Multi-access virtual private network
Abstract
A virtual private network for communicating between a server and clients over an open network uses an applications level encryption and mutual authentication program and at least one shim positioned above either the socket, transport driver interface, or network interface layers of a client computer to intercept function calls, requests for service, or data packets in order to communicate with the server and authenticate the parties to a communication and enable the parties to the communication to establish a common session key. Where the parties to the communication are peer-to-peer applications, the intercepted function calls, requests for service, or data packets include the destination address of the peer application, which is supplied to the server so that the server can authenticate the peer and enable the peer to decrypt further direct peer-to-peer communications.
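The architecture the abstract describes, modelled as an added example that is not code from the patent or from any product practising it: a socket-level shim intercepts the application's connect() and send(), diverts the peer's destination address to a key server that mutually authenticates each client by challenge-response, and hands both ends material from which they recreate one shared session key before data reaches the transport layer. The names (KeyServer, ClientShim), the protocol messages, the HMAC-based sealing format and the sample addresses are this example's own assumptions, and in-process method calls stand in for the messages that would cross the open network.

```python
# Added example, not code from the patent: an in-process model of the abstract's
# socket shim. Names, protocol, wire format and addresses are assumptions; stdlib only.
import hashlib
import hmac
import os
import struct


def hkdf(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), first output block only (32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC over an HMAC-SHA256 keystream; a real shim would use AES-GCM."""
    enc_key, mac_key = key[:16], key[16:]
    nonce = struct.pack(">Q", seq)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, packet: bytes) -> bytes:
    enc_key, mac_key = key[:16], key[16:]
    nonce, ct, tag = packet[:8], packet[8:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyServer:
    """The VPN server: mutually authenticates each client and issues session keys."""

    def __init__(self, registry: dict):
        self.registry = registry   # client_id -> pre-shared long-term secret (assumed)
        self.pending = {}          # (client_id, client_nonce) -> server_nonce
        self.sessions = {}         # destination address -> session key

    def challenge(self, client_id: str, client_nonce: bytes):
        secret = self.registry[client_id]
        server_nonce = os.urandom(16)
        self.pending[(client_id, client_nonce)] = server_nonce
        proof = hmac.new(secret, b"server" + client_nonce + server_nonce, hashlib.sha256).digest()
        return server_nonce, proof   # the server authenticates to the client first

    def finish(self, client_id: str, client_nonce: bytes, client_proof: bytes, dst: tuple) -> bytes:
        secret = self.registry[client_id]
        server_nonce = self.pending.pop((client_id, client_nonce))
        expected = hmac.new(secret, b"client" + client_nonce + server_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, client_proof):
            raise PermissionError(f"client {client_id} failed authentication")
        channel_key = hkdf(secret, client_nonce + server_nonce, b"channel")
        session_key = self.sessions.setdefault(dst, os.urandom(32))
        return seal(channel_key, 0, session_key)   # session key wrapped for this client only


class ClientShim:
    """Sits between the application and the socket, intercepting connect() and send()."""

    def __init__(self, client_id: str, secret: bytes, server: KeyServer):
        self.client_id, self.secret, self.server = client_id, secret, server
        self.session_key, self.seq = None, 0

    def _authenticate(self, dst: tuple) -> bytes:
        client_nonce = os.urandom(16)
        server_nonce, proof = self.server.challenge(self.client_id, client_nonce)
        expected = hmac.new(self.secret, b"server" + client_nonce + server_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("server failed authentication")
        client_proof = hmac.new(self.secret, b"client" + client_nonce + server_nonce, hashlib.sha256).digest()
        wrapped = self.server.finish(self.client_id, client_nonce, client_proof, dst)
        channel_key = hkdf(self.secret, client_nonce + server_nonce, b"channel")
        return unseal(channel_key, wrapped)   # recreate the session key locally

    def connect(self, dst: tuple) -> None:
        # Intercepted connect(): the peer's address is diverted to the server first.
        self.session_key = self._authenticate(dst)

    def send(self, data: bytes) -> bytes:
        # Intercepted send(): encrypt before the transport layer packetises the data.
        packet = seal(self.session_key, self.seq, data)
        self.seq += 1
        return packet


def demo() -> bytes:
    """Peer-to-peer flow: alice connects to bob and both end up holding one session key."""
    server = KeyServer({"alice": os.urandom(32), "bob": os.urandom(32)})
    alice = ClientShim("alice", server.registry["alice"], server)
    bob = ClientShim("bob", server.registry["bob"], server)
    peer_addr = ("10.0.0.2", 9000)   # constructed: bob's listening address
    alice.connect(peer_addr)         # diverted to the server, which authenticates alice
    bob.connect(peer_addr)           # bob's shim authenticates and fetches the key for its own address
    return unseal(bob.session_key, alice.send(b"hello from alice"))
```

Two caveats a practitioner would check against the claims. First, `seal`/`unseal` is a portable stand-in for a real AEAD; the point is where encryption happens (above the socket, before the transport driver interface packetises the data), not the cipher. Second, the example keys sessions by destination address alone, so any registered client that authenticates and names that address receives the key; the claims avoid this by having the server itself contact and mutually authenticate the peer before enabling it to reconstruct the key, so a production server must bind each session to both authenticated identities. Note also that a user-mode socket shim only covers applications that load it, which is why the claims additionally place shims at the transport driver interface and network driver layers.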
398 Citations
28 Claims
1. Apparatus for carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising:
means for intercepting function calls and requests for service sent by an applications program on one of said client computers to a lower level set of communications drivers; means for causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate a session key, and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network, and means for intercepting files packaged by a transport driver interface layer to form packets and encrypting the packets using a session key generated during communications between corresponding lower layers of the server and said one of said client computers.
2. Apparatus for carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising:
means for intercepting function calls and requests for service sent by an applications program on one of said client computers to a lower level set of communications drivers; and means for causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate a session key, and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network, and further comprising means for intercepting a destination address during initialization of communications between said one of said client computers and a second of said client computers on said virtual private network; means for causing said applications level authentication and encryption program to communicate with the server in order to enable the applications level authentication and encryption program to generate said session key; means for transmitting said destination address to said server; means for causing said server to communicate with the second of said two client computers; means for enabling said second of said two client computers to recreate the session key; means for causing said authentication software to encrypt files to be sent to the destination address using the session key; and means for transmitting the encrypted files directly to the destination address. (Dependent claim 3 not shown.)
4. A multi-tier virtual private network, comprising:
a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; at least one lower level set of communications drivers; and a shim arranged to intercept function calls and requests for service sent by an applications program to the lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer, and wherein said applications program is a peer-to-peer communications program, wherein a peer application destination address, included in said function calls to the socket, is diverted by the socket shim, and wherein a destination address including said intercepted function calls is supplied to the server during communications with the server, causing the server to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network.
5. A multi-tier virtual private network, comprising:
a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; at least one lower level set of communications drivers; and a shim arranged to intercept function calls and requests for service sent by an applications program to the lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer, and further including a transport driver interface shim positioned between the transport driver interface layer and a second applications program, for intercepting requests from the second applications program for service by the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer. (Dependent claim 6 not shown.)
7. A multi-tier virtual private network, comprising:
a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; at least one lower level set of communications drivers; and a shim arranged to intercept function calls and requests for service sent by an applications program to the lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, and wherein said lower level set of communications drivers includes a network driver layer, and a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and wherein said shim is a transport driver interface layer shim positioned between the applications program and the transport driver interface layer to intercept service requests by the applications program to the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer. (Dependent claims 8 and 9 not shown.)
10. A multi-tier virtual private network, comprising:
a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and at least one lower level set of communications drivers, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and a network driver layer shim positioned between the transport driver interface layer and the network driver layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.
11. A multi-tier virtual private network, comprising:
a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and further comprising means for securing peer-to-peer communications between applications on two of said client computers, said peer-to-peer communications securing means comprising: means for intercepting a destination address during initialization of communications by a first of said two client computers; means for causing said authentication software to communicate with the server to carry out functions a.) and b.); means for transmitting said destination address to said server; means for causing said server to carry out functions a.) and b.) with respect to the second of said two client computers; means for enabling said second of said two client computers to recreate the session key; means for causing said authentication software to encrypt files to be sent to the destination address using the session key; means for transmitting the encrypted files directly to the destination address. (Dependent claims 12, 13 and 14 not shown.)
15. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said computer software includes:
applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and a shim arranged to intercept function calls and requests for service sent by an applications program to a lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer, and wherein said applications program is a peer-to-peer communications program, wherein a peer application destination address, included in said function calls to the socket, is diverted by the socket shim, and wherein a destination address including said intercepted function calls is supplied to the server during communications with the server, causing the server to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network.
16. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said computer software includes:
applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and a shim arranged to intercept function calls and requests for service sent by an applications program to a lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer, and further including a transport driver interface shim positioned between the transport driver interface layer and a second applications program, for intercepting requests from the second applications program for service by the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer. (Dependent claim 17 not shown.)
18. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said computer software includes:
applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and a shim arranged to intercept function calls and requests for service sent by an applications program to a lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, and wherein said lower level set of communications drivers includes a network driver layer, and a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and wherein said shim is a transport driver interface layer shim positioned between the applications program and the transport driver interface layer to intercept service requests by the applications program to the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer. (Dependent claims 19 and 20 not shown.)
21. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said computer software includes:
applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and at least one lower level set of communications drivers, wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and a network driver layer shim positioned between the transport driver interface layer and the network driver layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server.
22. Computer software for installation on a client computer of a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, wherein said computer software includes:
applications level encryption and authentication software arranged to communicate with the server in order to:
a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; and further comprising means for securing peer-to-peer communications between applications on two of said client computers, said peer-to-peer communications securing means comprising: means for intercepting a destination address during initialization of communications by a first of said two client computers; means for causing said authentication software to communicate with the server to carry out functions a.) and b.); means for transmitting said destination address to said server; means for causing said server to carry out functions a.) and b.) with respect to the second of said two client computers; means for enabling said second of said two client computers to recreate the session key; means for causing said authentication software to encrypt files to be sent to the destination address using the session key; means for transmitting the encrypted files directly to the destination address. (Dependent claims 23, 24 and 25 not shown.)
26. A method of carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising the steps of:
intercepting function calls and requests for service sent by an applications program in one of said client computers to a lower level set of communications drivers; causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate a session key, and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network; and intercepting files packaged by a transport driver interface layer to form packets and encrypting the packets using a session key generated during communications between a lower layer of the server and a lower layer of said one of said client computers.
27. A method of carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising the steps of:
intercepting function calls and requests for service sent by an applications program in one of said client computers to a lower level set of communications drivers; causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate a session key, and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network; intercepting a destination address during initialization of communications between said one of said client computers and a second of said client computers on said virtual private network; causing said applications level authentication and encryption program to communicate with the server in order to enable the applications level authentication and encryption program to generate said session key; transmitting said destination address to said server; causing said server to communicate with the second of said two client computers; enabling said second of said two client computers to recreate the session key; causing said authentication software to encrypt files to be sent to the destination address using the session key; and transmitting the encrypted files directly to the destination address. (Dependent claim 28 not shown.)
Specification