System for providing secure remote command execution network
First Claim
Patent Images
1. A system having a key distribution center and having improved security for a message sent over an insecure network from a client computer to a destination server via a network server, the system comprising:
- a security protocol interface configured to establish communication over the insecure network with a first type of security between the client computer and the network server;
an authentication protocol interface configured to obtain first client-authenticating information from the key distribution center and to provide the first client-authenticating information obtained to the network server to establish communication over the insecure network with a second type of security;
the network server configured to transmit the first client-authenticating information to the client computer;
the client computer configured to transmit the message and the first client-authenticating information to the network server; and
the network server configured to obtain permission from the key distribution center to access the destination server over the insecure network using second client-authenticating information.
8 Assignments
0 Petitions
Accused Products
Abstract
A method and apparatus is disclosed for enhancing the security of a message sent through a network server from a client computer to a destination server. A secure connection for receiving and transmitting data is established between the client computer and the network server. Using client-identifying information and a secure authentication protocol, the network server may then obtain client-authentication information from a validation center. The client-authentication information is transmitted to the client and erased from the network server. The network server then receives the client-authenticating information back from the client with an accompanying message for the destination server. The network server may use the client-authenticating information to obtain permission data from the validation center for use in accessing the destination server.
225 Citations
13 Claims
-
1. A system having a key distribution center and having improved security for a message sent over an insecure network from a client computer to a destination server via a network server, the system comprising:
-
a security protocol interface configured to establish communication over the insecure network with a first type of security between the client computer and the network server;
an authentication protocol interface configured to obtain first client-authenticating information from the key distribution center and to provide the first client-authenticating information obtained to the network server to establish communication over the insecure network with a second type of security;
the network server configured to transmit the first client-authenticating information to the client computer;
the client computer configured to transmit the message and the first client-authenticating information to the network server; and
the network server configured to obtain permission from the key distribution center to access the destination server over the insecure network using second client-authenticating information. - View Dependent Claims (2, 3, 4, 5, 6, 7)
a validation program at the destination server configured to use the message and the second client-authenticating information to validate authorization of the client computer to access the destination server.
-
-
3. The system of claim 1, wherein the network server is configured to erase the first client-authenticating information from the network server after transmitting the first client-authenticating information to the client computer.
-
4. The system of claim 1, wherein the security protocol interface utilizes a secure sockets layer protocol.
-
5. The system of claim 1, wherein the second type of security is provided using a Kerberos protocol.
-
6. The system of claim 1, wherein the first client-authenticating information is stored in a credentials cache.
-
7. The system of claim 5, wherein the credentials cache is stored in non-volatile storage.
-
8. A network comprising a client computer, a key distribution center, and a destination computer capable of being operatively coupled to a network server of the network, the network comprising:
-
a client network interface of the network server configured to receive client-identifying information from the client computer;
a security protocol network interface of the network server configured to provide at least a portion of the client-identifying information to the key distribution center and to receive first client-authenticating information from the key distribution center;
a pass-through interface of the network server configured to transmit at least a portion of the client-identifying information and a portion of first client-authenticating information to the client computer via the client networking interface, the pass-through interface configured to receive the at least a portion of the client-identifying information and the portion of the first-client-authenticating information in order to obtain second client-authenticating information from the key distribution center; and
a destination computer network interface of the network server configured to communicate with the destination computer using at least a portion of the second client-authenticating information. - View Dependent Claims (9, 10, 11, 12, 13)
a web server configured to receive the client-identifying information from the client computer;
a network server key data base, the network server key data base having a key, the key associated with a public-private key pair of a cryptographic algorithm;
a decryptor, the decryptor configured to decipher a session key generated and enciphered by the client computer using a public key of the public-private key pair of the cryptographic algorithm; and
an encryptor configured to encipher an authenticating message using the session key and the cryptographic algorithm.
-
-
12. The network of claim 8, wherein the client network interface uses at least in part a secure sockets layer protocol.
-
13. The network of claim 8, wherein the security protocol network interface uses at least a part of a Kerberos authentication protocol.
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeHanger Solutions, LLC (IP Investments Group LLC)
-
Original AssigneeVerizon Laboratories Incorporated (Verizon Communications Inc.)
-
InventorsShambroom, W. David
-
Primary Examiner(s)CANGIALOSI, SALVATORE A
-
Application NumberUS09/309,695Time in Patent Office665 DaysField of Search380/279, 713/168, 713/153, 713/156US Class Current380/279CPC Class CodesG06F 21/41 where a single sign-on prov...G06F 2211/007 Encryption, En-/decode, En-...H04L 2463/062 applying encryption of the ...H04L 63/0442 wherein the sending and rec...H04L 63/0807 using tickets, e.g. Kerbero...H04L 63/0823 using certificates cryptogr...H04L 63/101 Access control lists [ACL]H04L 9/0822 using key encryption keyH04L 9/0825 using asymmetric-key encryp...H04L 9/083 involving central third par...H04L 9/3213 using tickets or tokens, e....H04L 9/3297 involving time stamps, e.g....H04L 9/40 Network security protocols
