Method and system for establishing a secure communication tunnel

US 10,404,475 B2
Filed: 01/22/2016
Issued: 09/03/2019
Est. Priority Date: 01/22/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for establishing a secure communication tunnel between a device and a server, wherein the method is carried out at the server having a processor and a memory configured to provide instructions to the processor and the method comprises:

receiving a session request from the device to establish a secure tunnel;

carrying out a handshake procedure to set up an encryption/decryption key for the secure tunnel wherein the handshake procedure uses a first communication channel from the server to the device;

sending a first component of the handshake procedure to the device via the first communication channel; and

sending a second component of the handshake procedure to the device via a second communication channel,wherein continuing the handshake procedure or commencing use of the secure tunnel established by the handshake procedure comprises use, by the device, of the second component sent to the device via the second communication channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for establishing a secure communication tunnel between a device and a server is provided. The method comprises the server receiving a session request from the device to establish a secure tunnel. A handshake procedure is carried out to set up an encryption/decryption key for the secure tunnel. The handshake procedure uses a first communication channel from the server to the device. The method also includes sending a component of the handshake procedure to the device via a second communication channel. This component is required by the device to continue the handshake procedure or to commencing use of the secure tunnel established by the handshake procedure.

Citations

21 Claims

1. A computer-implemented method for establishing a secure communication tunnel between a device and a server, wherein the method is carried out at the server having a processor and a memory configured to provide instructions to the processor and the method comprises:
- receiving a session request from the device to establish a secure tunnel;
  
  carrying out a handshake procedure to set up an encryption/decryption key for the secure tunnel wherein the handshake procedure uses a first communication channel from the server to the device;
  
  sending a first component of the handshake procedure to the device via the first communication channel; and
  
  sending a second component of the handshake procedure to the device via a second communication channel,wherein continuing the handshake procedure or commencing use of the secure tunnel established by the handshake procedure comprises use, by the device, of the second component sent to the device via the second communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as claimed in claim 1, further comprising looking up an address or identifier relating to the second communication channel of the device prior to sending the second component of the handshake procedure via the second communication channel.
  - 3. The method as claimed in claim 1, wherein the second component is a component for the handshake procedure and continuing the handshake procedure comprises use of the second component by the device to generate a premaster key or the encryption/decryption key for the secure tunnel.
  - 4. The method as claimed in claim 3, wherein the second component is one of a group of:
    - a version of a communication protocol used;
      
      a cipher version;
      
      a set of random data used for a session encryption key;
      
      a public key of the server; and
      
      a certificate of the server.
  - 5. The method as claimed in claim 1, wherein the second component is a component for a session using the secure tunnel, and wherein commencing use of the secure tunnel comprises use of the second component by the device to start or recommence a session with the server.
  - 6. The method as claimed in claim 5, wherein the second component is a session identifier which references session parameters at the server.
  - 7. The method as claimed in claim 1, including, in response to detecting receipt of a session identifier from a different socket, sending a new component of the handshake procedure to the device via the second communication channel;
    - and carrying out a new handshake procedure or commencing use of a session using the second component.
  - 8. The method as claimed in claim 7, wherein the new component for commencing use of the session is a new set of random numbers for generating a new session encryption/decryption key for the secure tunnel under the existing handshake.
  - 9. The method as claimed in claim 1, wherein the second component is encrypted with an encryption key.
  - 10. The method as claimed in claim 1, wherein the first communication channel is a data channel using Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol, and the second communication channel is one of a group of:
    - a Short Message Service channel, Unstructured Supplementary Service Data (USSD) channel, an email channel, or another form of communication channel independent of the TLS or SSL channel.
  - 11. The method according to claim 1, further comprising in response to receiving the first component and the second component of the handshake procedure, authenticating the server.

