Mutually authenticated secure channel

US 8,782,414 B2
Filed: 05/07/2007
Issued: 07/15/2014
Est. Priority Date: 05/07/2007
Status: Active Grant

First Claim

Patent Images

1. One or more device-readable storage media, the one or more device-readable storage media storing device-executable instructions for performing a method comprising:

receiving, at a remote access gateway server, a request from a remote device to establish a first secure connection;

forwarding an acknowledgment to the remote device to establish the first secure connection;

establishing the first secure connection from the remote device to the remote access gateway server such that the remote device can accept remote access requests only through the remote access gateway server;

after establishing the first secure connection, receiving, at the remote access gateway server, a request from a client to establish a second secure connection with the remote device;

forwarding the request to establish the second secure connection to the remote device;

receiving a response to the request to establish the second secure connection from the remote device;

forwarding the response to the request to establish the second secure connection to the client;

establishing the second secure connection from the client to the remote device;

receiving, in response to the establishing the second secure connection, encrypted data traffic from the client, wherein the remote access gateway server does not possess a key required to decrypt the encrypted data; and

forwarding the encrypted data traffic from the client to the remote device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and methods for establishing a mutually authenticated secure channel between a client device and remote device through a remote access gateway server. The remote access gateway server forwards secure connection requests and acknowledgements between the client and the remote device such that the remote access gateway does not possess any or all session keys necessary to decrypt communication between the client device and remote device.

45 Citations

View as Search Results

20 Claims

1. One or more device-readable storage media, the one or more device-readable storage media storing device-executable instructions for performing a method comprising:
- receiving, at a remote access gateway server, a request from a remote device to establish a first secure connection;
  
  forwarding an acknowledgment to the remote device to establish the first secure connection;
  
  establishing the first secure connection from the remote device to the remote access gateway server such that the remote device can accept remote access requests only through the remote access gateway server;
  
  after establishing the first secure connection, receiving, at the remote access gateway server, a request from a client to establish a second secure connection with the remote device;
  
  forwarding the request to establish the second secure connection to the remote device;
  
  receiving a response to the request to establish the second secure connection from the remote device;
  
  forwarding the response to the request to establish the second secure connection to the client;
  
  establishing the second secure connection from the client to the remote device;
  
  receiving, in response to the establishing the second secure connection, encrypted data traffic from the client, wherein the remote access gateway server does not possess a key required to decrypt the encrypted data; and
  
  forwarding the encrypted data traffic from the client to the remote device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more device-readable storage media storing device-executable instructions of claim 1, the method further comprising:
    - receiving encrypted data traffic from the remote device, the encrypted data traffic being decryptable by only the client and the remote device; and
      
      forwarding encrypted data traffic from the remote device to the client.
  - 3. The one or more device-readable storage media storing device-executable instructions of claim 1, the method further comprising:
    - receiving a request from the client to create an encrypted tunnel between the client and the remote device;
      
      matching a cryptographically strong identity of the client and a cryptographically strong identity of the remote device;
      
      forwarding the request to create an encrypted tunnel between the client and the remote device in response to positively matching the cryptographically strong identity of the client and the cryptographically strong identity of the remote device; and
      
      forwarding encrypted data traffic from the client and the remote device, without decrypting the encrypted data traffic, in order to create the encrypted tunnel between the client and the remote device.
  - 4. The one or more device-readable storage media storing device-executable instructions of claim 1, the method further comprising:
    - receiving a request from the client to establish a network connection; and
      
      establishing a network connection with the client in response to verifying a cryptographically strong identity of the client.
  - 5. The one or more device-readable storage media storing device-executable instructions of claim 1, the method further comprising:
    - receiving a request from the remote device to establish a network connection;
      
      establishing the network connection with the remote device in response to verifying a cryptographically strong identity of the remote device.
  - 6. The one or more device-readable storage media storing device-executable instructions of claim 1, the method further comprising:
    - receiving a keep alive command from the remote device; and
      
      sending an acknowledgement of the keep alive command to the remote device.
  - 7. The one or more device-readable storage media storing device-executable instructions of claim 1, wherein the client is connected from behind a firewall.
  - 8. The one or more device-readable storage media storing device-executable instructions of claim 1, wherein the remote device is connected from behind a firewall.
  - 9. The one or more device-readable storage media storing device-executable instructions of claim 1, wherein the client has been redirected from a remote access gateway index server.
  - 10. The one or more device-readable storage media storing device-executable instructions of claim 1, wherein the encrypted data traffic comprises remote desktop commands.

