Securing communication over a network using client system authorization and dynamically assigned proxy servers

US 9,065,856 B2
Filed: 03/11/2013
Issued: 06/23/2015
Est. Priority Date: 02/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure access to network resources, comprising:

at a trust broker system having one or more processors and memory storing one or more programs for execution by the one or more processors, wherein the trust broker system enables a client system to connect to a server system through a secure communication session;

receiving, from the client system, a request to access network applications and resources associated with and hosted by the server system;

locating a first virtual domain of a plurality of virtual domains, wherein;

each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and resources;

determining whether the client system is authorized to access the requested network applications and resources, including;

determining the identity of a user associated with the client system; and

determining whether the user associated with the client system is authorized to access the requested network applications and resources, includingretrieving stored permissions of the user associated with the client system; and

determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain;

in response to determining that the client system has authorization to access the requested network applications and resources;

determining, from a plurality of potential proxy servers, a proxy server associated with the server system;

transmitting an identification value for the client system to the determined proxy server, wherein the identification value is an encrypted value identifying the client system;

transmitting the identification value to the client system; and

transmitting, to the client system, contact information for connecting to the determined proxy server, wherein all communication between the client system and the server system associated with the requested network applications and resources passes through the determined proxy server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securing communication over a network is disclosed. A trust broker system receives a request to connect to applications and resources from a client system. The trust broker system determines whether the client system is authorized to connect to the requested applications and resources. In response to determining the client system has authorization to connect to the requested applications and resources, the trust broker system determines, from a plurality of potential proxy servers, a proxy server associated with the requested server system and transmits an identification value for the client system to the requested server system. The trust broker system then transmits the identification value to the client system and transmits contact information for the determined proxy server to the client system, wherein all communication between the client system and the requested server system passes through the proxy server.

45 Citations

12 Claims

1. A method for providing secure access to network resources, comprising:
- at a trust broker system having one or more processors and memory storing one or more programs for execution by the one or more processors, wherein the trust broker system enables a client system to connect to a server system through a secure communication session;
  
  receiving, from the client system, a request to access network applications and resources associated with and hosted by the server system;
  
  locating a first virtual domain of a plurality of virtual domains, wherein;
  
  each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and resources;
  
  determining whether the client system is authorized to access the requested network applications and resources, including;
  
  determining the identity of a user associated with the client system; and
  
  determining whether the user associated with the client system is authorized to access the requested network applications and resources, includingretrieving stored permissions of the user associated with the client system; and
  
  determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain;
  
  in response to determining that the client system has authorization to access the requested network applications and resources;
  
  determining, from a plurality of potential proxy servers, a proxy server associated with the server system;
  
  transmitting an identification value for the client system to the determined proxy server, wherein the identification value is an encrypted value identifying the client system;
  
  transmitting the identification value to the client system; and
  
  transmitting, to the client system, contact information for connecting to the determined proxy server, wherein all communication between the client system and the server system associated with the requested network applications and resources passes through the determined proxy server.
- View Dependent Claims (2, 3, 10)
- - 2. The method of claim 1, wherein determining a proxy server associated with the server system further includes:
    - determining the specific server system associated with the requested network applications and resources by examining a lookup table stored on the trust broker system.
  - 3. The method of claim 2, wherein determining a proxy server associated with the server system further includes:
    - determining the proxy server currently associated with the determined server system.
  - 10. The method of claim 1, wherein determining whether the client system is authorized to access the requested network applications and resources further includes:
    - verifying hardware and/or software integrity of the client system; and
      
      verifying the identity of the user associated with the client system, including receiving a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session.

