This relates generally to authentication, and more particularly, to secure and automatic configuration of an authentication server with device names and secrets.
An authentication server is a server that provides authentication for various devices. For example, an authentication server may provide authentication for devices on a network. Each device on the network may be assigned a unique name that identifies that device on the network. For authentication purposes, each device may also be assigned a secret (such as a password). Each device may provide its name and secret in order to authenticate itself (i.e., prove that it is in fact the device it purports to be). An authentication server may store the assigned names and secrets of the various devices and use them to determine whether authentications taking place on the network are successful. Authentication servers are generally known in the art. For example, two known types of authentication servers are Remote Authentication Dial In User Service (RADIUS) and DIAMETER servers. RADIUS and DIAMETER are also names of the protocols these servers follow. While RADIUS refers to “Dial In” it is no longer exclusively used for dial in networks and may apply to other types of networks.
As noted above, an authentication server must have the correct name and secret of a device it is to authenticate before it attempts to authenticate it. In many types of networks (such as for example, storage area networks or SANs) the authentication server is loaded with these names and secrets manually (e.g., by a user typing the names and secrets in an authentication server interface). This process can be time consuming, expensive, insecure and susceptible to user errors.
Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files.
In the following description of preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which it is shown by way of illustration specific embodiments in which the invention can be practiced. It is to be understood that other embodiments can be used and structural changes can be made without departing from the scope of the embodiments of this invention.
Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files.
While the following description centers on Fibre Channel (FC) storage area networks, embodiments to the present invention are not limited to these networks. Accordingly, embodiments of the invention can be used in conjunction with other types of storage network such as, for example, iSCSI networks, Fibre Channel over Ethernet (FCoE), serial attached SCSI (SAS) networks, etc. Furthermore, embodiments of the present invention can be used with various non-SAN networks that may use similar authentication mechanisms as the networks discussed above.
A plurality of nodes may be connected to network 100. These can include various types of computers or network enabled electronic devices such as, for example, storage servers and/or redundant array of inexpensive drives (RAID) controllers connected to a storage area network. The nodes can be configured to communicate with each other according to a protocol that may require or allow authentication. For example, in the case of a Fibre Channel network, the nodes can communicate through the Fibre Channel protocol and use the DH CHAP protocol for authentication. In an iSCSI network, the CHAP protocol can be used for authentication. Each node of nodes 102-104 can store a name and secret associated with itself and use it when authenticating itself to other nodes.
Authentication server 105 can be server used to assist nodes 102-104 in authentication. Server 105 can be, for example, a RADIUS or a DIAMETER server. It should be noted that RADIUS and DIAMETER are designations of protocols according to which server 105 can operate, and not designations of specific implementations. For example, there are several different types of RADIUS server software available today from different vendors, such as the Internet Authentication Service provided by Microsoft, Alepo Radius Server, FreeRADIUS, etc. The authentication server 105 can be a generally programmable computer executing an authentication server software (such as one of the software products listed above) or an application specific hardware appliance (such as, for example, the Infoblox RADIUSone). The authentication server may also be implemented at one of the network elements of network 100, such as, for example, as software running at a switch in network 100.
The authentication server may store the names and secrets of the nodes and verify authentications of the nodes. For example, if node 102 needs to authenticate node 103, it can send a challenge to node 103. Node 103 can respond to the challenge with a message including its name and a response that is the results of cryptographic hash of the secret and other values including the challenge value back to node 102. (In some cases, the challenge can include a random number, and node 103 can use the random number in building the response that is a cryptographic hash value (i.e. one way encryption) of the secret before sending it across the network). Node 102 can then send node 103's name and secret to the authentication server 105. The authentication server 105 can check the received name and secret of node 103 against respective values stored in its local database, and determine if there is a match. If there is a match the authentication is successful. If there is no match, the authentication has failed. The authentication server can send a message back to node 102 indicating whether the authentication was successful. Based on this message, node 102 can determine whether node 103 is really the node it purports to be.
Thus, nodes 102-104 can authenticate each other without necessitating that each node store all the authentication data of all other nodes (which would make authentication very insecure). Therefore, nodes 102-104 can be referred to as clients of authentication server 105 and can include hardware or software that performs authentication client functionality according to a relevant protocol (such as, for example, RADIUS or DIAMETER).
