Avoiding server storage of client state

US 7,373,502 B2
Filed: 01/12/2004
Issued: 05/13/2008
Est. Priority Date: 01/12/2004
Status: Active Grant

First Claim

Patent Images

1. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:

based on a local key that is not known to a client, encrypting client state information to produce encrypted information, wherein the client state information includes a secret key known only to the client and the server;

receiving the encrypted information from the client;

based on the local key, decrypting the encrypted information that was received from the client, thereby producing decrypted information; and

using the secret key, which was included in the decrypted information, to communicate securely with the client by encrypting data that is to be sent to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client'"'"'s state information. The client'"'"'s state information may include, for example, the client'"'"'s authentication credentials, the client'"'"'s authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client'"'"'s state information. When the server needs the client'"'"'s state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client'"'"'s own state information in encrypted form, the server does not need to store any client'"'"'s state information permanently.

23 Citations

View as Search Results

28 Claims

1. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
- based on a local key that is not known to a client, encrypting client state information to produce encrypted information, wherein the client state information includes a secret key known only to the client and the server;
  
  receiving the encrypted information from the client;
  
  based on the local key, decrypting the encrypted information that was received from the client, thereby producing decrypted information; and
  
  using the secret key, which was included in the decrypted information, to communicate securely with the client by encrypting data that is to be sent to the client.
- View Dependent Claims (11, 12)
- - 11. A method as recited in claim 1, further comprising the steps of:
    - selecting the local key from among a plurality of keys, wherein each key in the plurality of keys is associated with a different index value; and
      
      sending, to the first client, an index value that is associated with the local key.
  - 12. A method as recited in claim 11, further comprising the steps of:
    - receiving, from the first client, the index value that is associated with the local key;
      
      wherein the step of decrypting the first encrypted information comprises the step of decrypting the first encrypted information based on a key that is associated with an index value that was received from the first client.

2. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
- based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information;
  
  receiving, at a first time, from the first client, both the first encrypted information and a first request;
  
  based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information;
  
  determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and
  
  satisfying the first request only if the first request is authorized.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 13)
- - 3. A method as recited in claim 2, further comprising the steps of:
    - removing the first client state information from memory before the first time; and
      
      removing the first encrypted information from memory before the first time.
  - 4. A method as recited in claim 2, further comprising the steps of:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from authorization information that was included in the first client state information;
      
      sending the second encrypted information to the first client;
      
      receiving, from the first client, both the second encrypted information and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the first client, thereby producing second decrypted information;
      
      determining, based on authorization information that was included in the second decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.
  - 5. A method as recited in claim 2, further comprising the steps of:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from authorization information that was included in the first client state information;
      
      sending the second encrypted information to the first client;
      
      receiving, at a second time, from the first client, the first encrypted information, the second encrypted information, and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the first client, thereby producing second decrypted information;
      
      based on the local key, decrypting the first encrypted information that was received from the first client at the second time, thereby producing third decrypted information;
      
      determining, based on both authorization information that was included in the second decrypted information and authorization information that was included in the third decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.
  - 6. A method as recited in claim 2, further comprising the steps of:
    - before sending the first encrypted information to the first client, calculating a first authentication code based on both the local key and the first client state information; and
      
      sending the first encrypted information and the first authentication code to the first client.
  - 7. A method as recited in claim 6, further comprising the steps of:
    - after decrypting the first encrypted information that was received from the first client, calculating a second authentication code based on both the local key and client state information that was included in the first decrypted information; and
      
      determining whether the second authentication code matches an authentication code that was included in the first decrypted information.
  - 8. A method as recited in claim 7, wherein the first client state information includes a value that uniquely identifies the first client.
  - 9. A method as recited in claim 2, further comprising the steps of:
    - before sending the first encrypted information to the first client, encrypting a first time value along with the first client state information to produce the first encrypted information.
  - 10. A method as recited in claim 9, further comprising the steps of:
    - after decrypting the first encrypted information that was received from the first client, determining, based on both a second time value and a time value that was included in the first decrypted information, whether the first client state information has expired.
  - 13. A method as recited in claim 2, further comprising the steps of:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from the authorization information included in the first client state information, and wherein the local key is not known to a second client that differs from the first client;
      
      sending the second encrypted information to the second client;
      
      receiving, from the second client, both the second encrypted information and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the second client, thereby producing second decrypted information;
      
      determining, based on authorization information that was included in the second decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.

14. A method of avoiding the storage of client state on a server, the method comprising the computer-implemented steps of:
- selecting a local key from among a plurality of keys that are not known to a client, wherein each key in the plurality of keys is associated with a different index value;
  
  calculating a first authentication code based on both client state information and the local key, wherein the client state information includes both authorization information and a value that uniquely identifies the client;
  
  based on the local key, encrypting the first authentication code, the client state information, and a first time value, thereby producing encrypted information;
  
  sending, to the client, both the encrypted information and a particular index value that is associated with the local key;
  
  receiving the encrypted information, the particular index value, and a request;
  
  based on a particular key that is associated with the particular index value, decrypting the received encrypted information, thereby producing decrypted information;
  
  calculating a second authentication code based on both the particular key and client state information that was included in the decrypted information;
  
  determining whether the second authentication code matches an authentication code that was included in the decrypted information;
  
  determining, based on both a current time value and a time value that was included in the decrypted information, whether the client state information has expired;
  
  determining, based on authorization information that was included in the decrypted information, whether a request indicated in the message is authorized; and
  
  satisfying the request only if the request is authorized, the second authentication code matches the authentication code that was included in the decrypted information, and the client state information that was included in the decrypted information has not expired.

