Client-server system with security function intermediary

US 20020035685A1
Filed: 09/10/2001
Published: 03/21/2002
Est. Priority Date: 09/11/2000
Status: Abandoned Application

First Claim

Patent Images

1. A method for securing data communication between two computers, comprising the steps of:

providing an intermediary device between the two computers; and

the intermediary device having at least one of predetermined security functions on behalf of one of the computers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary device ensuring high security and lightening load on a client in a client-server system is disclosed. The intermediary device is provided between the server and the client. The intermediary device has a management table for storing security information indicating at least one of server authentication, client authentication, and encryption and decryption, and session information regarding a session formed between the server and the client. The intermediary device performs appropriate security operation depending on a received message on behalf of the client.

129 Citations

44 Claims

1. A method for securing data communication between two computers, comprising the steps of:
- providing an intermediary device between the two computers; and
  
  the intermediary device having at least one of predetermined security functions on behalf of one of the computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 27, 28, 29, 30, 31)
- - 2. The method according to claim 1, wherein the two computers are a server and a client, wherein the intermediary device has said at least one of predetermined security functions on behalf of the client.
  - 3. The method according to claim 2, wherein the predetermined security functions include a server authentication function, a client authentication function, and an encryption and decryption function.
  - 4. The method according to claim 3, wherein the intermediary device has at least the server authentication function of checking validity of a server certification by communicating with a certificate authority that has issued the server certification.
  - 5. The method according to claim 4, further comprising the steps of:
    - the intermediary device sending a server authentication result to the client; and
      
      the client determining from the server authentication result whether the server is authorized, without doing server authentication.
  - 6. The method according to claim 5, wherein, when the server certification is valid, the intermediary device sends a server authentication message to the client, wherein the server authentication message includes an indicator indicating that the server authentication message is a local certification message, wherein the client determines from the indicator that the server authentication has been terminated.
  - 7. The method according to claim 5, wherein, when the server certification is valid, the intermediary device issues a new certification and sends a server authentication message including the new certification to the client, wherein the client determines whether the server is authorized, depending on whether the server authentication message is valid.
  - 8. The method according to claim 7, wherein the client communicates with the intermediary device to determine whether the server authentication message is valid.
  - 9. The method according to claim 5, wherein, when the server certification is not valid, the intermediary device sends an alert message to both the client and the server.
  - 10. The method according to claim 3, wherein the intermediary device has at least the client authentication function of submitting a certification necessary for client authentication to the server.
  - 11. The method according to claim 3, wherein the intermediary device has at least the encryption and decryption function of encrypting and decrypting data transferred between the server and the intermediary device.
  - 12. The method according to claim 11, wherein the encryption and decryption function also encrypts and decrypts data transferred between the client and the intermediary device.
  - 13. The method according to claim 12, wherein a first encryption strength between the server and the intermediary device and a second encryption strength between the client and the intermediary device are individually determined.
  - 14. The method according to claim 11, wherein a secure session has been registered between the server and the client through the intermediary device, the method further comprising the steps of:
    - the client sending a connection request for a new connection on the secure session to the server;
      
      when receiving the connection request from the client, the intermediary device performing negotiation with the server to establish the new connection on behalf of the client.
  - 16. The method according to claim 15, wherein the management table stores security information indicating at least the server authentication, and the step c) comprises the steps of:
    - c.1) when receiving the message from the client, determining whether the received message requests a server certification;
      
      c.2) when the received message requests a server certification, reading information of a certificate authority that has issued the server certification, from the received message;
      
      c.3) accessing the certificate authority according to the information of the certificate authority to determine whether the server certification is valid; and
      
