US20020078243A1 - Method and apparatus for time synchronization in a network data processing system - Google Patents
Method and apparatus for time synchronization in a network data processing systemDownload PDFInfo
- Publication number
- US20020078243A1 US20020078243A1US09/738,244US73824400AUS2002078243A1US 20020078243 A1US20020078243 A1US 20020078243A1US 73824400 AUS73824400 AUS 73824400AUS 2002078243 A1US2002078243 A1US 2002078243A1
- Authority
- US
- United States
- Prior art keywords
- data processing
- processing system
- time
- target
- reply
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000012545processingMethods0.000titleclaimsabstractdescription93
- 238000000034methodMethods0.000titleclaimsabstractdescription47
- 238000004891communicationMethods0.000claimsdescription11
- 238000004590computer programMethods0.000claims4
- 230000008569processEffects0.000description25
- 230000007246mechanismEffects0.000description9
- 238000010586diagramMethods0.000description8
- 230000004044responseEffects0.000description7
- 238000013459approachMethods0.000description4
- 230000002093peripheral effectEffects0.000description4
- 230000005540biological transmissionEffects0.000description2
- 238000012986modificationMethods0.000description2
- 230000004048modificationEffects0.000description2
- 230000003287optical effectEffects0.000description2
- 230000008859changeEffects0.000description1
- 238000005516engineering processMethods0.000description1
- 239000000835fiberSubstances0.000description1
- 230000002452interceptive effectEffects0.000description1
- 230000000737periodic effectEffects0.000description1
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04J—MULTIPLEX COMMUNICATION
- H04J3/00—Time-division multiplex systems
- H04J3/02—Details
- H04J3/06—Synchronising arrangements
- H04J3/0635—Clock or time synchronisation in a network
- H04J3/0638—Clock or time synchronisation among nodes; Internode synchronisation
- H04J3/0658—Clock or time synchronisation among packet nodes
- H04J3/0661—Clock or time synchronisation among packet nodes using timestamps
- H04J3/0667—Bidirectional timestamps, e.g. NTP or PTP for compensation of clock drift and for compensation of propagation delays
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/12—Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
Definitions
- the present inventionrelates generally to an improved data processing system, and in particular to a method and apparatus for synchronizing time. Still more particularly, the present invention relates to a method and apparatus for synchronizing time for an authentication system in a network data processing system.
- Kerberosis a distributed authentication services that allows a client process running on behalf of a principal (e.g., a user) to prove its identity to a remote server without transmitting passwords over a potentially insecure network.
- Kerberosrequires principals to have secret keys registered with key distribution center (KDC) on the Kerberos server.
- KDCkey distribution center
- a principalobtains a “ticket” from KDC to access the service on a remote server.
- an authenticatorwhich includes a time stamp and other principal information, is presented along with the ticket in the request message to remote server.
- the reason for time stamping the authenticatoris to prevent a “replay attack”.
- a replay attacka hacker eavesdrops on an authentication packet. The hacker can try to replay this packet to pretend that the hacker has the ticket and authority to access this service.
- Kerberosallows the server to accept the authenticator only if the time stamp in the authenticator is within a limited time difference from the server's own clock, such as 5 minutes earlier or later than server's clock. This range provides a 10 minute time window. Therefore, in order to allow principals successfully being authenticated as well as to prevent replay attack, it is necessary to maintain a time synchronization (a margin of a few minutes is allowable) among principals and the Kerberos server.
- Kerberosdoes not provide a time synchronization mechanism. Synchronization is assumed to be achieved outside the Kerberos system.
- the current approachis that the clocks of workstations and servers that participate Kerberos authentication are adjusted with the clock on Kerberos server manually or automatically using special time servers through another protocol such a simple network time protocol (SNTP).
- SNTPsimple network time protocol
- This approachhas a couple of drawbacks. As Kerberos technology is being pushed to the Internet arena, it is more difficult to achieve clock synchronization among machines on different networks or in different geographical locations. Also, Kerberos supports cross-realm authentication. Cross-realm authentication allows a user to access services in other realms. This brings the necessity to be able to dynamically synchronize a principal's time with different servers' times. The current approach does not address this requirement.
- a security holemay be introduced into the Kerberos system because this current approach relies on the clock settings of workstations.
- One example of a possible scenariois if a hacker changes clock settings on the hacker's workstation to move the time a few hours ahead, then the hacker waits for somebody to try authenticating from this machine and intercepts the authentication package sent. A few hours later, the hacker replays the intercepted package. Since the server will think that time stamp is within allowed boundaries of a few minutes, it accepts the service request, and the hacker successfully gains access to the service.
- the present inventionprovides a method, apparatus, and computer implemented instructions for synchronizing time in a network data processing system.
- a request for time synchronization from a source data processing systemis received at a target data processing system.
- a current target time at the target data processing systemis placed in a reply.
- the replyis sent to the source data processing system.
- a current source time from when the reply is received at the source data processing systemis compared to the current target time to generate a comparison.
- a synchronization factoris generated using the comparison.
- FIG. 1is a pictorial representation of a network of data processing systems in which the present invention may be implemented
- FIG. 2is a block diagram of a data processing system that may be implemented as a server in accordance with a preferred embodiment of the present invention
- FIG. 3is a block diagram illustrating a data processing system in which the present invention may be implemented
- FIGS. 4 A- 4 Care diagrams illustrating data flow used in authentication system in accordance with a preferred embodiment of the present invention.
- FIGS. 5 A- 5 Dare diagrams illustrating data structures used in FIGS. 4 A- 4 C in accordance with a preferred embodiment of the present invention
- FIG. 6is a flowchart of a process used for generating time synchronization information in accordance with a preferred embodiment of the present invention
- FIG. 7is a flowchart of a process used for generating a time stamp in accordance with a preferred embodiment of the present invention.
- FIG. 8is a flowchart of a process for authenticating the use of a service in accordance with a preferred embodiment of the present invention.
- FIG. 9is a flowchart illustrating a high level cross-realm operation in accordance with a preferred embodiment with the present invention.
- FIG. 1depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented.
- Network data processing system 100is a network of computers in which the present invention may be implemented.
- Network data processing system 100contains a network 102 , which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100 .
- Network 102may include connections, such as wire, wireless communication links, or fiber optic cables.
- a server 104is connected to network 102 along with storage unit 106 .
- clients 108 , 110 , and 112also are connected to network 102 . These clients 108 , 110 , and 112 may be, for example, personal computers or network computers.
- server 104is a file server and provides data, such as boot files, operating system images, and applications to clients 108 - 112 .
- Clients 108 , 110 , and 112are clients to server 104 .
- Server 114is a key distribution center (KDC) server used to obtain keys for authentication by server 104 .
- KDCkey distribution center
- clients 108 , 110 , and 112send requests to server 114 to generate synchronization factors used in authentication processes with server 104 .
- Network data processing system 100may include additional servers, clients, and other devices not shown.
- network data processing system 100is the Internet with network 102 representing a worldwide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another.
- network 102representing a worldwide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another.
- At the heart of the Internetis a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages.
- network data processing system 100also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN).
- FIG. 1is intended as an example, and not as an architectural limitation for the present invention.
- Data processing system 200may be a symmetric multiprocessor (SMP) system including a plurality of processors 202 and 204 connected to system bus 206 . Alternatively, a single processor system may be employed. Also connected to system bus 206 is memory controller/cache 208 , which provides an interface to local memory 209 . I/O bus bridge 210 is connected to system bus 206 and provides an interface to I/O bus 212 . Memory controller/cache 208 and I/O bus bridge 210 may be integrated as depicted.
- SMPsymmetric multiprocessor
- Peripheral component interconnect (PCI) bus bridge 214connected to I/O bus 212 provides an interface to PCI local bus 216 .
- PCI bus 216A number of modems may be connected to PCI bus 216 .
- Typical PCI bus implementationswill support four PCI expansion slots or add-in connectors.
- Communications links to network computers 108 - 112 in FIG. 1may be provided through modem 218 and network adapter 220 connected to PCI local bus 216 through add-in boards.
- Additional PCI bus bridges 222 and 224provide interfaces for additional PCI buses 226 and 228 , from which additional modems or network adapters may be supported. In this manner, data processing system 200 allows connections to multiple network computers.
- a memory-mapped graphics adapter 230 and hard disk 232may also be connected to I/O bus 212 as depicted, either directly or indirectly.
- FIG. 2may vary.
- other peripheral devicessuch as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted.
- the depicted exampleis not meant to imply architectural limitations with respect to the present invention.
- the data processing system depicted in FIG. 2may be, for example, an IBM RISC/System 6000 system, a product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX) operating system.
- IBM RISC/System 6000 systema product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX) operating system.
- AIXAdvanced Interactive Executive
- Data processing system 300is an example of a client computer.
- Data processing system 300employs a peripheral component interconnect (PCI) local bus architecture.
- PCIperipheral component interconnect
- AGPAccelerated Graphics Port
- ISAIndustry Standard Architecture
- Processor 302 and main memory 304are connected to PCI local bus 306 through PCI bridge 308 .
- PCI bridge 308also may include an integrated memory controller and cache memory for processor 302 . Additional connections to PCI local bus 306 may be made through direct component interconnection or through add-in boards.
- local area network (LAN) adapter 310SCSI host bus adapter 312 , and expansion bus interface 314 are connected to PCI local bus 306 by direct component connection.
- audio adapter 316graphics adapter 318 , and audio/video adapter 319 are connected to PCI local bus 306 by add-in boards inserted into expansion slots.
- Expansion bus interface 314provides a connection for a keyboard and mouse adapter 320 , modem 322 , and additional memory 324 .
- Small computer system interface (SCSI) host bus adapter 312provides a connection for hard disk drive 326 , tape drive 328 , and CD-ROM drive 330 .
- Typical PCI local bus implementationswill support three or four PCI expansion slots or add-in connectors.
- An operating systemruns on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3.
- the operating systemmay be a commercially available operating system, such as Windows 2000, which is available from Microsoft Corporation.
