Avoiding server storage of client state
Abstract
A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.
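The round trip the abstract describes (server seals state under a local key, client stores the blob, server decrypts it on the next request and decides authorization from the recovered state), as an added Go example that is not part of the patent or any product it covers. It assumes AES-256-GCM as the encryption, a role and an expiry time as the only state fields, and base64 as the form in which the blob is handed to the client; all of these are choices made here, not specified by the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// ClientState is what the server would otherwise keep per client (field names assumed).
type ClientState struct {
	Role    string `json:"role"` // authorization characteristic
	Expires int64  `json:"exp"`  // Unix seconds
}

type Server struct{ g cipher.AEAD } // holds only the local key material, never client state

func NewServer(localKey []byte) (*Server, error) {
	block, err := aes.NewCipher(localKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Server{g: g}, nil
}

// Seal encrypts state under the local key; the client stores the blob but cannot read it.
func (s *Server) Seal(st ClientState) (string, error) {
	plain, _ := json.Marshal(st) // cannot fail for these field types
	nonce := make([]byte, s.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.g.Seal(nonce, nonce, plain, nil)), nil
}

// Open decrypts and authenticates the blob the client sent back with its request.
func (s *Server) Open(token string) (st ClientState, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < s.g.NonceSize() {
		return st, errors.New("malformed token")
	}
	if raw, err = s.g.Open(nil, raw[:s.g.NonceSize()], raw[s.g.NonceSize():], nil); err != nil {
		return st, err // wrong key, tampering or truncation all fail here
	}
	return st, json.Unmarshal(raw, &st)
}

// Authorized is the claim's authorization step: it needs only the token and the clock.
func (s *Server) Authorized(token, needRole string, now int64) bool {
	st, err := s.Open(token)
	return err == nil && now < st.Expires && st.Role == needRole
}
```

The GCM tag is what lets the server trust a blob that has been out of its hands; the expiry field is the practical substitute for the revocation that a server-side session table would otherwise provide.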
30 Claims
1. An apparatus, comprising:
a network interface that is coupled to a data network for receiving or transmitting one or more packet flows;
a processor coupled to the network interface;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform:
based on a local key that is not known to a first client, encrypting first client state information to produce first encrypted information, wherein the first client state information includes authorization information;
receiving, at a first time, from the first client, both the first encrypted information and a first request;
based on the local key, decrypting the first encrypted information that was received from the first client, thereby producing first decrypted information;
determining, based on authorization information that was included in the first decrypted information, whether the first request is authorized; and
satisfying the first request only if the first request is authorized;
wherein the apparatus is a first computer and wherein the first client is implemented by a second computer and is communicatively coupled with the first computer.
Dependent claims: 2 to 12.

13. An apparatus, comprising:
a network interface that is coupled to a data network for receiving or transmitting one or more packet flows;
a processor coupled to the network interface;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform:
receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client;
sending, at a second time, to the first server, both the first encrypted information and a first request; and
receiving, at a third time, from the first server, a first response to the first request;
wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
Dependent claims: 14 to 17.

18. A volatile or non-volatile computer-readable medium storing one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client;
sending, at a second time, to the first server, both the first encrypted information and a first request; and
receiving, at a third time, from the first server, a first response to the first request;
wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
Dependent claims: 19 to 22.

23. A method, comprising:
receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client, and wherein the first client state information includes first authorization information;
sending, at a second time, to the first server, both the first encrypted information and a first request; and
receiving, at a third time, from the first server, a first response to the first request;
wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
Dependent claims: 24 to 26.

27. An apparatus, comprising:
means for receiving, at a first time, from a first server, first encrypted information, wherein the first encrypted information is produced by encrypting first client state information based on a first key that is not known to a client, and wherein the first client state information includes first authorization information;
means for sending, at a second time, to the first server, both the first encrypted information and a first request; and
means for receiving, at a third time, from the first server, a first response to the first request;
wherein a first computer implements the client and wherein the first server is implemented by a second computer and is communicatively coupled with the client.
Dependent claims: 28 to 30.