Efficient start-up for secured connections and related services

US 10,050,955 B2
Filed: 10/22/2015
Issued: 08/14/2018
Est. Priority Date: 10/24/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of:

generating entity authentication data that identifies and authenticates a client machine;

generating user authentication data that identifies a user associated with the client machine;

generating a first key request for generating a first plurality of session keys for encrypting and authenticating messages exchanged with the client machine; and

transmitting a first message to a server machine that includes the entity authentication data, the user authentication data, the first key request, and payload data, wherein, prior to transmission, the first message is encrypted using a pre-provisioned encryption key,wherein the first plurality of session keys are generated based on decrypting the first message to retrieve the key request and the payload data, authenticating the client machine based on the entity authentication data included in the first message, and authenticating the user associated with the client machine based on the user authenticated data included in the first message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention includes an approach for efficient start-up for secured connections and related services. A client machine receives, via an application program, a request to send a secure message to a server machine. The client machine transmits a plurality of messages to the server machine that includes a first message comprising at least two of user authentication data, entity authentication data, key exchange data, and encrypted message data. The client machine receives, from the server machine, a second message that includes a first master token comprising a first set of session keys for encrypting and authenticating messages exchanged with the server machine.

Citations

20 Claims

1. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of:
- generating entity authentication data that identifies and authenticates a client machine;
  
  generating user authentication data that identifies a user associated with the client machine;
  
  generating a first key request for generating a first plurality of session keys for encrypting and authenticating messages exchanged with the client machine; and
  
  transmitting a first message to a server machine that includes the entity authentication data, the user authentication data, the first key request, and payload data, wherein, prior to transmission, the first message is encrypted using a pre-provisioned encryption key,wherein the first plurality of session keys are generated based on decrypting the first message to retrieve the key request and the payload data, authenticating the client machine based on the entity authentication data included in the first message, and authenticating the user associated with the client machine based on the user authenticated data included in the first message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The non-transitory computer-readable storage medium of claim 1, further comprising receiving, from the server machine, a second message that includes a first master token comprising the first plurality of session keys.
  - 3. The non-transitory computer-readable storage medium of claim 2, wherein the second message further includes the entity authentication data.
  - 4. The non-transitory computer-readable storage medium of claim 2, wherein the second message further includes a first user identification token.
  - 5. The non-transitory computer-readable storage medium of claim 2, further comprising:
    - determining that the first master token is renewable;
      
      generating a second key request for a second plurality of session keys; and
      
      transmitting a third message to the server machine that includes the first master token, the first user identification token, and the second key request.
  - 6. The non-transitory computer-readable storage medium of claim 5, further comprising identifying the third message as renewable.
  - 7. The non-transitory computer-readable storage medium of claim 5, further comprising receiving, from the server machine, a fourth message that includes a second master token comprising the second plurality of session keys.
  - 8. The non-transitory computer-readable storage medium of claim 5, wherein determining that the first master token is renewable comprises determining that a threshold number of messages has been exchanged between the client machine and the server machine subsequent to receiving the first master token.
  - 9. The non-transitory computer-readable storage medium of claim 5, wherein determining that the first master token is renewable comprises determining that a threshold amount of time has passed subsequent to receiving the first master token.
  - 10. The non-transitory computer-readable storage medium of claim 2, wherein the client machine and the server machine communicate via a trusted services network.
  - 11. The non-transitory computer-readable storage medium of claim 2, wherein the client machine and the server machine communicate via a peer-to-peer network.
  - 12. The non-transitory computer-readable storage medium of claim 1, wherein the first message further includes payload data.

13. A server machine, comprising:
- a processor; and
  
  a memory coupled to the processor and including a base authentication module;
  
  a key derivation module; and
  
  a key exchange module;
  
  wherein, when executed by the processor, the base authentication module is configured to;
  
  receive a first message from a client machine that includes entity authentication data, user authentication data, and a first key request for generating a first plurality of session keys for encrypting and authenticating messages exchanged with the client machine, wherein, prior to transmission, the first message is encrypted using a pre-provisioned encryption key,decrypting the first message to retrieve the key request and the payload data,authenticating the client machine based on the entity authentication data included in the first message,authenticating the user associated with the client machine based on the user authenticated data included in the first message, andgenerate a signature the includes a private key for transmission to the client machine;
  
  wherein, when executed by the processor, the key derivation module is configured to;
  
  generate the first plurality of session keys in response to decrypting the first key request, authenticating the client machine, and authenticating the user associated with the client machine; and
  
  wherein, when executed by the processor, the key exchange module is configured to;
  
  transmit a second message to the client machine that includes the private key and the first plurality of session keys.
- View Dependent Claims (14, 15)
- - 14. The server machine of claim 13, wherein:
    - the memory further includes a master token generator, and, when executed by the processor, the master token generator is configured to generate a first master token, andthe second message further includes the first master token.
  - 15. The server machine of claim 13, wherein:
    - the memory further includes a user identification token generator, and, when executed by the processor, the user identification token generator is configured to generate a first user identification token, andthe second message further includes the first user identification token.

16. A computer-implemented method, comprising:
- receiving, via an application program, a request to send a secure message to a server machine;
  
  transmitting a plurality of messages to the server machine that includes a first message comprising a first key request for generating a first plurality of session keys for encrypting and authenticating messages exchanged with the server machine and at least one of user authentication data, entity authentication data, key exchange data, and encrypted message data wherein, prior to transmission, the first message is encrypted using a pre-provisioned encryption key; and
  
  receiving, from the server machine, a second message that includes a first master token comprising the first plurality of session keys, wherein the first plurality of session keys are generated based on decrypting the first message to retrieve the key request and the payload data, authenticating the client machine based on the entity authentication data included in the first message, and authenticating the user associated with the client machine based on the user authenticated data included in the first message.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising determining that a current time falls within a renewal window that defines a time after which the first master token is renewed if a message that is included in the plurality of messages is identified as renewable.
  - 18. The method of claim 17, further comprising:
    - identifying a second message included in the plurality of messages as renewable; and
      
      transmitting the second message to the server machine.
  - 19. The method of claim 18, further comprising receiving a set of renewed credentials from the server machine that includes a second master token comprising a second set of session keys for encrypting and authenticating messages exchanged with the server machine, wherein the second master token replaces the first master token and the second set of session keys replaces the first set of session keys.
  - 20. The method of claim 19, wherein the plurality of messages includes one or more additional messages that are associated with the first master token and transmitted to the server machine prior to receiving the set of renewed credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netflix, Inc.
Original Assignee
Netflix, Inc.
Inventors
Zollinger, James Mitchell, Miaw, Wesley
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/920,641
Publication Number

US 20160119318A1
Time in Patent Office

1,027 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/083   using passwords cryptograph...

H04L 9/0819   Key transport or distributi...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0861   Generation of secret inform...

H04L 9/3228   One-time or temporary data,...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04W 12/069   using certificates or pre-s...

H04W 12/082   using revocation of authori...

Y04S 40/20   Information technology spec...

Efficient start-up for secured connections and related services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient start-up for secured connections and related services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links