System and method for secure remote access

US 8,904,178 B2
Filed: 09/26/2007
Issued: 12/02/2014
Est. Priority Date: 08/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method of directing a client to establish a secure connection with a server providing remote customer services across a network, the method comprising:

(a) exchanging a server authentication public key, a client authentication public key, and a remote service unique identifier between the server and the client during a registration process, and transmitting from the client to the server a client information package encrypted with a temporary server public key provided by the server in response to initiating a connection between the client and the server, wherein the client information package includes the unique identifier and a client challenge information package encrypted with the server authentication public key to authenticate the client to the server and indicating a client session public key, wherein the unique identifier uniquely identifies a remote service customer, and decryption of the client information package by a temporary server private key and the client challenge information package by the server with a server authentication private key authenticates the client, and wherein said server authentication private key is associated with the server authentication public key and is retrieved based on the unique identifier serving as an index;

(b) receiving at the client from the server a server information package encrypted with the client session public key indicated in the client information package and having the unique identifier and a server challenge information package encrypted with the client authentication public key and indicating a server session public key;

(c) decrypting the received server information package utilizing a client session private key and decrypting and verifying the server challenge information package with a client authentication private key associated with the client authentication public key to authenticate the server, wherein decryption of the server challenge information package by the client with the client authentication private key authenticates the server; and

(d) transmitting from the client to the server portion of the decrypted server challenge information utilizing the server session public key indicated in the received server information package to indicate decryption of the server challenge information and authenticity of the server and facilitate access by the client to the remote customer services.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for directing a client to establish a secure connection with a server across a public network. The server and the client exchange a Server Authentication Public Key, a Client Authentication Public Key, and a Remote Service Unique Identifier (RSUID) during a registration process. In one embodiment, the method includes the client transmitting to the server a client information package having the RSUID and a client challenge information package encrypted with the Server Authentication Public Key, the client receiving from the server a server information package having the RSUID and a server challenge information package and a portion of the received client challenge information encrypted with the Client Authentication Public Key, the client decrypting and verifying the server challenge information package with the Client Authentication Private Key, and, the client transmitting to the server an encrypted portion of the received client challenge information.

31 Citations

View as Search Results

14 Claims

1. A method of directing a client to establish a secure connection with a server providing remote customer services across a network, the method comprising:
- (a) exchanging a server authentication public key, a client authentication public key, and a remote service unique identifier between the server and the client during a registration process, and transmitting from the client to the server a client information package encrypted with a temporary server public key provided by the server in response to initiating a connection between the client and the server, wherein the client information package includes the unique identifier and a client challenge information package encrypted with the server authentication public key to authenticate the client to the server and indicating a client session public key, wherein the unique identifier uniquely identifies a remote service customer, and decryption of the client information package by a temporary server private key and the client challenge information package by the server with a server authentication private key authenticates the client, and wherein said server authentication private key is associated with the server authentication public key and is retrieved based on the unique identifier serving as an index;
  
  (b) receiving at the client from the server a server information package encrypted with the client session public key indicated in the client information package and having the unique identifier and a server challenge information package encrypted with the client authentication public key and indicating a server session public key;
  
  (c) decrypting the received server information package utilizing a client session private key and decrypting and verifying the server challenge information package with a client authentication private key associated with the client authentication public key to authenticate the server, wherein decryption of the server challenge information package by the client with the client authentication private key authenticates the server; and
  
  (d) transmitting from the client to the server portion of the decrypted server challenge information utilizing the server session public key indicated in the received server information package to indicate decryption of the server challenge information and authenticity of the server and facilitate access by the client to the remote customer services.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein step (a) further includes:
    - (a.1) transmitting the client challenge information package including a client session public key.
  - 3. The method of claim 1, wherein step (a) further includes:
    - (a.1) transmitting the client challenge information package including a previous session ID to enable the server to select a client session public key associated with the previous session ID.

