Authentication of tunneled connections

US 7,661,131 B1
Filed: 02/03/2005
Issued: 02/09/2010
Est. Priority Date: 02/03/2005
Status: Active Grant

First Claim

Patent Images

1. A Secure tunnel communications method, comprising;

establishing a first connection from an inner agent to an outer agent comprising;

initiating a first TCP connection from the inner agent to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent,negotiating a first SSL/TLS session between the inner agent and the outer agent over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, andapplying the first SSL/TLS session between the inner agent and the outer agent over the first TCP connection;

establishing a second connection from a client to the outer agent comprising;

initiating a second TCP connection from the client to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent, and wherein the client and outer agent each reside on devices separated by a network,negotiating a second SSL/TLS session between the client and the outer agent over the second TCP connection when the outer agent certificate is presented by the outer agent to the client, andapplying the second SSL/TLS session between the client and the outer agent over the second TCP connection;

negotiating a third SSL/TLS session between the client and the inner agent; and

applying the third SSL/TLS session between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session,wherein negotiating the second SSL/TLS session comprises authenticating the client, by the outer agent,wherein the outer agent implements an outer agent authentication policy,wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent,wherein the client presents the certificate possessed by the client to the outer agent, andwherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agent,wherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises;

implementing, by the inner agent, an inner agent authentication policy;

presenting, by the client, the certificate possessed by the client to the inner agent; and

verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for authentication of tunneled connections. A method includes establishing a first connection (C_IO) from an inner agent to an outer agent including making a first TCP connection from the inner agent to the outer agent, negotiating a first SSL/TLS session (SSLSession_IO) between the inner agent and the outer agent over the first TCP connection and applying the second SSL/TLS session (SSLSession_IO) between the inner agent and the outer agent over the first TCP connection; establishing a second connection (C_CO) from a client and the outer agent including making a second TCP connection from the client to the outer agent, negotiating a second SSL/TLS session (SSLSession_CO) between the client and the outer agent over the second TCP connection and applying the second SSL/TLS session (SSLSession_CO) between the client and the outer agent over the second TCP connection; and then negotiating a third SSL/TLS session (SSLSession_CI) between the client and the inner agent via both the first SSL/TLS session (SSLSession_IO) and the second SSL/TLS session (SSLSession_CO) and applying the third SSL/TLS session (SSLSession_CI) between the client and the inner agent layered over both the first SSL/TLS session (SSLSession_IO) and the second SSL/TLS session (SSLSession_CO), wherein negotiating the second SSL/TLS session (SSLSession_CO) includes verifying at the outer agent that the client possesses a certificate signed with a certificate associated with the inner agent.

114 Citations

15 Claims

1. A Secure tunnel communications method, comprising;
- establishing a first connection from an inner agent to an outer agent comprising;
  
  initiating a first TCP connection from the inner agent to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent,negotiating a first SSL/TLS session between the inner agent and the outer agent over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, andapplying the first SSL/TLS session between the inner agent and the outer agent over the first TCP connection;
  
  establishing a second connection from a client to the outer agent comprising;
  
  initiating a second TCP connection from the client to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent, and wherein the client and outer agent each reside on devices separated by a network,negotiating a second SSL/TLS session between the client and the outer agent over the second TCP connection when the outer agent certificate is presented by the outer agent to the client, andapplying the second SSL/TLS session between the client and the outer agent over the second TCP connection;
  
  negotiating a third SSL/TLS session between the client and the inner agent; and
  
  applying the third SSL/TLS session between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session,wherein negotiating the second SSL/TLS session comprises authenticating the client, by the outer agent,wherein the outer agent implements an outer agent authentication policy,wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent,wherein the client presents the certificate possessed by the client to the outer agent, andwherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agent,wherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises;
  
  implementing, by the inner agent, an inner agent authentication policy;
  
  presenting, by the client, the certificate possessed by the client to the inner agent; and
  
  verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The secure tunnel communications method of claim 1, wherein the certificate associated with the inner agent is created by the inner agent and the inner agent is the certificate authority for the certificate associated with the inner agent.
  - 3. The secure tunnel communications method of claim 1, wherein authenticating at the inner agent, performed while negotiating the third SSL/TLS session, comprises utilizing a list of authorized users that is i) available to the inner agent and ii) is not a) stored by the outer agent or b) available to the outer agent.
  - 4. The secure tunnel communications method of claim 1, further comprising, after applying the third SSL/TLS session, ceasing to apply the first SSL/TLS session between the inner agent and the outer agent and ceasing to apply the second SSL/TLS session between the client and the outer agent.
  - 5. The secure tunnel communication method of claim 1, further comprising:
    - caching the first SSL/TLS session as a set of state information on both the inner agent and the outer agent;
      
