Method and system for authentification of a mobile user via a gateway

US 7,742,605 B2
Filed: 08/06/2001
Issued: 06/22/2010
Est. Priority Date: 08/18/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

a gateway computer receiving a first party certificate from a first party, said first party certificate being signed and including a name identifying said first party;

in response to receiving said first party certificate, said gateway computer generating a new first party certificate, different from a certificate generated for the first party by a certificate authority, said new certificate including said name identifying said first party, but also including a gateway-generated first party public key, and said gateway computer signing said new certificate using a gateway private key;

supplying said new certificate from the gateway computer to a second party, the new certificate identifying the gateway as the first party, the first party being different from the gateway computer;

using said first party certificate to establish a first secure communication link between said first party and said gateway computer; and

using said new certificate to establish a second secure communication link between said second party and said gateway computer, and wherein said gateway computer uses said first and second communication links to conduct secure communications between said first and second parties.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for establishing secure communications between two entities, such as a server and a client, may involve the use of an intermediate gateway. Each party may establish a secure communication link with the gateway, and the gateway may provide signed certificates to each party, each certificate identifying the gateway as the other party for purposes of the communication. The gateway may then facilitate the secure communications between the two parties, and may perform data translation on the communications. The identification information may be contained within the certificates used by the gateway.

39 Citations

View as Search Results

22 Claims

1. A method comprising:
- a gateway computer receiving a first party certificate from a first party, said first party certificate being signed and including a name identifying said first party;
  
  in response to receiving said first party certificate, said gateway computer generating a new first party certificate, different from a certificate generated for the first party by a certificate authority, said new certificate including said name identifying said first party, but also including a gateway-generated first party public key, and said gateway computer signing said new certificate using a gateway private key;
  
  supplying said new certificate from the gateway computer to a second party, the new certificate identifying the gateway as the first party, the first party being different from the gateway computer;
  
  using said first party certificate to establish a first secure communication link between said first party and said gateway computer; and
  
  using said new certificate to establish a second secure communication link between said second party and said gateway computer, and wherein said gateway computer uses said first and second communication links to conduct secure communications between said first and second parties.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method according to claim 1, wherein:
    - encryption protocols of the first secure communication link between the first party and the gateway computer and the second secure communication link between the second party and the gateway computer are different.
  - 3. The method according to claim 2 wherein:
    - an encryption protocol of the first secure communication link between the first party and the gateway computer is wireless transport layer security and an encryption protocol of the second secure communication link between the gateway computer and the second party is secure sockets layer.
  - 4. The method according to claim 1, further comprising:
    - indicating to the second party that the provided gateway-generated first party public key is the public key of a trusted certification authority.
  - 5. The method according to claim 1, further comprising:
    - the gateway computer generating different public-private key-pairs for a plurality of first parties, each key-pair comprising a generated first party public key and a generated first party private key.
  - 6. The method according to claim 5, further comprising:
    - the gateway computer generating different certificates in the names of different first parties.
  - 7. The method according to claim 6, further comprising:
    - the gateway computer signing said different certificates with said gateway private key.
  - 8. The method according to claim 7, wherein:
    - the different certificates contain a distinguished name of a corresponding first party and its first party public key.
  - 9. The method according to claim 1, comprising:
    - the gateway computer receiving an identifier indicating a common origin with the second party.
  - 10. The method according to claim 9, comprising:
    - requesting certificates for the second party and the gateway computer corresponding to the common identifier of the second party and the gateway computer, but containing different public keys belonging to the second party and to the gateway computer.
  - 11. The method according to claim 1, comprising:
    - performing a handshake in order to authenticate each party to the other and to negotiate one or more session keys.
  - 12. The method according to claim 11, wherein:
    - the handshake is a double handshake.
  - 13. The method according to claim 1, wherein:
    - the first party and the gateway computer execute a common first handshake authenticating each other and negotiate a master secret.
  - 14. The method according to claim 13, further comprising:
    - the gateway computer using a first party private key and the first party certificate to execute a second handshake with the second party.
  - 15. The method according to claim 14, wherein:
    - at least one of the handshakes is a handshake which occurs prior to communication according to wireless transport layer security.
  - 16. The method according to claim 14, wherein:
    - at least one of the handshakes is a handshake which occurs prior to communication according to secure sockets layer or transport layer security.
  - 17. The method according to claim 1, wherein:
    - the first party is a client and the second party is a server.
  - 18. The method according to claim 1, comprising:
    - providing the first party and the gateway computer with a common public key to authenticate a source of information transferred from one to the other wherein the common public key is the public key of a trusted certification authority.

19. A method, comprising:
- establishing a first secure communication session between a client and a gateway computer by the gateway computer providing said client with a signed certificate identifying the gateway computer as a server, the gateway computer being different from the server;
  
  establishing a second secure communication session between said server and said I gateway computer by providing said server with a second signed certificate identifying the gateway computer as the client, the gateway computer being different from the client; and
  
  prior to establishing the second secure communication session, said gateway computer generating a public/private key pair for said client, generating the second signed certificate containing said public key for said client and being signed by a private key of the gateway, the second signed certificate being different from a certificate generated for the client by a certificate authority, and sending said second signed certificate to said server to establish the second secure communication session.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising the following performed by the gateway computer:
    - receiving a message from the client directed to said server;
      
      decrypting said message according to encryption of said first secure communication session;
      
      performing data conversion on contents of said decrypted message;
      
      encrypting said converted contents according to encryption of said second secure communication session; and
      
      transmitting said encrypted converted contents to said server.

21. An apparatus comprising:
- a gateway computer configured to;
  
  establish a first secure communication session between a client and said gateway computer by providing said client with a signed certificate identifying the gateway computer as a server, the gateway computer being different from the server;
  
  establish a second secure communication session between said server and said gateway computer by providing said server with a second signed certificate identifying the gateway computer as the client, the gateway computer being different than the client;
  
  generate a public/private key pair for said client;
  
  generate, prior to establishing the second secure communication session, the second signed certificate containing said public key for said client and being signed by a private key of the gateway computer, the second signed certificate being different from a certificate generated for the client by a certificate authority; and
  
  transmit the second signed certificate to the server to establish the second secure communication session.
- View Dependent Claims (22)
- - 22. The apparatus of claim 21, wherein the gateway computer is further configured to:
    - receive a message from the client directed to said server;
      
      decrypt said message according to encryption of said first communication session;
      
      perform data conversion on contents of said decrypted message;
      
      encrypt said converted contents according to encryption of said second communication session; and
      
      transmit said encrypted converted contents to said server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Hornak, Zoltan
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/362,017
Publication Number

US 20040103283A1
Time in Patent Office

3,242 Days
Field of Search

713/175, 713155-157, 713/173, 726 12- 14
US Class Current

380/277
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/04   specially adapted for termi...

H04L 69/329   in the application layer [O...

H04L 9/3263   involving certificates, e.g...

H04L 9/40   Network security protocols

Method and system for authentification of a mobile user via a gateway

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for authentification of a mobile user via a gateway

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links