11. A system, comprising:
- a client for sending and receiving a first stream of encrypted data, the first stream of encrypted data including remote desktop commands formed by the client based on user input from one or more input devices;
  
  a remote device for sending and receiving a second stream of encrypted data, the second stream of encrypted data including screen update data usable by the client to update a screen in response to the user input from one of more input devices; and
  
  a remote access gateway server, for establishing a cryptographically strong identity of the client, establishing a cryptographically strong identity of the remote device, receiving a request from the remote device to establish a first secure connection with the remote device, after establishing the first secure connection with the remote device, receiving a request from the client to establish a second secure connection with the remote device, establishing a second secure connection from the client to the remote device, and for forwarding the encrypted data sent from the client to the remote device and from the remote device to the client, wherein the remote access gateway server does not possess a key required to decrypt the encrypted data after the secure connection from the client to the remote device has been established, and wherein the remote device can accept remote access requests only through the remote access gateway server during the second secure connection.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, further comprising a remote access gateway index server, for storing an identifier of the remote access gateway server and for receiving a query from the client to locate the remote access gateway server to which the remote device is connected.
  - 13. The system of claim 11, wherein the remote access gateway server is further for establishing a secure sockets layer (SSL) connection to the client.
  - 14. The system of claim 11, wherein the remote access gateway server is further for establishing a secure sockets layer (SSL) connection to the remote device.
  - 15. The system of claim 11, wherein the client includes a digital certificate signed by a digital security authority.
  - 16. The system of claim 11, wherein the remote device includes a digital certificate signed by a digital security authority.
  - 17. The system of claim 11, wherein the first stream of encrypted data is encrypted with a secure sockets layer (SSL) session key.
  - 18. The system of claim 11, wherein the second stream of encrypted data is encrypted with a secure sockets layer (SSL) session key.

19. A method, comprising:
- receiving, at a remote access gateway server, a request from a remote device to establish a secure sockets layer (SSL) connection;
  
  forwarding an acknowledgment to the remote device to establish the securesockets layer (SSL) connection;
  
  establishing the secure sockets layer (SSL) connection with the remote device such that the remote device can accept remote access requests only through the remote access gateway server;
  
  after establishing the secure sockets layer (SSL) connection, receiving, at the remote access gateway server, a request from a client to establish a remote desktop session with the remote device;
  
  matching a cryptographically strong identity of the client with a cryptographically strong identity of the remote device;
  
  forwarding a secure sockets layer (SSL) session establishment command from the client to the remote device;
  
  forwarding a secure sockets layer (SSL) response from the remote device to the client; and
  
  forwarding, between the client and the remote device, remote desktop session data encrypted with a secure sockets layer (SSL) cryptographic session key, the remote desktop session data including remote desktop commands based on one or more of keyboard or mouse data input at the client, the remote desktop data further including screen update data from the remote device and usable by the client to update a screen at the client in response to the keyboard or mouse input data, wherein the remote access gateway server does not possess a key required to decrypt the encrypted data after a secure sockets layer (SSL) session has been established.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein the encrypted data is forwarded asynchronously between the client and the remote device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Patiejunas, Kestutis
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US11/745,418
Publication Number

US 20080282081A1
Time in Patent Office

2,626 Days
Field of Search

713/153, 713/169, 713/168, 726/3, 726/6, 726 10- 15, 709/219, 709/232, 709227-229, 370/352
US Class Current

713/169
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 2209/80   Wireless network architectu...

H04L 43/0811   by checking connectivity

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Mutually authenticated secure channel

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mutually authenticated secure channel

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links