ESTABLISHING A SECURE CONNECTION ACROSS SECURED ENVIRONMENTS

US 20180131525A1
Filed: 11/07/2016
Published: 05/10/2018
Est. Priority Date: 11/07/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method for establishing a verifiable secure communication connection between a server and a client using a trusted secure gateway, wherein the server and the trusted secure gateway reside within a first network realm, wherein the server'"'"'s public key certificates are signed by a certifying authority not certifiable from a the client residing within a second network realm different to the first network realm, the method comprising:

verifying, by the trusted secure gateway, a certificate of the server signed by a certificate authority of the first network realm before establishing the communication connection between the server and the client, wherein the trusted secure gateway is trusted by the server;

verifying, by the trusted secure gateway, a certificate of the client signed by a certificate authority of the second network realm before establishing the communication connection between the server and the client;

verifying, by the client, a certificate of the trusted secure gateway signed by a public key certificate authority certifiable from the client'"'"'s network before establishing the communication between the server and the client; and

establishing, via the trusted secure gateway, the communication connection between the client and the server if authorized by an access control list residing on the trusted of the trusted secure gateway, the access control list being indicative of allowed communication connections out of systems of the first network realm and into systems of the first network realm.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed aspects relate to establishing a secure communication connection between a server and a client. The server and a gateway reside within a first network realm. The server'"'"'s public key certificates are signed by a certifying authority not certifiable from a the client residing within a second network realm. Aspects relate to verifying a server'"'"'s certificate signed by a certificate authority of the first network realm before establishing the communication connection between the server and the client. Aspects relate to verifying a client'"'"'s certificate signed by a certificate authority of the second network realm before establishing the communication connection between the server and the client. Aspects relate to verifying, a trusted secure gateway'"'"'s certificate signed by a public key certificate authority certifiable from the client'"'"'s network before establishing the communication between the server and the client.

22 Citations

View as Search Results

20 Claims

1. A method for establishing a verifiable secure communication connection between a server and a client using a trusted secure gateway, wherein the server and the trusted secure gateway reside within a first network realm, wherein the server'"'"'s public key certificates are signed by a certifying authority not certifiable from a the client residing within a second network realm different to the first network realm, the method comprising:
- verifying, by the trusted secure gateway, a certificate of the server signed by a certificate authority of the first network realm before establishing the communication connection between the server and the client, wherein the trusted secure gateway is trusted by the server;
  
  verifying, by the trusted secure gateway, a certificate of the client signed by a certificate authority of the second network realm before establishing the communication connection between the server and the client;
  
  verifying, by the client, a certificate of the trusted secure gateway signed by a public key certificate authority certifiable from the client'"'"'s network before establishing the communication between the server and the client; and
  
  establishing, via the trusted secure gateway, the communication connection between the client and the server if authorized by an access control list residing on the trusted of the trusted secure gateway, the access control list being indicative of allowed communication connections out of systems of the first network realm and into systems of the first network realm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method according to claim 1, further comprising:
    - verifying, by the server, a certificate of the trusted secure gateway signed by the public key certificate authority certifiable from the server'"'"'s network realm before establishing the communication connection between the server and the client.
  - 3. The method according to claim 1, wherein the certificate authority of the second network realm is a local certificate authority of the client.
  - 4. The method according to claim 1, wherein the certificate authority of the second network realm is a well-trusted 3rd party certificate authority.
  - 5. The method according to claim 1, wherein:
    - the verifying, by the trusted secure gateway, the server'"'"'s certificate represents an authentication of the server, andthe verifying, by the trusted secure gateway, the client'"'"'s certificate represents an authentication of the client.
  - 6. The method according to claim 1, wherein a first symmetric key is exchanged between the client and the trusted secure gateway, and a second symmetric key is exchanged between the server and the trusted secure gateway, wherein an inbound communication to the trusted secure gateway is decrypted by the first symmetric key before being encrypted with a the second symmetric key before being transmitted by the trusted secure gateway.
  - 7. The method according to claim 1, further comprising:
    - exchanging a single symmetric key between the client and the server, wherein an inbound communication to the trusted secure gateway is transmitted directly without requiring decryption.
  - 8. The method according to claim 1, further comprising:
    - exchanging a single symmetric key between the client and the server, wherein an inbound communication to the trusted secure gateway is transmitted directly without requiring re-encryption.
  - 9. The method according to claim 1, further comprising:
    - exchanging a single symmetric key between the client and the server, wherein an inbound communication to the trusted secure gateway is transmitted directly without requiring decryption and re-encryption.
  - 10. The method according to claim 1, wherein the trusted secure gateway performs a port-forwarding for a determination of a specific server in the first network realm to be connected to the client.
  - 11. The method according to claim 1, wherein the trusted secure gateway acts as SOCKS5 proxy for a determination of a specific client in the second network realm is to be connected to the server.
  - 12. The method according to claim 1, wherein the trusted secure gateway acts as HTTP proxy for a determination of a specific client in the second network realm is to be connected to the server.
  - 13. The method according to claim 1, wherein the trusted secure gateway logs one or more accesses of one or more communication connections between one or more of the servers in the first network realm and one or more of the clients in the second network realm.
  - 14. The method according to claim 1, wherein the trusted secure gateway logs all accesses of all communication connections between any of the servers in the first network realm and any of the clients in the second network realm.
  - 15. The method according to claim 13, wherein the logging includes:
    - one or more network addresses.
  - 16. The method according to claim 13, wherein the logging includes:
    - an access time.
  - 17. The method according to claim 13, wherein the logging includes:
    - a communication connection duration.
  - 18. The method according to claim 13, wherein the logging includes:
    - a verified public certificate of the client and the server.

