Negotiating secure connections through a proxy server

US 6,996,841 B2
Filed: 04/19/2001
Issued: 02/07/2006
Est. Priority Date: 04/19/2001
Status: Expired due to Fees

First Claim

Patent Images

1. In computer network interconnecting a client system, a proxy system, and a server system, wherein data exchanged over the computer network is subject to being compromised, a method of negotiating, through the proxy system, a secure end-to-end connection between the client system and the server system, wherein the client system securely authenticates to the proxy system, the method comprising the acts of:

receiving a request from the client system for a secure connection between the client system and the proxy system;

establishing a secure connection between the client and proxy systems, in which at least the client is authenticated to the proxy system;

receiving a request from the client system for a secure end-to-end connection with the server system;

upon authenticating the client, downgrading the secure connection between the client and the proxy systems to an insecure client-proxy connection;

forwarding the client system request for a secure end-to-end connection to the server system only after authenticating the client and upon downgrading the secure connection between the client and the proxy systems to an insecure client-proxy connection, such that the secure connection between the client and the proxy systems is downgraded to an insecure client-proxy connection prior to establishing the secure end-to-end connection between the client and server systems, and such that the secure end-to-end connection is encapsulated within the insecure client-proxy connection, and such that the proxy server does not encrypt or decrypt any data sent between the client and the server within the insecure client-proxy connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for negotiating a secure end-to-end connection using a proxy server as an intermediary. The client first negotiates a secure connection between the client and the proxy so that any credentials exchanged will be encrypted. After the exchange of authentication credentials, the secure client-proxy connection is altered so that no further encryption takes place. The client and server then negotiate a secure end-to-end connection through the proxy, with the secure end-to-end connection being encapsulated within the insecure client-proxy connection. In this way, the overhead of creating a separate client-proxy connection for the secure end-to-end connection may be avoided, but the insecure client-proxy connection introduces only minimal overhead because it no longer encrypts any data that it carries.

155 Citations

60 Claims

1. In computer network interconnecting a client system, a proxy system, and a server system, wherein data exchanged over the computer network is subject to being compromised, a method of negotiating, through the proxy system, a secure end-to-end connection between the client system and the server system, wherein the client system securely authenticates to the proxy system, the method comprising the acts of:
- receiving a request from the client system for a secure connection between the client system and the proxy system;
  
  establishing a secure connection between the client and proxy systems, in which at least the client is authenticated to the proxy system;
  
  receiving a request from the client system for a secure end-to-end connection with the server system;
  
  upon authenticating the client, downgrading the secure connection between the client and the proxy systems to an insecure client-proxy connection;
  
  forwarding the client system request for a secure end-to-end connection to the server system only after authenticating the client and upon downgrading the secure connection between the client and the proxy systems to an insecure client-proxy connection, such that the secure connection between the client and the proxy systems is downgraded to an insecure client-proxy connection prior to establishing the secure end-to-end connection between the client and server systems, and such that the secure end-to-end connection is encapsulated within the insecure client-proxy connection, and such that the proxy server does not encrypt or decrypt any data sent between the client and the server within the insecure client-proxy connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 2. A method as recited in claim 1 further comprising the acts of:
    - issuing an authenticate challenge to the client system; and
      
      receiving, over the secure client-proxy connection, proper authentication credentials from the client system.
  - 3. A method as recited in claim 2 wherein the authenticate challenge issued to the client system is one of a basic and a digest authenticate challenge.
  - 4. A method as recited in claim 1 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is certificate based.
  - 5. A method as recited in claim 4 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is one of a secure sockets layer and a transport layer security connection.
  - 6. A method as recited in claim 1 further comprising the act of sending a certificate to the client system, wherein the certificate may be used to verify the identity of the proxy system.
  - 7. A method as recited in claim 1 further comprising the act of receiving proper authentication credentials from the client system, wherein the proper authentication credentials received from the client system are certificate based.
  - 8. A method as recited in claim 1 further comprising the act of transferring data between the client system and the server system through the secure end-to-end connection.
  - 9. A method as recited in claim 1 wherein downgrading the secure connection between the client system and the proxy system to be insecure comprises the act of setting the cipher set for the connection to be a null cipher.
  - 10. A method as recited in claim 1 wherein the request for a secure end-to-end connection comprises a hypertext transfer protocol connect request.
  - 11. A method as recited in claim 1 wherein the server system comprises one of a reverse proxy server system and a forward proxy system.
  - 12. A method as recited in claim 1 wherein at least one connection is over the Internet.
  - 13. A method as recited in claim 1 wherein the server system comprises a cascaded proxy system, the server system allowing secure connections, insecure connections, or both secure and insecure connections, with one or more other server systems.
  - 35. In computer network interconnecting a client system, a proxy system, and a sewer system, wherein data exchanged over the computer network is subject to being compromised, a computer program product far implementing a meted of negotiating, through the proxy system, a secure end-to-end connection between the client system and the server system, wherein the client system securely authenticates to the proxy system, comprising:
    - a computer readable medium for carrying machine-executable instructions for implementing the method recited in claim 1.
  - 36. A computer program product as recited in claim 35, the method comprised further of machine-executable instructions for performing the acts of:
    - issuing an authenticate challenge to the client system; and
      
