Using atomic messaging to increase the security of transferring data across a network

US 20030084292A1
Filed: 10/22/2002
Published: 05/01/2003
Est. Priority Date: 10/22/2001
Status: Active Grant

First Claim

Patent Images

1. In a computer system that received an unencrypted version of a session key in response to authenticating with an authentication server, a method for including a significant portion of the information needed to process a message at an application server within the message, the method comprising:

an act of sending a request to the authentication server, the request indicating a desire to access a service at the application server;

an act of receiving a binary token from the authentication server, the binary token containing an encrypted version of the session key, which was encrypted using a service key that is shared between the authentication server and the application server;

an act of using the unencrypted version of session key to generate encrypted application data that is to be delivered to the service at the application server;

an act of encoding the encrypted application data and the binary token into a text format; and

an act of sending a message that includes text-encoded encrypted application data and a text-encoded token which contains the encrypted version of the session key to the application server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client sends a request to an authentication server requesting access to a service at an application server. The authentication server returns a token containing an encrypted version of a session key that was encrypted using a secret shared between the authentication server and the application server. The client encrypts application data using a corresponding unencrypted version of the session key and text-encodes both the encrypted application data and the encrypted version of the session key. The text-encoded application and text-encoded encrypted version of the session key are both included in a message and sent to the application server. The application server decrypts the encrypted version of the session key using the shared secret so as to reveal the unencrypted version of the session key. The application server then decrypts the encrypted application data using the revealed unencrypted version of the session key.

Citations

32 Claims

1. In a computer system that received an unencrypted version of a session key in response to authenticating with an authentication server, a method for including a significant portion of the information needed to process a message at an application server within the message, the method comprising:
- an act of sending a request to the authentication server, the request indicating a desire to access a service at the application server;
  
  an act of receiving a binary token from the authentication server, the binary token containing an encrypted version of the session key, which was encrypted using a service key that is shared between the authentication server and the application server;
  
  an act of using the unencrypted version of session key to generate encrypted application data that is to be delivered to the service at the application server;
  
  an act of encoding the encrypted application data and the binary token into a text format; and
  
  an act of sending a message that includes text-encoded encrypted application data and a text-encoded token which contains the encrypted version of the session key to the application server.
- View Dependent Claims (2, 3)
- - 2. The method in accordance with claim 1, wherein the act of receiving a binary token from the authentication server comprises an act of receiving a data structure that includes a first field representing a encrypted session key and second field representing other connection data used for transferring the encrypted session key represented in the first field to the application server.
  - 3. The method in accordance with claim 1, wherein the act of an act of sending a message that includes text-encoded encrypted application data and a text-encoded token which contains the encrypted version of the session key comprises an act of sending a Simple Object Access Protocol envelope.

4. In an application server having one or more services that are accessible to clients, a method for processing a message to cause one of the one or more services to be accessed, the method comprising:
- an act of establishing a shared service key with an authentication server;
  
  an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key;
  
  an act of decoding the text-encoded token to expose a corresponding binary token that contains the encrypted version of the session key;
  
  an act of decoding the text-encoded encrypted application data to expose corresponding encrypted application data;
  
  an act of using the shared service key to decrypt the encrypted version of the session key contained in the binary token to reveal an unencrypted version of the session key;
  
  an act of decrypting the encrypted application data using the decrypted session key to reveal unencrypted binary application data; and
  
  an act of delivering the unencrypted application data to the requested service.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The method in accordance with claim 4, wherein the act of establishing a shared service key with an authentication server comprises an act of establishing a shared service key that is unknown to the client that sent the received message.
  - 6. The method in accordance with claim 4, wherein an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key comprises an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and a data structure including a first field representing an encrypted session key and a second field representing other connection data used for transferring the encrypted session key represented in the first field to the application server.
  - 7. The method in accordance with claim 4, wherein an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key comprises an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded encrypted token containing an encrypted version of a session key.
  - 8. The method in accordance with claim 7, further comprising:
    - an act of, prior to the act of using the shared service key to decrypt the encrypted version of the session key, decrypting an encrypted binary token that corresponds the text-encoded encrypted token.
  - 9. The method in accordance with claim 4, wherein an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key comprises an act of receiving a Simple Object Access Protocol envelope.
  - 10. The method in accordance with claim 9, wherein receiving a Simple Object Access Protocol envelope comprises an act of receiving a Simple Object Access Protocol envelope including one more headers representing security data associated with the text-encoded encrypted application data, wherein the headers can be processed by the application server to determine how to process the text-encoded encrypted application data.
  - 11. The method in accordance with claim 9, wherein receiving a Simple Object Access Protocol envelope comprises an act of receiving a Simple Object Access Protocol envelope that includes a signing header with signing data, wherein the signing data indicates that a first portion of the Simple Object Access Protocol envelope is signed and an a second portion of the Simple Object Access Protocol envelope is not signed.