19. A system for establishing a verifiable secure communication connection between a server and a client using a trusted secure gateway, wherein the server and the trusted secure gateway reside within a first network realm, wherein the server'"'"'s public key certificates are signed by a certifying authority not certifiable from a the client residing within a second network realm different to the first network realm, the system comprising:
- a memory having a set of computer readable computer instructions, anda processor for executing the set of computer readable instructions, the set of computer readable instructions including;
  
  verifying, by the trusted secure gateway, a certificate of the server signed by a certificate authority of the first network realm before establishing the communication connection between the server and the client, wherein the trusted secure gateway is trusted by the server;
  
  verifying, by the trusted secure gateway, a certificate of the client signed by a certificate authority of the second network realm before establishing the communication connection between the server and the client;
  
  verifying, by the client, a certificate of the trusted secure gateway signed by a public key certificate authority certifiable from the client'"'"'s network before establishing the communication between the server and the client; and
  
  establishing, via the trusted secure gateway, the communication connection between the client and the server if authorized by an access control list residing on the trusted of the trusted secure gateway, the access control list being indicative of allowed communication connections out of systems of the first network realm and into systems of the first network realm.

20. A computer program product for establishing a verifiable secure communication connection between a server and a client using a trusted secure gateway, wherein the server and the trusted secure gateway reside within a first network realm, wherein the server'"'"'s public key certificates are signed by a certifying authority not certifiable from a the client residing within a second network realm different to the first network realm, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor to cause the processor to perform a method comprising:
- verifying, by the trusted secure gateway, a certificate of the server signed by a certificate authority of the first network realm before establishing the communication connection between the server and the client, wherein the trusted secure gateway is trusted by the server;
  
  verifying, by the trusted secure gateway, a certificate of the client signed by a certificate authority of the second network realm before establishing the communication connection between the server and the client;
  
  verifying, by the client, a certificate of the trusted secure gateway signed by a public key certificate authority certifiable from the client'"'"'s network before establishing the communication between the server and the client; and
  
  establishing, via the trusted secure gateway, the communication connection between the client and the server if authorized by an access control list residing on the trusted of the trusted secure gateway, the access control list being indicative of allowed communication connections out of systems of the first network realm and into systems of the first network realm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kass, Eric

Application Number

US15/345,150
Publication Number

US 20180131525A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/33   using certificates

G06F 21/53   by executing in a restricte...

H04L 12/66   Arrangements for connecting...

H04L 63/02   for separating internal fro...

H04L 63/0435   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/123   received data contents, e.g...

H04L 67/01   Protocols

H04L 67/141   Setup of application sessio...

H04L 67/561   Adding application-function...

H04L 9/3268   using certificate validatio...

ESTABLISHING A SECURE CONNECTION ACROSS SECURED ENVIRONMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ESTABLISHING A SECURE CONNECTION ACROSS SECURED ENVIRONMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links