Creating secure interactive connections with remote resources

US 20070061878A1
Filed: 02/15/2006
Published: 03/15/2007
Est. Priority Date: 09/12/2005
Status: Active Grant

First Claim

Patent Images

1. At a server in a computerized system in which the server communicates data with a client computer system through a secure connection, a method of creating the secure connection by authenticating the user initiating the connection from the client computer system relatively early in a connection process, comprising the acts of:

receiving a connection request from a client computer system to communicate with one or more remote server resources at a server, the connection request indicating a plurality of secure communication protocols with which the client computer system is enabled;

sending a connection response to the client computer system, the connection response indicating a preferred secure communication protocol of the plurality of secure communication protocols;

confirming use of the preferred secure communication protocol through a data exchange in a secured channel set up with the client computer system; and

communicating data with a client application program of the client computer system through the preferred secure communication protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.

396 Citations

20 Claims

1. At a server in a computerized system in which the server communicates data with a client computer system through a secure connection, a method of creating the secure connection by authenticating the user initiating the connection from the client computer system relatively early in a connection process, comprising the acts of:
- receiving a connection request from a client computer system to communicate with one or more remote server resources at a server, the connection request indicating a plurality of secure communication protocols with which the client computer system is enabled;
  
  sending a connection response to the client computer system, the connection response indicating a preferred secure communication protocol of the plurality of secure communication protocols;
  
  confirming use of the preferred secure communication protocol through a data exchange in a secured channel set up with the client computer system; and
  
  communicating data with a client application program of the client computer system through the preferred secure communication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, wherein the plurality of secure communication protocols include at least one of an RDP, SSL, NTLM, Kerberos security protocols, or a combination thereof.
  - 3. The method as recited in claim 1, wherein the connection request from the client computer system is an X224 connection request extended to include the plurality of secure communication protocols with which the client computer system is enabled;
    - and wherein the connection response is an X224 connection response extended to include the preferred secure communication protocol.
  - 4. The method as recited in claim 1, further comprising an act of identifying one or more secure communication protocols at the server that are the same as at least one of the plurality of secure communication protocols indicated by the client computer system.
  - 5. The method as recited in claim 4, further comprising an act of determining that one of the one or more secure communication protocols at the server are allowed based on a server system setting.
  - 6. The method as recited in claim 1, further comprising the acts of:
    - identifying a plurality of server certificates in a certificate store; and
      
      determining a preferred one of the plurality of server certificates to send to the client computer system.
  - 7. The method as recited in claim 6, wherein the preferred server certificate is any of a certificate explicitly selected by a user, a certificate configured through a server system policy, or a self-signed server certificate.
  - 8. The method as recited in claim 1, further comprising the acts of:
    - receiving client computer system authentication information; and
      
      storing the authentication information as part of a connection context for the client computer system.
  - 9. The method as recited in claim 8, further comprising a step for determining that the client computer system authentication information is invalid, the step comprising one or more of:
    - (i) an act of identifying that a timestamp in the client computer system authentication information has expired;
      
      (ii) an act of identifying that one or more messages have been received from the client computer system that have not included expected authentication information;
      
      or (iii) an act of identifying that a received authentication certificate does not match an expected authentication certificate associated with the connection request from the client computer system.
  - 10. The method as recited in claim 1, further comprising an act of receiving a different connection request directed to a VIP address, wherein the different connection request includes connection information for a prior connection.
  - 11. The method as recited in claim 10, further comprising the acts of:
    - identifying that a connection context identified for the prior connection is saved at the server; and
      
      allowing the requested different connection.
  - 12. The method as recited in claim 10, further comprising the acts of:
    - identifying that a connection context for the prior connection is saved at a different server; and
      
      sending a response message to the client computer system, of the response message indicating that the different server is an appropriate server for the different connection request.
  - 13. The method as recited in claim 1, further comprising an act of appending one or more messages previously received from the client computer system regarding the initial connection request to an outgoing message prepared by the server, such that the server confirms its selection of the preferred secure communication protocol to the client computer system.

14. At a client computer system configured to communicate data with a server through a secure connection, a method of creating the secure connection with the server by authenticating relatively early in a connection process, comprising:
- an act of identifying a plurality of secure communication protocol capabilities at a client computer system;
  
  a step for negotiating a preferred one of the plurality of secure communication protocol capabilities with a server, such that a mutually preferred secure communication protocol is identified;
  
  an act of exchanging authentication information with the server using the preferred secure communication protocol, wherein authentication information from the server comprises any one of a self-signed certificate, a manually installed certificate, or a certificate received from a remote certificate authority; and
  
  a step for confirming use of the secure communication protocol negotiated with the server with one or more initial data packets communicated during negotiation with the server.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method as recited in claim 14, wherein the step for negotiating a preferred one of the plurality of secure communication protocols further comprises the acts of:
    - sending a connection request message that includes an indication of the one or more secure communication protocols identified at the client computer system; and
      
      receiving a response from the server that identifies the mutually preferred one of the secure communication protocols.
  - 16. The method as recited in claim 14, wherein the step for confirming the use of the secure communication protocol negotiated with the server comprises the acts of:
    - receiving one or more initial data packets from the server; and
      
      identifying information having been previously exchanged with the server appended to any of the one or more initial data packets.
  - 17. The method as recited in claim 14, further comprising an act of storing the server certificate received from the server in a connection context at the client computer system.
  - 18. The method as recited in claim 17, further comprising the acts of:
    - identifying that a connection with the server has failed; and
      
      sending a reconnection request message to a virtual IP address for the server, wherein the reconnection request message includes at least some information stored in the connection context.
  - 19. The method as recited in claim 17, further comprising the acts of:
    - receiving a connection denial message from the virtual IP address for the server, the connection denial message including at least one of a server name and network address for the server;
      
      sending a new reconnection request message to the virtual IP address for the server, the new reconnection request message including the at least one of the server name and network address for the server; and
      
      reestablishing the connection with the server in accordance with the connection context.

20. At a server in a computerized system in which the server communicates data with a client computer system through a secure connection, a computer program product having computer-executable instructions that, when executed, cause one or more processors at the server to perform a method of creating the secure connection by authenticating the client computer system relatively early in a connection process, comprising the acts of:
- receiving a connection request from a client computer system to communicate with one or more remote server resources at a server, the connection request indicating a plurality of secure communication protocols with which the client computer system is enabled;
  
  sending a connection response to the client computer system, the connection response indicating a preferred secure communication protocol of the plurality of secure communication protocols;
  
  confirming use of the preferred secure communication protocol through a data exchange in a secured channel set up with the client computer system; and
  
  communicating data with a client application program of the client computer system through the preferred secure communication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hagiu, Costin, Chik, Joy, Bernardi, Ara, Palekar, Ashwin, Mahajan, Rajneesh, Saul, Elton, Kuzin, Sergey, Parsons, John

Granted Patent

US 8,220,042 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

G06F 21/42   using separate channels for...

G06F 21/606   by securing the transmissio...

G06F 2221/2107   File encryption

H04L 63/0823   using certificates cryptogr...

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

Creating secure interactive connections with remote resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

396 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Creating secure interactive connections with remote resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

396 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links