TLS tunneling

US 7,529,933 B2
Filed: 05/30/2002
Issued: 05/05/2009
Est. Priority Date: 05/30/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authentication between a client and a server, the method comprising:

negotiating the use of an extensible authentication protocol;

receiving from the server, using the extensible authentication protocol, a first request packet requesting to use a protected extensible authentication protocol;

transmitting a first response packet, using the extensible authentication protocol, to the server agreeing to use the protected extensible authentication protocol, wherein the protected extensible authentication protocol is used in transmitting and receiving further authentication packets between the client and the server;

receiving a second request packet from the server with information for establishing a secure communication tunnel between the client and the server and for authenticating the server to the client;

authenticating the server;

transmitting a second response packet to the server establishing the secure communication tunnel between the client and the server;

receiving a third request packet sent by the server within the secure communication tunnel, the third request packet requesting an identity for authenticating the client;

transmitting a third response packet within the secure communication tunnel to the server with the identity;

receiving a fourth request packet sent by the server within the secure communication tunnel, the fourth request packet proposing an inner extensible authentication protocol method for authenticating the client;

transmitting a fourth response packet to the server within the secure communication tunnel, the fourth request packet agreeing to the inner extensible authentication protocol method; and

authenticating the client within the secure communication tunnel using the inner extensible authentication protocol method.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.

Citations

33 Claims

1. A method of authentication between a client and a server, the method comprising:
- negotiating the use of an extensible authentication protocol;
  
  receiving from the server, using the extensible authentication protocol, a first request packet requesting to use a protected extensible authentication protocol;
  
  transmitting a first response packet, using the extensible authentication protocol, to the server agreeing to use the protected extensible authentication protocol, wherein the protected extensible authentication protocol is used in transmitting and receiving further authentication packets between the client and the server;
  
  receiving a second request packet from the server with information for establishing a secure communication tunnel between the client and the server and for authenticating the server to the client;
  
  authenticating the server;
  
  transmitting a second response packet to the server establishing the secure communication tunnel between the client and the server;
  
  receiving a third request packet sent by the server within the secure communication tunnel, the third request packet requesting an identity for authenticating the client;
  
  transmitting a third response packet within the secure communication tunnel to the server with the identity;
  
  receiving a fourth request packet sent by the server within the secure communication tunnel, the fourth request packet proposing an inner extensible authentication protocol method for authenticating the client;
  
  transmitting a fourth response packet to the server within the secure communication tunnel, the fourth request packet agreeing to the inner extensible authentication protocol method; and
  
  authenticating the client within the secure communication tunnel using the inner extensible authentication protocol method.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the inner extensible authentication method is selected from a plurality of extensible authentication methods supported by the client and the server.
  - 3. The method of claim 2, further comprising the use of a transport layer security protocol for establishing the secure communication tunnel.
  - 4. The method of claim 3, further comprising:
    - after the receiving the second request packet from the server, transmitting a set of possible cryptographic mechanisms to the server;
      
      receiving from the server, a selected cryptographic mechanism from the set of possible cryptographic mechanisms;
      
      deriving cryptographic keys for the selected cryptographic mechanism;
      
      implementing the selected cryptographic mechanism with the derived cryptographic keys; and
      
      transmitting the second response packet to the server establishing the secure communication tunnel between the client and the server.
  - 5. The method of claim 1, wherein the inner extensible authentication method is selected from the group consisting of Client Handshake Authentication Protocol and MS Client Handshake Authentication Protocol.
  - 6. The method of claim 1, wherein the identity comprises a human user identity.
  - 7. The method of claim 1, wherein the identity comprises a client device identity.
  - 8. The method of claim 1, further comprising:
    - after the negotiating the use of the extensible authentication protocol, receiving a request from the server for an initial client identity; and
      
      transmitting a portion of a user identification in response to the request for an initial client identity, wherein transmitting the third response packet comprises transmitting a remaining portion of the user identification.
  - 9. The method of claim 1, further comprising:
    - after the negotiating the use of the extensible authentication protocol, receiving a request from the server for an initial client identity; and
      
      transmitting a user alias in response to the request for an initial client identity, and wherein transmitting the third response packet further comprises transmitting a human user identity.
  - 10. The method of claim 9 wherein transmitting the third response packet further comprises transmitting a client device identity.
  - 11. The method of claim 1, further comprising:
    - after the negotiating the use of the extensible authentication protocol, receiving a request from the server for an initial client identity; and
      
      transmitting a client device identity in response to the request for an initial client identity, and wherein transmitting the third response packet further comprises transmitting a human user identity.

12. A method of authenticating a client, the method comprising:
- negotiating the use of an extensible authentication protocol with the client;
  
  transmitting to the client a first request packet, using the extensible authentication protocol, requesting to use a protected extensible authentication protocol;
  
  receiving from the client a first response packet, using the extensible authentication protocol, agreeing to use the protected extensible authentication protocol, wherein the protected extensible authentication protocol is used in transmitting and receiving further authentication packets;
  
  transmitting a second request packet to the client with information for establishing a secure communication tunnel;
  
  receiving a second response packet from the client establishing the secure communication tunnel;
  
  transmitting a third request packet to the client within the secure communication tunnel, the third request packet requesting an identity for authenticating the client;
  
  receiving a third response packet within the secure communication tunnel with the identity;
  
  transmitting a fourth request packet to the client within the secure communication tunnel, the fourth request packet proposing an inner extensible authentication protocol method for authenticating the client;
  
