Use and generation of a session key in a secure socket layer connection

US 7,975,139 B2
Filed: 04/30/2002
Issued: 07/05/2011
Est. Priority Date: 05/01/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for establishing a secure connection and authenticating a server in connections formed with PKI procedures, wherein a server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection, said method offering an alternative for authenticating the server public key, and comprising:

generating a symmetric server authentication key by the server, the server authentication key used for encrypting server authentication information;

transmitting a server public key by the server to the client in clear text form;

generating a symmetric client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret known to both the client and server, said common secret generated by;

generating a strong authentication token time-based response by a strong authentication token at the client;

deriving a client authentication key from the response by the client;

sending a synchronization challenge from the server to the client;

encrypting the synchronization challenge with the client authentication key by the client;

sending the encrypted synchronization challenge from the client to the server; and

generating said server authentication key by the server that corresponds to the client authentication key used by the client,sending server authentication information to the client to authenticate the server, the server authentication information including data related to the server'"'"'s public key, the server authentication information encrypted by the server using the server authentication key and a symmetric encryption algorithm,decrypting, at the client, received server authentication information with the client authentication key and a symmetric decryption algorithm to obtain data related to the server public key, andverifying the correctness of the server authentication information at the client in order to authenticate the server by comparing the decrypted data related to the server public key with the server public key used in establishing the secure connection and received from the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention describes a method and system for verifying the link between a public key and a server'"'"'s identity as claimed in the server'"'"'s certificate without relying on the trustworthiness of the root certificate of the server'"'"'s certificate chain. The system establishes a secure socket layer type connection between a client and a server, wherein the server transmits information including the server'"'"'s public key to the client while establishing the connection. Next, a first information is sent from the client to the server. The client and the server create an identical authentication key using a shared secret known to the server and the client. Next, the server transmits a first encrypted message to the client, wherein the first encrypted message includes the server'"'"'s public key encrypted with the authentication key. Then, the client decrypts the first encrypted message and verifies the correctness of that message including comparing the public key included in the decrypted first encrypted message to the public key transmitted during the set-up of the secure socket layer type connection to authenticate the client and to establish the trustworthiness of the server'"'"'s public key and thereby the entire SSL connection. The client then transmits a second encrypted message to the server, wherein the second encrypted message is the first information encrypted with the authentication key. Finally, the server then decrypts the second encrypted message and verifies the correctness of the decrypted second encrypted message to authenticate the client.

Citations

39 Claims

1. A method for establishing a secure connection and authenticating a server in connections formed with PKI procedures, wherein a server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection, said method offering an alternative for authenticating the server public key, and comprising:
- generating a symmetric server authentication key by the server, the server authentication key used for encrypting server authentication information;
  
  transmitting a server public key by the server to the client in clear text form;
  
  generating a symmetric client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret known to both the client and server, said common secret generated by;
  
  generating a strong authentication token time-based response by a strong authentication token at the client;
  
  deriving a client authentication key from the response by the client;
  
  sending a synchronization challenge from the server to the client;
  
  encrypting the synchronization challenge with the client authentication key by the client;
  
  sending the encrypted synchronization challenge from the client to the server; and
  
