Reverse network authentication for nonstandard threat profiles

US 8,676,998 B2
Filed: 11/29/2007
Issued: 03/18/2014
Est. Priority Date: 11/29/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

deploying a proxy to serve as a representative of a management server, wherein the serve as the representative comprises collecting information to monitor and administer a private network, wherein the private network is a private domain;

managing certificate production and distribution costs of the management server by establishing a half-authenticated data connection between the proxy and the management server using a client certificate, wherein the establishing comprises;

receiving, by the management server, the client certificate from the proxy for authenticating the proxy, without the proxy authenticating the management server;

validating, by the management server, the client certificate to authenticate the proxy, the validation of the client certificate comprising validating a cryptographic challenge of a certificate authority by obtaining a public key of the certificate authority and checking a signature associated with the public key;

creating, by the management server, the half-authenticated data connection with the proxy in response to a successful validation of the client certificate; and

communicating data between the proxy and the management server over the half-authenticated data connection in response to a successful validation of the client certificate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client-server communication protocol permits the server to authenticate the client without requiring the client to authenticate the server. After establishing the half-authenticated connection, the client transmits a request and the server performs or responds accordingly. A network management system and environment where this protocol can be used is also described and claimed.

37 Citations

View as Search Results

21 Claims

1. A method comprising:
- deploying a proxy to serve as a representative of a management server, wherein the serve as the representative comprises collecting information to monitor and administer a private network, wherein the private network is a private domain;
  
  managing certificate production and distribution costs of the management server by establishing a half-authenticated data connection between the proxy and the management server using a client certificate, wherein the establishing comprises;
  
  receiving, by the management server, the client certificate from the proxy for authenticating the proxy, without the proxy authenticating the management server;
  
  validating, by the management server, the client certificate to authenticate the proxy, the validation of the client certificate comprising validating a cryptographic challenge of a certificate authority by obtaining a public key of the certificate authority and checking a signature associated with the public key;
  
  creating, by the management server, the half-authenticated data connection with the proxy in response to a successful validation of the client certificate; and
  
  communicating data between the proxy and the management server over the half-authenticated data connection in response to a successful validation of the client certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein establishing the half-authenticated data connection further comprising:
    - establishing a bidirectional data connection according to a low-level protocol from a client to the management server;
      
      commencing a reversed Secure Sockets Layer (“
      
      SSL”
      
      ) protocol negotiation, wherein the management server takes a role according to an SSL client and the client takes a role according to an SSL server;
      
      transmitting a certificate from the client to the management server in the reversed SSL protocol negotiation; and
      
      completing the reversed SSL protocol negotiation.
  - 3. The method of claim 1, wherein communicating comprises transmitting a request from a client to the management server, the request is to obtain system information including at least one of a system uptime, a system load average, a system free memory, a system network utilization, or a system disk utilization.
  - 4. The method of claim 3 wherein the request is to obtain system hardware characteristic including at least one of an installed processor identification, an installed memory size, a network hardware identifier, or a disk identifier.
  - 5. The method of claim 3, wherein the request is to change a status of the management server including one of a system reset or a system shutdown.
  - 6. The method of claim 1, wherein the half-authentication data connection comprises an anonymous data connection between a client and the management server in which at least the server remains anonymous and cannot authenticate the client.
  - 7. The method of claim 1, further comprising terminating the half-authenticated data connection between a client and the management server once the data has been communicated.

