Establishing secure, mutually authenticated communication credentials

US 8,549,295 B2
Filed: 05/31/2006
Issued: 10/01/2013
Est. Priority Date: 05/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method for establishing secure, mutually authenticated communication between trusted servers of a trusted network and an edge server of a perimeter network outside the trusted network, said method comprising:

creating, by the edge server of a perimeter network outside the trusted network, a public key, a private key, and a password associated with the edge server in the perimeter network;

creating a self-signed certificate for secure SSL (secure sockets layer) connection on an edge server using said public key and said password;

transferring securely, from the edge server, the public key, the created password, and configuration information related to the edge server to a distributed directory service administered on at least one trusted server within the trusted network, said transferring securely including transferring the self-signed certificate with the public key and the password to the trusted network;

storing, at the edge server, the created private key associated with said edge server;

creating, by the distributed directory service, an edge configuration object associated with the edge server, said edge configuration object including the created public key, the created password associated with the edge server, and the configuration information related to the edge server;

storing, by the distributed directory service, the created edge configuration object in the distributed directory service;

updating, by the distributed directory service, the public key, the created password, and the configuration information associated with the edge server and stored in the edge configuration object to two or more of the trusted servers on the trusted network adapted for communicating with the perimeter network, thereby identifying the edge server to each of the trusted servers adapted for communicating with the perimeter network as a registered edge server;

encrypting, by each trusted server adapted for communicating with the perimeter network, the created password associated with only the particular trusted server with the public key associated with the edge server, such that only said edge server can decrypt the encrypted password associated with the trusted server using the private key stored by said edge server; and

sending, by each trusted server adapted for communicating with the perimeter network, the encrypted password associated with the particular trusted server through the SSL established by the created self-signed certificate to the edge server for authenticating the edge server with respect to each respective trusted server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Establishing secure, mutually authenticated communication between a trusted network and a perimeter network. Servers on the perimeter network may be securely and automatically configured to communicate with the trusted network. Servers not functioning properly may be stopped from communicating with the other servers. Credential information relating to a perimeter server may be automatically, and regularly, updated without intervention.

49 Citations

View as Search Results

18 Claims

1. A method for establishing secure, mutually authenticated communication between trusted servers of a trusted network and an edge server of a perimeter network outside the trusted network, said method comprising:
- creating, by the edge server of a perimeter network outside the trusted network, a public key, a private key, and a password associated with the edge server in the perimeter network;
  
  creating a self-signed certificate for secure SSL (secure sockets layer) connection on an edge server using said public key and said password;
  
  transferring securely, from the edge server, the public key, the created password, and configuration information related to the edge server to a distributed directory service administered on at least one trusted server within the trusted network, said transferring securely including transferring the self-signed certificate with the public key and the password to the trusted network;
  
  storing, at the edge server, the created private key associated with said edge server;
  
  creating, by the distributed directory service, an edge configuration object associated with the edge server, said edge configuration object including the created public key, the created password associated with the edge server, and the configuration information related to the edge server;
  
  storing, by the distributed directory service, the created edge configuration object in the distributed directory service;
  
  updating, by the distributed directory service, the public key, the created password, and the configuration information associated with the edge server and stored in the edge configuration object to two or more of the trusted servers on the trusted network adapted for communicating with the perimeter network, thereby identifying the edge server to each of the trusted servers adapted for communicating with the perimeter network as a registered edge server;
  
  encrypting, by each trusted server adapted for communicating with the perimeter network, the created password associated with only the particular trusted server with the public key associated with the edge server, such that only said edge server can decrypt the encrypted password associated with the trusted server using the private key stored by said edge server; and
  
  sending, by each trusted server adapted for communicating with the perimeter network, the encrypted password associated with the particular trusted server through the SSL established by the created self-signed certificate to the edge server for authenticating the edge server with respect to each respective trusted server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as set forth in claim 1 further comprising storing a private key associated with the public key on the edge server in the perimeter network.
  - 3. A method as set forth in claim 1 further comprising maintaining the self-signed certificate with the public key and the password in a secure state during said transferring.
  - 4. A method as set forth in claim 1 wherein said transferring securely further comprises transferring securely a location identifier associated with the edge server.
  - 5. A method as set forth in claim 1 wherein said sending an encrypted password comprises sending the encrypted password to a stand-alone directory service administered by the edge server being authenticated.
  - 6. A method as set forth in claim 1, said configuration information comprising system configuration data detailing the hardware and software configuration of the edge server.