  receiving a fourth response packet within the secure communication tunnel, the fourth request packet agreeing to the inner extensible authentication protocol method; and
  
  authenticating the client within the secure communication tunnel using the inner extensible authentication protocol method.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the inner extensible authentication method is selected from a plurality of extensible authentication methods supported by the client.
  - 14. The method of claim 12, wherein the inner extensible authentication method is selected from the group consisting of Client Handshake Authentication Protocol and MS Client Handshake Authentication Protocol.
  - 15. The method of claim 13, further comprising the use of a transport layer security protocol for establishing the secure communication tunnel.
  - 16. The method of claim 15, further comprising:
    - after the transmitting the second request packet to the client, receiving a set of possible cryptographic mechanisms;
      
      transmitting to the client, a selected cryptographic mechanism from the set of possible cryptographic mechanism; and
      
      receiving the second response packet establishing the secure communication tunnel between the client and the server.
  - 17. The method of claim 12, wherein the identity comprises a human user identity.
  - 18. The method of claim 12, wherein the identity comprises a client device identity.
  - 19. The method of claim 12, further comprising:
    - after the negotiating the use of the extensible authentication protocol, transmitting a request to the client for an initial client identity; and
      
      receiving a portion of a user identification in response to the request for an initial client identity, wherein receiving the third response packet comprises receiving a remaining portion of the user identification.
  - 20. The method of claim 12, further comprising:
    - after the negotiating the use of the extensible authentication protocol, transmitting a request to the client for an initial client identity; and
      
      receiving a user alias in response to the request for an initial client identity, and wherein receiving the third response packet further comprises receiving a human user identity.
  - 21. The method of claim 20 wherein receiving the third response packet further comprises receiving a client device identity.
  - 22. The method of claim 12, further comprising:
    - after the negotiating the use of the extensible authentication protocol, transmitting a request to the client for an initial client identity; and
      
      receiving a client device identity in response to the request for an initial client identity, and wherein receiving the third response packet further comprises receiving a human user identity.

23. A computer storage medium storing computer executable instructions that when executed perform a method comprising:
- negotiating the use of an extensible authentication protocol with the client;
  
  transmitting to the client a first request packet, using the extensible authentication protocol, requesting to use a protected extensible authentication protocol;
  
  receiving from the client a first response packet, using the extensible authentication protocol, agreeing to use the protected extensible authentication protocol, wherein the protected extensible authentication protocol is used in transmitting and receiving further authentication packets;
  
  transmitting a second request packet to the client with information for establishing a secure communication tunnel;
  
  receiving a second response packet from the client establishing the secure communication tunnel;
  
  transmitting a third request packet to the client within the secure communication tunnel, the third request packet requesting an identity for authenticating the client;
  
  receiving a third response packet within the secure communication tunnel with the identity;
  
  transmitting a fourth request packet to the client within the secure communication tunnel, the fourth request packet proposing an inner extensible authentication protocol method for authenticating the client;
  
  receiving a fourth response packet within the secure communication tunnel, the fourth request packet agreeing to the inner extensible authentication protocol method; and
  
  authenticating the client within the secure communication tunnel using the inner extensible authentication protocol method.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer storage medium of claim 23, wherein the inner extensible authentication method is selected from a plurality of extensible authentication methods supported by the client.
  - 25. The computer storage medium of claim 24, further comprising the use of a transport layer security protocol for establishing the secure communication tunnel.
  - 26. The computer storage medium of claim 23, wherein the inner extensible Authentication method is selected from the group consisting of Client Handshake Authentication Protocol and MS Client Handshake Authentication Protocol.
  - 27. The computer storage medium of claim 26, further comprising:
    - after the transmitting the second request packet to the client, receiving a set of possible cryptographic mechanisms;
      
      transmitting to the client, a selected cryptographic mechanism from the set of possible cryptographic mechanism; and
      
      receiving the second response packet establishing the secure communication tunnel between the client and the server.
  - 28. The computer storage medium of claim 23, wherein the identity comprises a human user identity.
  - 29. The computer storage medium of claim 23, wherein the identity comprises a client device identity.
  - 30. The computer storage medium of claim 23, further comprising:
    - after the negotiating the use of the extensible authentication protocol, transmitting a request to the client for an initial client identity; and
      
      receiving a portion of a user identification in response to the request for an initial client identity, wherein receiving the third response packet comprises receiving a remaining portion of the user identification.
  - 31. The computer storage medium of claim 23, further comprising:
    - after the negotiating the use of the extensible authentication protocol, transmitting a request to the client for an initial client identity; and
      
      receiving a user alias in response to the request for an initial client identity, and wherein receiving the third response packet further comprises receiving a human user identity.
  - 32. The computer storage medium of claim 31 wherein receiving the third response packet further comprises receiving a client device identity.
  - 33. The computer storage medium of claim 23, further comprising:
    - after the negotiating the use of the extensible authentication protocol, transmitting a request to the client for an initial identity; and
      
      receiving a client device identity in response to the request for an initial client identity, and wherein receiving the third response packet further comprises receiving a human user identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Ayyagari, Arun, Palekar, Ashwin
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US10/157,806
Publication Number

US 20030226017A1
Time in Patent Office

2,532 Days
Field of Search

713/168, 713/153, 713/152, 713/151, 726/2
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

TLS tunneling

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

TLS tunneling

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links