4. A computer program product having a computer readable memory device tangibly embodying computer program logic for directing a client to establish a secure connection with a server providing remote customer services across a network, said computer program product comprising:
- a registration module to exchange a server authentication public key, a client authentication public key, and a remote service unique identifier between the server and the client during a registration process;
  
  an initiation module to transmit from the client to the server a client information package encrypted with a temporary server public key provided by the server in response to initiation of a connection between the client and the server, wherein the client information package includes the unique identifier and a client challenge information package encrypted with the server authentication public key to authenticate the client to the server and indicating a client session public key, wherein the unique identifier uniquely identifies a remote service customer, and decryption of the client information package by a temporary server private key and the client challenge information package by the server with a server authentication private key authenticates the client, and wherein said server authentication private key is associated with the server authentication public key and is retrieved based on the unique identifier serving as an index;
  
  a reception module to receive at the client from the server a server information package encrypted with the client session public key indicated in the client information package having the unique identifier and a server challenge information package encrypted with the client authentication public key and indicating a server session public key;
  
  a decryption module to decrypt the received server information package utilizing a client session private key and to decrypt and verify the server challenge information package with a client authentication private key associated with the client authentication public key to authenticate the server, wherein decryption of the server challenge information package by the client with the client authentication private key authenticates the server; and
  
  a response module to transmit from the client to the server a portion of the decrypted received server challenge information encrypted utilizing the server session public key indicated in the received server information package to indicate decryption of the server challenge information and authenticity of the server and to facilitate access by the client to the remote customer services.
- View Dependent Claims (5, 6)
- - 5. The computer program product of claim 4, wherein the initiation module includes:
    - a session key module to place a client session public key within the client challenge information package.
  - 6. The computer program product of claim 4, wherein the initiation module includes:
    - a session tracking module to place a previous session ID within the client challenge information package to enable the server to select a client session public key associated with the previous session ID.

7. A method for directing a server providing remote customer services to establish a secure connection with a client across a network, the method comprising:
- (a) exchanging a server authentication public key, a client authentication public key, and a remote service unique identifier between the server and the client during a registration process, and receiving at the server from the client a client information package encrypted with a temporary server public key provided by the server in response to initiation of a connection between the client and the server, wherein the client information package includes the unique identifier and a client challenge information package encrypted with the server authentication public key to authenticate the client to the server and indicating a client session public key, wherein the unique identifier uniquely identifies a remote service customer;
  
  (b) decrypting the received client information package utilizing a temporary server private key and retrieving a server authentication private key associated with the server authentication public key utilizing the received unique identifier as an index;
  
  (c) decrypting and verifying the client challenge information package with the server authentication private key, wherein decryption of the client Challenge information package by the server with the server authentication private key authenticates the client;
  
  (d) transmitting from the server to the client a server information package encrypted with the client session public key indicated in the received client information package and including the unique identifier and a server challenge information package encrypted with the client authentication public key to authenticate the server to the client and indicating a server session public key, wherein decryption by the client of the server information package utilizing a client session private key and the server challenge information package utilizing a client authentication private key associated with the client authentication public key authenticates the server; and
  
  (e) enabling access by the client to the remote customer services in accordance with an appropriate response from the client indicating decryption of the server challenge information and authenticity of the server, wherein the appropriate response includes a portion of the decrypted server challenge information encrypted utilizing the server session public key indicated in the server information package.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein step (d) further includes:
    - (d.1) transmitting the server challenge information package including a server session public key.
  - 9. The method of claim 7, wherein step (d) further includes:
    - (d.1) transmitting the server challenge information package including a previous session ID that enables the client to select a server session public key associated with the previous session ID.

10. A computer program product having a computer readable memory device tangibly embodying computer program logic for directing a server providing remote customer services to establish a secure connection with a client across a network, said computer program product comprising:
- a registration module to exchange a server authentication public key, a client authentication public key, and a remote service unique identifier between the server and the client during a registration process;
  
  a reception module at the server to receive from the client a client information package encrypted with a temporary server public key provided by the server in response to initiation of a connection between the client and the server, wherein the client information package includes the unique identifier and a client challenge information package encrypted with the server authentication public key to authenticate the client to the server and indicating a client session public key, wherein the unique identifier uniquely identifies a remote service customer;
  
  a decryption module to decrypt the received client information package utilizing a temporary server private key;
  
