Secure end-to-end notification
First Claim
1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
- after the security information has been negotiated, an act of using the security information to generate an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object, wherein the PAP message has at least one PAP header, and wherein the at least one PAP header includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and
- an act of initiating transmission of the HTTP message to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.
2 Assignments
0 Petitions
Abstract
Providing secure end-to-end notifications from a notification source to a notification sink despite the notification mechanism including one or more message transit points between the notification source and the notification sink. Initially, security information (e.g., the master security, the cryptographic algorithm, and the like) is negotiated out-of-band from the one or more message transit points so that the message transit points are not apprised of the security information. When a designated event occurs, the notification source generates a push message that includes the notification encrypted using the pre-negotiated security information. When the notification sink receives the push message, the notification sink decrypts the notification using the pre-negotiated security information, as well as supplemental information provided in the push message. Thus, the message transit points only have access to the encrypted form of the notification.
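A worked model of the scheme the abstract and claim 1 describe, added here as an illustration; it is not code from the patent or from any product. Security information is negotiated over a direct source-to-sink path that the transit point never sees, the source then builds a push message whose HTTP body carries the encrypted notification plus clear-text supplemental information (a per-message nonce, key id and algorithm label), the transit point relays the message and records what it can observe, and the sink decrypts using the pre-negotiated secret together with that supplemental information. Everything concrete here is an assumption: the PAP message and its address header are modeled as a plain dictionary rather than the real PAP XML schema document, the sink address and key id are constructed values, the negotiation simply shares a random master secret where a deployment would run an authenticated key exchange, and because the page fixes no cipher, an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for a real AEAD such as AES-GCM.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

@dataclass
class SecurityInfo:
    # Constructed model of the negotiated security information: key id, master secret, cipher label.
    key_id: str
    master_secret: bytes
    # Hypothetical label: an HMAC-SHA256 keystream plus HMAC tag stands in for a real AEAD here.
    algorithm: str = "hmac-sha256-ctr+hmac-sha256"

def _subkey(sec: SecurityInfo, label: bytes) -> bytes:
    # Purpose-bound subkeys so encryption and authentication never share a key.
    return hmac.new(sec.master_secret, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block i = HMAC(enc_key, nonce || i). A nonce must never repeat under one key.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_notification(sec: SecurityInfo, nonce: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    ks = _keystream(_subkey(sec, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(sec, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag

def decrypt_notification(sec: SecurityInfo, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expected = hmac.new(_subkey(sec, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # authenticate before decrypting
        raise ValueError("notification failed authentication (altered in transit?)")
    ks = _keystream(_subkey(sec, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

class NotificationSink:
    def __init__(self, address: str):
        self.address = address  # constructed address value carried in the PAP header
        self.security: SecurityInfo | None = None

    def receive_push(self, pap_message: dict) -> str:
        http = pap_message["http_message"]
        supp = http["supplemental"]  # clear-text supplemental information
        if self.security is None or supp["key_id"] != self.security.key_id:
            raise ValueError("no negotiated security information for key id %r" % supp["key_id"])
        if supp["algorithm"] != self.security.algorithm:
            raise ValueError("algorithm does not match the negotiated security information")
        plaintext = decrypt_notification(self.security, bytes.fromhex(supp["nonce"]),
                                         bytes.fromhex(http["ciphertext"]), bytes.fromhex(http["tag"]))
        return plaintext.decode()

class NotificationSource:
    def __init__(self):
        self.security: SecurityInfo | None = None

    def generate_push_message(self, sink_address: str, notification: str) -> dict:
        assert self.security is not None, "negotiate security information before sending"
        nonce = secrets.token_bytes(16)  # fresh per message; travels in the clear
        ciphertext, tag = encrypt_notification(self.security, nonce, notification.encode())
        return {
            # PAP header naming the sink (a plain dict here, not the real PAP XML schema document)
            "pap_headers": {"address": {"address-value": sink_address}},
            # The HTTP message: encrypted notification plus clear-text supplemental information
            "http_message": {"ciphertext": ciphertext.hex(), "tag": tag.hex(),
                             "supplemental": {"nonce": nonce.hex(), "key_id": self.security.key_id,
                                              "algorithm": self.security.algorithm}}}

class TransitPoint:
    # Push gateway on the notification path: forwards messages and records what it can see.
    def __init__(self):
        self.observed: list[str] = []

    def relay(self, pap_message: dict, sink: NotificationSink) -> str:
        self.observed.append(json.dumps(pap_message))  # headers, ciphertext, nonce, key id only
        return sink.receive_push(pap_message)

def negotiate_out_of_band(source: NotificationSource, sink: NotificationSink) -> SecurityInfo:
    # Models the direct source<->sink connection that bypasses the transit point; a real
    # deployment would run an authenticated key exchange here instead of sharing a random secret.
    sec = SecurityInfo(key_id="key-1", master_secret=secrets.token_bytes(32))
    source.security = sink.security = sec
    return sec

def end_to_end(notification: str, tamper: bool = False) -> tuple[str | None, list[str]]:
    # Push one notification through the transit point; returns (decrypted text, or None if the
    # sink rejected it, and what the transit point observed). tamper=True flips one ciphertext bit.
    source, sink, transit = NotificationSource(), NotificationSink("sink@example.invalid"), TransitPoint()
    negotiate_out_of_band(source, sink)
    msg = source.generate_push_message(sink.address, notification)
    if tamper:
        raw = bytearray.fromhex(msg["http_message"]["ciphertext"])
        raw[0] ^= 0x01
        msg["http_message"]["ciphertext"] = raw.hex()
    try:
        return transit.relay(msg, sink), transit.observed
    except ValueError:
        return None, transit.observed
```

Calling `end_to_end("Build 42 failed")` returns the decrypted text and the transit point's record, which contains only the address header, hex ciphertext, tag, nonce, key id and algorithm label; with `tamper=True` the sink's tag check fails and the notification is discarded, which is why the tag is verified before any decryption is attempted.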
33 Citations
26 Claims
1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
- after the security information has been negotiated, an act of using the security information to generate an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object, wherein the PAP message has at least one PAP header, and wherein the at least one PAP header includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and
- an act of initiating transmission of the HTTP message to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 25, 26.

17. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- a step for drafting a message so as to ensure secure end-to-end notification between the notification source and the notification sink, including an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating, and wherein the drafted message is an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object and at least one PAP header, wherein the at least one PAP header includes a schema document specifying an address corresponding to the notification sink for facilitating point-to-point transmission of the drafted HTTP message, and the HTTP message further including clear-text supplemental information; and
- an act of initiating transmission of the HTTP message to the notification sink using the address of the notification sink and via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

18. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising:
one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by a processor, cause a computing system to perform the method for securely passing the notification, the method including:
- negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
- using the security information to generate an HTTP message after the security information has been negotiated, the HTTP message including an encrypted form of the notification, and the HTTP message being included within a PAP message containing an ESP object and at least one PAP header, the at least one PAP header including a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated HTTP message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and
- causing the HTTP message to be transmitted to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

Dependent claims: 19, 20, 21.

22. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely receiving a notification from the notification source using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following:
- an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
- after the security information has been negotiated, an act of receiving an HTTP message from the notification source that was received via the at least one message transit point using the notification mechanism, wherein the HTTP message includes an encrypted form of the notification, the HTTP message being included in a PAP message with an ESP object and one or more PAP headers, wherein the one or more PAP headers includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the HTTP message, the HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using security information; and
- an act of using the security information previously negotiated between the notification source and notification sink along with the clear-text supplemental information included in the HTTP message to decrypt the encrypted form of the notification also included in the HTTP message.

Dependent claims: 23.

24. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely receiving a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising:
one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by a processor, cause a computing system to perform the method for securely receiving the notification, the method including:
- negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating;
- detecting the receipt of an HTTP message from the notification source after negotiating the security information between the notification source and the notification sink, the HTTP message including an encrypted form of the notification, and the HTTP message including a PAP message containing an ESP object and at least one PAP header, wherein the at least one PAP header includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated HTTP message, the HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using security information, wherein the HTTP message is received via the at least one message transit point using the notification mechanism; and
- using the security information previously negotiated between the notification source and notification sink along with the clear-text supplemental information included in the HTTP message to decrypt the encrypted form of the notification also included in the HTTP message.

Specification