Patent Grant
7685630
The present invention relates to authentication in a computing environment. More specifically, the invention relates to providing scalable authentication in a distributed computing environment.
In a large collaboration conducted via computers connected to networks, such as a webinar or on-line meeting, ensuring end-to-end security requires that each end-user (participant) be authenticated in an end-to-end fashion. The authentication cannot be done by the underlying infrastructure otherwise the end-users must trust the underlying infrastructure which is usually operated by a third party. This leads to the problem of scalability since one participant's computer resources are usually insufficient to authenticate a large number of participants in a reasonable amount of time.
In one aspect, the invention prevents overloading of any participant's computer due to authentication. To achieve this multiple endpoints are designated as authenticators and requests for authentication are load balanced amongst the authenticators. Some of the advantages include, but are not limited to, preventing the overloading of any authenticator, and preventing the overloading of the infrastructure of the distributed computing system. Additionally, authentication is nearly as fast as the underlying protocol used for end-to-end authentication. The invention supports using secure authentication protocols such as Secure Remote Password (SRP). Also, in some embodiments authenticators are protected from denial of service attacks via authentication.
In one embodiment, the invention features a method of authenticating a plurality of users for access to an on-line group activity. The method includes assigning a first authenticator for the on-line group activity and promoting another member of the plurality of users to an authenticator after being authenticated by the first authenticator.
In one embodiment, promoting includes determining that more authenticators are needed and promoting one of the plurality of users in response to that determination. In further embodiments, the determinations occurs on at least one of a periodic basis or at a random time interval.
In additional embodiments, the determination that one or more authenticators are needed includes determining that the number of authenticators does not exceed a predetermined threshold. In yet another embodiment, the determination that one or more authenticators are needed includes determining that the number of authenticators is less than a ratio of authenticators to the number of participants or the number of members of the on-line group activity requesting authentication by the first authenticator exceeds a predetermined threshold.
In still another embodiment, determining occurs responsive to an event. Examples of events include the addition of a participant and authenticator transitioning to an idle status.
In other embodiment, the promoting occurs when the number of members of the on-line group activity requesting authentication by the first authenticator exceeds a predetermined threshold. In some embodiments promoting includes selecting a random one of the members authenticated by the first authenticator, sending a message to a plurality of the users and promoting the first user to respond to the message, and sending a message to a plurality of the user and promoting the last user to respond to the message.
In another aspect, the invention features a system for authenticating a plurality of users for access to an on-line group activity The system includes a server and a promoter. The server assigns a first authenticator for the on-line group activity. The authenticator is one of the plurality of users. The promoter promotes another member of the plurality of users to an authenticator after being authenticated by the first authenticator.
The foregoing discussion will be understood more readily from the following detailed description of the invention, when taken in conjunction with the accompanying drawings, in which:
With reference to
The participant 110 can be any personal computer, server, Windows-based terminal, network computer, wireless device, information appliance, RISC Power PC, X-device, workstation, minicomputer, personal digital assistant (PDA), main frame computer, cellular telephone or other computing device that provides sufficient faculties to execute participant software and an operating system. Participant software executing on the participant 110 provides, alone or in combination with other software modules, the ability to determine, by a participant, which authenticator to authenticate against, determine that there is a sufficient number of authenticators are present within the distributed computing environment 100 and determine which participant 100 to make an authenticator.
The server 150 can be any type of computing device that is capable of communication with one or more participants 110. For example, the server 150 can be a traditional server computing device, a web server, an application server, a DNS server, or other type of server. In addition, the server 150 can be any of the computing devices that are listed as participant devices. In addition, the server 150 can be any other computing device that provides sufficient faculties to execute server software and an operating system. Server software executing on the server 150 provides the functionality, alone or in combination with other software modules, the ability determine that there is a sufficient number of authenticators are present within the distributed computing environment 100 and determine which participant 100 to make an authenticator.
The network 140 can be a local-area network (LAN), a medium-area network (MAN), or a wide area network (WAN) such as the Internet or the World Wide Web. In another embodiment, the network 140 can be a peer-to-peer network or an ad-hoc wireless network. Users of the participants 110 connect to the network 140 via communications link 120 using any one of a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections. The connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, and direct asynchronous connections).
