Method for client delegation of security to a proxy

US 7,249,377 B1
Filed: 03/31/1999
Issued: 07/24/2007
Est. Priority Date: 03/31/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of enabling a proxy to participate in a secure communication between a client and a server, comprising the steps of:

establishing via a connectivity service a first secure session between the client and the proxy;

upon verifying via the connectivity service the first secure session, establishing a second secure session between the client and the proxy, the second secure session requesting the proxy to act as a conduit to the server;

having the client and the server negotiate a session master secret;

delivering the session master secret to the proxy using the first secure session to enable the proxy to participate in the secure communication; and

having the proxy use the master secret and a session identifier to generate given cryptographic information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of enabling a proxy to participate in a secure communication between a client and a server. The method begins by establishing a first secure session between the client and the proxy. Upon verifying the first secure session, the method continues by establishing a second secure session between the client and the proxy. In the second secure session, the client requests the proxy to act as a conduit to the server. Thereafter, the client and the server negotiate a session master secret. Using the first secure session, this session master secret is then provided by the client to the proxy to enable the proxy to participate in secure communications between the client and the server. After receiving the session master secret, the proxy generates cryptographic information that enables it to provide a given service (e.g., transcoding, monitoring, encryption/decryption, caching, or the like) on the client'"'"'s behalf and without the server'"'"'s knowledge or participation. The first secure session is maintained between the client and the proxy during such communications.

118 Citations

View as Search Results

24 Claims

1. A method of enabling a proxy to participate in a secure communication between a client and a server, comprising the steps of:
- establishing via a connectivity service a first secure session between the client and the proxy;
  
  upon verifying via the connectivity service the first secure session, establishing a second secure session between the client and the proxy, the second secure session requesting the proxy to act as a conduit to the server;
  
  having the client and the server negotiate a session master secret;
  
  delivering the session master secret to the proxy using the first secure session to enable the proxy to participate in the secure communication; and
  
  having the proxy use the master secret and a session identifier to generate given cryptographic information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 further including the step of having the proxy modify requests and responses following receipt of the session master secret and generation of the given cryptographic information.
  - 3. The method as described in claim 2 wherein the proxy performs a given service on behalf of the client while modifying content from the server.
  - 4. The method as described in claim 3 wherein the given service is selected from a set of services including transcoding, caching, encryption, decryption, monitoring, filtering and pre-fetching.
  - 5. The method as described in claim 1 wherein the first and second secure sessions confirm to a network security protocol.
  - 6. The method as described in claim 5 wherein the network security protocol is SSL.
  - 7. The method as described in claim 5 wherein the network security protocol is TSL.
  - 8. The method as described in claim 1 wherein the server is a Web server and the client is a pervasive computing client.

9. A method of enabling a proxy to participate in a secure communication between a client and a server, comprising the steps of:
- having the client request a first secure connection to the proxy;
  
  upon authenticating validity of a certificate received from the proxy, having the client request a second secure connection to proxy, the second secure connection requesting the proxy to act as a conduit to the server;
  
  having the proxy generate a session identifier;
  
  having the client and the server negotiate a session master secret through the conduit;
  
  upon completion of the negotiation, having the client deliver the session master secret to the proxy using the first secure connection;
  
  having the proxy use the session master secret and the session identifier to generate given cryptographic information that is useful for participating in the secure communication.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method as described in claim 9 further including the step of having the proxy modify requests and responses following receipt of the session master secret and generating of the given cryptographic information.
  - 11. The method as described in claim 10 wherein the proxy performs a given service on behalf of the client while modifying content from the server.
  - 12. The method as described in claim 11 wherein the given service is selected from a set of services including transcoding, caching, encryption, decryption, monitoring, filtering and pre-fetching.
  - 13. The method as described in claim 9 wherein the first and second secure sessions confirm to a network security protocol.
  - 14. The method as described in claim 13 wherein the network security protocol is SSL.
  - 15. The method as described in claim 13 wherein the network security protocol is TSL.

16. A method for establishing the security of a session between a client and a server, comprising the steps of:
- through a proxy, conducing a security handshake procedure between the client and the server to produce a session key; and
  
  transmitting the session key to the proxy so that the proxy can participate in communications between the client and the server during the session.
- View Dependent Claims (17, 18)
- - 17. The method as described in claim 16 wherein the session key is transmitted from the client to the proxy over a secure connection.
  - 18. The method as described in claim 17 wherein the secure connection between the client and the proxy is created before the security handshake procedure is maintained throughout the session.

19. A cryptographic system, comprising:
- a client;
  
  a server;
  
  a proxy;
  
  a network protocol service for enabling the client and server to communicate over a secure connection;
  
  a computer program product in a computer readable medium (i) for controlling the client to request a first secure connection to the proxy, (ii) responsive to authenticating validity of a certificate from the proxy, for controlling the client to request a second secure connection to proxy, the second secure connection requesting the proxy to act as a conduit to the server, (iii) for controlling the client to negotiate with the server through the conduit to obtain a session master secret; and
  
  (iv) upon successful completion of the negotiation, for controlling the client to deliver the session master secret to the proxy using the first secure connection; and
  
  a computer program product in a computer readable medium (i) for controlling the proxy to use the session master secret and a session identifier to generate given cryptographic information, and (ii) for having the proxy modify content in communications between the client and the server.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The cryptographic system as described in claim 19 wherein the proxy includes means for providing transcoding services on behalf of the client.
  - 21. The cryptographic system as described in claim 19 wherein the proxy includes means for providing encryption/decryption services on behalf of the client.
  - 22. The cryptographic system as described in claim 19 wherein the proxy includes means for providing caching services on behalf of the client.
  - 23. The cryptographic system as described in claim 19 wherein the proxy includes means for providing monitoring services on behalf of the client.

24. A computer program product in a computer readable medium for use in a cryptographic system including a client, a server, and a proxy, comprising:
- a first routine (i) for controlling the client to request a first secure connection to the proxy, (ii) responsive to authenticating validity of a certificate from the proxy, for controlling the client to request a second secure connection to proxy, the second secure connection requesting the proxy to act as a conduit to the server, (iii) for controlling the client to negotiate with the server through the conduit to obtain a session master; and
  
  (iv) upon successful completion of the negotiation, for controlling the client to deliver the session master secret to the proxy using the first secure connection; and
  
  a second routine (i) for controlling the proxy to use the session master secret and a session identifier to generate given cryptographic information, and (ii) for having the proxy modify content in communications between the client and the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Lita, Christian, Vepstas, Linas
Primary Examiner(s)
Zia; Syed A.
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/282,633
Time in Patent Office

3,037 Days
Field of Search

713/151
US Class Current

726/12
CPC Class Codes

G06F 21/6236   between heterogeneous systems

G06F 21/83   input devices, e.g. keyboar...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

Method for client delegation of security to a proxy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method for client delegation of security to a proxy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links