Computer 106 may also be connected to network 100. Computer 106 may run an authentication management application 107. Application 107 can be an application that manages the authentication of a set of network connected devices, such as nodes 102-104. The authentication management application may also provide additional network management functionalities and may be referred to as a network management application. Alternatively, computer 106 can be an application specific appliance that is configured to perform the authentication management function.
In some embodiments, the authentication management application 107 may be implemented at one of the network elements of network 100, such as, for example, as software running at a switch in network 100. In some embodiments, the authentication management application may be implemented at the authentication server 105, or may be executed at the same computer as the authentication server.
The authentication management application may obtain the names of the node it manages. It may perform this by using standard discovery protocols of network 100, or it may allow a user to enter the names of the nodes to be managed. Having obtained the names, the authentication management application can assign or otherwise establish secrets to the nodes it manages (i.e., nodes 102-104), and associate each secret with the name of the node it is assigned to. After assigning or establishing the secrets, the authentication management application may send to each node its assigned secret. The secrets may be encrypted during transmission. The authentication management application can assign secrets automatically, by a predefined algorithm by the use of random number generation or other key agreement protocols. Alternatively it may allow a user of the application to enter the secrets. In some embodiments, nodes 102-104 can assign their own secrets and send their secrets to the authentication management application 107 through network 100. The authentication management application may store the secrets assigned to devices 102-104 locally.
In some embodiments, the authentication management application may also perform a policy check of the assigned secrets. In some embodiments, there may exist rules for what types of secrets may be used. These rules may be used to prevent the assignment of “weak” secrets (i.e., secrets or passwords that are easy to compromise). Thus, the rules may specify that the secrets must be of a predefined length, a predefined complexity, that they must exclude dictionary words, etc. If a given secret entered by a user or provided by a node fails the policy check, the authentication management application may refuse to assign that secret and may request the user or the node to provide another secret.
Once the authentication management application has assigned all secrets, it may assemble the secrets and the respective names of their associated nodes in a single data structure (such as, for example, a file) and send them to the authentication server. The authentication server can load the secrets and associated names in its local database and use them for authentication of nodes 102-104 as discussed above. In order to send the file of names and secrets to the authentication server, the authentication management application may also include authentication client functionality (such as, for example, RADIUS or DIAMETER client functionality).
The authentication management application may encrypt the file before it sends it to the authentication server. Alternatively, or in addition, the authentication management application may also use steganography to embed the file with names and secrets in another file. Steganography is a known technique of embedding a first set of data in a second set of data. Thus, the file with names and secrets can be embedded in a more inauspicious looking file, such as a video or an audio file. Accordingly, steganography may be used to provide additional security by preventing any rogue device that may be monitoring network communications from flagging the transmitted file as important. The authentication server can extract the file with names and secrets from the other file and/or decrypt it.
The clients of authentication server (such as nodes 102-104 and authentication management software 107) may be required to provide an authentication server password to communicate with the authentication server. In some embodiments, that same password or derivation thereof may be used to encrypt the file of secrets sent by the authentication management application 107 to the authentication server.
In some embodiments, the file including the list of names and secrets can be arranged in a predefined interoperable format. The format can be referred to as interoperable because it may be readable and processable by different types of authentication servers offered by different vendors.
In some embodiments, additional software 108 (such as, for example, one or more scripts) may reside at the authentication server 105 or possibly on the computer 106. The additional software 108 may be used to send or receive or translate the file including the names and secrets of the nodes, perform any necessary decryptions and/or extraction and load the file into a database for authentication server 105. Thus, additional software 108 may allow embodiments of the present invention to be used with various existing authentication server software products, without having to further modify them for the purposes of the present invention.
Furthermore, different versions of additional software 108 may be developed for different versions of existing authentication servers. The different versions may be configured to operate with a single format of the file comprising the names and secrets of the nodes which is to be generated and sent by the authentication management application. Thus, embodiments of the present invention may provide for that a single authentication management application may be interoperable with different types of authentication servers. In some embodiments, once added to the authentication server, the additional software 108 may be considered to be part of the authentication server or the authentication management application.
Network 202 can be a local area network (LAN) or a wide area network (WAN). LAN/WAN 202 can be, for example, an Ethernet network. Gateway 201 can be a device for interconnecting to different types of networks such as SAN 200 and LAN/WAN 202.
As shown, nodes 102-104 as well as the computer 106 hosting the authentication management application 107 can be connected to SAN 200. Thus, they may communicate with authentication server 105 through gateway 201. In some embodiments, computer 106 may be alternatively connected to LAN/WAN 202. Alternatively, computer 106 may be simultaneously be connected to both networks 200 and 202.
