Secure end-to-end notification

US 7,299,349 B2
Filed: 01/31/2002
Issued: 11/20/2007
Est. Priority Date: 01/31/2002
Status: Expired due to Fees

First Claim

Patent Images

1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:

an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;

after the security information has been negotiated, an act of using the security information to generate an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object, wherein the PAP message has at least one PAP header, and wherein the at least one PAP header include a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and

an act of initiating transmission of the HTTP message to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing secure end-to-end notifications from a notification source to a notification sink despite the notification mechanism including one or more message transit points between the notification source and the notification sink. Initially, security information (e.g., the master security, the cryptographic algorithm, and the like) is negotiated out-of-band from the one or more message transit points so that the message transit points are not apprised of the security information. When a designated event occurs, the notification source generates a push message that includes the notification encrypted using the pre-negotiated security information. When the notification sink receives the push message, the notification sink decrypts the notification using the pre-negotiated security information, as well as supplemental information provided in the push message. Thus, the message transit points only have access to the encrypted form of the notification.

33 Citations

View as Search Results

26 Claims

1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
  
  after the security information has been negotiated, an act of using the security information to generate an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object, wherein the PAP message has at least one PAP header, and wherein the at least one PAP header include a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and
  
  an act of initiating transmission of the HTTP message to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 25, 26)
- - 2. A method in accordance with claim 1, wherein the act of using the security information to generate an HTTP message that includes an encrypted form of the notification comprises the following:
    - an act of using the security information to generate an HTTP message that includes an encrypted form of an automatically-generated notification.
  - 3. A method in accordance with claim 1, wherein the act of using the security information to generate an HTTP message that includes an encrypted form of the notification comprises the following:
    - an act of using the security information to generate an HTTP message that includes an encrypted form of a subscription-based notification.
  - 4. A method in accordance with claim 1, wherein the at least one message transit point comprises a server maintained by a wireless carrier, wherein the act of initiating transmission of the HTTP message to the notification sink comprises the following:
    - an act of initiating transmission of the HTTP message to a wireless device via the server maintained by the wireless carrier.
  - 5. A method in accordance with claim 1, wherein the at least one message transit point comprises a server, wherein the act of initiating transmission of the HTTP message to the notification sink comprises the following:
    - an act of transmitting the HTTP message to the server using a first protocol, wherein the server transmits the HTTP message to a wireless device using a second protocol.
  - 6. A method in accordance with claim 5, wherein the act of transmitting the HTTP message to the server using a first protocol comprises the following:
    - an act of transmitting the HTTP message to a Push Proxy Gateway (PPG).
  - 7. A method in accordance with claim 6, wherein the HTTP message is included as a multipart segment.
  - 8. A method in accordance with claim 7, wherein the server is configured to extract the HTTP message from the PAP message and transmit the HTTP message to the wireless device.
  - 9. A method in accordance with claim 8, wherein the server is configured to extract the HTTP message from the PAP message and encode the HTTP message in a Push Over-the-Air protocol message.
  - 10. A method in accordance with claim 1, wherein the clear-text supplemental information that may be used to decrypt the notification using the security information comprises a session identifier field.
  - 11. A method in accordance with claim 1, wherein the encrypted form of the notification comprises a payload data field.
  - 12. A method in accordance with claim 1, wherein the at least one message transmit point comprises a corporate server.
  - 13. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises the following:
    - an act of establishing a secure session between the notification source and the notification sink.
  - 14. A method in accordance with claim 13, wherein the act of establishing a secure session between the notification source and the notification sink comprises the following:
    - an act of establishing a Secure Socket Layer (SSL) session between the notification source and the notification sink.
  - 15. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises:
    - an act of negotiating a master secret shared by the notification source and the notification sink.
  - 16. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises:
    - an act of negotiating a cryptographic algorithm to be used when encrypting and decrypting notifications.
  - 25. A method as recited in claim 1, wherein the schema document is an XML document specifying the address of the notification sink.
  - 26. A method as recited in claim 1, wherein negotiating security information comprises negotiating a session identifier unique within the notification sink, and wherein the generated HTTP message further includes a security association, the security association including the session identifier, an IP address of the notification sink, and a security protocol according to which the message is encrypted.

17. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- a step for drafting a message so as to ensure secure end-to-end notification between the notification source and the notification sink, including an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating, and wherein the drafted message is an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object and at least one PAP header, wherein the at least one PAP header includes a schema document specifying an address corresponding to the notification sink for facilitating point-to-point transmission of the drafted HTTP message, and the HTTP message further including clear-text supplemental information; and
  
  an act of initiating transmission of the HTTP message to the notification sink using the address of the notification sink and via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

18. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising:
- one or more computer-readable storage media having stored thereon computer executable instructions that, when executed by a processor, cause a computing system to perform the method for securely passing the notification, the method including;
  
  negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
  
  using the security information to generate an HTTP message after the security information has been negotiated, the HTTP message including an encrypted form of the notification, and the HTTP message being included within a PAP message containing an ESP object and at least one PAP header, the at least one PAP header including a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated HTTP message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and
  
  causing the HTTP message to be transmitted to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.
- View Dependent Claims (19, 20, 21)
- - 19. A computer program product in accordance with claim 18, wherein causing the HTTP message to be transmitted to the notification sink comprise the following:
    - causing the HTTP message to be transmitted to the server using a first protocol, wherein the server transmits the HTTP message to a wireless device using a second protocol.
  - 20. A computer program product in accordance with claim 19, wherein causing the HTTP message to be transmitted to the server using a first protocol comprise the following:
    - causing the HTTP message to be transmitted to a Push Proxy Gateway (PPG).
  - 21. A computer program product in accordance with claim 18, wherein negotiating security information between the notification source and the notification sink comprises the following:
    - establishing a secure session between the notification source and the notification sink.

22. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely receiving a notification from the notification source using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
  
  after the security information has been negotiated, an act of receiving an HTTP message from the notification source that was received via the at least one message transit point using the notification mechanism, wherein the HTTP message includes an encrypted form of the notification, the HTTP message being included in a PAP message with an ESP object and one or more PAP headers, wherein the one or more PAP headers includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the HTTP message, the HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using security information; and
  
  an act of using the security information previously negotiated between the notification source and notification sink along with the clear-text supplemental information included in the HTTP message to decrypt the encrypted form of the notification also included in the HTTP message.
- View Dependent Claims (23)
- - 23. A method in accordance with claim 22, wherein the act of receiving the HTTP message in the PAP message with the ESP object comprises the following:
    - an act of receiving the ESP object as a MIME attachment encoded with a Push Over-the-Air protocol message.

24. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely receiving a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising:
- one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by a processor, cause a computing system to perform the method for securely receiving the notification, the method including;
  
  negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
  
  detecting the receipt of an HTTP message from the notification source after negotiating the security information between the notification source and the notification sink, the HTTP message including an encrypted form of the notification, and the HTTP message including a PAP message containing an ESP object and at least one PAP header, wherein the at least one PAP header includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated HTTP message, the HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using security information, wherein the HTTP message is received via the at least one message transit point using the notification mechanism; and
  
  using the security information previously negotiated between the notification source and notification sink along with the clear-text supplemental information included in the HTTP message to decrypt the encrypted form of the notification also included in the HTTP message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Zhu, Yuhang, Kramer, Michael, Hammond, Bradley M., Butler, Lee M., Roberts, Paul, Cohen, Josh R.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Shaw; Yin-Chen

Application Number

US10/062,068
Publication Number

US 20030145229A1
Time in Patent Office

2,119 Days
Field of Search

713150-153, 713/161, 713170-171, 713/201, 713/168, 380/247, 380/255, 380/270, 380/278, 380/259, 380/33, 380/277, 709223-228, 709/246, 370352-356, 370/401, 370/278, 370/312, 455/411, 455/410, 726/2, 726/3
US Class Current

713/150
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 67/04   specially adapted for termi...

H04L 67/55   Push-based network services

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Secure end-to-end notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure end-to-end notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links