USE AND GENERATION OF A SESSION KEY IN A SECURE SOCKET LAYER CONNECTION

US 20110231650A1
Filed: 05/27/2011
Published: 09/22/2011
Est. Priority Date: 05/01/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for establishing a secure connection and authenticating a server in connections formed with PKI procedures, wherein a server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection, said method offering an alternative for authenticating the server public key, and comprising:

generating a server authentication key by the server,transmitting said server public key by the server to the client in clear text form;

generating a client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret;

generating server authentication information from data derived from the server public key and processed with a symmetric cryptographic algorithm and the server authentication key,sending said server authentication information to the client,verifying the server authentication information at the client in order to authenticate the server public key, said verifying using the client authentication key to determine that the server authentication information is based on said server authentication key and the server public key used in establishing the secure connection and received from the server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention describes a method and system for verifying the link between a public key and a server'"'"'s identity without relying on the trustworthiness of the root certificate of the server'"'"'s certificate chain. The system establishes a secure socket layer type connection between a client and a server. The client and the server create an identical authentication key using a shared secret known to the server and the client. Next, the server transmits a first encrypted message to the client, wherein the first encrypted message includes the server'"'"'s public key encrypted with the authentication key. Then, the client decrypts the first encrypted message and verifies the correctness of that message including comparing the public key included in the decrypted first encrypted message to the public key transmitted during the set-up of the secure socket layer type connection to authenticate the client.

52 Citations

View as Search Results

46 Claims

1. A method for establishing a secure connection and authenticating a server in connections formed with PKI procedures, wherein a server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection, said method offering an alternative for authenticating the server public key, and comprising:
- generating a server authentication key by the server,transmitting said server public key by the server to the client in clear text form;
  
  generating a client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret;
  
  generating server authentication information from data derived from the server public key and processed with a symmetric cryptographic algorithm and the server authentication key,sending said server authentication information to the client,verifying the server authentication information at the client in order to authenticate the server public key, said verifying using the client authentication key to determine that the server authentication information is based on said server authentication key and the server public key used in establishing the secure connection and received from the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23)
- - 2. A method as recited in claim 1 wherein:
    - the server authentication key is used for encrypting the server authentication information with a symmetric encryption algorithm; and
      
      which further includes;
      
      decrypting, at the client, the received server authentication information with the client authentication key and a symmetric decryption algorithm, andwherein said verifying implements verifying the correctness of the server authentication information at the client by comparing the decrypted server authentication information with the server public key used in establishing the secure connection and received from the server.
  - 3. The method of claim 2 wherein the server authentication information includes a server certificate.
  - 4. The method of claim 2 wherein the secure connection includes an SSL connection.
  - 5. The method of claim 2 wherein the secure connection includes an WTLS connection.
  - 6. The method of claim 2 wherein the secure connection includes an IPSEC connection.
  - 7. The method of claim 2 wherein the secure connection includes a TLS connection.
  - 8. The method of claim 2 wherein the secret is generated by a strong authentication token.
  - 9. The method as recited in claim 2 which further includes:
    - sending client information to the server to authenticate the client, the client information encrypted by the client using the client authentication key and decrypted by the server using the server authentication key, the correctness of the client information verified by the server.
  - 10. The method of claim 2 wherein the server authentication information includes the server public key.
  - 11. The method of claim 2 wherein the server authentication information includes data derived from the server public key.
  - 12. The method of claim 8 wherein the strong authentication token is a challenge response token, wherein generating an authentication key by both the server and the client includes:
    - sending a challenge from a server to the strong authentication token;
      
      generating a first strong authentication token response to the challenge at the client;
      
      generating a second strong authentication token response to the challenge at the server, the first response identical to the second response when the secret is common to the client and server;
      
      deriving a client authentication key by the client from the first strong authentication token response;
      
      deriving a server authentication key by the server from the second strong authentication token response.
  - 23. The method of claim 11 wherein the data derived from the server public key includes a hash of the server public key.

13. A method for authenticating a server public key and establishing a secure connection between a client and a server, the connection formed with PKI procedures and including a symmetric key established using the server public key with asymmetric cryptography, said symmetric key used to encrypt communications during the connection with symmetric cryptography, the method offering an alternative for authenticating the server public key, and comprising:
- transmitting a server certificate from the server to the client, the server certificate including server public key information;
  
  generating separate authentication keys by the server and the client, the keys being identical as generated using a common secret, said generating separate authentication keys including;
  
  sending user authentication information from the client to the server;
  
  exchanging dynamic information between the client and the server;
  
  generating a secret by the client and the server from the response of a strong authentication token; and
  
  generating authentication keys at client and server using the user authentication information, the dynamic information, and the secret;
  
  thereaftergenerating server authentication information at the server from data derived from the server public key and processed with a symmetric cryptographic algorithm and the server authentication key;
  
  sending said server authentication information to the client;
  
  receiving the server authentication information at the client, andverifying the server authentication information at the client in order to authenticate the server public key, said verifying using the client authentication key to determine that the server authentication information is based on said server authentication key and the server public key information from the server certificate.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 24)
- - 14. A method as recited in claim 13 wherein:
    - said generating server authentication information comprises encrypting data related to the server public key using the server authentication key and a symmetric encryption algorithm;
      
      said verifying includes decrypting the received server authentication information at the client using a symmetric decryption algorithm and the client authentication key; and
      
      determining the correctness of the server authentication information by comparing the decrypted server authentication information with the server public key information from the server certificate.
  - 15. The method of claim 14 wherein the user authentication information includes a user identification information.
  - 16. The method of claim 14 wherein the secure connection is an SSL connection.
  - 17. The method of claim 14 wherein the dynamic information includes random information.
  - 18. The method of claim 14 wherein the strong authentication token includes a challenge- response strong authentication token, wherein the secret is derived from the response of the challenge response token.
  - 19. The method as recited in claim 14 further including:
    - sending encrypted user authentication information to the server, the user authentication information encrypted by the client using the authentication key generated by the client; and
      
      receiving and decrypting the user authentication information by the server, the server decrypting the user authentication information using the authentication key created by the server, the correctness of the user authentication information verified by the server.
  - 20. The method of claim 14 wherein the server certificate transmitted to the client includes the server public key.
  - 21. The method of claim 14 wherein the server authentication information includes the server public key.
  - 22. The method of claim 14 wherein the server authentication information includes data derived from the server public key.
  - 24. The method of claim 22 wherein the data derived from the server public key includes a hash of the server public key.

