System and method for secure distribution of digital information to a chain of computer system nodes in a network

US 6,799,270 B1
Filed: 09/24/1999
Issued: 09/28/2004
Est. Priority Date: 10/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a network including a first node, a second node, and a third node, a method for securely delivering digital information to the first node from the third node by way of the second node, the method comprising:

receiving a first request at the third node from the first node, wherein the first request is contained within a second request from the second node;

generating first digital information in response to the first request;

operating on the first request and the first digital information to produce a first respeonse, the first response including a representation of the first digital information;

operating on the second request and the first response to produce a second response, the second response including the first response; and

transmitting the second response to the second node, wherein the first response is formed using an explicit identifier of the first node as the recipient for the first response and the second response is formed using an explicit identifier of the second node as the recipient for the second response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are a system and method for securely distributing session keys over a network to each node in a chain of computer system nodes. The chain of nodes recursively constructs and presents a nested request to the authentication server. The nested request includes a request from each of the nodes in the chain requiring a session key to communicate with a neighboring node. The authentication server recursively unravels the request and recursively prepares a response that includes a session key for each node that submitted a request. The response traverses the chain of nodes in the reverse order taken by the nested request to reach the authentication server. Each node receiving the response extracts the portion of the response directed to that node, and forwards the remainder of the response, if any, to the next node in the chain. Thus, with a single traversal of the chain of nodes each node receives at least one session key. The forward and reverse protocols easily generalize for any number of nodes in the chain. The protocols can employ one-way hash functions to seal requests and responses and to encode session keys.

Citations

23 Claims

1. In a network including a first node, a second node, and a third node, a method for securely delivering digital information to the first node from the third node by way of the second node, the method comprising:
- receiving a first request at the third node from the first node, wherein the first request is contained within a second request from the second node;
  
  generating first digital information in response to the first request;
  
  operating on the first request and the first digital information to produce a first respeonse, the first response including a representation of the first digital information;
  
  operating on the second request and the first response to produce a second response, the second response including the first response; and
  
  transmitting the second response to the second node, wherein the first response is formed using an explicit identifier of the first node as the recipient for the first response and the second response is formed using an explicit identifier of the second node as the recipient for the second response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein the first digital information is a session key for the first node to use in communications with the second node.
  - 3. The method of claim 2 further comprising encoding the session key using a key shared exclusively with the first node to conceal the session key within the first response.
  - 4. The method of claim 3 further comprising sealing a portion of the first response using the session key.
  - 5. The method of claim 4 further comprising:
6. The method of claim 2 further comprising:
- generating a second session key for the second node to use in communications with the first node;
  
  sealing a portion of the second response containing the first response using the second session key.
7. The method of claim 6 further comprising:
- encoding the second session key using a key shared exclusively with the second node; and
  
  including the encoded second session key within the second respnse.
8. The method of claim 2 further comprising:
- extracting the first response from the second response at the second node;
  
  transmitting the first response to the first node from the second node; and
  
  extracting the session key from the first response at the first node.
9. The method of claim 8 wherein the session key is a first session key and the second response includes a second session key and further comprising:
- extracting the second session key from the second response at the second node, and wherein the first and second session keys provide secure communication between the first node and the second node.
10. The method of claim 1 wherein the second node is a first intermediate node and the network includes a second intermediate node in a communication path between the first intermediate node and the third node, and further comprising:
- operating on the first request and the second response to generate a third response, the third response including the second response;
  
  transmitting the third response to the second intermediate node; and
  
  extracting the second response at the second intermediate node for transmission to the first intermediate node.
11. The method of claim 2 wherein generating the first response includes:
- generating plaintext;
  
  encoding the session key;
  
  generating a digest of a combination of the plaintext and the encoded session key; and
  
  combining the plaintext, the encoded session key, and the digest to produce the first response.
12. The method of claim 11 wherein generating the digest includes applying a one-way hash function using the session key to the combination of the plaintext and the encoded session key.
13. The method of claim 11 wherein generating the digest includes applying an encryption algorithm using the session key to the combination of the plaintext message and the encoded session key.
14. The method of claim 11 wherein encoding the session key includes:
- generating a digest of the plaintext; and
  
  exclusive-ORing the session key with the digest of the plaintext to produce the encoded session key.
15. The method of claim 11 wherein the plaintext includes a first nonce associated with the first node and a second nonce associated with the second node.
16. The method of claim 2 wherein generating the second response includes:
- generating plaintext;
  
  generating a second session key;
  
  encoding the second session key;
  
  generating a digest of a combination of the plaintext, the encoded second session key, and the first response; and
  
  combining the plaintext, the encoded second session key, the first response, and the digest to produce the second data response.
17. The method of claim 2 further comprising generating the second request including:
- generating a first plaintext at the first node;
  
  generating a first digest of the first plaintext at the first node;
  
  transmitting a first combination of the first plaintext and the first digest from the first node to the second node;
  
  generating a second plaintext at the second node;
  
  generating a second digest of a second combination of the second plaintext and the first combination of the first plaintext and the first digest; and
  
  combining the second plaintext and the second digest to produce the second request.

18. In a network including a client node and an authentication server node, a method for securely delivering a session key to the client node from the authentication server node in response to a request from the client node, the method comprising:
- sealing plaintext using the session key;
  
  encoding the session key using a key shared with the client node; and
  
  transmitting a data structure to the client node that includes the encoded session key, an explicit identifier of the client node as the recipient of the data structure, and the sealed plaintext.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18 further comprising:
20. The method of claim 19, further comprising determining from the extracted plaintext that the decoded session key is unaltered during transmission from the authentication server.
21. The method of claim 19, further comprising determining from the extracted plaintext that the data structure is a current response from the authentication server to the request from the client node.
22. The method of claim 18 wherein the data structure is a first data structure and the network includes an intermediate node in a communication path between the authentication server node and the client node, and further comprising:
- operating on the request and the first data structure to generate a second data structure, the second data structure including the first data structure; and
  
  transmitting the second data structure to the intermediate node for extracting the first data structure at the intermediate node and for transmitting the extracted first data structure to the client node.

23. A system for securely distributing session keys by way of a network, the network including a first node transmitting a first request to obtain a first session key and a second node in communication with the first node, the second node transmitting a second request to obtain a second session key, wherein the first request is contained within the second request from the second node, the system comprising:
- a third node in communication with the second node and receiving the first request by way of the second node, the third node including;
  
  a processor generating (1) a first response by operating on the first request and the first session key, the first fesponse including a representation of the first session key, and (2) generating a second response by operating on the second request and the first response, the second response including the first response; and
  
  a network interface coupled to the processor for transmitting the second response to the second node over the network, wherein the first response is formed using an explicit identifier of the first node as the recipient of the first response and the second response is formed using an explicit

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Otway, David J., Bull, John A.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/404,955
Time in Patent Office

1,831 Days
Field of Search

713/153, 713/155, 713/156, 713/161, 713/168, 713/171, 713/176
US Class Current

713/153
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/0827   involving distinctive inter...

H04L 9/3236   using cryptographic hash fu...

H04L 9/50   using hash chains, e.g. blo...

System and method for secure distribution of digital information to a chain of computer system nodes in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure distribution of digital information to a chain of computer system nodes in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links