Verification of server authorization to provide network resources

US 6,304,969 B1
Filed: 03/16/1999
Issued: 10/16/2001
Est. Priority Date: 03/16/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of verifying that a server is authorized to provide resources to a client, comprising the steps of:

generating and encrypting a first message at the client, including selecting an encryption key from among a plurality of encryption keys encoded on an integrated circuit at the client, the first message including a random number and the selected encryption key;

transmitting the first message to the server;

receiving an encrypted second message from the server;

decrypting the second message at the client; and

determining, by client, whether the random number has been included in the second message, wherein the inclusion of the random number in the second message indicates that the server is authorized to provide resources to the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for verifying the authorization of a server to provide network resources to a client. At selected times, the client asserts an authorization interrupt, which will disable some or all non-essential functions of the client unless the server'"'"'s authorization is verified within an allotted period of time. The client creates a client message by generating a random number and combining it with a client identifier and a value that specifies the current time. The client message is encrypted and sent to the server. Only authorized servers can decrypt the client message and create an encrypted service message that includes the random number. The service message can also contain an authorization code specifying the services that the client may receive, and an expiration count indicating when the authorization procedure will be repeated. The client receives and decrypts the service message. If the random number in the service message is found to be the same as the random number in the client message, the server is authorized, and the client is enabled to exhibit a selected level of functionality. The client can be associated with a smart card or another intelligent peripheral that verifies the authorization of the server in behalf of the client.

150 Citations

40 Claims

1. A method of verifying that a server is authorized to provide resources to a client, comprising the steps of:
- generating and encrypting a first message at the client, including selecting an encryption key from among a plurality of encryption keys encoded on an integrated circuit at the client, the first message including a random number and the selected encryption key;
  
  transmitting the first message to the server;
  
  receiving an encrypted second message from the server;
  
  decrypting the second message at the client; and
  
  determining, by client, whether the random number has been included in the second message, wherein the inclusion of the random number in the second message indicates that the server is authorized to provide resources to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as defined in claim 1, further comprising the steps of:
3. A method as defined in claim 2, wherein the step of determining whether the random number has been included comprises the step of determining that the random number has been included in the second message, the method further comprising the step of activating selected functions of the client.
4. A method as defined in claim 2, wherein:
- the step of receiving the encrypted second message comprises the step of receiving the encrypted second message from an unauthorized server; and
  
  the step of determining whether the random number has been included comprises the step of determining that the random number has not been included in the second message.
5. A method as defined in claim 4, further comprising the step of disabling selected functions of the client.
6. A method as defined in claim 1, further comprising the step processing asynchronous input to the client to generate the random number.
7. A method as defined in claim 1, further comprising the step of asserting an authorization interrupt signal at the client prior to the step of generating and encrypting the first message, wherein the authorization interrupt disables at least some functions of the client after the expiration of an allotted period of time unless the server is first verified as being authorized to provide resources to the client.
8. A method as defined in claim 6, wherein the step of determining whether the random number is included comprises the step of determining that the random number is included in the second message, the method further comprising the step of identifying an expiration count encoded in the second message that specifies when a next authorization interrupt signal is to be asserted.
9. A method as defined in claim 6, wherein the step of determining whether the random number is included comprises the step of determining that the random number is included in the second message, the method further comprising the step of identifying an authorization code that specifies a level of functionality to be exhibited by the client.
10. A method as defined in claim 1, further comprising the steps of:
- generating and encrypting another message at the client, the other message including another random number;
  
  transmitting the other message to unauthorized server that does not possess a decryption key for decrypting the other message; and
  
  noting, at the client, that no message has been received from the unauthorized server within an allotted period of time, thereby indicating that the unauthorized server is not authorized to provide resources to the client.
11. A method as defined in claim 1, wherein the client includes an intelligent peripheral, and wherein the step of generating and encrypting a first message at the client is conducted by the intelligent peripheral.
12. A method as defined in claim 11, further comprising the step of communicating between the intelligent peripheral and a system enabler module of the client to indicate whether the server is authorized to provide resources to the client.

