Secure message delivery using a trust broker
Abstract
An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.
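The token issuance described above, sketched in Go as an added example (not code from the patent or its assignee). It assumes the first server proves possession of its private key with an RSA-PSS signature over the request, that the token is the symmetric key wrapped with RSA-OAEP, and that the OAEP label carries the sender name; the function names, the `a.example`/`b.example` servers and the 32-byte key size are constructed, and how the first server receives its own copy of the symmetric key is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Broker stands in for the federation server's data store: name -> public key.
type Broker map[string]*rsa.PublicKey

func newKey() *rsa.PrivateKey { // constructed 2048-bit demo key pair
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// SignRequest is the first server's side: sign (from, to) with its private key.
func SignRequest(priv *rsa.PrivateKey, from, to string) ([]byte, error) {
	d := sha256.Sum256([]byte(from + "\x00" + to))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

// IssueToken verifies the sender, then wraps a fresh key for the recipient.
func (b Broker) IssueToken(from, to string, sig []byte) ([]byte, error) {
	d := sha256.Sum256([]byte(from + "\x00" + to))
	sender, recip := b[from], b[to]
	if sender == nil || recip == nil || rsa.VerifyPSS(sender, crypto.SHA256, d[:], sig, nil) != nil {
		return nil, fmt.Errorf("sender identity not verified")
	}
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recip, symKey, []byte(from))
}

// OpenToken is the second server's side: unwrap with its own private key.
func OpenToken(priv *rsa.PrivateKey, from string, token []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, token, []byte(from))
}

func main() {
	a, b := newKey(), newKey()
	broker := Broker{"a.example": &a.PublicKey, "b.example": &b.PublicKey}
	sig, _ := SignRequest(a, "a.example", "b.example")
	token, err := broker.IssueToken("a.example", "b.example", sig)
	fmt.Println(len(token), err)
}
```

Because the sender name is the OAEP label, the second server's unwrap fails if the token is presented as coming from a different sender than the one the broker verified.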
20 Claims
1. A computer-implemented method comprising:
- storing, in a data store associated with a federation server, first identity information associated with a first server and second identity information associated with a second server, wherein:
  - the first server is configured to provide a computing service to a first user,
  - the second server is configured to provide a computing service to a second user,
  - the federation server is configured to communicate with, and act as a trust broker between, the first server and the second server,
  - the first identity information includes a first public key associated with the first server, and
  - the second identity information includes a second public key associated with the second server;
- receiving, by the federation server, a request from the first server for a token for securely sending a message from the first server to the second server over an unsecured communication network between the first server and the second server; and
- in response to the request from the first server:
  - identifying, by the federation server, a first private key from the request;
  - verifying, by the federation server, identity of the first server using the first private key and the first public key;
  - based on verifying the identity of the first server, generating, by the federation server, an encrypted token that is encrypted with the second public key and includes a symmetric key; and
  - sending, by the federation server to the first server, a response to the request, wherein the response includes the encrypted token that is decryptable by the second server using a second private key that is stored in association with the second server and corresponds to the second public key.
8. A computing system comprising:
- at least one processor; and
- memory storing instructions that, when executed by the at least one processor, configure the computing system to:
  - store, in a data store associated with a federation server, first identity information associated with a first server and second identity information associated with a second server, wherein:
    - the first server is configured to provide a computing service to a first user,
    - the second server is configured to provide a computing service to a second user,
    - the federation server is configured to communicate with, and act as a trust broker between, the first server and the second server,
    - the first identity information includes a first public key associated with the first server, and
    - the second identity information includes a second public key associated with the second server;
  - receive, by the federation server, a request from the first server for a token for securely sending a message from the first server to the second server over an unsecured communication network between the first server and the second server; and
  - in response to the request from the first server:
    - identify, by the federation server, a first private key from the request,
    - verify, by the federation server, identity of the first server as a sender of the message using the first private key and the first public key,
    - based on verifying identity of the first server, generate, by the federation server, an encrypted token that is encrypted with the second public key and includes a symmetric key that encrypts the message; and
    - send, by the federation server to the first server, a response to the request, wherein the response includes the encrypted token that is decryptable using a second private key that is stored in association with the second server and corresponds to the second public key.
15. A federation server comprising:
- at least one processor; and
- memory storing instructions executable by the at least one processor, wherein the instructions, when executed, configure the federation server to:
  - store first identity information associated with a first server and second identity information associated with a second server, wherein:
    - the first server is configured to provide a computing service to a first user,
    - the second server is configured to provide a computing service to a second user,
    - the federation server is configured to communicate with, and act as a trust broker between, the first server and the second server,
    - the first identity information includes a first public key associated with the first server; and
    - the second identity information includes a second public key associated with the second server;
  - receive a request from the first server for a token for securely sending a message from the first server to the second server over an unsecured communication network between the first server and the second server; and
  - based on the request, identify a first private key;
  - based on a determination that the first private key corresponds to the first public key associated with the first server, verify identity of the first server as a sender of the request;
  - based on the first server being verified as the sender of the request, generate an encrypted token that is encrypted with the second public key and a symmetric key;
  - send a response to the request to the first server, wherein:
    - the response includes the encrypted token containing the second public key and the symmetric key, and
    - the encrypted token is decryptable using a second private key that is stored in association with the second server and corresponds to the second public key.
Specification