Method and apparatus for encrypting data communicated between a client and a server that use an unencrypted data transfer protocol

US 7,194,621 B1
Filed: 02/28/2002
Issued: 03/20/2007
Est. Priority Date: 02/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method for securing data in communications between a client and server using an unencrypted transfer protocol that does not encrypt a payload defined by the transfer protocol, the method comprising the computer-implemented steps of:

selecting a subset of data for encryption from a set of data to be communicated between the client and the server in a particular payload of the unencrypted transfer protocol;

determining a secret integer that is unique for the subset among a plurality of subsets in a plurality of payloads, wherein the secret integer associated with the particular payload is unique relative to secret integers associated with other payloads of the plurality of payloads, wherein determining the secret integer comprises;

determining a shared secret key based on a first integer and a first public key associated with a receiving device of the client and the server; and

selecting the secret integer based on the shared secret key;

encrypting the subset of data using at least the secret integer to generate encrypted data that is impractical for a device other than the client and the server to decrypt; and

sending, from a sending device of the client and the server to the receiving device, in the particular payload, the encrypted data and clue information to determine, only at the client and the server, the secret integer for decrypting the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securing data in communications between a client and server using an unencrypted transfer protocol, which does not encrypt a payload defined by the transfer protocol, include selecting a subset from a set of data to be communicated in a particular payload. A secret integer is determined that is unique for the subset. Based on the subset and the secret integer, encrypted data is generated that is practically unintelligible to a device other than the client and the server. A sending device, of the client and the server, sends to a receiving device, in the particular payload, the encrypted data and information to determine, only at the client and the server, the secret integer for decrypting the encrypted data. The present techniques allow a lightweight encryption algorithm to provide authentication and data security for more secure transfer of selective portions of unencrypted payloads transferred by such protocols as the Hypertext Transfer Protocol (HTTP).

34 Citations

View as Search Results

40 Claims

1. A method for securing data in communications between a client and server using an unencrypted transfer protocol that does not encrypt a payload defined by the transfer protocol, the method comprising the computer-implemented steps of:
- selecting a subset of data for encryption from a set of data to be communicated between the client and the server in a particular payload of the unencrypted transfer protocol;
  
  determining a secret integer that is unique for the subset among a plurality of subsets in a plurality of payloads, wherein the secret integer associated with the particular payload is unique relative to secret integers associated with other payloads of the plurality of payloads, wherein determining the secret integer comprises;
  
  determining a shared secret key based on a first integer and a first public key associated with a receiving device of the client and the server; and
  
  selecting the secret integer based on the shared secret key;
  
  encrypting the subset of data using at least the secret integer to generate encrypted data that is impractical for a device other than the client and the server to decrypt; and
  
  sending, from a sending device of the client and the server to the receiving device, in the particular payload, the encrypted data and clue information to determine, only at the client and the server, the secret integer for decrypting the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1, wherein the unencrypted transfer protocol is Hypertext Transfer Protocol (HTTP).
  - 3. A method as recited in claim 1, said step of determining a secret integer that is unique for the subset further comprising the steps of:
    - generating the first integer using a random number generator.
  - 4. A method as recited in claim 3, said step of sending the information to determine the secret integer further comprising the steps of:
    - determining a second public key associated with the sending device based on the first integer; and
      
      including the second public key in the information to determine the secret integer.
  - 5. A method as recited in claim 3, said step of sending the information to determine the secret integer further comprising the steps of:
    - determining a plurality of second public keys associated with the sending device based on the first integer, wherein each of the second public keys is associated with one of a plurality of subsets from the set of data; and
      
      including the plurality of second public keys in the information to determine the secret integer.
  - 6. A method as recited in claim 3, said step of selecting the secret integer further comprising the step of applying a particular hash function to the shared secret key to generate the secret integer.
  - 7. A method as recited in claim 3, said step of generating encrypted data further comprising the step of performing an exclusive or (XOR) operation between corresponding bits of the subset and the secret integer to generate the encrypted data.
  - 8. A method as recited in claim 1, wherein:
    - said step of determining the secret integer further comprises the step of applying a particular hash function a plurality of times to the shared secret key shared with the receiving device; and
      
      said step of sending the information to determine the secret integer further comprises the step of storing, as part of the clue information, data that indicates a number of times the particular hash function has been applied.
  - 9. A method as recited in claim 8, said step of determining the secret integer further comprising the steps of:
    - determining a second integer formed after the particular hash function is applied the number of times indicated in the information;
      
      determining a third integer formed after the particular hash function is applied fewer times than the number of times indicated in the information; and
      
      performing an exclusive or (XOR) operation between corresponding bits of the second integer and the third integer.
  - 10. A method as recited in claim 8, said step of determining the secret integer further comprising the steps of:
    - determining a second integer formed after the particular hash function is applied the number of times indicated in the information;
      
      determining a third integer formed after a second hash function is applied for the number of times indicated in the information, wherein the second hash function is different from the particular hash function that is used to determine the second integer; and
      
      performing an exclusive or (XOR) operation between corresponding bits of the second integer and the third integer.
  - 11. A method as recited in claim 8,wherein determining the shared secret key is based on a particular communication between the client and the server;
    - andfurther comprising storing the shared secret key in a secure data structure.
  - 12. A method as recited in claim 1, wherein the secret integer has a particular number of bits fixed for all subsets in all payloads communicated during a communication session between the client and the server.
  - 13. A method as recited in claim 1, wherein the secret integer has a number of bits that varies in accordance with lengths of payloads that are communicated during a communication session between the client and the server.

