Destroying a secure session maintained by a server on behalf of a connection owner

US 8,583,809 B2
Filed: 09/07/2007
Issued: 11/12/2013
Est. Priority Date: 09/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a secure session on behalf of a connection owner, the secure session being maintained by a server that is connected to a wireless device via a communications network, the connection owner being associated with the wireless device, the secure session defining a context for a secure over-the-air device connection between the connection owner and the server;

while establishing the secure session, storing, on both the server and the wireless device, a registration key and a reset key, in association with the secure session, wherein the reset key differs from the registration key;

using the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged between the wireless device and the server; and

upon determining at the wireless device that the registration key is irretrievable from a memory of the wireless device, generating at the wireless device a request to reset the established secure session, using the reset key to generate at the wireless device a first Message Authentication Code (MAC) from the request, and transmitting the request and the first MAC from the wireless device to the server;

upon receipt of the request and the first MAC at the server, destroying the secure session at the server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for establishing a secure over-the-air (OTA) connection between a connection owner and a server, the connection owner being associated with a wireless device connected to the server via a communications network. A secure session is instantiated on behalf of the connection owner, the secure session being maintained by the server and defining a context for the secure OTA connection. A registration key and a reset key are defined, and stored in association with the secure session on both the server and the wireless device. Access to the secure session is controlled using at least the registration key, and the secure session is maintained on the server only as long as the connection owner has a valid registration key.

20 Citations

View as Search Results

17 Claims

1. A method comprising:
- establishing a secure session on behalf of a connection owner, the secure session being maintained by a server that is connected to a wireless device via a communications network, the connection owner being associated with the wireless device, the secure session defining a context for a secure over-the-air device connection between the connection owner and the server;
  
  while establishing the secure session, storing, on both the server and the wireless device, a registration key and a reset key, in association with the secure session, wherein the reset key differs from the registration key;
  
  using the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged between the wireless device and the server; and
  
  upon determining at the wireless device that the registration key is irretrievable from a memory of the wireless device, generating at the wireless device a request to reset the established secure session, using the reset key to generate at the wireless device a first Message Authentication Code (MAC) from the request, and transmitting the request and the first MAC from the wireless device to the server;
  
  upon receipt of the request and the first MAC at the server, destroying the secure session at the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as claimed in claim 1, wherein the connection owner comprises any one of:
    - the wireless device;
      
      a device/application-tuple comprising the wireless device and an application installed on the wireless device; and
      
      a device/application-pair comprising the wireless device, an application installed on the wireless device, and an application executing on a remote server.
  - 3. The method as claimed in claim 1, wherein the act of using the registration key to authenticate messages of the secure session comprises:
    - receiving a message from the connection owner, the message containing a second Message Authentication Code (MAC) generated using at least the Registration key;
      
      validating the second MAC; and
      
      upon successful validation, processing a payload portion of the message using the secure session.
  - 4. The method as claimed in claim 3, wherein the second MAC is calculated using the Registration key alone, and the act of validating the second MAC comprises comparing the second MAC against a checkMAC calculated using the Registration key.
  - 5. The method as claimed in claim 3, wherein the second MAC is calculated using the Registration key in combination with a selected one or more of:
    - at least a portion of the payload; and
      
      one or more fields of a header of the message,and wherein the act of validating the second MAC comprises comparing the second MAC against a checkMAC calculated using the Registration key in combination with the selected one or more of;
      
      at least a portion of the payload; and
      
      one or more fields of the header of the message.
  - 6. The method as claimed in claim 1, wherein as part of the secure session the server stores private information associated with the connection owner and destroying the secure session comprises removing the private information from the server.
  - 7. The method as claimed in claim 6, wherein the private information comprises any of a secure Sockets Layer (SSL) connection, a HTTP cookie, a Windows NT™
    - LAN Manager (NTLM)-authenticated connection and a Windows NT™
      
      LAN Manager (NTLM)-authenticated subscription.

8. A server comprising a processor and a computer readable medium for storing software instructions for controlling the processor to:
- establish, on behalf of a connection owner, a secure session with a wireless device connected to the server over a communications network, the connection owner being associated with the wireless device, the secure session being maintained by the server and defining a context for a secure over-the-air device connection between the connection owner and the server,while establishing the secure session, store in association with the secure session a registration key, a reset key and an identification of the connection owner, wherein the reset key differs from the registration key;
  
  use the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged with the wireless device;
  
  receive from the wireless device a request to reset the established secure session and a Message Authentication Code (MAC), the request generated by the wireless device upon the wireless device having determined that the registration key is irretrievable from a memory of the wireless device; and
  
  upon successfully verifying that the MAC was generated from the request using the reset key, destroy the secure session at the server.
- View Dependent Claims (9, 10)
- - 9. The server as claimed in claim 8, wherein as part of the secure session the server stores private information associated with the connection owner and the software instructions to destroy the secure session at the server control the processor to remove the private information from the server.
  - 10. The server as claimed in claim 9, wherein the private information comprises any of a secure Sockets Layer (SSL) connection, a HTTP cookie, a Windows NT™
    - LAN Manager (NTLM)-authenticated connection and a Windows NT™
      
      LAN Manager (NTLM)-authenticated subscription.

