Authenticating peer-to-peer connections

US 7,386,878 B2
Filed: 08/14/2002
Issued: 06/10/2008
Est. Priority Date: 08/14/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of establishing and authenticating a peer-to-peer connection between at least two client components, said client components each having an authenticated connection to a server, said method comprising:

exchanging through the server a shared key between the client components via the authenticated connections to the server;

establishing a peer-to-peer connection between the client components, said peer-to-peer connection excluding the server;

exchanging said shared key between the client components via the established, peer-to-peer connection;

comparing said shared key exchanged via the peer-to-peer connection with said shared key exchanged via the authenticated connection to the server, wherein a firstone of the client components authenticates a second one of the client components responsive to said comparing by verifying that said shared key exchanged via the peer-to-peer connection corresponds to said shared key exchanged via the authenticated connections to the server,encrypting, by the second one of the client components, a first message using the shared key;

transmitting the encrypted first message from the second one of the client components to the first one of the client components via the peer-to-peer connection, wherein the first one of the client components decrypts the received encrypted message using the shared key to create a second message;

receiving, by the second one of the client components, the decrypted second message from the first one of the client components via the peer-to-peer connection; and

comparing, by the second one of the client components, the first message with the second message to confirm that the first one of the client components possesses the shared key to thereby authenticate the first one of the client components.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods employing authenticated connections to a central server to establish and authenticate a peer-to-peer connection between peer devices. The invention circumvents the potential vulnerability of clear-text transmission of secrets through a series of encrypted data transfers. A secret key is encrypted and then transmitted from one peer device to another using authenticated connections to the server. The secret key is then used to transmit encrypted data over a peer connection between the peer devices for the purpose of authenticating the peer devices on each end of the connection.

Citations

51 Claims

1. A method of establishing and authenticating a peer-to-peer connection between at least two client components, said client components each having an authenticated connection to a server, said method comprising:
- exchanging through the server a shared key between the client components via the authenticated connections to the server;
  
  establishing a peer-to-peer connection between the client components, said peer-to-peer connection excluding the server;
  
  exchanging said shared key between the client components via the established, peer-to-peer connection;
  
  comparing said shared key exchanged via the peer-to-peer connection with said shared key exchanged via the authenticated connection to the server, wherein a firstone of the client components authenticates a second one of the client components responsive to said comparing by verifying that said shared key exchanged via the peer-to-peer connection corresponds to said shared key exchanged via the authenticated connections to the server,encrypting, by the second one of the client components, a first message using the shared key;
  
  transmitting the encrypted first message from the second one of the client components to the first one of the client components via the peer-to-peer connection, wherein the first one of the client components decrypts the received encrypted message using the shared key to create a second message;
  
  receiving, by the second one of the client components, the decrypted second message from the first one of the client components via the peer-to-peer connection; and
  
  comparing, by the second one of the client components, the first message with the second message to confirm that the first one of the client components possesses the shared key to thereby authenticate the first one of the client components.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein exchanging a shared key between the client components via the server comprises exchanging a shared key in encrypted form between the client components via the server.
  - 3. The method of claim 1, wherein exchanging a shared key between the client components via the server comprises exchanging a shared key between the client components via the authenticated connection with the server.
  - 4. The method of claim 1, wherein exchanging the shared key between the client components via the established, peer-to-peer connection comprises exchanging the shared key in encrypted form between the client components via the established, peer-to-peer connection.
  - 5. The method of claim 1, wherein the shared key comprises a randomly-generated, single-use session key.
  - 6. The method of claim 1, further comprising:
    - receiving a message in encrypted form from one of the client components via said peer-to-peer connection;
      
      decrypting the received message using the shared key; and
      
      transmitting the decrypted message to said one of the client components.
  - 7. The method of claim 1, wherein said establishing comprises:
    - transmitting a request for an identifier associated with said one of the client components to the server; and
      
      receiving the requested identifier from the server; and
      
      establishing the peer-to-peer connection with said one of the client components using the received identifier.
  - 8. The method of claim 7, wherein said identifier comprises a network address.
  - 9. The method of claim 8, wherein said identifier further comprises a communication port.
  - 10. The method of claim 1, wherein said establishing comprises:
    - receiving, from one of said client components via the authenticated connection to the server, a request to establish a peer-to-peer connection; and
      
      opening a communication port in response to the received request.
  - 11. The method of claim 10, wherein opening comprises randomly determining the communication port to open.
  - 12. The method of claim 10, further comprising closing the opened communication port if one or more rogue applications are attempting to connect on the opened communication port.
  - 13. The method of claim 10, wherein said establishing comprises establishing a plurality of peer-to-peer connections between a plurality of client components via the opened communication port, and wherein said shared key identifies each of the established connections.
  - 14. The method of claim 1, wherein said establishing comprises:
    - attempting to connect with one of the client components; and
      
      if said attempting fails, waiting for a preset time period for said one of the client components to initiate establishing the peer-to-peer connection.
  - 15. The method of claim 1, wherein said establishing comprises storing the shared key in memory for a preset time period.
  - 16. The method of claim 1, further comprising randomly generating the shared key in a cryptographic manner in response to a request to establish a peer-to-peer connection between the client components.
  - 17. The method of claim 1, wherein the shared key is a shared secret session key.
  - 18. The method of claim 1, further comprising:
    - encrypting data with the shared key; and
      
      transferring the encrypted data between the client components via the authenticated, peer-to-peer connection.
  - 19. The method of claim 1, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 1.

