Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1999-03-16
2001-10-16
Barron, Jr., Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C713S169000, C380S211000, C709S229000
Reexamination Certificate
active
06304969
ABSTRACT:
BACKGROUND OF THE INVENTION
1. The Field of the Invention
The present invention relates to systems and methods for verifying the authorization of a server to provide network resources to a client. More specifically, the present invention relates to systems and methods whereby the client compares a random number encrypted in a message sent to the server with a random number encrypted in a message sent to the client from the server, wherein the client determines that the server is authorized if the random numbers are the same.
2. The Prior State of the Art
During recent years, the use of computer networks to distribute information to users has increased dramatically. For example, the Internet is currently used for many purposes, including electronic commerce, delivery of news, entertainment, and education, to name just a few. Many Internet service providers (“ISPs”) and content providers have found that accurate identification of users is necessary to support subscription services. When a client establishes communication with an ISP, the server at the ISP typically verifies that the client is recognized as one that has duly subscribed to the Internet service. Likewise, many World Wide Web (“Web”) sites are available to users by subscription only. When a client attempts to access a subscription-based Web site, the client may be prompted to verify that it is authorized to receive content from the site.
Verification of the identity of clients has been accomplished in many ways. A simple example involves the client transmitting to the server a user name and a password that has been previously registered with the server. If the user name and password match a registered user name and password stored at the server, the client is allowed access to the network resources. More advanced security systems include, for example, transmitting a client machine identifier from the client to the server or other techniques whereby information associated with the client verifies the identity of the client.
Verifying the identity and authorization status of clients allows ISPs and content providers to collect subscription fees from users. Without a reliable system to verify authorization of clients, non-authorized users could access service, and legitimate users may have little incentive to pay for service.
There are some network configurations and business models that require security measures beyond the typical client-identification strategies described above. In some instances, it is desirable to identify the authorization of the server to provide network resources to the client. For a variety of reasons, suppliers or manufacturers of certain client systems may desire to allow only selected servers to provide network resources to their client systems. In one example, a provider of enhanced Internet, television, or other information or entertainment services may develop a client system specifically designed to receive its information or entertainment resources. In this example, the supplier of the client system can be seen primarily as the provider of the information or entertainment services, while the client system can be seen as a tool allowing users to gain access to the provider.
The traditional security strategy of providing user names, passwords, or other identifiers is inadequate when applied to the verification of authorization of a server to provide network resources. As can be easily understood, simple identifiers are not readily applicable to configurations where a single or a small number of servers provide service to a large number of clients. In particular, if a server were to widely distribute an identifier to multiple clients, an imposter server could easily intercept the identifier and attempt to adopt the identity of the authorized server.
In addition, the entity that desires to control access by unauthorized servers is often not the client, but is instead the operator of the authorized server. When an unauthorized server attempts to gain access to client systems, the operator of the authorized server may not be aware of the attempt. Accordingly, if conventional security systems were the only available means of protection, the client system and the operator of the unauthorized server could collude to override the security system. As a result, any security system that is freely accessible by the operators of client systems or unauthorized servers could be breached relatively easily.
In view of the foregoing, what is needed is a system for verifying the identity or authorization of servers to provide network resources to client systems. It would be an advancement in the art to provide a system for verifying the authorization of servers that is not merely analogous to the conventional use of identifiers to verify the identity of clients. It would be particularly advantageous to verify the authorization of servers using a security system that cannot be readily accessed or overridden by an operator of the client system. It would also be desirable to combine such a system for verifying the authorization of servers with a system for verifying the identity of clients.
SUMMARY AND OBJECTS OF THE INVENTION
The present invention relates to systems and methods for verifying the authorization of a server to provide network resources to a client. The authorization process requires the server to decrypt a message generated by the client and to respond with an appropriate encrypted message. Authorized servers have the decryption key needed to decrypt the message, whereas unauthorized servers will be unable to decrypt the message or to return the appropriate encrypted message to the client. The system can be configured to prevent software operating on the client from enabling the functions of the client without proper server authorization or may otherwise override the security features. In addition, the process of verifying the authorization of the server can be combined with measures to verify the identity of the client.
According to one implementation of the invention, when a security counter, or timer, exceeds the value of an expiration count stored at the client or at other selected times, an authorization interrupt is generated. The other selected times for generating authorization interrupts may occur, for example, when the client is turned on or when software operating at the client generates a reauthorization signal. The authorization interrupt eventually disables some or all of the functions of the client unless the server is authorized within an allotted period of time. In response to the authorization interrupt, the client generates a client message that includes the value of the security counter, a client identifier, and a random number. The client message is encrypted using an encryption key and is transmitted to the server.
If the client message is received by an unauthorized server, the server is unable to decrypt the message and to access the encoded information included therein. When the client message is instead received by an authorized server, the server uses a decryption key to decrypt the message. The server then decombines the value of the security counter, the client identifier, and the random number. Based on the value of the security counter, the server selects a new expiration count that will cause the client to again initiate the authorization process at a future time. The client identifier is compared against a client authorization database to determine the level of service that the client is authorized to receive. The level of service represents a level of functionality that the client is permitted to exhibit. The server generates an authorization code corresponding to the authorized level of service.
The server then creates a service message by combining the new expiration count, the authorization code, and the random number that was included in the client message. The server encrypts the service message and transmits it to the client. If the client message had been received by an unauthorized server, the message would have remained encrypted, such that the unautho
Farrand Toby E.
Gray, III Donald M.
Wasserman Steven C.
Barron Jr. Gilberto
Webiv Networks, Inc.
Workman & Nydegger & Seeley
LandOfFree
Verification of server authorization to provide network... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Verification of server authorization to provide network..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Verification of server authorization to provide network... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2587617