11. A method performed by a server, the method comprising:
- establishing, on behalf of a connection owner, a secure session with a wireless device that is connected to the server via a communications network, the connection owner being associated with the wireless device, the secure session being maintained by the server and defining a context for a secure over-the-air device connection between the connection owner and the server;
  
  while establishing the secure session, storing in association with the secure session a registration key, a reset key and an identification of the connection owner, wherein the reset key differs from the registration key;
  
  using the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged with the wireless device;
  
  receiving from the wireless device a request to reset the established secure session and a Message Authentication Code (MAC), the request generated by the wireless device upon the wireless device having determined that the registration key is irretrievable from a memory of the wireless device; and
  
  upon successfully verifying that the MAC was generated using the reset key, destroying the secure session at the server.
- View Dependent Claims (12, 13)
- - 12. The method as claimed in claim 11, wherein as part of the secure session the server stores private information associated with the connection owner and destroying the secure session at the server comprises removing the private information from the server.
  - 13. The method as claimed in claim 12, wherein the private information comprises any of a secure Sockets Layer (SSL) connection, a HTTP cookie, a Windows NT™
    - LAN Manager (NTLM)-authenticated connection and a Windows NT™
      
      LAN Manager (NTLM)-authenticated subscription.

14. A method performed by a wireless device, the method comprising:
- while connected to a server via a communications network, initiating establishment of a secure session on behalf of a connection owner associated with the wireless device, the secure session being maintained by the server and defining a context for a secure over-the-air device connection between the connection owner and the server;
  
  while initiating establishment of the secure session, storing in association with the secure session a registration key and a reset key, wherein the reset key differs from the registration key;
  
  using the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged between the wireless device and the server; and
  
  upon determining that the registration key is irretrievable from a memory of the wireless device, generating a request to reset the established secure session, using the reset key to generate a Message Authentication Code (MAC) from the request, and transmitting the request and the MAC to the server.

15. A wireless device having data communication capabilities and a memory, the wireless device configured to:
- connect to a server via a communications network for a secure over-the-air (OTA) device connection between a connection owner and the server, the connection owner being associated with the wireless device;
  
  initiate establishment of a secure session on behalf of the connection owner, the secure session being maintained by the server and defining a context for the secure OTA device connection;
  
  while initiating establishment of the secure session, store in association with the secure session a registration key and a reset key in the memory, wherein the reset key differs from the registration key;
  
  use the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged between the wireless device and the server; and
  
  upon determining that the registration key is irretrievable from a memory of the wireless device, use the reset key to generate a Message Authentication Code (MAC) from the request, and transmit the request and the MAC to the server.

16. A non-transitory computer readable medium comprising software instructions, the software instructions controlling a processor of a server to:
- establish, on behalf of a connection owner, a secure session with a wireless device that is connected to the server via a communications network, the connection owner being associated with the wireless device, the secure session being maintained by the server and defining a context for a secure over-the-air device connection between the connection owner and the server;
  
  while establishing the secure session, store in association with the secure session a registration key, a reset key and an identification of the connection owner, wherein the reset key differs from the registration key;
  
  use the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged with the wireless device; and
  
  receive from the wireless device a request to reset the established secure session and a Message Authentication Code (MAC) , the request generated by the wireless device upon the wireless device having determined that the registration key is irretrievable from a memory of the wireless device;
  
  upon successfully verifying that the MAC was generated using the reset key, destroy the secure session at the server.

17. A non-transitory computer readable medium comprising software instructions, the software instructions controlling a wireless device to:
- while connected to a server via a communications network, initiate establishment of a secure session on behalf of a connection owner associated with the wireless device, the secure session being maintained by the server and defining a context for a secure over-the-air device connection between the connection owner and the server;
  
  while initiating establishment of the secure session, store in association with the secure session a registration key and a reset key, wherein the reset key differs from the registration key;
  
  use the registration key to authenticate and optionally to encrypt messages of the established secure session exchanged between the wireless device and the server; and
  
  upon determining that the registration key is irretrievable from a memory of the wireless device, generate a request to reset the established secure session, use the reset key to generate a Message Authentication Code (MAC) from the request, and transmit the request and the MAC to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Sherkin, Alexander, Karmakar, Srimantee, Doktorova, Laura, Vitanov, Kamen, Little, Herbert, Hung, Michael, Fritsch, Brindusa Laura
Primary Examiner(s)
Georgandellis, Andrew
Assistant Examiner(s)
SCOTT, RANDY A

Application Number

US11/851,499
Publication Number

US 20080065777A1
Time in Patent Office

2,258 Days
Field of Search

709/229, 726/2, 713/153, 713/155
US Class Current

709/229
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 67/14   Session management for real...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

Destroying a secure session maintained by a server on behalf of a connection owner

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Destroying a secure session maintained by a server on behalf of a connection owner

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links