20. A method of establishing and authenticating a peer connection between a first device and a second device, the first device and the second device having authenticated connections to a server, said method comprising:
- enabling the first device and the second device to exchange, through the server, a shared key in encrypted form via the authenticated connections to the server;
  
  receiving, via the authenticated connections to the server, a request from the first device for an identifier associated with the second device;
  
  transmitting, via the authenticated connections to the server, the requested identifier to the first device, wherein the first device and the second device establish the peer connection based on the identifier, said peer connection excluding the server;
  
  enabling the first device and the second device to exchange said shared key in encrypted form via the established, peer connection;
  
  comparing said shared key exchanged via the peer connection with said shared key exchanged via the authenticated connections to the server;
  
  enabling the first device and the second device to authenticate each other responsive to said comparing by verifying, by the first device and the second device, that said shared key exchanged via the peer connection corresponds to said shared key exchanged via the authenticated connections to the server, wherein the first device encrypts a first message using the shared key and transmits the encrypted first message to the second device via the peer-to-peer connection, wherein the second device decrypts the first message using the shared key to create a second message and transmits the second message to the first device via the peer-to-peer connection to enable the first device to confirm that the second device possesses the shared key to thereby authenticate the second device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The method of claim 20, wherein said receiving comprises receiving a request from the first device for a network identifier associated with the second device.
  - 22. The method of claim 20, wherein said enabling the first device and the second device to exchange the shared key comprises:
    - receiving the shared key in encrypted form from the first device via the authenticated connections; and
      
      transmitting the received shared key in encrypted form to the second device via the authenticated connections.
  - 23. The method of claim 20, wherein said enabling the first device and the second device to exchange the shared key comprises:
    - receiving the shared key in encrypted form from the second device via the authenticated connections; and
      
      transmitting the received shared key in encrypted form to the first device via the authenticated connections.
  - 24. The method of claim 20, wherein the shared key comprises a randomly-generated, single-use cryptographic session key.
  - 25. The method of claim 20, wherein the shared key is randomly generated in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 26. The method of claim 20, wherein the server is an instant messaging server, and the first device and the second device are instant messaging clients.
  - 27. The method of claim 20, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 20.

28. One or more computer storage media having computer-executable components comprising:
- a server component;
  
  one or more client components, wherein each of the client components has a authenticated connection to the server component, and wherein the server component interacts with each of the client components via the authenticated connection to establish a peer connection between one or more of the client components, said established peer connection excluding the server; and
  
  at least one communicative application program associated with a first one of the client components, said communicative application program configured to interface with said first one of the client components to transmit through the server component a shared key in encrypted form from said first one of the client components to a second one of the client components via said authenticated connection to the server component, and said communicative application program configured to establish the peer connection between the first one of the client components and the second one of the client components using said shared key, said communicative application program further configured to interface with said first one of the client components to transmit said shared key in encrypted form from said first one of the client components to said second one of the client components via said established peer connection, wherein said second one of the client components receives said shared key transmitted from said first one of the client components and further transmits the received shared key back to said first one of the client components via said established peer connection, wherein said communicative application program is configured to interface with said first one of the client components to receive said shared key from said second one of the client components via the established peer connection and to compare said shared key received from said second one of the client components via said established peer connection with said shared key transmitted from said first one of the client components to said second one of the client components via said authenticated connection to the server component, wherein the communicative application program then authenticates said second one of the client components responsive to the comparison by verifying that said shared key received from said second one of the client components via said established peer connection corresponds to said shared key transmitted from said first one of the client components to said second one of the client components via said authenticated connections to the server component;
  
  wherein the first one of the client components encrypts a first message using the shared key and transmits the encrypted first message to the second one of the client components via the peer connection, wherein the second one of the client components decrypts the first message using the shared key to create a second message and transmits the second message to the first one of the client components via the peer connection to enable the first one of the client components to confirm that the second one of the client components possesses the shared key to thereby authenticate the second one of the client components.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The computer storage media of claim 28, wherein the server component and the client components implement instant messaging.
  - 30. The computer storage media of claim 28, wherein the shared key comprises a randomly-generated, single-use session key.
  - 31. The computer storage media of claim 28, wherein the shared key is randomly generated in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 32. The computer storage media of claim 28, wherein said server component is one of a plurality of server components, and further comprising a security component connected to the plurality of server components via one or more authenticated and encrypted connections for authenticating the client components.

