Piggy-backed key exchange protocol for providing secure, low-overhead browser connections to a server with which a client shares a message encoding scheme

US 6,751,731 B1
Filed: 10/12/1999
Issued: 06/15/2004
Est. Priority Date: 10/12/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a computing environment having a connection to a network, a computer program product embodied on one or more computer readable media, for establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said computer program product comprising:

computer-readable program code means for sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a parameter portion of said first security data comprises zero or more parameters to be used by said server application when creating a content response and a client nonce portion of said first security data comprises a client nonce provided by said client application, said parameter portion encrypted with said client nonce and said client nonce portion encrypted with a key such that only said server application can decrypt said client nonce portion, according to said common message encoding scheme; and

computer-readable program code means for sending said content response, from said server application to said client application responsive to receiving said content request, wherein;

(1) at least a portion of content included in said content response is encrypted; and

(2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said sever application in establishing said secure connection.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product for establishing security parameters that are used to exchange data on a secure connection. A piggy-backed key exchange protocol is defined, with which these security parameters are advantageously exchanged. By piggy-backing the key exchange onto other already-required messages (such as a client'"'"'s HTTP GET request, or the server'"'"'s response thereto), the overhead associated with setting up a secure browser-to-server connection is minimized. This technique is defined for a number of different scenarios, where the client and server may or may not share an encoding scheme, and is designed to maintain the integrity of application layer communication protocols. In one scenario, a client and server share a common message encoding scheme.

Citations

67 Claims

1. In a computing environment having a connection to a network, a computer program product embodied on one or more computer readable media, for establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said computer program product comprising:
- computer-readable program code means for sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a parameter portion of said first security data comprises zero or more parameters to be used by said server application when creating a content response and a client nonce portion of said first security data comprises a client nonce provided by said client application, said parameter portion encrypted with said client nonce and said client nonce portion encrypted with a key such that only said server application can decrypt said client nonce portion, according to said common message encoding scheme; and
  
  computer-readable program code means for sending said content response, from said server application to said client application responsive to receiving said content request, wherein;
  
  (1) at least a portion of content included in said content response is encrypted; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said sever application in establishing said secure connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer program product according to claim 1, wherein said first existing message type is a HyperText Transfer Protocol (HTTP) GET message and wherein said second existing message type is a response to said HTTP GET message.
  - 3. The computer program product according to claim 1, wherein said first existing message type is a HyperText Transfer Protocol (HTTP) POST message and wherein said second existing message type is a response to said HTTP POST message.
  - 4. The computer program product according to claim 1, wherein said first existing message type is a Wireless Session Protocol (WSP) GET message and wherein said second existing message type is a response to said WSP GET message.
  - 5. The computer program product according to claim 1, wherein said first existing message type is a Wireless Session Protocol (WSP) POST message and wherein said second existing message type is a response to said WSP POST message.
  - 6. The computer program product according to claim 1, wherein:
7. The computer program product according to claim 1, wherein said encrypted portion is encrypted using a session key created from said client nonce and a server nonce that is included in said second security data.
8. The computer program product according to claim 1, wherein said encrypted portion is encrypted using a public key of said client application.
9. The computer program product according to claim 1, wherein said key used to encrypt said client nonce portion is a public key of said server application.
10. The computer program product according to claim 1, wherein said parameter portion further comprises an identification of said client application and an optional timestamp.
11. The computer program product according to claim 1, wherein said client nonce portion further comprises an identification of said client application, an identification of said server application, and an optional timestamp.
12. The computer program product according to claim 11, wherein a client authentication portion of said first security data comprises said client nonce, said identification of said client application, said identification of said server application, and said timestamp if said client nonce portion specified said timestamp, said client authentication portion encrypted with a private key of said client application such that said server application can authenticate said client authentication as having created said content request by using a public key of said client application that corresponds to said private key.
13. The computer program product according to claim 1, wherein said encrypted portion is encrypted using a session key and wherein said second security data enables said client application to recreate said session key.
14. The computer program product according to claim 1, wherein said encrypted portion is encrypted using a session key created using said client nonce and a server nonce contained in said second security data, and wherein said client application can recreate said session key using said server nonce and said client nonce and can thereby decrypt said encrypted portion.
15. The computer program product according to claim 14, wherein said second security data further comprises an identification of said server application.
16. The computer program product according to claim 7, wherein said client application can decrypt said encrypted portion using said client nonce and said server nonce.
17. The computer program product according to claim 1, wherein said key used to encrypt said client nonce portion is a public key of said server application and said parameter portion contains at least one parameter, and further comprising:
- computer-readable program code means for decrypting said client nonce portion, responsive to receiving said content request, using a private key of said server application that corresponds to said public key;
  
  computer-readable program code means for using said client nonce from said decrypted client nonce portion to decrypt said parameter portion; and
  
  computer-readable program code means for using said at least one parameter from said decrypted parameter portion when creating said content.
18. The computer program product according to claim 17, further comprising:
- computer-readable program code means for using said client nonce, along with a server nonce, to create a session key; and
  
  computer-readable program code means for using said session key when encrypting said encrypted portion.