7. A system for establishing secure, mutually authenticated communication between trusted servers of a trusted network and an edge server of a perimeter network outside the trusted network, said system comprising:
- a distributed directory service for storing information used to secure communication between the trusted servers of the trusted network and the edge server; and
  
  one or more processors configured to execute computer-executable instructions for;
  
  creating, by the edge server of a perimeter network outside the trusted network, a public key, a private key, and a password associated with the edge server in the perimeter network;
  
  creating a self-signed certificate for secure SSL (secure sockets layer) connection on an edge server using said public key and said password;
  
  transferring securely, from the edge server, the public key, the created password, and configuration information related to the edge server to a distributed directory service administered on at least one trusted server within the trusted network, said transferring securely including transferring the self-signed certificate with the public key and the password to the trusted network;
  
  storing, at the edge server, the created private key associated with said edge server;
  
  creating, by the distributed directory service, an edge configuration object associated with the edge server, said edge configuration object including the created public key, the created password associated with the edge server, and the configuration information related to the edge server;
  
  storing, by the distributed directory service, the created edge configuration object in the distributed directory service;
  
  updating, by the distributed directory service, the public key, the created password, and the configuration information associated with the edge server and stored in the edge configuration object to two or more of the trusted servers on the trusted network adapted for communicating with the perimeter network, thereby identifying the edge server to each of the trusted servers adapted for communicating with the perimeter network as a registered edge server;
  
  encrypting, by each trusted server adapted for communicating with the perimeter network, the created password associated with only the particular trusted server with the public key associated with the edge server, such that only said edge server can decrypt the encrypted password associated with the trusted server using the private key stored by said edge server; and
  
  sending, by each trusted server adapted for communicating with the perimeter network, the encrypted password associated with the particular trusted server through the SSL established by the created self-signed certificate to the edge server for authenticating the edge server with respect to each respective trusted server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system as set forth in claim 7, said one or more processors being further configured to execute computer-executable instructions for storing a private key associated with the public key on the edge server in the perimeter network.
  - 9. The system as set forth in claim 7, said one or more processors being further configured to execute computer-executable instructions for maintaining the self-signed certificate with the public key and the password in a secure state during said transferring.
  - 10. The system as set forth in claim 7, said one or more processors being further configured to execute computer-executable instructions for transferring securely a location identifier associated with the edge server.
  - 11. The system as set forth in claim 7, said one or more processors being further configured to execute computer-executable instructions for sending the encrypted password to a stand-alone directory service administered by the edge server being authenticated.
  - 12. The system as set forth in claim 7, said configuration information comprising system configuration data detailing the hardware and software configuration of the edge server.

13. One or more computer-readable memory device having stored thereon computer-executable instructions for establishing secure, mutually authenticated communication between trusted servers of a trusted network and an edge server of a perimeter network outside the trusted network, said computer-executable instructions comprising instructions for:
- creating, by the edge server of a perimeter network outside the trusted network, a public key, a private key, and a password associated with the edge server in the perimeter network;
  
  creating a self-signed certificate for secure SSL (secure sockets layer) connection on an edge server using said public key and said password;
  
  transferring securely, from the edge server, the public key, the created password, and configuration information related to the edge server to a distributed directory service administered on at least one trusted server within the trusted network, said transferring securely including transferring the self-signed certificate with the public key and the password to the trusted network;
  
  storing, at the edge server, the created private key associated with said edge server;
  
  creating, by the distributed directory service, an edge configuration object associated with the edge server, said edge configuration object including the created public key, the created password associated with the edge server, and the configuration information related to the edge server;
  
  storing, by the distributed directory service, the created edge configuration object in the distributed directory service;
  
  updating, by the distributed directory service, the public key, the created password, and the configuration information associated with the edge server and stored in the edge configuration object to two or more of the trusted servers on the trusted network adapted for communicating with the perimeter network, thereby identifying the edge server to each of the trusted servers adapted for communicating with the perimeter network as a registered edge server;
  
  encrypting, by each trusted server adapted for communicating with the perimeter network, the created password associated with only the particular trusted server with the public key associated with the edge server, such that only said edge server can decrypt the encrypted password associated with the trusted server using the private key stored by said edge server; and
  
  sending, by each trusted server adapted for communicating with the perimeter network, the encrypted password associated with the particular trusted server through the secure SSL established by the created self-signed certificate to the edge server for authenticating the edge server with respect to each respective trusted server.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The one or more computer-readable memory device as set forth in claim 13, said computer-executable instructions further comprising instructions for storing a private key associated with the public key on the edge server in the perimeter network.
  - 15. The one or more computer-readable memory device as set forth in claim 13, said computer-executable instructions further comprising instructions for maintaining the self-signed certificate with the public key and the password in a secure state during said transferring.
  - 16. The one or more computer-readable memory device as set forth in claim 13, said computer-executable instructions further comprising instructions for transferring securely a location identifier associated with the edge server.
  - 17. The one or more computer-readable memory device as set forth in claim 13, said computer-executable instructions further comprising instructions for sending the encrypted password to a stand-alone directory service administered by the edge server being authenticated.
  - 18. The one or more computer-readable memory device as set forth in claim 13, said configuration information comprising system configuration data detailing the hardware and software configuration of the edge server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Zhang, Hao, Kay, Jeffrey B., Pearson, Malcolm E., Tribble, Eric D.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Salehi, Helai

Application Number

US11/421,341
Publication Number

US 20070283154A1
Time in Patent Office

2,680 Days
Field of Search

713/169
US Class Current

713/169
CPC Class Codes

H04L 2463/081   applying self-generating cr...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Establishing secure, mutually authenticated communication credentials

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing secure, mutually authenticated communication credentials

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links