System and method for establishing a secure connection
First Claim
Patent Images
1. A method for initiating a private secure connection between at least one client and a remote server interconnected by a public network for transmission of enciphered communications, the method comprising the steps of:
- equipping the remote server with at least one secure processor configured for running at least one secure server process for independently initiating and maintaining a private secure connection with the at least one client;
communicatively coupling a first secure receipt pre-processor and a response manager to the at least one client via the public network and to the remote server via a protocol stack associated with a first layered communication protocol,the remote server being configured with an operating system operative to selectively direct the at least one secure server process;
storing at least one user supplied configuration option expressing at least one secure server process capability supporting the initiating and maintaining of the private secure connection with the at least one client;
receiving at the first secure receipt pre-processor, mediated by an interface compatible with the first layered communication protocol, a first client communication originating at the at least one client and transmitted over the public network using the first layered communication protocol, the first client communication expressing at least one client capability supporting the initiating of the private secure connection with the remote server;
storing the first client communication after retaining a pointer to the first client communication;
responsive to the receipt of the first client communication, generating at the first secure receipt pre-processor, independent of the first secure server process, a first client-related identification object based on the first client communication;
generating a first client-related data-object embodying the pointer to the first client communication, a time-stamp obtained from the operating system and the first client-related identification object;
hashing the identification object using a hashing algorithm to create a first hash index;
storing the first client-related data-object indexed by the first hash index after associating a unique session identifier to the first-client-related data object;
comparing the at least one user supplied configuration option with the first client-related data object to generate a portion of a complete first server communication to the client that is consistent with the at least one capability expressed in the first client communication;
based upon the portion of the complete first server response and the layered communications protocol, generating at the response manager and communicating to the at least one client the complete first server communication responsive to the first client communication and expressing at least one server capability for supporting the initiation of the private secure connection with the at least first client;
responsive to the receipt of the complete first server communication at the at least one client, receiving at the first secure receipt pre-processor a first client reply, mediated by the interface compatible with the first layered communication protocol, containing a pre-master secret transmitted from the client, the pre-master secret being based at least in part upon the complete first server communication communicated to the at least one client by the response manager;
generating at the first secure receipt pre-processor, independent of the first secure server process, a second client-related identification object based on the first client reply;
retrieving the first client-related data-object embodying the first client-related identification object matching the second client-related identification object;
generating a first remote server response under direction of the first secure server process by using the first client-related data-object forwarded to the remote server through the intermediation of the protocol stack;
communicating the first remote server response to the response manager, through the intermediation of the protocol stack at the response manager, creating a first server-related search object based on the first server response;
under direction of the first secure server process, generating a session key using the pre-master secret in the first client reply; and
encrypting subsequent communications, between the remote server and the at least one client over the public network using the session key.
4 Assignments
0 Petitions
Accused Products
Abstract
A system and method initiates secure sessions without occupying a process on the server until the premaster key is received from the client.