- An object oriented programming systemsuch as Java may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing on data processing system 300 . “Java” is a trademark of Sun Microsystems, Inc. Instructions for the operating system, the object-oriented operating system, and applications or programs are located on storage devices, such as hard disk drive 326 , and may be loaded into main memory 304 for execution by processor 302 .
- FIG. 3may vary depending on the implementation.
- Other internal hardware or peripheral devicessuch as flash ROM (or equivalent nonvolatile memory) or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIG. 3.
- the processes of the present inventionmay be applied to a multiprocessor data processing system.
- data processing system 300may be a stand-alone system configured to be bootable without relying on some type of network communication interface, whether or not data processing system 300 comprises some type of network communication interface.
- data processing system 300may be a Personal Digital Assistant (PDA) device, which is configured with ROM and/or flash ROM in order to provide non-volatile memory for storing operating system files and/or user-generated data.
- PDAPersonal Digital Assistant
- data processing system 300also may be a notebook computer or hand held computer in addition to taking the form of a PDA.
- data processing system 300also may be a kiosk or a Web appliance.
- the present inventionprovides a method, apparatus, and computer implemented instructions for synchronizing time.
- This synchronization mechanismis useful in authenticating a client in which the authentication mechanism uses a time stamp.
- the clientsends a request for synchronization information from a target, such as a server.
- the serveris a KDC server.
- the clientcalculates a clock skew between the KDC server and the client.
- the clientmay request a user credential from another server, such as an authentication server using the calculated clock skew to adjust the time value or time stamp generated by the client.
- the file server and the KDC servermay be located on the same physical computer or in different computers. Thus, this mechanism avoids having to change physical clock settings on a client.
- FIGS. 4 A- 4 Cdiagrams illustrating data flow used in authentication system are depicted in accordance with a preferred embodiment of the present invention.
- client 400may be implemented using data processing system 300 in FIG. 3 while KDC 402 may be implemented using data processing system 200 in FIG. 2.
- client 400sends a request 404 to KDC server 402 .
- Request 404includes a time stamp, containing the current time, T 1 , at client 400 when request 404 is generated and sent.
- KDC server 402generates a reply 406 , which contains the current time, T 2 , at KDC server 402 .
- This replyis encoded and the checksum is calculated over the encoding data.
- This checksumis added to the reply and the reply is re-encoded.
- the checksumis calculated use a secret key for the client. This allows the client to verify the data integrity of the reply.
- the datais DER encoded.
- DERstands for Distinguished Encoding Rules.
- reply 406also includes the current time, T 1 , from reply 404 as well as encoded data structures containing session keys for client 400 and a file server.
- Client 400receives the reply message and identifies another current time, T 3 . Additionally, in the depicted examples, this reply is decoded and the checksum is calculated to verify data integrity. A time difference for skew also referred to as TimeSync is identified. If the difference between T 3 and T 1 is less than a threshold value, such as 1 minute or 2 minutes, then the variable TimeSync is equal to T 3 ⁇ T 2 . If the difference is equal to or greater than the threshold value, then TimeSync is set equal to T 3 ⁇ T 2 ⁇ (T 3 ⁇ T 1 )/2. This calculation provides a time synchronization. This synchronization factor is used to generate time stamps in which a time stamp is set equal to the current time—TimeSync.
- a threshold valuesuch as 1 minute or 2 minutes
- time stampmay be adjusted.
- This time stampis placed in a request 408 sent by client 400 to another server, such as file server 410 in FIG. 4C. Additionally, the encoded data structure containing the session key for the file server is placed into request 408 .
- FIGS. 5 A- 5 Ddiagrams illustrating data structures used in FIGS. 4 A- 4 C are depicted in accordance with a preferred embodiment of the present invention.
- request 404includes an encoded data structure 500 containing current time 502 , T 1 , from the client and a client identifier 504 .
- This replyis encrypted using the client's secret key 506 .
- KDC 402 in FIG. 4generates reply 406 in FIG. 4B, which contains data structure 508 in FIG. 5B and data structure 510 in FIG. 5C.
- Data structure 508includes a session key 512 .
- this data structureincludes current time 514 , T 2 , at KDC 402 as well as time 502 , T 1 .
- Data structure 508is encrypted using key 506 .
- Data structure 510includes a session key 516 for a file server, which is encoded with other information encoded in data structure 510 using key 518 , which is the secret key of the file server. The client will be unable to decrypt structure 510 and will include this data structure in request 408 to file server 410 in FIG. 4.
- data structure 520is a data structure placed in request 408 in FIG. 4, which is sent to file server 410 .
- Data structure 520includes client ID 522 and time stamp 524 .
- This data structureis encrypted using session key 512 from data structure 508 .
- This data structuremay be decrypted by file server 510 once file server 410 retrieves sessions key 512 from data structure 510 by decrypting the data structure using its key.
- FIG. 6a flowchart of a process used for generating time synchronization information is depicted in accordance with a preferred embodiment of the present invention.
- the process in FIG. 6may be implemented in a server, such as KDC server 402 in FIG. 4.
- the processbegins by receiving a time synchronization request message (step 600 ).
- the requestis received from clients, which may generate time stamps for other requests or messages.
- the current time, T 1from the originator of the request is retrieved (step 602 ).
- the current time, T 2at the server is retrieved (step 604 ).
- Times T 1 and T 2are both place in a reply message (step 606 ).
- other informationmay also be placed into the reply message, such as, a session key.
- the reply messageis then encoded (step 608 ).
- a checksumis calculated for the encoded message (step 610 ).
- the checksumis added to the reply message (step 612 ).
- the reply messageis then re-encoded (step 614 ). This reply is then sent back to the client originating the request (step 616 ) with the process terminating thereafter.
- FIG. 7a flowchart of a process used for generating a time stamp is depicted in accordance with a preferred embodiment of the present invention.
- the process illustrated in FIG. 7may be implemented in a client, such as client 400 in FIG. 4.
- the processbegins by sending a request for time synchronization information (step 700 ).
- a reply messageis received in response to the request (step 702 ).
- a current time, T 3at the client is retrieved (step 704 ).
- the reply messageis then decoded (step 706 ).
- a checksumis calculated over the reply message using a client key (step 708 ).
- a client keyis used because the reply message was encrypted by the KDC server using the client key. This step is used to verify the authenticity of the reply.
- a time difference between current time, T 3 , and the time, T 2 , in the reply messageis calculated (step 710 ).
- This threshold valuemay be, for example, 1 minute or 2 minutes. Kerberos uses time stamps to guarantee that a ticket request is fresh and not replayed from a long time ago. By default, Kerberos defines “a long time ago” as 5 minutes, although this time is configurable. If the time difference is not less than the threshold, then the value TimeSync is set equal to T 3 ⁇ T 2 ⁇ (T 3 ⁇ T 1 )/2 (step 714 ). Then, the time stamp as generate as being equal to the current time at the client minus the value for TimeSync (step 716 ) with the process terminating thereafter.
- TimeSyncis set equal to T 3 ⁇ T 2 (step 718 ) with the process then proceeding to step 716 as described above.
- FIG. 8a flowchart of a process for authenticating the use of a service is depicted in accordance with a preferred embodiment of the present invention.
- the process illustrated in FIG. 8may be implemented for use in gaining access to a server that provides a service, such as an application, e-mail, or a print service.
- the time synchronization process implemented by such a serveris similar to that used in a client as described above. The difference is that the server performs time synchronization after it receives a server request from a client, while the client typically performs time synchronization prior to sending a credential request to a KDC.
- the processbegins by a client performing time synchronization with a KDC (step 800 ).
- Clientrequests a credential from the KDC (step 802 ).
- Clientrequests an application service on a server by presenting its credential to the server (step 804 ).
- serverperforms time synchronization with a KDC server (step 806 ).
- Serververifies client's credential (step 808 ).
- step 810a determination is made whether the client credential is authenticated. If the credential is authenticated, the server grants the service to the client (step 812 ) with the process terminating thereafter. Otherwise, the process terminates without granting the service.
- networksare divided into realms to provide scalability in the Kerberos system. These divisions are often made on organizational boundaries, although they need not be.
- Each realmhas its own KDC. Every principal registered with the same KDC belong to the same realm. The KDC for each realm is trusted by all principals registered in that realm to store a secret key in confidence.
- Principalis another term used in Kerberos. Kerberos principals are of several types: users, application services, such as a File server provides file access service, a printer provides print service, KDC. Cross-realm authentication allows a Kerberos user to access services in other realms.
- time synchronization subroutinedetects a KDC different from the current one, so it is invoked to do synchronization with the target KDC.
- the new time synchronization valueis calculated, and the time stamp value is adjusted based on the new time synchronization value.
- FIG. 9a flowchart illustrating a high level cross-realm operation is depicted in accordance with a preferred embodiment with the present invention.
- the processbegins by the client performing time synchronization with KDC of its own realm (step 900 ).
- the clientrequests a credential from KDC (step 902 ).
- the clientperforms time synchronization with KDC of remote realm (step 904 ).
- the clientpresents its credential to KDC of remote realm (step 906 ).
- the clientobtains a new credential from KDC of remote realm (step 908 ).
- the clientrequests an application service on a server of remote realm by presenting its new credential to the server (step 910 ).
- the server of remote realmperforms time synchronization with KDC of remote realm (step 912 ).
- the serververifies the client's credential (step 914 ).
- step 916a determination is made whether the client credential is authenticated. If the credential is authenticated, the server grants the service to the to the remote client (step 918 ) with the process terminating thereafter. Otherwise, the process terminates without granting the service.
