Method for providing secure remote command execution over an insecure computer network

US 5,923,756 A
Filed: 02/12/1997
Issued: 07/13/1999
Est. Priority Date: 02/12/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method of enhancing the security of a message sent through a network server from a client computer to a destination server, comprising the steps, performed by the network server, of:

(a) receiving at least one request for authentication from said client computer;

(b) establishing a secure connection for receiving data from said client computer;

(c) generating a credentials cache containing client-authenticating information from a validation center;

(d) transmitting said credentials cache to said client computer and erasing said client-authenticating information from the network server;

(e) receiving from said client computer a new credentials cache containing said client-authenticating information and a corresponding message for said destination server;

(f) obtaining permission data for accessing said destination server from said validating center using said client-authenticating information and a secure authentication protocol; and

(g) transmitting said permission data and said message to said destination server.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is disclosed for enhancing the security of a message sent through a network server from a client computer to a destination server. A secure connection for receiving and transmitting data is established between the client computer and the network server. Using client-identifying information and a secure authentication protocol, the network server may then obtain client-authentication information from a validation center. The client-authentication information is transmitted to the client and erased from the network server. The network server then receives the client-authenticating information back from the client with an accompanying message for the destination server. The network server may use the client-authenticating information to obtain permission data from the validation center for use in accessing the destination server.

Citations

27 Claims

1. A method of enhancing the security of a message sent through a network server from a client computer to a destination server, comprising the steps, performed by the network server, of:
- (a) receiving at least one request for authentication from said client computer;
  
  (b) establishing a secure connection for receiving data from said client computer;
  
  (c) generating a credentials cache containing client-authenticating information from a validation center;
  
  (d) transmitting said credentials cache to said client computer and erasing said client-authenticating information from the network server;
  
  (e) receiving from said client computer a new credentials cache containing said client-authenticating information and a corresponding message for said destination server;
  
  (f) obtaining permission data for accessing said destination server from said validating center using said client-authenticating information and a secure authentication protocol; and
  
  (g) transmitting said permission data and said message to said destination server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising the additional steps of the network server, in response to said request from said client, transmitting to said client a network server key associated with a public-private key pair and a known cryptographic algorithm, receiving back from said client a session key encrypted using said cryptographic algorithm and said network server key, and sending the client information encrypted using the known algorithm and said session key to authenticate the network server to said client.
  - 3. The method of claim 1, wherein said network establishes a secure connection using the Secure Sockets Layer (SSL) protocol.
  - 4. The method of claim 1, wherein the step of generating said credentials cache includes the steps of:
    - (a) sending a request for a permission indicator on behalf of said client computer to said validating center;
      
      (b) receiving said permission indicator from said validating center; and
      
      (c) storing said permission indicator in said credentials cache.
  - 5. The method of claim 4, wherein the step of receiving said permission indicator is performed using a DES symmetric secret-key based authentication protocol.
  - 6. The method of claim 1, wherein the step of generating said credentials cache uses client-authenticating information obtained using a Kerberos protocol.
  - 7. The method of claim 4, wherein the step of generating the credentials cache further includes the steps of:
    - (a) receiving a security session key encrypted using a known algorithm with a user key;
      
      (b) generating the user key from said client-identifying information; and
      
      (c) decrypting said security session key at said network server using said known algorithm to obtain said security session key and said permission indicator.
  - 8. The method of claim 7, wherein the step of generating the user key from said client-identifying information further is performed by a one-way hash algorithm applied to a client password.
  - 9. The method of claim 7, wherein the step of transmitting said credentials cache to said client computer further includes the steps of:
    - encoding said credentials cache, wherein said credentials cache includes said security session key and said permission indicator.
  - 10. The method of claim 9, wherein the step of encoding said credentials cache is performed by ASCII encoding.
  - 11. The method of claim 10, wherein the step of encoding said credentials cache further includes the use of URL-encoding.
  - 12. The method of claim 11, wherein the step of obtaining permission data for accessing said destination server, further includes the steps of the network server:
    - (a) transmitting said permission indicator to said validating center; and
      
      (b) receiving an access indicator, if permission indicator is authenticated by validating center to be the same permission indicator as previously received from said validating center.
  - 13. The method of claim 1, further including the step of validating the authority of said client computer to access the destination server using said permission data.
  - 14. The method of claim 13, wherein the step of the destination server validating the authority of said client to access the destination server further includes the steps of:
    - (a) authenticating that the party transmitting the message to said destination server is the same party that was certified using the authentication protocol by the key distribution center to receive said access indicator; and
      
      (b) deciding on the basis of access control criteria whether said client is authorized to access the destination server.

15. A computer system comprising:
- (a) a first computer server issuing commands over a network connection;
  
  (b) a second computer server connected to said first server by a secure connection, said second server further having an authentication device generating an authentication request relating to said first server and generating a credentials cache containing client-authenticating information received in response to said authentication request, wherein said second server transmits said credentials cache to said first server and erases said client-authenticating information;
  
  (c) a third computer server responsive to said second server over said network and capable of receiving said authentication request, responding to said request to authenticate the identity of said first computer server, and sending authentication indicator information regarding said first server back to said second server; and
  
  (d) a fourth computer server for operative connection to said network and capable of receiving and executing said commands if said second server transmits authentication indicator information to said fourth server authenticating said first server.