      receiving proper authentication credentials from the client system.
  - 37. A computer program product as recited in claim 36 wherein the authenticate challenge issued to the client system is one of a basic and a digest authenticate challenge.
  - 38. A computer program product as recited in claim 36, the method comprised further of machine executable instructions for performing the act of sending a certificate to the client system, wherein the certificate may be used to verify the identity of the proxy system.
  - 39. A computer program product as recited in claim 36 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is certificate based.
  - 40. A computer program product as recited in claim 39 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is one of a secure sockets layer and a transport layer security connection.
  - 41. A computer program product as recited in claim 35, the method further comprised of machine-executable instructions for performing the act of receiving proper authentication credentials from the client system, wherein proper authentication credentials received from the client system are certificate based.
  - 42. A computer program product as recited in claim 35, to method further comprised of machine-executable instructions for performing the act of transferring data between the client system and the server system through the secure end-to-end connection.
  - 43. A computer program product as recited in claim 35, the method comprised further of machine-executable instructions for performing the act of setting the cipher set for the secure client-proxy connection to be a null cipher, thereby downgrading the client-proxy connection to be insecure.
  - 44. A computer program product as recited in claim 35 wherein the request for a secure end-to-end connection comprises a hypertext transfer protocol connect request.
  - 45. A computer program product as recited in claim 35 wherein the server system comprises one of a reverse proxy server system and a forward proxy server system.
  - 46. A computer program product as recited in claim 35 wherein at least one connection is over the Internet.
  - 47. A computer program product as recited in claim 35 wherein the server system comprises a cascaded proxy system, the sewer system allowing secure connections, insecure connections, or both secure and insecure connections, with one or more other server systems.

14. In computer network interconnecting a client system, a proxy system, and a server system, wherein data exchanged over the computer network is subject to being compromised, a method of negotiating, through the proxy system, a secure end-to-end connection between the client system and the server system, wherein the client system securely authenticates to the proxy system, the method comprising the acts of:
- sending a request to the proxy system for a secure connection between the client system and the proxy system;
  
  establishing a secure client-proxy connection between the client and proxy systems, in which at least the client is authenticated to the proxy system;
  
  sending a request to the proxy system for a secure end-to-end connection with the server system, wherein the proxy system forwards the request to the server system for the secure end-to-end connection only after first authenticating the client and only after first downgrading the secure client-proxy connection to an insecure client-proxy connection, such that the secure connection between the client and the proxy systems is downgraded to an insecure client-proxy connection prior to establishing the secure end-to-end connection between the client and server systems, and such that the secure end-to-end connection is encapsulated within the insecure client-proxy connection, and such that the proxy server does not encrypt or decrypt any data sent between the client and the server.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 15. A method as recited in claim 14 further comprising the acts of:
    - receiving an authenticate challenge from the proxy system; and
      
      sending, over the secure client-proxy connection, proper authentication credentials to the proxy system.
  - 16. A method as recited in claim 15 wherein the authenticate challenge received by the client system is one of a basic and a digest authenticate challenge.
  - 17. A method as recited in claim 14 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is certificate based.
  - 18. A method as recited in claim 17 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is one of a secure sockets layer and a transport layer security connection.
  - 19. A method as recited in claim 14 further comprising the act of receiving a certificate from the proxy system, wherein the certificate may be used to verify the identity of the proxy system.
  - 20. A method as recited in claim 14 further comprising the act of sending proper authentication credentials to the proxy system, wherein the proper authentication credentials sent to the proxy system are certificate based.
  - 21. A method as recited in claim 14 further comprising the act of transferring data to the server system through the secure end-to-end connection.
  - 22. A method as recited in claim 14 wherein downgrading to secure connection between the client system and the proxy system to be insecure comprises the act of setting the cipher set fix the connection to be a null cipher.
  - 23. A method as recited in claim 14 wherein the request for a secure end-to-end connection comprises a hypertext transfer protocol connect request.
  - 24. A method as recited in claim 14 wherein the server system comprises one of a reverse proxy server system and a forward proxy server system.
  - 25. A method as recited in claim 14 wherein at least one connection is over the Internet.
  - 26. A method as recited in claim 14 wherein the server system comprises a cascaded proxy system, the server system allowing secure connections, insecure connections, or both secure and insecure connections, with one or more other server systems.
  - 48. In computer network interconnecting a client system, a proxy system, and a server system, wherein data exchanged over the computer network is subject to being compromised, a computer program product for implementing a method of negotiating, through the proxy system, a secure end-to-end connection between the client system and the server system, wherein the client system securely authenticates to the proxy system, comprising:
    - a computer readable medium for carrying machine-executable instructions for implementing the method recited in claim 14.
  - 49. A computer program product as recited in claim 48, the method comprised further of machine-executable instructions for performing the acts of:
    - receiving an authenticate challenge from the proxy system; and
      