As shown, authentication server 105 may be connected to network 202. The embodiment of
As noted above, the combination of network 200, gateway 201 and network 202 may be considered to be a single heterogeneous network.
At step 306, the authentication management application generates a data structure including a list of the assigned secrets and the names of the devices the respective secrets are associated with. As noted above, the data structure may, but need not necessarily be a file. At step 308, the file is encrypted and/or embedded in another file using steganography. At step 310, the file is sent to the authentication server.
Continuing to
Thus, authentication can be performed without having to manually enter nodes' names and secrets into an authentication server. This may greatly improve the ease of administration of a network. This may also improve the security and reliability of a network, as manual entry of names and secrets into an authentication server may be considered to be a security vulnerability as well as a source of inadvertent entry errors.
Various devices discussed herein, such as authentication server 105, computer 106, and nodes 102-104 may run on programmable computers, or other types of programmable electronic devices. A programmable device may include a processor, such as a central processing unit (CPU) and a memory. The processor may operate by executing instructions stored in the memory. These instructions may comprise, for example, the authentication management application 107, one of various authentication server software products executing at authentication server 105, and/or scripts 108. The memory can also store data, such as the authentication server's local database, the file of node names and secrets, etc.
The various devices can also include networking hardware. The networking hardware may include, for example, a network interface card (NIC—often used for connecting to Ethernet networks) and/or a host bus adapter (HBA—often used for connecting to FC or iSCSI networks). Some devices may include both a NIC and an HBA. For example, in the embodiment in which the computer 106 is connected to both SAN 200 and LAN/WAN 202, computer 106 may include a NIC for connecting to LAN/WAN 202 and an HBA and its associated driver software for connecting to SAN 200.
Although embodiments of this invention have been fully described with reference to the accompanying drawings, it is to be noted that various changes and modifications will become apparent to those skilled in the art. Such changes and modifications are to be understood as being included within the scope of embodiments of this invention as defined by the appended claims.
This application is a continuation of application Ser. No. 13/970,500, filed on Aug. 19, 2013, which is a continuation of application Ser. No. No. 12/123,401, filed on May 19, 2008, now U.S. Pat. No. 8,515,996. The above-referenced United States patent applications are all hereby incorporated by reference herein in their entirety.
Number | Name | Date | Kind |
---|---|---|---|
5825891 | Levesque et al. | Oct 1998 | A |
5944794 | Okamoto et al. | Aug 1999 | A |
6192472 | Garay et al. | Feb 2001 | B1 |
6308268 | Audebert | Oct 2001 | B1 |
6338138 | Raduchel et al. | Jan 2002 | B1 |
6490679 | Tumblin et al. | Dec 2002 | B1 |
6493825 | Blumenau et al. | Dec 2002 | B1 |
6847948 | Paolini et al. | Jan 2005 | B1 |
6931549 | Ananda | Aug 2005 | B1 |
6978378 | Koretz | Dec 2005 | B1 |
7021534 | Kiliccote | Apr 2006 | B1 |
7170999 | Kessler et al. | Jan 2007 | B1 |
7222228 | Stephens et al. | May 2007 | B1 |
7328260 | Muthiyan et al. | Feb 2008 | B1 |
7380708 | Kiliccote | Jun 2008 | B1 |
7472283 | Angelo et al. | Dec 2008 | B2 |
7506040 | Rabe et al. | Mar 2009 | B1 |