In other embodiments, the participants 110 communicate with the server 150 through a second network 140′, through a communication link 180 that connects network 140 to the second network 140′. The protocols used to communicate through communications link 180 can include any variety of protocols used for long haul or short transmission. For example, TCP/IP, IPX, SPX, NetBIOS, NetBEUI, SONET and SDH protocols. The combination of the networks 140, 140′ can be conceptually thought of as the Internet. As used herein, Internet refers to the electronic communications network that connects computer networks and organizational computer facilities around the world.
The participants 110 can communicate directly with each other in a peer-to-peer fashion or through the server 150. For example, in some embodiments a communication server 150 facilitates communications among the participants 110. The server 150 provides a secure channel using any number of encryption schemes to provide secure communications among the participants. In one embodiment, different channels carry different types of communications among the participants 110 and the server 150. For example in an on-line meeting environment, a first communication channel carries screen data from a presenting participant 110 to the server 150, which, in turn, distributes the screen data to the other participants 110. A second communications channel is shared, as described in more detail below, to provide real-time, low-level or low-bandwidth communications (e.g., chat information, electronic business cards, contact information, and the like) among the participants.
The participant software 212 is in communication with various components (e.g., the operating system 208) of the participant 110. As a general overview, the participant software 212 promotes other participants to authenticators. In some embodiments, the participant software 212 determines if additional authenticators are needed and determines which other participant to promote as an authenticator. In other embodiments, the participant software determines which authenticator to authenticate against and performs the authentication process. Additionally, the participant software 212 provides denial of service (DOS) protection for an authenticator. The participant software 212 limits the number of concurrent authentication requests an authenticator can service.
With reference to
The server software 312 is in communication with various components (e.g., the operating system 308) of the server 150 to provide features of the invention. As a general overview, the server software 312 determines the first authenticator. In some embodiments, the server software 312 can also determine if additional authenticators are needed.
With reference to
With reference to
Still referring to
In one embodiment, the participant 110 receives (STEP 520) the list of known authenticators from the server 150. In another embodiment, from another one of the participants 110 of the on-line meeting. In yet another embodiment, the participant 110 receives the list of know authenticators from a designated holder of the list.
In one embodiment, the participant 110 selects (STEP 530) a random one of the authenticators in the list to authenticate against to gain access to the online meeting. In another embodiment, the participant 110 uses a deterministic approach to select which authenticator to authenticate against. For example, an algorithm which load balances amongst the available authenticators, such as choosing the kth authenticator (arranged in ParticipantId order), where k represents the ParticipantId of the participant 110 modulo with the total number of available authenticators. Expressed mathematically, the equation can be represented as chosen authenticator=((participantID) mod (total number of authenticators)).
In another embodiment, the participant 110 “pings” a number of authenticators and chooses the one that responds the quickest to authenticate against. In another embodiment, the participant 110 starts authenticating concurrently to multiple authenticators, and stop once any one of the authenticators authenticates the participant 110.
If the authentication process does not complete for any number of reasons (e.g., a time-out occurs and the like), the participant 110 can choose (STEP 540) another authenticator to authenticate against. In one embodiment, the first authenticator is marked as unable to authenticate and is excluded from the selection of the next authenticator to authenticate against. In one embodiment, a random one of the authenticators in the list is selected to authenticate against to gain access to the online meeting. In another embodiment, the participant 110 uses a deterministic approach to select which authenticator to authenticate against. In another embodiment, the participant 110 “pings” a number of authenticators and chooses the one that responds the quickest to authenticate against. In another embodiment, the participant 110 starts authenticating concurrently to multiple authenticators, and stop once any one of the authenticators authenticates the participant 110.
With reference to
In one embodiment, a list of authenticators is kept by one or more participants 110 or the server 150 and used to determine (STEP 610) the actual number of authenticators present in the distributed computing environment 100. In another embodiment, a running total of the number authenticators of the distributed computing environment 100 is kept by at least one of the participants 110.
In one embodiment, determining (STEP 620) who promoted the participant 110 occurs by storing data about the promotion process. For example, when a participant 110 becomes an authenticator and is added to the list of authenticators data describing who authorized or promoted the authenticator is stored in the list as well. In another embodiment, a separate list of the authenticators that promoted or authorized the promotion of a participant 110 is kept.
