System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel

US 6,986,040 B1
Filed: 11/03/2000
Issued: 01/10/2006
Est. Priority Date: 11/03/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for establishing a secure communication channel between a client and an application server comprising the steps of:

(a) receiving, at a web server, a request from a client to have an application program executed on an application server and to have output from said application program executing on said application server transmitted to said client;

(b) generating, by a ticket service, a ticket having an identifier and a session key;

(c) obtaining, by said web server, said ticket from said ticket service;

(d) transmitting, by said web server, said ticket to said client over a secure communication channel;

(e) transmitting, by said client, said identifier from said ticket to said application server;

(f) obtaining, by said application server, a copy of said session key from said ticket service using said identifier;

(g) establishing an application communication channel between said client and said application server;

(h) executing, by said application server, said application program identified in said request;

(i) transmitting, by said application server, output of said application program over said application communication channel via a remote display protocol; and

(j) encrypting said output communicated to said client over said application communication channel using said session key.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention features a system and method for establishing a secure communication channel between a client and an application server. In one embodiment, a ticket service generates a ticket having an identifier and a session key. A communications device obtains the ticket from the ticket service and transmits the ticket to a client over a secure communication channel. The client transmits the identifier of the ticket to an application server over an application communication channel. The application server then obtains a copy of the session key of the ticket from the ticket service. Communications exchanged between the client and the application server over the application communication channel are then encrypted using the session key to establish the application communication channel as a secure communication channel.

288 Citations

89 Claims

1. A method for establishing a secure communication channel between a client and an application server comprising the steps of:
- (a) receiving, at a web server, a request from a client to have an application program executed on an application server and to have output from said application program executing on said application server transmitted to said client;
  
  (b) generating, by a ticket service, a ticket having an identifier and a session key;
  
  (c) obtaining, by said web server, said ticket from said ticket service;
  
  (d) transmitting, by said web server, said ticket to said client over a secure communication channel;
  
  (e) transmitting, by said client, said identifier from said ticket to said application server;
  
  (f) obtaining, by said application server, a copy of said session key from said ticket service using said identifier;
  
  (g) establishing an application communication channel between said client and said application server;
  
  (h) executing, by said application server, said application program identified in said request;
  
  (i) transmitting, by said application server, output of said application program over said application communication channel via a remote display protocol; and
  
  (j) encrypting said output communicated to said client over said application communication channel using said session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein said ticket service resides on said web server.
  - 3. The method of claim 1 wherein step (f) further comprises transmitting, by said application server, said identifier to said web server over a server communication channel.
  - 4. The method of claim 3 further comprising receiving, by said application server, a response to transmitting said identifier to said web server, said response including said session key.
  - 5. The method of claim 3 further comprising validating, by said web server, said identifier.
  - 6. The method of claim 5 wherein said validating step further comprises confirming by said web server that said identifier is received by said web server within a predetermined time frame.
  - 7. The method of claim 3 further comprising establishing said server communication channel as a secure communication channel.
  - 8. The method of claim 1 wherein said session key is substantially equivalent to a null value.
  - 9. The method of claim 8 wherein said null value is a constant value.
  - 10. The method of claim 1 wherein said identifier is a nonce.
  - 11. The method of claim 1 wherein said identifier is an application server certificate.
  - 12. The method of claim 1 wherein step (j) further comprises decrypting communications from said application server using said session key.
  - 13. The method of claim 1 wherein said remote display protocol is the Independent Computing Architecture protocol.
  - 14. The method of claim 1 wherein said remote display protocol is the Remote Desktop Protocol.

15. A method for establishing a secure communication channel between a client and an application server comprising the steps of:
- (a) transmitting to a web server a request to have an application server execute an application program and transmit output from said application program executing on said application server;
  
  (b) establishing a secure web communication channel between a web browser executing on said client and said web server;
  
  (c) receiving a ticket having an identifier and a session key from said web server over said secure web communication channel;
  
  (d) establishing an application communication channel with said application server over said application communication channel;
  
  (e) transmitting said identifier from said ticket to said application server over an application communication channel to provide said application server with information for obtaining a copy of said session key;
  
  (f) receiving output of said application program, identified in said request, from said application server over said application communication channel via a remote display protocol; and
  
  (g) decrypting said output using said session key.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15 wherein said ticket is generated by a ticket service.
  - 17. The method of claim 16 wherein said ticket service resides on said web server.
  - 18. The method of claim 15 wherein said identifier is an application server certificate.
  - 19. The method of claim 15 wherein step (b) further comprises using secure socket layer technology to establish said secure web communication channel.
  - 20. The method of claim 15 wherein step (e) further comprises transmitting a password to said application server.
  - 21. The method of claim 15 wherein said session key is substantially equivalent to a null value.
  - 22. The method of claim 15 wherein said session key is substantially equivalent to a null value.
  - 23. The method of claim 15 wherein step (g) further comprises encrypting communications to said application server.
  - 24. The method of claim 15 wherein said remote display protocol is the Independent Computing Architecture protocol.
  - 25. The method of claim 15 wherein said remote display protocol is the Remote Desktop Protocol.