12. In an application server having one or more services that are accessible to clients, a method for processing a message to cause one of the one or more services to be accessed, the method comprising:
- an act of establishing a shared service key with an authentication server;
  
  an act of receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key;
  
  a step for preparing application data for delivery to the requested service; and
  
  an act of delivering unencrypted application data to the requested service.
- View Dependent Claims (13)
- - 13. The method in accordance with claim 12, wherein the step for preparing application data for delivery to the requested service comprises decrypted an encrypted binary token to reveal an encrypted version of a session key.

14. A computer program product for use in a computer system that received an unencrypted version of a session key in response to authenticating with an authentication server, the computer program product for implementing a method for including a significant portion of the information needed to process a message at an application server within the message, the computer program product comprising one or more computer-readable media having stored thereon the following:
- computer-executable instructions for sending a request to the authentication server, the request indicating a desire to access a service at the application server;
  
  computer-executable instructions for receiving a binary token from the authentication server, the binary token containing an encrypted version of the session key, which was encrypted using a service key that is shared between the authentication server and the application server;
  
  computer-executable instructions for using the unencrypted version of session key to generate encrypted application data that is to be delivered to the service at the application server;
  
  computer-executable instructions for encoding the encrypted application data and the binary token into a text format; and
  
  computer-executable instructions for sending a message that includes text-encoded encrypted application data and a text-encoded token which contains the encrypted version of the session key to the application server.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. A computer program product in accordance with claim 14, wherein computer-executable instructions for sending a message that includes text-encoded encrypted application data and a text-encoded token which contains the encrypted version of the session key further comprise computer-executable instructions for sending a message that includes a data structure with a first data field representing text-encoded encrypted application data and a second field representing a text encoded token that can be processed to reveal a session key for decrypting the text-encoded encrypted application data.
  - 16. A computer program product in accordance with claim 14, wherein computer-executable instructions for receiving a binary token from the authentication server further comprise computer executable instructions for receiving a data structure that includes a first field representing a encrypted session key and second field representing other connection data used for transferring the encrypted session key to the application server.
  - 17. A computer program product in accordance with claim 14, wherein computer-executable instructions for using the unencrypted version of session key to generate encrypted application further comprise computer-executable instructions for using a symmetric key to encrypt application data.
  - 18. A computer program product in accordance with claim 14, wherein computer-executable instructions for using the unencrypted version of session key to generate encrypted application data further comprise computer-executable instructions for using a public key which has a corresponding private key that can be used to decrypt data that is encrypted with the public key, to encrypt application data.
  - 19. A computer program product in accordance with claim 14, wherein computer-executable instructions for sending a message that includes text-encoded encrypted application data and a text-encoded token which contains the encrypted version of the session key further comprise computer-executable instructions for sending a Simple Object Access Protocol envelope.
  - 20. A computer program product in accordance with claim 19, wherein computer-executable instructions for sending a Simple Object Access Protocol envelope further comprise computer-executable instructions for sending a Simple Object Access Protocol envelope that includes one more headers representing security data associated with the text-encoded encrypted application data, wherein the headers can be processed by the application server to determine how to process the text-encoded encrypted application data.
  - 21. A computer program product in accordance with claim 19, wherein computer-executable instructions for sending a Simple Object Access Protocol envelope further comprise computer-executable instructions for sending a Simple Object Access Protocol envelope that includes a header with signing data, wherein the signing data indicates that a first portion of the Simple Object Access Protocol envelope is signed and an a second portion of the Simple Object Access Protocol envelope is not signed.
  - 22. A computer program product in accordance with claim 14, further comprising:
    - computer-executable instructions for encrypting the binary token.