Various method can be applied to determine (STEP 630) that there are enough authenticators. In one embodiment, it is assumed that there is never enough authenticators in the distributed computing environment 100; therefore, each participant 110 is promoted to an authenticator to ensure that there is the maximum number of authenticators. In another embodiment, the happening of an event triggers the determination (STEP 630) if there is a sufficient number of authenticators. Examples of events can include, but are not limited to, the addition of a participant, the subtraction of an authenticator, the completion of a participant 110 being authenticated, an authenticator leaving the on-line activity, and an authenticator's status transitioning to idle.
In some embodiments, each time there is an event each participant 110 is required execute a test to determine if there is a sufficient number of authenticators. In another embodiment, only a subset of the participants 110 makes the determination. One method to ensure a portion of the participants 110 performs the determination is to use a fractional subset selection algorithm. The algorithm guarantees that only a fraction of the participants 110 performs the test. In one embodiment, the algorithm includes choosing a random number, by each participant 110, on the interval [0,1] of the real line. If the chosen number is less than a static threshold or a dynamic threshold then the participant 110 performs the test. This ensures that only a fraction of the participants 110 perform the test. In other words, this algorithm provides for the selection of a fraction (on average) of a set of participants 110 by running a local algorithm at each participant 110.
In yet another embodiment, the determining (STEP 630) that there is a sufficient number of authenticators is done on a periodic basis by at least one participant 110. In one embodiment, only a single participants 110 performs the determination each time period. For example, assume that the required number of authenticators is given by the following pseudo code:
Where size is equal to the number of active participants 110.
Using a polling algorithm which helps reduce the load on the infrastructure of the distributed computing environment 110 by ensuring that on average only one authenticator out of the set of authenticators performs the determination that there is a sufficient number of authenticators every “TestInterval” amount of time. In one embodiment, the polling algorithm is specified as follows: Poll(NumPollers, TestInterval, TestAndDesignate( )).
Referring back to
In another embodiment, the authenticators 110 “pings” a number of participants 110 and chooses the participant 110 that responds the quickest to promote to authenticator. In another embodiment, the authenticator starts promoting multiple participants 110 concurrently, and stop once any one of the participants 110 completes the promotion setup.
One exemplary implementation of the described invention is used in an on-line collaboration product to perform on-line meetings or webinars. An on-line meeting consists of one or more participants 110 that communicate through a communication server 150. It should be understood that multiple communications server 150 can used if the number of participants 110 (also referred to a first organizer, which is the participant authorized to create and/or start a meeting) require more than a single communication server 150. In an webinar, the first participant 110 to join the webinar is designated as an authenticator by the server 150. As additional participants 110 request authentication to attend the webinar, the authentication requests are serviced by the first participant 110. As the number of requests for authentication grows, additional participants 110 that were previously authenticated are promoted to authenticators using the above-described principles.
There are numerous on-line collaboration products that can operate in the distributed computing environment 100. Exemplary products include, but are not limited to GOTOMEETING and GOTOWEBINAR offered by Citrix Online, LLC of Santa Barbara Calif. Certain aspects and features described below can be embodied in such a product. Other products include WEBEX EMX, WEBEX ENTERPRISE EDITION, WEBEX EVENT CENTER, WEBEX GLOBALWATCH, WEBEX MEETING CENTER, WEBEX MEETMENOW, WEBEX PRESENTATION STUDIO, WEBEX SALES CENTER, WEBEX TRAINING CENTER, WEBEX WEBOFFICE, AND WEBEX WORKSPACE offered by WebEx Communications, Inc. of Santa Clara Calif. Also included is LIVEMEETING offered by Microsoft Corporation of Redmond, Wash.
The previously described embodiments may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof. The term “article of manufacture” as used herein is intended to encompass code or logic accessible from and embedded in one or more computer-readable devices, firmware, programmable logic, memory devices (e.g., EEPROMs, ROMs, PROMs, RAMs, SRAMs, etc.), hardware (e.g., integrated circuit chip, Field Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), etc.), electronic devices, a computer readable non-volatile storage unit (e.g., CD-ROM, floppy disk, hard disk drive, etc.), a file server providing access to the programs via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc. The article of manufacture includes hardware logic as well as software or programmable code embedded in a computer readable medium that is executed by a processor. Of course, those skilled in the art will recognize that many modifications may be made to this configuration without departing from the scope of the present invention.