14. A computer-readable storage medium storing one or more sequences of instructions for securing data in communications between a client and server using an unencrypted transfer protocol that does not encrypt a payload defined by the transport protocol, which instructions, when executed by one or more processor, cause the one or more processor to carry out the steps of:
- selecting a subset of data for encryption from a set of data to be communicated between the client and the server in a particular payload of the unencrypted transfer protocol;
  
  determining a secret integer that is unique for the subset among a plurality of subsets in a plurality of payloads, wherein the secret integer associated with the particular payload is unique relative to secret integers associated with other payloads of the plurality of payloads, wherein determining the secret integer comprising;
  
  determining a shared secret key based on a first integer and a first public key associated with a receiving device of the client and the server; and
  
  selecting the secret integer based on the shared secret key;
  
  encrypting the subset of data using at least the secret integer to generate encrypted data that is practically unintelligible to a device other than the client and server; and
  
  sending, from a sending device of the client and the server to the receiving device, in the particular payload, the encrypted data and information to determine, only at the client and the server, the secret integer for decrypting the encrypted data.

15. An apparatus for securing data in communications between a client and server using an unencrypted transfer protocol that does not encrypt a payload defined by the transport protocol, comprising:
- means for selecting a subset of data for encryption from a set of data to be communicated between the client and the server in a particular payload of the unencrypted transfer protocol;
  
  means for determining a shared secret key based on a first integer and a first public key associated with a receiving device of the client and the server;
  
  means for determining a secret integer that is unique for the subset among a plurality of subsets in a plurality of payloads, wherein the secret integer associated with the particular payload is unique relative to secret integers associated with other payloads of the plurality of payloads, wherein the means for determining the secret integer comprise means for selecting the secret integer based on the shared secret key;
  
  means for encrypting the subset of data using at least the secret integer to generate, encrypted data that is practically unintelligible to a device other than the client and the server; and
  
  means for sending to the receiving device, in the particular payload, the encrypted data and information to determine, only at the client and the server, the secret integer for decrypting the encrypted data.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The apparatus of claim 15, wherein the unencrypted transfer protocol is Hypertext Transfer Protocol (HTTP).
  - 17. The apparatus of claim 15, wherein the means for determining a generating the first integer using a random number generator.
  - 18. The apparatus of claim 17, wherein the means for sending the information to determine the secret integer comprises means for:
    - determining a second public key associated with the sending device based on the first integer; and
      
      including the second public key in the information to determine the secret integer.
  - 19. The apparatus of claim 17, wherein the means for sending the information to determine the secret integer comprises means for:
    - determining a plurality of second public keys associated with the sending device based on the first integer, wherein each of the second public keys is associated with one of a plurality of subsets from the set of data; and
      
      including the plurality of second public keys in the information to determine the secret integer.
  - 20. The apparatus of claim 17, wherein the means for selecting the secret integer comprises means for applying a particular hash function to the shared secret key to generate the secret integer.
  - 21. The apparatus of claim 17, wherein the means for generating encrypted data comprises means for performing an exclusive or (XOR) operation between corresponding bits of the subset and the secret integer to generate the encrypted data.
  - 22. The apparatus of claim 15, wherein the means for determining the secret integer comprises means for applying a particular hash function a plurality of times to the shared secret key shared with the receiving device;
    - andwherein the means for sending the information to determine the secret integer comprise comprises means for storing, as part of the clue information, data that indicates a number of times the particular hash function has been applied.
  - 23. The apparatus of claim 22, wherein the means for determining the secret integer comprises means for:
    - determining a second integer formed after the particular hash function is applied the number of times indicated in the information;
      
      determining a third integer formed after the particular hash function is applied fewer times than the number of times indicated in the information; and
      
      performing an exclusive or (XOR) operation between corresponding bits of the second integer and the third integer.
  - 24. The apparatus of claim 22, wherein the means for determining the secret integer comprises means for:
    - determining a second integer formed after the particular hash function is applied the number of times indicated in the information;
      
      determining a third integer formed after a second hash function is applied for the number of times indicated in the information, wherein the second hash function is different from the particular hash function that is used to determine the second integer; and
      
      performing an exclusive or (XOR) operation between corresponding bits of the second integer and the third integer.
  - 25. The apparatus of claim 22, further comprising means for:
    - determining the shared secret key based on a particular communication between the client and the server; and
      
      storing the shared secret key in a secure data structure.
  - 26. The apparatus of claim 15, wherein the secret integer has a particular number of bits fixed for all subsets in all payloads communicated during a communication session between the client and the server.
  - 27. The apparatus of claim 15, wherein the secret integer has a number of bits that varies in accordance with lengths of payloads that are communicated during a communication session between the client and the server.

