Systems and methods for utilizing client side authentication to select services available at a given port number
US-9667619-B1 · May 30, 2017 · US
Systems and methods for utilizing client side authentication to select services available at a given port number
US10645119B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10645119-B2 |
| Application number | US-201715802104-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 2, 2017 |
| Priority date | Oct 14, 2016 |
| Publication date | May 5, 2020 |
| Grant date | May 5, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the service(s) available at a given port number on a client by client basis, enabling access to service(s) for trusted clients unavailable to untrusted clients. Preferably, client trust is based on client authentication via a certificate and a valid, signed transport layer security (TLS) handshake (or similar mechanism in other protocol contexts). In some embodiments, an authorization step can be added following authentication. The systems and methods disclosed herein find wide uses in bundling services on ports, as well as protecting access to services from untrusted and/or malicious clients, among others.
First claim
Opening claim text (preview).
The invention claimed is: 1. A method performed by a host computer, the host computer comprising circuitry forming at least one processor and memory storing computer instructions for execution by the at least one processor to provide (i) a plurality of services to clients, the plurality of services including a first service and a second service, and to provide (ii) an operating system that manages network traffic between clients and the host computer, the network traffic comprising transport layer protocol messages, the method comprising: receiving a first set of one or more transport layer messages from a client specifying a particular destination port number that is assigned to a first service, the first set of one or more transport layer messages including a certificate associated with an end-user of the client; attempting to authenticate the certificate and authorize the user for a second service different than the first service and unassigned to the particular destination port number; based at least in part on the successful authentication and authorization, providing the second service to the client, wherein providing the first service comprises sending the client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number; based at least in part on any of: a failed attempt to authenticate and a failed attempt to authorize, providing the first service to the client, wherein providing the first service comprises sending the client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number. 2. The method of claim 1 , further comprising: based at least in part on any of: a failed attempt to authenticate and a failed attempt to authorize, responding to one or more client requests for the second service with any of: an error message and no response. 3. The method of claim 1 , wherein each of the first and second services is an enterprise service. 4. The method of claim 3 , wherein an enterprise service comprises any of: a VPN service, an IMAP service, an XMPP service, and a Chat service. 5. An apparatus, comprising: a host computer comprising circuitry forming a processor and memory storing computer instructions for execution by the at least one processor to provide (i) a plurality of services to clients, the plurality of services including a first service and a second service, and to provide (ii) an operating system that manages network communication traffic between clients and the host computer, the network communication traffic comprising transport layer protocol messages, the computer instructions comprising instructions that when executed cause the host computer to: receive a first set of one or more transport layer messages from a client specifying a particular destination port number that is assigned to a first service, the first set of one or more transport layer messages including a certificate associated with an end-user of the client; attempt to authenticate the certificate and authorize the user for a second service different than the first service and unassigned to the particular destination port number; based at least in part on the successful authentication and authorization, provide the second service to the client, wherein providing the first service comprises sending the client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number; based at least in part on any of: a failed attempt to authenticate and a failed attempt to authorize, provide the first service to the client, wherein providing the first service comprises sending the client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number. 6. The apparatus of claim 5 , the computer instructions further comprising instructions that when executed cause the host computer to: based at least in part on any of: a failed attempt to authenticate and a failed attempt to authorize, respond to one or more client requests for the second service with any of: an error message and no response. 7. The apparatus of claim 5 , wherein each of the first and second services is an enterprise service. 8. The apparatus of claim 7 , wherein an enterprise service comprises any of: a VPN service, an IMAP service, an XMPP service, and a Chat service.
Assignees
Inventors
Classifications
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
- H04L63/166Primary
at the transport layer · CPC title
Virtual private networks · CPC title
Interlayer communication protocols or service data unit [SDU] definitions; Interfaces between layers · CPC title
involving adaptations of sockets based mechanisms (secure socket layer H04L63/168) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10645119B2 cover?
- Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the …
- Who is the assignee on this patent?
- Akamai Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/166. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 05 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).