- the present inventiona method, apparatus, and computer implemented instructions for synchronizing time between different data processing systems. Physical adjustments to clocks within a data processing system is unnecessary using the mechanism of the present invention. This mechanism avoids the dependency upon other systems or protocols to achieve synchronization of time on different processing systems. This mechanism does not rely on a time server and is dynamic in adjusting time. Further, when a client contacts servers in different network or geographic locations, time synchronization may be perform with each server being contact providing cross-realm synchronization. When a client detects a different “realm”, time synchronization may be automatically initiated in which a new TimeSync value is calculated. Further, new TimeSync value may also be calculated in response to other events, such as, a periodic event signaled by a timer. In this way, potential security holes produced by altering clock settings are minimized.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
- 1. Technical Field[0001]
- The present invention relates generally to an improved data processing system, and in particular to a method and apparatus for synchronizing time. Still more particularly, the present invention relates to a method and apparatus for synchronizing time for an authentication system in a network data processing system.[0002]
- 2. Description of Related Art[0003]
- In a multi-user computer system, identification and authentication mechanisms are essential for identifying and authenticating each individual who requests any usage of system resources. One solution is known as “Kerberos”. Originally developed at the Massachusetts Institute of Technology, Kerberos is a distributed authentication services that allows a client process running on behalf of a principal (e.g., a user) to prove its identity to a remote server without transmitting passwords over a potentially insecure network.[0004]
- Kerberos requires principals to have secret keys registered with key distribution center (KDC) on the Kerberos server. A principal obtains a “ticket” from KDC to access the service on a remote server. To prevent attackers from intercepting and reusing the ticket, an authenticator, which includes a time stamp and other principal information, is presented along with the ticket in the request message to remote server.[0005]
- The reason for time stamping the authenticator is to prevent a “replay attack”. In a replay attack, a hacker eavesdrops on an authentication packet. The hacker can try to replay this packet to pretend that the hacker has the ticket and authority to access this service. To prevent this kind of attack, Kerberos allows the server to accept the authenticator only if the time stamp in the authenticator is within a limited time difference from the server's own clock, such as 5 minutes earlier or later than server's clock. This range provides a 10 minute time window. Therefore, in order to allow principals successfully being authenticated as well as to prevent replay attack, it is necessary to maintain a time synchronization (a margin of a few minutes is allowable) among principals and the Kerberos server.[0006]
- Kerberos does not provide a time synchronization mechanism. Synchronization is assumed to be achieved outside the Kerberos system. The current approach is that the clocks of workstations and servers that participate Kerberos authentication are adjusted with the clock on Kerberos server manually or automatically using special time servers through another protocol such a simple network time protocol (SNTP). This approach has a couple of drawbacks. As Kerberos technology is being pushed to the Internet arena, it is more difficult to achieve clock synchronization among machines on different networks or in different geographical locations. Also, Kerberos supports cross-realm authentication. Cross-realm authentication allows a user to access services in other realms. This brings the necessity to be able to dynamically synchronize a principal's time with different servers' times. The current approach does not address this requirement.[0007]
- Furthermore, a security hole may be introduced into the Kerberos system because this current approach relies on the clock settings of workstations. One example of a possible scenario is if a hacker changes clock settings on the hacker's workstation to move the time a few hours ahead, then the hacker waits for somebody to try authenticating from this machine and intercepts the authentication package sent. A few hours later, the hacker replays the intercepted package. Since the server will think that time stamp is within allowed boundaries of a few minutes, it accepts the service request, and the hacker successfully gains access to the service.[0008]
- Therefore, it would be advantageous to have an improved method and apparatus for an improved time synchronization mechanism.[0009]
- The present invention provides a method, apparatus, and computer implemented instructions for synchronizing time in a network data processing system. A request for time synchronization from a source data processing system is received at a target data processing system. A current target time at the target data processing system is placed in a reply. The reply is sent to the source data processing system. A current source time from when the reply is received at the source data processing system is compared to the current target time to generate a comparison. A synchronization factor is generated using the comparison.[0010]
- The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:[0011]
- FIG. 1 is a pictorial representation of a network of data processing systems in which the present invention may be implemented;[0012]
- FIG. 2 is a block diagram of a data processing system that may be implemented as a server in accordance with a preferred embodiment of the present invention;[0013]
- FIG. 3 is a block diagram illustrating a data processing system in which the present invention may be implemented;[0014]
- FIGS.[0015]4A-4C are diagrams illustrating data flow used in authentication system in accordance with a preferred embodiment of the present invention;
- FIGS.[0016]5A-5D are diagrams illustrating data structures used in FIGS.4A-4C in accordance with a preferred embodiment of the present invention;
- FIG. 6 is a flowchart of a process used for generating time synchronization information in accordance with a preferred embodiment of the present invention;[0017]
- FIG. 7 is a flowchart of a process used for generating a time stamp in accordance with a preferred embodiment of the present invention;[0018]
- FIG. 8 is a flowchart of a process for authenticating the use of a service in accordance with a preferred embodiment of the present invention; and[0019]
- FIG. 9 is a flowchart illustrating a high level cross-realm operation in accordance with a preferred embodiment with the present invention.[0020]
- With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented. Network[0021]
data processing system 100 is a network of computers in which the present invention may be implemented. Networkdata processing system 100 contains anetwork 102, which is the medium used to provide communications links between various devices and computers connected together within networkdata processing system 100. Network102 may include connections, such as wire, wireless communication links, or fiber optic cables. - In the depicted example, a[0022]
server 104 is connected tonetwork 102 along withstorage unit 106. In addition,clients network 102. Theseclients server 104 is a file server and provides data, such as boot files, operating system images, and applications to clients108-112.Clients Server 114 is a key distribution center (KDC) server used to obtain keys for authentication byserver 104. In the depicted examples,clients server 114 to generate synchronization factors used in authentication processes withserver 104. - Network[0023]
data processing system 100 may include additional servers, clients, and other devices not shown. In the depicted example, networkdata processing system 100 is the Internet withnetwork 102 representing a worldwide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages. Of course, networkdata processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation for the present invention. - Referring to FIG. 2, a block diagram of a data processing system that may be implemented as a server, such as[0024]
server 104 in FIG. 1, is depicted in accordance with a preferred embodiment of the present invention.Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality ofprocessors system bus 206. Alternatively, a single processor system may be employed. Also connected tosystem bus 206 is memory controller/cache 208, which provides an interface tolocal memory 209. I/O bus bridge 210 is connected tosystem bus 206 and provides an interface to I/O bus 212. Memory controller/cache 208 and I/O bus bridge 210 may be integrated as depicted. - Peripheral component interconnect (PCI) bus bridge[0025]214 connected to I/
O bus 212 provides an interface to PCIlocal bus 216. A number of modems may be connected toPCI bus 216. Typical PCI bus implementations will support four PCI expansion slots or add-in connectors. Communications links to network computers108-112 in FIG. 1 may be provided throughmodem 218 andnetwork adapter 220 connected to PCIlocal bus 216 through add-in boards. - Additional PCI bus bridges[0026]222 and224 provide interfaces for
additional PCI buses data processing system 200 allows connections to multiple network computers. A memory-mappedgraphics adapter 230 andhard disk 232 may also be connected to I/O bus 212 as depicted, either directly or indirectly. - Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 2 may vary. For example, other peripheral devices, such as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted. The depicted example is not meant to imply architectural limitations with respect to the present invention.[0027]
- The data processing system depicted in FIG. 2 may be, for example, an IBM RISC/System 6000 system, a product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX) operating system.[0028]
- With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which the present invention may be implemented.[0029]
Data processing system 300 is an example of a client computer.Data processing system 300 employs a peripheral component interconnect (PCI) local bus architecture. Although the depicted example employs a PCI bus, other bus architectures such as Accelerated Graphics Port (AGP) and Industry Standard Architecture (ISA) may be used.Processor 302 andmain memory 304 are connected to PCIlocal bus 306 throughPCI bridge 308.PCI bridge 308 also may include an integrated memory controller and cache memory forprocessor 302. Additional connections to PCIlocal bus 306 may be made through direct component interconnection or through add-in boards. In the depicted example, local area network (LAN) adapter310, SCSI host bus adapter312, andexpansion bus interface 314 are connected to PCIlocal bus 306 by direct component connection. In contrast,audio adapter 316,graphics adapter 318, and audio/video adapter 319 are connected to PCIlocal bus 306 by add-in boards inserted into expansion slots.Expansion bus interface 314 provides a connection for a keyboard and mouse adapter320,modem 322, andadditional memory 324. Small computer system interface (SCSI) host bus adapter312 provides a connection forhard disk drive 326, tape drive328, and CD-ROM drive330. Typical PCI local bus implementations will support three or four PCI expansion slots or add-in connectors. - An operating system runs on[0030]
processor 302 and is used to coordinate and provide control of various components withindata processing system 300 in FIG. 3. The operating system may be a commercially available operating system, such as Windows 2000, which is available from Microsoft Corporation. An object oriented programming system such as Java may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing ondata processing system 300. “Java” is a trademark of Sun Microsystems, Inc. Instructions for the operating system, the object-oriented operating system, and applications or programs are located on storage devices, such ashard disk drive 326, and may be loaded intomain memory 304 for execution byprocessor 302. - Those of ordinary skill in the art will appreciate that the hardware in FIG. 3 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash ROM (or equivalent nonvolatile memory) or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIG. 3. Also, the processes of the present invention may be applied to a multiprocessor data processing system.[0031]
- As another example,[0032]
data processing system 300 may be a stand-alone system configured to be bootable without relying on some type of network communication interface, whether or notdata processing system 300 comprises some type of network communication interface. As a further example,data processing system 300 may be a Personal Digital Assistant (PDA) device, which is configured with ROM and/or flash ROM in order to provide non-volatile memory for storing operating system files and/or user-generated data. - The depicted example in FIG. 3 and above-described examples are not meant to imply architectural limitations. For example,[0033]
