Piggy-backed key exchange protocol for providing secure low-overhead browser connections from a client to a server using a trusted third party

US 6,775,772 B1
Filed: 10/12/1999
Issued: 08/10/2004
Est. Priority Date: 10/12/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product embodied on one or more computer-readable media, for establishing a secure connection between a client application and a server application using pre-existing message types, said computer program product comprising:

computer-readable program code means for piggy-backing a first portion of security information onto a first message sent from said client application to said server application, wherein said first message uses a first pre-existing message type and wherein said first portion is to be used by said server application in establishing said secure connection;

computer-readable program code means for forwarding said first portion from said server application to a trusted third party (TTP);

computer-readable program code means for decrypting said first portion at said TTP;

computer-readable program code means for returning a version of said decrypted first portion from said TTP to said server application; and

computer-readable program code means for piggy-backing a second portion of security information onto a second message sent from said server application to said client application, wherein said second message responds to said first message and uses a second pre-existing message type and wherein said second portion is to be used by said client application in establishing said secure connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product for establishing security parameters that are used to exchange data on a secure connection. A piggy-backed key exchange protocol is defined, with which these security parameters are advantageously exchanged. By piggy-backing the key exchange onto other already-required messages (such as a client'"'"'s HTTP GET request, or the server'"'"'s response thereto), the overhead associated with setting up a secure browser-to-server connection is minimized. This technique is defined for a number of different scenarios, where the client and server may or may not share an encoding scheme, and is designed to maintain the integrity of application layer communication protocols. In one scenario, a client and a server exchange secure messages using a trusted third party.

222 Citations

67 Claims

1. A computer program product embodied on one or more computer-readable media, for establishing a secure connection between a client application and a server application using pre-existing message types, said computer program product comprising:
- computer-readable program code means for piggy-backing a first portion of security information onto a first message sent from said client application to said server application, wherein said first message uses a first pre-existing message type and wherein said first portion is to be used by said server application in establishing said secure connection;
  
  computer-readable program code means for forwarding said first portion from said server application to a trusted third party (TTP);
  
  computer-readable program code means for decrypting said first portion at said TTP;
  
  computer-readable program code means for returning a version of said decrypted first portion from said TTP to said server application; and
  
  computer-readable program code means for piggy-backing a second portion of security information onto a second message sent from said server application to said client application, wherein said second message responds to said first message and uses a second pre-existing message type and wherein said second portion is to be used by said client application in establishing said secure connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer program product according to claim 1, wherein said first pre-existing message type is a HyperText Transfer Protocol (HTTP) GET request message and wherein said second pre-existing message type is a response to said HTTP GET request message.
  - 3. The computer program product according to claim 1, wherein said first pre-existing message type is a HyperText Transfer Protocol (HTTP) POST request message and wherein said second pre-existing message type is a response to said HTTP POST request message.
  - 4. The computer program product according to claim 1, wherein said first pre-existing message type is a Wireless Session Protocol (WSP) GET request message and wherein said second pre-existing message type is a response to said WSP GET request message.
  - 5. The computer program product according to claim 1, wherein said first pre-existing message type is a Wireless Session Protocol (WSP) POST request message and wherein said second pre-existing message type is a response to said WSP POST request message.
  - 6. The computer program product according to claim 1, wherein said client application and said server application have no previously-existing common message encoding scheme, but said client application shares a first message encoding scheme with said TTP and said server application shares a second message encoding scheme with said TTP, and wherein:
7. The computer program product according to claim 6, wherein:
- said first portion further comprises a first set of information encrypted using a public key of said TTP; and
  
  said second portion further comprises a nonce of said server application, encrypted using a public key of said client application.
8. The computer program product according to claim 7, wherein said second portion further comprises a security certificate of said server application.
9. The computer program product according to claim 7, wherein said first set of information comprises:
- zero or more parameters required for said secure page request;
  
  an identification of said client application;
  
  an identification of said server application;
  
  an identification of said TTP;
  
  a client nonce; and
  
  optionally including a timestamp.
10. The computer program product according to claim 7, wherein said forwarded first portion comprises said first set of information.
11. The computer program product according to claim 7, wherein said returned version of said decrypted first portion comprises a subset of said first set of information, wherein said subset is encrypted using a public key of said server.
12. The computer program product according to claim 11, wherein said subset comprises:
- said zero or more parameters;
  
