TLS key and CGI session ID pairing

US 8,275,984 B2
Filed: 12/15/2008
Issued: 09/25/2012
Est. Priority Date: 12/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating communication between a server and a first client, comprising:

forming a first secured communication channel between the server and the first client using an initial transport layer security (TLS) key;

forming an authenticated common gateway interface (CGI) session over the first secured communication channel based on an initial CGI session identifier (ID);

combining the initial CGI session ID and the initial TLS key into a pair;

receiving incoming data that includes an incoming CGI session ID via the first secured communication channel or a second secured communication channel;

retrieving an incoming TLS key of the first or the second secured communication channel that carries the incoming CGI session ID; and

permitting the incoming data to execute on the server when the incoming TLS key matches the initial TLS key of the pair.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The prevention of impersonation attacks based on hijacked common gateway interface (CGI) session IDs is disclosed. In accordance with one embodiment, a secured communication channel is formed between a server and a client using an initial transport layer security (TLS) key. Additionally, an authenticated CGI session is formed over the secured communication channel based on an initial CGI session identifier (ID). Further, the initial CGI session ID and the initial TLS key are combined into a pair. Next, incoming data that includes an incoming CGI session ID is received via a secured communication channel. An incoming TLS key of the secured communication channel that carries the incoming CGI session ID is then retrieved. Based on the retrieved incoming TLS key, the incoming data is permitted to execute on the server when the incoming TLS key matches the initial TLS key of the pair.

30 Citations

View as Search Results

20 Claims

1. A method for facilitating communication between a server and a first client, comprising:
- forming a first secured communication channel between the server and the first client using an initial transport layer security (TLS) key;
  
  forming an authenticated common gateway interface (CGI) session over the first secured communication channel based on an initial CGI session identifier (ID);
  
  combining the initial CGI session ID and the initial TLS key into a pair;
  
  receiving incoming data that includes an incoming CGI session ID via the first secured communication channel or a second secured communication channel;
  
  retrieving an incoming TLS key of the first or the second secured communication channel that carries the incoming CGI session ID; and
  
  permitting the incoming data to execute on the server when the incoming TLS key matches the initial TLS key of the pair.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising terminating at least one of the first and second secured communication channels when the incoming TLS key does not match the initial TLS key of the pair.
  - 3. The method of claim 1, further comprising terminating the authenticated CGI session when the incoming TLS key does not match the initial TLS key of the pair.
  - 4. The method of claim 1, wherein the retrieving comprises:
    - Identifying the first or the second communication channel that carries the incoming data and the incoming CGI session ID; and
      
      retrieving the incoming TLS key of the first or second communication channel.
  - 5. The method of claim 1, wherein the retrieving comprises:
    - providing the incoming CGI session ID to an application program interface (API) of a TLS server component; and
      
      retrieving the incoming TLS key of the first or the second communication channel from the TLS server component via the API,wherein the TLS server component is configured to form secured communication channels by negotiating TLS keys for use by the server and one or more clients.
  - 6. The method of claim 1, wherein the receiving incoming data that includes an incoming CGI session ID via the second secured communication channel comprises:
    - forming the second secured communication channel between the server and a second client using another TLS key; and
      
      receiving the incoming data that includes the incoming CGI session ID from the second client via the second secured communication channel.
  - 7. The method of claim 1, wherein the receiving includes receiving incoming malicious data that includes the incoming CGI session ID.

