Server-client secret generation with cached data

US 9,391,771 B2
Filed: 02/06/2014
Issued: 07/12/2016
Est. Priority Date: 02/06/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A method to generate shared secrets between a server and a client, the method comprising:

transmitting, by the server, a plurality of encrypted secrets corresponding to a plurality of data blocks to the client, the plurality of encrypted secrets generated by encryption of each secret with a respective data block in the plurality of data blocks;

recovering, by the client, a first subset of secrets from the plurality of encrypted secrets, wherein the first subset of secrets corresponds to a first subset of data blocks including data cached at the client for application acceleration, and the first subset of data blocks is a subset of the plurality of data blocks;

encrypting a message at the client by use of the first subset of secrets;

transmitting, by the client, the message to the server;

recovering, by the server, the message by use of a second subset of secrets from the plurality of encrypted secrets, wherein the second subset of secrets corresponds to a second subset of data blocks known by the server to be previously stored at the client and the second subset of data blocks is a subset of the plurality of data blocks; and

evaluating, by the server, a security status of the client and a security status of a connection between the server and the client in response to detecting one of;

a change in contents of the data cached at the client when the client has been connected to the server, a lack of change in the contents of the data cached at the client when the client has been disconnected from the server for a period of time, and a security response that contains decryptions of encrypted secrets serving as decoys.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies are provided for shared secret generation between a server and a client using cached data. In some examples, a server may send a number of encrypted secrets to a client that caches a number of data blocks previously provided by the server. Each of the encrypted secrets may be encrypted using a data block that may or may not be cached at the client. The client may then identify the encrypted secrets that correspond to data blocks in its cache and use those data blocks to recover those secrets. The client may then encrypt a message for the server using the recovered secrets. Upon reception of the message, the server may then recover the message using its knowledge of the data blocks cached at the client.

11 Citations

19 Claims

1. A method to generate shared secrets between a server and a client, the method comprising:
- transmitting, by the server, a plurality of encrypted secrets corresponding to a plurality of data blocks to the client, the plurality of encrypted secrets generated by encryption of each secret with a respective data block in the plurality of data blocks;
  
  recovering, by the client, a first subset of secrets from the plurality of encrypted secrets, wherein the first subset of secrets corresponds to a first subset of data blocks including data cached at the client for application acceleration, and the first subset of data blocks is a subset of the plurality of data blocks;
  
  encrypting a message at the client by use of the first subset of secrets;
  
  transmitting, by the client, the message to the server;
  
  recovering, by the server, the message by use of a second subset of secrets from the plurality of encrypted secrets, wherein the second subset of secrets corresponds to a second subset of data blocks known by the server to be previously stored at the client and the second subset of data blocks is a subset of the plurality of data blocks; and
  
  evaluating, by the server, a security status of the client and a security status of a connection between the server and the client in response to detecting one of;
  
  a change in contents of the data cached at the client when the client has been connected to the server, a lack of change in the contents of the data cached at the client when the client has been disconnected from the server for a period of time, and a security response that contains decryptions of encrypted secrets serving as decoys.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - transmitting, by the server, a plurality of identifiers to the client, each identifier associated with a respective encrypted secret in the plurality of encrypted secrets and identifying the respective data block used to encrypt the respective encrypted secret; and
      
      recovering, by the client, the first subset of secrets by use of the plurality of identifiers to identify the encrypted secrets corresponding to the first subset of data blocks.
  - 3. The method of claim 1, wherein the plurality of encrypted secrets includes a random number.
  - 4. The method of claim 1, wherein:
    - the plurality of encrypted secrets includes a third subset of secrets corresponding to a third subset of data blocks known by the server to not be stored at the client; and
      
      the third subset of data blocks is a subset of the plurality of data blocks.
  - 5. The method of claim 1, further comprising:
    - encrypting, by the client, the message by use of every secret in the first subset of secrets;
      
      transmitting, by the client, an indicator of a number of secrets in the first subset of secrets to the server; and
      
      recovering, by the server, the message by use of a permutation of data blocks in the second subset of data blocks based on the indicator.
  - 6. The method of claim 1, wherein the message includes at least one of a handshake, login information, and at least one secret from the first subset of secrets.
  - 7. The method of claim 1, further comprising establishing a secondary secret shared between the server and the client based on the message.