  generating said server authentication key by the server that corresponds to the client authentication key used by the client,sending server authentication information to the client to authenticate the server, the server authentication information including data related to the server'"'"'s public key, the server authentication information encrypted by the server using the server authentication key and a symmetric encryption algorithm,decrypting, at the client, received server authentication information with the client authentication key and a symmetric decryption algorithm to obtain data related to the server public key, andverifying the correctness of the server authentication information at the client in order to authenticate the server by comparing the decrypted data related to the server public key with the server public key used in establishing the secure connection and received from the server.
- View Dependent Claims (2, 3, 4, 5, 6, 11, 14, 15, 16)
- - 2. The method of claim 1 wherein the server authentication information includes a server certificate.
  - 3. The method of claim 1 wherein the secure connection includes an SSL connection.
  - 4. The method of claim 1 wherein the secure connection includes an WTLS connection.
  - 5. The method of claim 1 wherein the secure connection includes an IPSEC connection.
  - 6. The method of claim 1 wherein the secure connection includes a TLS connection.
  - 11. The method as recited in claim 1 which further includes:
    - sending client information to the server to authenticate the client, the client information encrypted by the client using the client authentication key and decrypted by the server using the server authentication key, the correctness of the client information verified by the server.
  - 14. The method of claim 1 wherein the server authentication information includes the server public key.
  - 15. The method of claim 1 wherein the server authentication information includes data derived from the server public key.
  - 16. The method of claim 15 wherein the data derived from the server public key includes a hash of the server public key.

7. A method for authenticating a server public key and establishing a secure connection between a client and a server, the connection formed with PKI procedures and including a symmetric key established using the server public key with asymmetric cryptography, said symmetric key used to encrypt communications during the connection with symmetric cryptography, the method, offering an alternative for authenticating the server public key, and comprising:
- transmitting a server certificate from the server to the client, the server certificate including server public key information;
  
  generating separate symmetric authentication keys by the server and the client, the keys being identical as generated using a common secret known to both client and server, said generating separate authentication keys including;
  
  sending user authentication information from the client to the server;
  
  exchanging dynamic information between the client and the server;
  
  generating a secret by the client and the server from the response of a strong authentication token, said strong authentication token including a time-based token or an event-based token; and
  
  generating symmetric authentication keys at client and server using the user authentication information, the dynamic information, and the secret;
  
  thereaftersending server authentication information to the client, the server authentication information including data related to the server public key, the server authentication information encrypted by the server using the symmetric authentication key generated by the server and a symmetric encryption algorithm;
  
  receiving and decrypting the server authentication information by the client, the client decrypting the server authentication information using a symmetric decryption algorithm and the symmetric authentication key created by the client, andverifying the correctness of the server information at the client by comparing the decrypted server authentication information with server public key information from the server certificate.
- View Dependent Claims (8, 9, 10, 12, 13, 17, 18, 19)
- - 8. The method of claim 7 wherein the user authentication information includes a user identification information.
  - 9. The method of claim 7 wherein the secure connection is an SSL connection.
  - 10. The method of claim 7 wherein the dynamic information includes random information.
  - 12. The method as recited in claim 7 further including:
    - sending encrypted user authentication information to the server, the user authentication information encrypted by the client using the authentication key generated by the client; and
      
      receiving and decrypting the user authentication information by the server, the server decrypting the user authentication information using the authentication key created by the server, the correctness of the user authentication information verified by the server.
  - 13. The method of claim 7 wherein the server certificate transmitted to the client includes the server public key.
  - 17. The method of claim 7 wherein the server authentication information includes the server public key.
  - 18. The method of claim 7 wherein the server authentication information includes data derived from the server public key.
  - 19. The method of claim 18 wherein the data derived from the server public key includes a hash of the server public key.

20. A method for establishing a secure connection and authenticating a server public key in connections formed with PKI procedures, wherein the server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection and offering an alternative for authenticating the server public key where a symmetric server authentication key is generated by the server and used to encrypt server authentication information for transmission to the client, said method comprisinggenerating a symmetric client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret known to both server and client, said generating said client authentication key including;
- generating a strong authentication token time-based response by a strong authentication token at the client;
  
  deriving a client authentication key from the response by the client;
  
  receiving, at the client, a synchronization challenge from the server;
  
  encrypting the synchronization challenge with the client authentication key by the client; and
  
  sending the encrypted synchronization challenge from the client to the server for generating a server authentication key by the server that corresponds to the client authentication key used by the client,receiving the server public key in clear text form from the server;
  
  receiving encrypted server authentication information at the client to authenticate the server, the server authentication information including data related to the server'"'"'s public key encrypted with a symmetric encryption algorithm;
  
