System and method for automatic negotiation of a security protocol

US 20040268118A1
Filed: 06/30/2003
Published: 12/30/2004
Est. Priority Date: 06/30/2003
Status: Active Grant

First Claim

Patent Images

1. A method for automatically negotiating a security protocol, comprising:

receiving a security authorization request to establish a secure connection between an internal node, the internal node being internal to a security-enabled domain, and an external node, the external node being external to the security-enabled domain;

comparing a first protocol set associated with the internal node to a second protocol set associated with the external node; and

establishing a secure connection between the external node and the internal node when a matching protocol between the first protocol set and the second protocol set is found.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A protocol negotiation platform permits a computer or other node lying outside of a security-enabled domain to negotiate a supported security protocol with a server or other node within that domain. Active Directory™, Kerberos and other secure network technologies permit agents or nodes within a domain to communicate securely with each other, using default, protocols and key, certificate or other authentication techniques. In the past external agents however had no transparent way to enter the domain, requiring the manual selection of protocols for use across the domain boundary. According to the invention either of an external agent or an internal agent may initiate an attempt to establish a secure session across the domain boundary, transmitting a request including a set of supported protocols to the recipient machine. A negotiation engine may then compare the available protocols on both of the agents, nodes or machines at either end of the session, and select a compatible protocol when found. The internal and external agents may likewise authenticate each other using a key, certificate or other mechanism.

Citations

62 Claims

1. A method for automatically negotiating a security protocol, comprising:
- receiving a security authorization request to establish a secure connection between an internal node, the internal node being internal to a security-enabled domain, and an external node, the external node being external to the security-enabled domain;
  
  comparing a first protocol set associated with the internal node to a second protocol set associated with the external node; and
  
  establishing a secure connection between the external node and the internal node when a matching protocol between the first protocol set and the second protocol set is found.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method according to claim 1, wherein the external node comprises at least one of a computer and a network-enabled wireless device.
  - 3. A method according to claim 1, wherein the internal node comprises at least one of a client computer and a server.
  - 4. A method according to claim 1, wherein the security-enabled domain comprises a distributed directory domain.
  - 5. A method according to claim 1, wherein the security-enabled domain comprises a certificate-based domain.
  - 6. A method according to. claim 5, wherein the certificate-based domain comprises a Kerberos-enabled domain.
  - 7. A method according to claim 6, wherein the matching protocol comprises an X.509 certificate.
  - 8. A method according to claim 1, wherein the security authorization request is generated by the external node.
  - 9. A method according to claim 8, wherein the step of receiving the security authorization request is executed by the internal node.
  - 10. A method according to claim 1, wherein the security authorization request is generated by the internal node.
  - 11. A method according to claim 10, wherein the step of receiving the security authorization request is executed by the external node.
  - 12. A method according to claim 1, further comprising a step of terminating the secure connection when a session between the external node and the internal node is complete.
  - 13. A method according to claim 1, further comprising a step of terminating connection processing when no match between the first protocol set and the second protocol set is found.
  - 14. A method according to claim 1, further comprising a step of selecting a protocol to use in establishing the secure connection when a plurality of matching protocols are found.
  - 15. A method according to claim 1, further comprising a step of authenticating at least one of the internal node and the external node.
  - 16. A method according to claim 15, wherein the step of authenticating comprises communicating a certificate to a certificate authority.

17. A system for automatically negotiating a security protocol, comprising:
- a first interface to an internal node, the internal node being internal to a security-enabled domain, the internal node having an associated first protocol set;
  
  a second interface to an external node, the external node being external to the security-enabled domain, the external node having an associated second protocol set; and
  
  a negotiation engine, the negotiation engine receiving a security authorization request to establish a secure connection between the internal node and the external node, comparing the first protocol set associated with the internal node to the second protocol set associated with the external node, and establishing a secure connection between the external node and the internal node when a matching protocol between the first protocol set and the second protocol set is found.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. A system according to claim 17, wherein the external node comprises at least one of a computer and a network-enabled wireless device.
  - 19. A system according to claim 17, wherein the internal node comprises at least one of a client computer and a server.
  - 20. A system according to claim 17, wherein the security-enabled domain comprises a distributed directory domain.
  - 21. A system according to claim 17, wherein the security-enabled domain comprises a certificate-based domain.
  - 22. A system according to claim 21, wherein the certificate-based domain comprises a Kerberos-enabled domain.
  - 23. A system according to claim 22, wherein the matching protocol comprises an X.509 certificate.
  - 24. A system according to claim 17, wherein the security authorization request is generated by the external node.
  - 25. A system according to claim 24, wherein the security authorization request is received by the internal node.
  - 26. A system according to claim 17, wherein the security authorization request is generated by the internal node.
  - 27. A system according to claim 26, wherein the security authorization request is received by the external node.
  - 28. A system according to claim 17, wherein the negotiation engine terminates the secure connection when a session between the external node and the internal node is complete.
  - 29. A system according to claim 17, wherein the negotiation engine terminates connection processing when no match between the first protocol set and the second protocol set is found.
  - 30. A system according to claim 17, wherein the negotiation engine selects a protocol to use in establishing the secure connection when a plurality of matching protocols are found.
  - 31. A system according to claim 17, wherein at least one of the internal node and the external node authenticates the other.
  - 32. A system according to claim 31, wherein the authenticating comprises communicating a certificate to a certificate authority.