      sending proper authentication credentials to the proxy system.
  - 50. A computer program product as recited in claim 49 wherein the authenticate challenge received by the client system is one of a basic and a digest authenticate challenge.
  - 51. A computer program product as recited in claim 48, the method comprised further of machine-executable instructions for performing the act of receiving a certificate from the proxy system, wherein the certificate may be used to verify the identity of the proxy system.
  - 52. A computer program product as recited in claim 48 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is certificate based.
  - 53. A computer program product as recited in claim 52 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is one of a secure sockets layer and a transport layer security connection.
  - 54. A computer program product as recited in claim 48, the method comprised further of machine-executable instructions for performing the act of sending proper authentication credentials to the proxy system, wherein the proper authentication credentials sent to the proxy system are certificate based.
  - 55. A computer program product as recited in claim 48, the method comprised further of machine-executable instructions for performing the act of transferring data between the client system and the server system through the secure end-to-end connection.
  - 56. A computer program product as recited in claim 48, the method comprised further of machine-executable instructions for performing the act of setting the cipher set for the secure client-proxy connection to be a null cipher, thereby downgrading the client-proxy connection to be insecure.
  - 57. A computer program product as recited in claim 48 wherein the request for a secure end-to-end connection comprises a hypertext transfer protocol connect request.
  - 58. A computer program product as recited in claim 48 wherein the server system comprises one of a reverse proxy server system and a forward proxy server system.
  - 59. A computer program product as recited in claim 48 wherein at least one connection is over the Internet.
  - 60. A computer program product as recited in claim 48 wherein the server system comprises a cascaded proxy system, the server system allowing secure connections, insecure connections, or both secure and insecure connections, with one or more other server systems.

27. In computer network interconnecting a client system, a proxy system, and a server system, wherein data exchanged over the computer network is subject to being compromised, a method of negotiating, through the proxy system, a secure end-to-end connection between the client system and the server system, wherein the client system securely authenticates to the proxy system, the method comprising steps for:
- negotiating a secure client-proxy connection between the client and proxy systems, in which least client is authenticated to the proxy system;
  
  downgrading the secure client-proxy connection to an insecure client-proxy connection alter authenticating the client;
  
  only after authenticating the client and after downgrading the secure client-proxy connection, negotiating a secure end-to-end connection between the client and the server system using the secure client-proxy connection, such that the secure connection between the client and the proxy systems is downgraded to an insecure client-proxy connection prior to establishing the secure end-to-end connection between the client and server systems, and such that the secure end-to-end connection is encapsulated within the insecure client-proxy connection, and such that the proxy server does not encrypt or decrypt any data sent between the client and the server.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. A method as recited in claim 27 further comprising a step for authenticating the client system to the proxy system, wherein the step for authenticating comprises an act of either the client system sending or the proxy system receiving, proper authentication credentials including at least one of a basic authenticate challenge response, a digest authenticate challenge response, and a certificate.
  - 29. A method as recited in claim 27 wherein the step for negotiating a secure connection between the client and proxy systems comprises the act of the client system receiving or the proxy system sending a certificate, wherein the certificate may be used to verify the identity of the proxy system.
  - 30. A method as recited in claim 27 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is certificate based.
  - 31. A method as recited in claim 30 wherein at least one of the secure client-proxy connection and the secure end-to-end connection is one of a secure sockets layer and a transport layer security connection.
  - 32. A method as recited in claim 27 wherein the step for altering the secure client-proxy connection comprises the act of setting the cipher set for the connection to be a null cipher, thereby downgrading the client-proxy connection to be insecure.
  - 33. A method as recited in claim 27 where the step for negotiating a secure end-to-end connection comprises the act of either the client system sending or the proxy system receiving a hypertext transfer protocol connect request.
  - 34. A method as recited in claim 27 wherein the server system comprises a cascaded proxy system, the server system allowing secure connections, insecure connections, or both secure and insecure connections, with one or more other server systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Fishman, Neil S., Kramer, Michael, Seinfeld, Marc E., Kadyk, Donald J.
Primary Examiner(s)
Song, Hesuk
Assistant Examiner(s)
KLIMACH, PAULA W

Application Number

US09/838,745
Publication Number

US 20020157019A1
Time in Patent Office

1,755 Days
Field of Search

713/171, 713/201, 713/153, 713/150, 713/182, 713/156, 713/151, 713/152, 380/278, 380/281, 380/283, 709/225, 709/203, 709/230, 709/241, 709/200, 709/249, 709/229, 726/12, 726/15, 726/3, 726/5
US Class Current

726/12
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 67/14   Session management for real...

Negotiating secure connections through a proxy server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Negotiating secure connections through a proxy server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links