`
`
`(19) United States
`
`
`
`
`
`
`
`
`(12) Patent Application Publication (10) Pub. No.: US 2003/0079143 A1
`
`
`
`
`
`
`
`Mikel et al.
`
`
`(43) Pub. Date:
`Apr. 24, 2003
`
`US 20030079143A1
`
`
`
`
`ONE PASS SECURITY
`
`
`
`
`
`(5 7)
`
`
`
`ABSTRACT
`
`
`
`(54)
`
`<76)
`
`
`
`
`
`(21)
`
`(22)
`
`
`
`
`(60)
`
`
`
`(51)
`(52)
`
`
`
`
`Inventors: Dean Mikel, Boise, ID (US); Mark
`
`
`
`
`
`Wilkins, Boise, ID (US)
`
`
`
`
`
`
`
`
`Correspondence Address:
`
`
`Ormiston & McKinney
`Suite 400
`
`
`802 W. Bannock
`
`PO. Box 298
`
`
`
`Boise, ID 83701-0298 (US)
`
`
`
`
`
`
`
`10/096,784
`
`
`
`Appl. No.:
`
`Filed:
`
`
`
`
`
`
`Mar. 12, 2002
`
`
`
`Related US. Application Data
`
`
`
`
`Provisional application No. 60/353,354, filed on Oct.
`
`
`
`
`
`22, 2001.
`
`
`Publication Classification
`
`
`
`Int. Cl.7
`.. H04L 9/00; H04L 9/32
`
`
`
`
`
`
`US. Cl.
`.............................................................. 713/200
`
`
A system and method for secure network communication. In various embodiments of the present invention, data needed for authentication and encryption is included in each communication pass between network devices, so that when a network connection is broken, a secure connection can be reestablished with the next pass. A client authentication service on the client receives a server request and searches for a current client-side session key. If one is not present, the client authentication service generates and encrypts an initial session key, acquires credentials, adds the credentials to the server request, and encrypts the server request with the initial session key. The encrypted server request and the encrypted session key are sent to the server, where a server authentication service decrypts the initial session key, decrypts the server request with the initial session key, and authenticates the credentials before allowing the server request to be acted upon. Where a current client-side session key is detected, the client authentication service acquires the current client-side session key, generates a next step session key, adds the next step session key to the server request, and encrypts the server request with the current client-side session key. The encrypted server request is sent to the server where the server authentication service decrypts the server request with a current server-side session key allowing the server request to be acted upon.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`76
`
`
`
`
`USER(S)
`CREDENTIALS
`
`
`
`SERVER
`
`CREDENTIALS
`
`
`
`DEVICE
`
`RECORD
`
`
`TIME MODULE SERVER
`
`RESPONSE
`
`BUILDER
`
`
`CREDENTIAL
`MODULE
`
`
`
`
`SERVER
`
`
`SEQUENCE
`MODULE
`
`
`
`ENCRYPTION
`MODULE
`
`
`
`
`SERVER
`
`
`
`
`
`
`SERVER
`
`INTEGRITY
`MODULE
`
`
`
`
`Page 1 of 20
`
`GOOGLE EXHIBIT 1015
`
`Page 1 of 20
`
`GOOGLE EXHIBIT 1015
`
`
`
`
`
Patent Application Publication Apr. 24, 2003 Sheet 1 of 10 US 2003/0079143 A1

[FIG. 1: schematic of a multi-pass handshake in a mobile computing environment; the label text did not survive the scan.]

Page 2 of 20
`
`
`
[Sheet 2 of 10, FIG. 2: schematic of the mobile computing environment; the label text did not survive the scan.]

Page 3 of 20
`
`
`
[Sheet 3 of 10, FIG. 3: components of the client and server devices (client, client application, client authentication service, client database, network interfaces, server, server application, server authentication service, server database); the label text is largely illegible in the scan.]

Page 4 of 20
`
`
`
[Sheet 4 of 10, FIG. 4: client authentication service and client database (encryption module, request builder, sequence module, time module, integrity module, credentials, temporary data); the label text is largely illegible in the scan.]

Page 5 of 20
`
`
`
[Sheet 5 of 10, FIG. 5: server authentication service and server database (server encryption module, response builder, credential module, server sequence module, server time module, server integrity module, credentials, device record); the label text is largely illegible in the scan.]

Page 6 of 20
`
`
`
[Sheet 6 of 10, FIG. 6: flow diagram, steps 80 to 84: RECEIVE SERVER REQUEST; IS SERVER PUBLIC KEY PRESENT?; DOES SESSION KEY EXIST?]

Page 7 of 20
`
`
`
[Sheet 7 of 10, FIG. 7: flow diagram, steps 86 to 102: REQUEST SERVER PUBLIC KEY; RETRIEVE AND RETURN; STORE; ENCRYPT AND SEND REQUEST; DECRYPT REQUEST; AUTHENTICATE; GENERATE, ENCRYPT AND SEND RESPONSE; CREATE DEVICE RECORD; DECRYPT RESPONSE.]

Page 8 of 20
`
`
`
[Sheet 8 of 10, FIG. 8: flow diagram, steps 104 to 138: GENERATE, STORE AND ENCRYPT SESSION KEY1; CREATE AND ADD SESSION COUNTER; ADD PASSWORD AND TIME STAMP; DECRYPT AND STORE SESSION KEY1; DECRYPT REQUEST; STORE TIME STAMP; AUTHENTICATE USER; STORE SESSION COUNTER; GENERATE RESPONSE; GENERATE, STORE AND ADD NEXT STEP SESSION KEY AND ENCRYPT; SEND CLIENT RESPONSE; DECRYPT AND STORE.]

Page 9 of 20
`
`
`
[Sheet 9 of 10, FIG. 9 (overview) and FIG. 9A: flow diagram, steps 138 to 162: GENERATE AND STORE NEXT STEP SESSION KEY1; UPDATE AND ADD SESSION COUNTER; ADD TIME STAMP AND CHECKSUM; LOCATE DEVICE RECORD; RETRIEVE SESSION KEY1; DECRYPT REQUEST; VERIFY AND STORE TIME STAMP; VERIFY SESSION COUNTER; STORE UPDATED SESSION COUNTER; GENERATE RESPONSE.]

Page 10 of 20
`
`
`
`
`
`
`
`
`
`
[Sheet 10 of 10, FIG. 9B: flow diagram, steps 166 to 174: STORE NEW NEXT STEP SESSION KEY; ENCRYPT; SEND CLIENT RESPONSE; DECRYPT CLIENT RESPONSE; STORE NEW NEXT STEP SESSION KEY.]

Page 11 of 20
`
`
`
`
`
`
`
`
`ONE PASS SECURITY
`
`
`
FIELD OF THE INVENTION

[0001] This invention relates generally to securing network communication. More specifically, this invention is directed to one-pass authentication and encryption enabling secure network communication.
`
`
`
BACKGROUND OF THE INVENTION

[0002] With the advent of the Internet, electronic business and financial transactions have flourished. Virtual private networks now enable people to conduct business from anywhere in the world, at least anywhere an Internet connection is available. With cellular and satellite communication technology, Internet connections are available virtually everywhere. Network communication protocols, such as S-HTTP (Secure Hypertext Transport Protocol) and SSL (Secure Socket Layer), have been developed to enable secure communication links between two network devices. These technologies provide security in two forms—authentication and encryption. Authentication is important to verify that each device is who it claims to be. Encryption allows the devices to exchange data rendering that data useless to a third party. The security provides confidence in transmitting private financial, business, and personal data over a computer network.
`
`
`[0003]
`In addition to desktop computers, workstations,
`
`
`
`
`
`
`
`and servers, modern computing environments often include
`
`
`
`
`
`
`
`fit
`lightweight handheld computing devices that
`into a
`
`
`
`
`
`
`
`pocket, purse, or briefcase. To enable true mobility for these
`
`
`
`
`
`
`
`
`devices, wireless network communication is required. Wire—
`
`
`
`
`
`
`less network interface cards enable network communication
`
`
`
`
`
`
`
`within a particular geographic area such as an ollice com-
`
`
`
`
`
`
`
`plex. The mobile device must remain within range of a
`
`
`
`
`
`
`
`
`
`server to communicate. Cellular modems and Internet ready
`
`
`
`
`
`
`
`cellular telephones enable network communication between
`
`
`
`
`
`
`devices located most anywhere.
`
`
`
`
`[0004] Existing secure network communication protocols
`
`
`
`
`
`
`such as SSL require a series of communications between two
`
`
`
`
`
`
`
`devices to establish a secure communication link between
`
`
`
`
`
`
`the devices. These communications are often referred to as
`
`
`
`
`
`
`
`a “handshake.” A handshake allows the network devices to
`
`
`
`
`
`
`
`authenticate one another while exchanging data needed to
`
`
`
`
`
`
`
`encrypt filture communications. FIG. 1 illustrates a typical
`
`
`
`
`
`
`handshake between a cellular enabled PDA (Personal Digital
`
`
`
`
`
`
`
`Assistant) 10 and a server 12. PDA 10 initiates the hand—
`
`
`
`
`
`
`
`
`shake communicating data to server 12. Server 12 responds
`
`
`
`
`
`
`
`sending data to PDA 10. Each communication can be
`
`
`
`
`
`
`
`
`referred to as a “pass.” Existing protocols require several
`
`
`
`
`
`
`
`passes to establish a secure connection. For example, one
`
`
`
`
`
`
`
`version of an SSL handshake requires the following steps:
`
`
`
`
`
`
`
`[0005] PDA 10 initiates communication requesting a
`
`
`
`
`
`digital certificate from server 12. A digital certificate
`
`
`
`
`
`
`
`includes a public key used to encrypt a reply as well
`
`
`
`
`
`
`
`as electronic data used to authenticate server 12.
`
`
`
`
`
`
`
`[0006] Server 12 returns its certificate and requests a
`
`
`
`
`
`
`
`digital certificate from FDA 10.
`
`
`
`
`[0007] With the server’s certificate, PDA 10 authen-
`
`
`
`
`
`
`
`ticates server 12 and returns its own certificate. With
`
`
`
`
`
`
`
`
`the PDA’s certificate, server 12 authenticates PDA
`
`
`
`
`
`
`10.
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0008] PDA 10 then generates a symmetric encryp-
`tion key. Using the public key from the server‘s
`
`
`
`
`
`
`
`
`certificate, PDA 10 encrypts the symmetric encryp-
`
`
`
`
`
`tion key and then sends it to server 12. Using its own
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`private key, server 12 decrypts the symmetric
`
`
`encryption key.
`[0009] The handshake is complete. PDA 10 and server 12
`
`
`
`
`
`
`
`have been authenticated. Future communications between
`
`
`
`
`
`
`PDA 10 and server 12 are encrypted and decrypted using the
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`symmetric encryption key. For example, PDA 10 can gen-
`
`
`
`
`
`
`
`
`
`erate a request for server (server request) to return data
`relating to a bank account for instance. PDA 10 encrypts the
`
`
`
`
`
`
`
`
`server request with the symmetric encryption key and sends
`
`
`
`
`
`
`
`
`
`it to server 12. Server 12 decrypts the server requests and
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`generates a response to the server request (client response).
`Server 12 then encrypts the client response with the sym-
`
`
`
`
`
`
`
`
`
`metric encryption key and returns it
`to PDA 12 which
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`decrypts and displays the client response. Whenever the
`network connection between PDA 10 and server 12 is
`
`
`
`
`
`
`
`broken, the handshake must be repeated in order to authen-
`
`
`
`
`
`
`
`ticate the devices. When communicating over a cellular
`
`
`
`
`
`
`
`connection, each pass of a handshake requires approxi—
`
`
`
`
`
`
`
`
`
`
`
`
`
`mately fifteen seconds. Consequently, a handshake typically
`
`
`
`
`
`
`
`requires anywhere from forty-five to seventy seconds,
`before a secure connection can be established or reestab-
`
`
`
`
`
`
`
`lished.
`
`[0010] Wireless network connections can be unreliable.
`
`
`
`
`
`
`They are often broken requiring a secure connection to be
`
`
`
`
`
`
`
`frequently reestablished. The resulting delay of forty-five to
`
`
`
`
`
`
`seventy seconds required for each handshake renders secure
`
`
`
`
`
`
`
`
`cellular network communication annoying if not inefficient
`
`
`
`
`
`
`or unworkable. What is needed is a more efficient method for
`
`
`
`
`
`
`
`establishing and secure network communication that elimi-
`
`
`
`
`
`
`
`nates the need for a handshake as described above each time
`
`
`
`
`
`
`
`
`
`the connection is broken.
`
`
`
SUMMARY OF THE INVENTION

[0011] The present invention is directed to authentication and encryption for secure network communication. In various embodiments of the present invention, data needed for authentication and encryption is included in each communication pass between network devices, so that when a network connection is broken, a secure connection can be reestablished with the next pass. A client authentication service on the client receives a server request and searches for a current client-side session key. If one is not present, the client authentication service generates and encrypts an initial session key, acquires credentials, adds the credentials to the server request, and encrypts the server request with the initial session key. The encrypted server request and the encrypted session key are sent to the server, where a server authentication service decrypts the initial session key, decrypts the server request with the initial session key, and authenticates the credentials before allowing the server request to be acted upon. Where a current client-side session key is detected, the client authentication service acquires the current client-side session key, generates a next step session key, adds the next step session key to the server request, and encrypts the server request with the current client-side session key. The encrypted server request is sent to the server where the server authentication service decrypts the server request with a current server-side session key allowing the server request to be acted upon.
`
`
`
`
`
`
`
`Page 12 of 20
`
`
`
`
DESCRIPTION OF THE DRAWINGS

[0012] FIG. 1 is a schematic representation of a mobile computing environment illustrating a multi-pass handshake.

[0013] FIG. 2 is a schematic representation of a mobile computing environment in which various embodiments of the present invention may be incorporated.

[0014] FIG. 3 is a schematic representation of the components of the client and server devices of FIG. 2 according to one embodiment of the present invention.

[0015] FIG. 4 is a schematic representation of the client authentication service and client database of FIG. 3.

[0016] FIG. 5 is a schematic representation of the server authentication service and server database of FIG. 3.

[0017] FIGS. 6, 7, 8, 9A, and 9B are interrelated flow diagrams illustrating steps followed during an authentication process according to one embodiment of the present invention.
`
`
`
`
`
`
DETAILED DESCRIPTION OF THE INVENTION

[0018] INTRODUCTION: Traditional security protocols, such as SSL and S-HTTP, require a handshake to establish a secure network connection. For the connection to remain secure, the connection cannot be broken. When broken, the handshake must be repeated to reestablish a secure connection. In a wireless network, a handshake is a relatively slow process. Establishing and then continually reestablishing a secure connection on a wireless network renders the network communication inefficient if not, in some cases, unworkable.
`
`
`
`
`
`
`[0019]
`It is expected that various embodiments of the
`
`
`
`
`
`
`
`
`present invention will enable users to establish and reestab-
`
`
`
`
`
`
`
`
`lish a secure network communication session with a single
`
`
`
`
`
`
`
`pass. Network security is established with each application
`
`
`
`
`
`
`
`level request that a client makes on a server and with each
`
`
`
`
`
`
`
`
`
`application level response that the server returns to the
`
`
`
`
`
`
`
`
`
`client. Consequently, as may often be the case, the network
`
`
`
`
`
`
`
`
`connection between the client and the server can be broken
`
`
`
`
`
`
`
`
`between each server request, client response, and subsequent
`
`
`
`
`
`
`
`
`server request without negatively affecting the communica-
`
`
`
`
`
`
`
`tion speed between the client and the server.
`
`
`
`
`
`
`
`
`[0020] COMPONENTS: FIG. 2 illustrates a computing
`
`
`
`
`
`environment 16 in which various embodiments of the
`
`
`
`
`
`
`
`present invention may be incorporated. Embodiments of the
`
`
`
`
`
`
`present invention, however, may be incorporated in any
`
`
`
`
`
`
`environment in which it is desirable or necessary to establish
`
`
`
`
`
`secure network communication. Environment 16 includes
`
`
`
`
`
`server device 18, client devices 20, and link 22, intercon-
`
`
`
`
`
`
`
`
`
`
`necting client device 18 with client devices 22. Server
`
`
`
`
`
`
`
`
`
`device 18 represent generally any computing device capable
`
`
`
`
`
`
`
`of serving electronic data over link 22. Client devices 20
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`represent generally any computing device capable of com-
`municating with server device 18 over link 22. Link 22
`
`
`
`
`
`
`
`
`
`represents generally any cable, wireless, or remote connec-
`
`
`
`
`
`
`
`tion via a telecommunication link, an infrared link, a radio
`
`
`
`
`
`
`
`frequency link, cellular link, or any other connector or
`
`
`
`
`
`
`
`
`
`system that provides electronic communication between the
`
`
`
`
`
`
`
`devices. Link 22 may represent, in part, an intranet,
`the
`
`
`
`
`
`
`
`
`
`Internet, or a combination of both.
`
`
`
`[0021] FIG. 3 illustrates the components of server device
`
`
`
`
`
`
`18 and a single client device 20 used to establish a secure
`
`
`
`
`
`
`
`
`
`
`
`network communication link between the devices. Client
`
`
`
`
`
`
`
`device 20 includes client 24, client application 26, network
`
`
`
`
`
`
`
`
`interface 28, client authentication service 30, and client
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`database 32. Client 24 represents any programming capable
`
`
`
`
`
`
`
`
`of generating and sending a server request. Aserver request
`is electronic data formed to instruct a server to perform a
`
`
`
`
`
`
`
`particular task. When that
`task involves instructing the
`
`
`
`
`
`
`
`
`server to return electronic data, the return of that data can be
`
`
`
`
`
`
`
`
`
`referred to as a client response. However, a server request
`
`
`
`
`
`
`in some cases, only instruct a server to perform a
`may,
`
`
`
`
`
`
`
`particular task without returning electronic data to the client.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Client application 26 represents any programming capable
`of providing client 24 with electronic data used to generate
`
`
`
`
`
`
`
`
`the server request. Client 24 and client application 26 may,
`
`
`
`
`
`
`
`
`in the case of a web browser, be incorporated in a single
`
`
`
`
`
`
`
`
`application. Network interface 28 represents any combina-
`
`
`
`
`
`
`tion of hardware and/or programming capable of transmit-
`
`
`
`
`
`
`
`ting and receiving electronic data over link 22. Network
`
`
`
`
`
`
`
`
`
`interface 28 may be a standard network interface card, a
`
`
`
`
`
`
`
`wireless network interface card, a wireless or cellular
`
`
`
`
`
`
`
`modem, or an Internet ready Cellular telephone. Client
`
`
`
`
`
`
`
`authentication service 30 represents programming capable
`
`
`
`
`
`
`of adding electronic information to and encrypting a server
`
`
`
`
`
`
`
`request as well as decrypting a client response. Client
`
`
`
`
`
`
`
`
`database 32 represents any readable and writeable memory
`
`
`
`
`
`
`
`used to hold electronic data used by client authentication
`
`
`
`
`
`
`
`service 30.
`
`
`[0022] Server device 18 includes server 34, server appli-
`
`
`
`
`
`
`
`
`
`cation 36, network interface 38, server authentication ser-
`
`
`
`
`
`
`
`
`vice 40, and server database 42. Server 34 represents gen-
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`erally any programming capable of receiving and acting on
`a server request as well as generating a client response.
`
`
`
`
`
`
`
`
`
`Server application 36 represents programming used by
`
`
`
`
`
`
`
`server 34 to act on a server request and to generate a client
`
`
`
`
`
`
`
`response. For example, server application 34 may be a
`
`
`
`
`
`
`
`program interface enabling server 32 to retrieve and manipu-
`
`
`
`
`
`
`
`late information in a database located on server device 18 or
`
`
`
`
`
`
`elsewhere. Network interface 38 like network interface 28
`
`
`
`
`
`
`represents any combination of hardware and/or program-
`
`
`
`
`
`
`
`ming capable of transmitting and receiving electronic data
`
`
`
`
`
`
`
`over link 22. Server authentication service 40 represents
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`generally any programming capable of decrypting a server
`request as well as adding information to and encrypting a
`
`
`
`
`
`
`client response. Server database 42 represents any readable
`
`
`
`
`
`
`
`and writeable memory used to hold electronic data used by
`
`
`
`
`
`
`
`
`server authentication service 40.
`
`
`
`
`[0023] As illustrated in FIG. 4, client authentication ser-
`
`
`
`
`
`
`
`vice 30 includes client encryption module 44,
`request
`
`
`
`
`
`
`
`
`builder 46, client sequence module 48, client time module
`
`
`
`
`
`
`
`
`
`50, and client integrity module 52. Client encryption module
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`44 represents any programming capable of generating sym-
`metric encryption keys, encrypting server requests, and
`
`
`
`
`
`
`
`decrypting client responses. Request builder 46 represents
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`any programming capable of adding electronic data to a
`server request, encrypted or not, to be sent by client 24 to
`
`
`
`
`
`
`server 34. Client sequence module 48 represents program-
`
`
`
`
`
`
`
`ming capable of generating and updating a session counter
`
`
`
`
`
`
`
`to be added to a server request by request builder 46. The
`
`
`
`
`
`
`
`
`term session represents a period of communication between
`
`
`
`
`
`
`client device 20 and server device 18 used to perform a
`
`
`
`
`
`
`
`
`
`particular task or tasks. Asession does not require a constant
`
`
`
`
`
`
`
`
`network connection. An incrementally increased session
`
`
`
`
`
`
`counter is added to each subsequent server request during
`
`
`
`
`
`
`
`the session to ensure that a single server request is not acted
`
`
`
`
`
`
`
`
`
`
`Page 13 of 20
`
`Page 13 of 20
`
`
`
`
`
`US 2003/0079143 A1
`
`
`
`Apr. 24, 2003
`
`
`
`the first
`upon twice by server device 18. For example,
`
`
`
`
`
`
`
`
`
`
`session counter for a session may have a value of zero, the
`
`
`
`
`
`
`
`
`
`second—a value of one, and so on. Client time module 50
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`represents any programming capable of generating a time
`stamp for request builder 46 to add to a server request as well
`
`
`
`
`
`
`
`as validating a time stamp obtained from a client response.
`
`
`
`
`
`
`
`
`In some instances it may be desirable to break a secure
`
`
`
`
`
`
`
`
`communication link between server and client devices 18
`
`
`
`
`
`
`
`
`and 20 where time between server
`requests or client
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`responses exceeds a specified limit. Time stamps enable
`tracking of the time elapsed between server requests and/or
`
`
`
`
`
`
`
`
`server responses.
`
`
`
`
`
`
`
`
`[0024] Client integrity module 52 represents programming
`capable of generating integrity data such as a checksum for
`
`
`
`
`
`
`
`request builder 46 to add to a server request as well as
`
`
`
`
`
`
`
`
`
`verifying the integrity of a client response. When commu-
`
`
`
`
`
`
`
`
`nicating through a secure network link, it can be important
`
`
`
`
`
`
`
`to verify that the data making up a server request or a client
`
`
`
`
`
`
`
`
`
`response has not been intercepted and altered since the
`
`
`
`
`
`
`
`
`
`request or response was sent. A checksum is a numerical
`
`
`
`
`
`
`value calculated, at least in part, by the number of bits that
`
`
`
`
`
`
`
`
`comprise an electronic message such as a server request or
`
`
`
`
`
`
`
`
`
`
`
`
`
`client response. Upon receipt of the electronic message, if
`the number of bits does not match the checksum,
`the
`
`
`
`
`
`
`
`
`
`receiver of the message, in this case server device 18, can
`
`
`
`
`
`
`
`
`
`assume that the message contains errors or has been tam-
`
`
`
`
`
`
`
`
`
`
`pered with.
`
`
`[0025] Still referring to FIG. 4, client database 32 contains
`
`
`
`
`
`
`
`user credentials 54, server credentials 56, and client tempo-
`
`
`
`
`
`
`
`
`
`rary data 58. User credentials 54 represent electronic data
`
`
`
`
`
`
`
`
`identifying and unique to a particular user of client device 20
`
`
`
`
`
`
`
`or unique to client device 20 itself. It is expected that user
`
`
`
`
`
`
`
`
`
`
`credentials will be a username and password pair. Server
`
`
`
`
`
`
`
`credentials 56 represent electronic data used to encrypt data
`
`
`
`
`
`
`
`that can then only be decrypted by server device 18. It is
`
`
`
`
`
`
`
`
`
`expected that server credentials will include an asymmetric
`
`
`
`
`
`
`
`public encryption key, referred to herein as a server public
`
`
`
`
`
`
`
`key. Client temporary data 58 includes the most recently
`
`
`
`
`
`
`
`
`
`generated session counter, a time stamp obtained from the
`
`
`
`
`
`
`
`
`most recent client response, and electronic data used by
`
`
`
`
`
`
`
`
`client encryption module 44 to encrypt server requests and
`
`
`
`
`
`
`
`to decrypt client responses. It is expected that this electronic
`
`
`
`
`
`
`
`
`data Will include a symmetric encryption key, referred to
`
`
`
`
`
`
`
`herein as a current client-side session key, that is periodi-
`
`
`
`
`
`
`
`cally updated during a session.
`
`
`
`
`[0026] Referring now to FIG. 5, server authentication
`
`
`
`
`
`
`service 40 includes server encryption module 60, response
`
`
`
`
`
`
`
`
`builder 62, credential module 64, server sequence module
`
`
`
`
`
`
`
`
`66, server time module 68 and server integrity module 70.
`
`
`
`
`
`
`
`
`
`Server encryption module 60 represents any programming
`
`
`
`
`
`
`
`
`
`
`
`
`capable of generating symmetric encryption keys, encrypt-
`ing client
`responses
`and decrypting server
`requests.
`
`
`
`
`
`
`
`
`
`
`
`
`
`Response builder 62 represents any programming capable of
`adding electronic data to a client response, encrypted or not,
`
`
`
`
`
`
`
`to be sent by server 34 to client 24. Credential module 64
`
`
`
`
`
`
`
`
`
`
`
`
`
`represents any programming capable of authenticating cre-
`dentials acquired from a decrypted server request as well as
`
`
`
`
`
`
`
`identifying data in server database 42 associated with cre-
`
`
`
`
`
`
`
`dentials obtained from a server request.
`
`
`
`
`
`
`
`
`
`
`
`
`[0027] Server sequence module 66 represents program-
`ming capable of storing a session counter obtained from a
`
`
`
`
`
`
`
`server request and comparing that session counter with the
`
`
`
`
`
`
`
`
`
`
`Page 14 of 20
`
`
`
`
`
`
`
`session counter received and stored following a previous
`
`
`
`
`
`
`server request. Server sequence module 66 can then compare
`
`
`
`
`
`
`
`the stored session counter with a new session counter
`
`
`
`
`
`
`
`obtained from the subsequent server request. If the new
`
`
`
`
`
`
`
`
`session counter does not exceed the stored session counter,
`
`
`
`
`
`
`
`
`the subsequent server request is to be ignored.
`
`
`
`
`
`
`
`
`
`
`
`
`[0028] Server time module 68 represents programming
`capable of generating a time stamp for response builder 62
`
`
`
`
`
`
`
`to add to a client response as well as validating a time stamp
`
`
`
`
`
`
`
`
`obtained from a server request. Server integrity module 70
`
`
`
`
`
`
`
`
`
`
`
`
`
`represents programming capable of generating integrity data
`such as a checksum for response builder 62 to add to a client
`
`
`
`
`
`
`
`
`
`
`
`
`
`response as well verifying the integrity of a server request.
`[0029] Still
`referring to FIG. 5, server database 42
`
`
`
`
`
`
`
`
`includes user credentials 72, server credentials 74, and
`
`
`
`
`
`
`
`
`device record 76. User credentials 72 contain electronic
`
`
`
`
`
`
`
`
`data, typically in the form of verified user name and pass-
`
`
`
`
`
`
`
`
`
`word pairs used by credential module 64 to authenticate
`
`
`
`
`
`
`
`credentials obtained from a server request. Server creden—
`
`
`
`
`
`
`
`tials 74 contain data used by server encryption module 60 to
`
`
`
`
`
`
`
`decrypt data used to encrypt a server request. It is expected
`
`
`
`
`
`
`
`that this data will include an asymmetric private encryption
`
`
`
`
`
`
`
`
`key, referred to herein as a server private key. Device record
`
`
`
`
`
`
`
`
`76 represents electronic data used by server encryption
`
`
`
`
`
`
`
`
`module 60, server sequence module 66, and server time
`
`
`
`
`
`
`
`
`
`module 68 and used to establish secure network communi-
`
`
`
`
`
`
`
`cation with client device 20. Server database 42 may include
`
`
`
`
`
`
`
`
`
`other device records to store data for securely communicat-
`
`
`
`
`
`
`
`
`ing with devices other then client device 20. It is expected
`
`
`
`
`
`
`
`
`
`
`that this electronic data will include a session key that is
`
`
`
`
`
`
`
`
`
`periodically changed during a given session as well as a
`
`
`
`
`
`
`
`session counter and time stamp for the most recent server
`
`
`
`
`
`
`
`
`
`
`request.
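The subsequent-pass exchange of FIG. 9A as described in paragraphs [0023] to [0029] (next step session key, session counter, time stamp and checksum added on the client; device record lookup, decryption, time stamp and counter verification on the server), written here as an added Python example that is not part of the patent. The class and method names, the JSON message layout and the toy SHA-256 keystream cipher are assumptions of this example; the initial pass that transports the first session key under the server public key is not modelled.

```python
import hashlib
import hmac
import json
import os

# Assumed "specified limit" on the time between server requests ([0023]).
MAX_GAP_SECONDS = 300


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    Constructed for this example only; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so client and server checksum the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def checksum(data: bytes) -> str:
    """Integrity data (integrity modules 52 and 70); SHA-256 here, by assumption."""
    return hashlib.sha256(data).hexdigest()


class ClientAuthService:
    """Client authentication service 30, subsequent-pass path (FIG. 9A)."""

    def __init__(self, device_id: str, session_key: bytes, counter: int):
        self.device_id = device_id
        self.current_key = session_key  # current client-side session key
        self.counter = counter          # most recently sent session counter
        self.pending_key = None         # next step key, not yet confirmed

    def build_request(self, payload: dict, now: int):
        """Generate next step key, update counter, add time stamp and checksum, encrypt."""
        self.pending_key = os.urandom(32)
        self.counter += 1
        body = {"counter": self.counter, "time": now,
                "next_key": self.pending_key.hex(), "payload": payload}
        msg = {"body": body, "checksum": checksum(canonical(body))}
        blob = toy_stream_cipher(self.current_key, canonical(msg))
        return self.device_id, blob     # device id travels in the clear (assumed)

    def confirm(self) -> None:
        """Once the server has acted on the request, the next step key becomes current."""
        self.current_key, self.pending_key = self.pending_key, None


class ServerAuthService:
    """Server authentication service 40 with device records 76 in server database 42."""

    def __init__(self):
        self.device_records = {}

    def add_device_record(self, device_id: str, key: bytes, counter: int, time_stamp: int):
        self.device_records[device_id] = {"key": key, "counter": counter, "time": time_stamp}

    def handle_request(self, device_id: str, blob: bytes):
        """FIG. 9A: locate device record, decrypt, verify time stamp and counter, store."""
        rec = self.device_records.get(device_id)
        if rec is None:
            return False, "unknown device"
        try:
            msg = json.loads(toy_stream_cipher(rec["key"], blob))
            body, given = msg["body"], msg["checksum"]
        except (ValueError, KeyError, TypeError):
            return False, "decrypt failed"          # wrong key or mangled ciphertext
        if not hmac.compare_digest(checksum(canonical(body)), given):
            return False, "checksum mismatch"       # altered in transit
        if body["time"] - rec["time"] > MAX_GAP_SECONDS:
            return False, "time limit exceeded; new initial pass required"
        if body["counter"] <= rec["counter"]:
            return False, "stale session counter; request ignored"  # [0027]
        rec["counter"] = body["counter"]            # store updated session counter
        rec["time"] = body["time"]                  # store time stamp
        rec["key"] = bytes.fromhex(body["next_key"])  # store next step session key
        return True, body["payload"]


if __name__ == "__main__":
    k0 = bytes(range(32))                           # constructed: key from an earlier initial pass
    client = ClientAuthService("pda-10", k0, 0)
    server = ServerAuthService()
    server.add_device_record("pda-10", k0, 0, 1000)
    dev, blob = client.build_request({"op": "balance"}, 1010)
    print(server.handle_request(dev, blob))         # accepted, key rotated on both sides
    client.confirm()
    print(server.handle_request(dev, blob))         # replay no longer decrypts
```

Because the server rotates the record's key as soon as a request is accepted, a replayed blob fails at decryption; the counter check in [0027] is what rejects a stale request that still arrives under the current key.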
`
`[0030] The block diagrams of FIGS. 2—5 show the archi—
`
`
`
`
`
`
`
`
`tecture and functionality of one implementation of the
`
`
`
`
`
`
`
`present invention. If embodied in software, each block may
`
`
`
`
`
`
`represent a module, segment, or portion of code that com-
`
`
`
`
`
`
`prises one or more executable instructions to implement the
`
`
`
`
`
`
`
`
`
`
`
`specified logical function(s). If embodied in hardware, each
`block may represent a circuit or a number of interconnected
`
`
`
`
`
`
`
`
`
`
`
`circuits to implement the specified logical function(s).
`[0031] Also, the present invention can be embodied in any
`
`
`
`
`
`
`
`
`computer—readable medium for use by or in connection with
`
`
`
`
`
`an instruction execution system such as a computer/proces-
`
`
`
`
`
`
`sor based system or other system that can fetch or obtain the
`
`
`
`
`
`
`
`
`
`
`logic from the computer-readable medium and execute the
`
`
`
`
`
`
`
`
`instructions
`contained
`therein. A “computer-readable
`
`
`
`
`medium” can be any medium that c