155 Citations
5 Claims
-
1. A method for initiating a private secure connection between at least one client and a remote server interconnected by a public network for transmission of enciphered communications, the method comprising the steps of:
-
equipping the remote server with at least one secure processor configured for running at least one secure server process for independently initiating and maintaining a private secure connection with the at least one client; communicatively coupling a first secure receipt pre-processor and a response manager to the at least one client via the public network and to the remote server via a protocol stack associated with a first layered communication protocol, the remote server being configured with an operating system operative to selectively direct the at least one secure server process; storing at least one user supplied configuration option expressing at least one secure server process capability supporting the initiating and maintaining of the private secure connection with the at least one client; receiving at the first secure receipt pre-processor, mediated by an interface compatible with the first layered communication protocol, a first client communication originating at the at least one client and transmitted over the public network using the first layered communication protocol, the first client communication expressing at least one client capability supporting the initiating of the private secure connection with the remote server; storing the first client communication after retaining a pointer to the first client communication; responsive to the receipt of the first client communication, generating at the first secure receipt pre-processor, independent of the first secure server process, a first client-related identification object based on the first client communication; generating a first client-related data-object embodying the pointer to the first client communication, a time-stamp obtained from the operating system and the first client-related identification object; hashing the identification object using a hashing algorithm to create a first hash index; storing the first client-related data-object indexed by the first hash index after associating a unique session identifier to the first-client-related data object; comparing the at least one user supplied configuration option with the first client-related data object to generate a portion of a complete first server communication to the client that is consistent with the at least one capability expressed in the first client communication; based upon the portion of the complete first server response and the layered communications protocol, generating at the response manager and communicating to the at least one client the complete first server communication responsive to the first client communication and expressing at least one server capability for supporting the initiation of the private secure connection with the at least first client; responsive to the receipt of the complete first server communication at the at least one client, receiving at the first secure receipt pre-processor a first client reply, mediated by the interface compatible with the first layered communication protocol, containing a pre-master secret transmitted from the client, the pre-master secret being based at least in part upon the complete first server communication communicated to the at least one client by the response manager; generating at the first secure receipt pre-processor, independent of the first secure server process, a second client-related identification object based on the first client reply; retrieving the first client-related data-object embodying the first client-related identification object matching the second client-related identification object; generating a first remote server response under direction of the first secure server process by using the first client-related data-object forwarded to the remote server through the intermediation of the protocol stack; communicating the first remote server response to the response manager, through the intermediation of the protocol stack at the response manager, creating a first server-related search object based on the first server response; under direction of the first secure server process, generating a session key using the pre-master secret in the first client reply; and encrypting subsequent communications, between the remote server and the at least one client over the public network using the session key. - View Dependent Claims (2, 3, 4)
-
-
5. A method for initiating a private secure session for secured data communications over an unsecured network, the method comprising:
-
providing a server running under an operating system that controls at least a first process and a second process, the server including a secure receipt pre-processor, a response manager and a secure processor communicatively coupled to each other, wherein the secure receipt pre-processor and optionally the response manager are operationally directed by the first process and the secure processor is operationally directed by the second process; receiving a client communication from a client at the secure receipt pre-processor; classifying the client communication into one of a client hello having a first expression indicative of initiating the private secure session with the secure processor, a client reply having a pre-master secret created responsive to a server hello, and an encrypted client communication; if the received client communication is the client hello and the client hello is missing a secure session identifier, buffering the client hello at the secure receipt pre-processor after generating and assigning a secure session identifier to the client hello, and saving the secure session identifier; responsive to the client hello, generating and forwarding to the client a server hello cooperatively between the secure receipt pre-processor and the response manager independent of the second process, the server hello including at least one second expression to enable the client to initiate the private secure session; if the received client communication is the client hello and the client hello includes the secure session identifier, locating the secure session identifier and examining a timestamp associated with the secure session identifier; if the timestamp associated with secure session identified is unacceptable, generating and forwarding to the client the server hello cooperatively between the secure receipt pre-processor and the response manager independent of the second process, the server hello including the at least one second expression to enable the client to initiate the private secure session; if the timestamp associated with secure session identified is acceptable, substituting the secure session identifier by a sever session identifier, sending the client hello to the secure server, receiving and examining a secure server reply; upon detecting a secure server reply that is a server hello, saving the server session identification and the timestamp before forwarding the server hello to the client, otherwise forwarding the secure server reply to the client; upon receiving the client reply at the secure receipt pre-processor responsive to the first client hello, wherein the client reply is in a first ciphertext form and including the pre-master secret based at least in part on the at least one second expression, forwarding the client hello that corresponds to the client reply received at the secure receipt pre-processor to the secure processor; assigning the server session identifier associated with the first client hello to the private secure session; using the pre-master secret in the client reply to generate a session key at the secure server; and using the session key to process encrypted client communications at the secure server and for encrypting communications before forwarding to the client.
-
Specification