Secure federation of data communications networks

US 7,506,369 B2
Filed: 05/27/2004
Issued: 03/17/2009
Est. Priority Date: 05/27/2004
Status: Active Grant

First Claim

Patent Images

1. A method performed by an edge proxy server for federating a network in a direct federation mode, comprising:

receiving an indication a list of authorized entities;

receiving a message;

verifying that the message was sent by an authorized and authenticated entity; and

after verifying that the message was sent by an authorized and authenticated entity,determining a next hop for the message wherein the next hop identifies a computing device to which the message will be routed next; and

forwarding the message to the next hop.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure federation of data communications networks are provided. The techniques employ an edge proxy server to route messages depending on a federation mode. In Direct federation mode, an edge proxy server of a network is configured to exchange messages with a specified set of entities, such as other networks, servers, other devices, or users. In Automatic federation mode, an edge proxy server may accept all incoming messages from entities that have a valid certificate. In Clearinghouse federation mode, the edge proxy server forwards all outgoing messages to a specified, trusted clearinghouse server.

49 Citations

View as Search Results

36 Claims

1. A method performed by an edge proxy server for federating a network in a direct federation mode, comprising:
- receiving an indication a list of authorized entities;
  
  receiving a message;
  
  verifying that the message was sent by an authorized and authenticated entity; and
  
  after verifying that the message was sent by an authorized and authenticated entity,determining a next hop for the message wherein the next hop identifies a computing device to which the message will be routed next; and
  
  forwarding the message to the next hop.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the message is received using a session initiation protocol.
  - 3. The method of claim 1 wherein the indication of authorized entities is a list.
  - 4. The method of claim 3 wherein the list comprises entities designated by an administrator to be authorized.
  - 5. The method of claim 3 wherein an entity is authorized when it does not appear on the list.
  - 6. The method of claim 1 wherein the next hop is determined from a header field of the message.
  - 7. The method of claim 1 wherein the next hop is determined by querying a server.
  - 8. The method of claim 7 wherein the server is a domain name service.
  - 9. The method of claim 1 wherein the next hop is determined from a list of authorized entities.

10. A method performed by an edge proxy server for federating a network in an automatic federation mode, comprising:
- receiving a message;
  
  verifying that the message was sent by an authenticated entity;
  
  determining whether a certificate indicated in a header field of the received message appears in a list of revoked certificates; and
  
  when the received message is an incoming message,verifying that a uniform resource identifier indicated for a sender of the message matches a domain from which the message was received; and
  
  when the received message is an outgoing message, querying a domain name service.
- View Dependent Claims (11)
- - 11. The method of claim 10 wherein the querying includes determining a next hop for the message.

12. An edge proxy server system for federating a network, comprising:
- a component that receives an indication of a federation mode for the proxy server;
  
  a component that receives a message;
  
  a component that authenticates a sender of the received message based on the indicated federation mode; and
  
  a component that handles the message based on the indicated federation mode and whether the sender of the received message is authenticated.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 13. The system of claim 12 wherein the handling includes forwarding the message when a recipient indicated in the message does not appear in a deny list.
  - 14. The system of claim 12 wherein the federation mode is direct.
  - 15. The system of claim 14 wherein a sender is authenticated by determining whether the sender sent the message in a valid connection.
  - 16. The system of claim 14 wherein the handling includes forwarding the message when a recipient indicated in the message appears in an accept list.
  - 17. The system of claim 14 wherein the handling includes determining a next hop for the message.
  - 18. The system of claim 12 wherein the federation mode is automatic.
  - 19. The system of claim 18 wherein the sender is authenticated when the message was sent in a valid connection.
  - 20. The system of claim 18 wherein the sender is authenticated when a domain of a URI indicated for the sender matches a domain of an entity that actually sent the message.
  - 21. The system of claim 18 wherein the handling includes determining services offered by a destination entity indicated in the message.
  - 22. The system of claim 21 wherein a service is mutually authenticated transport layer security.
  - 23. The system of claim 12 wherein the federation mode is clearinghouse.
  - 24. The system of claim 23 wherein the handling includes receiving messages from the clearinghouse.
  - 25. The system of claim 24 wherein the sender is implicitly trusted.
  - 26. The system of claim 23 wherein the handling includes forwarding outgoing messages to a clearinghouse.
  - 27. The system of claim 23 wherein the handling includes establishing a session directly with the sender.
  - 28. The system of claim 12 wherein the federation mode includes a combination of federation modes.
  - 29. The system of claim 28 wherein the combination of federation modes includes a direct federation mode, an automatic federation mode, and a clearinghouse federation mode.
  - 30. The system of claim 28 wherein the authentication includes receiving a certificate.

31. A computer-readable medium having computer-executable instructions for performing steps, comprising:
- receiving an indication of authorized entities;
  
  receiving a message;
  
  determining whether an entity that sent the message is authorized; and
  
  when the entity that sent the message is authorized,authenticating the authorized entity, wherein the authenticating includes determining whether the message was received on a valid connection; and
  
  when the authorized entity is authenticated,determining a next hop for the message wherein the next hop identifies a computing device to which the message will be routed next; and
  
  forwarding the message to the next hop.
- View Dependent Claims (32)
- - 32. The computer-readable medium of claim 31 including instructions for performing steps relating to determining whether the message was received from the authorized entity in a valid connection.

33. An edge proxy server for federating a network, comprising:
- means for establishing sessions with computing devices;
  
  means for authorizing the computing devices;
  
  means for validating messages from or to the computing devices;
  
  means for determining a destination for the validated messages; and
  
  means for routing the messages to the determined destination depending on a federation mode.
- View Dependent Claims (34, 35, 36)
- - 34. The edge proxy server of claim 33 wherein the means for establishing sessions with computing devices controls a number of sessions.
  - 35. The edge proxy server of claim 33 wherein the means for authorizing computing devices may have an associated list of unauthorized entities.
  - 36. The edge proxy server of claim 33 wherein the means for validating messages validates messages based on contents of the messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Buch, Jeremy, Kimchi, Gur, Shoroff, Srikanth
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US10/856,259
Publication Number

US 20050265327A1
Time in Patent Office

1,755 Days
Field of Search

726/12
US Class Current

726/12
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/10 for controlling access to d...

Secure federation of data communications networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Secure federation of data communications networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links