19. In a computing environment having a connection to a network, a computer program product embodied on one or more computer readable media, for establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said computer program product comprising:
- computer-readable program code means for a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein said first security data comprises zero or more parameters to be used by said server application when creating a content response, said first security data encrypted with a shared key previously established between said client application and said server application according to said common message encoding scheme, such that said server application can decrypt said first security data; and
  
  computer-readable program code means for sending said content response, from said server application to said client application responsive to receiving said content request wherein;
  
  (1) at least a portion of content included in said content response is encrypted; and
  
  (2) said content response uses a second existing message type onto which is piggy-blocked second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The computer program product according to claim 19, wherein:
21. The computer program product according to claim 20, wherein said first security data further comprises an identification of said client application and optionally a timestamp.
22. The computer program product according to claim 20, wherein said server nonce is encrypted using said previously-established shared key.
23. The computer program product according to claim 20, wherein said server nonce is encrypted using a public key of said client application, such that said client application can decrypt said server nonce using a private key of said client application that corresponds to said public key.
24. The computer program product according to claim 19, wherein said first security data further comprises a client nonce provided by said client application and further comprising:
- computer-readable program code means for decrypting said first security data, responsive to receiving said content request, using said previously-established shared key;
  
  computer-readable program code means for using said client nonce from said decrypted first security data, along with a server none, to create a new shared key; and
  
  computer-readable program code means for using said new shared key when encrypting said encrypted portion.
25. The computer program product according to claim 24, wherein at least one parameter is contained in said first security data and further comprising computer-readable program code means for using said at least one parameter from said decrypted first security data when creating said content.
26. The computer program product according to claim 20, further comprising:
- computer-readable program code means for decrypting said second security data, responsive to receiving said content response, using said previous-established shared key;
  
  computer-readable program code means for using said server nonce from said decrypted second security data, along with said client nonce, to recreate said new session key, and computer-readable program code means for using said recreated new session key when decrypting said encrypted portion.

27. A system for establishing a secure connection between a client application and a server application using using existing message types in a computing environment having a connection to a network, wherein said client application and said server application have a common message encoding scheme, said system comprising:
- means for sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein said first security data comprises zero or more parameters to be used by said server application when creating a content response, said first security data encrypted with a shared key previously established between said client application and said server application according to said common message encoding scheme, such that said server application can decrypt said first security data; and
  
  means for sending said content response, from said server application to said client application responsive to receiving said content request, wherein;
  
  (1) at least a portion of content included in said content response is encrypted; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The system according to claim 27, wherein said first existing message type is a HyperText Transfer Protocol (HTTP) GET message and wherein said second existing message type is a response to said HTTP GET message.
  - 29. The system according to claim 27, wherein said first existing message type is a HyperText Transfer Protocol (HTTP) POST message and wherein said second existing message type is a response to said HTTP POST message.
  - 30. The system according to claim 27, wherein said first existing message type is a Wireless Session Protocol (WSP) GET message and wherein said second existing message type is a response to said WSP GET message.
  - 31. The system according to claim 27, wherein said first existing message type is a Wireless Session Protocol (WSP) POST message and wherein said second existing message type is a response to said WSP POST message.
  - 32. The system according to claim 27, wherein:
33. The method according to claim 32, wherein said first security data further comprises an identification of said client application and optionally a timestamp.

34. A system for establishing a secure connection between a client application and a server application using existing message types in a computing environment having a connection to a network, wherein said client application and said server application have a common message encoding scheme, said system comprising:
- means for sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by server application establishing said secure connection, wherein a parameter portion of said first security data comprises zero or more parameters to be used by said server application when creating a content response and a client nonce portion of said first security data comprises a client nonce provided by said client application, said parameter portion encrypted with said client nonce and said client nonce portion encryption with a key such that only said server application can decrypt said client nonce portion, according to said common message encoding schemes; and
  
  means for sending said content response, from said server application to said client application responsive to receiving said content request, wherein;
  
  (1) at least a portion of content included in said content response is encrypted; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in established, said cure connection.
- View Dependent Claims (35, 36, 37)
- - 35. The system according to claim 34, wherein:
36. The system according to claim 34, wherein said encrypted portion is encrypted using a session key created from said client nonce and a server nonce that is included in said second security data.
37. The system according to claim 34, wherein said encrypted portion is encrypted a public key of said client application.

