Creating secure interactive connections with remote resources

US 9,038,162 B2
Filed: 06/25/2012
Issued: 05/19/2015
Est. Priority Date: 09/12/2005
Status: Active Grant

First Claim

Patent Images

1. A server computer system comprising:

at least one hardware processor; and

a storage medium storing computer executable instructions which, when executed by the at least one hardware processor, implement a method of creating a secure connection with a client computer system early in a connection process by negotiating secure connection protocols, including the following;

prior to the server indicating to the client computer system one or more secure communication protocols enabled at the server, the server receiving a connection request from a client computer system to communicate with one or more server resources using a secure connection, the connection request including the identity of a plurality of secure communication protocols which are installed at the client computer system, and with which the client computer system is presently enabled for establishing the secure connection;

based on receiving the connection request from the client computer system, the server processing the connection request to select a preferred secure communication protocol to use when establishing the secure connection, including;

the server identifying the one or more secure communication protocols with which the server is presently enabled for establishing secure connections;

the server comparing the plurality of secure communication protocols enabled at the client computer system with the one or more secure communication protocols enabled at the server to determine one or more common secure communication protocols that are common to both the one or more secure communication protocols enabled at the server and the plurality of secure communication protocols enabled at the client computer system; and

the server selecting the preferred secure communication protocol from among the determined one or more common secure communication protocols;

the server sending a connection response to the client computer system, the connection response indicating the determined preferred secure communication protocol;

the server establishing a secure communication channel with the client computer system using the preferred secure communication protocol;

the server confirming use of the preferred secure communication protocol through a data exchange in the secure communication channel established with the client computer system; and

the server communicating data with a client application program of the client computer system through the secure communication channel using the preferred secure communication protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.

Citations

20 Claims

1. A server computer system comprising:
- at least one hardware processor; and
  
  a storage medium storing computer executable instructions which, when executed by the at least one hardware processor, implement a method of creating a secure connection with a client computer system early in a connection process by negotiating secure connection protocols, including the following;
  
  prior to the server indicating to the client computer system one or more secure communication protocols enabled at the server, the server receiving a connection request from a client computer system to communicate with one or more server resources using a secure connection, the connection request including the identity of a plurality of secure communication protocols which are installed at the client computer system, and with which the client computer system is presently enabled for establishing the secure connection;
  
  based on receiving the connection request from the client computer system, the server processing the connection request to select a preferred secure communication protocol to use when establishing the secure connection, including;
  
  the server identifying the one or more secure communication protocols with which the server is presently enabled for establishing secure connections;
  
  the server comparing the plurality of secure communication protocols enabled at the client computer system with the one or more secure communication protocols enabled at the server to determine one or more common secure communication protocols that are common to both the one or more secure communication protocols enabled at the server and the plurality of secure communication protocols enabled at the client computer system; and
  
  the server selecting the preferred secure communication protocol from among the determined one or more common secure communication protocols;
  
  the server sending a connection response to the client computer system, the connection response indicating the determined preferred secure communication protocol;
  
  the server establishing a secure communication channel with the client computer system using the preferred secure communication protocol;
  
  the server confirming use of the preferred secure communication protocol through a data exchange in the secure communication channel established with the client computer system; and
  
  the server communicating data with a client application program of the client computer system through the secure communication channel using the preferred secure communication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The server computer system recited in claim 1, wherein the plurality of secure communication protocols include at least one of RDP, SSL, NTLM, or Kerberos, or a combination thereof.
  - 3. The server computer system as recited in claim 1, wherein the connection request from the client computer system is an X224 connection request extended to include the plurality of secure communication protocols with which the client computer system is enabled, and wherein the connection response is an X224 connection response extended to include the preferred secure communication protocol.
  - 4. The server computer system as recited in claim 1, wherein selecting the preferred secure communication protocol comprises determining that the preferred secure communication protocol is allowed based on a server system setting.
  - 5. The server computer system as recited in claim 1, further including:
    - the server identifying a plurality of server certificates in a certificate store; and
      
      the server determining a preferred one of the plurality of server certificates to send to the client computer system.
  - 6. The server computer system as recited in claim 5, wherein the preferred server certificate is any of a certificate explicitly selected by a user, a certificate configured through a server system policy, or a self-signed server certificate.
  - 7. The server computer system as recited in claim 1, further including:
    - the server receiving client computer system authentication information; and
      
      the server storing the authentication information as part of a connection context for the client computer system.
  - 8. The server computer system as recited in claim 7, further including a step for determining that the client computer system authentication information is invalid, the step comprising one or more of:
    - the server identifying that a timestamp in the client computer system authentication information has expired;
      
      the server identifying that one or more messages have been received from the client computer system that have not included expected authentication information;
      
      orthe server identifying that a received authentication certificate does not match an expected authentication certificate associated with the connection request from the client computer system.
  - 9. The server computer system as recited in claim 1, further including the server receiving a different connection request directed to a Virtual Internet Protocol (VIP) address, wherein the different connection request includes connection information for a prior connection.
  - 10. The server computer system as recited in claim 9, further including:
    - the server identifying that a connection context identified for the prior connection is saved at the server; and
      
      the server allowing the requested different connection.
  - 11. The server computer system as recited in claim 10, further including:
    - the server identifying that a connection context for the prior connection is saved at a different server; and
      
      the server sending a response message to the client computer system, of the response message indicating that the different server is an appropriate server for the different connection request.
  - 12. The server computer system as recited in claim 1, wherein confirming use of the preferred secure communication protocol through a data exchange in the secure communication channel comprises:
    - the server appending one or more messages previously received from the client computer system regarding the initial connection request to an outgoing message prepared by the server, such that the server confirms its selection of the preferred secure communication protocol to the client computer system.
  - 13. The server computer system as recited in claim 1, wherein establishing the secure communication channel with the client computer system comprises exchanging authentication information with the client computer system with the server sending server authentication information to the client computer system.
  - 14. The server computer system as recited in claim 1, wherein the secure communication channel is established in response to a secure channel negotiation message received from the client computer system subsequent to the server the server sending the connection response to the client computer system, the secure channel negotiation message including a proposal of one or more secure channels to use when establishing the secure communication channel, and further including:
    - the server sending a confirmation message to the client computer system which confirms use of at least one of the one or more secure channels.

