Security between client and server in a computer network
Abstract
Improved security between a client and a server in a computer network is provided by allowing either endpoint (the client or the server) to initiate request messages. In this way, it is possible to configure the system so that the server always makes the opening move of negotiation, allowing the location of the server to remain hidden until a legal session is established. Dynamic relocation of the server further hides the location of the server from unauthorized users. Additionally, each message may be authenticated individually as it is received, with the endpoint making no response to an unauthentic message, thus preventing attacks on its security. Finally, negotiation of both the encryption method and the key used in the encryption process allows for the rapid reconfiguration of encryption to protect against unauthorized users who may have broken the code.
110 Claims

1. A method for a server to establish a network session with a client logged on to a network, including:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server; and
negotiating a session with the client if the client should have access to the server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A method for network communication between a client and a server during a negotiated session, including:
sending a first request message from the server to the client;
sending a first response message from the client to the server in response to said first request message;
sending a second request message from the client to the server;
sending a second response message from the server to the client in response to said second request message; and
dynamically relocating the server.
Dependent claims: 13, 14, 15, 16, 17.

sending a message from the server to the client indicating that the server has dynamically relocated and informing the client of the new location if it is reasonably possible that the client will send a message to it before it sends a message to the client.

14. The method of claim 12, wherein said dynamically relocating includes changing the server's port address.

15. The method of claim 12, wherein said dynamically relocating includes changing the server's IP address.

16. The method of claim 12, wherein negotiation of the session involves agreeing upon a set of session parameters, one of said session parameters being an encryption method and another of said session parameters being a key.

17. The method of claim 16, wherein the data contained in said first request message, said first response message, said second request message, and said second response message has been encrypted using said encryption method and said key and is decrypted using said encryption method and said key.

18. A method of network communication between a server and a client logged on to a network including:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the client and the server if the client should have access to the server;
sending a first request message from the server to the client during said session;
sending a first response message from the client to the server in response to said first request message during said session;
sending a second request message from the client to the server during said session; and
sending a second response message from the server to the client in response to said second request message during said session.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28.

29. A method for network communication between a server and a client logged on to a network including:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the server and the client if the client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
communicating between the server and client during said session by transmitting messages between the server and client, each message including said sequence number;
incrementing said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted;
checking whether said sequence number matches a predicted sequence number each time a message is received by the client or the server; and
ignoring a received message if the sequence number of said received message does not match said predicted sequence number.
Dependent claims: 30, 31, 32, 33, 34, 35, 36, 37, 38.

maintaining a local variable representing said predicted sequence number on both the client and the server;
incrementing said local variable on the server by said increment value or a value determined by said increment value algorithm each time the server receives a message from the client; and
incrementing said local variable on the client by said increment value or a value determined by said increment value algorithm each time the client receives a message from the server.

36. The method of claim 29, further including:
terminating the session if the sequence number of a received message does not match said predicted sequence number.

37. The method of claim 29, wherein said another of said session parameters agreed upon during said negotiation step is an encryption method and another of said session parameters agreed upon during said negotiation step is a key.

38. The method of claim 37, wherein said communicating includes:
encrypting said messages using said encryption method and said key;
sending the messages through the network; and
decrypting said data using said encryption method and said key.
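
The sequence-number mechanism of claims 29 through 38, as an added Python model that is not part of the patent: both endpoints agree on a starting number and an increment algorithm at negotiation, stamp and advance one shared counter per transmitted message, and either ignore (claim 29) or terminate on (claim 36) a mismatch. The endpoint names, the starting value 1000 and the affine increment algorithm are illustrative assumptions; the negotiated encryption of claims 37 and 38 is left out.

```python
# Added example, not text or code from the patent: a model of the negotiated
# sequence-number check of claims 29-38. Names, values and the affine
# increment algorithm are illustrative assumptions.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Advance = Callable[[int], int]   # "increment value algorithm": current -> next number

def fixed_increment(step: int) -> Advance:
    return lambda seq: seq + step   # plain increment value: next = current + step

def affine_increment(mult: int, add: int, modulus: int = 2**32) -> Advance:
    """Illustrative non-constant algorithm (an assumption, not one the patent
    names): the next number cannot be extended from one observed value alone."""
    return lambda seq: (seq * mult + add) % modulus

@dataclass
class Message:
    seq: int
    payload: bytes

@dataclass
class Endpoint:
    """One side of the session. Both sides track one shared counter: the sender
    advances it on transmit, the receiver on accept, so they stay in lockstep."""
    name: str
    seq: int                  # predicted number of the next message on the wire
    advance: Advance
    terminate_on_mismatch: bool = False   # claim 36 policy; default is claim 29's ignore
    alive: bool = True
    accepted: List[bytes] = field(default_factory=list)
    ignored: int = 0

    def send(self, payload: bytes) -> Message:
        msg = Message(self.seq, payload)
        self.seq = self.advance(self.seq)   # advanced each time a message is transmitted
        return msg

    def receive(self, msg: Message) -> Optional[bytes]:
        """Payload if the number matches the prediction, else None: nothing at
        all is sent back for a message the endpoint rejects."""
        if not self.alive or msg.seq != self.seq:
            self.ignored += 1
            if self.terminate_on_mismatch:
                self.alive = False
            return None
        self.seq = self.advance(self.seq)   # local predicted value moves on accept
        self.accepted.append(msg.payload)
        return msg.payload

def negotiate(seq0: int, advance: Advance, strict: bool = False) -> Tuple[Endpoint, Endpoint]:
    """Parameters agreed at negotiation: starting number and increment algorithm."""
    return Endpoint("server", seq0, advance, strict), Endpoint("client", seq0, advance, strict)

def exchange(server: Endpoint, client: Endpoint) -> bool:
    """Server-initiated request/response, then client-initiated pair (claim 39)."""
    ok = client.receive(server.send(b"srv-request")) is not None
    ok &= server.receive(client.send(b"cli-response")) is not None
    ok &= server.receive(client.send(b"cli-request")) is not None
    ok &= client.receive(server.send(b"srv-response")) is not None
    return ok

def replay_is_dropped(strict: bool = False) -> dict:
    """Constructed scenario: after two valid messages, the first is replayed
    verbatim to the server; its stale number is ignored (or ends the session)."""
    server, client = negotiate(1000, affine_increment(3, 11), strict)
    first = server.send(b"srv-request")
    client.receive(first)
    server.receive(client.send(b"cli-response"))
    replayed = Message(first.seq, first.payload)   # constructed stale copy
    return {"replay_accepted": server.receive(replayed) is not None,
            "server_alive": server.alive,
            "server_ignored": server.ignored,
            "in_lockstep": server.seq == client.seq}
```
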
39. A method for network communication between a server and a client logged on to a network, including:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the server and the client if the client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
communicating between the server and client during said session by transmitting messages between the server and client, wherein said communicating involves sending a request message from either the client to the server or the server to the client, and then sending a response message in the other direction in response to said request message, each message including said sequence number;
incrementing said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted;
checking whether said sequence number matches a predicted sequence number each time a message is received by the client or the server; and
ignoring a received message if the sequence number of said received message does not match said predicted sequence number.
Dependent claims: 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50.

maintaining a local variable representing said predicted sequence number on both the client and the server;
incrementing said local variable on the server by said increment value or a value determined by said increment value algorithm each time the server receives a message from the client; and
incrementing said local variable on the client by said increment value or a value determined by said increment value algorithm each time the client receives a message from the server.

48. The method of claim 39, further including:
terminating the session if the sequence number of a received message does not match said predicted sequence number.

49. The method of claim 39, wherein said another of said session parameters agreed upon during said negotiation step is an encryption method and another of said session parameters agreed upon during said negotiation step is a key.

50. The method of claim 39, wherein said communicating includes:
encrypting said messages using said encryption method and said key;
sending the messages through the network; and
decrypting said data using said encryption method and said key.

51. A server for use in a computer network, including:
an access determiner which determines if a client logged on to the network should have access to the server;
a session initiator, which sends a message to said client to initiate session negotiation if said client should have access to the server; and
a negotiator, which negotiates a session between the server and said client if said client should have access to the server.
Dependent claims: 52, 53, 54, 55, 56, 57, 58.

59. A computer network including:
a server designed to send a first request message to a client;
a client designed to send a first response message to said server in response to said first request message;
said client further designed to send a second request message to said server;
said server further designed to send a second response message to said client in response to said second request message; and
said server further designed to dynamically relocate itself.
Dependent claims: 60.

61. A computer network including:
a server having an access determiner which determines if a client logged on to the network should have access to the server;
said server further having a session initiator, which sends a message to said client to initiate session negotiation if said client should have access to the server; and
said server further having a negotiator, which negotiates a session between the server and said client if said client should have access to the server, said server designed to send a first request message to a client during said session;
said client designed to send a first response message to said server in response to said first request message during said session;
said client further designed to send a second request message to said server during said session; and
said server further designed to send a second response message to said client in response to said second request message during said session.
Dependent claims: 62, 63, 64, 65, 66, 67, 68, 69.

70. An apparatus for allowing a server to establish a network session with a client logged on to a network, comprising:
means for receiving a packet from an authentication server indicating that the client should have access to the server;
means for sending a message to the client to initiate session negotiation if the client should have access to the server; and
means for negotiating a session with the client if the client should have access to the server.
Dependent claims: 71, 72, 73, 74, 75, 76, 77, 78, 79, 80.

81. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for a server to establish a network session with a client logged on to a network, the method comprising:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server; and
negotiating a session with the client if the client should have access to the server.

82. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for network communication between a client and a server during a negotiated session, the method comprising:
sending a first request message from the server to the client;
sending a first response message from the client to the server in response to said first request message;
sending a second request message from the client to the server;
sending a second response message from the server to the client in response to said second request message; and
dynamically relocating the server.

83. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for network communication between a server and a client logged on to a network, the method comprising:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the client and the server if the client should have access to the server;
sending a first request message from the server to the client during said session;
sending a first response message from the client to the server in response to said first request message during said session;
sending a second request message from the client to the server during said session; and
sending a second response message from the server to the client in response to said second request message during said session.

84. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for network communication between a server and a client logged on to a network, the method comprising:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the server and the client if the client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
communicating between the server and client during said session by transmitting messages between the server and client, each message including said sequence number;
incrementing said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted;
checking whether said sequence number matches a predicted sequence number each time a message is received by the client or the server; and
ignoring a received message if the sequence number of said received message does not match said predicted sequence number.

85. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for network communication between a server and a client logged on to a network, the method comprising:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the server and the client if the client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
communicating between the server and client during said session by transmitting messages between the server and client, wherein said communicating involves sending a request message from either the client to the server or the server to the client, and then sending a response message in the other direction in response to said request message, each message including said sequence number;
incrementing said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted;
checking whether said sequence number matches a predicted sequence number each time a message is received by the client or the server; and
ignoring a received message if the sequence number of said received message does not match said predicted sequence number.

86. A server for use in a computer network, including:
an authentication packet receiver, which receives a packet from an authentication server indicating that a client should have access to the server;
a session initiator, which sends a message to said client to initiate session negotiation if said client should have access to the server;
a negotiator, which negotiates a session between the server and said client if said client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
a transmitter, which communicates between the server and client by transmitting messages between the server and client, wherein said communicating involves sending a request message from the server to the client and awaiting a response message, or receiving a request message from said client and sending a response message to the client, each message including a sequence number, and wherein a received message is ignored if the sequence number of said received message does not match said predicted sequence number;
a sequence number incrementer, which increments said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted; and
a sequence number checker, which checks whether said sequence number matches a predicted sequence number each time a message is received by the server.
Dependent claims: 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97.

maintaining a local variable on the server representing said predicted sequence number; and
incrementing said local variable on the server by said increment value or a value determined by said increment value algorithm each time the server receives a message from the client.

95. The server of claim 86, further including a session terminator, which terminates the session if the sequence number of a received message does not match said predicted sequence number.

96. The server of claim 86, wherein another of said session parameters agreed upon during negotiation is an encryption method and another of said session parameters agreed upon during said negotiation is a key.

97. The server of claim 86, wherein said transmitter encrypts said messages using said encryption method and said key and sends the messages through the network.

98. An apparatus for network communication between a server and a client logged on to a network, including:
means for receiving a packet from an authentication server indicating that the client should have access to the server;
means for sending a message to the client to initiate session negotiation if the client should have access to the server;
means for negotiating a session between the server and the client if the client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
means for communicating between the server and client during said session by transmitting messages between the server and client, wherein said communicating involves sending a request message from the server to the client and awaiting a response message, or receiving a request message from said client and sending a response message to said client, each message including said sequence number and wherein a received message is ignored if the sequence number of said received message does not match said predicted sequence number;
means for incrementing said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted; and
means for checking whether said sequence number matches a predicted sequence number each time a message is received by the server.
Dependent claims: 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109.

maintaining a local variable representing said predicted sequence number on both the client and the server;
incrementing said local variable on the server by said increment value or a value determined by said increment value algorithm each time the server receives a message from the client; and
incrementing said local variable on the client by said increment value or a value determined by said increment value algorithm each time the client receives a message from the server.

107. The apparatus of claim 98, further including means for terminating the session if the sequence number of a received message does not match said predicted sequence number.

108. The apparatus of claim 98, wherein said another of said session parameters agreed upon during said negotiation is an encryption method and another of said session parameters agreed upon during said negotiation is a key.

109. The apparatus of claim 98, wherein said means for communicating includes:
means for encrypting said messages using said encryption method and said key; and
means for sending the messages through the network.

110. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for network communication between a server and a client logged on to a network, the method including:
receiving a packet from an authentication server indicating that the client should have access to the server;
sending a message to the client to initiate session negotiation if the client should have access to the server;
negotiating a session between the server and the client if the client should have access to the server, said negotiating comprising agreeing upon a set of session parameters, one of said session parameters being a sequence number and another of said session parameters being an increment value or increment value algorithm;
communicating between the server and client during said session by transmitting messages between the server and client, wherein said communicating involves sending a request message from the server to the client and awaiting a response message, or receiving a request message from said client and sending a response message to said client, each message including said sequence number;
incrementing said sequence number by said increment value or a value determined by said increment value algorithm each time a message is transmitted;
checking whether said sequence number matches a predicted sequence number each time a message is received by the server; and
ignoring a received message if the sequence number of said received message does not match said predicted sequence number.