26. A method for establishing a secure communication channel between a client and an application server comprising the steps of:
- (a) receiving a request from a web server to execute an application program on behalf of a client and transmit to said client output from said application program executing on said application server;
  
  (b) receiving an identifier from said client;
  
  (c) obtaining from said web server a copy of a session key associated with said identifier;
  
  (d) establishing an application communication channel with said client;
  
  (e) executing said application program identified in said request;
  
  (f) transmitting output of said executing application program over said application communication channel via a remote display protocol; and
  
  (g) encrypting said output using said session key.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 27. The method of claim 26 wherein step (b) comprises receiving a nonce from said client.
  - 28. The method of claim 26 wherein said ticket is generated by a ticket service.
  - 29. The method of claim 26 wherein said identifier is an application server certificate.
  - 30. The method of claim 26 wherein step (b) further comprises receiving a password from said client.
  - 31. The method of claim 26 wherein said ticket is generated by a ticket service.
  - 32. The method of claim 31 wherein said application server receives a response to transmitting said identifier to said web server, said response including said session key.
  - 33. The method of claim 31 wherein said web server validates said identifier.
  - 34. The method of claim 26 wherein said ticket service resides on said web server.
  - 35. The method of claim 34 wherein said web server validates said identifier is received by said web server within a predetermined time frame.
  - 36. The method of claim 26 wherein step (c) further comprises transmitting by said application server said identifier to said web server over a server communication channel.
  - 37. The method of claim 26 wherein said identifier is an application server certificate.
  - 38. The method of claim 26 wherein said session key is substantially equivalent to a null value.
  - 39. The method of claim 26 wherein said null value is a constant value.
  - 40. The method of claim 26 wherein step (g) further comprises decrypting communications from said client.
  - 41. The method of claim 26 wherein said remote display protocol is the Independent Computing Architecture protocol.
  - 42. The method of claim 26 wherein said remote display protocol is the Remote Desktop protocol.

43. A communications system for establishing a secure communication channel between a client and an application server comprising:
- a ticket service generating a ticket associated with a client, said ticket having an identifier and a session key;
  
  a web server in communication with said ticket service;
  
  said web server receiving a request from said client to have an application program executed on an application server, obtaining said ticket from said ticket service, and transmitting said ticket to said client over a secure communication channel;
  
  said client transmitting said identifier from said ticket to said application server;
  
  said application server obtaining a copy of said session key from said ticket service using said identifier;
  
  said client and said application server establishing an application communication channel, said application server executing said application program identified in said request and transmitting output from said executing application program over said application communication channel via a remote display protocol; and
  
  said client and said application server encrypting communications using said session key.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 44. The system of claim 43 wherein said ticket service resides on said web server.
  - 45. The system of claim 43 further comprising said application server transmitting said identifier to said web server over a server communication channel.
  - 46. The system of claim 45 further comprising said application server requesting a copy of said session key in response to receiving said identifier from said client.
  - 47. The system of claim 46 further comprising said web server validating said identifier.
  - 48. The system of claim 47 wherein said web server validates said identifier has not been previously received from said application server.
  - 49. The system of claim 48 further comprising said web server transmitting said session key to said application server over said server communication channel.
  - 50. The system of claim 47 wherein said web server validates said identifier when said identifier is received by said web server within a predetermined time frame.
  - 51. The system of claim 46 further comprising said web server transmitting additional information to said application server over said server communication channel.
  - 52. The system of claim 51 wherein said additional information comprises login information of a user of said client.
  - 53. The system of claim 52 wherein said additional information comprises a name of a software application executing on said application server.
  - 54. The system of claim 45 wherein said server communication channel is a secure communication channel.
  - 55. The system of claim 43 further comprising said client transmitting a password to said application server.
  - 56. The system of claim 43 further comprising said ticket service transmitting information corresponding to at least one of said client and a user operating said client to said application server.