8. A non-transitory computer-readable storage medium containing data and instructions to cause a hardware processor to execute operations comprising:
- deploying, by the hardware processor, a proxy to serve as a representative of a management server, wherein the serve as the representative comprises collecting information to monitor and administer a private network, wherein the private network is a private domain;
  
  managing certificate production and distribution costs of the management server by establishing a half-authenticated data connection between the proxy and the management server using a client certificate, wherein the establishing comprises;
  
  receiving, by the management server, the client certificate from the proxy for authenticating the proxy, without the proxy authenticating the management server;
  
  validating, by the management server, the client certificate to authenticate the proxy, the validation of the client certificate comprising validating a cryptographic challenge of a certificate authority by obtaining a public key of the certificate authority and checking a signature associated with the public key;
  
  creating, by the management server, the half-authenticated data connection with the proxy in response to a successful validation of the client certificate; and
  
  communicating data between the proxy and the management server over the half-authenticated data connection in response to a successful validation of the client certificate.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, further comprising:
    - establishing a bidirectional data connection according to a low-level protocol from a client to the management server;
      
      commencing a reversed Secure Sockets Layer (“
      
      SSL”
      
      ) protocol negotiation, wherein the management server takes a role according to an SSL client and the client takes a role according to an SSL server;
      
      transmitting the certificate from the client to the management server in the reversed SSL protocol negotiation; and
      
      completing the reversed SSL protocol negotiation.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein communicating comprises transmitting a request from a client to the management server, the request is to obtain system information including at least one of a system uptime, a system load average, a system free memory, a system network utilization, or a system disk utilization.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein the request is to obtain system hardware characteristic including at least one of an installed processor identification, an installed memory size, a network hardware identifier, or a disk identifier.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein the request is to change a status of the management server including one of a system reset or a system shutdown.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the half-authentication data connection comprises an anonymous data connection between a client and the management server in which at least the management server remains anonymous.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the operations further include terminating the half-authenticated data connection between a client and the management server once the data has been communicated.

15. A system comprising:
- a memory to store instructions for half-authentication, anda hardware processor to execute the instructions,wherein the instructions cause the hardware processor to;
  
  deploy a proxy to serve as a representative of a management server, wherein the serve as the representative comprises collect information to monitor and administer a private network, wherein the private network is a private domain;
  
  manage certificate production and distribution costs of the management server by establish a half-authenticated data connection between the proxy and the management server using a client certificate, wherein the establish comprises;
  
  receive the client certificate from the proxy for authenticating the proxy, without the proxy authenticating the management server;
  
  validate the client certificate to authenticate the proxy, the validation of the client certificate comprising validate a cryptographic challenge of a certificate authority by obtaining a public key of the certificate authority and check a signature associated with the public key;
  
  create the half-authenticated data connection with the proxy in response to a successful validation of the client certificate; and
  
  communicate data between the proxy and the management server over the half-authenticated data connection in response to a successful validation of the client certificate.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, further comprising:
    - establish a bidirectional data connection according to a low-level protocol from the client to the management server;
      
      commence a reversed Secure Sockets Layer (“
      
      SSL”
      
      ) protocol negotiation, wherein the management server takes a role according to an SSL client and the client takes a role according to an SSL server;
      
      transmit the certificate from the client to the management server in the reversed SSL protocol negotiation; and
      
      complete the reversed SSL protocol negotiation.
  - 17. The system of claim 15, wherein to communicate comprises the hardware processor to transmit a request from a client to the management server, the request is to obtain system information including at least one of a system uptime, a system load average, a system free memory, a system network utilization, or a system disk utilization.
  - 18. The system of claim 17, wherein the request is to obtain system hardware characteristic including at least one of an installed processor identification, an installed memory size, a network hardware identifier, or a disk identifier.
  - 19. The system of claim 17, wherein the request is to change a status of the management server including one of a system reset or a system shutdown.
  - 20. The system of claim 15, wherein the half-authentication data connection comprises an anonymous data connection between a client and the management server in which at least the management server remains anonymous.
  - 21. The system of claim 15, wherein the hardware processor is further to terminate the half-authenticated data connection between a client and the management server once the data has been communicated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James P.
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
VOSTAL, ONDREJ C

Application Number

US11/947,446
Publication Number

US 20090144436A1
Time in Patent Office

2,301 Days
Field of Search

709/229
US Class Current

709/229
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

Reverse network authentication for nonstandard threat profiles

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Reverse network authentication for nonstandard threat profiles

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links