38. A method for establishing a secure connection between a client application and a server application using existing message types in a computing environment having a connection to a network, wherein said client application and said server application have a common message encoding scheme, said method comprising the steps of:
- sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a parameter portion of said first security data comprises zero or more parameters to be used by said server application when creating a content response and a client nonce portion of said first security data comprises a client nonce provided by said client application, said parameter portion encrypted with said client nonce and said client nonce portion encrypted with a key such that only said server application can decrypt said client nonce portion, according to said common message encoding scheme; and
  
  sending said content response, from said server application to said client application responsive to receiving said content request, wherein;
  
  (1) at least a portion of content included in said content response is encrypted; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 39. The method according to claim 38, wherein said first existing message type is a HyperText Transfer Protocol (HTTP) GET message and wherein said second existing message type is a response to said HTTP GET message.
  - 40. The method according to claim 38, wherein said first existing message type is a HyperText Transfer Protocol (HTTP) POST message and wherein said second existing message type is a response to said HTTP POST message.
  - 41. The method according to claim 38, wherein:
42. The method according to claim 38, wherein said encrypted portion is encrypted using a session key created from said client nonce and a server nonce that is included in said second security data.
43. The method according to claim 38, wherein said encrypted portion is encrypted using a public key of said client application.
44. The method according to claim 38, wherein said key used to encrypt said client nonce portion is a public key of said server application.
45. The method according to claim 38, wherein said parameter portion further comprises an identification of said client application and an optional timestamp.
46. The method according to claim 38, wherein said client nonce portion further comprises an identification of said client application, an identification of said server application, and an optional timestamp.
47. The method according to claim 46, wherein a client authentication portion of said first security data comprises said client nonce, said identification of said client application, said identification of said server application, and said timestamp if said client nonce portion specified said timestamp, said client authentication portion encrypted with a private key of said client application such that said server application can authenticate said client authentication as having created said content request by using a public key of said client application that corresponds to said private key.
48. The method according to claim 38, wherein said encrypted portion is encrypted using a session key and wherein said second security data enables said client application to recreate said session key.
49. The method according to claim 38, whey said encrypted portion is encrypted using a session key created using said client nonce and a server nonce contained in said second security data, and wherein said client application can recreate said session key using said server nonce and said client nonce and can thereby decrypt said encrypt portion.
50. The method according to claim 49, wherein said second security data further comprises an identification of said server application.
51. The method according to claim 42, wherein said client application can decrypt said encrypted portion using said client nonce and said server nonce.
52. The method according to claim 38, wherein said key used to encrypt said client nonce portion is a public key of said server application and said parameter portion contains at least one parameter, and further comprising the steps of:
- decrypting said client nonce portion, responsive to receiving said content request, using a private key of said server application that corresponds to said public key;
  
  using said client nonce from said decrypted client nonce portion to decrypt said parameter portion; and
  
  using said at least one parameter from said decrypted parameter portion when creating said content.
53. The method according to claim 52, comprising the steps of:
- using said client nonce, along with a server nonce, to create a session key; and
  
  using said session key when encrypting said encrypted portion.

54. A method for establishing a secure connection between a client application and a server application using existing message types in a computing environment having a connection to a network, wherein said client application and said server application have a common message encoding scheme, said method comprising the steps of:
- sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein said first security data comprises zero or more parameters to be used by said server application when creating a content response, said first security data encrypted with a shared key previously established between said client application and said server application according to said common message encoding scheme, such that said server application can decrypt said first security data; and
  
  sending said content response, from said server application to said client application responsive to receiving said content request, wherein;
  
  (1) at least a portion of content included in said content response is encrypted; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 55. The method according to claim 54, wherein:
56. The method according to claim 55, wherein said fast security data further comprises an identification of said client application and optionally a timestamp.
57. The method according to claim 54, wherein said first existing message type is a Wireless Session Protocol (WSP) GET message and wherein said second existing message type is a response to said WSP GET message.
58. The method according to claim 54, wherein said first existing message type is a Wireless Session Protocol (WSP) POST message and wherein said second existing message type is a response to said WSP POST message.
59. The method according to claim 55, wherein said server nonce is encrypted using said previously-established shared key.
60. The method according to claim 55, wherein said server nonce is encrypted using a public key of said client application, such that said client application can decrypt said server nonce using a private key of said client application that corresponds to said public key.
61. The method according to claim 54, wherein said first security data further comprises a client nonce provided by said client application and further comprising the steps of:
- decrypting said first security data, responsive to receiving said content request, using said previously-established shared key;
  
  using said client nonce from said decrypted first security data, along with a server nonce, to create a new shared keys; and
  
  using said new shared key when encrypting said encrypted portion.
62. The method according to claim 61, wherein at least one parameter is contained in said first security data and further comprising the step of using said at least one parameter from said decrypted first security data when creating said content.
63. The method according to claim 55, further comprising the steps of:
- decrypting said second security data, responsive to receiving said content response, using said previously-established shared key;
  
  using said server nonce from said decrypted second security data, along with said client nonce, to recreate said new session key; and
  
  using said recreated new session key when decrypting said encrypted portion.