7551915 | Manning et al. | Jun 2009 | B1 |
7577729 | Umbehocker et al. | Aug 2009 | B1 |
7631193 | Hoffman | Dec 2009 | B1 |
7660475 | Bossen | Feb 2010 | B2 |
7685261 | Marinelli et al. | Mar 2010 | B1 |
7685269 | Thrasher et al. | Mar 2010 | B1 |
7802109 | Gouguenheim et al. | Sep 2010 | B2 |
7861097 | Smeets et al. | Dec 2010 | B2 |
8078876 | Brickell et al. | Dec 2011 | B2 |
8479002 | Miyazawa | Jul 2013 | B2 |
8515996 | Hofer | Aug 2013 | B2 |
8892602 | Hofer | Nov 2014 | B2 |
20020012433 | Haverinen et al. | Jan 2002 | A1 |
20020095589 | Keech | Jul 2002 | A1 |
20020144148 | Hashem et al. | Oct 2002 | A1 |
20030099358 | Michael et al. | May 2003 | A1 |
20030163577 | Moon et al. | Aug 2003 | A1 |
20030177393 | Ishiguro | Sep 2003 | A1 |
20030217263 | Sakai | Nov 2003 | A1 |
20030233440 | Nakamura et al. | Dec 2003 | A1 |
20040091114 | Carter et al. | May 2004 | A1 |
20040228492 | Park | Nov 2004 | A1 |
20050091487 | Cross et al. | Apr 2005 | A1 |
20050138350 | Hariharan | Jun 2005 | A1 |
20050154884 | Van Den Tillaart | Jul 2005 | A1 |
20050172333 | Kim | Aug 2005 | A1 |
20050289655 | Tidwell et al. | Dec 2005 | A1 |
20060036856 | Kok | Feb 2006 | A1 |
20060101288 | Smeets et al. | May 2006 | A1 |
20060159268 | Jung et al. | Jul 2006 | A1 |
20060174018 | Zhu et al. | Aug 2006 | A1 |
20060236095 | Smith et al. | Oct 2006 | A1 |
20060277598 | Ahn | Dec 2006 | A1 |
20070016771 | Allison et al. | Jan 2007 | A1 |
20070033399 | Takeda | Feb 2007 | A1 |
20070060106 | Haverinen et al. | Mar 2007 | A1 |
20070106714 | Rothbarth | May 2007 | A1 |
20070118735 | Cherrington et al. | May 2007 | A1 |
20070130071 | Suzuki | Jun 2007 | A1 |
20070226488 | Lin et al. | Sep 2007 | A1 |
20070234043 | Miyazawa | Oct 2007 | A1 |
20080065878 | Hutson et al. | Mar 2008 | A1 |
20080095369 | Lucidarme | Apr 2008 | A1 |
20080209221 | Vennelakanti et al. | Aug 2008 | A1 |
20080215667 | Rothbarth et al. | Sep 2008 | A1 |
20080235509 | Laberteaux et al. | Sep 2008 | A1 |
20080267395 | Deishi | Oct 2008 | A1 |
20080270786 | Brickell et al. | Oct 2008 | A1 |
20090034522 | Hayes et al. | Feb 2009 | A1 |
20090049307 | Lin | Feb 2009 | A1 |
20090129587 | Zhou et al. | May 2009 | A1 |
20090132821 | Matsuzaki | May 2009 | A1 |
20090187757 | Kerschbaum | Jul 2009 | A1 |
20090204806 | Kanemura et al. | Aug 2009 | A1 |
20090235068 | Song et al. | Sep 2009 | A1 |
20100017599 | Sellars et al. | Jan 2010 | A1 |
20100088515 | Nishimoto et al. | Apr 2010 | A1 |
20100185852 | Ogawa et al. | Jul 2010 | A1 |
20100228980 | Falk et al. | Sep 2010 | A1 |
Entry |
---|
Eisenhauer, D. et al. (2008) “Fibre Channel over Convergence Enhanced Ethernet Enterprise Data Center Use Cases,” ITC 21, pp. 1-7. |
Final Office Action mailed Jul. 19, 2011, for U.S. Appl. No. 12/123,401, filed May 19, 2008, 14 pages. |
Final Office Action mailed Sep. 27, 2012, for U.S. Appl. No. 12/123,401, filed May 19, 2008, 11 pages. |
Non-Final Office Action mailed Sep. 3, 2010, for U.S. Appl. No. 12/123,401, filed May 19, 2008, 15 pages. |
Non-Final Office Action mailed Feb. 23, 2011, for U.S. Appl. No. 12/123,401, filed May 29, 2008, 15 pages. |
Non-Final Office Action mailed Oct. 31, 2011, for U.S. Appl. No. 12/123,401, filed May 19, 2008, 10 pages. |
Non-Final Office Action mailed Apr. 5, 2012, for U.S. Appl. No. 12/123,401, filed May 19, 2008, 10 pages. |
Non-Final Office Action mailed Apr. 15, 2013, for U.S. Appl. No. 12/123,401, filed May 19, 2008, 10 pages. |
Non-Final Office Action mailed Mar. 14, 2014, for U.S. Appl. No. 13/970,500, filed Aug. 19, 2013, 19 pages. |
Number | Date | Country | |
---|---|---|---|
20150039884 A1 | Feb 2015 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 13970500 | Aug 2013 | US |
Child | 14516205 | US | |
Parent | 12123401 | May 2008 | US |
Child | 13970500 | US |