WO2020011332A1 - System and method for creating a secure connection - Google Patents


Info

Publication number
WO2020011332A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
processing unit
service
network connection
service provider
Application number
PCT/EP2018/068518
Other languages
French (fr)
Inventor
Igor SHAFRAN
Irena BEREZOVSKY
Itamar OFEK
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to CN201880095428.5A (CN112385192B)
Priority to PCT/EP2018/068518 (WO2020011332A1)

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/08 ... for authentication of entities / H04L63/083 ... using passwords / H04L63/0838 ... using one-time-passwords
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/02 ... for separating internal from external traffic, e.g. firewalls / H04L63/0281 Proxies
    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks / H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention in some embodiments thereof, relates to a system for providing a computerized service and, more specifically, but not exclusively, to a system for creating a secure connection between a client and a provider of a computerized service.
  • secure channel means a way of transferring data that is resistant to overhearing and tampering.
  • One possible method to establish a secure channel between a client and a provider of a computerized service is to use a secure point to point network protocol.
  • Some examples of a secure point to point network protocol are Internet Protocol Security (IPSec), Hypertext Transfer Protocol Secure (HTTPS), and Secure Shell (SSH).
  • Another possible method is to create a Virtual Private Network (VPN) for network communication between the client and the provider of the computerized service.
  • Some methods require exchanging one or more encryption keys between the client and the provider of the computerized service.
  • Some systems that use encryption key exchange use the Internet Key Exchange (IKE) protocol.
  • a system for creating a secure connection between a client and a provider of a computerized service comprises a management processing unit adapted to: receive from a client processing unit a service identifier and a plurality of client credentials; deduce from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; send to the client processing unit the plurality of client side network connection values to be used by the client processing unit when establishing a direct network connection; and send to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
  • Using a management processing unit may eliminate a necessity for the service provider processing unit to listen on a public port.
  • a method for creating a secure connection between a client and a provider of a computerized service comprises receiving from a client processing unit a service identifier and a plurality of client credentials; deducing from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; sending to the client processing unit the plurality of client side network connection values to be used by the client when establishing a direct network connection; and sending to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
  • a system for creating a secure connection between a client and a provider of a computerized service comprises a client processing unit adapted to: send a service identifier and a plurality of client credentials to a management processing unit; receive from the management processing unit a plurality of client side network connection values; and establish a direct network connection with a service provider processing unit using the plurality of client side network connection values for the purpose of receiving the computerized service from the service provider processing unit.
  • the plurality of client side network connection values are selected from a group of network connection values comprising: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a private secret value, a public secret value, and a hint value describing a preferred protocol.
  • the plurality of server side network connection values are selected from the group of network connection values.
  • the plurality of client side network connection values comprises a network address value of the service provider processing unit and a network port number value of the service provider processing unit.
  • the plurality of server side network connection values comprises a network address value of the client.
  • the service type identifier value identifies a service selected from a group consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), Internet Protocol Security (IPSec), Transport Layer Security (TLS), and Secure Sockets Layer (SSL).
  • Sending the client processing unit a network address and port number of the service provider processing unit may eliminate a necessity for the service provider processing unit to listen on a public port, and sending the service provider processing unit a network address of the client processing unit may facilitate the service provider processing unit authenticating the client processing unit when the client processing unit attempts to establish a connection with the service provider processing unit.
  • the plurality of server side network connection values comprises some or all of the plurality of client credentials. Some or all of the plurality of client credentials may facilitate the service provider processing unit authenticating the client and thus reduce a risk of unauthorized access to the service provider.
  • the management processing unit is further adapted to instruct the service provider processing unit to execute a service software object or a plurality of service software objects for the purpose of providing the computerized service to the client processing unit.
  • the service software object or plurality of service software objects comprise a compute instance executed by the service provider processing unit for the purpose of providing the computerized service to the client processing unit.
  • the management processing unit is further adapted to configure at least one network device to direct a digital message or a plurality of digital messages from the client processing unit to the service provider processing unit. Configuring the at least one network device only when the computerized service is required by the client processing unit may reduce risk of unauthorized access to the computerized service as access is not permitted before there is demand from a client.
  • the system further comprises an authentication processing unit adapted to execute a hash-based message authentication code (HMAC) One-time Password (HOTP) server.
  • the client processing unit uses some or all of the client side values to generate a one-time password token for use in the direct network connection, and the service provider processing unit communicates with the HOTP server to authenticate the one time password token.
  • the authentication processing unit is the management processing unit or the service provider processing unit. Using a one-time password may facilitate supporting computerized services that require a one-time password.
  • the client credentials comprise an International Telecommunications Union's Standardization sector X.509 certificate (X.509 certificate) comprising an Enhanced Key Usage field, and a value of the Enhanced Key Usage field is the service identifier.
  • the management processing unit executes at least one Authentication, Authorization and
  • Login-TCP-Port attribute and a Login-Service attribute and the at least one AAA software object communicates with the at least one IKE software object using the plurality of RADIUS data attributes.
  • a value of the Login-IP-Host attribute sent from the at least one IKE software object to the client processing unit is a network address value of the service provider processing unit.
  • a value of the Login-TCP-Port attribute sent from the at least one IKE software object to the client processing unit is a network port number value of the service provider processing unit.
  • a value of the Login-Service attribute sent from the at least one IKE software object to the client processing unit is a service type identifier value.
  • a value of the Filter-Id attribute sent from the at least one AAA software object to the at least one IKE software object or the client processing unit is a shared secret value for creation of a one-time password.
  • Using some RADIUS attributes may facilitate reduced costs of implementation and operation by using existing RADIUS supporting components.
  • the client processing unit sends the service identifier and the plurality of client credentials to the management processing unit using the Internet Key Exchange (IKE) protocol.
  • the client processing unit establishes the direct network connection using a protocol selected from a group of secure protocols consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and Internet Protocol Security (IPSec).
  • FIG. 1 is a schematic block diagram of an exemplary system, according to some embodiments of the present invention.
  • FIG. 2 is a sequence diagram of an optional flow of operations, according to some embodiments of the present invention.
  • FIG. 3 is a sequence diagram of an optional flow of operations to deduce the plurality of client and server side network connection values, according to some embodiments of the present invention
  • FIG. 4 is a sequence diagram of an optional flow of operations using a one-time password, according to some embodiments of the present invention.
  • FIG. 5 is a sequence diagram of an optional flow of operations to establish an SSH connection, according to some embodiments of the present invention.
  • FIG. 6 is a sequence diagram of an optional flow of operations to establish an IPSec connection, according to some embodiments of the present invention.
  • a client communicates with a provider of the computerized service using a digital communication network.
  • the digital communication network may be a Local Area Network (LAN), for example an Ethernet network or a wireless network such as a Wireless Fidelity (WiFi) network.
  • the digital communication network may be a Wide Area Network (WAN), for example the Internet.
  • the digital communication network may comprise a LAN and a WAN.
  • the provider of the computerized service may be one or more hardware processors adapted to execute one or more software objects for providing the computerized service.
  • server is used to mean a provider of a computerized service and the term "network" is used to mean a digital communication network.
  • the client sends the server a service request.
  • the server must listen continuously to a known network port for the service request from the client.
  • the server is located within a controlled access network (private network), such that other computers may access the server only via one or more network devices configured to filter network traffic into and out of the private network. Examples of a network device are a router, a switch, and a firewall.
  • a network device may be a dedicated device.
  • a network device may be a device, for example a computer, configured to implement a networking service such as routing, switching or a firewall, as well as other computerized services.
  • the term "gateway" refers to one or more network devices configured to filter network traffic into and out of a private network.
  • the gateway is configured to allow delivering the service request to the server inside the private network.
  • the gateway may be configured to deliver network traffic between the client and the server only using the secure network protocol. Allowing a service request from any client to be delivered to the server could expose the server to malicious exploitation via the known network port.
  • Configuring the gateway to allow only traffic from a group of known clients requires advance knowledge of which clients may require the computerized service, or manual ad hoc configuration of the gateway as a new client requires the computerized service.
  • when more than one server is located on one private network, there is a need to configure the gateway with access rules per client, per computerized service.
  • Additional configuration of the gateway may be needed when a new secure protocol is introduced, in addition to one or more secure protocols the gateway is already configured to deliver.
  • Some systems create a VPN for network access by the client to the private network; however using a VPN may expose the entire private network to the client, which may not be necessary or desirable as this exposure could expose the topology of the private network and additionally or alternately expose other computers connected to the private network to a malicious exploitation from the client.
  • a secure point to point network protocol is used for communication between the client and the server.
  • a VPN solution requires double encryption - one for a secure channel between the client and the server and one for the VPN. This requires more than one encryption key exchange.
  • the present invention proposes using a mediation service for a single encryption key exchange to enable access to a computerized service on a private network using one of a plurality of secure point to point network protocols.
  • a secure connection interface (endpoint) is exposed by the server according to a client’s identity and security credentials, upon receiving by the mediation service a service request from the client.
  • the present invention proposes dynamically provisioning a service instance only when a client requires the service instance.
  • the present invention proposes dynamically configuring one or more network devices (the gateway) to enable establishment of a secure channel between the client and the server.
  • Dynamically configuring a secure point to point network protocol may allow eliminating pre-configuration of the gateway, reducing the ability of an unauthorized entity to access the server. Dynamically provisioning the service instance may further reduce the ability of an unauthorized entity to access the server as a service instance’s endpoint in the server exists for a reduced period of time.
  • refraining from using a VPN may prevent an unauthorized entity from accessing other devices connected to the private network other than the server.
  • refraining from using a VPN may facilitate reducing costs of operation as VPN expertise, which may be expensive, is not required.
  • EAP Extensible Authentication Protocol
  • the exchanged information comprises client credentials.
  • client credentials are a client's identity, a preferred point to point network protocol identifier, a security certificate, and a permission to use a service.
  • IKE protocol with one or more EAP based protocols may facilitate using existing network devices and network software solutions already adapted to support IKE and EAP based protocols, and thus may facilitate lower implementation costs when implementing the present invention compared to implementing a solution requiring specially adapted network devices and network software solutions.
  • the present invention may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
  • the computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.
  • the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures.
  • two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • system 100 comprises a management processing unit 101 for the purpose of provisioning a secure channel between a client processing unit 104 and a service provider processing unit 106 in order to provide client processing unit 104 with at least one computerized service by service provider processing unit 106.
  • a processing unit may be any kind of programmable or non-programmable circuitry that is configured to carry out the operations described herein.
  • the processing unit may comprise hardware as well as software.
  • a processing unit may comprise one or more processors and a transitory or non-transitory memory that carries a program which causes the processing unit to perform the respective operations when the program is executed by the one or more processors.
  • client processing unit (client) 104 is connected to management processing unit (management) 101 via at least one digital communication network.
  • Client 104 is optionally connected to service provider processing unit (service provider) 106 via at least one other digital communication network.
  • service provider 106 is connected to a private network and client 104 is connected to service provider 106 via at least one network device 110, optionally configured to control access to the private network. Examples of a network device are a router, a switch, a residential gateway, and a firewall.
  • system 100 comprises authentication processing unit 114, for the purpose of executing a hash-based message authentication code (HMAC) One-time Password (HOTP) server used to authenticate client 104 when establishing a secure connection with service provider 106.
  • authentication processing unit 114 is management 101.
  • authentication processing unit 114 is service provider 106.
  • system 100 implements the following optional method.
  • client 104 sends management 101 a service identifier, identifying a computerized service requested by client 104, and a plurality of client credentials.
  • examples of a computerized service include SSH, HTTPS, IPSec, Transport Layer Security (TLS), and Secure Sockets Layer (SSL).
  • the plurality of client credentials comprises an International Telecommunications Union's Standardization sector X.509 certificate (X.509 certificate), used to prove client 104's ownership of a public key.
  • the X.509 certificate comprises an Enhanced Key Usage field.
  • a value of the Enhanced Key Usage field is the service identifier.
  • after receiving in 201 the service identifier and the plurality of client credentials from client 104, in 210 management 101 optionally deduces from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values.
  • Examples of a network connection value are: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a public secret value, and a hint value describing a preferred protocol.
  • a network address value may identify service provider 106 or client 104.
  • a network port number value may identify an endpoint of a computerized service or be used by service provider 106 to authenticate a request from client 104.
  • a service type identifier may identify a computerized service that service provider 106 is allowed to provide to client 104.
  • An algorithm identifier may identify an encryption algorithm to be used in a secure connection between client 104 and service provider 106.
  • a public secret value may be generated by management 101 on behalf of service provider 106 or client 104 and sent to the respective other party.
  • a hint value may be used by client 104 and/or service provider 106 when more than one computerized service is possible.
  • the client side network connection values may comprise one or more of: a network address value of service provider 106, and a network port value of service provider 106 identifying an endpoint for the computerized service provided by service provider 106 to client 104.
  • the server side network connection values may comprise a network address value of client 104.
  • the plurality of server side network connection values comprise some or all of the plurality of client credentials.
  • the plurality of server side network connection values optionally comprises the X.509 certificate.
  • the plurality of server side network connection values optionally comprises another X.509 certificate, used to prove client 104's ownership of another public key, for example a public key generated by management 101.
  • FIG. 3 is a sequence diagram of an optional flow of operations 300 to deduce the plurality of client and server side network connection values, according to some embodiments of the present invention.
  • client 104 sends the service identifier and the plurality of client credentials to management 101 using the IKE protocol.
  • management 101 executes at least one IKE software object (IKE service) 121, for communicating with client 104.
  • client 104 optionally establishes a secure connection with IKE service 121 using IKE phase 1 protocol.
  • management 101 executes at least one Authentication Authorization and Accounting software object (AAA extended service) 122, to generate the plurality of client side network connection values and plurality of server side network connection values.
  • An optional flow of operations to deduce the plurality of client side network connection values and plurality of server side network connection values in 210 comprises in 311 IKE service 121 opening a secure channel with AAA extended service 122, and in 312 IKE service 121 negotiating with AAA extended service 122 one or more security keys using a shared secret value from the plurality of client credentials received from client 104 in 201.
  • IKE service 121 sends the plurality of client credentials and the service identifier received from client 104 in 201 to AAA extended service 122.
  • AAA extended service 122 generates in 313 the plurality of client side network connection values and plurality of server side network connection values, optionally using the plurality of client credentials and the service identifier received from the client in 201.
  • management 101 executes one or more connection controller software objects (connection controller) 123, for the purpose of provisioning a secure connection between client 104 and service provider 106.
  • AAA extended service 122 optionally sends connection controller 123 in 314 the generated plurality of client side network connection values and plurality of server side network connection values.
  • client 104 uses a plurality of Remote Authentication Dial-In User Service (RADIUS) data attributes when communicating with IKE service 121 and optionally when communicating with AAA extended service 122.
  • AAA extended service 122 uses the plurality of RADIUS data attributes when communicating with IKE service 121.
  • a value of a RADIUS Login-IP-Host attribute sent from IKE service 121 to client 104 is a network address value of service provider 106.
  • a value of a RADIUS Login-TCP-Port attribute sent from IKE service 121 to client 104 is a network port number value of service provider 106.
  • a value of a RADIUS Login-Service attribute sent from IKE service 121 to client 104 is a service type identifier value.
  • a value of a RADIUS Filter-Id attribute sent from AAA extended service 122 to IKE service 121 or client 104 is a shared secret value for creation of a one-time password.
  • management 101 optionally sends client 104 the plurality of client side network connection values and in 241 management 101 optionally sends service provider 106 the plurality of server side network connection values.
  • management 101 optionally configures network device 110 to direct a digital message of a plurality of digital messages from client 104 to service provider 106, for example by configuring a port forwarding rule.
  • management 101 instructs service provider 106 to execute one or more service software objects for the purpose of providing the computerized service to client 104.
  • the one or more service software objects comprise a compute instance executed by service provider 106 for the purpose of providing the computerized service to client 104.
  • Examples of a compute instance are a virtual machine and an operating-system-level virtualization software object, also known as a container or a virtualization container, running one or more software programs or applications in isolation from other software programs.
  • Some examples of a service software object are a SSH service, an IPSec service and an HTTPS service.
  • client 104 optionally establishes a direct secure network connection with service provider 106 using the plurality of client side network connection values received from management 101 in 240, for the purpose of receiving the computerized service from service provider 106.
  • Service provider 106 optionally uses the plurality of server side network connection values when establishing the direct secure network connection with client 104.
  • client 104 establishes the direct secure network connection with service provider 106 using a secure point-to-point network protocol, for example SSH, HTTPS or IPSec.
  • authorization processing unit 114 executes one or more HOTP server software objects implementing a HOTP server.
  • 210 further comprises generating in 401 a one-time password token, optionally using a shared secret value from the plurality of client credentials received from client 104 in 201, sent by AAA extended service 122 to authorization processing unit 114.
  • the plurality of server side network connection values sent in 241 to service provider 106 comprises a network address value of authorization processing unit 114.
  • Some secure protocols that may use a one-time password include SSH and IPSec.
  • after receiving the plurality of client network connection values in 240, in 410 client 104 optionally initiates an SSH connection with service provider 106.
  • client 104 may execute one or more SSH client software objects, and service provider may execute one or more SSH server software objects.
  • client 104 optionally generates a one time password token in 420 and optionally sends the one-time password token to service provider 106 in 421.
  • service provider 106 optionally sends the one-time password token to authentication processing unit 114 to authenticate that client 104 connecting to SSH service provided by service provider 106 is the same client that connected in 301 and 210.
  • client 104 optionally executes one or more IPSec client software objects
  • service provider 106 optionally executes one or more IPSec server software objects.
  • After receiving the plurality of client network connection values in 240, in 601 client 104 optionally initiates an IPSec connection with service provider 106, for example using IKE phase 2 protocol. Optionally, client 104 sends service provider 106 the generated one-time password token. In this flow as well, in 422 service provider 106 optionally sends the one-time password token to authentication processing unit 114 to authenticate that client 104 connecting to the IPSec service provided by service provider 106 is the same client that connected in 301 and 210. After authenticating client 104 with authentication processing unit 114, service provider 106 optionally establishes in 605 an IPSec connection with client 104, for example a VPN connection.
  • composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
  • a compound or “at least one compound” may include a plurality of compounds, including mixtures thereof.
  • range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.

Abstract

A system for creating a secure connection between a client and a provider of a computerized service comprises a management processing unit adapted to: receive from a client processing unit a service identifier and a plurality of client credentials; deduce from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; send to the client processing unit the plurality of client side network connection values to be used by the client processing unit when establishing a direct network connection; and send to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection. A need for the service provider processing unit to listen on a public port can thus be eliminated.

Description

SYSTEM AND METHOD FOR CREATING A SECURE CONNECTION
BACKGROUND
The present invention, in some embodiments thereof, relates to a system for providing a computerized service and, more specifically, but not exclusively, to a system for creating a secure connection between a client and a provider of a computerized service.
There are systems where there is a need to provide a secure channel between a client and a provider of a computerized service connected via a digital communication network, for example financial systems and medical information systems. As used herein, the term secure channel means a way of transferring data that is resistant to overhearing and tampering. One possible method to establish a secure channel between a client and a provider of a computerized service is to use a secure point to point network protocol. Some examples of a secure point to point network protocol are Internet Protocol Security (IPSec), Hypertext Transfer Protocol Secure (HTTPS), and Secure Shell (SSH). Another possible method is to create a Virtual Private Network (VPN) for network communication between the client and the provider of the computerized service. Some methods require exchanging one or more encryption keys between the client and the provider of the computerized service. Some systems that use encryption key exchange use the Internet Key Exchange (IKE) protocol.
SUMMARY
It is an object of the present invention to provide a system and a method for creating a secure connection between a client and a provider of a computerized service.
The foregoing and other objects are achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.
According to a first aspect of the invention, a system for creating a secure connection between a client and a provider of a computerized service comprises a management processing unit adapted to: receive from a client processing unit a service identifier and a plurality of client credentials; deduce from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; send to the client processing unit the plurality of client side network connection values to be used by the client processing unit when establishing a direct network connection; and send to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection. Using a management processing unit may eliminate a necessity for the service provider processing unit to listen on a public port.
According to a second aspect of the invention, a method for creating a secure connection between a client and a provider of a computerized service comprises receiving from a client processing unit a service identifier and a plurality of client credentials; deducing from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; sending to the client processing unit the plurality of client side network connection values to be used by the client when establishing a direct network connection; and sending to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
According to a third aspect of the invention, a system for creating a secure connection between a client and a provider of a computerized service comprises a client processing unit adapted to: send a service identifier and a plurality of client credentials to a management processing unit; receive from the management processing unit a plurality of client side network connection values; and establish a direct network connection with a service provider processing unit using the plurality of client side network connection values for the purpose of receiving the computerized service from the service provider processing unit.
With reference to the aspects, in a possible implementation of the present invention, the plurality of client side network connection values are selected from a group of network connection values comprising: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a private secret value, a public secret value, and a hint value describing a preferred protocol. The plurality of server side network connection values are selected from the group of network connection values. Optionally, the plurality of client side network connection values comprises a network address value of the service provider processing unit and a network port number value of the service provider processing unit, and the plurality of server side network connection values comprises a network address value of the client. Optionally the service type identifier value identifies a service selected from a group consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), Internet Protocol Security (IPSec), Transport Layer Security (TLS), and Secure Sockets Layer (SSL). Sending the client processing unit a network address and port number of the service provider processing unit may eliminate a necessity for the service provider processing unit to listen on a public port, and sending the service provider processing unit a network address of the client processing unit may facilitate the service provider processing unit authenticating the client processing unit when the client processing unit attempts to establish a connection with the service provider processing unit. Optionally, the plurality of server side network connection values comprises some or all of the plurality of client credentials. Some or all of the plurality of client credentials may facilitate the service provider processing unit authenticating the client and thus reduce a risk of unauthorized access to the service provider.
With reference to the aspects, in a possible implementation of the present invention, the management processing unit is further adapted to instruct the service provider processing unit to execute a service software object or a plurality of service software objects for the purpose of providing the computerized service to the client processing unit. Optionally, the service software object or plurality of service software objects comprise a compute instance executed by the service provider processing unit for the purpose of providing the computerized service to the client processing unit. When the service provider processing unit doesn’t execute the computerized service until instructed by the management processing unit there may be reduced risk of unauthorized access to the computerized service as the computerized service is available for less time than if it were executed continuously regardless of demand.
With reference to the aspects, in a possible implementation of the present invention, the management processing unit is further adapted to configure at least one network device to direct a digital message or a plurality of digital messages from the client processing unit to the service provider processing unit. Configuring the at least one network device only when the computerized service is required by the client processing unit may reduce risk of unauthorized access to the computerized service as access is not permitted before there is demand from a client.
With reference to the aspects, in a possible implementation of the present invention, the system further comprises an authentication processing unit adapted to execute a hash-based message authentication code (HMAC) One-time Password (HOTP) server. The client processing unit uses some or all of the client side values to generate a one-time password token for use in the direct network connection, and the service provider processing unit communicates with the HOTP server to authenticate the one time password token. Optionally, the authentication processing unit is the management processing unit or the service provider processing unit. Using a one-time password may facilitate supporting computerized services that require a one-time password.
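The one-time password step described in this paragraph, and in the FIG. 4 to FIG. 6 flow listed above (client 104 generates a token from the shared secret, service provider 106 forwards it to the HOTP server on authentication processing unit 114 before admitting the SSH or IPSec session), as an added Python example. This is not code from the patent; it assumes RFC 4226 HOTP (HMAC-SHA1, 6 digits), a constructed shared secret and client identifier, and a look-ahead window and failure throttle of the example's own choosing.

```python
"""Constructed example of the HOTP-backed authentication step (not the patent's code).

Roles follow the figures: authentication processing unit 114 runs the HOTP server,
client 104 generates a token from the shared secret it received as a client side
network connection value, and service provider 106 asks the HOTP server to
validate the token before accepting the direct SSH or IPSec connection.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpServer:
    """HOTP server run by authentication processing unit 114 (assumed design)."""

    def __init__(self, look_ahead: int = 5, max_failures: int = 10) -> None:
        self._secrets = {}    # client id -> shared secret
        self._counters = {}   # client id -> next expected counter
        self._failures = {}   # client id -> consecutive failed verifications
        self.look_ahead = look_ahead
        self.max_failures = max_failures

    def register(self, client_id: str, shared_secret: bytes) -> None:
        # Management 101 provisions the secret here at the same time it hands it to the client.
        self._secrets[client_id] = shared_secret
        self._counters[client_id] = 0
        self._failures[client_id] = 0

    def verify(self, client_id: str, token: str) -> bool:
        if client_id not in self._secrets:
            return False
        if self._failures[client_id] >= self.max_failures:
            return False  # throttled, as RFC 4226 section 7.3 recommends
        secret = self._secrets[client_id]
        start = self._counters[client_id]
        for counter in range(start, start + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, counter), token):
                # Move past the used counter so the token can never be replayed, and
                # resynchronise if the client had moved ahead within the window.
                self._counters[client_id] = counter + 1
                self._failures[client_id] = 0
                return True
        self._failures[client_id] += 1
        return False


class HotpClient:
    """Client 104's token generator; the secret is a client side network connection value."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self.counter = 0

    def next_token(self) -> str:
        token = hotp(self._secret, self.counter)
        self.counter += 1
        return token


def service_provider_accepts(server: HotpServer, client_id: str, token: str) -> bool:
    """Service provider 106: admit the SSH/IPSec session only if the HOTP server validates the token."""
    return server.verify(client_id, token)


def demo() -> dict:
    """Walk the flow once; every entry in the returned dict should be True."""
    # Constructed secret (the RFC 4226 test-vector key) and constructed client identifier.
    secret = b"12345678901234567890"
    server = HotpServer()
    server.register("client-104", secret)
    client = HotpClient(secret)

    results = {}
    first = client.next_token()  # counter 0
    results["first_accepted"] = service_provider_accepts(server, "client-104", first)
    results["replay_rejected"] = not service_provider_accepts(server, "client-104", first)
    client.counter = 3  # client skipped ahead, but still inside the look-ahead window
    results["resync_accepted"] = service_provider_accepts(server, "client-104", client.next_token())
    results["stale_rejected"] = not service_provider_accepts(server, "client-104", hotp(secret, 2))
    results["far_ahead_rejected"] = not service_provider_accepts(server, "client-104", hotp(secret, 100))
    results["unknown_client_rejected"] = not service_provider_accepts(server, "client-999", first)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```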
With reference to the aspects, in a possible implementation of the present invention, the client credentials comprise an International Telecommunications Union's Standardization sector X.509 certificate (X.509 certificate) comprising an Enhanced Key Usage field, and a value of the Enhanced Key Usage field is the service identifier. Using an Enhanced Key Usage field of an X.509 certificate may reduce installation and operation costs of a system by using existing components that support X.509.
With reference to the aspects, in a possible implementation of the present invention, the management processing unit executes at least one Authentication, Authorization and Accounting (AAA) software object, and at least one Internet Key Exchange (IKE) software object; the client processing unit communicates with the at least one IKE software object and the at least one AAA software object using a plurality of Remote Authentication Dial-In User Service (RADIUS) data attributes comprising a Filter-Id attribute, a Login-IP-Host attribute, a Login-TCP-Port attribute and a Login-Service attribute; and the at least one AAA software object communicates with the at least one IKE software object using the plurality of RADIUS data attributes. A value of the Login-IP-Host attribute sent from the at least one IKE software object to the client processing unit is a network address value of the service provider processing unit, a value of the Login-TCP-Port attribute sent from the at least one IKE software object to the client processing unit is a network port number value of the service provider processing unit, a value of the Login-Service attribute sent from the at least one IKE software object to the client processing unit is a service type identifier value, and a value of the Filter-Id attribute sent from the at least one AAA software object to the at least one IKE software object or the client processing unit is a shared secret value for creation of a one-time password. Using some RADIUS attributes may facilitate reduced costs of implementation and operation by using existing RADIUS supporting components.
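The attribute mapping above, as an added Python example that encodes the client side network connection values into RADIUS attributes and parses them back on the client. This is not the patent's or any RADIUS library's code; the attribute numbers are from RFC 2865 (Filter-Id 11, Login-IP-Host 14, Login-Service 15, Login-TCP-Port 16), while the Login-Service values for SSH, HTTPS and IPSec, the addresses, port and secret are constructed assumptions, since RFC 2865 assigns no Login-Service value for those protocols.

```python
"""Constructed example: client side network connection values carried as RADIUS
attributes (RFC 2865 type/length/value encoding). Not the patent's code."""
import ipaddress
import struct
from dataclasses import dataclass

# Attribute numbers from RFC 2865.
FILTER_ID = 11
LOGIN_IP_HOST = 14
LOGIN_SERVICE = 15
LOGIN_TCP_PORT = 16

# Assumed private mapping from service type identifier to Login-Service value;
# RFC 2865 defines no value for these protocols, so a deployment must choose its own.
SERVICE_VALUES = {"ssh": 100, "https": 101, "ipsec": 102}
SERVICE_NAMES = {v: k for k, v in SERVICE_VALUES.items()}


@dataclass
class ClientSideValues:
    provider_address: str   # network address value of service provider 106 (Login-IP-Host)
    provider_port: int      # network port number value of service provider 106 (Login-TCP-Port)
    service_type: str       # service type identifier value (Login-Service)
    shared_secret: bytes    # shared secret for one-time password creation (Filter-Id)


def _attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type, Length (covers type + length + value, at most 255), Value.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encode_client_side_values(values: ClientSideValues) -> bytes:
    """Management 101 (AAA extended service 122 via IKE service 121) builds the list for client 104."""
    if not 0 < values.provider_port < 65536:
        raise ValueError("port out of range")
    return b"".join([
        _attr(LOGIN_IP_HOST, ipaddress.IPv4Address(values.provider_address).packed),
        _attr(LOGIN_TCP_PORT, struct.pack(">I", values.provider_port)),
        _attr(LOGIN_SERVICE, struct.pack(">I", SERVICE_VALUES[values.service_type])),
        _attr(FILTER_ID, values.shared_secret),
    ])


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list; reject truncated or malformed attributes rather than guessing."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def decode_client_side_values(data: bytes) -> ClientSideValues:
    """Client 104 recovers the values it needs to open the direct connection to service provider 106."""
    attrs = parse_attributes(data)
    missing = {LOGIN_IP_HOST, LOGIN_TCP_PORT, LOGIN_SERVICE, FILTER_ID} - attrs.keys()
    if missing:
        raise ValueError(f"missing attributes: {sorted(missing)}")
    for fixed in (LOGIN_IP_HOST, LOGIN_TCP_PORT, LOGIN_SERVICE):
        if len(attrs[fixed]) != 4:
            raise ValueError(f"attribute {fixed} must be exactly 4 octets")
    service_value = struct.unpack(">I", attrs[LOGIN_SERVICE])[0]
    if service_value not in SERVICE_NAMES:
        raise ValueError(f"unknown Login-Service value {service_value}")
    port = struct.unpack(">I", attrs[LOGIN_TCP_PORT])[0]
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ClientSideValues(
        provider_address=str(ipaddress.IPv4Address(attrs[LOGIN_IP_HOST])),
        provider_port=port,
        service_type=SERVICE_NAMES[service_value],
        shared_secret=attrs[FILTER_ID],
    )


if __name__ == "__main__":
    # Constructed sample: provider endpoint, SSH, and a constructed shared secret.
    sample = ClientSideValues("10.0.5.17", 2222, "ssh", b"12345678901234567890")
    wire = encode_client_side_values(sample)
    print(wire.hex())
    print(decode_client_side_values(wire))
```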
With reference to the aspects, in a possible implementation of the present invention, the client processing unit sends the service identifier and the plurality of client credentials to the management processing unit using the Internet Key Exchange (IKE) protocol. Optionally, the client processing unit establishes the direct network connection using a protocol selected from a group of secure protocols consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and Internet Protocol Security (IPSec).
Other systems, methods, features, and advantages of the present disclosure will be or become apparent to one with skill in the art upon examination of the following drawings and detailed description. It is intended that all such additional systems, methods, features, and advantages be included within this description, be within the scope of the present disclosure, and be protected by the accompanying claims.
Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.
In the drawings:
FIG. 1 is a schematic block diagram of an exemplary system, according to some embodiments of the present invention;
FIG. 2 is a sequence diagram of an optional flow of operations, according to some embodiments of the present invention;
FIG. 3 is a sequence diagram of an optional flow of operations to deduce the plurality of client and server side network connection values, according to some embodiments of the present invention;
FIG. 4 is a sequence diagram of an optional flow of operations using a one-time password, according to some embodiments of the present invention;
FIG. 5 is a sequence diagram of an optional flow of operations to establish an SSH connection, according to some embodiments of the present invention; and
FIG. 6 is a sequence diagram of an optional flow of operations to establish an IPSec connection, according to some embodiments of the present invention.
DETAILED DESCRIPTION
The present invention, in some embodiments thereof, relates to a system for providing a computerized service and, more specifically, but not exclusively, to a system for creating a secure connection between a client and a provider of a computerized service.
In some systems that provide a computerized service, a client communicates with a provider of the computerized service using a digital communication network. The digital communication network may be a Local Area Network (LAN), for example an Ethernet network or a wireless network such as a Wireless Fidelity (WiFi) network. The digital communication network may be a Wide Area Network (WAN), for example the Internet. The digital communication network may comprise a LAN and a WAN. The provider of the computerized service may be one or more hardware processors adapted to execute one or more software objects for providing the computerized service.
For brevity, henceforth the term “server” is used to mean a provider of a computerized service and the term “network” is used to mean a digital communication network.
In some systems, to provide the client with the computerized service the client sends the server a service request. In some such systems, the server must listen continuously to a known network port for the service request from the client. In some systems the server is located within a controlled access network (private network), such that other computers may access the server only via one or more network devices configured to filter network traffic into and out of the private network. Examples of a network device are a router, a switch, and a firewall. A network device may be a dedicated device. A network device may be a device, for example a computer, configured to implement a networking service such as routing, switching or a firewall, as well as other computerized services.
Henceforth, the term “gateway” refers to one or more network devices configured to filter network traffic into and out of a private network.
For the server to receive the service request from the client, in such systems the gateway is configured to allow delivering the service request to the server inside the private network. When a secure network protocol is used to communicate between the client and the server, the gateway may be configured to deliver network traffic between the client and the server only using the secure network protocol. Allowing a service request from any client to be delivered to the server could expose the server to malicious exploitation via the known network port. Configuring the gateway to allow only traffic from a group of known clients requires advance knowledge of which clients may require the computerized service, or manual ad hoc configuration of the gateway as a new client requires the computerized service. In addition, when more than one server is located on one private network there is a need to configure the gateway with access rules per client, per computerized service. Additional configuration of the gateway may be needed when a new secure protocol is introduced, in addition to one or more secure protocols the gateway is already configured to deliver. Some systems create a VPN for network access by the client to the private network; however using a VPN may expose the entire private network to the client, which may not be necessary or desirable as this exposure could expose the topology of the private network and additionally or alternately expose other computers connected to the private network to a malicious exploitation from the client. In addition, when a secure point to point network protocol is used for communication between the client and the server, a VPN solution requires double encryption - one for a secure channel between the client and the server and one for the VPN. This requires more than one encryption key exchange.
The present invention, in some embodiments thereof, proposes using a mediation service for a single encryption key exchange to enable access to a computerized service on a private network using one of a plurality of secure point to point network protocols. According to some embodiments of the present invention, there are no service network ports accessible a priori, and a secure connection interface (endpoint) is exposed by the server according to a client’s identity and security credentials, upon receiving by the mediation service a service request from the client. Optionally, the present invention proposes dynamically provisioning a service instance only when a client requires the service instance. Optionally the present invention proposes dynamically configuring one or more network devices (the gateway) to enable establishment of a secure channel between the client and the server.
Dynamically configuring a secure point to point network protocol may allow eliminating pre-configuration of the gateway, reducing the ability of an unauthorized entity to access the server. Dynamically provisioning the service instance may further reduce the ability of an unauthorized entity to access the server as a service instance’s endpoint in the server exists for a reduced period of time. In addition, refraining from using a VPN may prevent an unauthorized entity from accessing other devices connected to the private network other than the server. In addition, refraining from using a VPN may facilitate reducing costs of operation as VPN expertise, which may be expensive, is not required.
Some embodiments of the present invention use one or more Extensible Authentication Protocol (EAP) methods when exchanging information between the client and the mediation service and between the client and the server. Optionally, the IKE protocol is used to exchange information between the client and the mediation service and between the client and the server, optionally, using one or more EAP based protocols, for example using EAP Internet Key Exchange version 2 (EAP-IKEv2). Optionally, the exchanged information comprises client credentials. Examples of a client credential are a client’s identity, a preferred point to point network protocol identifier, a security certificate, and a permission to use a service. Using IKE protocol with one or more EAP based protocols may facilitate using existing network devices and network software solutions already adapted to support IKE and EAP based protocols, and thus may facilitate lower implementation costs when implementing the present invention compared to implementing a solution requiring specially adapted network devices and network software solutions.
Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.
The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
Reference is now made to FIG. 1, showing a schematic block diagram of an exemplary system 100, according to some embodiments of the present invention. In such embodiments system 100 comprises a management processing unit 101 for the purpose of provisioning a secure channel between a client processing unit 104 and a service provider processing unit 106 in order to provide client processing unit 104 with at least one computerized service by service provider processing unit 106. A processing unit may be any kind of programmable or non-programmable circuitry that is configured to carry out the operations described herein. The processing unit may comprise hardware as well as software. For example, a processing unit may comprise one or more processors and a transitory or non-transitory memory that carries a program which causes the processing unit to perform the respective operations when the program is executed by the one or more processors. Optionally, client processing unit (client) 104 is connected to management processing unit (management) 101 via at least one digital communication network. Client 104 is optionally connected to service provider processing unit (service provider) 106 via at least one other digital communication network. Optionally service provider 106 is connected to a private network and client 104 is connected to service provider 106 via at least one network device 110, optionally configured to control access to the private network. Examples of a network device are a router, a switch, a residential gateway, and a firewall. Optionally, system 100 comprises authentication processing unit 114, for the purpose of executing a hash-based message authentication code (HMAC) One-time Password (HOTP) server used to authenticate client 104 when establishing a secure connection with service provider 106. Optionally, authentication processing unit 114 is management 101. Optionally, authentication processing unit 114 is service provider 106.
To create a secure connection between client 104 and service provider 106, in some embodiments of the present invention system 100 implements the following optional method.
Reference is now made also to FIG. 2, showing a sequence diagram of an optional flow of operations 200, according to some embodiments of the present invention. In such embodiments, in 201 client 104 sends management 101 a service identifier, identifying a computerized service requested by client 104, and a plurality of client credentials. Examples of a computerized service are SSH, HTTPS, IPSec, Transport Layer Security (TLS), and Secure Sockets Layer (SSL). Optionally, the plurality of client credentials comprises an International Telecommunications Union’s Standardization sector X.509 certificate (X.509 certificate), used to prove client 104’s ownership of a public key. Optionally, the X.509 certificate comprises an Enhanced Key Usage field. Optionally, a value of the Enhanced Key Usage field is the service identifier. After receiving in 201 the service identifier and the plurality of client credentials from client 104, in 210 management 101 optionally deduces from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values. Examples of a network connection value are: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a public secret value, and a hint value describing a preferred protocol. A network address value may identify service provider 106 or client 104. A network port number value may identify an endpoint of a computerized service or be used by service provider 106 to authenticate a request from client 104. A service type identifier may identify a computerized service that service provider 106 is allowed to provide to client 104. An algorithm identifier may identify an encryption algorithm to be used in a secure connection between client 104 and service provider 106.
A public secret value may be generated by management 101 on behalf of service provider 106 or client 104 and sent to the respective other party. A hint value may be used by client 104 and/or service provider 106 when more than one computerized service is possible. For example, the client side network connection values may comprise one or more of: a network address value of service provider 106, and a network port value of service provider 106 identifying an endpoint for the computerized service provided by service provider 106 to client 104. The server side network connection values may comprise a network address value of client 104. Optionally, the plurality of server side network connection values comprises some or all of the plurality of client credentials. For example, when the plurality of client credentials comprises an X.509 certificate, the plurality of server side network connection values optionally comprises the X.509 certificate. Optionally, the plurality of server side network connection values comprises another X.509 certificate, used to prove client 104’s ownership of another public key, for example a public key generated by management 101.
Reference is now made also to FIG. 3, a sequence diagram of an optional flow of operations 300 to deduce the plurality of client and server side network connection values, according to some embodiments of the present invention. In such embodiments, client 104 sends the service identifier and the plurality of client credentials to management 101 using the IKE protocol. Optionally, management 101 executes at least one IKE software object (IKE service) 121, for communicating with client 104. In 301, client 104 optionally establishes a secure connection with IKE service 121 using IKE phase 1 protocol. Optionally, management 101 executes at least one Authentication Authorization and Accounting software object (AAA extended service) 122, to generate the plurality of client side network connection values and plurality of server side network connection values. An optional flow of operations to deduce the plurality of client side network connection values and plurality of server side network connection values in 210 comprises in 311 IKE service 121 opening a secure channel with AAA extended service 122, and in 312 IKE service 121 negotiating with AAA extended service 122 one or more security keys using a shared secret value from the plurality of client credentials received from client 104 in 201. Optionally, IKE service 121 sends the plurality of client credentials and the service identifier received from client 104 in 201 to AAA extended service 122. Optionally, AAA extended service 122 generates in 313 the plurality of client side network connection values and plurality of server side network connection values, optionally using the plurality of client credentials and the service identifier received from the client in 201. Optionally, management 101 executes one or more connection controller software objects (connection controller) 123, for the purpose of provisioning a secure connection between client 104 and service provider 106. 
In embodiments where management 101 executes connection controller 123, AAA extended service 122 optionally sends connection controller 123 in 314 the generated plurality of client side network connection values and plurality of server side network connection values.
Optionally, client 104 uses a plurality of Remote Authentication Dial-In User Service (RADIUS) data attributes when communicating with IKE service 121 and optionally when communicating with AAA extended service 122, and AAA extended service 122 uses the plurality of RADIUS data attributes when communicating with IKE service 121. In a possible embodiment of the present invention, a value of a RADIUS Login-IP-Host attribute sent from IKE service 121 to client 104 is a network address value of service provider 106, a value of a RADIUS Login-TCP-Port attribute sent from IKE service 121 to client 104 is a network port number value of service provider 106, a value of a RADIUS Login-Service attribute sent from IKE service 121 to client 104 is a service type identifier value, and a value of a RADIUS Filter-Id attribute sent from the AAA extended service 122 to IKE service 121 or client 104 is a shared secret value for creation of a one-time password.
Reference is now made again to FIG. 2. In 240 management 101 optionally sends client 104 the plurality of client side network connection values and in 241 management 101 optionally sends service provider 106 the plurality of server side network connection values. In 270, management 101 optionally configures network device 110 to direct a digital message of a plurality of digital messages from client 104 to service provider 106, for example by configuring a port forwarding rule. Optionally, management 101 instructs service provider 106 to execute one or more service software objects for the purpose of providing the computerized service to client 104. Optionally, the one or more service software objects comprise a compute instance executed by service provider 106 for the purpose of providing the computerized service to client 104. Examples of a compute instance are a virtual machine and an operating-system-level virtualization software object, also known as a container or a virtualization container, running one or more software programs or applications in isolation from other software programs. Some examples of a service software object are an SSH service, an IPSec service and an HTTPS service.
In 280, client 104 optionally establishes a direct secure network connection with service provider 106 using the plurality of client side network connection values received from management 101 in 240, for the purpose of receiving the computerized service from service provider 106. Service provider 106 optionally uses the plurality of server side network connection values when establishing the direct secure network connection with client 104. Optionally, client 104 establishes the direct secure network connection with service provider 106 using a secure point-to-point network protocol, for example SSH, HTTPS or IPSec.
Some computerized services use a one-time password. Reference is now made also to FIG. 4, showing a sequence diagram of an optional flow of operations 400 using a one-time password, according to some embodiments of the present invention. In such embodiments, authorization processing unit 114 executes one or more HOTP server software objects implementing a HOTP server. Optionally, 210 further comprises generating in 401 a one-time password token, optionally using a shared secret value from the plurality of client credentials received from client 104 in 201, sent by AAA extended service 122 to authorization processing unit 114. Optionally, the plurality of server side network connection values sent in 241 to service provider 106 comprises a network address value of authorization processing unit 114.
Some secure protocols that may use a one-time password include SSH and IPSec.
Reference is now made also to FIG. 5, showing a sequence diagram of an optional flow of operations 500 to establish an SSH connection, according to some embodiments of the present invention. After receiving the plurality of client network connection values in 240, in 410 client 104 optionally initiates an SSH connection with service provider 106. In such embodiments client 104 may execute one or more SSH client software objects, and service provider 106 may execute one or more SSH server software objects. In 420 client 104 optionally generates a one-time password token and optionally sends the one-time password token to service provider 106 in 421. In 422, service provider 106 optionally sends the one-time password token to authentication processing unit 114 to authenticate that client 104 connecting to the SSH service provided by service provider 106 is the same client that connected in 301 and 210.
Reference is now made also to FIG. 6, showing a sequence diagram of an optional flow of operations 600 to establish an IPSec connection, according to some embodiments of the present invention. In such embodiments, client 104 optionally executes one or more IPSec client software objects, and service provider 106 optionally executes one or more IPSec server software objects.
After receiving the plurality of client network connection values in 240, in 601 client 104 optionally initiates an IPSec connection with service provider 106, for example using the IKE phase 2 protocol. Optionally, client 104 sends service provider 106 the generated one-time password token. In this flow as well, in 422 service provider 106 optionally sends the one-time password token to authentication processing unit 114 to authenticate that client 104 connecting to the IPSec service provided by service provider 106 is the same client that connected in 301 and 210. After authenticating client 104 with authentication processing unit 114, service provider 106 optionally establishes in 605 an IPSec connection with client 104, for example a VPN connection.
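An added example, not code from the patent or from Huawei, covering the deduction step 210 with the RADIUS attributes described with FIG. 3 together with the one-time-password flow of FIGs. 4 to 6: management deduces the two value sets, the client derives an RFC 4226 HOTP token from the Filter-Id shared secret, and the provider forwards it to the authorization processing unit, which advances its counter so a replayed token is refused. Assumptions: the HOTP secret is generated by management rather than taken from the client credentials, the service catalogue, addresses and certificate name are constructed, and the authorization unit is an in-process object standing in for its network address.

```python
"""Added example (not the patent's or Huawei's code): offline simulation of
steps 210/240/241 (FIGs. 2-3) and the one-time-password flow of FIGs. 4-6.
All addresses, names and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct

# Constructed catalogue: service identifier (the EKU value of the client's
# X.509 certificate) -> provider endpoint, in documentation range 192.0.2.0/24.
SERVICE_CATALOGUE = {
    "ssh": {"Login-IP-Host": "192.0.2.10", "Login-TCP-Port": 22, "Login-Service": "SSH"},
    "ipsec": {"Login-IP-Host": "192.0.2.20", "Login-TCP-Port": 500, "Login-Service": "IPSec"},
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AuthorizationUnit:
    """Authorization processing unit 114 running a HOTP server (FIG. 4)."""

    def __init__(self, look_ahead: int = 5):
        self.registry = {}  # client identity -> [shared secret, next counter]
        self.look_ahead = look_ahead

    def register(self, client_id: str, secret: bytes) -> None:
        self.registry[client_id] = [secret, 0]  # step 401

    def verify(self, client_id: str, token: str) -> bool:
        """Accept only within the look-ahead window, then advance the counter
        past the match so the same token can never be replayed."""
        entry = self.registry.get(client_id)
        if entry is None:
            return False
        secret, counter = entry
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), token):
                entry[1] = c + 1
                return True
        return False

class Management:
    """Management 101 (IKE service 121 plus AAA extended service 122)."""

    def __init__(self, authz: AuthorizationUnit):
        self.authz = authz

    def deduce(self, service_id: str, credentials: dict):
        """Step 210. Assumption: the OTP shared secret is minted here, not taken
        from the client's credentials, and returned to the client as Filter-Id."""
        endpoint = SERVICE_CATALOGUE.get(service_id)
        if endpoint is None:  # unknown service identifier: provision nothing
            raise ValueError(f"service {service_id!r} not offered")
        shared_secret = secrets.token_bytes(20)
        client_side = {**endpoint, "Filter-Id": shared_secret}  # claim 11 attributes
        server_side = {"client_address": credentials["address"],
                       "client_cert": credentials["cert"],  # claim 5
                       "auth_unit": self.authz}  # stands in for the address of 114
        self.authz.register(credentials["cert"], shared_secret)  # step 401
        return client_side, server_side

def run_flow(service_id: str = "ssh") -> dict:
    """Steps 210 -> 240/241 -> 420/421/422 for one client and one provider."""
    client_side, server_side = Management(AuthorizationUnit()).deduce(
        service_id, {"cert": "CN=client-104 (constructed)", "address": "198.51.100.7"})
    cert = server_side["client_cert"]

    def provider_accept(presented_cert: str, token: str) -> bool:
        # Step 422: provider 106 forwards the token to the authorization unit
        if presented_cert != server_side["client_cert"]:
            return False
        return server_side["auth_unit"].verify(presented_cert, token)

    tokens = [hotp(client_side["Filter-Id"], c) for c in range(2)]  # step 420
    return {"endpoint": (client_side["Login-IP-Host"], client_side["Login-TCP-Port"]),
            "first": provider_accept(cert, tokens[0]),
            "replay": provider_accept(cert, tokens[0]),  # reused token is refused
            "second": provider_accept(cert, tokens[1]),
            "wrong_client": provider_accept("CN=impostor", tokens[1])}
```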
The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein. It is expected that during the life of a patent maturing from this application many relevant computerized services will be developed and the scope of the term computerized service is intended to include all such new technologies a priori.
As used herein the term "about" refers to ± 10 %.
The terms "comprises", "comprising", "includes", "including", "having" and their conjugates mean "including but not limited to". This term encompasses the terms "consisting of" and "consisting essentially of".
The phrase "consisting essentially of" means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
As used herein, the singular form "a", "an" and "the" include plural references unless the context clearly dictates otherwise. For example, the term "a compound" or "at least one compound" may include a plurality of compounds, including mixtures thereof.
The word "exemplary" is used herein to mean "serving as an example, instance or illustration". Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.
The word "optionally" is used herein to mean "is provided in some embodiments and not provided in other embodiments". Any particular embodiment of the invention may include a plurality of "optional" features unless such features conflict.
Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases "ranging/ranges between" a first indicated number and a second indicated number and "ranging/ranges from" a first indicated number "to" a second indicated number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.
It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.
All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.

Claims

WHAT IS CLAIMED IS:
1. A system for creating a secure connection between a client and a provider of a computerized service, comprising:
a management processing unit adapted to:
receive from a client processing unit a service identifier and a plurality of client credentials;
deduce from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values;
send to the client processing unit the plurality of client side network connection values to be used by the client processing unit when establishing a direct network connection; and
send to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
2. The system of claim 1, wherein the management processing unit is further adapted to: instruct the service provider processing unit to execute a service software object or a plurality of service software objects for the purpose of providing the computerized service to the client processing unit.
3. The system of claim 1 or claim 2, wherein the plurality of client side network connection values are selected from a group of network connection values comprising: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a private secret value, a public secret value, and a hint value describing a preferred protocol; and
wherein the plurality of server side network connection values are selected from the group of network connection values.
4. The system of any one of the previous claims, wherein the plurality of client side network connection values comprises a network address value of the service provider processing unit and a network port number value of the service provider processing unit; and wherein the plurality of server side network connection values comprises a network address value of the client.
5. The system of any one of the previous claims, wherein the plurality of server side network connection values comprises some or all of the plurality of client credentials.
6. The system of any one of the previous claims, wherein the management processing unit is further adapted to configure at least one network device to direct a digital message or a plurality of digital messages from the client processing unit to the service provider processing unit.
7. The system of any of the previous claims further comprising an authentication processing unit adapted to execute a hash-based message authentication code (HMAC) One time Password (HOTP) server;
wherein the client processing unit uses some or all of the client side values to generate a one-time password token for use in the direct network connection; and
wherein the service provider processing unit communicates with the HOTP server to authenticate the one time password token.
8. The system of claim 7, wherein the authentication processing unit is the management processing unit or the service provider processing unit.
9. The system of claim 3, wherein the service type identifier value identifies a service selected from a group consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), Internet Protocol Security (IPSec), Transport Layer Security (TLS), and Secure Sockets Layer (SSL).
10. The system of any of the previous claims, wherein the client credentials comprise an International Telecommunications Union's Standardization sector X.509 certificate (X.509 certificate) comprising an Enhanced Key Usage field; and
wherein a value of the Enhanced Key Usage field is the service identifier.
11. The system of any of the previous claims, wherein the management processing unit executes at least one Authentication, Authorization and Accounting (AAA) software object, and at least one Internet Key Exchange (IKE) software object;
wherein the client processing unit communicates with the at least one IKE software object and the at least one AAA software object using a plurality of Remote Authentication Dial-In User Service (RADIUS) data attributes comprising a Filter-Id attribute, a Login-IP-Host attribute, a Login-TCP-Port attribute and a Login-Service attribute;
wherein the at least one AAA software object communicates with the at least one IKE software object using the plurality of RADIUS data attributes;
wherein a value of the Login-IP-Host attribute sent from the at least one IKE software object to the client processing unit is a network address value of the service provider processing unit;
wherein a value of the Login-TCP-Port attribute sent from the at least one IKE software object to the client processing unit is a network port number value of the service provider processing unit;
wherein a value of the Login-Service attribute sent from the at least one IKE software object to the client processing unit is a service type identifier value; and
wherein a value of the Filter-Id attribute sent from the at least one AAA software object to the at least one IKE software object or the client processing unit is a shared secret value for creation of a one-time password.
12. The system of claim 2, wherein the service software object or plurality of service software objects comprise a compute instance executed by the service provider processing unit for the purpose of providing the computerized service to the client processing unit.
13. A system for creating a secure connection between a client and a provider of a computerized service, comprising: a client processing unit adapted to:
send a service identifier and a plurality of client credentials to a management processing unit;
receive from the management processing unit a plurality of client side network connection values; and
establish a direct network connection with a service provider processing unit using the plurality of client side network connection values for the purpose of receiving the computerized service from the service provider processing unit.
14. The system of claim 13, wherein the client processing unit sends the service identifier and the plurality of client credentials to the management processing unit using the Internet Key Exchange (IKE) protocol.
15. The system of any one of claims 13 and 14, wherein the client processing unit establishes the direct network connection using a protocol selected from a group of secure protocols consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and Internet Protocol Security (IPSec).
16. A method for creating a secure connection between a client and a provider of a computerized service, comprising:
receiving from a client processing unit a service identifier and a plurality of client credentials;
deducing from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values;
sending to the client processing unit the plurality of client side network connection values to be used by the client when establishing a direct network connection; and
sending to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
17. A computer program product comprising program code which when executed by a computer causes the computer to carry out the method of claim 16.
PCT/EP2018/068518 2018-07-09 2018-07-09 System and method for creating a secure connection WO2020011332A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201880095428.5A CN112385192B (en) 2018-07-09 2018-07-09 System and method for creating secure connections
PCT/EP2018/068518 WO2020011332A1 (en) 2018-07-09 2018-07-09 System and method for creating a secure connection

Publications (1)

Publication Number Publication Date
WO2020011332A1 true WO2020011332A1 (en) 2020-01-16