System and method for encrypted communication

US 20060277406A1
Filed: 05/18/2006
Published: 12/07/2006
Est. Priority Date: 05/20/2005
Status: Active Grant

First Claim

Patent Images

1. A communication system including an internal communication terminal coupled to an intra-organization network, an external communication terminal for accessing the internal communication terminal from an outside of the intra-organization network, and a management server for managing the inter communication terminal and the external communication terminal, wherein:

the internal communication terminal establishes an encryption communication path between communication terminal and management server for establishing an encryption communication path, to the management server, by performing beforehand authentication;

the external communication terminal establishes the encryption communication path between communication terminal and management server, to the management server;

the external communication terminal transmits a connection request for the internal communication terminal to the management server;

the external communication terminal transmits a connection request for the internal communication terminal to the management server;

the management server generates an encryption communication key for encrypting communication between the external communication terminal and the internal communication terminal, and transmits a connection request for connection from the external communication terminal to the internal communication terminal and the generated encryption communication key to the internal communication terminal by using the already established encryption communication path between the communication terminal and management server;

the internal communication terminal supplies a judgment of whether the connection request from the external communication terminal is permitted, to the management server;

if a judgment result received from the internal communication terminal indicates a communication permission, the management server transmits the generated encryption communication key to the internal communication terminal via the already established encryption communication path between communication terminal and management server;

the external communication terminal and the internal communication terminal establish encryption communication path betweens between communication terminals for establishing a communication terminal between the external communication terminal and the internal communication terminal, by using the encryption communication key received from the management server; and

the external communication terminal performs encryption communication with the internal communication terminal without involving the management server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an encryption communication using VPN technologies, a load on a VPN system becomes large if the number of communication terminals increases. When an external terminal accesses via an internal terminal an application server, processes become complicated because it is necessary to perform authentication at VPN and authentication at the application server. A management server is provided for managing external terminals, internal terminals and application servers. The management server authenticates each communication terminal and operates to establish an encryption communication path between communication terminals. Authentication of each terminal by the management server relies upon a validation server. When the external terminal performs encryption communication with the application server via the internal terminal, two encryption communication paths are established and used between the external terminal and internal terminal and between the internal terminal and application server.

53 Citations

View as Search Results

13 Claims

1. A communication system including an internal communication terminal coupled to an intra-organization network, an external communication terminal for accessing the internal communication terminal from an outside of the intra-organization network, and a management server for managing the inter communication terminal and the external communication terminal, wherein:
- the internal communication terminal establishes an encryption communication path between communication terminal and management server for establishing an encryption communication path, to the management server, by performing beforehand authentication;
  
  the external communication terminal establishes the encryption communication path between communication terminal and management server, to the management server;
  
  the external communication terminal transmits a connection request for the internal communication terminal to the management server;
  
  the external communication terminal transmits a connection request for the internal communication terminal to the management server;
  
  the management server generates an encryption communication key for encrypting communication between the external communication terminal and the internal communication terminal, and transmits a connection request for connection from the external communication terminal to the internal communication terminal and the generated encryption communication key to the internal communication terminal by using the already established encryption communication path between the communication terminal and management server;
  
  the internal communication terminal supplies a judgment of whether the connection request from the external communication terminal is permitted, to the management server;
  
  if a judgment result received from the internal communication terminal indicates a communication permission, the management server transmits the generated encryption communication key to the internal communication terminal via the already established encryption communication path between communication terminal and management server;
  
  the external communication terminal and the internal communication terminal establish encryption communication path betweens between communication terminals for establishing a communication terminal between the external communication terminal and the internal communication terminal, by using the encryption communication key received from the management server; and
  
  the external communication terminal performs encryption communication with the internal communication terminal without involving the management server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The communication system according to claim 1, wherein:
    - a validation server for validating a certificate is newly provided;
      
      the management server asks the validation server about certificate validation of each communication terminal when the communication terminal is authenticated for establishing the encryption communication path between communication terminal and management server;
      
      the validation server supplies a result of execution of a validation process for the certificate to the management server; and
      
      the management server judges that authentication of the communication terminal succeeds only when a validation result supplied from the validation server indicates a success.
  - 3. The communication system according to claim 1, wherein:
    - the communication system is a communication system having a structure that an application server is newly coupled to the intra-organization network for providing a business application;
      
      the external communication terminal establishes an encryption communication path between communication terminals for the internal communication terminal;
      
      the external communication terminal transmits a connection request for the application server to the internal communication terminal by using the established encryption communication path;
      
      the internal communication terminal establishes an encryption communication path between communication terminals for the application server; and
      
      the external communication terminal communicates with the application server via the internal communication terminal by using the encryption communication path between the external communication terminal and the internal communication terminal and the encryption communication path between the internal communication terminal and the application server.
  - 4. The communication system according to claim 1, wherein:
    - the external communication terminal establishes a first encryption communication path between terminals to the internal communication terminal;
      
      the external communication terminal transmits a connection request for an application server as the external communication terminal to the internal communication terminal, by using the established encryption communication path;
      
      the internal communication terminal transmits a connection request with authentication object information to the management server in order to establish a second encryption communication path between terminals to the application server, the connection request with authentication object information being written with information on the internal communication terminal as communication source information, information on the application server as communication destination information, and information on the external communication terminal as authentication object information;
      