8. A server configured to generate shared secrets with a client, the server comprising:
- a memory configured to store instructions and a plurality of data blocks; and
  
  a processing module configured to;
  
  generate a plurality of encrypted secrets corresponding to the plurality of data blocks by encryption of each secret in a plurality of secrets by use of a respective data block in the plurality of data blocks;
  
  transmit the plurality of encrypted secrets to the client;
  
  receive, from the client, a message encrypted by use of at least one secret from the plurality of encrypted secrets and an indication of a number of secrets from the plurality of encrypted secrets used to encrypt the message; and
  
  recover the message by iteratively using combinations and permutations of a first subset of secrets from the encrypted plurality of secrets to decrypt the message, wherein the first subset of secrets corresponds to a first subset of data blocks known by the server to be previously stored at the client that includes data cached at the client for application acceleration, and the first subset of data blocks is a subset of the plurality of data blocks, and wherein the number of secrets indicated by the client is employed to reduce a number of the combinations and permutations attempted in order to recover the message.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The server of claim 8, wherein the processing module is further configured to:
    - transmit a plurality of identifiers to the client, each identifier associated with a respective encrypted secret in the plurality of encrypted secrets and identify the respective data block used to encrypt the respective encrypted secret.
  - 10. The server of claim 8, wherein the plurality of encrypted secrets includes a random number.
  - 11. The server of claim 8, wherein:
    - the plurality of encrypted secrets includes a second subset of secrets corresponding to a second subset of data blocks known by the server to not be stored at the client; and
      
      the second subset of data blocks is a subset of the plurality of data blocks.
  - 12. The server of claim 8, wherein the message includes at least one of a handshake, login information, and at least one secret from the plurality of secrets.
  - 13. The server of claim 8, wherein the processing module is further configured to establish a secondary secret shared between the server and the client based on the message.

14. A client configured to generate shared secrets with a server, the client comprising:
- a memory configured to store instructions and a first subset of data blocks that includes data cached at the client for acceleration of a web application, wherein the first subset of data blocks is a subset of a plurality of data blocks; and
  
  a processing module configured to;
  
  receive, from the server, a plurality of encrypted secrets corresponding to the plurality of data blocks;
  
  recover a first subset of secrets from the plurality of encrypted secrets, wherein the first subset of secrets corresponds to the first subset of data blocks;
  
  encrypt a message by use of the first subset of secrets;
  
  transmit the message to the server; and
  
  in response to one of a conclusion or a pause of a session of the web application, indicate the memory as available although the memory still comprises the first subset of data blocks that includes the data cached at the client for the acceleration of the web application in order to prevent the first subset of data blocks from consuming visible amounts of the memory and impacting other systems or applications operating on the client.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The client of claim 14, wherein the processing module is further configured to:
    - receive, from the server, a plurality of identifiers, each identifier associated with a respective encrypted secret in the plurality of encrypted secrets and identify the respective data block used to encrypt the respective encrypted secret; and
      
      recover the first subset of secrets by use of the plurality of identifiers to identify the encrypted secrets corresponding to the first subset of data blocks.
  - 16. The client of claim 14, wherein the first subset of secrets includes a random number.
  - 17. The client of claim 14, wherein the processing module is further configured to:
    - encrypt the message by use of every secret in the first subset of secrets; and
      
      transmit an indicator of a number of secrets in the first subset of secrets to the server.
  - 18. The client of claim 14, wherein the message includes at least one of a handshake, login information, and at least one secret from the first subset of secrets.
  - 19. The client of claim 14, wherein the processing, module is further configured to establish a secondary secret shared between the server and the client based on the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Original Assignee
Empire Technology Development LLC (Allied Inventors Management, LLC)
Inventors
Kruglick, Ezekiel
Primary Examiner(s)
Le, David

Application Number

US14/390,368
Publication Number

US 20150349953A1
Time in Patent Office

887 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 2209/08   Randomization, e.g. dummy o...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0861   Generation of secret inform...

H04L 9/0869   involving random numbers or...

Server-client secret generation with cached data

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Server-client secret generation with cached data

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links