      c.4) when the server certification is valid, sending a server authentication message to the client, wherein the client determines that the server authentication has been made when receiving the server authentication message.
  - 17. The method according to claim 16, wherein in the step c.4), the server authentication message includes an indicator indicating that the server authentication message is a temporary certification message.
  - 18. The method according to claim 16, wherein the step c.4) comprises the steps of:
    - when the server certification is valid, issuing a new certification certifying that the server certification is valid, and sending a server authentication message including the new certification to the client.
  - 19. The method according to claim 15, wherein the management table stores security information indicating at least the client authentication, and the step c) comprises the steps of:
    - c.1) when receiving the message from the server, determining whether the received message requests a client certification;
      
      c.2) when the received message requests a client certification, searching the session management table for a client certification of the client; and
      
      c.3) when the client certification of the client is found, sending a message including the client certification to the server.
  - 20. The method according to claim 15, wherein the management table stores security information indicating at least the encryption and decryption and session information including encryption information for each session, and the step c) comprises the steps of:
    - c.1) receiving a message including first encrypted data from one of the server and the client, wherein the first encrypted data is encrypted according to first encryption information;
      
      c.2) converting the first encrypted data to second encrypted data by referring to the management table, wherein the second encrypted data is encrypted according to second encryption information; and
      
      c.3sending the second encrypted data to the other of the server and the client.
  - 21. The method according to claim 20, wherein the first encrypted data is transferred between the server and the intermediary device, and the second encrypted data is transferred between the intermediary device and the client, wherein the first encryption information is identical to the second encryption information.
  - 22. The method according to claim 20, wherein the first encrypted data is transferred between the server and the intermediary device, and the second encrypted data is transferred between the intermediary device and the client, wherein the first encryption information is different from the second encryption information.
  - 23. The method according to claim 22, wherein an encryption strength of the first encryption information is stronger than that of the second encryption information.
  - 24. The method according to claim 15, wherein the management table stores security information indicating at least the encryption and decryption and session information including encryption information for each session, and the step c) comprises the steps of:
    - c.1) receiving a message including first encrypted data from the server, wherein the first encrypted data is encrypted according to encryption information including a secret key and a predetermined encryption method;
      
      c.2) converting the encrypted data to plain data by referring to the management table;
      
      c.3) sending the plain data to the client;
      
      c.4) receiving a message including plain data from the client;
      
      c.5) converting the plain data to second encrypted data by referring to the management table, wherein the second encrypted data is encrypted according to the encryption information;
      
      c.6) sending the second encrypted data to the server.
  - 26. The system according to claim 25, wherein the intermediary device has at least the server authentication function of checking validity of a server certification by communicating with a certificate authority that has issued the server certification.
  - 27. The system according to claim 25, wherein the intermediary device has at least the client authentication function of submitting a certification necessary for client authentication to the server.
  - 28. The system according to claim 25, wherein the intermediary device has at least the encryption and decryption function of encrypting and decrypting data transferred between the server and the intermediary device.
  - 29. The system according to claim 28, wherein the encryption and decryption function also encrypts and decrypts data transferred between the client and the intermediary device.
  - 30. The system according to claim 29, wherein a first encryption strength between the server and the intermediary device and a second encryption strength between the client and the intermediary device are individually determined.
  - 31. The system according to claim 30, wherein the first encryption strength is stronger than the second encryption strength.

15. A method for transferring data between a server and a client via an intermediary device, comprising the steps of:
- at the intermediary device, a) storing in a management table security information indicating at least one security operation previously selected from server authentication, client authentication, and encryption and decryption, and session information regarding a session formed between the server and the client;
  
  b) receiving a message from one of the client and the server; and
  
  c) performing a security operation for the received message by referring to the management table.

25. A system for securing data communication between a server and a client, comprising:
- an intermediary device between the server and the client, the intermediary device having at least one of a server authentication function, a client authentication function, and an encryption and decryption function on behalf of one of the computers.

32. A data communication system using a security protocol, comprising a server;
- a client;
  
  an intermediary device through which data is transferred between the server and the client, wherein the intermediary device comprises;
  
  a management table for storing security information indicating at least one security operation previously selected from server authentication, client authentication, and encryption and decryption, and session information regarding a session formed between the server and the client; and
  
  a processor section for performing a security operation for a received message by referring to the management table.