data processing system 300 also may be a notebook computer or hand held computer in addition to taking the form of a PDA.Data processing system 300 also may be a kiosk or a Web appliance. - The present invention provides a method, apparatus, and computer implemented instructions for synchronizing time. This synchronization mechanism is useful in authenticating a client in which the authentication mechanism uses a time stamp. The client sends a request for synchronization information from a target, such as a server. In this example, the server is a KDC server. In response to receiving a time synchronization response, the client calculates a clock skew between the KDC server and the client. Then, the client may request a user credential from another server, such as an authentication server using the calculated clock skew to adjust the time value or time stamp generated by the client. The file server and the KDC server may be located on the same physical computer or in different computers. Thus, this mechanism avoids having to change physical clock settings on a client.[0034]
- Turning next to FIGS.[0035]4A-4C, diagrams illustrating data flow used in authentication system are depicted in accordance with a preferred embodiment of the present invention. In the depicted examples,
client 400 may be implemented usingdata processing system 300 in FIG. 3 whileKDC 402 may be implemented usingdata processing system 200 in FIG. 2. - In this example, in FIG. 4A,[0036]
client 400 sends arequest 404 toKDC server 402.Request 404 includes a time stamp, containing the current time, T1, atclient 400 whenrequest 404 is generated and sent. In FIG.4B KDC server 402 generates areply 406, which contains the current time, T2, atKDC server 402. This reply is encoded and the checksum is calculated over the encoding data. This checksum is added to the reply and the reply is re-encoded. These examples, the checksum is calculated use a secret key for the client. This allows the client to verify the data integrity of the reply. In these examples, the data is DER encoded. DER stands for Distinguished Encoding Rules. It is a standard encoding rule used to encode the structure of ASN.1 (Abstract Syntax Notation 1) data to be transferred between the Application Layer and the Presentation Layer of the Open Systems Interconnection (OSI). It provides a means whereby the Presentation Layer can reliably exchange any arbitrary data structure with other computer systems, while the Application Layer can map the encoded data into any type of representation or language that is appropriate for the end user. In this example, reply406 also includes the current time, T1, fromreply 404 as well as encoded data structures containing session keys forclient 400 and a file server. - [0037]
Client 400 receives the reply message and identifies another current time, T3. Additionally, in the depicted examples, this reply is decoded and the checksum is calculated to verify data integrity. A time difference for skew also referred to as TimeSync is identified. If the difference between T3 and T1 is less than a threshold value, such as 1 minute or 2 minutes, then the variable TimeSync is equal to T3−T2. If the difference is equal to or greater than the threshold value, then TimeSync is set equal to T3−T2−(T3−T1)/2. This calculation provides a time synchronization. This synchronization factor is used to generate time stamps in which a time stamp is set equal to the current time—TimeSync. In this manner, instead of changing physical clock settings the time stamp may be adjusted. This time stamp is placed in arequest 408 sent byclient 400 to another server, such asfile server 410 in FIG. 4C. Additionally, the encoded data structure containing the session key for the file server is placed intorequest 408. - Turning next to FIGS.[0038]5A-5D, diagrams illustrating data structures used in FIGS.4A-4C are depicted in accordance with a preferred embodiment of the present invention. In FIG. 5A,
request 404 includes an encodeddata structure 500 containingcurrent time 502, T1, from the client and aclient identifier 504. This reply is encrypted using the client'ssecret key 506.KDC 402 in FIG. 4 generatesreply 406 in FIG. 4B, which containsdata structure 508 in FIG. 5B anddata structure 510 in FIG. 5C.Data structure 508 includes asession key 512. Additionally, this data structure includescurrent time 514, T2, atKDC 402 as well astime 502, T1.Data structure 508 is encrypted using key506.Data structure 510 includes a session key516 for a file server, which is encoded with other information encoded indata structure 510 using key518, which is the secret key of the file server. The client will be unable to decryptstructure 510 and will include this data structure inrequest 408 tofile server 410 in FIG. 4. - In FIG. 5D,[0039]
data structure 520 is a data structure placed inrequest 408 in FIG. 4, which is sent tofile server 410.Data structure 520 includesclient ID 522 andtime stamp 524. This data structure is encrypted using session key512 fromdata structure 508. This data structure may be decrypted byfile server 510 oncefile server 410 retrieves sessions key512 fromdata structure 510 by decrypting the data structure using its key. - Turning next to FIG. 6, a flowchart of a process used for generating time synchronization information is depicted in accordance with a preferred embodiment of the present invention. The process in FIG. 6 may be implemented in a server, such as[0040]
KDC server 402 in FIG. 4. - The process begins by receiving a time synchronization request message (step[0041]600). In the depicted examples, the request is received from clients, which may generate time stamps for other requests or messages. Next, the current time, T1, from the originator of the request is retrieved (step602). Also, the current time, T2, at the server is retrieved (step604). Times T1 and T2 are both place in a reply message (step606). Of course, other information may also be placed into the reply message, such as, a session key.
- The reply message is then encoded (step[0042]608). A checksum is calculated for the encoded message (step610). The checksum is added to the reply message (step612). The reply message is then re-encoded (step614). This reply is then sent back to the client originating the request (step616) with the process terminating thereafter.
- With reference now to FIG. 7, a flowchart of a process used for generating a time stamp is depicted in accordance with a preferred embodiment of the present invention. The process illustrated in FIG. 7 may be implemented in a client, such as[0043]
client 400 in FIG. 4. - The process begins by sending a request for time synchronization information (step[0044]700). A reply message is received in response to the request (step702). In response to receive the response message a current time, T3, at the client is retrieved (step704). The reply message is then decoded (step706). Next, a checksum is calculated over the reply message using a client key (step708). A client key is used because the reply message was encrypted by the KDC server using the client key. This step is used to verify the authenticity of the reply. A time difference between current time, T3, and the time, T2, in the reply message is calculated (step710).
- Then, a determination is made as to whether the time difference is greater than some selected threshold values (step[0045]712). This threshold value may be, for example, 1 minute or 2 minutes. Kerberos uses time stamps to guarantee that a ticket request is fresh and not replayed from a long time ago. By default, Kerberos defines “a long time ago” as 5 minutes, although this time is configurable. If the time difference is not less than the threshold, then the value TimeSync is set equal to T3−T2−(T3−T1)/2 (step714). Then, the time stamp as generate as being equal to the current time at the client minus the value for TimeSync (step716) with the process terminating thereafter.
- With reference again the[0046]
step 712, if the time difference is less than the threshold, then the value TimeSync is set equal to T3−T2 (step718) with the process then proceeding to step716 as described above. - Turning next to FIG. 8, a flowchart of a process for authenticating the use of a service is depicted in accordance with a preferred embodiment of the present invention. The process illustrated in FIG. 8 may be implemented for use in gaining access to a server that provides a service, such as an application, e-mail, or a print service. The time synchronization process implemented by such a server is similar to that used in a client as described above. The difference is that the server performs time synchronization after it receives a server request from a client, while the client typically performs time synchronization prior to sending a credential request to a KDC.[0047]
- The process begins by a client performing time synchronization with a KDC (step[0048]800). Client then requests a credential from the KDC (step802). Client requests an application service on a server by presenting its credential to the server (step804). Next, server performs time synchronization with a KDC server (step806). Server verifies client's credential (step808).
- Next, a determination is made whether the client credential is authenticated (step[0049]810). If the credential is authenticated, the server grants the service to the client (step812) with the process terminating thereafter. Otherwise, the process terminates without granting the service.
- In these examples, networks are divided into realms to provide scalability in the Kerberos system. These divisions are often made on organizational boundaries, although they need not be. Each realm has its own KDC. Every principal registered with the same KDC belong to the same realm. The KDC for each realm is trusted by all principals registered in that realm to store a secret key in confidence. Principal is another term used in Kerberos. Kerberos principals are of several types: users, application services, such as a File server provides file access service, a printer provides print service, KDC. Cross-realm authentication allows a Kerberos user to access services in other realms. Before the user presents its credential to remote realm's KDC, time synchronization subroutine detects a KDC different from the current one, so it is invoked to do synchronization with the target KDC. The new time synchronization value is calculated, and the time stamp value is adjusted based on the new time synchronization value.[0050]
- Turning now to FIG. 9, a flowchart illustrating a high level cross-realm operation is depicted in accordance with a preferred embodiment with the present invention.[0051]
- The process begins by the client performing time synchronization with KDC of its own realm (step[0052]900). The client requests a credential from KDC (step902). Next, the client performs time synchronization with KDC of remote realm (step904). After performing time synchronization, the client presents its credential to KDC of remote realm (step906). The client obtains a new credential from KDC of remote realm (step908). Thereafter, the client requests an application service on a server of remote realm by presenting its new credential to the server (step910). In response to the presentation of the credential, the server of remote realm performs time synchronization with KDC of remote realm (step912). The server verifies the client's credential (step914).
- Next, a determination is made whether the client credential is authenticated (step[0053]916). If the credential is authenticated, the server grants the service to the to the remote client (step918) with the process terminating thereafter. Otherwise, the process terminates without granting the service.
- Thus, the present invention a method, apparatus, and computer implemented instructions for synchronizing time between different data processing systems. Physical adjustments to clocks within a data processing system is unnecessary using the mechanism of the present invention. This mechanism avoids the dependency upon other systems or protocols to achieve synchronization of time on different processing systems. This mechanism does not rely on a time server and is dynamic in adjusting time. Further, when a client contacts servers in different network or geographic locations, time synchronization may be perform with each server being contact providing cross-realm synchronization. When a client detects a different “realm”, time synchronization may be automatically initiated in which a new TimeSync value is calculated. Further, new TimeSync value may also be calculated in response to other events, such as, a periodic event signaled by a timer. In this way, potential security holes produced by altering clock settings are minimized.[0054]
- It is important to note that while the present invention has been described in the context of a fully functioning data processing system, those of ordinary skill in the art will appreciate that the processes of the present invention are capable of being distributed in the form of a computer readable medium of instructions and a variety of forms and that the present invention applies equally regardless of the particular type of signal bearing media actually used to carry out the distribution. Examples of computer readable media include recordable-type media, such as a floppy disk, a hard disk drive, a RAM, CD-ROM's, DVD-ROMs, and transmission-type media, such as digital and analog communications links, wired or wireless communications links using transmission forms, such as, for example, radio frequency and light wave transmissions. The computer readable media may take the form of coded formats that are decoded for actual use in a particular data processing system.[0055]
- The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.[0056]
Claims (34)
1. A method for synchronizing time in a network data processing system comprising the data processing system implemented steps of:
receiving a request for time synchronization at a target data processing system, wherein the request is received from a source data processing system;
placing a current target time at the target data processing system in a reply;
sending the reply to the source data processing system;
comparing a current source time from when the reply is received at the source data processing system to the current target time to generate a comparison; and
generating a synchronization factor using the comparison.
