Methods, systems, and computer program products for...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S155000, C713S156000, C713S168000


active

06748528

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to secured communications and more particularly to secured communications based on the Secure Socket Layer (SSL) protocol.
BACKGROUND OF THE INVENTION
In communications between a client and a server, it is often beneficial to provide increased security. One mechanism for providing increased security is through the use of the Secure Socket Layer (SSL) protocol which uses a hybrid public-key system in which public-key cryptography is used to allow a client and a server to securely agree on a secret session key.
FIG. 1 illustrates a conventional SSL connection between a client 10 and a server 12. As seen in FIG. 1, the client 10 communicates directly with the server 12 utilizing the SSL connection 16.
The SSL protocol may provide privacy and integrity between two communicating applications. The SSL protocol typically utilizes two layers, the lowest layer of which is the SSL Record Protocol, which is layered on top of a communications protocol such as TCP/IP. The SSL Record Protocol encapsulates higher level protocols such as the SSL Handshake Protocol. The SSL Handshake Protocol allows the server and client to authenticate each other and to establish an encryption method and keys. The SSL protocol is further described in U.S. Pat. No. 5,657,390 entitled “Secure Socket Layer Application Program Apparatus and Method” which is incorporated herein by reference as if set forth in its entirety.
One advantage of SSL is that it is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently. Thus, the SSL protocol provides connection security where encryption is used after an initial handshake to define a secret key for use during a session and where the communication partner's identity can be authenticated using, for example, a well known public certificate issuing authority. Examples of such well known certificate authorities include RSA Data Security, Inc., Verisign™ and EquiFax™.
Authentication is important in establishing the secure connection as it provides a basis for the client to trust that the server (typically identified by its Universal Resource Locator (URL)) is the entity associated with the server public key provided to the client and used to establish the secret session key. As noted above, this authentication may be provided through the use of certificates obtained by the server from one of the well known certificate authorities. The certificate (such as an X.509 certificate) typically includes an identification of the server (such as its hostname), the server's public key, and a digital signature which is provided by the well known certificate authority and which is used by a client receiving the certificate to authenticate the identity of the server before initiating a secured session. In particular, the application on the client initiating the secured communication session, such as a browser, is typically installed with a public key ring including public keys for various of the well known certificate authorities which allow the client to verify server certificates issued by these certificate authorities.
One problem with SSL implementations based on certificates from well known certificate authorities is the cost and administrative burdens associated with obtaining a certificate from one of the well known certificate authorities. This can be particularly problematic for corporate or other networks having a plurality of servers and which may add additional server stations over time as each server typically requires its own certificate before it will be “trusted” by clients.
One option is to rely on a self-signed certificate or a certificate signed by a local certificate authority. However, this typically requires either that a local private key be deployed to all client machines securely (such as through an out of band process) or that the keys be insecurely downloaded during the negotiations establishing an SSL session, thereby potentially reducing the security of the session.
An additional problem with SSL implementations using browsers is that the browser typically does not make its public key ring available to other applications on the client. In addition, browsers typically only support Hypertext Transport Protocol (HTTP) communications. Accordingly, it is often difficult to provide a public key ring to other applications which may desire the use of SSL secured communications which are not based on HTTP.
One solution to the problem of SSL support for non-HTTP sessions is provided by the Host on Demand™ product from International Business Machines Corporation through the SSLight™ Java toolkit. In this application, a public key may be provided for use by an application being downloaded to the client from a Host on Demand server. The public key or key ring may be included in a class file which is included with the application when it is downloaded. Accordingly, if the browser interface between the client and the Host on Demand server is set up as a secured connection, such as an HTTP over SSL (HTTPS) connection, the public key in the class file may be securely transferred. However, a problem with this approach is that the entire application transfer must occur on a secured connection, thereby creating an unnecessary performance disadvantage as there may be no need to secure the remainder of the transfer.
In light of the above discussion, a need exists for improvements in the authentication process for servers under the SSL protocol to address the limitations associated with the use of well known certificate authorities and self-signed certificates.
SUMMARY OF THE INVENTION
In view of the above discussion, it is an object of the present invention to provide systems and methods which can allow secure authentication in SSL systems with reduced reliance on well known certificate authorities.
A further object of the present invention is to provide such systems and methods which can support network environments with a plurality of clients and servers which are controlled by a common organization, such as a corporation.
These and other objects of the present invention may be provided by methods, systems and computer program products which allow “bootstrapping” of credentials by a client application using the well known certificate authority SSL capabilities of another installed application, such as a browser. A first secured session is established between the client and a server which has a certificate including a digital signature from a well known certificate authority. For example, an HTTPS session may be established to the server by a browser such as Netscape™ or Internet Explorer™. An additional public key, or public key ring, is then downloaded from the server to the client which may be subsequently used by the client to establish SSL sessions with servers that do not have a certificate from a well known certificate authority.
By using bootstrapping on the secured session to download additional public keys, the present invention allows SSL sessions to be subsequently set up by an application with servers that do not have certificates from a well known certificate authority, thereby possibly avoiding financial and administrative expenses. As an additional advantage, a public key can be downloaded from a server, which may have a certificate from a well known certificate authority, which public key can be provided by the browser to a separate application which supports a variety of communication protocols. This may be advantageous as a browser typically only supports HTTP and typically does not make its public key ring available to other applications residing on the client.
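The bootstrapping flow described above, sketched as an added example that is not part of the patent text: it uses Python's standard ssl module (TLS, the successor to SSL) and treats the platform CA store as the well known key ring. The function names and any URL, host or port passed to them are hypothetical.

```python
import socket
import ssl
import urllib.request


def well_known_ca_context() -> ssl.SSLContext:
    """First session: trust only the pre-installed, well known CA store."""
    return ssl.create_default_context()  # CERT_REQUIRED + hostname check


def download_key_ring(url: str, timeout: float = 10.0) -> str:
    """Fetch the additional key ring (PEM) over the CA-authenticated session."""
    if not url.lower().startswith("https://"):
        raise ValueError("key ring must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=timeout,
                                context=well_known_ca_context()) as resp:
        # urllib follows redirects; reject a downgrade to plain HTTP.
        if not resp.geturl().lower().startswith("https://"):
            raise ValueError("redirected off HTTPS; key ring rejected")
        return resp.read().decode("ascii")


def bootstrapped_context(ring_pem: str) -> ssl.SSLContext:
    """Later sessions: trust only the downloaded ring, not the public CAs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with empty store
    try:
        ctx.load_verify_locations(cadata=ring_pem)
    except (ssl.SSLError, ValueError) as exc:
        raise ValueError("key ring holds no usable certificate") from exc
    return ctx


def open_session(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Non-HTTP secured session to a server whose cert chains to the ring."""
    raw = socket.create_connection((host, port), timeout=10.0)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

Because the second context starts from an empty store, a server holding only a public-CA certificate is rejected by it just as a locally signed server is rejected by the first context; the two trust domains stay separate.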
In an embodiment of the present invention, a method is provided for establishing secured communication sessions between a client and a server. A first secured communication session, which is preferably a secured SSL communication session, is established between the client and a first server based on a certificate transmitted from the first server to the client, the first server certif