  decrypting, at the client, the received server authentication information with the symmetric client authentication key and a symmetric decryption algorithm to obtain data related to the server public key, andverifying the correctness of the server authentication information at the client in order to authenticate the server by comparing the decrypted data related to the server public key with the server public key used in establishing the secure connection and received from the server.
- View Dependent Claims (21, 22, 23, 24, 25, 31, 34, 35, 36)
- - 21. The method of claim 20 wherein the server authentication information includes a server certificate.
  - 22. The method of claim 20 wherein the secure connection includes an SSL connection.
  - 23. The method of claim 20 wherein the secure connection includes an WTLS connection.
  - 24. The method of claim 20 wherein the secure connection includes an IPSEC connection.
  - 25. The method of claim 20 wherein the secure connection includes a TLS connection.
  - 31. The method as recited in claim 20 which further includes:
    - sending client information to the server to authenticate the client, the client information encrypted by the client using the client authentication key.
  - 34. The method of claim 20 wherein the server authentication information includes the server public key.
  - 35. The method of claim 20 wherein the server authentication information includes data derived from the server public key.
  - 36. The method of claim 35 wherein the data derived from the server public key includes a hash of the server public key.

26. A method for authenticating a server public key and establishing a secure connection between a client and a server, the connection formed with PKI procedures and including a symmetric key, established using the server public key with asymmetric cryptography, to encrypt communications during the connection with symmetric cryptography, the method offering an alternative for authenticating the server public key, and comprising:
- receiving a server certificate at the client, the server certificate including server public key information in clear text form;
  
  generating a symmetric authentication key by the client corresponding to a symmetric authentication key generated at the server, the keys being identical as generated using a common secret known to both client and server, said generating an authentication key by the client including;
  
  sending user authentication information from the client to the server;
  
  exchanging dynamic information between the client and server,generating a secret by the client from a response of a client strong authentication token corresponding to a secret generated by the server, said strong authentication token including a time-based or event-based token; and
  
  the client generating said symmetric authentication key, corresponding to a symmetric authentication key generated at the server, using the user authentication information, the dynamic information, and the secret;
  
  thereafterreceiving server authentication information at the client, the server authentication information including data related to the server public key encrypted using the symmetric authentication key generated by the server and a symmetric encryption algorithm;
  
  decrypting the server authentication information by the client, the client decrypting the server authentication information using a symmetric decryption algorithm and the authentication key created by the client, andverifying the correctness of the server information at the client by comparing the decrypted server authentication information with server public key information received in clear text form.
- View Dependent Claims (27, 28, 29, 30, 32, 33, 37, 38, 39)
- - 27. The method of claim 26 wherein the user authentication information includes a user identification information.
  - 28. The method of claim 26 wherein the secure connection is an SSL connection.
  - 29. The method of claim 26 wherein the dynamic information includes random information.
  - 30. The method of claim 26 wherein the strong authentication token includes a challenge-response strong authentication token, wherein the secret is derived from the response of the challenge response token.
  - 32. The method as recited in claim 26 further including:
    - sending encrypted user authentication information to the server, the user authentication information encrypted by the client using the authentication key generated by the client.
  - 33. The method of claim 26 wherein the server certificate received by the client includes the server public key.
  - 37. The method of claim 26 wherein the server authentication information includes the server public key.
  - 38. The method of claim 26 wherein the server authentication information includes data derived from the server public key.
  - 39. The method of claim 38 wherein the data derived from the server public key includes a hash of the server public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
Coulier, Frank
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US10/135,163
Publication Number

US 20020166048A1
Time in Patent Office

3,353 Days
Field of Search

713/151, 713168-172, 713175-176, 726/5, 726 2- 3, 380277-278
US Class Current

713/169
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0869   for achieving mutual authen...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

Use and generation of a session key in a secure socket layer connection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Use and generation of a session key in a secure socket layer connection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links