      in response to an event of reception of the connection request with authentication object information, the management server confirms that the internal communication terminal as a communication source, the application server as a communication destination and the external communication terminal as an authentication object are already authenticated by the management server, and confirms that the internal communication terminal as the communication source and the external communication terminal as the authentication k has already established the first encryption communication path between terminals;
      
      after the confirmation, the management server generates an encryption communication key for encrypting communication between the internal communication terminal and the application server, and transmits the generated encryption communication key and the connection request with authentication object information to the application server by using the already established encryption communication path between communication terminal and management server;
      
      the application server judges whether the connection request for the external communication terminal sent from the internal communication terminal, and supplies a judgment result to the management server;
      
      if the judgment result received from the application server indicates a connection permission, the management server transmits the generated encryption communication key to the internal communication terminal by using the encryption communication path between communication terminal and management server, and establishes the second encryption communication path between terminals; and
      
      the external communication terminal communicates with the application server via the internal communication terminal by using sid first encryption communication path between terminals and the second encryption communication path between terminals.
  - 5. The communication system according to claim 4, wherein:
    - the management server manages an authentication state table registering address information, an authentication state and an authentication time of the external communication terminal, the internal communication terminal and the application server;
      
      the management server registers an authentication result acquired when the encryption communication paths between communication terminal and management server are established among the external communication terminal, the internal communication terminal and a terminal of the application server, in the authentication state table; and
      
      in response to reception of the connection request with authentication object information from the internal communication terminal, the management server confirms whether the authentication state table registers an authentication success of the communication source terminal, the communication destination terminal and a terminal of the authentication object.
  - 6. The communication system according to claim 4, wherein:
    - in a step of the server confirming in a description of the connection request with authentication object information received from the internal communication terminal whether the communication terminal and the terminal of the authentication object has already established the encryption communication path between communication terminals, the management server manages a communication state table registering communication source address information, communication destination address information and a communication start time of the already established first and second encryption communication paths between terminals; and
      
      in response to reception of the connection request with authentication object information from the internal communication terminal, the management server refers to the communication state table and confirms whether the internal communication terminal and the external communication terminal as the authentication object have already established the first encryption communication path between terminals.

7. A communication system including an internal communication terminal coupled to an intra-organization network, an external communication terminal for accessing the internal communication terminal from an outside of the intra-organization network, a management server for managing the inter communication terminal and the external communication terminal, and an application server for providing services, wherein:
- the management server generates an encryption key for performing encryption communication between the external communication terminal and the internal communication terminal without involving the management server, and transmits the encryption key to the external communication terminal and the internal communication terminal to establish a first encryption communication path between terminals;
  
  the external communication terminal transmits start control information for starting a process request for the application server to the internal communication terminal by using the first encryption communication path between terminals;
  
  the internal communication terminal transmits a connection request for the application server to the management server, in accordance with the start control information received from the external communication terminal;
  
  the management server;
  
  generates an encryption key for performing encryption communication between the external communication terminal and the application server without involving the management server, and transmits the encryption key to the external communication terminal and the application server to establish a second encryption communication path between terminals; and
  
  in response to the start control information received from the external communication terminal, notifies the external communication terminal of establishment of the second encryption communication path between terminal;
  
  in response to the notice, the external communication terminal transmits control information for requesting the application server about a process to the internal communication terminal; and
  
  the internal communication terminal;
  
  requests the application server about the process in accordance with the process control information received from the external communication terminal, by using the second encryption communication path between terminals;
  
  receives a process result of the control information from the application server; and
  
  transmits process result information on the process result to the external communication terminal by using the first encryption communication path between terminals.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The communication system according to claim 7, wherein:
    - the process control information is input information for operating the internal communication terminal from the external communication terminal; and
      
      the process control information is screen display information to be generated by the internal communication terminal and display the process result by the application server on a display screen of the external communication terminal.
  - 9. The communication system according to claim 7, wherein:
    - the process control information is a process request command to be issued from the external communication terminal to the internal communication terminal; and
      
      the process result information is a return value of a process result of the process request command by the application server.
  - 10. The communication system according to claim 7, wherein:
    - when the connection request is transmitted to the application server from the internal communication terminal;
      
      a connection request with authentication object information is transmitted which indicates that the external communication terminal has been authenticated and the first encryption communication path between terminals has been established to the internal communication terminal.
  - 11. The communication system according to claim 8, wherein:
    - when the management server generates the encryption keys to establish the first and second encryption communication path between terminals;
      
      the external communication terminal authenticates the internal communication terminal and the application server and manages an authentication result.
  - 12. The communication system according to claim 7, wherein the management server authenticates a user of the external communication terminal when the external communication terminal is authenticated.
  - 13. The communication system according to claim 7, wherein the management server manages a correspondence between a communication state of the first encryption communication path between terminals and a communication state of the second encryption communication path between terminals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Hashimoto, Yoko, Hoshino, Kazuyoshi, Fujishiro, Takahiro, Takata, Osamu, Kaji, Tadashi, Nakamura, Shinji

Granted Patent

US 7,984,290 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

H04L 9/3273   for mutual authentication n...

System and method for encrypted communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for encrypted communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links