25. A method for establishing a secure connection using PKI procedures and authenticating a server public key, wherein the server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection and offering an alternative for authenticating the server public key where a server authentication key is generated by the server and used to create server authentication information for transmission to the client, said method comprisinggenerating a client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret;
- receiving the server public key in clear text form from the server;
  
  receiving the server authentication information at the client to authenticate the server public key, the server authentication information including data derived from the server'"'"'s public key and processed with a server authentication key and with a symmetric cryptographic algorithm; and
  
  verifying the server authentication information at the client in order to authenticate the server public key, said verifying using the client authentication key to determine that the server authentication information is based on the server authentication key and the server public key used in establishing the secure connection and received from the server.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 45)
- - 26. A method as recited in claim 25 wherein the server authentication key is used to encrypt the server authentication information for transmission to the client, wherein said method further includes:
    - decrypting, at the client, the received server authentication information with the client authentication key and a symmetric decryption algorithm to obtain decrypted data, andwherein said verifying includes verifying the correctness of the server authentication information at the client in order to authenticate the server public key by comparing the decrypted data with the server public key used in establishing the secure connection and received from the server.
  - 27. The method of claim 26 wherein the server authentication information includes a server certificate.
  - 28. The method of claim 26 wherein the secure connection includes an SSL connection.
  - 29. The method of claim 26 wherein the secure connection includes an WTLS connection.
  - 30. The method of claim 26 wherein the secure connection includes an IPSEC connection.
  - 31. The method of claim 26 wherein the secure connection includes a TLS connection.
  - 32. The method of claim 26 wherein the secret is generated by a client strong authentication token.
  - 33. The method as recited in claim 26 which further includes:
    - sending client information to the server to authenticate the client, the client information encrypted by the client using the client authentication key.
  - 34. The method of claim 26 wherein the server authentication information includes the server public key.
  - 35. The method of claim 32 wherein the strong authentication token is a challenge response token, wherein generating an authentication key by the client includes:
    - receiving a challenge from the server for the strong authentication token;
      
      generating a strong authentication token response to the challenge at the client; and
      
      deriving a client authentication key by the client from the strong authentication token response.
  - 45. The method of claim 26 wherein the data derived from the server public key includes a hash of the server public key.

36. A method for authenticating a server public key and establishing a secure connection between a client and a server, the connection formed with PKI procedures and including a symmetric key, established using the server public key with asymmetric cryptography, to encrypt communications during the connection with symmetric cryptography, the method offering an alternative for authenticating the server public key, and comprising:
- receiving a server certificate at the client, the server certificate including server public key information in clear text form;
  
  generating an authentication key by the client corresponding to an authentication key generated at the server, the keys being identical as generated using a common secret, said generating an authentication key by the client including;
  
  sending user authentication information from the client to the server;
  
  exchanging dynamic information between the client and server,generating a secret by the client from a response of a client strong authentication token corresponding to a secret generated by the server; and
  
  the client generating said authentication key, corresponding to an authentication key generated at the server, using the user authentication information, the dynamic information, and the secret;
  
  thereafterreceiving server authentication information at the client, the server authentication information including data derived from the server public key, processed using the authentication key generated by the server and a symmetric cryptographic algorithm; and
  
  verifying the server authentication information at the client by using the client authentication key to determine that the server authentication information is based on the server authentication key and the server public key information received in clear text form.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 46)
- - 37. A method as recited in claim 36 wherein;
    - said receiving server authentication information comprises receiving server authentication information encrypted using the authentication key generated by the server and a symmetric encryption algorithm, and whereinsaid verifying further comprises;
      
      decrypting the server authentication information by the client, the client decrypting the server authentication information using a symmetric decryption algorithm and the authentication key created by the client, andcomparing the decrypted server authentication information at the client with server public key information received in clear text form.
  - 38. The method of claim 36 wherein the user authentication information includes a user identification information.
  - 39. The method of claim 36 wherein the secure connection is an SSL connection.
  - 40. The method of claim 36 wherein the dynamic information includes random information.
  - 41. The method of claim 36 wherein the strong authentication token includes a challenge-response strong authentication token, wherein the secret is derived from the response of the challenge response token.
  - 42. The method as recited in claim 36 further including:
    - sending encrypted user authentication information to the server, the user authentication information encrypted by the client using the authentication key generated by the client.
  - 43. The method of claim 36 wherein the server certificate received by the client includes the server public key.
  - 44. The method of claim 36 wherein the server authentication information includes the server public key.
  - 46. The method of claim 37 wherein the data derived from the server public key includes a hash of the server public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Frank Coulier
Original Assignee
Frank Coulier
Inventors
Coulier, Frank

Application Number

US13/117,656
Publication Number

US 20110231650A1
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0869   for achieving mutual authen...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

USE AND GENERATION OF A SESSION KEY IN A SECURE SOCKET LAYER CONNECTION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

USE AND GENERATION OF A SESSION KEY IN A SECURE SOCKET LAYER CONNECTION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links