System and method for establishing a secure connection

US 7,254,237 B1
Filed: 01/07/2002
Issued: 08/07/2007
Est. Priority Date: 01/12/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for initiating a private secure connection between at least one client and a remote server interconnected by a public network for transmission of enciphered communications, the method comprising the steps of:

equipping the remote server with at least one secure processor configured for running at least one secure server process for independently initiating and maintaining a private secure connection with the at least one client;

communicatively coupling a first secure receipt pre-processor and a response manager to the at least one client via the public network and to the remote server via a protocol stack associated with a first layered communication protocol,the remote server being configured with an operating system operative to selectively direct the at least one secure server process;

storing at least one user supplied configuration option expressing at least one secure server process capability supporting the initiating and maintaining of the private secure connection with the at least one client;

receiving at the first secure receipt pre-processor, mediated by an interface compatible with the first layered communication protocol, a first client communication originating at the at least one client and transmitted over the public network using the first layered communication protocol, the first client communication expressing at least one client capability supporting the initiating of the private secure connection with the remote server;

storing the first client communication after retaining a pointer to the first client communication;

responsive to the receipt of the first client communication, generating at the first secure receipt pre-processor, independent of the first secure server process, a first client-related identification object based on the first client communication;

generating a first client-related data-object embodying the pointer to the first client communication, a time-stamp obtained from the operating system and the first client-related identification object;

hashing the identification object using a hashing algorithm to create a first hash index;

storing the first client-related data-object indexed by the first hash index after associating a unique session identifier to the first-client-related data object;

comparing the at least one user supplied configuration option with the first client-related data object to generate a portion of a complete first server communication to the client that is consistent with the at least one capability expressed in the first client communication;

based upon the portion of the complete first server response and the layered communications protocol, generating at the response manager and communicating to the at least one client the complete first server communication responsive to the first client communication and expressing at least one server capability for supporting the initiation of the private secure connection with the at least first client;

responsive to the receipt of the complete first server communication at the at least one client, receiving at the first secure receipt pre-processor a first client reply, mediated by the interface compatible with the first layered communication protocol, containing a pre-master secret transmitted from the client, the pre-master secret being based at least in part upon the complete first server communication communicated to the at least one client by the response manager;

generating at the first secure receipt pre-processor, independent of the first secure server process, a second client-related identification object based on the first client reply;

retrieving the first client-related data-object embodying the first client-related identification object matching the second client-related identification object;

generating a first remote server response under direction of the first secure server process by using the first client-related data-object forwarded to the remote server through the intermediation of the protocol stack;

communicating the first remote server response to the response manager, through the intermediation of the protocol stack at the response manager, creating a first server-related search object based on the first server response;

under direction of the first secure server process, generating a session key using the pre-master secret in the first client reply; and

encrypting subsequent communications, between the remote server and the at least one client over the public network using the session key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method initiates secure sessions without occupying a process on the server until the premaster key is received from the client.

155 Citations

5 Claims

1. A method for initiating a private secure connection between at least one client and a remote server interconnected by a public network for transmission of enciphered communications, the method comprising the steps of:
- equipping the remote server with at least one secure processor configured for running at least one secure server process for independently initiating and maintaining a private secure connection with the at least one client;
  
  communicatively coupling a first secure receipt pre-processor and a response manager to the at least one client via the public network and to the remote server via a protocol stack associated with a first layered communication protocol,the remote server being configured with an operating system operative to selectively direct the at least one secure server process;
  
  storing at least one user supplied configuration option expressing at least one secure server process capability supporting the initiating and maintaining of the private secure connection with the at least one client;
  
  receiving at the first secure receipt pre-processor, mediated by an interface compatible with the first layered communication protocol, a first client communication originating at the at least one client and transmitted over the public network using the first layered communication protocol, the first client communication expressing at least one client capability supporting the initiating of the private secure connection with the remote server;
  
  storing the first client communication after retaining a pointer to the first client communication;
  
  responsive to the receipt of the first client communication, generating at the first secure receipt pre-processor, independent of the first secure server process, a first client-related identification object based on the first client communication;
  
  generating a first client-related data-object embodying the pointer to the first client communication, a time-stamp obtained from the operating system and the first client-related identification object;
  
  hashing the identification object using a hashing algorithm to create a first hash index;
  
  storing the first client-related data-object indexed by the first hash index after associating a unique session identifier to the first-client-related data object;
  
  comparing the at least one user supplied configuration option with the first client-related data object to generate a portion of a complete first server communication to the client that is consistent with the at least one capability expressed in the first client communication;
  
  based upon the portion of the complete first server response and the layered communications protocol, generating at the response manager and communicating to the at least one client the complete first server communication responsive to the first client communication and expressing at least one server capability for supporting the initiation of the private secure connection with the at least first client;
  
