ESTABLISHING SECURE, MUTUALLY AUTHENTICATED COMMUNICATION CREDENTIALS

US 20070283154A1
Filed: 05/31/2006
Published: 12/06/2007
Est. Priority Date: 05/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method for establishing secure, mutually authenticated communication between trusted servers of a trusted network and an edge server of a perimeter network outside the trusted network, said method comprising:

creating a public key and a password associated with the edge server in the perimeter network;

transferring securely the public key and the password to the trusted network;

creating an edge configuration object associated with the edge server on a distributed directory service administered within the trusted network;

placing the public key and the password on the corresponding created edge configuration object of the distributed directory service within the trusted network;

updating, by the distributed directory service, the public key and password associated with the edge server to two or more of the trusted servers on the trusted network adapted for communicating with the perimeter network, thereby identifying the edge server to each of the trusted servers adapted for communicating with the perimeter network as a registered edge server;

encrypting, by each trusted server adapted for communicating with the perimeter network, a password associated with the particular trusted server with the public key created by the edge server; and

sending, by each trusted server adapted for communicating with the perimeter network, a password associated with each particular trusted server encrypted with a private key associated with the particular trusted server to the edge server for authenticating the edge server with respect to each respective trusted server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Establishing secure, mutually authenticated communication between a trusted network and a perimeter network. Servers on the perimeter network may be securely and automatically configured to communicate with the trusted network. Servers not functioning properly may be stopped from communicating with the other servers. Credential information relating to a perimeter server may be automatically, and regularly, updated without intervention.

69 Citations

View as Search Results

20 Claims

1. A method for establishing secure, mutually authenticated communication between trusted servers of a trusted network and an edge server of a perimeter network outside the trusted network, said method comprising:
- creating a public key and a password associated with the edge server in the perimeter network;
  
  transferring securely the public key and the password to the trusted network;
  
  creating an edge configuration object associated with the edge server on a distributed directory service administered within the trusted network;
  
  placing the public key and the password on the corresponding created edge configuration object of the distributed directory service within the trusted network;
  
  updating, by the distributed directory service, the public key and password associated with the edge server to two or more of the trusted servers on the trusted network adapted for communicating with the perimeter network, thereby identifying the edge server to each of the trusted servers adapted for communicating with the perimeter network as a registered edge server;
  
  encrypting, by each trusted server adapted for communicating with the perimeter network, a password associated with the particular trusted server with the public key created by the edge server; and
  
  sending, by each trusted server adapted for communicating with the perimeter network, a password associated with each particular trusted server encrypted with a private key associated with the particular trusted server to the edge server for authenticating the edge server with respect to each respective trusted server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as set forth in claim 1 further comprising storing a private key associated with the public key on the edge server in the perimeter network.
  - 3. A method as set forth in claim 1 further comprising creating a self-signed certificate for secure SSL (secure sockets layer) connection on an edge server, said public key and said password associated with said self-signed certificate, wherein said transferring securely comprises transferring manually the self-signed certificate with the public key and the password to the trusted network.
  - 4. A method as set forth in claim 3 further comprising maintaining the self-signed certificate with the public key and the password in a secure state during said transferring manually.
  - 5. A method as set forth in claim 3 wherein said sending comprises sending through the secure SSL established by the self-signed certificate.
  - 6. A method as set forth in claim 1 wherein said transferring securely further comprises transferring securely a location identifier associated with the edge server.
  - 7. A method as set forth in claim 1 wherein said sending an encrypted password comprises sending the encrypted password to a stand-alone directory service administered by the edge server being authenticated.

8. A method for automatically updating credential information between a trusted server residing on a trusted network and an edge server residing on a perimeter network, said trusted network administering a distributed directory service, said method comprising:
- reading, by the trusted server, the current credential information of the edge server residing on the perimeter network;
  
  determining the expiration status of the current credential information on the edge server;
  
  propagating the replacement credential information from the distributed directory service to the edge server by any trusted server; and
  
  utilizing, by the trusted server, the replacement credential information when an attempt to utilize the current credential information fails.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. A method as set forth in claim 8 further comprising deleting the current credential information when an attempt to utilize the replacement credential information is successful.
  - 10. A method as set forth in claim 8 further comprising creating replacement credential information when a replacement criteria is met.
  - 11. A method as set forth in claim 10 wherein said creating replacement credential information comprises:
    - encrypting the replacement credential information for the edge server; and
      
      placing the replacement credential information on an edge configuration object of the distributed directory service associated with the edge server.
  - 12. A method as set forth in claim 11 wherein said reading the current credential information comprises reading a password of the edge server;
    - andwherein said encrypting the replacement credential information comprises encrypting a replacement password.
  - 13. A method as set forth in claim 12 wherein said encrypting a replacement password comprises encrypting a replacement password including non-ASCII characters.
  - 14. A method as set forth in claim 12 wherein said encrypting a replacement password comprises encrypting a replacement password created automatically by a random number generator.
  - 15. A method as set forth in claim 12 wherein said encrypting a replacement password comprises encrypting a replacement password including a maximum number of allowable characters.
  - 16. A method as set forth in claim 10 wherein said creating replacement credential information comprises digitally signing, by each trusted server, the credential information of the particular trusted server with a private key created by the trusted server, said method further comprising verifying, at the edge server, that each particular trusted server has digitally signed its respective credentials.
  - 17. A method as set forth in claim 8 wherein said propagating the replacement credential information occurs with any trusted server adapted for communication with the perimeter network.

18. A method for disenfranchising a server residing on a trusted network or a perimeter network from communication with other servers on the trusted network or the perimeter network, said trusted network administering a distributed directory service comprising credential information corresponding to each of the servers on the trusted network and the perimeter network, said method comprising:
- receiving instructions from an administrator from within the trusted network instructing that one of the servers requires disenfranchisement from communicating with the other servers; and
  
  deleting credential information associated with the server requiring disenfranchisement within the distributed directory service, thereby eliminating the ability of any server on the trusted network or the perimeter network to establish communication with the server with deleted credential information.
- View Dependent Claims (19, 20)
- - 19. A method as set forth in claim 18 wherein said deleting credential information associated with a server comprises deleting a configuration object associated with the server on the distributed directory service administered by the trusted network.
  - 20. A method as set forth in claim 18 wherein said receiving instructions comprises receiving an indication that the server requiring disenfranchisement poses a security risk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Zhang, Hao, Tribble, Eric D., Pearson, Malcolm E., Kay, Jeffrey B.

Granted Patent

US 8,549,295 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

H04L 2463/081   applying self-generating cr...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

ESTABLISHING SECURE, MUTUALLY AUTHENTICATED COMMUNICATION CREDENTIALS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ESTABLISHING SECURE, MUTUALLY AUTHENTICATED COMMUNICATION CREDENTIALS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links