Secure communication system and method

US 10,298,588 B2
Filed: 07/29/2015
Issued: 05/21/2019
Est. Priority Date: 07/29/2014
Status: Active Grant

First Claim

Patent Images

1. A secure communication system comprising:

a software program client operating on a host computing device, wherein said client is configured to access one or more protected services running on a computing device that is remote to said host computing device over a communication channel, and wherein said client is configured to unlock a token such that said client uses a particular user identity;

a service manager configured to manage said access to said protected services by said client, wherein said service manager is remote to said host computing device, and wherein said service manager maintains a list of predetermined services authorized for said client and limits said access of said client to said predetermined services;

an authorizer in communication between said client and said service manager, wherein said authorizer is operable to authenticate said client'"'"'s user identity and, upon authentication, request said predetermined services authorized for said client from said service manager to relay to said client; and

a receiver in communication with said service manager and serving as an interface to said protected services, wherein said receiver ignores connection requests from said client until a notification is received from said service manager authorizing said receiver to open a communication channel with said client, wherein access of at least one of a browser and an application of said client is limited to said predetermined services, and wherein the at least one of a browser and an application of said client communicates with said predetermined services through said receiver.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure communication system comprises a software program client operating on a host computing device, a service manager configured to manage client access to the protected services, an authorizer in communication between the client and the service manager, and a receiver in communication with the service manager and serves as an interface to the protected services. At least one of a browser and an application of the client is configured to access one or more protected services running on a computing device that is remote to the host computing device over a communication channel. The service manager maintains a list of predetermined services authorized for the client and limits client access to the predetermined services.

Citations

30 Claims

1. A secure communication system comprising:
- a software program client operating on a host computing device, wherein said client is configured to access one or more protected services running on a computing device that is remote to said host computing device over a communication channel, and wherein said client is configured to unlock a token such that said client uses a particular user identity;
  
  a service manager configured to manage said access to said protected services by said client, wherein said service manager is remote to said host computing device, and wherein said service manager maintains a list of predetermined services authorized for said client and limits said access of said client to said predetermined services;
  
  an authorizer in communication between said client and said service manager, wherein said authorizer is operable to authenticate said client'"'"'s user identity and, upon authentication, request said predetermined services authorized for said client from said service manager to relay to said client; and
  
  a receiver in communication with said service manager and serving as an interface to said protected services, wherein said receiver ignores connection requests from said client until a notification is received from said service manager authorizing said receiver to open a communication channel with said client, wherein access of at least one of a browser and an application of said client is limited to said predetermined services, and wherein the at least one of a browser and an application of said client communicates with said predetermined services through said receiver.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The secure communication system of claim 1, wherein said client is further configured to maintain a heartbeat connection with said authorizer, and wherein said authorizer sends a request to said service manager to have said receiver disconnect said communication channel with said client when said heartbeat is no longer present.
  - 3. The secure communication system of claim 1, further including a switch or router in communication between said client and said receiver, wherein said switch or router is configured to direct data messages not intended for said protected services away from said receiver.
  - 4. The secure communication system of claim 1, wherein communication between said client, said authorizer, said service manager and said receiver is over a network.
  - 5. The secure communication system of claim 4, wherein said network is the Internet.
  - 6. The secure communication system of claim 1, wherein said communication between said receiver and said protected services is over a local bus network.
  - 7. The secure communication system of claim 6, wherein said local bus network is a local bus.
  - 8. The secure communication system of claim 1, wherein said communication channel between said client and said receiver is secure.
  - 9. The secure communication system of claim 1 further comprising a plurality of authorizers, wherein said receiver is remote to said computing device running said protected services.
  - 10. The secure communication system of claim 1 further comprising a local bus network, wherein communication between said client, said authorizer, and said service manager is over the Internet, wherein said receiver and an additional authorizer are local to said local bus network, and wherein said communication between said receiver and said protected services is over said local bus network.
  - 11. The secure communication system of claim 10, wherein said client has access to one or more unprotected services local to said local bus network without said receiver acting as an interface.
  - 12. The secure communication system of claim 1, wherein communication between said client, said authorizer, said service manager, and said receiver is over a logically isolated network residing in the Internet, and wherein the logically isolated network is isolated from all outside network traffic.

13. An authorizer comprising:
- a communication device operable to send and receive messages over a network; and
  
  a processing device in digital communication with said communication device, wherein said processing device is enabled to;
  
  authenticate an access request to one or more protected services running on a remote computing device based on a user identity received through said communication device from a client operating on a remote host computing device, wherein said user identity identifies the user requesting access to said protected services, and wherein said client acquires the user identity by unlocking a token;
  
  request a list of available services associated with said user identity from a service manager using said communication device, wherein said service manager maintains a list of predetermined services authorized for said user identity, and wherein said service manager is remote to said host computing device; and
  
  return said list of predetermined services to said client using said communication device.
- View Dependent Claims (14, 15)
- - 14. The authorizer of claim 13, wherein said processing device is further enabled to monitor a heartbeat message received periodically over said communication device from said client and report to said service manager using said communication device when said heartbeat message is no longer present.
  - 15. The authorizer of claim 13, wherein said network is an Internet.