13. A method of verifying that a server is authorized to provide resources to a client, comprising:
- repeatedly conducting, at times specified by a timing mechanism at the client, the steps of;
  
  by the client, combining and encrypting a client identifier, a random number, and a time identifier to generate a first message;
  
  transmitting the first message from the client to the server;
  
  at the server, conducting the steps of;
  
  decrypting the first message;
  
  identifying an authorization code associated with the client identifier, the authorization code defining a level of functionality to be exhibited by the client;
  
  generating an expiration count based upon the time identifier, the expiration count defining a time when the client is to verify the authorization of the server; and
  
  combining and encrypting the authorization code, the expiration count, and the random number to generate a second message;
  
  transmitting the second message to the client;
  
  decrypting the second message at the client; and
  
  verifying, by the client, that the random number has been included in the second message, thereby indicating that the server is authorized to provide resources to the client.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. A method as defined in claim 13, further comprising the step processing asynchronous input to the client to generate the random number.
  - 15. A method as defined in claim 14, wherein the step of processing asynchronous input comprises the step of using a linear feedback shift register to generate the random number.
  - 16. A method as defined in claim 13, wherein the step of identifying an authorization code comprises the step of comparing the client identifier against a client authorization database specifying levels of functionality that can be exhibited by various clients.
  - 17. A method as defined in claim 13, further comprising the step of selecting, at the server, an expiration count for the client, the expiration count indicating a time when the timing mechanism at the client is to again initiate an authorization process, wherein the expiration count is included in the second message.
  - 18. A method as defined in claim 13, further comprising, after the step of verifying that the random number has been included in the second message, the step of activating selected functions of the client.
  - 19. A method as defined in claim 13, wherein the client includes an intelligent peripheral, and wherein the step of verifying that the random number has been included in the second message is conducted by the intelligent peripheral.

20. A computer program product for implementing, at a client system, a method of verifying that a server is authorized to provide resources to the client system, the computer program product comprising:
- a computer-readable medium having computer-executable instructions for implementing the method, wherein the computer-executable instructions comprise;
  
  program code means for generating and encrypting a first message identifying the client system and including a random number, the first message being encrypted using an encryption key selected from a plurality of encryption keys encoded on an integrated circuit at the client system;
  
  program code means for initiating transmission of the first message to the server, the first message including the encryption key;
  
  program code means for receiving an encrypted second message from the server;
  
  program code means for decrypting the second message; and
  
  program code means for determining whether the random number has been included in the second message, wherein inclusion of the random number in the second message indicates that the server is authorized to provide resources to the client system.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. A computer program product as defined in claim 20, wherein the computer-executable instructions further comprise program code means for detecting that the server has not transmitted a second message to the client system within an allotted period of time.
  - 22. A computer program product as defined in claim 20, wherein the computer-executable instructions further comprise program code means for selecting a decryption key from among a plurality of encryption keys encoded on an integrated circuit at the client system.
  - 23. A computer program product as defined in claim 20, wherein the program code means for generating and encrypting a first message comprise program code means for processing asynchronous input to the client system to generate the random number.
  - 24. A computer program product as defined in claim 20, wherein the computer-executable instructions further comprise program code means for disabling selected functions of the client when the random number has not been included in the second message.
  - 25. A computer program product as defined in claim 20, wherein the computer-executable instructions further comprise program code means for activating selected functions of the client when the random number has been included in the second message.

26. A computer program product for implementing, at a server, a method of verifying that the server is authorized to provide resources to a client, the computer program product comprising:
- a computer-readable medium having computer-executable instructions for implementing the method, wherein the computer-executable instructions comprise;
  
  program code means for receiving an encrypted first message from the client, the first message identifying the client and including a random number and an encryption key selected from a plurality of encryption keys encoded on an integrated circuit at the client;
  
  program code means for decrypting the first message;
  
  program code means for selecting an authorization code associated with the client, the authorization code defining a level of functionality to be exhibited by the client;
  
  program code means for generating and encrypting a second message including the random number and the authorization code; and
  
  program code means for initiating transmission of the second message to the client, wherein the random number, having been included in the second message, is to indicate to the client that the server is authorized to provide resources to the client.
- View Dependent Claims (27, 28)
- - 27. A computer program product as defined in claim 26, wherein the computer-executable instructions further comprise program code means for comparing a client identifier included in the first message against a client authorization database specifying levels of functionality that can be exhibited by various clients.
  - 28. A computer program product as defined in claim 26, wherein the computer-executable instructions further comprise program code means for selecting an expiration count for the client, the expiration count indicating a time when a timing mechanism at the client is to again initiate an authorization process, wherein the expiration count is included in the second message.

