LOW-LATENCY PEER SESSION ESTABLISHMENT
First Claim
1. A method of establishing a communication session by a source device having a processor and a source private key with a target device having a target public certificate, the method comprising:
- executing on the processor instructions configured to;
generate a source session key;
transmit to the target device a session invite comprising a source address and the source session key, the session invite encrypted using the target public certificate; and
upon receiving from the target device a session acceptance comprising a target address and a target session key;
decrypt the session acceptance using the source private key;
generate a session key using the source session key and the target session key; and
initiate the communication session with the target device at the target address, the communication session encrypted using the session key.
2 Assignments
0 Petitions
Accused Products
Abstract
A source device and a target device may endeavor to form a secure communication session whereby encrypted messages may be transmitted over an untrusted network, such as the internet. However, the exchange of many messages in the establishment of the communication session may involve considerable latency and computational resources, particularly in scenarios featuring many communication sessions (e.g., peer-to-peer communication sessions.) Techniques for initiating a communication session may be devised that enables the initiation of a communication session with only two exchanged messages, or even with a single message transmitted from the source device to the target device. Some embodiments of these techniques may also permit the inclusion of advantageous security features, such as authentication via public certificate to detect man-in-the-middle attacks and the inclusion of nonces to detect replay attacks, without increasing the number of messages involved in the initiation of the communication session.
-
Citations
20 Claims
-
1. A method of establishing a communication session by a source device having a processor and a source private key with a target device having a target public certificate, the method comprising:
executing on the processor instructions configured to; generate a source session key; transmit to the target device a session invite comprising a source address and the source session key, the session invite encrypted using the target public certificate; and upon receiving from the target device a session acceptance comprising a target address and a target session key; decrypt the session acceptance using the source private key; generate a session key using the source session key and the target session key; and initiate the communication session with the target device at the target address, the communication session encrypted using the session key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
12. A method of establishing a communication session by a target device having a processor and a target private key with a source device having a source public certificate, the method comprising:
executing on the processor instructions configured to; upon receiving from the source device a session invite comprising a source session key; decrypt the session invite using the target private key; generate a target session key comprising a target session key; generate a session key using the source session key and the target session key; and transmit to the source device a session acceptance comprising a target address and the target session key, the session acceptance encrypted using the source public certificate; and upon receiving from the source device an initiation of a communication session, initiate the communication session with the source device at the source address, the communication session encrypted using the session key. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
-
20. A computer-readable storage medium comprising instructions that, when executed on a processor of a source device operated by a source user and comprising a certificate cache and a source private key and having at least one source address, represented in a deployable computing environment hosted by a computing environment host and also representing a target device operated by a target user and having at least one target address, the source device having access to a certificate server comprising at least one public certificate including a target public certificate identifying the target device, establish a communication session with the target device by:
-
obtaining the target public certificate of the target device from the certificate server; storing the target public certificate in the certificate cache; generating a source session key; generating a source nonce; transmitting to the target device a session invite comprising the at least one source address, the source session key, and the source nonce, the session invite encrypted using the target public certificate; upon receiving from the target device a session acceptance comprising at least one candidate target address, a target session key, a target nonce, and a target user authenticator; decrypting the session acceptance using the source private key; verifying the target nonce; verifying the target user using the target user authenticator; and upon verifying the target user and the target nonce; selecting at least one target address among the at least two candidate target addresses, generating a session key using the source session key and the target session key, and initiating the communication session with the target device at a selected target address, the communication session encrypted using the session key; and establishing a subsequent communication session with the target device by retrieving the target public certificate from the certificate cache.
-
Specification