16. A service manager comprising:
- a communication device operable to send and receive messages over a network;
  
  a memory device for storing access rights to one or more protected services running on a remote computing device; and
  
  a processing device in digital communication with said communication device and said memory device, wherein said processing device is enabled to;
  
  retrieve from said memory device a list of protected services authorized for a remote client operating on a host computing system based on a user identity received through said communication device from an authorizer, and return to said authorizer said list of said protected services associated with said user identity using said communication device, wherein said user identity is acquired when said client unlocks a token, and wherein said service manager is remote to said host computing device; and
  
  validate a request received through said communication device to access said protected services based on said access rights stored in said memory device and notify a receiver of said valid request, wherein said receiver is in communication between said client and said protected services when notified of said valid session request by said service manager, and wherein said receiver ignores all attempts to communicate with said protected services until notified of said valid session request.
- View Dependent Claims (17, 18)
- - 17. The service manager of claim 16, wherein said processing device is further enabled to track a history of connections to said protected services.
  - 18. The service manager of claim 16, wherein said network is an internet.

19. A receiver comprising:
- a communication device operable to send and receive messages over a network;
  
  a memory; and
  
  a processing device in communication with said communication device;
  
  wherein said processing device is enabled to create a communication session between at least one of a browser and an application of a client operating on a host computing system and one or more protected services running on a remote computing device, and wherein said receiver is remote to said computing device running said protected services,wherein said processing device ignores requests from said client to access said protected services until said processing device receives an authorization from a service manager through said communication device to allow a secure communication session with said client, wherein said service manager is configured to manage access to said protected services, wherein said service manager is remote to said host computing device, and wherein said communication session between the at least one of a browser and an application of said client and said protected services is through said receiver, andwherein said processing device disconnects the secure communication session between the receiver and said client if the client fails to maintain a heartbeat with an authorizer.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The receiver of claim 19, wherein said network is an internet.
  - 21. The receiver of claim 19, further comprising a local bus hardware controller for communicating with said protected services.
  - 22. The receiver of claim 21, wherein said local bus hardware controller is a local bus hardware controller.
  - 23. The receiver of claim 19, wherein said communication session between said receiver and at least one of a browser and an application of said client is secure.

24. A method of securely accessing protected services running on a remote computing device by a remote client operating on a host computing system, the method comprising:
- transmitting a user identity over a network to an authorizer for authentication, wherein the user identity is acquired by the client unlocking a token, wherein said authorizer is in communication with a service manager configured to limit access to said protected services based on limitations established by an administrator of said protected services, wherein said service manager is remote to said client operating on said host computing system;
  
  waiting to receive an authentication response from said authorizer over said network, wherein said authentication response includes a list of protected services authorized for said user identity;
  
  transmitting a request to access one or more services from said list of protected services to said authorizer over said network, wherein said authorizer relays said request to said service manager, and wherein said request is verified by said service manager based on said list of protected services authorized for said user identity;
  
  transmitting a connection request from the client over said network to a receiver, wherein said receiver is in communication with said protected services, and wherein said receiver is configured to ignore said connection request until said receiver receives a notification from said service manager that said request to access said protected services via a secure communication session has been verified;
  
  waiting for said receiver to validate said connection request and open a communication channel; and
  
  communicating with said service through said receiver over said communication channel.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, further comprising transmitting a heartbeat message to said authorizer over said network to keep said communication channel open.
  - 26. The method of claim 24, wherein said communication channel with said receiver is secured.
  - 27. The method of claim 24, wherein said network is an internet.

28. A method of providing access to protected services running on a remote server comprising:
- authenticating, with an authorizer, a client requesting access to said protected services based on a user identity received from said client, wherein said user identity identifies a host computing system running said client, and wherein said user identity is acquired by the client unlocking a token;
  
  requesting, with the authorizer, a list of protected services authorized for said host computing system based on said user identity from a service manager; and
  
  authorizing, with the service manager, a receiver to open a communication channel between at least one of a browser and an application of said client and said protected services through said receiver, wherein said service manager is remote to said client, wherein all communication between the at least one of a browser and an application of said client and said protected services is through said receiver, and wherein said access of the at least one of a browser and an application of said client to said protected services is limited to protected services authorized for said host computing system.
- View Dependent Claims (29, 30)
- - 29. The method of claim 28, further comprising monitoring a heartbeat message received from said client and closing said communication channel if said heartbeat message is no longer received.
  - 30. The method of claim 28, wherein said communication channel between said client and said receiver is secure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blacksands, Inc.
Original Assignee
Blacksands, Inc.
Inventors
Pawl, Dan T., Pawl, Nathan J., Gallagher, Timothy F.
Primary Examiner(s)
Chang, Kenneth W

Application Number

US15/320,479
Publication Number

US 20170230374A1
Time in Patent Office

1,392 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/44   Program or device authentic...

G06F 21/629   to features or functions of...

H04L 12/40117   Interconnection of audio or...

H04L 63/101   Access control lists [ACL]

Secure communication system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links