64. In a computing environment having a connection to a network, a computer program product embodied on one or more computer readable media, for establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said computer program product comprising:
- computer-readable program code means for sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a client nonce portion of said first security data comprises a client nonce provided by said client application, said client nonce portion encrypted with a public key of said server application such that only said server application can decrypt said client nonce portion, according to said common message encoding scheme;
  
  computer-readable program code means for decrypting said client nonce portion, responsive to receiving said content request, using a private key of said server application that corresponds to said public key;
  
  computer-readable program code means for using said client nonce from said decrypted client nonce portion, along with a server nonce, to create a session key; and
  
  computer-readable program code means for sending a content response, from said sever application to said client application, wherein;
  
  (1) at least a portion of content included in said content response is encrypted using said session key; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection.

65. In a computing environment having a connection to a network, a computer program product embodied on one or more computer readable media, for establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said computer program product comprising:
- computer-readable program code means for sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a client nonce portion of said first security data comprises a client nonce provided by said client application, said client nonce portion encrypted with a public key of said server application such that only said server application can decrypt said client nonce portion, according to said common message encoding scheme;
  
  computer-readable program code means for sending a content response, from said server application to said client application, wherein;
  
  (1) at least a portion of content included in said content response in encrypted using a session key; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in established said secure connection, wherein said session key is created using said client nonce and a server nonce contained in said second security data;
  
  computer-readable program code means for using said server nonce, responsive to receiving said content response, along with said client nonce, to recreate said session key; and
  
  computer-readable program code means for using said recreated session key when decrypting said encrypted portion, according to said common message encoding scheme.

66. A method of establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said method comprising steps of:
- sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a client nonce portion of said first security data comprises a client nonce provided by said client application, said client nonce portion encrypted with a public key of said server application such that only said server application can decrypt said client nonce portion, according to said common message encoding scheme;
  
  decrypting said client nonce portion, responsive to receiving said content request, using a private key of said server application that corresponds to said public key;
  
  using said client nonce from said decrypted client nonce portion, along with a server nonce, to create a session key; and
  
  sending a content response, from said server application to said client application, wherein;
  
  (1) at least a portion of content included in said content response is encrypted using said session key; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection.

67. A method of establishing a secure connection between a client application and a server application using existing message types, wherein said client application and said server application have a common message encoding scheme, said method comprising steps of:
- sending a content request from said client application to said server application, wherein said content request uses a first existing message type onto which is piggy-backed first security data, such that said client application provides said server application with said first security data for use by said server application in establishing said secure connection, wherein a client nonce portion of said first security data comprises a client nonce provided by said client application, said client nonce portion encrypted with a public key of said server application such that only said saver application can decrypt said client nonce portion, according to said common message encoding scheme;
  
  sending a content response, from said server application to said client application, wherein;
  
  (1) at least a portion of content included in said content response is encrypted using a session key; and
  
  (2) said content response uses a second existing message type onto which is piggy-backed second security data, such that said server application provides said client application with said second security data for use by said client application in establishing said secure connection, wherein said session key is created using said client nonce and a server nonce contained in said second security data;
  
  using said server nonce, responsive to receiving said content response, along with said client nonce, to recreate said session key; and
  
  using said recreated session key when decrypting said encrypted portion, according to said common message encoding scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Singhal, Sandeep K., Steiner, Michael, Binding, Carl, Hild, Stefan Georg, Shoup, Victor John, Huang, Yen-Min, OʼConnor, Luke James
Primary Examiner(s)
Peeso, Thomas R.
Assistant Examiner(s)
Zand, Kambiz

Application Number

US09/416,332
Time in Patent Office

1,708 Days
Field of Search

713/160, 713/168, 713/171, 713/201, 709/203
US Class Current

713/171
CPC Class Codes

H04L 63/0869 for achieving mutual authen...

H04L 63/12 Applying verification of th...

Piggy-backed key exchange protocol for providing secure, low-overhead browser connections to a server with which a client shares a message encoding scheme

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

67 Claims

Specification

Solutions

Use Cases

Quick Links

Piggy-backed key exchange protocol for providing secure, low-overhead browser connections to a server with which a client shares a message encoding scheme

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

67 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links