      sending a request from the outer agent to the inner agent via the first connection to create a new connection from the inner agent to the outer agent;
      
      establishing the new connection from the inner agent to the outer agent; and
      
      resuming the first SSL/TLS session using the set of state information on the new connection.
  - 6. The secure tunnel communications method of claim 1, wherein the client closes the second connection if the outer agent does not present the outer agent certificate as part of negotiating the second SSL/TLS session.
  - 7. The secure tunnel communications method of claim 1, wherein the second connection from the client to the outer agent is through TCP port 443.
  - 8. The secure tunnel communications method of claim 1, wherein the inner agent closes the first connection if the outer agent does not present the outer agent certificate as part of negotiating the first SSL/TLS session.
  - 9. The secure tunnel communications method of claim 1, wherein the first connection from the inner agent to the outer agent is through TCP port 443.
  - 10. The secure tunnel communications method of claim 1, wherein the client closes the second connection if the inner agent does not present an inner agent certificate as part of negotiating the third SSL/TLS session.
  - 11. The secure tunnel communications method of claim 1, further comprising establishing another connection from another inner agent to the outer agent including making another TCP connection from the another inner agent to the outer agent and negotiating another SSL/TLS session between the another inner agent and the outer agent over the another TCP connection.
  - 12. The secure tunnel communications method of claim 11, further comprising caching the another SSL/TLS session as a set of state information on both the another inner agent and the outer agent.
  - 13. The secure tunnel communications method of claim 1, further comprising mimicking https connection behaviour including at least one connection technique selected from the group consisting of hopping, dropping and opening, so as to bypass application level firewall traffic analysis.

14. A computer readable medium, comprising software instructions executable by a processor to perform a method, the method comprising:
- establishing a first connection from an inner agent to an outer agent comprising;
  
  initiating a first TCP connection from the inner agent to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent,negotiating a first SSL/TLS session between the inner agent and the outer agent over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, andapplying the first SSL/TLS session between the inner agent and the outer agent over the first TCP connection;
  
  establishing a second connection from a client to the outer agent comprising;
  
  initiating a second TCP connection from the client to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent,negotiating a second SSL/TLS session between the client and the outer agent over the second TCP connection when the outer agent certificate is presented by the outer agent to the client, andapplying the second SSL/TLS session between the client and the outer agent over the second TCP connection;
  
  negotiating a third SSL/TLS session between the client and the inner agent; and
  
  applying the third SSL/TLS session between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session,wherein negotiating the second SSL/TLS session comprises authenticating the client by the outer agent,wherein the outer agent implements an outer agent authentication policy,wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent,wherein the client presents the certificate possessed by the client to the outer agent, andwherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agentwherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises;
  
  implementing, by the inner agent, an inner agent authentication policy;
  
  presenting, by the client, the certificate possessed by the client to the inner agent; and
  
  verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.

15. A secure tunnel communications system, comprising:
- an inner agent;
  
  an outer agent coupled to the inner agent,wherein the inner agent initiates a first TCP connection to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent,wherein the inner agent and outer agent negotiate a first SSL/TLS session over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, andwherein the first SSL/TLS session is applied between the inner agent and outer agent over the first TCP connection; and
  
  a client coupled to the outer agent,wherein the client initiates a second TCP connection to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent, and wherein the client and outer agent each reside on devices separated by a network,wherein the client and outer agent negotiate a second SSL/TLS session over the second TCP connection when an outer agent certificate is presented by the outer agent to the client, wherein negotiating the second SSL/TLS session comprises authenticating the client, by the outer agent,wherein the outer agent implements an outer agent authentication policy,wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent,wherein the client presents the certificate possessed by the client to the outer agent, andwherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agent,wherein the first SSL/TLS session is applied between the client and the outer agent over the second TCP connection,wherein the client and inner agent negotiatea third SSL/TLS session via both the first SSL/TLS session and the second SSL/TLS sessionwherein the third SSL/TLS session is applied between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session and,wherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises;
  
  implementing, by the inner agent, an inner agent authentication policy;
  
  presenting, by the client the certificate possessed by the client to the inner agent; and
  
  verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Shaw, Andrew, Burgess, Karl Richard, McEwen, Michael Thomas
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Kaplan; Benjamin A

Application Number

US11/050,102
Time in Patent Office

1,832 Days
Field of Search

709/220, 709/223, 709/227, 709/230, 726/15
US Class Current

726/15
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0478   applying multiple layers of...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/18   using different networks or...

Authentication of tunneled connections

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of tunneled connections

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links