Method and system for a flexible lightweight public-key-based mechanism for the GSS protocol
Abstract
A method for establishing a secure context for communicating messages between a client and a server is presented that is compliant with the Generic Security Service application programming interface (GSS-API). The client sends to the server a first message containing a first symmetric secret key generated by the client and an authentication token; the first message is secured with the public key from the server's public key certificate. After the server authenticates the client based on the authentication token, the client then receives from the server a second message that has been secured with the first symmetric secret key and that contains a second symmetric secret key. The client and the server employ the second symmetric secret key to secure subsequent messages sent between the client and the server. The authentication token may be a public key certificate associated with the client, a username-password pair, or a secure ticket.
104 Citations
18 Claims

1. A method for establishing a secure context for communicating messages between a first system and a second system, the method comprising:
obtaining by the second system a first public key certificate of the first system, wherein the second system is able to validate the first public key certificate that contains a public key;
generating by the second system a transport key, wherein the transport key is a symmetric secret key;
placing by the second system the transport key and an authentication token into a first message secured with the public key;
sending the first message from the second system to the first system;
receiving at the second system from the first system a second message secured with the transport key in response to sending the first message to the first system;
extracting by the second system a session key from the second message, wherein the session key is a symmetric secret key; and
employing the session key to secure subsequent messages sent by the second system to the first system. (Dependent claims 2, 3, 4 and 5 not shown.)

6. A method for establishing a secure context for communicating messages between a first system and a second system, the method comprising:
providing by the first system a public key certificate associated with the first system, wherein the second system is able to validate the public key certificate;
receiving at the first system from the second system a first message, wherein the first message is secured with a public key from the public key certificate associated with the first system, wherein the first message contains a transport key and an authentication token, and wherein the transport key is a symmetric secret key;
authenticating the second system by the first system based on the authentication token;
generating by the first system a session key, wherein the session key is a symmetric secret key;
placing by the first system the session key into a second message secured with the transport key;
sending the second message from the first system to the second system in response to receiving the first message; and
receiving at the first system from the second system subsequent messages secured with the session key. (Dependent claims 7, 8, 9 and 10 not shown.)

11. A computer program product on a computer readable medium for use in a second system for establishing a secure context for communicating messages between a first system and the second system, the computer program product comprising:
means for obtaining a public key certificate containing a public key associated with the first system;
means for generating a transport key, wherein the transport key is a symmetric secret key;
means for placing the transport key and an authentication token into a first message secured with the public key;
means for sending the first message to the first system;
means for receiving from the first system a second message secured with the transport key in response to sending the first message to the first system;
means for extracting a session key from the second message, wherein the session key is a symmetric secret key; and
means for employing the session key to secure subsequent messages sent to the first system. (Dependent claim 12 not shown.)

13. A computer program product on a computer readable medium for use in a first system for establishing a secure context for communicating messages between a first system and the second system, the computer program product comprising:
means for providing a public key certificate associated with the first system;
means for receiving a first message from the second system, wherein the first message is secured with a public key from the public key certificate associated with the first system, wherein the first message contains a transport key and an authentication token, and wherein the transport key is a symmetric secret key;
means for authenticating the second system based on the authentication token;
means for generating a session key, wherein the session key is a symmetric secret key;
means for placing the session key into a second message secured with the transport key;
means for sending the second message to the second system in response to receiving the first message; and
means for receiving from the second system subsequent messages secured with the session key. (Dependent claim 14 not shown.)

15. An apparatus for establishing a secure context for communicating messages between a first system and a second system, the apparatus comprising:
means for obtaining a public key certificate containing a public key associated with the first system;
means for generating a transport key, wherein the transport key is a symmetric secret key;
means for placing the transport key and an authentication token into a first message secured with the public key;
means for sending the first message to the first system;
means for receiving from the first system a second message secured with the transport key in response to sending the first message to the first system;
means for extracting a session key from the second message, wherein the session key is a symmetric secret key; and
means for employing the session key to secure subsequent messages sent to the first system. (Dependent claim 16 not shown.)

17. An apparatus for establishing a secure context for communicating messages between a first system and a second system, the apparatus comprising:
means for providing a public key certificate associated with the first system;
means for receiving a first message from the second system, wherein the first message is secured with a public key from the public key certificate associated with the first system, wherein the first message contains a transport key and an authentication token, and wherein the transport key is a symmetric secret key;
means for authenticating the second system based on the authentication token;
means for generating a session key, wherein the session key is a symmetric secret key;
means for placing the session key into a second message secured with the transport key;
means for sending the second message to the second system in response to receiving the first message; and
means for receiving from the second system subsequent messages secured with the session key. (Dependent claim 18 not shown.)
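The exchange claimed above (claims 1 and 6, summarized in the abstract), played out end to end as an added example in Go using only the standard library. This is not code from the patent or from any GSS-API implementation, and it is not wire-compatible with any GSS mechanism; it shows the order of operations and the checks each side performs. The claims name no algorithms, so the example assumes RSA-OAEP for "secured with the public key" and AES-256-GCM for "secured with" a symmetric key. The host name gss-server.example, the user alice and her password are constructed for the example, and the authentication token is the username-password form the abstract lists.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const serverName = "gss-server.example" // assumed name, not from the patent

// Server is the claims' "first system": RSA key pair, certificate, constructed user table.
type Server struct {
	priv  *rsa.PrivateKey
	Cert  *x509.Certificate
	users map[string]string
}

// must covers setup and fixed-size-key steps only; protocol input never reaches it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// NewServer self-signs for the example; a real client would trust the issuing CA instead.
func NewServer() *Server {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	users := map[string]string{"alice": "correct horse battery"} // constructed credential
	return &Server{priv: priv, Cert: must(x509.ParseCertificate(der)), users: users}
}

// gcm is the AES-256-GCM AEAD assumed wherever the claims say "secured with" a symmetric key.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// ClientStep1 (second system) validates the certificate before using its key, as the claims
// require, then returns message 1 = RSA-OAEP(transportKey || token) and the transport key.
func ClientStep1(cert *x509.Certificate, roots *x509.CertPool, token string) (msg1, tk []byte, err error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName}); err != nil || !ok {
		return nil, nil, fmt.Errorf("server certificate rejected (rsa key: %t): %v", ok, err)
	}
	tk = randBytes(32)
	msg1, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append(append([]byte{}, tk...), token...), nil)
	return msg1, tk, err
}

// HandleMessage1 (first system) unwraps message 1, authenticates the "user:password" token
// and answers with message 2: a fresh session key sealed as nonce || ciphertext || tag.
func (s *Server) HandleMessage1(msg1 []byte) (msg2, sk []byte, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, msg1, nil)
	if err != nil || len(plain) < 32 {
		return nil, nil, fmt.Errorf("cannot unwrap message 1")
	}
	tk, token := plain[:32], string(plain[32:])
	user, pass, ok := strings.Cut(token, ":")
	want, known := s.users[user] // presence check: "bob:" must not match a missing entry
	if !ok || !known || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		return nil, nil, fmt.Errorf("authentication failed")
	}
	sk, aead := randBytes(32), gcm(tk)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, sk, nil), sk, nil
}

// ClientStep2 recovers the session key from message 2 with the transport key; a wrong key
// or any tampering surfaces as a single error.
func ClientStep2(tk, msg2 []byte) ([]byte, error) {
	aead := gcm(tk)
	if len(msg2) < aead.NonceSize() {
		return nil, fmt.Errorf("message 2 too short")
	}
	return aead.Open(nil, msg2[:aead.NonceSize()], msg2[aead.NonceSize():], nil)
}

func main() {
	s, roots := NewServer(), x509.NewCertPool()
	roots.AddCert(s.Cert) // the client's trust store, holding the self-signed cert
	msg1, tk, err := ClientStep1(s.Cert, roots, "alice:correct horse battery")
	msg2, sk, err2 := s.HandleMessage1(must(msg1, err))
	ck := must(ClientStep2(tk, must(msg2, err2)))
	fmt.Println(string(ck) == string(sk)) // prints true: both sides hold the same session key
}
```

Two properties of the scheme stand out when reading the code. Everything rests on the certificate validation in ClientStep1: a client that encrypted to an unvalidated key would hand its password and transport key to whoever supplied the certificate, which is why the claims make the ability to validate the certificate a precondition. And because both the transport key and the session key travel under the server's long-term RSA key, the exchange has no forward secrecy: anyone who later obtains that private key and has recorded the two messages can recover the session key. On the server side the password comparison is constant-time and is preceded by a presence check, so an empty password cannot match a missing user entry.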
Specification