33. A system for automatically negotiating a security protocol, comprising:
- first interface means for interfacing to an internal node, the internal node being internal to a security-enabled domain, the internal node having an associated first protocol set;
  
  second interface means for interfacing to an external node, the external node being external to the security-enabled domain, the external node having an associated second protocol set; and
  
  negotiation means, the negotiation means for receiving a security authorization request to establish a secure connection between the internal node and the external node, comparing the first protocol set associated with the internal node to the second protocol set associated with the external node, and establishing a secure connection between the external node and the internal node when a matching protocol between the first protocol set and the second protocol set is found.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 61, 62)
- - 34. A system according to claim 33, wherein the external node comprises at least one of a computer and a network-enabled wireless device.
  - 35. A system according to claim 33, wherein the internal node comprises at least one of a client computer and a server.
  - 36. A system according to claim 33, wherein the security-enabled domain comprises a distributed directory domain.
  - 37. A system according to claim 36, wherein the security-enabled domain comprises a certificate-based domain.
  - 38. A system according to claim 37, wherein the certificate-based domain comprises a Kerberos-enabled domain.
  - 39. A system according to claim 38, wherein the matching protocol comprises an X.509 certificate.
  - 40. A system according to claim 33, wherein the security authorization request is generated by the external node.
  - 41. A system according to claim 40, wherein the security authorization request is received by the internal node.
  - 42. A system according to claim 33, wherein the security authorization request is generated by the internal node.
  - 43. A system according to claim 42, wherein the security authorization request is received by the external node.
  - 44. A system according to claim 33, wherein the negotiation means terminates the secure connection when a session between the external node and the internal node is complete.
  - 45. A system according to claim 33, wherein the negotiation means terminates connection processing when no match between the first protocol set and the second protocol set is found.
  - 46. A system according to claim 33, wherein the negotiation means selects a protocol to use in establishing the secure connection when a plurality of matching protocols are found.
  - 47. A system according to claim 33, wherein at least one of the internal node and the external node authenticates the other.
  - 48. A system according to claim 47, wherein the authenticating comprises communicating a certificate to a certificate authority.
  - 61. A computer readable medium according to claim 43, wherein the method further comprises a step of terminating connection processing when no match between the first protocol set and the second protocol set is found.
  - 62. A computer readable medium according to claim 43, wherein the method further comprises a step of selecting a protocol to use in establishing the secure connection when a plurality of matching protocols are found.

49. A computer readable medium, the computer readable medium being readable to execute a method for automatically negotiating a security protocol, the method comprising:
- receiving a security authorization request to establish a secure connection between an internal node, the internal node being internal to a security-enabled domain, and an external node, the external node being external to the security-enabled domain;
  
  comparing a first protocol set associated with the internal node to a second protocol set associated with the external node; and
  
  establishing a secure connection between the external node and the internal node when a matching protocol between the first protocol set and the second protocol set is found.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 50. A computer readable medium according to claim 49, wherein the external node comprises at least one of a computer and a network-enabled wireless device.
  - 51. A computer readable medium according to claim 49, wherein the internal node comprises at least one of a client computer and a server.
  - 52. A computer readable medium according to claim 49, wherein the security-enabled domain comprises a distributed directory domain.
  - 53. A computer readable medium according to claim 49, wherein the security-enabled domain comprises a certificate-based domain.
  - 54. A computer readable medium according to claim 53, wherein the certificate-based domain comprises a Kerberos-enabled domain.
  - 55. A computer readable medium according to claim 54, wherein the matching protocol comprises an X.509 certificate.
  - 56. A computer readable medium according to claim 49, wherein the step of generating a security authorization request is executed by the external node.
  - 57. A computer readable medium according to claim 56, wherein the step of receiving the security authorization request is executed by the internal node.
  - 58. A computer readable medium according to claim 49, wherein the step of generating a security authorization request is executed by the internal node.
  - 59. A computer readable medium according to claim 58, wherein the step of receiving the security authorization request is executed by the external node.
  - 60. A computer readable medium according to claim 49, wherein the method further comprises a step of terminating the secure connection when a session between the external node and the internal node is complete.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bazan Bejarano, Dario

Granted Patent

US 7,526,640 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/16   Implementing security featu...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/14   Session management for real...

System and method for automatic negotiation of a security protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatic negotiation of a security protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links