2. The method of claim Al, wherein the synchronization factor is determined as follows:
SF=T3−T2
wherein SF is the synchronization factor, T2 is the current target time, and T3 is the current source time when the reply is received.
3. The method of claim Al, wherein the synchronization factor is determined as follows:
SF=T3−T2−(T3−T1)/2
wherein SF is the synchronization factor, Tl is a source time when the request is sent, T2 is the current source time, and T3 is the current source time when the reply is received.
4. The method of claim A1 further comprising:
generating a time stamp for a message using the synchronization factor and a current time in the target data processing system.
5. The method of claim A1 further comprising:
storing the synchronization factor.
6. A method in a data processing system for synchronizing time, the method comprising:
sending a synchronization request to a target;
receiving a reply, wherein the reply includes a current time from the target;
identifying a clock skew using the current time from the target; and
generating a time stamp for a message using the clock skew.
7. The method ofclaim 6 further comprising:
sending the message to a server.
8. The method ofclaim 6 , wherein the message is a request for authentication.
9. The method ofclaim 6 , wherein the target is a key distribution center server.
10. The method ofclaim 6 , wherein the clock skew is identified as follows:
CS=T3−T2
wherein CS is the clock skew, T2 is the current time from the target, and T3 is a current time at the data processing system when the reply is received.
11. The method ofclaim 6 , wherein the request is sent a selected time and wherein the clock skew is determined as follows:
CS=T3−T2−(T3−T1)/2
wherein CS is the clock skew, T1 is the selected time, T2 is the current time from the target, and T3 is a current time at the data processing system when the reply is received.
12. The method ofclaim 7 further comprising:
determining whether the server is located in a different realm from the target, prior to sending the message to the server; and
responsive to the server being located in the different realm, sending a synchronization request to a new target in the different realm; receiving a reply, wherein the reply includes a new current time from the new target; identifying a new clock skew using the current time from the new target; and generating a new time stamp for the message using the new clock skew.
13. The method ofclaim 12 , wherein the new target is a key distribution center server.
14. A data processing system comprising:
a bus system;
a communications unit connected to the bus, wherein data is sent and received using the communications unit;
a memory connected to the bus system, wherein a set of instructions are located in the memory; and
a processor unit connected to the bus system, wherein the processor unit executes the set of instructions to send a synchronization request to a target; receive a reply, wherein the reply includes a current time from the target; identify a clock skew using the current time from the target; and generate a time stamp for a message using the clock skew.
15. The data processing system ofclaim 14 , wherein the bus system includes a primary bus and a secondary bus.
16. The data processing system ofclaim 14 , wherein the processor unit includes a single processor.
17. The data processing system ofclaim 14 , wherein the processor unit includes a plurality of processors.
18. The data processing systemclaim 14 , wherein the communications unit is an Ethernet adapter.
19. A network data processing system for synchronizing time comprising:
receiving means for receiving a request for time synchronization at a target data processing system, wherein the request is received from a source data processing system;
placing means for placing a current target time at the target data processing system in a reply;
sending means for sending the reply to the source data processing system;
comparing means for comparing a current source time from when the reply is received at the source data processing system to the current target time to generate a comparison; and
generating means for generating a synchronization factor using the comparison.
20. The network data processing system ofclaim 19 , wherein the synchronization factor is determined as follows:
SF=T3−T2
wherein SF is the synchronization factor, T2 is the current target time, and T3 is the current source time when the reply is received.
21. The network data processing system ofclaim 19 , wherein the synchronization factor is determined as follows:
SF=T3−T2−(T3−-T1)/2
wherein SF is the synchronization factor, T1 is a source time when the request is sent, T2 is the current source time, and T3 is the current source time when the reply is received.
22. The network data processing system ofclaim 19 , wherein the generating means is a first generating means and further comprising:
second generating means for generating a time stamp for a message using the synchronization factor and a current time in the target data processing system.
23. The network data processing system ofclaim 19 further comprising:
storing the synchronization factor.
24. The network data processing system ofclaim 19 , wherein the receiving means, placing means, and sending means are located in the target data processing system and wherein the comparing means and the generating means are located in the source data processing system.
25. A data processing system for synchronizing time, the data processing system comprising:
sending means for sending a synchronization request to a target;
receiving means for receiving a reply, wherein the reply includes a current time from the target;
identifying means for identifying a clock skew using the current time from the target; and
generating means for generating a time stamp for a message using the clock skew.
26. The data processing system ofclaim 25 , wherein the sending means is a first sending means and further comprising:
second sending means for sending the message to a server
27. The data processing system ofclaim 25 , wherein the message is a request for authentication.
28. The data processing system ofclaim 25 , wherein the target is a key distribution center server.
29. The data processing system ofclaim 25 , wherein the clock skew is identified as follows:
CS=T3−T2
wherein CS is the clock skew, T2 is the current time from the target, and T3 is a current time at the data processing system when the reply is received.
30. The data processing system ofclaim 25 , wherein the request is sent a selected time and wherein the clock skew is determined as follows:
CS=T3−T2−(T3−T1)/2
wherein CS is the clock skew, T1 is the selected time, T2 is the current time from the target, and T3 is a current time at the data processing system when the reply is received.
31. The data processing system ofclaim 26 further comprising:
determining means for determining whether the server is located in a different realm from the target, prior to sending the message to the server; and
execution means, responsive to the server being located in the different realm, for sending a synchronization request to a new target in the different realm; receiving a reply, wherein the reply includes a new current time from the new target; identifying a new clock skew using the current time from the new target; and generating a new time stamp for the message using the new clock skew.
32. The data processing system ofclaim 31 , wherein the new target is a key distribution center server.
33. A computer program product in a computer readable medium for synchronizing time in a network data processing system, wherein the computer program product:
first instructions for receiving a request for time synchronization at a target data processing system, wherein the request is received from a source data processing system;
second instructions for placing a current target time at the target data processing system in a reply;
third instructions for sending the reply to the source data processing system;
fourth instructions for comparing a current source time from when the reply is received at the source data processing system to the current target time to generate a comparison; and
fifth instructions for generating a synchronization factor using the comparison.
34. A computer program product in a computer readable medium for synchronizing time, the computer program product comprising:
first instructions for sending a synchronization request to a target;
second instructions for receiving a reply, wherein the reply includes a current time from the target;
third instructions for identifying a clock skew using the current time from the target; and
fourth instructions for generating a time stamp for a message using the clock skew.
Priority Applications (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US09/738,244US20020078243A1 (en) | 2000-12-15 | 2000-12-15 | Method and apparatus for time synchronization in a network data processing system |
| US11/134,639US20050210306A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US11/134,707US20050210153A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US12/129,490US7818562B2 (en) | 2000-12-15 | 2008-05-29 | Method and apparatus for time synchronization in a network data processing system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US09/738,244US20020078243A1 (en) | 2000-12-15 | 2000-12-15 | Method and apparatus for time synchronization in a network data processing system |
Related Child Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US11/134,707DivisionUS20050210153A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US11/134,639DivisionUS20050210306A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US20020078243A1true US20020078243A1 (en) | 2002-06-20 |
Family
ID=24967186
Family Applications (4)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US09/738,244AbandonedUS20020078243A1 (en) | 2000-12-15 | 2000-12-15 | Method and apparatus for time synchronization in a network data processing system |
| US11/134,707AbandonedUS20050210153A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US11/134,639AbandonedUS20050210306A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US12/129,490Expired - Fee RelatedUS7818562B2 (en) | 2000-12-15 | 2008-05-29 | Method and apparatus for time synchronization in a network data processing system |
Family Applications After (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US11/134,707AbandonedUS20050210153A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US11/134,639AbandonedUS20050210306A1 (en) | 2000-12-15 | 2005-05-20 | Method and apparatus for time synchronization in a network data processing system |