4. An electronic device for providing secure access to network resources, wherein the electronic device comprises a trust broker system which enables a client system to connect to a server system through a secure communication session, comprising:
- one or more processors;
  
  memory storing one or more programs to be executed by the one or more processors;
  
  the one or more programs comprising instructions for;
  
  receiving, from the client system, a request to access network applications and resources associated with and hosted by the server system;
  
  locating a first virtual domain of a plurality of virtual domains, wherein;
  
  each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and resources;
  
  determining whether the client system is authorized to access the requested network applications and resources, including;
  
  determining the identity of a user associated with the client system; and
  
  determining whether the user associated with the client system is authorized to access the requested network applications and resources, includingretrieving stored permissions of the user associated with the client system; and
  
  determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain;
  
  in response to determining that the client system has authorization to access the requested network applications and resources;
  
  determining, from a plurality of potential proxy servers, a proxy server associated with the server system;
  
  transmitting an identification value for the client system to the determined proxy server, wherein the identification value is an encrypted value identifying the client system;
  
  transmitting the identification value to the client system; and
  
  transmitting, to the client system, contact information for connecting to the determined proxy server, wherein all communication between the client system and the server system associated with the requested network applications and resources passes through the determined proxy server.
- View Dependent Claims (5, 6, 11)
- - 5. The device of claim 4, wherein the instructions for determining a proxy server associated with the server system further include instructions for:
    - determining the specific server system associated with the requested network applications and resources by examining a lookup table stored on the trust broker system.
  - 6. The device of claim 5, wherein the instructions for determining a proxy server associated with the server system further include instructions for:
    - determining the proxy server currently associated with the determined server system.
  - 11. The device of claim 4, wherein the instructions determining whether the client system is authorized to access the requested network applications and resources further include instructions for:
    - verifying hardware and/or software integrity of the client system; and
      
      verifying the identity of the user associated with the client system, including receiving a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session.

7. A non-transitory computer readable storage medium storing one or more programs configured for execution by an electronic device, wherein the electronic device comprises a trust broker system which enables a client system to connect to a server system through a secure communication session, the one or more programs comprising instructions for:
- receiving, from the client system, a request to access network applications and resources associated with and hosted by the server system;
  
  locating a first virtual domain of a plurality of virtual domains, wherein;
  
  each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and resources;
  
  determining whether the client system is authorized to access the requested network applications and resources, including;
  
  determining the identity of a user associated with the client system; and
  
  determining whether the user associated with the client system is authorized to access the requested network applications and resources, includingretrieving stored permissions of the user associated with the client system; and
  
  determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain;
  
  in response to determining that the client system has authorization to access the requested network applications and resources;
  
  determining, from a plurality of potential proxy servers, a proxy server associated with the server system;
  
  transmitting an identification value for the client system to the determined proxy server, wherein the identification value is an encrypted value identifying the client system;
  
  transmitting the identification value to the client system; and
  
  transmitting, to the client system, contact information for connecting to the determined proxy server, wherein all communication between the client system and the server system associated with the requested network applications and resources passes through the determined proxy server.
- View Dependent Claims (8, 9, 12)
- - 8. The non-transitory computer readable storage medium of claim 7, wherein the instructions for determining a proxy server associated with the server system further include instructions for:
    - determining the specific server system associated with the requested network applications and resources by examining a lookup table stored on the trust broker system.
  - 9. The non-transitory computer readable storage medium of claim 8, wherein the instructions for determining a proxy server associated with the server system further include instructions for:
    - determining the proxy server currently associated with the determined server system.
  - 12. The non-transitory computer readable storage medium of claim 7, wherein the instructions determining whether the client system is authorized to access the requested network applications and resources further include instructions for:
    - verifying hardware and/or software integrity of the client system; and
      
      verifying the identity of the user associated with the client system, including receiving a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Vidder, Inc. (Verizon Communications Inc.)
Inventors
Islam, Junaid, Bilger, Brent, Schroeder, Ted
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/794,689
Publication Number

US 20140223537A1
Time in Patent Office

834 Days
Field of Search

726/4, 726/5, 726/7, 726/12, 713/155, 713/156, 713/158, 713/170
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 2101/69   using geographic informatio...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/562   Brokering proxy services

Securing communication over a network using client system authorization and dynamically assigned proxy servers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Securing communication over a network using client system authorization and dynamically assigned proxy servers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links