  an index module at the server to retrieve a server authentication private key associated with the server authentication public key utilizing the received unique identifier as an index;
  
  a validation module at the server to decrypt and verify the client challenge information package with the server authentication private key, wherein decryption of the client challenge information package by the server with the server authentication private key authenticates the client;
  
  a transmission module at the server to transmit to the client a server information package encrypted with the client session public key indicated in the received client information package and including the unique identifier and a server challenge information package encrypted with the client authentication public key to authenticate the server to the client and indicating a server session public key, wherein decryption by the client of the server information package utilizing a client session private key and the server challenge information package utilizing a client authentication private key associated with the client authentication public key authenticates the server; and
  
  an access module at the server to enable access by the client to the remote customer services in accordance with an appropriate response from the client indicating decryption of the server challenge information and authenticity of the server, wherein the appropriate response includes a portion of the decrypted server challenge information encrypted utilizing the server session public key indicated in the server information package.
- View Dependent Claims (11, 12)
- - 11. The computer program product of claim 10, wherein the transmission module includes:
    - a session module to place a server session public key within the server challenge information package.
  - 12. The computer program product of claim 10, wherein the transmission module includes:
    - a session tracking module to place a previous session ID within the server challenge information package that enables the client to select a server session public key associated with the previous session ID.

13. A system to establish a secure connection between a server computer system providing remote customer services and a client across a network, the system comprising:
- a server computer system in communication with a client via a network;
  
  a registration module to exchange a server authentication public key, a client authentication public key, and a remote service unique identifier between the server computer system and the client during a registration process;
  
  a reception module at the server computer system to receive from the client a client information package encrypted with a temporary server public key provided by the server computer system in response to initiation of a connection between the client and the server computer system, wherein the client information package includes the unique identifier and a client challenge information package encrypted with the server authentication public key to authenticate the client to the server computer system and indicating a client session public key, wherein the unique identifier uniquely identifies a remote service customer;
  
  a decryption module to decrypt the received client information package utilizing a temporary server private key;
  
  an index module at the server computer system to retrieve a server authentication private key associated with the server authentication public key utilizing the received unique identifier as an index;
  
  a validation module at the server computer system to decrypt and verify the client challenge information package with the server authentication private key, wherein decryption of the client challenge information package by the server computer system with the server authentication private key authenticates the client;
  
  a transmission module at the server computer system to transmit to the client a server information package encrypted with the client session public key indicated in the received client information package and including the unique identifier and a server challenge information package encrypted with the client authentication public key to authenticate the server computer system to the client and indicating a server session public key, wherein decryption by the client of the server information package utilizing a client session private key and the server challenge information package utilizing a client authentication private key associated with the client authentication public key authenticates the server computer system; and
  
  an access module at the server computer system to enable access by the client to the remote customer services in accordance with an appropriate response from the client indicating decryption of the server challenge information and authenticity of the server computer system, wherein the appropriate response includes a portion of the decrypted server challenge information encrypted utilizing the server session public key indicated in the server information package.
- View Dependent Claims (14)
- - 14. The system of claim 13, further including:
    - an initiation module at said client to transmit to the server computer system the client information package including the unique identifier and the client challenge information package encrypted with the server authentication public key;
      
      a reception module at the client to receive from the server computer system the server information package having the unique identifier and the server challenge information package encrypted with the client authentication public key;
      
      a client decryption module at the client to decrypt and verify the server challenge information package with the client authentication private key; and
      
      a response module at the client to transmit to the server computer system a portion of the decrypted server challenge information encrypted utilizing the server session public key indicated in the server information package to facilitate access by the client to the remote customer services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hulu LLC (The Walt Disney Company)
Original Assignee
International Business Machines Corporation
Inventors
Wilding, Mark F., Horman, Randall W.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Avery, Jeremiah

Application Number

US11/861,740
Publication Number

US 20080016354A1
Time in Patent Office

2,624 Days
Field of Search

713/169
US Class Current

713/171
CPC Class Codes

G06F 21/445   by mutual authentication, e...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

System and method for secure remote access

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure remote access

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links