| US12/129,490Expired - Fee RelatedUS7818562B2 (en) | 2000-12-15 | 2008-05-29 | Method and apparatus for time synchronization in a network data processing system |
Country Status (1)
| Country | Link |
|---|---|
| US (4) | US20020078243A1 (en) |
Cited By (44)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040148333A1 (en)* | 2003-01-27 | 2004-07-29 | Microsoft Corporation | Peer-to-peer grouping interfaces and methods |
| US20040151125A1 (en)* | 2000-12-28 | 2004-08-05 | Oyvind Holmeide | Method for synchronization in a local area network including a store-and-forward device |
| US20050005114A1 (en)* | 2003-07-05 | 2005-01-06 | General Instrument Corporation | Ticket-based secure time delivery in digital networks |
| US20050108371A1 (en)* | 2003-10-23 | 2005-05-19 | Microsoft Corporation | Managed peer name resolution protocol (PNRP) interfaces for peer to peer networking |
| US20050108373A1 (en)* | 2003-11-05 | 2005-05-19 | Microsoft Corporation | Method for establishing and maintaining a shared view of time in a peer-to-peer network |
| US20050146448A1 (en)* | 2002-01-15 | 2005-07-07 | Microsoft Corporation | Methods and systems for synchronizing data streams |
| GB2404761B (en)* | 2003-08-08 | 2006-10-11 | Hewlett Packard Development Co | Multiprocessor system with interactive synchronization of local clocks |
| US20060239295A1 (en)* | 2005-04-22 | 2006-10-26 | Microsoft Corporation | Application programming interface for inviting participants in a serverless peer to peer network |
| US20060242415A1 (en)* | 2005-04-22 | 2006-10-26 | Citrix Systems, Inc. | System and method for key recovery |
| DE102005025325A1 (en)* | 2005-05-31 | 2006-12-07 | Siemens Ag | Method for transmission and verification of synchronization messages |
| US20070094584A1 (en)* | 2005-10-26 | 2007-04-26 | Lee Preimesberger | Unit time synchronization techniques in a manufacturing environment |
| US20070157295A1 (en)* | 2005-12-30 | 2007-07-05 | Geetha Mangalore | Method and apparatus for provisioning a device to access digital rights management (DRM) services in a universal plug and play (UPnP) network |
| US20070204022A1 (en)* | 2006-02-24 | 2007-08-30 | Acer Inc. | Method for acquiring information, and hand-held mobile communications device for implementing the method |
| US20080014910A1 (en)* | 2006-05-11 | 2008-01-17 | Acer Inc. | Method for acquiring information, and hand-held mobile communications device for implementing the method |
| US7373508B1 (en)* | 2002-06-04 | 2008-05-13 | Cisco Technology, Inc. | Wireless security system and method |
| US20080126820A1 (en)* | 2006-07-17 | 2008-05-29 | Keir Fraser | Tracking current time on multiprocessor hosts and virtual machines |
| US20080183899A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Server time protocol messages and methods |
| US20080184060A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Facilitating recovery in a coordinated timing network |
| US20080183895A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Facilitating synchronization of servers in a coordinated timing network |
| US20080183897A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Employing configuration information to determine the role of a server in a coordinated timing network |
| US7493363B2 (en) | 2001-09-19 | 2009-02-17 | Microsoft Corporation | Peer-to-peer group management and method for maintaining peer-to-peer graphs |
| US7539777B1 (en)* | 2002-10-25 | 2009-05-26 | Cisco Technology, Inc. | Method and system for network time protocol forwarding |
| US20090248868A1 (en)* | 2005-04-22 | 2009-10-01 | Microsoft Corporation | Contact Management in a Serverless Peer-to-Peer System |
| US20090248900A1 (en)* | 2008-03-27 | 2009-10-01 | Microsoft Corporation | Synchronizing clocks in an asynchronous distributed system |
| US20090257456A1 (en)* | 2008-04-10 | 2009-10-15 | International Business Machines Corporation | Coordinated timing network having servers of different capabilities |
| US7613812B2 (en) | 2002-12-04 | 2009-11-03 | Microsoft Corporation | Peer-to-peer identity management interfaces and methods |
| US7653631B1 (en)* | 2001-05-10 | 2010-01-26 | Foundationip, Llc | Method for synchronizing information in multiple case management systems |
| US20100100762A1 (en)* | 2008-10-21 | 2010-04-22 | International Business Machines Corporation | Backup power source used in indicating that server may leave network |
| US20100185889A1 (en)* | 2007-01-31 | 2010-07-22 | International Business Machines Corporation | Channel subsystem server time protocol commands |
| US7797414B2 (en)* | 2007-01-31 | 2010-09-14 | International Business Machines Corporation | Establishing a logical path between servers in a coordinated timing network |
| US7899894B2 (en) | 2006-08-30 | 2011-03-01 | International Business Machines Corporation | Coordinated timing network configuration parameter update procedure |
| US7925916B2 (en) | 2008-04-10 | 2011-04-12 | International Business Machines Corporation | Failsafe recovery facility in a coordinated timing network |
| US7949996B2 (en) | 2003-10-23 | 2011-05-24 | Microsoft Corporation | Peer-to-peer identity management managed interfaces and methods |
| US20110252266A1 (en)* | 2010-04-12 | 2011-10-13 | Costa Glauber De Oliveira | Keeping time in multi-processor virtualization environments |
| US8688803B2 (en) | 2004-03-26 | 2014-04-01 | Microsoft Corporation | Method for efficient content distribution using a peer-to-peer networking infrastructure |
| US8806063B1 (en)* | 2011-07-11 | 2014-08-12 | Juniper Networks, Inc. | Enhanced pulse assisted time synchronization protocol |
| US9027099B1 (en) | 2012-07-11 | 2015-05-05 | Microstrategy Incorporated | User credentials |
| US9071424B1 (en)* | 2013-03-29 | 2015-06-30 | Emc Corporation | Token-based key generation |
| US9154303B1 (en) | 2013-03-14 | 2015-10-06 | Microstrategy Incorporated | Third-party authorization of user credentials |
| US9432339B1 (en) | 2014-09-29 | 2016-08-30 | Emc Corporation | Automated token renewal using OTP-based authentication codes |
| US9640001B1 (en) | 2012-11-30 | 2017-05-02 | Microstrategy Incorporated | Time-varying representations of user credentials |
| US9887992B1 (en) | 2012-07-11 | 2018-02-06 | Microstrategy Incorporated | Sight codes for website authentication |
| US9886569B1 (en) | 2012-10-26 | 2018-02-06 | Microstrategy Incorporated | Credential tracking |
| US12088576B2 (en)* | 2019-12-13 | 2024-09-10 | Visa International Service Association | System, method, and computer program product for managing computational cluster access to multiple domains |
Families Citing this family (34)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020078243A1 (en)* | 2000-12-15 | 2002-06-20 | International Business Machines Corporation | Method and apparatus for time synchronization in a network data processing system |
| DE10241429B4 (en)* | 2002-09-06 | 2007-10-25 | Siemens Ag | Method for the synchronization of network nodes of a subnetwork |
| US8591974B2 (en) | 2003-11-21 | 2013-11-26 | Kraft Foods Global Brands Llc | Delivery system for two or more active components as part of an edible composition |
| US20050112236A1 (en) | 2003-11-21 | 2005-05-26 | Navroz Boghani | Delivery system for active components as part of an edible composition having preselected tensile strength |
| US8597703B2 (en) | 2005-05-23 | 2013-12-03 | Kraft Foods Global Brands Llc | Delivery system for active components as part of an edible composition including a ratio of encapsulating material and active component |
| US8591972B2 (en) | 2005-05-23 | 2013-11-26 | Kraft Foods Global Brands Llc | Delivery system for coated active components as part of an edible composition |
| US8591973B2 (en) | 2005-05-23 | 2013-11-26 | Kraft Foods Global Brands Llc | Delivery system for active components and a material having preselected hydrophobicity as part of an edible composition |
| US8389032B2 (en) | 2005-05-23 | 2013-03-05 | Kraft Foods Global Brands Llc | Delivery system for active components as part of an edible composition having selected particle size |
| US8389031B2 (en) | 2005-05-23 | 2013-03-05 | Kraft Foods Global Brands Llc | Coated delivery system for active components as part of an edible composition |
| US8591968B2 (en) | 2005-05-23 | 2013-11-26 | Kraft Foods Global Brands Llc | Edible composition including a delivery system for active components |
| US7805612B2 (en)* | 2005-12-02 | 2010-09-28 | Gm Global Technology Operations, Inc. | Use of global clock to secure and synchronize messages in XM and SMS messages to a vehicle |
| US20070136792A1 (en)* | 2005-12-05 | 2007-06-14 | Ting David M | Accelerating biometric login procedures |
| US8307120B2 (en)* | 2006-03-07 | 2012-11-06 | Nec Corporation | Resource information managing device, system, method, and program |
| US20080031283A1 (en)* | 2006-08-07 | 2008-02-07 | Martin Curran-Gray | Time synchronization for network aware devices |
| US20080072303A1 (en)* | 2006-09-14 | 2008-03-20 | Schlumberger Technology Corporation | Method and system for one time password based authentication and integrated remote access |
| EP2153611B1 (en) | 2007-06-01 | 2013-03-27 | Research In Motion Limited | Synchronization of side information caches |
| WO2009033001A2 (en)* | 2007-09-05 | 2009-03-12 | University Of Utah Research Foundation | Robust location distinction using teporal link signatures |
| GB2454937A (en)* | 2007-11-23 | 2009-05-27 | Ubiquisys Ltd | Acquiring time references for a telecommunications basestation from a time server |
| US8515061B2 (en)* | 2008-09-11 | 2013-08-20 | The University Of Utah Research Foundation | Method and system for high rate uncorrelated shared secret bit extraction from wireless link characteristics |
| US8503673B2 (en) | 2008-09-11 | 2013-08-06 | University Of Utah Research Foundation | Method and system for secret key exchange using wireless link characteristics and random device movement |
| US8502728B2 (en) | 2008-09-12 | 2013-08-06 | University Of Utah Research Foundation | Method and system for tracking objects using radio tomographic imaging |
| WO2010030950A2 (en)* | 2008-09-12 | 2010-03-18 | University Of Utah Research Foundation | Method and system for detecting unauthorized wireless access points using clock skews |
| US8108557B2 (en)* | 2009-01-22 | 2012-01-31 | Hewlett-Packard Development Company, L.P. | System and method for measuring clock skew on a network |
| US8818288B2 (en) | 2010-07-09 | 2014-08-26 | University Of Utah Research Foundation | Statistical inversion method and system for device-free localization in RF sensor networks |