  , said identification of said client application;
  
  said client nonce; and
  
  said timestamp when said first set includes said timestamp.
13. The computer program product according to claim 1, wherein:
- said client application and said server application have no previously-existing common message encoding scheme, but said client application shares a first message encoding scheme with said TTP and said server application shares a second message encoding scheme with said TTP; and
  
  said second message includes a content portion that is encrypted using a public key of said client application.
14. The computer program product according to claim 6, wherein said forwarded first portion is encrypted using a public key of said TTP and said returned version is encrypted using a public key of said server application.
15. The computer program product according to claim 6, wherein said forwarded first portion and said returned version are encrypted using a private key shared by said TTP and said server application.
16. The computer program product according to claim 7, wherein said first portion comprises meta-information for a message encoding scheme proposed by said client application.
17. The computer program product according to claim 16, further comprising:
- computer-readable program code means for piggy-backing additional information onto said first message, wherein said additional information comprises zero or more parameters required for said secure page request.
18. The computer program product according to claim 17, wherein said parameters are encrypted using a client nonce.

19. A system for establishing a sure connection between a client application and a server application using pre-existing message types, said system comprising:
- means for piggy-backing a first portion of security information onto a first message sent from said client application to said server application, wherein said first message uses a first pre-existing message type and wherein said first portion is to be used by said server application in establishing said secure connection;
  
  means for forwarding said first portion from said server application to a trusted third party TTP);
  
  means for decrypting said first portion at said TTP;
  
  means for returning a version of said decrypted first portion from said TTP to said server application; and
  
  means for piggy-backing a second portion of security information onto a second message sent from said server application to said client application, wherein said second message responds to said first message and uses a second pre-existing message type and wherein said second portion is to be used by said client application in establishing said secure connection.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The system according to claim 19, wherein said first pre-existing message type is a HyperText Transfer Protocol (HTTP) GET request message and wherein said second pre-existing message type is a response to said HTTP GET request message.
  - 21. The system according to claim 19, wherein said first pre-existing message type is a HyperText Transfer Protocol (HTTP) POST request message and wherein said second pre-existing message type is a response to said HTTP POST request message.
  - 22. The system according to claim 19, wherein said first pre-existing message type is a Wireless Session Protocol (WSP) GET request message and wherein said second pre-existing message type is a response to said WSP GET request message.
  - 23. The system according to claim 19, wherein said first pre-existing message type is a Wireless Session Protocol (WSP) POST request message and wherein said second pre-existing message type is a response to said WSP POST request message.
  - 24. The system according to claim 19, wherein said client application and said server application have no previously-existing common message encoding scheme, but said client application shares a first message encoding scheme with said TTP and said server application shares a second message encoding scheme with said TTP, and wherein:
25. The system according to claim 24, wherein:
- said first portion further comprises a first set of information encrypted using a public key of said TTP; and
  
  said second portion further comprises a nonce of said server application, encrypted using a public key of said client application.
26. The system according to claim 25, wherein said second portion further comprises a security certificate of said server application.
27. The system according to claim 25, wherein said first set of information comprises:
- zero or more parameters required for said secure page request;
  
  an identification of said client application;
  
  an identification of said server application;
  
  an identification of said TTP;
  
  a client nonce; and
  
  optionally including a timestamp.
28. The system according to claim 25, wherein said forwarded first portion comprises said first set of information.
29. The system according to claim 25, wherein said returned version of said decrypted first portion comprises a subset of said first set of information, wherein said subset is encrypted using a public key of said server.
30. The system according to claim 29, wherein said subset comprises:
- said zero or more parameters;
  
  said identification of said client application;
  
  said client nonce; and
  
  said timestamp when said first set includes said timestamp.
31. The system according to claim 19, wherein:
- said client application and said server application have no previously-existing common message encoding scheme, but said client application shares a first message encoding scheme with said TTP and said server application shares a second message encoding scheme with said TTP; and
  
  said second message includes a content portion that is encrypted using a public key of said client application.
32. The system according to claim 24, wherein said forwarded first portion is encrypted using a public key of said TTP and said returned version is encrypted using a public key of said server application.
33. The system according to claim 24, wherein said forwarded first portion and said returned version are encrypted using a private key shared by said TTP and said server application.
34. The system according to claim 25, wherein said first portion comprises meta-information for a message encoding scheme proposed by said client application.
35. The system according to claim 34, further comprising:
- computer-readable program code means for piggy-backing additional information onto said first message, wherein said additional information comprises zero or more parameters required for said secure page request.
36. The system according to claim 35, wherein said parameters are encrypted using a client nonce.

