System and method for secure distribution of digital information to a chain of computer system nodes in a network
Abstract
Described are a system and method for securely distributing session keys over a network to each node in a chain of computer system nodes. The chain of nodes recursively constructs and presents a nested request to the authentication server. The nested request includes a request from each of the nodes in the chain requiring a session key to communicate with a neighboring node. The authentication server recursively unravels the request and recursively prepares a response that includes a session key for each node that submitted a request. The response traverses the chain of nodes in the reverse order taken by the nested request to reach the authentication server. Each node receiving the response extracts the portion of the response directed to that node, and forwards the remainder of the response, if any, to the next node in the chain. Thus, with a single traversal of the chain of nodes each node receives at least one session key. The forward and reverse protocols easily generalize for any number of nodes in the chain. The protocols can employ one-way hash functions to seal requests and responses and to encode session keys.
23 Claims
1. In a network including a first node, a second node, and a third node, a method for securely delivering digital information to the first node from the third node by way of the second node, the method comprising:
receiving a first request at the third node from the first node, wherein the first request is contained within a second request from the second node;
generating first digital information in response to the first request;
operating on the first request and the first digital information to produce a first response, the first response including a representation of the first digital information;
operating on the second request and the first response to produce a second response, the second response including the first response; and
transmitting the second response to the second node, wherein the first response is formed using an explicit identifier of the first node as the recipient for the first response and the second response is formed using an explicit identifier of the second node as the recipient for the second response.
receiving the first response from the second node;
decoding the encoded session key using the shared key;
extracting data from the sealed portion of the first response using the decoded session key; and
using the extracted data (1) to authenticate that the session key originated from the third node, (2) to determine that the session key is unaltered during transmission from the third node, and (3) to determine that the first response is a current response from the third node to the request from the first node.
6. The method of claim 2 further comprising:
generating a second session key for the second node to use in communications with the first node;
sealing a portion of the second response containing the first response using the second session key.
7. The method of claim 6 further comprising:
encoding the second session key using a key shared exclusively with the second node; and
including the encoded second session key within the second response.
8. The method of claim 2 further comprising:
extracting the first response from the second response at the second node;
transmitting the first response to the first node from the second node; and
extracting the session key from the first response at the first node.
9. The method of claim 8 wherein the session key is a first session key and the second response includes a second session key and further comprising:
extracting the second session key from the second response at the second node, and wherein the first and second session keys provide secure communication between the first node and the second node.
10. The method of claim 1 wherein the second node is a first intermediate node and the network includes a second intermediate node in a communication path between the first intermediate node and the third node, and further comprising:
operating on the first request and the second response to generate a third response, the third response including the second response;
transmitting the third response to the second intermediate node; and
extracting the second response at the second intermediate node for transmission to the first intermediate node.
11. The method of claim 2 wherein generating the first response includes:
generating plaintext;
encoding the session key;
generating a digest of a combination of the plaintext and the encoded session key; and
combining the plaintext, the encoded session key, and the digest to produce the first response.
12. The method of claim 11 wherein generating the digest includes applying a one-way hash function using the session key to the combination of the plaintext and the encoded session key.
13. The method of claim 11 wherein generating the digest includes applying an encryption algorithm using the session key to the combination of the plaintext message and the encoded session key.
14. The method of claim 11 wherein encoding the session key includes:
generating a digest of the plaintext; and
exclusive-ORing the session key with the digest of the plaintext to produce the encoded session key.
15. The method of claim 11 wherein the plaintext includes a first nonce associated with the first node and a second nonce associated with the second node.
16. The method of claim 2 wherein generating the second response includes:
generating plaintext;
generating a second session key;
encoding the second session key;
generating a digest of a combination of the plaintext, the encoded second session key, and the first response; and
combining the plaintext, the encoded second session key, the first response, and the digest to produce the second data response.
17. The method of claim 2 further comprising generating the second request including:
generating a first plaintext at the first node;
generating a first digest of the first plaintext at the first node;
transmitting a first combination of the first plaintext and the first digest from the first node to the second node;
generating a second plaintext at the second node;
generating a second digest of a second combination of the second plaintext and the first combination of the first plaintext and the first digest; and
combining the second plaintext and the second digest to produce the second request.
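As an added illustration (not code from the patent or its assignee), the following Python sketch walks the nested request/response flow that the abstract and claims 11 through 17 describe: node A's request is nested inside node B's, the authentication server unravels it recursively, and each node extracts its own session key and forwards the remainder. Assumed, because the claims leave them open: HMAC-SHA256 as the one-way hash, a long-term key shared exclusively between each node and the server, keyed digests, and the dict layout, field names and sample key values, all of which are constructed here.

```python
import hashlib, hmac, os

# Constructed long-term keys that each node shares exclusively with the auth server (sample values).
SHARED = {"A": b"\x11" * 32, "B": b"\x22" * 32}

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def canon(msg):
    # Byte form covered by digests: plaintext, encoded key (responses only), nested message, tag.
    inner = canon(msg["inner"]) if msg["inner"] else b""
    return msg["plaintext"] + msg.get("enc_key", b"") + inner + msg["tag"]

def make_request(node, nonce, inner=None):
    # Claim 17: a node emits its plaintext plus a digest over plaintext || inner request.
    # Keying that digest with the node's shared key is an assumption; the claims leave it open.
    plaintext = node.encode() + nonce
    tag = mac(SHARED[node], plaintext, canon(inner) if inner else b"")
    return {"node": node, "plaintext": plaintext, "inner": inner, "tag": tag}

def serve(request, keys):
    # Claims 11-16: unravel the nesting recursively; for each requesting node emit plaintext that
    # names it and echoes its nonce, enc_key = K XOR digest(plaintext), and a digest keyed with K.
    node, inner_req = request["node"], request["inner"]
    tag = mac(SHARED[node], request["plaintext"], canon(inner_req) if inner_req else b"")
    if not hmac.compare_digest(tag, request["tag"]):
        raise ValueError("bad request digest from " + node)
    inner = serve(inner_req, keys) if inner_req else None
    keys[node] = os.urandom(32)                                  # fresh session key for this node
    plaintext = b"to:" + node.encode() + request["plaintext"]    # explicit recipient + echoed nonce
    enc_key = xor(keys[node], mac(SHARED[node], plaintext))      # claim 14 (keyed digest: assumption)
    tag = mac(keys[node], plaintext, enc_key, canon(inner) if inner else b"")   # claims 12, 16
    return {"to": node, "plaintext": plaintext, "enc_key": enc_key, "inner": inner, "tag": tag}

def extract(node, nonce, response):
    # Receiving-node steps of the dependent claims and claim 8: recover the session key, check
    # origin, integrity and freshness, and return the nested response to forward to the neighbour.
    if response["to"] != node:
        raise ValueError("response not addressed to " + node)
    key = xor(response["enc_key"], mac(SHARED[node], response["plaintext"]))
    inner = response["inner"]
    expect = mac(key, response["plaintext"], response["enc_key"], canon(inner) if inner else b"")
    if not hmac.compare_digest(expect, response["tag"]):
        raise ValueError("digest mismatch: session key altered or response forged")
    if not response["plaintext"].endswith(nonce):
        raise ValueError("stale response: nonce mismatch")
    return key, inner
```

Node B calls `extract` first and forwards the returned inner dict to A, which calls `extract` in turn; a single traversal in each direction delivers one key per node, and a modified encoded key or a replayed response fails the digest or nonce check.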
18. In a network including a client node and an authentication server node, a method for securely delivering a session key to the client node from the authentication server node in response to a request from the client node, the method comprising:
sealing plaintext using the session key;
encoding the session key using a key shared with the client node; and
transmitting a data structure to the client node that includes the encoded session key, an explicit identifier of the client node as the recipient of the data structure, and the sealed plaintext.
receiving the data structure;
decoding the encoded session key using the shared key;
extracting the sealed plaintext using the decoded session key; and
using the extracted plaintext to authenticate that the session key originated from the authentication server.
20. The method of claim 19, further comprising determining from the extracted plaintext that the decoded session key is unaltered during transmission from the authentication server.
21. The method of claim 19, further comprising determining from the extracted plaintext that the data structure is a current response from the authentication server to the request from the client node.
22. The method of claim 18 wherein the data structure is a first data structure and the network includes an intermediate node in a communication path between the authentication server node and the client node, and further comprising:
operating on the request and the first data structure to generate a second data structure, the second data structure including the first data structure; and
transmitting the second data structure to the intermediate node for extracting the first data structure at the intermediate node and for transmitting the extracted first data structure to the client node.
23. A system for securely distributing session keys by way of a network, the network including a first node transmitting a first request to obtain a first session key and a second node in communication with the first node, the second node transmitting a second request to obtain a second session key, wherein the first request is contained within the second request from the second node, the system comprising:
a third node in communication with the second node and receiving the first request by way of the second node, the third node including:
a processor generating (1) a first response by operating on the first request and the first session key, the first response including a representation of the first session key, and (2) generating a second response by operating on the second request and the first response, the second response including the first response; and
a network interface coupled to the processor for transmitting the second response to the second node over the network, wherein the first response is formed using an explicit identifier of the first node as the recipient of the first response and the second response is formed using an explicit