23. A computer program product for use in an application server having one or more services that are accessible to clients, the computer program product for implementing method for processing a message to cause one of the one or more services to be accessed, the computer program product comprising one or more computer-readable media having stored thereon the following:
- computer-executable instructions for establishing a shared service key with an authentication server;
  
  computer-executable instructions for receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key;
  
  computer-executable instructions for decoding the text-encoded token to expose a corresponding binary token that contains the encrypted version of the session key;
  
  computer-executable instructions for decoding the text-encoded encrypted application data to expose corresponding encrypted application data;
  
  computer-executable instructions for using the shared service key to decrypt the encrypted version of the session key contained in the binary token to reveal an unencrypted version of the session key;
  
  computer-executable instructions for decrypting the encrypted application data using the decrypted session key to reveal unencrypted binary application data; and
  
  computer-executable instructions for delivering the unencrypted application data to the requested service.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The computer program product in accordance with claim 23, wherein computer-executable instructions for receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key further comprise computer-executable instructions for receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and a data structure including a first field representing an encrypted session key and a second field representing other connection data used for transferring the encrypted session key represented in the first field to the application server.
  - 25. The computer program product in accordance with claim 23, wherein computer-executable instructions for receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key further comprise computer-executable instructions for receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded encrypted token containing an encrypted version of a session key.
  - 26. The computer program product in accordance with claim 23, wherein computer-executable instructions for receiving a message that includes text-encoded encrypted application data that is to be processed by a service requested in the message and includes a text-encoded token containing an encrypted version of a session key comprises receiving a Simple Object Access Protocol envelope.
  - 27. The computer program product in accordance with claim 26, wherein computer-executable instructions for receiving a Simple Object Access Protocol envelope further comprise computer-executable instructions for receiving a Simple Object Access Protocol envelope including one more headers representing security data associated with the text-encoded encrypted application data, wherein the headers can be processed by the application server to determine how to process the text-encoded encrypted application data.
  - 28. The computer program product in accordance with claim 26, wherein computer-executable instructions for receiving a Simple Object Access Protocol envelope further comprise computer-executable instructions for receiving a Simple Object Access Protocol envelope that includes a header with signing data, wherein the signing data indicates that a first portion of the Simple Object Access Protocol envelope is signed and an a second portion of the Simple Object Access Protocol envelope is not signed.

29. One or more computer-readable media having stored thereon a data structure, the data structure comprising:
- a first field representing text-encoded encrypted application data that is to be delivered to a requested service;
  
  a second field representing a text-encoded token that can be processed to reveal a session key for decrypting the text-encoded encrypted data represented in the first field.
- View Dependent Claims (30, 31, 32)
- - 30. The one or more computer-readable media having stored thereon a data structure in accordance with claim 29, wherein the second field is comprised of:
    - a third field representing an encrypted session key that can be used to decrypt the text-encoded encrypted application data represented in the first field; and
      
      a fourth field representing other connection data that can be used to transfer the encrypted session key represented in the third field to an application where the text-encoded encrypted application data represented in the first field is to be processed.
  - 31. The one or more computer-readable media having stored thereon a data structure in accordance with claim 29, further comprising:
    - a fifth field representing one or more headers containing security data associated with the text-encoded encrypted application data represented in the first field, wherein the headers can be processed to determine how to process the text-encoded encrypted application data represented in the first field.
  - 32. The one or more computer-readable media having stored thereon a data structure in accordance with claim 29, further comprising:
    - a sixth field representing signing data associated with a Simple Object Access Protocol envelope that contains the text-encoded encrypted application data represented in the first field, wherein the signing data indicates that a first portion of the Simple Object Access Protocol envelope is signed and an a second portion of the Simple Object Access Protocol envelope is not signed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Leach, Paul J., Ward, Richard B., Lucovsky, Mark H., Cox, Shaun D., Pierce, Shaun D.

Granted Patent

US 7,305,548 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/606   by securing the transmissio...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

Using atomic messaging to increase the security of transferring data across a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Using atomic messaging to increase the security of transferring data across a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links