System and Method for Application-Level Virtual Private Network

US 20030229786A1
Filed: 05/14/2003
Published: 12/11/2003
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method for application-level virtual private networking, comprising the steps of:

requesting access for sending requestor messages to an external resource by a requestor application within a user workstation;

identifying the requester application and calculating a hash value of the requestor application by a connection manager within the user workstation;

forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway;

receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway;

authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource; and

receiving the requestor messages by the external resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for enabling users to securely share application information and resources by granting resource owners access to user-application combinations. It provides a means for ensuring that only approved and unaltered applications may access available resources. A connection negotiation scheme allows both ends of a communication channel to agree on a specific version of a specific application to be used to access a target resource. Once agreement is reached, a virtual private network channel may be established between approved applications and designated resources that enable channel encryption using an encryption key and a verified signature using a calculated hash value of the negotiated application.

50 Citations

View as Search Results

22 Claims

1. A method for application-level virtual private networking, comprising the steps of:
- requesting access for sending requestor messages to an external resource by a requestor application within a user workstation;
  
  identifying the requester application and calculating a hash value of the requestor application by a connection manager within the user workstation;
  
  forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway;
  
  receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway;
  
  authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource; and
  
  receiving the requestor messages by the external resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the step of requesting access for sending requestor messages to an external resource by a requester application within a user workstation comprises the step of requesting access for sending requestor messages to an external server application program within the channel gateway by a requestor application within a user workstation;
    - the step of forwarding the requestor messages to the external resource comprises the step of forwarding the requestor messages to an external server application program within the channel gateway; and
      
      the step of receiving the requestor messages by the external resource comprises receiving the requestor messages by the external server application program within the channel gateway.
  - 3. The method of claim 1, wherein:
    - the step of identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation further comprises calculating a hash value of only one specific version of one specific requestor application by a connection manager within the user workstation; and
      
      the step of authenticating the received requestor messages using the calculated application hash value comprises authenticating the received requestor messages using the calculated hash value of only the one specific version of the one specific requestor application.
  - 4. The method of claim 1, wherein the step of identifying the user application comprises querying a workstation operating system for identifying the user application.
  - 5. The method of claim 1, further comprising:
    - preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway;
      
      receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation;
      
      receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation; and
      
      receiving the response messages by the requestor application within the user workstation.
  - 6. The method of claim 5, wherein the step of authenticating the received response messages using the received calculated application hash value comprises authenticating the received response messages by comparing the received calculated application hash value with an application hash value calculated by the connection manager.
  - 7. The method of claim 1, wherein:
    - the step of forwarding the requester messages and the calculated application hash value comprises the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway;
      
      the step of receiving the requester messages and the calculated application hash value comprises receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway; and
      
      the step of authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource comprises decrypting the application hash value, digital signature, user ID and password using the application requestor PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requester messages to the external resource.
  - 8. The method of claim 5, wherein:
    - the step of receiving the response messages by the channel receiver and forwarding the response messages comprises receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation; and
      
      the step of receiving the response messages by the connection manager comprises receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation.
  - 9. The method of claim 1, further comprising:
    - the step of forwarding the calculated application hash value, a digital signature, a user ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key;
      
      the step of encrypting the requestor messages by the connection manager using the session key; and
      
      the step of decrypting the requestor messages by the channel receiver using the session key.
  - 10. The method of claim 5, further comprising:
    - the step of negotiating a connection and obtaining a session key from an access authority;
      
      the step of encrypting the response messages by the channel receiver using a session key; and
      
      the step of decrypting the response messages by the connection manager using the session key.
  - 11. A computer-readable medium containing instructions for controlling a computer system to implement the method of claim 1.
  - 12. A computer-readable medium containing instructions for controlling a computer system to implement the method of claim 5.

13. A system for application-level virtual private networking, comprising:
- means for requesting access for sending requestor messages to an external resource by a requestor application within a user workstation;
  
  means for identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation;
  
  means for forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway;
  
  means for receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway;
  
  means for authenticating the received requester messages using the calculated application hash value and forwarding the requestor messages to the external resource; and
  
  means for receiving the requestor messages by the external resource.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein the external resource is a server application program.
  - 15. The system of claim 13, wherein the requestor application is one specific version of one specific application.
  - 16. The system of claim 13, further comprising:
    - means for preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway;
      
      means for receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation;
      
      means for receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requester application within the user workstation; and
      
      means for receiving the response messages by the requestor application within the user workstation.
  - 17. The system of claim 13, wherein:
    - means for forwarding the requestor messages and the calculated application hash value comprises the steps of obtaining public and private keys from a PKI authority, encrypting the requester messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway;
      
      means for receiving the requestor messages and the calculated application hash value comprises receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway; and
      
      means for authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource comprises decrypting the application hash value, digital signature, user ID and password using the application requestor PKI public key, decrypting the encrypted requester messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource.
  - 18. The system of claim 16, wherein:
    - means for receiving the response messages by the channel receiver and forwarding the response messages comprises receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation; and
      
      means for receiving the response messages by the connection manager comprises receiving the response messages by the connection manager, decrypting the response messages using-the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation.
  - 19. The system of claim 13, further comprising:
    - means for forwarding the calculated application hash value, a digital signature, a user ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key;
      
      means for encrypting the requestor messages by the connection manager using the session key; and
      
      means for decrypting the requestor messages by the channel receiver using the session key.
  - 20. The method of claim 16, further comprising:
    - means for negotiating a connection and obtaining a session key from an access authority;
      
      means for encrypting the response messages by the channel receiver using a session key; and
      
      means for decrypting the response messages by the connection manager using the session key.

21. A user interface method for application-level virtual private networking, comprising:
- defining a remote resource to be accessed without connection negotiation, including;
  
  selecting a remote resource to be accessed;
  
  designating a local port for accessing a virtual private network;
  
  providing an IP address of the remote resource;
  
  assigning a port number where the remote resource is available;
  
  defining a connection for the requestor application, including;
  
  using an executable application program for connecting to the remote resource;
  
  selecting a remote resource designation;
  
  supplying a user ID;
  
  entering a password; and
  
  clicking an enable button for accessing the remote resource.
- View Dependent Claims (22)
- - 22. The user interface method of claim 21, further comprising defining a remote resource to be accessed with connection negotiation, including:
    - checking a box for designating negotiation required; and
      
      assigning an access authority to be used and for determining an IP address and remote resource port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatguard, Inc.
Original Assignee
Threatguard, Inc.
Inventors
Enger, J. Marc, Hollis, Robert L., Engelbach, R. Gunnar

Granted Patent

US 6,804,777 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0442 wherein the sending and rec...

H04L 63/123 received data contents, e.g...

System and Method for Application-Level Virtual Private Network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Application-Level Virtual Private Network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links