28. An apparatus for securing data in communications between a client and server using an unencrypted transfer protocol that does not encrypt a payload defined by the transport protocol, comprising:
- a network interface that is coupled to the data network for sending one or more packet flows thereto;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  selecting a subset of data for encryption from a set of data to be communicated between the client and the server in a particular payload of the unencrypted transfer protocol;
  
  determining a secret integer that is unique for the subset among a plurality of subsets in a plurality of payloads, wherein the secret integer associated with the particular payload is unique relative to secret integers associated with other payloads of the plurality of payloads, wherein determining the secret integer comprises;
  
  determining a shared secret key based on a first integer and a first public key associated with a receiving device of the client and the server; and
  
  selecting the secret integer based on the shared secret key;
  
  encrypting the subset of data using at least the secret integer to generate encrypted data that is practically unintelligible to a device other than the client and the server; and
  
  sending, to the receiving device, in the particular payload, the encrypted data and information to determine, only at the client and the server, the secret integer for decrypting the encrypted data.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 29. The apparatus of claim 28, wherein the unencrypted transfer protocol is Hypertext Transfer Protocol (HTTP).
  - 30. The apparatus of claim 28, wherein the sequences of instructions that cause the processor to perform determining a secret integer that is unique for the subset comprise sequences of instructions which, when executed by the processor, cause the processor to perform:
    - generating the first integer using a random number generator.
  - 31. The apparatus of claim 30, wherein the sequences of instructions that cause the processor to perform sending the information to determine the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform:
    - determining a second public key associated with the sending device based on the first integer; and
      
      including the second public key in the information to determine the secret integer.
  - 32. The apparatus of claim 30, wherein the sequences of instructions that cause the processor to perform sending the information to determine the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform:
    - determining a plurality of second public keys associated with the sending device based on the first integer, wherein each of the second public keys is associated with one of a plurality of subsets from the set of data; and
      
      including the plurality of second public keys in the information to determine the secret integer.
  - 33. The apparatus of claim 30, wherein the sequences of instructions that cause the processor to perform selecting the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform applying a particular hash function to the shared secret key to generate the secret integer.
  - 34. The apparatus of claim 30, wherein the sequences of instructions that cause the processor to perform generating encrypted data comprise sequences of instructions which, when executed by the processor, cause the processor to perform an exclusive or (XOR) operation between corresponding bits of the subset and the secret integer to generate the encrypted data.
  - 35. The apparatus of claim 28, wherein the sequences of instructions that cause the processor to perform determining the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform applying a particular hash function a plurality of times to the shared secret key shared with the receiving device;
    - andwherein the sequences of instructions that cause the processor to perform sending the information to determine the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform storing, as part of the clue information, data that indicates a number of times the particular hash function has been applied.
  - 36. The apparatus of claim 35, wherein the sequences of instructions that cause the processor to perform determining the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform:
    - determining a second integer formed after the particular hash function is applied the number of times indicated in the information;
      
      determining a third integer formed after the particular hash function is applied fewer times than the number of times indicated in the information; and
      
      performing an exclusive or (XOR) operation between corresponding bits of the second integer and the third integer.
  - 37. The apparatus of claim 35, wherein the sequences of instructions that cause the processor to perform determining the secret integer comprise sequences of instructions which, when executed by the processor, cause the processor to perform:
    - determining a second integer formed after the particular hash function is applied the number of times indicated in the information;
      
      determining a third integer formed after a second hash function is applied for the number of times indicated in the information, wherein the second hash function is different from the particular hash function that is used to determine the second integer; and
      
      performing an exclusive or (XOR) operation between corresponding bits of the second integer and the third integer.
  - 38. The apparatus of claim 35, wherein the sequences of instructions that cause the processor to perform determining the shared secret key comprise sequences of instructions which, when executed by the processor, cause the processor to perform:
    - determining the shared secret key based on a particular communication between the client and the server, andfurther comprising sequences of instructions which, when executed by the processor, cause the processor to perform the steps of;
      
      storing the shared secret key in a secure data structure.
  - 39. The apparatus of claim 28, wherein the secret integer has a particular number of bits fixed for all subsets in all payloads communicated during a communication session between the client and the server.
  - 40. The apparatus of claim 28, wherein the secret integer has a number of bits that varies in accordance with lengths of payloads that are communicated during a communication session between the client and the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Nguyen, Khanh V., Richter, Thomas W.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
SHIFERAW, ELENI A

Application Number

US10/086,516
Time in Patent Office

1,846 Days
Field of Search

713/162
US Class Current

713/162
CPC Class Codes

H04L 63/0442 wherein the sending and rec...

H04L 9/0841 involving Diffie-Hellman or...

Method and apparatus for encrypting data communicated between a client and a server that use an unencrypted data transfer protocol

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for encrypting data communicated between a client and a server that use an unencrypted data transfer protocol

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others