Secure end-to-end notification

US 20030145229A1
Filed: 01/31/2002
Published: 07/31/2003
Est. Priority Date: 01/31/2002
Status: Active Grant

First Claim

Patent Images

1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:

an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism;

after the security information has been negotiated, an act of using the security information to generate a message that includes an encrypted form of the notification, as well as clear-text supplemental information that may be used to decrypt the notification using the security information; and

an act of initiating transmission of the message to the notification sink via the at least one message transit point using the notification mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing secure end-to-end notifications from a notification source to a notification sink despite the notification mechanism including one or more message transit points between the notification source and the notification sink. Initially, security information (e.g., the master security, the cryptographic algorithm, and the like) is negotiated out-of-band from the one or more message transit points so that the message transit points are not apprised of the security information. When a designated event occurs, the notification source generates a push message that includes the notification encrypted using the pre-negotiated security information. When the notification sink receives the push message, the notification sink decrypts the notification using the pre-negotiated security information, as well as supplemental information provided in the push message. Thus, the message transit points only have access to the encrypted form of the notification.

Citations

29 Claims

1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism;
  
  after the security information has been negotiated, an act of using the security information to generate a message that includes an encrypted form of the notification, as well as clear-text supplemental information that may be used to decrypt the notification using the security information; and
  
  an act of initiating transmission of the message to the notification sink via the at least one message transit point using the notification mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method in accordance with claim 1, wherein the act of using the security information to generate a message that includes an encrypted form of the notification comprises the following:
    - an act of using the security information to generate a message that includes an encrypted form of an automatically-generated notification.
  - 3. A method in accordance with claim 1, wherein the act of using the security information to generate a message that includes an encrypted form of the notification comprises the following:
    - an act of using the security information to generate a message that includes an encrypted form of a subscription-based notification.
  - 4. A method in accordance with claim 1, wherein the at least one message transit point comprises a server maintained by a wireless carrier, wherein the act of initiating transmission of the message to the notification sink comprises the following:
    - an act of initiating transmission of the message to a wireless device via the server maintained by the wireless carrier.
  - 5. A method in accordance with claim 1, wherein the at least one message transit point comprises a server, wherein the act of initiating transmission of the message to the notification sink comprises the following:
    - an act of transmitting the message to the server using a first protocol, wherein the server transmits the message to a wireless device using a second protocol.
  - 6. A method in accordance with claim 5, wherein the act of transmitting the message to the server using a first protocol comprises the following:
    - an act of transmitting the message to a Push Proxy Gateway (PPG) using a Push Access Protocol (PAP) message.
  - 7. A method in accordance with claim 6, wherein the message is included in the Push Access Protocol message as a multipart segment.
  - 8. A method in accordance with claim 7, wherein the server is configured to extract the message from the Push Access Protocol message and transmit the message to the wireless device.
  - 9. A method in accordance with claim 8, wherein the server is configured to extract the message from the Push Access Protocol message and encode the message in a Push Over-the-Air protocol message.
  - 10. A method in accordance with claim 1, wherein the act of using the security information to generate a message comprises the following:
    - an act of generating an Encapsulated Security Payload (ESP) object.
  - 11. A method in accordance with claim 10, wherein the clear-text supplemental information that may be used to decrypt the notification using the security information comprises a session identifier field.
  - 12. A method in accordance with claim 10, wherein the encrypted form of the notification comprises a payload data field.
  - 13. A method in accordance with claim 1, wherein the at least one message transmit point comprises a corporate server.
  - 14. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises the following:
    - an act of establishing a secure session between the notification source and the notification sink.
  - 15. A method in accordance with claim 14, wherein the act of establishing a secure session between the notification source and the notification sink comprises the following:
    - an act of establishing a Secure Socket Layer (SSL) session between the notification source and the notification sink.
  - 16. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises:
    - an act of negotiating a master secret shared by the notification source and the notification sink.
  - 17. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises:
    - an act of negotiating a cryptographic algorithm to be used when encrypting and decrypting notifications.

18. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- a step for drafting a message so as to ensure secure end-to-end notification between the notification source and the notification sink; and
  
  an act of initiating transmission of the message to the notification sink via the at least one message transit point using the notification mechanism.
- View Dependent Claims (19)
- - 19. A method in accordance with claim 18, wherein the step for drafting a message so as to ensure secure end-to-end notification between the notification source and the notification sink comprises the following:
    - an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism; and
      
      after the security information has been negotiated, an act of using the security information to generate a message that includes an encrypted form of the notification, as well as clear-text supplemental information that may be used to decrypt the notification using the security information.

20. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising one or more computer-readable media having stored thereon the following:
- computer-executable instructions for negotiating security information between the notification source and the notification sink out of band from the notification mechanism;
  
  computer-executable instructions for using the security information to generate a message after the security information has been negotiated, the message including an encrypted form of the notification, as well as clear-text supplemental information that may be used to decrypt the notification using the security information; and
  
  computer-executable instructions for causing the message to be transmitted to the notification sink via the at least one message transit point using the notification mechanism.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. A computer program product in accordance with claim 20, wherein the one or more computer-readable media are physical storage media.
  - 22. A computer program product in accordance with claim 20, wherein the computer executable instructions for causing the message to be transmitted to the notification sink comprise the following:
    - computer-executable instruction for causing the message to be transmitted to the server using a first protocol, wherein the server transmits the message to a wireless device using a second protocol.
  - 23. A computer program product in accordance with claim 22, wherein the computer-executable instructions for causing the message to be transmitted to the server using a first protocol comprise the following:
    - computer-executable instructions for causing the message to be transmitted to a Push Proxy Gateway (PPG) using a Push Access Protocol (PAP) message.
  - 24. A computer program product in accordance with claim 20, wherein the computer-executable instructions for using the security information to generate a message comprise the following:
    - computer-executable instructions for generating an Encapsulated Security Payload (ESP) object.
  - 25. A computer program product in accordance with claim 20, wherein the computer-executable instructions for negotiating security information between the notification source and the notification sink comprises the following:
    - computer-executable instructions for establishing a secure session between the notification source and the notification sink.

26. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely receiving a notification from the notification source using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism;
  
  after the security information has been negotiated, an act of receiving a message from the notification source that was received via the at least one message transit point using the notification mechanism; and
  
  an act of using the security information along with clear-text supplemental information included in the message to decrypt an encrypted form of the notification also included in the message.
- View Dependent Claims (27, 28)
- - 27. A method in accordance with claim 26, wherein the act of receiving a message comprises the following:
    - an act of receiving an Encapsulated Security Payload (ESP) object.
  - 28. A method in accordance with claim 27, wherein the act of receiving an ESP object comprises the following:
    - an act of receiving the ESP object as a MIME attachment encoded within a Push Over-the-Air protocol message.

29. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely receiving a notification from the notification source using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising one or more computer-readable media having stored thereon the following:
- computer-executable instructions for negotiating security information between the notification source and the notification sink out of band from the notification mechanism;
  
  computer-executable instructions for detecting the receipt of a message from the notification source after negotiating the security information, the message being received via the at least one message transit point using the notification mechanism; and
  
  computer-executable instructions for using the security information along with clear-text supplemental information included in the message to decrypt an encrypted form of the notification also included in the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Zhu, Yuhang, Roberts, Paul, Kramer, Michael, Hammond, Bradley M., Butler, Lee M., Cohen, Josh R.

Granted Patent

US 7,299,349 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 67/04   specially adapted for termi...

H04L 67/55   Push-based network services

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Secure end-to-end notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Secure end-to-end notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links