Authenticating peer-to-peer connections

US 20040034776A1
Filed: 08/14/2002
Published: 02/19/2004
Est. Priority Date: 08/14/2002
Status: Active Grant

First Claim

Patent Images

1. A method of establishing and authenticating a peer-to-peer connection between at least two client components, said client components each having an authenticated connection to a server, said method comprising:

exchanging a shared key between the client components via the server;

establishing a peer-to-peer connection between the client components;

exchanging the shared key between the client components via the established, peer-to-peer connection; and

authenticating each of the client components by verifying that the shared key exchanged via the peer-to-peer connection corresponds to the shared key exchanged via the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods employing authenticated connections to a central server to establish and authenticate a peer-to-peer connection between peer devices. The invention circumvents the potential vulnerability of clear-text transmission of secrets through a series of encrypted data transfers. A secret key is encrypted and then transmitted from one peer device to another using authenticated connections to the server. The secret key is then used to transmit encrypted data over a peer connection between the peer devices for the purpose of authenticating the peer devices on each end of the connection.

274 Citations

55 Claims

1. A method of establishing and authenticating a peer-to-peer connection between at least two client components, said client components each having an authenticated connection to a server, said method comprising:
- exchanging a shared key between the client components via the server;
  
  establishing a peer-to-peer connection between the client components;
  
  exchanging the shared key between the client components via the established, peer-to-peer connection; and
  
  authenticating each of the client components by verifying that the shared key exchanged via the peer-to-peer connection corresponds to the shared key exchanged via the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein exchanging a shared key between the client components via the server comprises exchanging a shared key in encrypted form between the client components via the server.
  - 3. The method of claim 1, wherein exchanging a shared key between the client components via the server comprises exchanging a shared key between the client components via the authenticated connection with the server.
  - 4. The method of claim 1, wherein exchanging the shared key between the client components via the established, peer-to-peer connection comprises exchanging the shared key in encrypted form between the client components via the established, peer-to-peer connection.
  - 5. The method of claim 1, wherein the shared key comprises a randomly-generated, single-use session key.
  - 6. The method of claim 1, further comprising:
    - encrypting a first message using the shared key;
      
      transmitting the encrypted first message to one of the client components via said peer-to-peer connection;
      
      receiving a second message in decrypted form from said one of the client components; and
      
      authenticating said one of the client components by comparing the received second message to the first message.
  - 7. The method of claim 1, further comprising:
    - receiving a message in encrypted form from one of the client components via said peer-to-peer connection;
      
      decrypting the received message using the shared key; and
      
      transmitting the decrypted message to said one of the client components.
  - 8. The method of claim 1, wherein said establishing comprises:
    - transmitting a request for an identifier associated with said one of the client components to the server; and
      
      receiving the requested identifier from the server; and
      
      establishing the peer-to-peer connection with said one of the client components using the received identifier.
  - 9. The method of claim 8, wherein said identifier comprises a network address.
  - 10. The method of claim 9, wherein said identifier further comprises a communication port.
  - 11. The method of claim 1, wherein said establishing comprises:
    - receiving, from one of said client components via the authenticated connection to the server, a request to establish a peer-to-peer connection; and
      
      opening a communication port in response to the received request.
  - 12. The method of claim 11, wherein opening comprises randomly determining the communication port to open.
  - 13. The method of claim 11, further comprising closing the opened communication port if one or more rogue applications are attempting to connect on the opened communication port.
  - 14. The method of claim 11, wherein said establishing comprises establishing a plurality of peer-to-peer connections between a plurality of client components via the opened communication port, and wherein said shared key identifies each of the established connections.
  - 15. The method of claim 1, wherein said establishing comprises:
    - attempting to connect with one of the client components; and
      
      if said attempting fails, waiting for a preset time period for said one of the client components to initiate establishing the peer-to-peer connection.
  - 16. The method of claim 1, wherein said establishing comprises storing the shared key in memory for a preset time period.
  - 17. The method of claim 1, further comprising randomly generating the shared key in a cryptographic manner in response to a request to establish a peer-to-peer connection between the client components.
  - 18. The method of claim 1, wherein the shared key is a shared secret session key.
  - 19. The method of claim 1, further comprising:
    - encrypting data with the shared key; and
      
      transferring the encrypted data between the client components via the authenticated, peer-to-peer connection.
  - 20. The method of claim 1, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 1.

21. A method of establishing and authenticating a peer connection between a first device and a second device, the first device and the second device having authenticated connections to a server, said method comprising:
- enabling the first device and the second device to exchange a shared key in encrypted form via the authenticated connections;
  
  receiving a request from the first device for an identifier associated with the second device; and
  
  transmitting the requested identifier to the first device, wherein the first device and the second device establish the peer connection based on the identifier.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21, wherein said receiving comprises receiving a request from the first device for a network identifier associated with the second device.
  - 23. The method of claim 21, wherein said enabling comprises:
    - receiving the shared key in encrypted form from the first device via the authenticated connections; and
      
      transmitting the received shared key in encrypted form to the second device via the authenticated connections.
  - 24. The method of claim 21, wherein said enabling comprises:
    - receiving the shared key in encrypted form from the second device via the authenticated connections; and
      
      transmitting the received shared key in encrypted form to the first device via the authenticated connections.
  - 25. The method of claim 21, wherein the shared key comprises a randomly-generated, single-use cryptographic session key.
  - 26. The method of claim 21, wherein the shared key is randomly generated in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 27. The method of claim 21, wherein the server is an instant messaging server, and the first device and the second device are instant messaging clients.
  - 28. The method of claim 21, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 21.