| EP2701532B1 (en) | 2011-04-29 | 2017-11-15 | Intercontinental Great Brands LLC | Encapsulated acid, method for the preparation thereof, and chewing gum comprising same |
| CN103814338A (en) | 2011-07-20 | 2014-05-21 | 航空网络公司 | Systems and methods of network synchronization |
| US8938636B1 (en) | 2012-05-18 | 2015-01-20 | Google Inc. | Generating globally coherent timestamps |
| US9569253B1 (en) | 2012-06-04 | 2017-02-14 | Google Inc. | Ensuring globally consistent transactions |
| JP5734934B2 (en)* | 2012-09-07 | 2015-06-17 | 株式会社東芝 | Communication node, key synchronization method, key synchronization system |
| CN103516794B (en)* | 2013-09-24 | 2016-08-24 | 武汉企鹅能源数据有限公司 | The network architecture of a kind of distributed server and its implementation |
| US9952620B2 (en)* | 2014-04-10 | 2018-04-24 | Intel Corporation | Time-synchronizing a group of nodes |
| EP2963855A1 (en)* | 2014-07-04 | 2016-01-06 | Gemalto SA | Synchronization method for synchronizing a peripheral function. |
| US10050789B2 (en) | 2015-04-24 | 2018-08-14 | Red Hat, Inc. | Kerberos preauthentication with J-PAKE |
| EP3333750A1 (en)* | 2016-12-06 | 2018-06-13 | Safenet Canada Inc. | Method to create a trusted pool of devices |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5500897A (en)* | 1993-07-22 | 1996-03-19 | International Business Machines Corporation | Client/server based secure timekeeping system |
| US5921938A (en)* | 1997-10-09 | 1999-07-13 | Physio-Control Manufacturing Corporation | System and method for adjusting time associated with medical event data |
| US5968133A (en)* | 1997-01-10 | 1999-10-19 | Secure Computing Corporation | Enhanced security network time synchronization device and method |
| US6023769A (en)* | 1998-09-17 | 2000-02-08 | Apple Computer, Inc. | Method and apparatus for synchronizing an imprecise time clock maintained by a computer system |
| US6028939A (en)* | 1997-01-03 | 2000-02-22 | Redcreek Communications, Inc. | Data security system and method |
| US6223240B1 (en)* | 1998-01-27 | 2001-04-24 | Lsi Logic Corporation | Bus bridge architecture for a data processing system capable of sharing processing load among a plurality of devices |
| US20030123491A1 (en)* | 2000-12-13 | 2003-07-03 | Bruno Couillard | Method and system for time synchronization |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5544322A (en)* | 1994-05-09 | 1996-08-06 | International Business Machines Corporation | System and method for policy-based inter-realm authentication within a distributed processing system |
| US5978918A (en)* | 1997-01-17 | 1999-11-02 | Secure.Net Corporation | Security process for public networks |
| US6157957A (en)* | 1998-01-22 | 2000-12-05 | Cisco Technology, Inc. | Clock synchronization system and method using a continuous conversion function for a communication network |
| US6175920B1 (en)* | 1998-02-20 | 2001-01-16 | Unisys Corporation | Expedited message control for synchronous response in a Kerberos domain |
| US6986039B1 (en)* | 2000-07-11 | 2006-01-10 | International Business Machines Corporation | Technique for synchronizing security credentials using a trusted authenticating domain |
| US20020078243A1 (en)* | 2000-12-15 | 2002-06-20 | International Business Machines Corporation | Method and apparatus for time synchronization in a network data processing system |
- 2000
- 2000-12-15USUS09/738,244patent/US20020078243A1/ennot_activeAbandoned
- 2005
- 2005-05-20USUS11/134,707patent/US20050210153A1/ennot_activeAbandoned
- 2005-05-20USUS11/134,639patent/US20050210306A1/ennot_activeAbandoned
- 2008
- 2008-05-29USUS12/129,490patent/US7818562B2/ennot_activeExpired - Fee Related
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5500897A (en)* | 1993-07-22 | 1996-03-19 | International Business Machines Corporation | Client/server based secure timekeeping system |
| US6028939A (en)* | 1997-01-03 | 2000-02-22 | Redcreek Communications, Inc. | Data security system and method |
| US5968133A (en)* | 1997-01-10 | 1999-10-19 | Secure Computing Corporation | Enhanced security network time synchronization device and method |
| US5921938A (en)* | 1997-10-09 | 1999-07-13 | Physio-Control Manufacturing Corporation | System and method for adjusting time associated with medical event data |
| US6223240B1 (en)* | 1998-01-27 | 2001-04-24 | Lsi Logic Corporation | Bus bridge architecture for a data processing system capable of sharing processing load among a plurality of devices |
| US6023769A (en)* | 1998-09-17 | 2000-02-08 | Apple Computer, Inc. | Method and apparatus for synchronizing an imprecise time clock maintained by a computer system |
| US20030123491A1 (en)* | 2000-12-13 | 2003-07-03 | Bruno Couillard | Method and system for time synchronization |
Cited By (95)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040151125A1 (en)* | 2000-12-28 | 2004-08-05 | Oyvind Holmeide | Method for synchronization in a local area network including a store-and-forward device |
| US8291105B2 (en)* | 2000-12-28 | 2012-10-16 | Abb Research Ltd. | Method for synchronization in a local area network including a store-and-forward device |
| US7653631B1 (en)* | 2001-05-10 | 2010-01-26 | Foundationip, Llc | Method for synchronizing information in multiple case management systems |
| US7493363B2 (en) | 2001-09-19 | 2009-02-17 | Microsoft Corporation | Peer-to-peer group management and method for maintaining peer-to-peer graphs |
| US7248187B2 (en) | 2002-01-15 | 2007-07-24 | Microsoft Corporation | Synchronizing data streams |
| US7480728B2 (en) | 2002-01-15 | 2009-01-20 | Microsoft Corporation | Synchronizing data streams |
| US7202803B2 (en)* | 2002-01-15 | 2007-04-10 | Microsoft Corporation | Methods and systems for synchronizing data streams |
| US20050146448A1 (en)* | 2002-01-15 | 2005-07-07 | Microsoft Corporation | Methods and systems for synchronizing data streams |
| US20050228898A1 (en)* | 2002-01-15 | 2005-10-13 | Microsoft Corporation | Synchronizing data streams |
| US20060031556A1 (en)* | 2002-01-15 | 2006-02-09 | Microsoft Corporation | Synchronizing data streams |
| US7885410B1 (en) | 2002-06-04 | 2011-02-08 | Cisco Technology, Inc. | Wireless security system and method |
| US7373508B1 (en)* | 2002-06-04 | 2008-05-13 | Cisco Technology, Inc. | Wireless security system and method |
| US7539777B1 (en)* | 2002-10-25 | 2009-05-26 | Cisco Technology, Inc. | Method and system for network time protocol forwarding |
| US9021106B2 (en) | 2002-12-04 | 2015-04-28 | Microsoft Technology Licensing, Llc | Peer-to-peer identity management interfaces and methods |
| US8756327B2 (en) | 2002-12-04 | 2014-06-17 | Microsoft Corporation | Peer-to-peer identity management interfaces and methods |
| US7613812B2 (en) | 2002-12-04 | 2009-11-03 | Microsoft Corporation | Peer-to-peer identity management interfaces and methods |
| US20100030900A1 (en)* | 2002-12-04 | 2010-02-04 | Microsoft Coporation | Peer-to-Peer Identity Management Interfaces and Methods |
| US8010681B2 (en) | 2002-12-04 | 2011-08-30 | Microsoft Corporation | Communicating between an application process and a server process to manage peer-to-peer identities |
| US7596625B2 (en) | 2003-01-27 | 2009-09-29 | Microsoft Corporation | Peer-to-peer grouping interfaces and methods |
| US20040148333A1 (en)* | 2003-01-27 | 2004-07-29 | Microsoft Corporation | Peer-to-peer grouping interfaces and methods |
| US20050005114A1 (en)* | 2003-07-05 | 2005-01-06 | General Instrument Corporation | Ticket-based secure time delivery in digital networks |
| GB2404761B (en)* | 2003-08-08 | 2006-10-11 | Hewlett Packard Development Co | Multiprocessor system with interactive synchronization of local clocks |
| US7949996B2 (en) | 2003-10-23 | 2011-05-24 | Microsoft Corporation | Peer-to-peer identity management managed interfaces and methods |
| US20050108371A1 (en)* | 2003-10-23 | 2005-05-19 | Microsoft Corporation | Managed peer name resolution protocol (PNRP) interfaces for peer to peer networking |
| US7496648B2 (en) | 2003-10-23 | 2009-02-24 | Microsoft Corporation | Managed peer name resolution protocol (PNRP) interfaces for peer to peer networking |
| US7689720B2 (en) | 2003-11-05 | 2010-03-30 | Microsoft Corporation | Method for establishing and maintaining a shared view of time in a peer-to-peer network |
| US20050108373A1 (en)* | 2003-11-05 | 2005-05-19 | Microsoft Corporation | Method for establishing and maintaining a shared view of time in a peer-to-peer network |
| US8688803B2 (en) | 2004-03-26 | 2014-04-01 | Microsoft Corporation | Method for efficient content distribution using a peer-to-peer networking infrastructure |
| US8036140B2 (en) | 2005-04-22 | 2011-10-11 | Microsoft Corporation | Application programming interface for inviting participants in a serverless peer to peer network |
| US20060239295A1 (en)* | 2005-04-22 | 2006-10-26 | Microsoft Corporation | Application programming interface for inviting participants in a serverless peer to peer network |
| US7814214B2 (en) | 2005-04-22 | 2010-10-12 | Microsoft Corporation | Contact management in a serverless peer-to-peer system |
| US20090248868A1 (en)* | 2005-04-22 | 2009-10-01 | Microsoft Corporation | Contact Management in a Serverless Peer-to-Peer System |
| US7831833B2 (en) | 2005-04-22 | 2010-11-09 | Citrix Systems, Inc. | System and method for key recovery |
| US20060242415A1 (en)* | 2005-04-22 | 2006-10-26 | Citrix Systems, Inc. | System and method for key recovery |
| DE102005025325B4 (en)* | 2005-05-31 | 2007-06-28 | Siemens Ag | Method for transmission and verification of synchronization messages |
| DE102005025325A1 (en)* | 2005-05-31 | 2006-12-07 | Siemens Ag | Method for transmission and verification of synchronization messages |
| US7634580B2 (en)* | 2005-10-26 | 2009-12-15 | Hewlett-Packard Development Company, L.P. | Unit time synchronization techniques in a manufacturing environment |
| US20070094584A1 (en)* | 2005-10-26 | 2007-04-26 | Lee Preimesberger | Unit time synchronization techniques in a manufacturing environment |
| US8176534B2 (en)* | 2005-12-30 | 2012-05-08 | General Instrument Corporation | Method and apparatus for provisioning a device to access digital rights management (DRM) services in a universal plug and play (UPnP) network |
| US20070157295A1 (en)* | 2005-12-30 | 2007-07-05 | Geetha Mangalore | Method and apparatus for provisioning a device to access digital rights management (DRM) services in a universal plug and play (UPnP) network |
| US20070204022A1 (en)* | 2006-02-24 | 2007-08-30 | Acer Inc. | Method for acquiring information, and hand-held mobile communications device for implementing the method |
