Avoiding server storage of client state

US 7,493,331 B2
Filed: 03/21/2007
Issued: 02/17/2009
Est. Priority Date: 01/12/2004
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus, comprising:

a network interface that is coupled to a data network for receiving or transmitting one or more packet flows;

a processor coupled to the network interface;

one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;

based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information;

receiving, at a first time, from the first client, both the first encrypted information and a first request;

based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information;

determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and

satisfying the first request only if the first request is authorized;

wherein the apparatus is a first computer and wherein the first client is implemented by a second computer and is communicatively coupled with the first computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client'"'"'s state information. The client'"'"'s state information may include, for example, the client'"'"'s authentication credentials, the client'"'"'s authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client'"'"'s state information. When the server needs the client'"'"'s state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client'"'"'s own state information in encrypted form, the server does not need to store any client'"'"'s state information permanently.

Citations

30 Claims

1. An apparatus, comprising:
- a network interface that is coupled to a data network for receiving or transmitting one or more packet flows;
  
  a processor coupled to the network interface;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;
  
  based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information;
  
  receiving, at a first time, from the first client, both the first encrypted information and a first request;
  
  based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information;
  
  determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and
  
  satisfying the first request only if the first request is authorized;
  
  wherein the apparatus is a first computer and wherein the first client is implemented by a second computer and is communicatively coupled with the first computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. An apparatus as recited in claim 1, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - removing the first client state information from memory before the first time; and
      
      removing the first encrypted information from memory before the first time.
  - 3. An apparatus as recited in claim 1, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from authorization information that was included in the first client state information;
      
      sending the second encrypted information to the first client;
      
      receiving, from the first client, both the second encrypted information and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the first client, thereby producing second decrypted information;
      
      determining, based on authorization information that was included in the second decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.
  - 4. An apparatus as recited in claim 1, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from authorization information that was included in the first client state information;
      
      sending the second encrypted information to the first client;
      
      receiving, at a second time, from the first client, the first encrypted information, the second encrypted information, and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the first client, thereby producing second decrypted information;
      
      based on the local key, decrypting the first encrypted information that was received from the first client at the second time, thereby producing third decrypted information;
      
      determining, based on both authorization information that was included in the second decrypted information and authorization information that was included in the third decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.
  - 5. An apparatus as recited in claim 1, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - before sending the first encrypted information to the first client, calculating a first authentication code based on both the local key and the first client state information; and
      
      sending the first encrypted information and the first authentication code to the first client.
  - 6. An apparatus as recited in claim 5, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - after decrypting the first encrypted information that was received from the first client, calculating a second authentication code based on both the local key and client state information that was included in the first decrypted information; and
      
      determining whether the second authentication code matches an authentication code that was included in the first decrypted information.
  - 7. An apparatus as recited in claim 6, wherein the first client state information includes a value that uniquely identifies the first client.
  - 8. An apparatus as recited in claim 1, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - before sending the first encrypted information to the first client, encrypting a first time value along with the first client state information to produce the first encrypted information.
  - 9. An apparatus as recited in claim 8, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - after decrypting the first encrypted information that was received from the first client, determining, based on both a second time value and a time value that was included in the first decrypted information, whether the first client state information has expired.
  - 10. An apparatus as recited in claim 9, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - selecting the local key from among a plurality of keys, wherein each key in the plurality of keys is associated with a different index value; and
      
      sending, to the first client, an index value that is associated with the local key.
  - 11. An apparatus as recited in claim 10, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - receiving, from the first client, the index value that is associated with the local key; and
      
      decrypting the first encrypted information based on a key that is associated with an index value that was received from the first client.
  - 12. An apparatus as recited in claim 1, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - based on the local key, encrypting second client state information to produce second encrypted information, wherein the second client state information includes authorization information that differs from the authorization information included in the first client state information, and wherein the local key is not known to a second client that differs from the first client;
      
      sending the second encrypted information to the second client;
      
      receiving, from the second client, both the second encrypted information and a second request;
      
      based on the local key, decrypting the second encrypted information that was received from the second client, thereby producing second decrypted information;
      
      determining, based on authorization information that was included in the second decrypted information, whether the second request is authorized; and
      
      satisfying the second request only if the second request is authorized.