29. A method for periodically authorizing a client to exhibit a selected level of functionality, the method comprising the steps of:
- establishing communication between the client and the server; and
  
  repeatedly conducting, at selected times while communication is established between the client and the server, the steps of;
  
  causing the client to determine whether the server is authorized to provide resources to the client by verifying that a random number received in an encrypted message from the server is the same as the random number stored at the client, wherein the random number is initially sent from the client to the server and is encrypted using one of a plurality of encryption keys encoded on an integrated circuit at the client;
  
  if the client determines that the server is authorized to provide resources, then activating selected functions of the client; and
  
  if the client determines that the server is not authorized to provide resources, then disabling selected functions of the client.
- View Dependent Claims (30, 31, 32)
- - 30. A method as defined in claim 29, further comprising the step of repeatedly conducting, at the server, the step of determining a level of functionality to be exhibited by the client.
  - 31. A method as defined in claim 29, wherein the step of causing the client to determine whether the server is authorized to provide resources to the client comprises the step of determining, at the client, whether the server is capable of decrypting an encrypted message generated by the client.
  - 32. A method as defined in claim 29, further comprising, if the client determines that the server is authorized to provide resources, the steps of:

33. In a networked system including a client and a server interconnected one with another, wherein resources are provided from the server to the client based on an authorization level of the client, a method for verifying the authorization level, comprising the steps of:
- receiving at the server, a first message including a random number, an authorization code, and an encryption key selected from a plurality of encryption keys encoded on an integrated circuit at the client;
  
  transmitting an encrypted message from the server to the client, the encrypted message including the random number received from the client and the authorization code defining the authorization level of the client;
  
  decrypting the encrypted message using decryption instructions encoded in hardware at the client, the decryption instructions being inaccessible to software executed on the client; and
  
  upon matching the random number included in the encrypted message with the random number stored at the client, writing the authorization code to a register in the client after the step of decrypting the encrypted message.
- View Dependent Claims (34, 35, 36, 37)
- - 34. A method as defined in claim 33, further comprising the steps of:
35. A method as defined in claim 33, wherein the step of transmitting an encrypted message from the server to the client is conducted in response to an encrypted first message being transmitted from the client to the server.
36. A method as defined in claim 33, further comprising the steps of:
- including an expiration count in the encrypted message, the expiration count indicating a time when a timing mechanism at the client is to again initiate an authorization process; and
  
  writing the expiration count to another register in the client after the step of decrypting the encrypted message.
37. A method as defined in claim 33, wherein the hardware at the client is an integrated circuit.

38. A method of verifying that a server is authorized to provide resources to a client, comprising the steps of:
- asserting an authorization interrupt signal at the client, the-authorization interrupt disabling at least some functions of the client after the expiration of an allotted period of time unless the server is first verified as being authorized to provide resources to the client;
  
  generating and encrypting a first message at the client, the first message including a random number;
  
  transmitting the first message to the server;
  
  receiving an encrypted second message from the server;
  
  decrypting the second message at the client; and
  
  determining, by the client, whether the random number has been included in the second message, wherein the inclusion of the random number in the second message indicates that the server is authorized to provide resources to the client.

39. A method of verifying that a server is authorized to provide resources to a client, comprising the steps of:
- asserting an authorization interrupt signal at the client, the authorization interrupt disabling at least some functions of the client after the expiration of an allotted period of time unless the server is first verified as being authorized to provide resources to the client;
  
  generating and encrypting a first message at the client, the first message identifying the client and including a random number and an encryption key encoded on an integrated circuit at the client;
  
  transmitting the first message to the server;
  
  receiving an encrypted second message from the server;
  
  decrypting the second message at the client; and
  
  determining, by the client, whether the random number has been included in the second message, wherein the inclusion of the random number in the second message indicates that the server is authorized to provide resources to the client.

40. A method of verifying that a server is authorized to provide resources to a client, comprising:
- repeatedly conducting, at times specified by a timing mechanism at the client, the steps of;
  
  by the client, combining and encrypting a client identifier, a random number, and a time identifier to generate a first message;
  
  encrypting the first message using an encryption key selected from a plurality of encryption keys encoded on an integrated circuit at the client, the encryption key being included in the first message;
  
  transmitting the first message from the client to the server;
  
  at the server, conducting the steps of;
  
  decrypting the first message;
  
  identifying an authorization code associated with the client identifier, the authorization code defining a level of functionality to be exhibited by the client; and
  
  combining and encrypting the authorization code and the random number to generate a second message;
  
  transmitting the second message to the client;
  
  decrypting the second message at the client; and
  
  verifying, by the client, that the random number has been included in the second message, thereby indicating that the server is authorized to provide resources to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
WebTV Networks Inc. (Microsoft Corporation)
Inventors
Farrand, Toby E., Wasserman, Steven C., Gray, Donald M. III
Primary Examiner(s)
Barron, Jr., Gilberto

Application Number

US09/270,362
Time in Patent Office

945 Days
Field of Search

713/169, 713/155, 713/172, 709/229, 380/211
US Class Current

713/172
CPC Class Codes

H04L 63/0478   applying multiple layers of...

H04L 63/0869   for achieving mutual authen...

H04L 67/01   Protocols

Verification of server authorization to provide network resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

Verification of server authorization to provide network resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others