  responsive to the receipt of the complete first server communication at the at least one client, receiving at the first secure receipt pre-processor a first client reply, mediated by the interface compatible with the first layered communication protocol, containing a pre-master secret transmitted from the client, the pre-master secret being based at least in part upon the complete first server communication communicated to the at least one client by the response manager;
  
  generating at the first secure receipt pre-processor, independent of the first secure server process, a second client-related identification object based on the first client reply;
  
  retrieving the first client-related data-object embodying the first client-related identification object matching the second client-related identification object;
  
  generating a first remote server response under direction of the first secure server process by using the first client-related data-object forwarded to the remote server through the intermediation of the protocol stack;
  
  communicating the first remote server response to the response manager, through the intermediation of the protocol stack at the response manager, creating a first server-related search object based on the first server response;
  
  under direction of the first secure server process, generating a session key using the pre-master secret in the first client reply; and
  
  encrypting subsequent communications, between the remote server and the at least one client over the public network using the session key.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the step of generating the first complete server response to the client further includes the steps of:
    - choosing a lesser of a protocol version contained in the first client communication and a protocol version in the at least one user supplied configuration option if the first client communication contains a protocol version;
      
      choosing a first compression method indicated in a list of compression methods contained in the first client communication that is also in a list of compression methods in the at least one configuration options if the first client communication contains a list of compression methods;
      
      examining a “
      
      request client authentication”
      
      option stored in the at least one user supplied configuration option and upon the “
      
      request client authentication”
      
      option being true, constructing a client authentication request; and
      
      examining a “
      
      provide server authentication”
      
      option stored in the at least one user supplied configuration option, and upon the “
      
      provide server authentication”
      
      option being true, examining a chosen cipher and using the chosen cipher to choose a server authentication from a certificate storage.
  - 3. The method of claim 1 wherein the hashing algorithm comprises an algorithm selected from the set consisting of one of:
    - a Rivest Shamir Adelman (RSA), a Message-Digest algorithm 5 (MD5) and a Secure Hash Algorithm (SHA).
  - 4. The method of claim 1 wherein the layered communication protocol is the Transfer Control Protocol (TCP).

5. A method for initiating a private secure session for secured data communications over an unsecured network, the method comprising:
- providing a server running under an operating system that controls at least a first process and a second process, the server including a secure receipt pre-processor, a response manager and a secure processor communicatively coupled to each other, wherein the secure receipt pre-processor and optionally the response manager are operationally directed by the first process and the secure processor is operationally directed by the second process;
  
  receiving a client communication from a client at the secure receipt pre-processor;
  
  classifying the client communication into one of a client hello having a first expression indicative of initiating the private secure session with the secure processor, a client reply having a pre-master secret created responsive to a server hello, and an encrypted client communication;
  
  if the received client communication is the client hello and the client hello is missing a secure session identifier, buffering the client hello at the secure receipt pre-processor after generating and assigning a secure session identifier to the client hello, and saving the secure session identifier;
  
  responsive to the client hello, generating and forwarding to the client a server hello cooperatively between the secure receipt pre-processor and the response manager independent of the second process, the server hello including at least one second expression to enable the client to initiate the private secure session;
  
  if the received client communication is the client hello and the client hello includes the secure session identifier, locating the secure session identifier and examining a timestamp associated with the secure session identifier;
  
  if the timestamp associated with secure session identified is unacceptable, generating and forwarding to the client the server hello cooperatively between the secure receipt pre-processor and the response manager independent of the second process, the server hello including the at least one second expression to enable the client to initiate the private secure session;
  
  if the timestamp associated with secure session identified is acceptable, substituting the secure session identifier by a sever session identifier, sending the client hello to the secure server, receiving and examining a secure server reply;
  
  upon detecting a secure server reply that is a server hello, saving the server session identification and the timestamp before forwarding the server hello to the client, otherwise forwarding the secure server reply to the client;
  
  upon receiving the client reply at the secure receipt pre-processor responsive to the first client hello, wherein the client reply is in a first ciphertext form and including the pre-master secret based at least in part on the at least one second expression, forwarding the client hello that corresponds to the client reply received at the secure receipt pre-processor to the secure processor;
  
  assigning the server session identifier associated with the first client hello to the private secure session;
  
  using the pre-master secret in the client reply to generate a session key at the secure server; and
  
  using the session key to process encrypted client communications at the secure server and for encrypting communications before forwarding to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SLT Logic LLC
Original Assignee
SLT Logic LLC
Inventors
Jacobson, Van, Poduri, Kedar
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
HOFFMAN, BRANDON S

Application Number

US10/042,886
Time in Patent Office

2,038 Days
Field of Search

713200-204, 713/151
US Class Current

380/277
CPC Class Codes

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3297   involving time stamps, e.g....

System and method for establishing a secure connection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

5 Claims

Specification

Use Cases

Quick Links

Others

System and method for establishing a secure connection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

5 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others