8. A computer readable storage device storing computer-executable instructions that, when executed, cause one or more processors to perform acts comprising:
- forming a first secured communication channel between a server and a first client using an initial transport layer security (TLS) key;
  
  forming an authenticated common gateway interface (CGI) session over the first secured communication channel based on an initial CGI session identifier (ID);
  
  combining the initial CGI session ID and the initial TLS key into a pair at the server;
  
  receiving incoming data that includes an incoming CGI session ID via a second secured communication channel at the server;
  
  retrieving an incoming TLS key of the second secured communication channel that carries the incoming CGI session ID at the server; and
  
  terminating the authenticated CGI session when the incoming TLS key does not match the initial TLS key of the pair.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable storage device of claim 8, the computer-executable instructions causing the one or more processors to perform acts further comprising permitting the incoming data to execute on the server when the incoming TLS key matches the initial TLS key of the pair.
  - 10. The computer readable medium of claim 8, the computer-executable instructions causing the one or more processors to perform acts further comprising terminating the first and second secured communication channels when the incoming TLS key does not match the initial TLS key of the pair.
  - 11. The computer readable medium of claim 8, the wherein the retrieving comprises computer-executable instructions causing the one or more processors to perform acts further comprising:
    - identifying the second communication channel that carries the incoming data and the incoming CGI session ID; and
      
      retrieving the incoming TLS key of the second communication channel.
  - 12. The computer readable medium of claim 8, wherein the retrieving comprises computer-executable instructions causing the one or more processors to perform acts further comprising:
    - providing the incoming CGI session ID to an application program interface (API) of a TLS server component; and
      
      retrieving the incoming TLS key of the second communication channel from the TLS server component via the API,wherein TLS server component is configured to form secured communication channels by negotiating TLS keys for use by the server and one or more clients.
  - 13. The computer readable medium of claim 8, the wherein the receiving comprises computer-executable instructions causing the one or more processors to perform acts further comprising:
    - forming the second secured communication channel between the server and a second client using another TLS key; and
      
      receiving the incoming data that includes the incoming CGI session ID from the second client via the second secured communication channel.
  - 14. The computer readable medium of claim 8, wherein the receiving comprises computer-executable instructions causing the one or more processors to perform acts further comprising receiving incoming malicious data that includes the incoming CGI session ID.

15. A server, comprising:
- a transport layer security (TLS) server component to form a first secured communication channel between a server and a first client using an initial TLS key;
  
  a first common gateway interface (CGI) platform component to form an authenticated CGI session over the first secured communication channel based on an initial CGI session identifier (ID);
  
  a pairing component to combine the initial CGI session ID and the initial TLS key into a pair at the server;
  
  a second CGI platform component to receive incoming data that includes an incoming CGI session ID via a second secured communication channel at the server;
  
  a retrieval component to retrieve an incoming TLS key of the second secured communication channel that carries the incoming CGI session ID at the server; and
  
  a comparison component to terminate at least one of the first and second secured communication channels when the incoming TLS key does not match the initial TLS key of the pair.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The server of claim 15, wherein the comparison component is to terminate the authenticated CGI session when the incoming TLS key does not match the initial TLS key of the pair.
  - 17. The server of claim 15, wherein the comparison component is to permit the incoming data to execute on the server when the incoming TLS key matches the initial TLS key of the pair.
  - 18. The server of claim 15, wherein the retrieval component is to retrieve an incoming TLS key of the second secured communication channel by:
    - identifying the second communication channel that carries the incoming data and the incoming CGI session ID; and
      
      retrieving the incoming TLS key of the second communication channel.
  - 19. The server of claim 15, further comprising an application program interface (API) to:
    - receiving the incoming CGI session ID of the incoming data from the retrieval component; and
      
      providing the incoming TLS key of the second communication channel that carries the incoming CGI session ID to the retrieval component.
  - 20. The server of claim 15, wherein the TLS server component is to further form the second secured communication channel between the server and a second client using another TLS key, wherein the second CGI platform is to further receive the incoming data that includes the incoming CGI session ID from the second client via the second secured communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Loveless, Peter
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Su, Sarah

Application Number

US12/335,329
Publication Number

US 20100153702A1
Time in Patent Office

1,380 Days
Field of Search

713/151, 713/154, 705/75, 726/22, 726/23
US Class Current

713/151
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

TLS key and CGI session ID pairing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TLS key and CGI session ID pairing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links