15. A method of storing client state on a client, the method comprising the computer-implemented steps of:
- storing encrypted client state information that was generated by encrypting, based on a general key, client state information;
  
  storing first encrypted key information that a first server generated by encrypting, based on a first local key that is associated with the first server, the general key;
  
  establishing an association between the first server and the first encrypted key information;
  
  storing second encrypted key information that a second server generated by encrypting, based on a second local key that is associated with the second server, the general key, wherein the second local key differs from the first local key, and wherein the second server differs from the first server;
  
  establishing an association between the second server and the second encrypted key information;
  
  sending, to the first server, both the encrypted client state information and the encrypted key information that is associated with the first server; and
  
  sending, to the second server, both the encrypted client state information and the encrypted key information that is associated with the second server;
  
  wherein the first local key is not known to the second server; and
  
  wherein the second local key is not known to the first server.

16. A computer-readable storage medium carrying one or more sequences of instructions for avoiding the storage of client state on a server, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information;
  
  receiving, at a first time, from the first client, both the first encrypted information and a first request;
  
  based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information;
  
  determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and
  
  satisfying the first request only if the first request is authorized.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - removing the first client state information from memory before the first time; and
      
      removing the first encrypted information from memory before the first time.
  - 18. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from authorization information that was included in the first client state information;
      
      sending the second encrypted information to the first client;
      
      receiving, from the first client, both the second encrypted information and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the first client, thereby producing second decrypted information;
      
      determining, based on authorization information that was included in the second decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.
  - 19. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from authorization information that was included in the first client state information;
      
      sending the second encrypted information to the first client;
      
      receiving, at a second time, from the first client, the first encrypted information, the second encrypted information, and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the first client, thereby producing second decrypted information;
      
      based on the local key, decrypting the first encrypted information that was received from the first client at the second time, thereby producing third decrypted information;
      
      determining, based on both authorization information that was included in the second decrypted information and authorization information that was included in the third decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.
  - 20. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - before sending the first encrypted information to the first client, calculating a first authentication code based on both the local key and the first client state information; and
      
      sending the first encrypted information and the first authentication code to the first client.
  - 21. A computer-readable storage medium as recited in claim 20, further comprising instructions for performing the steps of:
    - after decrypting the first encrypted information that was received from the first client, calculating a second authentication code based on both the local key and client state information that was included in the first decrypted information; and
      
      determining whether the second authentication code matches an authentication code that was included in the first decrypted information.
  - 22. A computer-readable storage medium as recited in claim 21, wherein the first client state information includes a value that uniquely identifies the first client.
  - 23. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - before sending the first encrypted information to the first client, encrypting a first time value along with the first client state information to produce the first encrypted information.
  - 24. A computer-readable storage medium as recited in claim 23, further comprising instructions for performing the steps of:
    - after decrypting the first encrypted information that was received from the first client, determining, based on both a second time value and a time value that was included in the first decrypted information, whether the first client state information has expired.
  - 25. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - selecting the local key from among a plurality of keys, wherein each key in the plurality of keys is associated with a different index value; and
      
      sending, to the first client, an index value that is associated with the local key.
  - 26. A computer-readable storage medium as recited in claim 25, further comprising instructions for performing the steps of:
    - receiving, from the first client, the index value that is associated with the local key;
      
      wherein the step of decrypting the first encrypted information comprises the step of decrypting the first encrypted information based on a key that is associated with an index value that was received from the first client.
  - 27. A computer-readable storage medium as recited in claim 16, further comprising instructions for performing the steps of:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from the authorization information included in the first client state information, and wherein the local key is not known to a second client that differs from the first client;
      
      sending the second encrypted information to the second client;
      
      receiving, from the second client, both the second encrypted information and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the second client, thereby producing second decrypted information;
      
      determining, based on authorization information that was included in the second decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.

28. An apparatus for avoiding the storage of client state on a server, comprising:
- means for encrypting, based on a local key that is not known to a client, client state information to produce encrypted information, wherein the client state information includes authorization information;
  
  means for receiving, from the client, both the encrypted information and a request;
  
  means for decrypting, based on the local key, the encrypted information that was received from the client, thereby producing decrypted information;
  
  means for determining, based on authorization information that was included in the decrypted information, whether the request is authorized; and
  
  means for satisfying the request only if the request is authorized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McGrew, David A.
Primary Examiner(s)
Jung; David

Application Number

US10/756,633
Publication Number

US 20050154872A1
Time in Patent Office

1,583 Days
Field of Search

713/155, 713/153, 713/150, 713/151
US Class Current

713/155
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0435   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/02   based on web technology, e....

H04L 67/142   Managing session states for...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/14   using a plurality of keys o...

H04L 9/3226   using a predetermined code,...

Y10S 707/99942   Manipulating data structure...

Y10S 707/99943   Generating database or data...

Avoiding server storage of client state

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Avoiding server storage of client state

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links