Method of bootstrapping an authenticated data session configuration
First Claim
1. A method of bootstrapping configuration for Transport Layer Security “
- TLS-type”
data sessions comprising steps of;
a) procuring a client public key having a private key counterpart;
b) generating at the client entity a registration cryptogram according to a registration procedure to establish a symmetric secret key, and a second cryptogram that binds said client public key and said symmetric secret key;
c) sending at least said client public key, said registration cryptogram, and said second cryptogram to a registration server entity;
d) supplying from the client entity identification data elements for the client entity through at least one TLS-type data session instance connected to the registration server entity in which the client entity uses said private key counterpart, whereas temporary client entity authentication uses said client public key;
e) completing at the registration server entity the server procedures for said registration procedure using said registration cryptogram, whereas this step includes verification of identification data for the client entity including at least one of said data elements supplied from the client entity;
f) verifying at the registration server entity said second cryptogram; and
g) affixing a validity indication to said client public key at the registration server entity, contingent upon successful completion of said registration procedure and said verifying of said second cryptogram.
0 Assignments
0 Petitions
Accused Products
Abstract
An inventive method is disclosed for bootstrapping a trusted client public key at the server side in a client-server model of e-commerce or distributed computer applications. Generally, the invention integrates security technique elements and user procedural elements in such a way that no vulnerability arises due to the decoupling of elements. It is thus aimed at high security application areas. The readily available support of X.509 client security certificates in web browsers is advantageous for easy deployment at the client side. However, serious usability flaws deter the use of client certificates despite their potential for high security client authentication. The invention circumvents this contradiction at the client registration phase, and extends the benefits of simplified reliance on client public-private key pair to production use of the circumvention. Many variations of the inventive idea are disclosed, including the use of a dummy client security certificate that addresses the interoperability pitfalls of the X.509 technology while the trust in the client public key rests on other elements of the inventive method.
-
Citations
25 Claims
-
1. A method of bootstrapping configuration for Transport Layer Security “
- TLS-type”
data sessions comprising steps of;a) procuring a client public key having a private key counterpart; b) generating at the client entity a registration cryptogram according to a registration procedure to establish a symmetric secret key, and a second cryptogram that binds said client public key and said symmetric secret key; c) sending at least said client public key, said registration cryptogram, and said second cryptogram to a registration server entity; d) supplying from the client entity identification data elements for the client entity through at least one TLS-type data session instance connected to the registration server entity in which the client entity uses said private key counterpart, whereas temporary client entity authentication uses said client public key; e) completing at the registration server entity the server procedures for said registration procedure using said registration cryptogram, whereas this step includes verification of identification data for the client entity including at least one of said data elements supplied from the client entity; f) verifying at the registration server entity said second cryptogram; and g) affixing a validity indication to said client public key at the registration server entity, contingent upon successful completion of said registration procedure and said verifying of said second cryptogram. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- TLS-type”
-
12. A method of bootstrapping configuration for Transport Layer Security “
- TLS-type”
data sessions comprising steps of;a) receiving from a client entity at a registration server entity at least a.1) a client public key of said client, where said client public key has a private key counterpart; a.2) a registration cryptogram generated by the client entity according to a registration procedure to establish a symmetric secret key; and a.3) a second cryptogram that binds said client public key and said symmetric key; b) accepting identification data elements for the client entity through at least one TLS-type data session instance connected to the client entity in which the client entity uses said private key counterpart, whereas temporary client entity authentication uses said client public key; c) completing at the registration server entity the server procedures for said registration procedure using said registration cryptogram, whereas this step includes verification of identification data for the client entity including at least one of said data elements accepted from the client entity; d) verifying at the registration server entity said second cryptogram; and e) affixing a validity indication to said client public key at the registration server entity, contingent upon successful completion of said registration procedure and said verifying of said second cryptogram. - View Dependent Claims (13, 14, 15, 16, 17, 18)
- TLS-type”
-
19. A method of bootstrapping configuration for Transport Layer Security “
- TLS-type”
data sessions and using said configuration in at least one TLS-type data session instance connected to a production server entity that enforce client entity authentication, the method comprising steps of;a) procuring a client public key having a private key counterpart; b) generating a registration cryptogram according to a registration procedure to establish a symmetric secret key, and a second cryptogram that binds said client public key and said symmetric secret key; c) sending at least said client public key, said registration cryptogram, and said second cryptogram to a registration server entity; d) supplying identification data elements for the client entity through at least one TLS-type data session instance connected to the registration server entity in which the client entity uses said private key counterpart; and e) transmitting data between the client entity and a production server entity, after said sending step c) and said supplying step d) are completed, using at least one TLS-type data session instance in which the client entity uses said private key counterpart. - View Dependent Claims (20, 21, 22, 23, 24, 25)
- TLS-type”
Specification