15. A client computer system comprising:
- at least one hardware processor; and
  
  a storage medium storing computer executable instructions which, when executed by the at least one hardware processor, implement a method of creating a secure connection with a server by negotiating secure communication protocols, including the following;
  
  prior to the client computer system receiving an indication of one or more secure communication protocols enabled at the server, the client computer system identifying a plurality of secure communication protocols, each of the plurality of secure communication protocols being presently installed and enabled at the client computer system and usable by the client computer system to establish a secure connection with the server;
  
  the client computer system sending to the server a connection request including the identity of the plurality of secure communication protocols with which the client computer system is presently enabled for establishing the secure connection;
  
  subsequent to the client computer system sending the connection request, the client computer system receiving a connection response from the server, the connection response specifying a preferred secure communication protocol from among the plurality of secure communication protocols, the preferred secure communication protocol being identified by the server based on the server;
  
  identifying the one or more secure communication protocols with which the server is presently enabled for establishing secure connections;
  
  comparing the plurality of secure communication protocols enabled at the client computer system with the one or more secure communication protocols enabled at the server to determine one or more common secure communication protocols that are common to both the one or more secure communication protocols enabled at the server and the plurality of secure communication protocols enabled at the client computer system; and
  
  selecting the preferred secure communication protocol from among the determined one or more common secure communication protocols;
  
  the client computer system establishing a secure communication channel with the server by at least exchanging authentication information with the server using the preferred secure communication protocol, wherein authentication information from the server comprises any one of a self-signed certificate, a manually installed certificate, or a certificate received from a remote certificate authority; and
  
  the client computer system confirming the use of the secure communication protocol negotiated with the server with one or more initial data packets communicated during negotiation with the server.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The client computer system as recited in claim 15, wherein confirming the use of the secure communication protocol negotiated with the server comprises:
    - the client computer system receiving one or more initial data packets from the server; and
      
      the client computer system identifying information having been previously exchanged with the server appended to any of the one or more initial data packets.
  - 17. The client computer system as recited in claim 15, further including the client computer system storing the server certificate received from the server in a connection context at the client computer system.
  - 18. The client computer system as recited in claim 17, further including:
    - the client computer system identifying that a connection with the server has failed; and
      
      the client computer system sending a reconnection request message to a virtual internet protocol (IP) address for the server, wherein the reconnection request message includes at least some information stored in the connection context.
  - 19. The client computer system as recited in claim 18, further including:
    - the client computer system receiving a response message, including at least one of a new server name and network address for the new server;
      
      the client computer system sending a new reconnection request message to the virtual IP address for the server, the new reconnection request message including the at least one of the new server name and network address for the new server; and
      
      the client computer system reestablishing the connection with the new server in accordance with the connection context.

20. One or more computer storage devices having computer-executable instructions encoded thereon that, when executed at a client computer system in a computerized system in which a server communicates data with a client computer system through a secure connection, cause one or more hardware processors at the client computer system to perform a method of creating the secure connection by negotiating secure communication protocols with the server early in a connection process, the method comprising:
- prior to the client computer system receiving an indication of one or more secure communication protocols enabled at the server, the client computer system identifying a plurality of secure communication protocols, each of the plurality of secure communication protocols being presently installed and enabled at the client computer system and usable by the client computer system to establish a secure connection with the server;
  
  the client computer system sending to the server a connection request including the identity of the plurality of secure communication protocols with which the client computer system is presently enabled for establishing the secure connection;
  
  subsequent to the client computer system sending the connection request, the client computer system receiving a connection response from the server, the connection response specifying a preferred secure communication protocol from among the plurality of secure communication protocols, the preferred secure communication protocol being identified by the server based on the server;
  
  identifying the one or more secure communication protocols with which the server is presently enabled for establishing secure connections;
  
  comparing the plurality of secure communication protocols enabled at the client computer system with the one or more secure communication protocols enabled at the server to determine one or more common secure communication protocols that are common to both the one or more secure communication protocols enabled at the server and the plurality of secure communication protocols enabled at the client computer system; and
  
  selecting the preferred secure communication protocol from among the determined one or more common secure communication protocols;
  
  the client computer system establishing a secure communication channel with the server by at least exchanging authentication information with the server using the preferred secure communication protocol, wherein authentication information from the server comprises any one of a self-signed certificate, a manually installed certificate, or a certificate received from a remote certificate authority; and
  
  the client computer system confirming the use of the secure communication protocol negotiated with the server with one or more initial data packets communicated during negotiation with the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Hagiu, Costin, Saul, Elton, Mahajan, Rajneesh, Kuzin, Sergey A., Parsons, John E., Palekar, Ashwin, Bernardi, Ara, Chik, Joy
Primary Examiner(s)
LEE, JASON T

Application Number

US13/532,593
Publication Number

US 20120266214A1
Time in Patent Office

1,058 Days
Field of Search

726/14, 713/201
US Class Current

726/14
CPC Class Codes

G06F 21/42   using separate channels for...

G06F 21/606   by securing the transmissio...

G06F 2221/2107   File encryption

H04L 63/0823   using certificates cryptogr...

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

Creating secure interactive connections with remote resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Creating secure interactive connections with remote resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links