37. A method for establishing a secure connection between a client application and a server application using pre-existing message types, said method comprising the steps of:
- piggy-backing a first portion of security information onto a first message sent from said client application to said server application, wherein said first message uses a first pre-existing message type and wherein said first portion is to be used by said server application in establishing said secure connection;
  
  forwarding said first portion from said server application to a trusted third party (TTP);
  
  decrypting said first portion at said TTP;
  
  returning a version of said decrypted first portion from said TTP to said server application; and
  
  piggy-backing a second portion of security information onto a second message sent from said server application to said client application, wherein said second message responds to said first message and uses a second pre-existing message type and wherein said second portion is to be used by said client application in establishing said secure connection.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 38. The method according to claim 37, wherein said first pre-existing message type is a HyperText Transfer Protocol (HTTP) GET request message and wherein said second pre-existing message type is a response to said HTTP GET request message.
  - 39. The method according to claim 37, wherein said first pre-existing message type is a HyperText Transfer Protocol (HTTP) POST request message and wherein said second pre-existing message type is a response to said HTTP POST request message.
  - 40. The method according to claim 37, wherein said first pre-existing message type is a Wireless Session Protocol (WSP) GET request message and wherein said second exist pre-existing message type is a response to said WSP GET request message.
  - 41. The method according to claim 37, wherein said first pre-existing message type is a Wireless Session Protocol (WSP) POST request message and wherein said second pre-existing message type is a response to said WSP POST request message.
  - 42. The method according to claim 37, wherein said client application and said server application have no previously-existing common message encoding scheme, but said client application shares a first message encoding scheme with said TTP and said server application shares a second message encoding scheme with said TTP, and wherein:
43. The method according to claim 42, wherein:
- said first portion further comprises a first set of information encrypted using a public key of said TTP; and
  
  said second portion further comprises a nonce of said server application, encrypted using a public key of said client application.
44. The method according to claim 43, wherein said second portion further comprises a security certificate of said server application.
45. The method according to claim 43, wherein said first set of information comprises:
- zero or more parameters required for said secure page request;
  
  an identification of said client application;
  
  an identification of said server application;
  
  an identification of said TTP;
  
  a client nonce; and
  
  optionally including a timestamp.
46. The method according to claim 43, wherein said forwarded first portion comprises said first set of information.
47. The method according to claim 43, wherein said returned version of said decrypted first portion comprises a subset of said first set of information, wherein said subset is encrypted using a public key of said server.
48. The method according to claim 47, wherein said subset comprises:
- said zero or more parameters;
  
  said identification of said client application;
  
  said client nonce; and
  
  said timestamp when said first set includes said timestamp.
49. The method according to claim 37, wherein:
- said client application and said server application have no previously-existing common message encoding scheme, but said client application shares a first message encoding scheme with said TTP and said server application shares a second message encoding scheme with said TTP; and
  