57. A communications system for establishing a secure communication channel between a client and an application server comprising:
- a web browser on a client establishing a secure web communication channel with a web server, said web browser;
  
  transmitting to said web server a request to have an application server execute an application program and transmit to said client output of said application program executing on said application server;
  
  receiving a ticket associated with said client from said web server, said ticket having an identifier and a session key; and
  
  transmitting said identifier from said ticket to said application server; and
  
  an application client on said client establishing an application communication channel with said application server, said application client receiving output of said application program, identified in said request, executing on said application server, over said application communication channel via a remote display protocol and decrypting said output using said session key.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 58. The system of claim 57 wherein said web browser receives additional information from said web server over said secure web communication channel.
  - 59. The system of claim 58 wherein said additional information further comprises an address of said application server.
  - 60. The system of claim 57 wherein said application client transmits a password of a user operating said client to said application server.
  - 61. The system of claim 57 wherein said identifier is an application server certificate.
  - 62. The system of claim 57 wherein said web browser uses secure socket layer technology to establish said secure web communication channel.
  - 63. The system of claim 57 wherein said identifier is a nonce.
  - 64. The system of claim 57 wherein said session key is substantially equivalent to a null value.
  - 65. The system of claim 57 wherein said null value is a constant value.
  - 66. The system of claim 57 wherein said remote display protocol is the Independent Computing Architecture protocol.
  - 67. The system of claim 57 wherein said remote display protocol is the Remote Display Protocol.
  - 68. The system of claim 57 wherein said client encrypts communications to said application server using said session key.

69. A communications system for establishing a secure communication channel between a client and an application server comprising:
- a ticket service generating a ticket associated with a client, said ticket having an identifier and a session key;
  
  a web server in communication with said ticket service, said web server receiving a request from said client to have an application program executed on said client'"'"'s behalf and to have output of said application program transmitted to said client, said web server transmitting said ticket to said client over a secure web communication channel;
  
  an application server receiving said identifier from said ticket from said client, obtaining a copy of said session key from said web server, establishing an application communication channel with said client, executing said application program, transmitting output from said application program identified in said request to said client over said application communication channel via a remote display protocol, and encrypting said output using said session key.
- View Dependent Claims (70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89)
- - 70. The system of claim 69 wherein said ticket service resides on said web server.
  - 71. The system of claim 69 wherein said application server obtains a copy of said session key from said web server in response to receiving said identifier from said client.
  - 72. The system of claim 69 wherein said web server validates said identifier.
  - 73. The system of claim 72 wherein said web server validates said identifier has not been previously received from said application server.
  - 74. The system of claim 72 wherein said web server validates said identifier is received by said web server within a predetermined time frame.
  - 75. The system of claim 72 wherein said web server transmits said session key to said application server over a server communication channel in response to receiving said identifier from said application server.
  - 76. The system of claim 75 wherein said server communication channel is a secure communication channel.
  - 77. The system of claim 75 wherein said web server transmits additional information to said application server over said server communication channel.
  - 78. The system of claim 77 wherein said additional ticket information further comprises login information of a user of said client.
  - 79. The system of claim 77 wherein said additional ticket information further comprises a name of a software application executing on said application server.
  - 80. The system of claim 72 wherein said client transmits a password of a user operating said client to said application server.
  - 81. The system of claim 72 wherein said ticket service transmits information corresponding to at least one of said client and a user operating said client to said application server.
  - 82. The system of claim 72 wherein said identifier is an application server certificate.
  - 83. The system of claim 72 wherein said identifier is a nonce.
  - 84. The system of claim 72 wherein said session key is substantially equivalent to a null value.
  - 85. The system of claim 72 wherein said null value is a constant value.
  - 86. The system of claim 72 wherein said secure web communication channel is established using secure socket layer technology.
  - 87. The system of claim 69 wherein said remote display protocol is the Independent Computing Architecture protocol.
  - 88. The system of claim 69 wherein said remote display protocol is the Remote Desktop Display Protocol.
  - 89. The system of claim 69 wherein said application server decrypts communications from said client using said session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kramer, Andre, Harwood, Will
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Moorthy, Aravind K

Application Number

US09/706,117
Time in Patent Office

1,894 Days
Field of Search

713/155, 713200-202, 713/152, 713/168, 380/255, 380/277, 380/28
US Class Current

713/155
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 2221/2115   Third party

G06Q 20/0855   involving a third party

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/3829   involving key management

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/18   using different networks or...

System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

288 Citations

89 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

288 Citations

89 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links