33. A method of securing information between a first device and a second device, the method comprising:
- establishing authenticated connections to a server from the first device and from the second device, wherein the first device encryptsa shared key using a public key associated with the second device and transmitssaid shared key as encrypted using the public key associated with the second device to the server via said authenticated connection and from the server to the second device via said authenticated connection;
  
  decrypting, in the second device, said shared key received from the first device;
  
  establishing a peer connection between the first device and the second device, said peer connection excluding the server;
  
  encrypting, in the second device, said shared key received from the first device using a public key associated with the first device;
  
  transmitting said shared key as encrypted using the public key associated with the first device from the second device to the first device via said peer connection, wherein the first device decryptssaid shared key received from the second device; and
  
  confirms that said shared key received from the second device via said peer connection is the same as said shared key transmitted to the second device via said authenticated connections to the server to thereby authenticate the second device; and
  
  encrypting, by the second device, a first message using the shared key;
  
  transmitting the encrypted first message from the second device to the first device via the peer connection, wherein the first device decrypts the received encrypted message using the shared key to create a second message;
  
  receiving, by the second device, the decrypted second message from the first device via the peer connection; and
  
  comparing, by the second device, the first message with the second message to confirm that the first device possesses the shared key to thereby authenticate the first device.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. The method of claim 33 further comprising transmitting the public key associated with the second device from the second device to the first device via said authenticated connections to the server.
  - 35. The method of claim 33 further comprising transmitting the public key associated with the first device from the first device to the second device via said authenticated connections to the server.
  - 36. The method of claim 33 further comprising generating the shared key in the first device.
  - 37. The method of claim 36 wherein generating comprises generating a shared key unique to said peer connection.
  - 38. The method of claim 36, wherein generating comprises randomly generating the shared key in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 39. The method of claim 33, wherein establishing a peer connection includes transmitting communication port information from the first device to the second device, and using said communication port information in the second device to establish the peer connection with the first device.
  - 40. The method of claim 33, wherein the shared key comprises a randomly-generated, single-use cryptographic session key.
  - 41. The method of claim 33, wherein the server is an instant messaging server, and the first device and the second device are instant messaging clients.
  - 42. The method of claim 33, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 33.

43. A method of securing information between a first device and a second device, the method comprising:
- establishing authenticated connections to a server from the first device and from the second device;
  
  encrypting, in the first device, a shared key using a public key associated with the second device;
  
  transmitting said shared key as encrypted using the public key associated with the second device from the first device to the common server via said authenticated connection and from the common server to the second device via said authenticated connection, wherein the second device decryptssaid shared key received from the first device;
  
  establishing a peer connection between the first device and the second device, said peer connection excluding the common server;
  
  transmitting said shared key as encrypted using the public key associated with the second device from the first device to the second device via said peer connection, wherein the second device decryptssaid shared key received from the first device via said peer connection, wherein the second device confirmsthat said shared key received from the first device via said peer connection is the same as said shared key received from the first device via said authenticated connections to the server to thereby authenticate the first device;
  
  encrypting, by the first device, a first message using the shared key;
  
  transmitting the encrypted first message from the first device to the second device via the peer connection, wherein the second device decrypts the received encrypted message using the shared key to create a second message;
  
  receiving, by the first device, the decrypted second message from the second device via the peer connection; and
  
  comparing, by the first device, the first message with the second message to confirm that the second device possesses the shared key to thereby authenticate the second device.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
- - 44. The method of claim 43 further comprising transmitting the public key associated with the second device from the second device to the first device via said authenticated connections to the server.
  - 45. The method of claim 43 further comprising generating the shared key in the first device.
  - 46. The method of claim 45 wherein generating comprises generating a shared key unique to said peer connection.
  - 47. The method of claim 45, wherein generating comprises randomly generating the shared key in a cryptographic manner in response to a request to establish a peer-to-peer connection between the first device and the second device.
  - 48. The method of claim 43 wherein establishing a peer connection includes transmitting communication port information from the first device to the second device, and using said communication port information in the second device to establish the peer connection with the first device.
  - 49. The method of claim 43, wherein the shared key comprises a randomly-generated, single-use cryptographic session key.
  - 50. The method of claim 43, wherein the server is an instant messaging server, and the first device and the second device are instant messaging clients.
  - 51. The method of claim 43, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 46.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shah, Mehul Y., Fernando, Joseph P.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US10/218,877
Publication Number

US 20040034776A1
Time in Patent Office

2,127 Days
Field of Search

726 2- 4, 726/12, 726/17, 726/21, 726/27, 726/30, 713/161, 713/170, 713/171, 709/203, 709/232, 709223-225, 709227-228, 380228-229, 380/232, 380/277, 380/282, 380/285, 380/30
US Class Current

726/3
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 69/329   in the application layer [O...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0827   involving distinctive inter...

H04L 9/0869   involving random numbers or...

H04L 9/321   involving a third party or ...

Authenticating peer-to-peer connections

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating peer-to-peer connections

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links