Avoiding server storage of client state
First Claim
1. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
- based on a local key that is not known to a client, encrypting client state information to produce encrypted information, wherein the client state information includes a secret key known only to the client and the server;
receiving the encrypted information from the client;
based on the local key, decrypting the encrypted information that was received from the client, thereby producing decrypted information; and
using the secret key, which was included in the decrypted information, to communicate securely with the client by encrypting data that is to be sent to the client.
1 Assignment
0 Petitions
Accused Products
Abstract
A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client'"'"'s state information. The client'"'"'s state information may include, for example, the client'"'"'s authentication credentials, the client'"'"'s authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client'"'"'s state information. When the server needs the client'"'"'s state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client'"'"'s own state information in encrypted form, the server does not need to store any client'"'"'s state information permanently.
23 Citations
28 Claims
-
1. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
-
based on a local key that is not known to a client, encrypting client state information to produce encrypted information, wherein the client state information includes a secret key known only to the client and the server; receiving the encrypted information from the client; based on the local key, decrypting the encrypted information that was received from the client, thereby producing decrypted information; and using the secret key, which was included in the decrypted information, to communicate securely with the client by encrypting data that is to be sent to the client. - View Dependent Claims (11, 12)
-
-
2. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
-
based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information; receiving, at a first time, from the first client, both the first encrypted information and a first request; based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information; determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and satisfying the first request only if the first request is authorized. - View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 13)
-
-
14. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
-
selecting a local key from among a plurality of keys that are not known to a client, wherein each key in the plurality of keys is associated with a different index value; calculating a first authentication code based on both client state information and the local key, wherein the client state information includes both authorization information and a value that uniquely identifies the client; based on the local key, encrypting the first authentication code, the client state information, and a first time value, thereby producing encrypted information; sending, to the client, both the encrypted information and a particular index value that is associated with the local key; receiving the encrypted information, the particular index value, and a request; based on a particular key that is associated with the particular index value, decrypting the received encrypted information, thereby producing decrypted information; calculating a second authentication code based on both the particular key and client state information that was included in the decrypted information; determining whether the second authentication code matches an authentication code that was included in the decrypted information; determining, based on both a current time value and a time value that was included in the decrypted information, whether the client state information has expired; determining, based on authorization information that was included in the decrypted information, whether a request indicated in the message is authorized; and satisfying the request only if the request is authorized, the second authentication code matches the authentication code that was included in the decrypted information, and the client state information that was included in the decrypted information has not expired.
-
-
15. A method of storing client state on a client, the method comprising the computer-implemented steps of:
-
storing encrypted client state information that was generated by encrypting, based on a general key, client state information; storing first encrypted key information that a first server generated by encrypting, based on a first local key that is associated with the first server, the general key; establishing an association between the first server and the first encrypted key information; storing second encrypted key information that a second server generated by encrypting, based on a second local key that is associated with the second server, the general key, wherein the second local key differs from the first local key, and wherein the second server differs from the first server; establishing an association between the second server and the second encrypted key information; sending, to the first server, both the encrypted client state information and the encrypted key information that is associated with the first server; and sending, to the second server, both the encrypted client state information and the encrypted key information that is associated with the second server; wherein the first local key is not known to the second server; and wherein the second local key is not known to the first server.
-
-
16. A computer-readable storage medium carrying one or more sequences of instructions for avoiding the storage of client state on a server, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
-
based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information; receiving, at a first time, from the first client, both the first encrypted information and a first request; based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information; determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and satisfying the first request only if the first request is authorized. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
-
-
28. An apparatus for avoiding the storage of client state on a server, comprising:
-
means for encrypting, based on a local key that is not known to a client, client state information to produce encrypted information, wherein the client state information includes authorization information; means for receiving, from the client, both the encrypted information and a request; means for decrypting, based on the local key, the encrypted information that was received from the client, thereby producing decrypted information; means for determining, based on authorization information that was included in the decrypted information, whether the request is authorized; and means for satisfying the request only if the request is authorized.
-
Specification