29. One or more computer-readable media having computer-executable components comprising:
- a server component; and
  
  one or more client components, wherein each of the client components has a authenticated connection to the server component, and wherein the server component interacts with each of the client components via the authenticated connection to establish and authenticate a peer connection between one or more of the client components.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The computer-readable media of claim 29, wherein the server component and the client components implement instant messaging.
  - 31. The computer-readable media of claim 29, further comprising at least one communicative application program associated with a first one of the client components, said communicative application program configured to interface with said first one of the client components for transmitting a shared key in encrypted form between said first one of the client components and a second one of the client components via said authenticated connection to the server component, and said communicative application program configured to establish and authenticate the peer connection between the first one of the client components and the second one of the client components using said shared key.
  - 32. The computer-readable media of claim 31, wherein the shared key comprises a randomly-generated, single-use session key.
  - 33. The computer-readable media of claim 29, wherein the shared key is randomly generated in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 34. The computer-readable media of claim 29, wherein said server component is one of a plurality of server components, and further comprising a security component connected to the plurality of server components via one or more authenticated and encrypted connections for authenticating the client components.

35. A method of securing information between a first device and a second device, the method comprising:
- establishing authenticated connections to a server from the first device and from the second device;
  
  encrypting, in the first device, a shared key using a public key associated with the second device;
  
  transmitting the shared key as encrypted using the public key associated with the second device from the first device to the second device via said authenticated connections to the server;
  
  decrypting, in the second device, the shared key received from the first device;
  
  establishing a peer connection between the first device and the second device;
  
  encrypting, in the second device, the shared key received from the first device using a public key associated with the first device;
  
  transmitting the shared key as encrypted using the public key associated with the first device from the second device to the first device via said peer connection;
  
  decrypting, in the first device, the shared key received from the second device; and
  
  confirming, in the first device, that the shared key received from the second device via said peer connection is the same as the shared key transmitted to the second device via said authenticated connections to the server to thereby authenticate the second device.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 36. The method of claim 35 further comprising:
    - encrypting, in the second device, a first message using the shared key;
      
      transmitting the encrypted first message from the second device to the first device via said peer connection;
      
      decrypting, in the first device, the encrypted, first message received from the second device using the shared key;
      
      transmitting the decrypted message from the first device to the second device; and
      
      authenticating the first device by comparing, in the second device, the decrypted message received from the first device with the first message.
  - 37. The method of claim 35 further comprising transmitting the public key associated with the second device from the second device to the first device via said authenticated connections to the server.
  - 38. The method of claim 35 further comprising transmitting the public key associated with the first device from the first device to the second device via said authenticated connections to the server.
  - 39. The method of claim 35 further comprising generating the shared key in the first device.
  - 40. The method of claim 39 wherein generating comprises generating a shared key unique to said peer connection.
  - 41. The method of claim 39, wherein generating comprises randomly generating the shared key in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 42. The method of claim 35 wherein establishing a peer connection includes transmitting communication port information from the first device to the second device, and using said communication port information in the second device to establish the peer connection with the first device.
  - 43. The method of claim 35, wherein the shared key comprises a randomly-generated, single-use cryptographic session key.
  - 44. The method of claim 35, wherein the server is an instant messaging server, and the first device and the second device are instant messaging clients.
  - 45. The method of claim 35, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 35.

46. A method of securing information between a first device and a second device, the method comprising:
- establishing authenticated connections to a server from the first device and from the second device;
  
  encrypting, in the first device, a shared key using a public key associated with the second device;
  
  transmitting the shared key as encrypted using the public key associated with the second device from the first device to the second device via said authenticated connections to the common server;
  
  decrypting, in the second device, the shared key received from the first device;
  
  establishing a peer connection between the first device and the second device;
  
  transmitting the shared key as encrypted using the public key associated with the second device from the first device to the second device via said peer connection;
  
  decrypting, in the second device, the shared key received from the first device via said peer connection; and
  
  confirming, in the second device, that the shared key received from the first device via said peer connection is the same as the shared key received from the first device via said authenticated connections to the server to thereby authenticate the first device.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 47. The method of claim 46 further comprising:
    - encrypting, in the first device, a first message using the shared key;
      
      transmitting the encrypted, first message from the first device to the second device via said peer connection;
      
      decrypting, in the second device, the encrypted, first message received from the first device using the shared key;
      
      transmitting the decrypted message from the second device to the first device; and
      
      authenticating the second device by comparing, in the first device, the decrypted message received from the second device with the first message.
  - 48. The method of claim 46 further comprising transmitting the public key associated with the second device from the second device to the first device via said authenticated connections to the server.
  - 49. The method of claim 46 further comprising generating the shared key in the first device.
  - 50. The method of claim 49 wherein generating comprises generating a shared key unique to said peer connection.
  - 51. The method of claim 49, wherein generating comprises randomly generating the shared key in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 52. The method of claim 46 wherein establishing a peer connection includes transmitting communication port information from the first device to the second device, and using said communication port information in the second device to establish the peer connection with the first device.
  - 53. The method of claim 46, wherein the shared key comprises a randomly-generated, single-use cryptographic session key.
  - 54. The method of claim 46, wherein the server is an instant messaging server, and the first device and the second device are instant messaging clients.
  - 55. The method of claim 46, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 46.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shah, Mehul Y., Fernando, Joseph P.

Granted Patent

US 7,386,878 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 69/329   in the application layer [O...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0827   involving distinctive inter...

H04L 9/0869   involving random numbers or...

H04L 9/321   involving a third party or ...

Authenticating peer-to-peer connections

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

274 Citations

55 Claims

Specification

Use Cases

Quick Links

Others

Authenticating peer-to-peer connections

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

274 Citations

55 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others