  said second message includes a content portion that is encrypted using a public key of said client application.
50. The method according to claim 42, wherein said forwarded first portion is encrypted using a public key of said TTP and said returned version is encrypted using a pubic key of said server application.
51. The method according to claim 42, wherein said forwarded first portion and said returned version are encrypted using a private key shared by said TTP and said server application.
52. The method according to claim 43, wherein said first portion comprises meta-information for a message encoding scheme proposed by said client application.
53. The method according to claim 52, further comprising:
- computer-readable program code means for piggy-backing additional information onto said first message, wherein said additional information comprises zero or more parameters required for said secure page request.
54. The method according to claim 53, wherein said parameters are encrypted using a client nonce.
55. The method according to claim 37, wherein at least a portion of content included in said second message is encrypted.
56. The method according to claim 55, wherein the encrypted portion is encrypted using a session key created from first information contained in said first portion and second information contained in said second portion.
57. The method according to claim 55, wherein the encrypted portion is encrypted using a session key created from a client nonce contained in said first portion and a server nonce contained in said second portion.
58. The method according to claim 55, wherein the encrypted portion is encrypted using a session key and wherein said second portion enables said client application to recreate said session key.
59. The method according to claim 57, wherein said client application can recreate said session key upon receiving said server nonce and can thereby decrypt said encrypted portion.
60. The method according to claim 43, wherein said fist set of information comprises:
- an identification of said client application;
  
  an identification of said server application;
  
  an identification of said TTP;
  
  a client nonce; and
  
  optionally including a timestamp.
61. The method according to claim 47, wherein said subset comprises:
- said identification of said client application;
  
  said client nonce; and
  
  said timestamp when said first set includes said timestamp.
62. The method according to claim 37, wherein said forwarded first portion is encrypted prior to forwarding, using a message encoding scheme understood by said TTP and said server application.
63. The method according to claim 37, wherein said returned version is encrypted prior to returning, using a message encoding scheme understood by said TTP and said server application.
64. The method according to claim 37, wherein said forwarded first portion is encrypted such that only said TTP can decrypt said forwarded first portion and said returned version is encrypted such that only said server application can decrypt said returned version.

65. A method for securely establishing a connection between a client application and a server application using a trusted third party (TTP) as an intermediary, further comprising steps of:
- sending, from the client application to the server application, a first message that uses a first pre-existing message type, wherein;
  
  the first message requests information from the server application, and includes a parameter portion and a proposed encoding scheme portion;
  
  the parameter portion contains zero or more parameters that may be used by the server application in creating the requested information, and is encrypted using a proposed encoding scheme that is identified in the proposed encoding scheme portion; and
  
  the proposed encoding scheme portion is encrypted using a first encoding scheme shared by the client application and the TTP;
  
  forwarding, from the server application to the TTP upon receiving the first message, the proposed encoding scheme portion;
  
  decrypting the forwarded proposed encoding scheme portion, upon receipt at the TTP, using the first encoding scheme, thereby revealing the proposed encoding scheme to the TTP;
  
  returning the revealed proposed encoding scheme from the TTP to the server application;
  
  using the returned proposed encoding scheme portion, upon receipt at the server application, to decrypt the parameter portion, thereby revealing the zero or more parameters to the server application;
  
  using the revealed zero or more parameters, if necessary, by the server application in creating the requested information;
  
  encrypting the created information, using a second encoding scheme that enables the client application to decrypt the encrypted information; and
  
  sending, from the server application to the client application, a second message that uses a second pre-existing message type, wherein the second message responds to the first message and includes the encrypted information.
- View Dependent Claims (66, 67)
- - 66. The method according to claim 65, wherein the second encoding scheme uses a session key created from a client nonce provided by the client application in the proposed encoding scheme portion and a server nonce provided by the server application, and wherein the second message also includes the server nonce in a portion that is encrypted using a public key of the client application.
  - 67. The method according to claim 65, wherein:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo International Limited (Lenovo Group Ltd.)
Original Assignee
International Business Machines Corporation
Inventors
OʼConnor, Luke James, Singhal, Sandeep K., Steiner, Michael, Binding, Carl, Hild, Stefan Georg, Shoup, Victor John
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Callahan, Paul E.

Application Number

US09/415,827
Time in Patent Office

1,764 Days
Field of Search

709/220, 709/228, 709/230, 709/310, 709/315, 713/151, 713/152, 713/171, 713/200, 345/804, 380/279
US Class Current

713/171
CPC Class Codes

H04L 63/0428 wherein the data content is...

Piggy-backed key exchange protocol for providing secure low-overhead browser connections from a client to a server using a trusted third party

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

222 Citations

67 Claims

Specification

Solutions

Use Cases

Quick Links

Piggy-backed key exchange protocol for providing secure low-overhead browser connections from a client to a server using a trusted third party

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

222 Citations

67 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links