at least one user device requiring entry of authenticating information via a physical interface, and at least two servers.

14. The method of claim 12, further comprising confirming, by the first directory server, that the at least three randomly selected nodes are connected in a live, shared session until the predetermined time has elapsed.

15. The method of claim 14, further comprising causing, by the first directory server, the at least three randomly selected nodes to cease validating the first node in an event one or more of the at least three randomly selected nodes becomes disconnected from the first directory server, disconnected from one or more other nodes of the at least three randomly selected nodes, or both.

16. The method of claim 12, further comprising logging, by the first monitoring system, a denial of access.

17. The method of claim 12, further comprising enabling, by the first directory server, the first node to access the second node in an event the first directory server receives a validation message from each of the at least three randomly selected nodes within the predetermined time.

18. The method of claim 17,
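The access flow described in the abstract and in claims 1, 5, 6, 7 and 9, as an added Python simulation that is not code from the patent or any product: the directory server samples at least three of the remaining nodes, denies access (and logs the denial for the monitor server) unless every sampled node recognises both the requester and its fellow validators within the deadline, otherwise issues a single-use session token, and rotates the accessed node's identifier and notifies the other nodes when the session ends. The `latency` attribute, the `#`-suffixed identifiers, the in-memory monitor log and the omission of the monitor server's "no event logged" override are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Node:
    """A network node; `known` holds the identifiers it can authenticate."""
    node_id: str
    known: set = field(default_factory=set)
    latency: float = 0.1  # seconds until its validation message arrives (constructed)

    def validate(self, requester, peers):
        """True only if this node recognises the requester and every other selected validator."""
        return requester in self.known and all(p in self.known for p in peers)

class DirectoryServer:
    def __init__(self, nodes, validators=3, deadline=1.0, rng=None, monitor_log=None):
        self.nodes = {n.node_id: n for n in nodes}
        self.validators, self.deadline = validators, deadline
        self.rng = rng or secrets.SystemRandom()
        self.monitor_log = [] if monitor_log is None else monitor_log  # stands in for the monitor server
        self.sessions = {}

    def handle_request(self, first, second):
        """Return a single-use session token, or None when access is denied (denials are logged)."""
        remaining = [n for n in self.nodes.values() if n.node_id not in (first, second)]
        if len(remaining) < self.validators:
            self.monitor_log.append(("deny", first, second, "too few nodes to validate"))
            return None
        selected = self.rng.sample(remaining, self.validators)
        for v in selected:
            peers = [p.node_id for p in selected if p is not v]
            # a late or negative validation message counts as no message within the deadline
            if v.latency > self.deadline or not v.validate(first, peers):
                self.monitor_log.append(("deny", first, second, v.node_id))
                return None
        token = secrets.token_hex(16)
        self.sessions[token] = (first, second)
        return token

    def end_session(self, token):
        """Close the session, give the accessed node a fresh identifier and tell the other nodes."""
        _, second = self.sessions.pop(token)
        node = self.nodes.pop(second)
        node.node_id = f"{second.split('#')[0]}#{secrets.token_hex(4)}"
        self.nodes[node.node_id] = node
        for other in self.nodes.values():
            if other is not node:  # refresh every other node's directory entry
                other.known.discard(second)
                other.known.add(node.node_id)
        return node.node_id
```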
CPC classification titles:

- Termination or inactivation of sessions, e.g. event-controlled end of session
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)
- Arrangements for multi-party communication, e.g. for conferences (data switching systems for conference H04L12/18; arrangements for connecting several subscribers to a common circuit, i.e. affording conference facilities H04M3/56; television conferencing systems H04N7/15)
- including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials}
- for controlling access to devices or network resources