| US20080014910A1 (en)* | 2006-05-11 | 2008-01-17 | Acer Inc. | Method for acquiring information, and hand-held mobile communications device for implementing the method |
| US7870411B2 (en)* | 2006-07-17 | 2011-01-11 | Xensource, Inc. | Tracking current time on multiprocessor hosts and virtual machines |
| WO2008011030A3 (en)* | 2006-07-17 | 2008-09-25 | Xensource Inc | Tracking current time on multiprocessor hosts and virtual machines |
| US20080126820A1 (en)* | 2006-07-17 | 2008-05-29 | Keir Fraser | Tracking current time on multiprocessor hosts and virtual machines |
| US7899894B2 (en) | 2006-08-30 | 2011-03-01 | International Business Machines Corporation | Coordinated timing network configuration parameter update procedure |
| US7783913B2 (en) | 2007-01-31 | 2010-08-24 | International Business Machines Corporation | Facilitating recovery in a coordinated timing network |
| US8738792B2 (en) | 2007-01-31 | 2014-05-27 | International Business Machines Corporation | Server time protocol messages and methods |
| US7797414B2 (en)* | 2007-01-31 | 2010-09-14 | International Business Machines Corporation | Establishing a logical path between servers in a coordinated timing network |
| US7783736B2 (en)* | 2007-01-31 | 2010-08-24 | International Business Machines Corporation | Definition of an active stratum-1 server in a coordinated timing network |
| US7779109B2 (en)* | 2007-01-31 | 2010-08-17 | International Business Machines Corporation | Facilitating synchronization of servers in a coordinated timing network |
| US20100185889A1 (en)* | 2007-01-31 | 2010-07-22 | International Business Machines Corporation | Channel subsystem server time protocol commands |
| US9164699B2 (en) | 2007-01-31 | 2015-10-20 | International Business Machines Corporation | Channel subsystem server time protocol commands |
| US9112626B2 (en) | 2007-01-31 | 2015-08-18 | International Business Machines Corporation | Employing configuration information to determine the role of a server in a coordinated timing network |
| US7895303B2 (en) | 2007-01-31 | 2011-02-22 | International Business Machines Corporation | Server time protocol control messages and methods |
| US20080183899A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Server time protocol messages and methods |
| US8972606B2 (en) | 2007-01-31 | 2015-03-03 | International Business Machines Corporation | Channel subsystem server time protocol commands |
| US20080184060A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Facilitating recovery in a coordinated timing network |
| US20100223317A1 (en)* | 2007-01-31 | 2010-09-02 | International Business Machines Corporation | Server time protocol messages and methods |
| US8001225B2 (en) | 2007-01-31 | 2011-08-16 | International Business Machines Corporation | Server time protocol messages and methods |
| US20080183895A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Facilitating synchronization of servers in a coordinated timing network |
| US8458361B2 (en) | 2007-01-31 | 2013-06-04 | International Business Machines Corporation | Channel subsystem server time protocol commands |
| US20080183897A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Employing configuration information to determine the role of a server in a coordinated timing network |
| US20080183849A1 (en)* | 2007-01-31 | 2008-07-31 | International Business Machines Corporation | Server time protocol control messages and methods |
| WO2009121005A3 (en)* | 2008-03-27 | 2009-12-23 | Microsoft Corporation | Synchronizing clocks in an asynchronous distributed system |
| KR101566570B1 (en) | 2008-03-27 | 2015-11-05 | 마이크로소프트 테크놀로지 라이센싱, 엘엘씨 | Synchronizing clocks in an asynchronous distributed system |
| CN101981527B (en)* | 2008-03-27 | 2012-12-26 | 微软公司 | Synchronizing clocks in an asynchronous distributed system |
| US8073976B2 (en) | 2008-03-27 | 2011-12-06 | Microsoft Corporation | Synchronizing clocks in an asynchronous distributed system |
| US20090248900A1 (en)* | 2008-03-27 | 2009-10-01 | Microsoft Corporation | Synchronizing clocks in an asynchronous distributed system |
| US8416811B2 (en) | 2008-04-10 | 2013-04-09 | International Business Machines Corporation | Coordinated timing network having servers of different capabilities |
| US20090257456A1 (en)* | 2008-04-10 | 2009-10-15 | International Business Machines Corporation | Coordinated timing network having servers of different capabilities |
| US7925916B2 (en) | 2008-04-10 | 2011-04-12 | International Business Machines Corporation | Failsafe recovery facility in a coordinated timing network |
| US20100100761A1 (en)* | 2008-10-21 | 2010-04-22 | International Business Machines Corporation | Maintaining a primary time server as the current time server in response to failure of time code receivers of the primary time server |
| US7873862B2 (en) | 2008-10-21 | 2011-01-18 | International Business Machines Corporation | Maintaining a primary time server as the current time server in response to failure of time code receivers of the primary time server |
| US7958384B2 (en) | 2008-10-21 | 2011-06-07 | International Business Machines Corporation | Backup power source used in indicating that server may leave network |
| US20100100762A1 (en)* | 2008-10-21 | 2010-04-22 | International Business Machines Corporation | Backup power source used in indicating that server may leave network |
| US20110252266A1 (en)* | 2010-04-12 | 2011-10-13 | Costa Glauber De Oliveira | Keeping time in multi-processor virtualization environments |
| US8359488B2 (en)* | 2010-04-12 | 2013-01-22 | Red Hat, Inc. | Keeping time in multi-processor virtualization environments |
| US8806063B1 (en)* | 2011-07-11 | 2014-08-12 | Juniper Networks, Inc. | Enhanced pulse assisted time synchronization protocol |
| US9269358B1 (en) | 2012-07-11 | 2016-02-23 | Microstrategy Incorporated | User credentials |
| US9742781B1 (en) | 2012-07-11 | 2017-08-22 | Microstrategy Incorporated | Generation and validation of user credentials |
| US9979723B1 (en) | 2012-07-11 | 2018-05-22 | Microstrategy Incorporated | User credentials |
| US9264415B1 (en) | 2012-07-11 | 2016-02-16 | Microstrategy Incorporated | User credentials |
| US9027099B1 (en) | 2012-07-11 | 2015-05-05 | Microstrategy Incorporated | User credentials |
| US9887992B1 (en) | 2012-07-11 | 2018-02-06 | Microstrategy Incorporated | Sight codes for website authentication |
| US9860246B1 (en) | 2012-07-11 | 2018-01-02 | Microstrategy Incorporated | Generation and validation of user credentials having multiple representations |
| US9807074B1 (en) | 2012-07-11 | 2017-10-31 | Microstrategy Incorporated | User credentials |
| US9886569B1 (en) | 2012-10-26 | 2018-02-06 | Microstrategy Incorporated | Credential tracking |
| US9640001B1 (en) | 2012-11-30 | 2017-05-02 | Microstrategy Incorporated | Time-varying representations of user credentials |
| US10084775B1 (en) | 2012-11-30 | 2018-09-25 | Microstrategy Incorporated | Time-varying representations of user credentials |
| US9154303B1 (en) | 2013-03-14 | 2015-10-06 | Microstrategy Incorporated | Third-party authorization of user credentials |
| US10027680B1 (en) | 2013-03-14 | 2018-07-17 | Microstrategy Incorporated | Third-party authorization of user credentials |
| US9071424B1 (en)* | 2013-03-29 | 2015-06-30 | Emc Corporation | Token-based key generation |
| US9432339B1 (en) | 2014-09-29 | 2016-08-30 | Emc Corporation | Automated token renewal using OTP-based authentication codes |
| US12088576B2 (en)* | 2019-12-13 | 2024-09-10 | Visa International Service Association | System, method, and computer program product for managing computational cluster access to multiple domains |
Also Published As
| Publication number | Publication date |
|---|---|
| US7818562B2 (en) | 2010-10-19 |
| US20050210306A1 (en) | 2005-09-22 |
| US20080244094A1 (en) | 2008-10-02 |
| US20050210153A1 (en) | 2005-09-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7818562B2 (en) | Method and apparatus for time synchronization in a network data processing system | |
| RU2417422C2 (en) | Single network login distributed service | |
| US7150038B1 (en) | Facilitating single sign-on by using authenticated code to access a password store | |
| US5717756A (en) | System and method for providing masquerade protection in a computer network using hardware and timestamp-specific single use keys | |
| US7062781B2 (en) | Method for providing simultaneous parallel secure command execution on multiple remote hosts | |
| US6446206B1 (en) | Method and system for access control of a message queue | |
| US6732277B1 (en) | Method and apparatus for dynamically accessing security credentials and related information | |
| RU2297037C2 (en) | Method for controlling protected communication line in dynamic networks | |
| US6993652B2 (en) | Method and system for providing client privacy when requesting content from a public server | |
| KR100414238B1 (en) | Secure network protocol system and method | |
| US5923756A (en) | Method for providing secure remote command execution over an insecure computer network | |
| US7698736B2 (en) | Secure delegation using public key authentication | |
| EP2520064B1 (en) | Distributed authentication with data cloud | |
| US9602275B2 (en) | Server pool kerberos authentication scheme | |
| US20050210253A1 (en) | Secure communication method, terminal device, authentication server, computer program, and computer-readable recording medium | |
| US20060288230A1 (en) | One time password integration with Kerberos | |
| US7571311B2 (en) | Scheme for sub-realms within an authentication protocol | |
| EP1749389B1 (en) | Method and system for authentication in a computer network | |
| EP2805447B1 (en) | Integrating server applications with multiple authentication providers | |
| US20090138702A1 (en) | Method and apparatus for supporting cryptographic-related activities in a public key infrastructure | |
| Gollmann et al. | Authentication services in distributed systems | |
| Weeks et al. | CCI-Based Web security: a design using PGP | |
| US20110307700A1 (en) | System and method for performing two factor authentication and digital signing | |
| US7536543B1 (en) | System and method for authentication and authorization using a centralized authority | |
| Tusa et al. | Design and implementation of an xml-based grid file storage system with security features |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment | Owner name:INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RICH, BRUCE ARLAND;ZHANG, XIAOYAN;REEL/FRAME:011389/0006;SIGNING DATES FROM 20001207 TO 20001212 | |
| STCB | Information on status: application discontinuation | Free format text:EXPRESSLY ABANDONED -- DURING EXAMINATION |