13. An apparatus, comprising:
- a network interface that is coupled to a data network for receiving or transmitting one or more packet flows;
  
  a processor coupled to the network interface;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;
  
  receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client;
  
  sending, at a second time, to the first server, both the first encrypted information and a first request; and
  
  receiving, at a third time, from the first server, a first response to the first request;
  
  wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
- View Dependent Claims (14, 15, 16, 17)
- - 14. An apparatus as recited in claim 13, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - storing the first encrypted information to memory after the first time; and
      
      retrieving the first encrypted information from memory before the second time.
  - 15. An apparatus as recited in claim 13, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - receiving, at a fourth time, from a second server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization informationsending, at a fifth time, to the second server, both the second encrypted information and a second request; and
      
      receiving, at a sixth time, from the second server, a second response to the second request.
  - 16. An apparatus as recited in claim 13, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to perform:
    - receiving, at a fourth time, from a first server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization information that differs from the first authorization information that was included in the first client state information;
      
      sending, at a fifth time, to the first server, both the second encrypted information and a second request; and
      
      receiving, at a sixth time, from the first server, a second response to the second request.
  - 17. An apparatus as recited in claim 13, wherein the first client state information includes first authorization information.

18. A volatile or non-volatile computer-readable medium storing one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client;
  
  sending, at a second time, to the first server, both the first encrypted information and a first request; and
  
  receiving, at a third time, from the first server, a first response to the first request;
  
  wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
- View Dependent Claims (19, 20, 21, 22)
- - 19. A volatile or non-volatile computer-readable medium as recited in claim 18, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of:
    - storing the first encrypted information to memory after the first time; and
      
      retrieving the first encrypted information from memory before the second time.
  - 20. A volatile or non-volatile computer-readable medium as recited in claim 18, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of:
    - receiving, at a fourth time, from a second server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization informationsending, at a fifth time, to the second server, both the second encrypted information and a second request; and
      
      receiving, at a sixth time, from the second server, a second response to the second request.
  - 21. A volatile or non-volatile computer-readable medium as recited in claim 18, wherein the sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of:
    - receiving, at a fourth time, from a first server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization information that differs from the first authorization information that was included in the first client state information;
      
      sending, at a fifth time, to the first server, both the second encrypted information and a second request; and
      
      receiving, at a sixth time, from the first server, a second response to the second request.
  - 22. A volatile or non-volatile computer-readable medium as recited in claim 18, wherein the first client state information includes first authorization information.

23. A method, comprising:
- receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client, and wherein the first client state information includes first authorization information;
  
  sending, at a second time, to the first server, both the first encrypted information and a first request; and
  
  receiving, at a third time, from the first server, a first response to the first request;
  
  wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
- View Dependent Claims (24, 25, 26)
- - 24. A method as recited in claim 23, further comprising:
    - storing the first encrypted information to memory after the first time; and
      
      retrieving the first encrypted information from memory before the second time.
  - 25. A method as recited in claim 23, further comprising:
    - receiving, at a fourth time, from a second server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization informationsending, at a fifth time, to the second server, both the second encrypted information and a second request; and
      
      receiving, at a sixth time, from the second server, a second response to the second request.
  - 26. A method as recited in claim 23, further comprising:
    - receiving, at a fourth time, from a first server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization information that differs from the first authorization information that was included in the first client state information;
      
      sending, at a fifth time, to the first server, both the second encrypted information and a second request; and
      
      receiving, at a sixth time, from the first server, a second response to the second request.

27. An apparatus, comprising:
- means for receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client, and wherein the first client state information includes first authorization information;
  
  means for sending, at a second time, to the first server, both the first encrypted information and a first request; and
  
  means for receiving, at a third time, from the first server, a first response to the first request;
  
  wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
- View Dependent Claims (28, 29, 30)
- - 28. An apparatus as recited in claim 27, further comprising:
    - means for storing the first encrypted information to memory after the first time; and
      
      means for retrieving the first encrypted information from memory before the second time.
  - 29. An apparatus as recited in claim 27, further comprising:
    - means for receiving, at a fourth time, from a second server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization informationmeans for sending, at a fifth time, to the second server, both the second encrypted information and a second request; and
      
      means for receiving, at a sixth time, from the second server, a second response to the second request.
  - 30. An apparatus as recited in claim 27, further comprising:
    - means for receiving, at a fourth time, from a first server, second encrypted information, wherein the second encrypted information is produced by encrypting second client state information based on a second key that is not known to the client, and wherein the second client state information includes second authorization information that differs from the first authorization information that was included in the first client state information;
      
      means for sending, at a fifth time, to the first server, both the second encrypted information and a second request; and
      
      means for receiving, at a sixth time, from the first server, a second response to the second request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McGrew, David A.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US11/726,671
Publication Number

US 20070198829A1
Time in Patent Office

699 Days
Field of Search

713/170, 707/10, 707/102, 707/101
US Class Current

1/1
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/121   Timestamp

H04L 63/0435   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/02   based on web technology, e....

H04L 67/142   Managing session states for...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/14   using a plurality of keys o...

H04L 9/3226   using a predetermined code,...

Y10S 707/99942   Manipulating data structure...

Y10S 707/99943   Generating database or data...

Avoiding server storage of client state

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Avoiding server storage of client state

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links