16. A computer system having improved security for a message sent over an insecure network from a client computer to a destination server via a network server, said system comprising:
- (a) means for establishing a secure network connection between said client computer and said network server;
  
  (b) means for obtaining at the network server client-authenticating information from a validating center in a secure manner and generating a credentials cache therefrom;
  
  (c) means for transmitting said credentials cache containing said client-authenticating information from said network server to said client computer and erasing said client-authenticating information from said network server;
  
  (d) means for transmitting said message and said client identifying information from said client computer to said network server; and
  
  (e) means for obtaining permission to access said destination server from said validating center over said insecure network using the secure authentication protocol.
- View Dependent Claims (17, 18, 19)
- - 17. The computer system of claim 16, further comprising means for validating at the destination server the authority of said client to access said destination server using said message andmeans for accessing said destination server with said message if the authority of the client is validated.
  - 18. The computer system of claim 16, wherein said means for establishing said secure network connection comprising SSL protocol.
  - 19. The computer system of claim 16, wherein said means for obtaining client-authenticating information comprises a Kerberos protocol.

20. A network computer server comprising:
- (a) a client network interface for receiving client-identifying information from a client computer over a secure network connection;
  
  (b) a permission-granting network interface for exchanging client-authenticating information and permission-granting data with a validating center through a network connection and means for generating a credentials cache therefrom;
  
  (c) means for transmitting said credentials cache containing said client-authenticating information received from said validating center to said client without retaining said client-authenticating information; and
  
  (d) a destination computer network interface for operative communication with a destination computer through which client-authenticating information received back from said client computer and permission-granting data received from said validating center is transmitted to said destination computer via a network connection.
- View Dependent Claims (21, 22, 23)
- - 21. A network computer server of claim 20, wherein the client network interface further includes:
    - (a) a web server for receiving a request for authentication from said client;
      
      (b) a network server key data base containing a key associated with a public-private key pair of a known cryptographic algorithm;
      
      (c) a decryptor for decrypting a client-generated session key generated by said client and encrypted using the public key of said key pair and said known cryptographic algorithm; and
      
      ,(d) an encryptor capable of encrypting an authenticating message using said session key and said cryptographic algorithm.
  - 22. A network computer server of claim 20, wherein the network connection through which the client-identifying information is received from said client is secured by using the Secure Sockets Layer (SSL) protocol.
  - 23. A network computer server of claim 20, wherein said permission-granting interface is made secure by using a Kerberos authentication protocol.

24. A method of enhancing the security of a message sent through a network server from a client computer to a destination server, comprising the steps, performed by the network server, of:
- (a) obtaining client-authenticating information from a validation center using client-identifying information and a secure authentication protocol;
  
  (b) transmitting to said client computer a credentials cache containing said client-authenticating information;
  
  (c) erasing said client-authenticating information;
  
  (d) receiving said credentials cache and a message for said destination server back from said client computer;
  
  (e) obtaining permission data for accessing said destination server from said validating center using said credentials cache and a secure authentication protocol; and
  
  ,(f) transmitting said permission data and said message to said destination server.

25. A computer server responsive to a client, validation center, and destination server over a network, the server comprising:
- means for obtaining client-authenticating information on behalf of the client from the validation center using client-identifying information and a secure authentication protocol;
  
  means for transmitting to said client a credentials cache containing said client-authenticating information;
  
  means for erasing said client-authenticating information from said network server;
  
  means for receiving said credentials cache and a message for said destination server back from said client; and
  
  means for obtaining permission data for accessing said destination server on behalf of said client from said validating center using said credentials cache and a secure authentication protocol.

26. A method of providing improved security of a network transaction, comprising the steps performed by a server of:
- (a) establishing a secure connection for receiving data from a client;
  
  (b) generating a credentials cache containing client-authenticating information from a source external to the server;
  
  (c) transmitting the credentials cache to the client; and
  
  (d) erasing the client-authenticating information from the server.
- View Dependent Claims (27)
- - 27. The method of claim 26, further comprising the steps of:
    - (e) receiving from the client the credentials cache;
      
      (f) using the client-authenticating information, obtaining permission data for accessing a destination server on behalf of the client; and
      
      ,(g) transmitting the permission data and a message to the destination server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hanger Solutions, LLC (IP Investments Group LLC)
Original Assignee
GTE Laboratories Incorporated (Lumen Technologies, Inc.)
Inventors
Shambroom, W. David
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/799,402
Time in Patent Office

881 Days
Field of Search

380/21, 380/25, 380/23, 340/825.34, 705/44
US Class Current

713/156
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 2211/007   Encryption, En-/decode, En-...

H04L 2463/062   applying encryption of the ...

H04L 63/0442   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3297   involving time stamps, e.g....

H04L 9/40   Network security protocols

Method for providing secure remote command execution over an insecure computer network

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing secure remote command execution over an insecure computer network

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links