Although the present invention has been described with reference to specific details, it is not intended that such details should be regarded as limitations upon the scope of the invention, except as and to the extent that they are included in the accompanying claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4736369 | Barzilai et al. | Apr 1988 | A |
| 5455953 | Russell | Oct 1995 | A |
| 5491750 | Bellare et al. | Feb 1996 | A |
| 5557748 | Norris | Sep 1996 | A |
| 5564016 | Korenshtein | Oct 1996 | A |
| 5586260 | Hu | Dec 1996 | A |
| 5644720 | Boll et al. | Jul 1997 | A |
| 5671354 | Ito et al. | Sep 1997 | A |
| 5689708 | Regnier et al. | Nov 1997 | A |
| 5745573 | Lipner et al. | Apr 1998 | A |
| 5774660 | Brendel et al. | Jun 1998 | A |
| 5787175 | Carter | Jul 1998 | A |
| 5794207 | Walker et al. | Aug 1998 | A |
| 5812784 | Watson et al. | Sep 1998 | A |
| 5864678 | Riddle | Jan 1999 | A |
| 5938733 | Heimsoth et al. | Aug 1999 | A |
| 5951694 | Choquier et al. | Sep 1999 | A |
| 5958009 | Friedrich et al. | Sep 1999 | A |
| 5987611 | Freund | Nov 1999 | A |
| 6023722 | Colyer et al. | Feb 2000 | A |
| 6038596 | Baldwin et al. | Mar 2000 | A |
| 6055564 | Phaal | Apr 2000 | A |
| 6058480 | Brown | May 2000 | A |
| 6199113 | Alegre et al. | Mar 2001 | B1 |
| 6256739 | Skopp et al. | Jul 2001 | B1 |
| 6266418 | Carter et al. | Jul 2001 | B1 |
| 6272632 | Carman et al. | Aug 2001 | B1 |
| 6308281 | Hall, Jr. et al. | Oct 2001 | B1 |
| 6393484 | Massarani | May 2002 | B1 |
| 6523027 | Underwood | Feb 2003 | B1 |
| 6567813 | Zhu et al. | May 2003 | B1 |
| 6601233 | Underwood | Jul 2003 | B1 |
| 6606708 | Devine et al. | Aug 2003 | B1 |
| 6606744 | Mikurak | Aug 2003 | B1 |
| 6609128 | Underwood | Aug 2003 | B1 |
| 6629081 | Cornelius et al. | Sep 2003 | B1 |
| 6633878 | Underwood | Oct 2003 | B1 |
| 6671818 | Mikurak | Dec 2003 | B1 |
| 6691232 | Wood et al. | Feb 2004 | B1 |
| 6704873 | Underwood | Mar 2004 | B1 |
| 6711409 | Zavgren et al. | Mar 2004 | B1 |
| 6718535 | Underwood | Apr 2004 | B1 |
| 6826696 | Chawla et al. | Nov 2004 | B1 |
| 6850252 | Hoffberg | Feb 2005 | B1 |
| 7035240 | Balakrishnan et al. | Apr 2006 | B1 |
| 7051036 | Rosnow et al. | May 2006 | B2 |
| 7065500 | Singh et al. | Jun 2006 | B2 |
| 7069234 | Cornelius et al. | Jun 2006 | B1 |
| 7100195 | Underwood | Aug 2006 | B1 |
| 7124101 | Mikurak | Oct 2006 | B1 |
| 7130807 | Mikurak | Oct 2006 | B1 |
| 7167844 | Leong et al. | Jan 2007 | B1 |
| 7225244 | Reynolds et al. | May 2007 | B2 |
| 7231657 | Honarvar et al. | Jun 2007 | B2 |
| 20020055989 | Stringer-Calvert et al. | May 2002 | A1 |
| 20020129134 | Leighton et al. | Sep 2002 | A1 |
| 20020129135 | Delany et al. | Sep 2002 | A1 |
| 20020143944 | Traversat et al. | Oct 2002 | A1 |
| 20020198992 | Stutz et al. | Dec 2002 | A1 |
| 20040073512 | Maung | Apr 2004 | A1 |
| 20040111639 | Schwartz et al. | Jun 2004 | A1 |
| 20040264697 | Gavrilescu et al. | Dec 2004 | A1 |
| Number | Date | Country |
|---|---|---|
| 1351467 | Oct 2003 | EP |
| 1385311 | Jan 2004 | EP |
| WO-9935783 | Jul 1999 | WO |
| WO-03050706 | Jun 2003 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20070261101 A1 | Nov 2007 | US |