12. A computer-implemented method for establishing a secure communication tunnel between a device and a server, wherein the method is carried out at the device having a processor and a memory configured to provide instructions to the processor and the method comprises:
- sending a session request to the server to establish a secure tunnel;
  
  carrying out a handshake procedure to set up an encryption/decryption key for the secure tunnel wherein the handshake procedure uses a first communication channel from the server to the device;
  
  receiving a first component of the handshake procedure via the first communication channel;
  
  receiving a second component of the handshake procedure via a second communication channel; and
  
  automatically detecting the receipt of the second component at the second communication channel and using this component to continue the handshake procedure or to commence use of the secure tunnel established by the handshake procedure.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method as claimed in claim 12, wherein the second component is a component for the handshake procedure and continuing the handshake procedure includes:
    - using the second component to generate a premaster key or the encryption/decryption key for the secure tunnel.
  - 14. The method as claimed in claim 12, wherein the second component is a component for a session using the secure tunnel, and wherein commencing use of the secure tunnel includes:
    - providing the second component to the server to start or recommence a session with the server.
  - 15. The method as claimed in claim 12, in response to using a session identifier from a different socket, receiving a new component of the handshake procedure via the second communication channel;
    - and carrying out a new handshake procedure or commencing use of a session using the new component.
  - 16. The method as claimed in claim 15, wherein the new component for commencing use of the session is a new set of random numbers for generating a new session encryption/decryption key for the secure tunnel under the existing handshake.
  - 17. The method as claimed in claim 12, wherein the sent component is encrypted with an encryption key, and the method includes:
    - decrypting the sent component using a decryption key provided by the server during the handshake procedure or at a registration process.

18. A system for establishing a secure communication tunnel comprising a server having a processor and a memory configured to provide instructions to the processor for carrying out functions of server components, the server including:
- a handshake initiating component for initiating a handshake procedure with a device in response to receiving a session request from the device;
  
  a handshake component for carrying out a handshake procedure to set up an encryption/decryption key for the secure communication tunnel wherein the handshake procedure uses a first communication channel from the server to the device;
  
  a first component sending module for transmitting a first component of the handshake procedure to the device via the first communication channel; and
  
  a second component sending module for transmitting a second component of the handshake procedure to the device via a second communication channel,wherein continuing the handshake procedure or commencing use of the secure communication tunnel established by the handshake procedure comprises use of the second component by the device.
- View Dependent Claims (19, 20)
- - 19. The system as claimed in claim 18, including a second channel identifier lookup component for, in response to receiving a session request over the first communication channel, looking up an identifier or address associated with the device.
  - 20. The system as claimed in claim 18, including a different socket detecting component for detecting when a valid session identifier is received via a different socket.

21. A system for establishing a secure communication tunnel comprising a device having a processor and a memory configured to provide instructions to the processor for carrying out functions of device components, the device including:
- a handshake initiating component for initiating a handshake procedure with a server by transmitting a session request to the server to establish a secure tunnel;
  
  a handshake component for carrying out a handshake procedure to set up an encryption/decryption key for the secure tunnel wherein the handshake procedure uses a first communication channel from the server to the device;
  
  a first automatic detection component for automatically detecting a first component of the handshake procedure received via the first communication channel;
  
  a second automatic detection component for automatically detecting a second component of the handshake procedure received via a second communication channel; and
  
  a handshake finalizing component for finalizing the handshake procedure using the component of the handshake procedure received via the second communication channel or a session commencing component for commencing use of the secure tunnel established by the handshake procedure using the component of the handshake procedure received via the second communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
O'Regan, Alan Joseph, Huxham, Horatio
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/525,896
Publication Number

US 20170338964A1
Time in Patent Office

1,320 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 2463/061   applying further key deriva...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/166   at the transport layer

H04L 63/18   using different networks or...

H04L 67/141   Setup of application sessio...

H04L 69/14   Multichannel or multilink p...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

H04L 9/40   Network security protocols

Method and system for establishing a secure communication tunnel

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for establishing a secure communication tunnel

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links