33. An intermediary device through which data is transferred between a server and a client, comprises:
- A management table for storing security information indicating at least one security operation previously selected from server authentication, client authentication, and encryption and decryption, and session information regarding a session formed between the server and the client; and
  
  a processor section for performing a security operation for a received message by referring to the management table.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. The intermediary device according to claim 33, wherein the management table stores security information indicating at least the server authentication, and the processor section comprises:
    - a message interpreter for determining whether a message received from the client requests a server certification;
      
      an extractor for extracting information of a certificate authority that has issued the server certification, from the received message, when the received message requests the server certification;
      
      an authentication section for determining whether the server certification is valid by accessing the certificate authority according to the information of the certificate authority; and
      
      a message shaper for, when the server certification is valid, generating a server authentication message to be sent to the client, wherein the client determines that the server authentication has been made when receiving the server authentication message.
  - 35. The intermediary device according to claim 34, wherein the server authentication message includes an indicator indicating that the server authentication message is a temporary certification message.
  - 36. The intermediary device according to claim 34, wherein, when the server certification is valid, the authentication section issues a new certification certifying that the server certification is valid, and the message shaper generates a server authentication message including the new certification to be sent to the client.
  - 37. The intermediary device according to claim 33, wherein the management table stores security information indicating at least the client authentication, and the processor section comprises:
    - a message interpreter for determining whether a message received from the server requests a client certification;
      
      a certification submission section for, when the received message requests a client certification, searching the session management table for a client certification of the client; and
      
      a message shaper for, when the client certification of the client is found, generating a message including the client certification to be sent to the server.
  - 38. The intermediary device according to claim 33, wherein the management table stores security information indicating at least the encryption and decryption and session information including encryption information for each session, and the processor section comprises:
    - a message interpreter for determining whether a message received from one of the server and the client includes first encrypted data that is encrypted according to first encryption information;
      
      an encryption converter for converting the first encrypted data to second encrypted data by referring to the management table, wherein the second encrypted data is encrypted according to second encryption information; and
      
      a message shaper for generating a message including the second encrypted data to the other of the server and the client.
  - 39. The intermediary device according to claim 38, wherein the first encrypted data is transferred between the server and the intermediary device, and the second encrypted data is transferred between the intermediary device and the client, wherein the first encryption information is identical to the second encryption information.
  - 40. The intermediary device according to claim 38, wherein the first encrypted data is transferred between the server and the intermediary device, and the second encrypted data is transferred between the intermediary device and the client, wherein the first encryption information is different from the second encryption information.
  - 41. The intermediary device according to claim 40, wherein an encryption strength of the first encryption information is stronger than that of the second encryption information.
  - 42. The intermediary device according to claim 38, wherein the first encrypted data is transferred between the server and the intermediary device, and the second encrypted data is transferred between the intermediary device and the client, wherein the second encrypted data is decrypted data of the first encrypted data.

43. A computer program instructing an intermediary device for transferring data between a server and a client, the program comprising the steps of:
- a) storing in a management table security information indicating at least one security operation previously selected from server authentication, client authentication, and encryption and decryption, and session information regarding a session formed between the server and the client;
  
  b) receiving a message from one of the client and the server; and
  
  c) performing a security operation for the received message by referring to the management table.

44. A recording medium storing a computer program instructing an intermediary device for transferring data between a server and a client, the program comprising the steps of:
- a) storing in a management table security information indicating at least one security operation previously selected from server authentication, client authentication, and encryption and decryption, and session information regarding a session formed between the server and the client;
  
  b) receiving a message from one of the client and the server; and
  
  c) performing a security operation for the received message by referring to the management table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Ono, Masahiro, Takeda, Kenji

Application Number

US09/950,339
Publication Number

US 20020035685A1
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/33   using certificates

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

Client-server system with security function intermediary

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

129 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Client-server system with security function intermediary

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links