IPC classification information
Country / type: United States (US) Patent, granted
International Patent Classification (IPC 7th ed.):
Application number: US-0062068 (2002-01-31)
Registration number: US-7299349 (2007-11-20)
Inventors / address:
- Cohen, Josh R.
- Kramer, Michael
- Hammond, Bradley M.
- Roberts, Paul
- Simon, Daniel R.
- Butler, Lee M.
- Zhu, Yuhang
Applicant / address:
Agent / address:
Citation information: cited by 10 patents; cites 7 patents
Abstract

Providing secure end-to-end notifications from a notification source to a notification sink despite the notification mechanism including one or more message transit points between the notification source and the notification sink. Initially, security information (e.g., the master secret, the cryptographic algorithm, and the like) is negotiated out-of-band from the one or more message transit points so that the message transit points are not apprised of the security information. When a designated event occurs, the notification source generates a push message that includes the notification encrypted using the pre-negotiated security information. When the notification sink receives the push message, the notification sink decrypts the notification using the pre-negotiated security information, as well as supplemental information provided in the push message. Thus, the message transit points only have access to the encrypted form of the notification.
Claims

What is claimed and desired to be secured by United States Letters Patent is:

1. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following: an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating; after the security information has been negotiated, an act of using the security information to generate an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object, wherein the PAP message has at least one PAP header, and wherein the at least one PAP header includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and an act of initiating transmission of the HTTP message to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

2. A method in accordance with claim 1, wherein the act of using the security information to generate an HTTP message that includes an encrypted form of the notification comprises the following: an act of using the security information to generate an HTTP message that includes an encrypted form of an automatically-generated notification.

3. A method in accordance with claim 1, wherein the act of using the security information to generate an HTTP message that includes an encrypted form of the notification comprises the following: an act of using the security information to generate an HTTP message that includes an encrypted form of a subscription-based notification.

4. A method in accordance with claim 1, wherein the at least one message transit point comprises a server maintained by a wireless carrier, wherein the act of initiating transmission of the HTTP message to the notification sink comprises the following: an act of initiating transmission of the HTTP message to a wireless device via the server maintained by the wireless carrier.

5. A method in accordance with claim 1, wherein the at least one message transit point comprises a server, wherein the act of initiating transmission of the HTTP message to the notification sink comprises the following: an act of transmitting the HTTP message to the server using a first protocol, wherein the server transmits the HTTP message to a wireless device using a second protocol.

6. A method in accordance with claim 5, wherein the act of transmitting the HTTP message to the server using a first protocol comprises the following: an act of transmitting the HTTP message to a Push Proxy Gateway (PPG).

7. A method in accordance with claim 6, wherein the HTTP message is included as a multipart segment.

8. A method in accordance with claim 7, wherein the server is configured to extract the HTTP message from the PAP message and transmit the HTTP message to the wireless device.

9. A method in accordance with claim 8, wherein the server is configured to extract the HTTP message from the PAP message and encode the HTTP message in a Push Over-the-Air protocol message.

10. A method in accordance with claim 1, wherein the clear-text supplemental information that may be used to decrypt the notification using the security information comprises a session identifier field.

11. A method in accordance with claim 1, wherein the encrypted form of the notification comprises a payload data field.

12. A method in accordance with claim 1, wherein the at least one message transit point comprises a corporate server.

13. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises the following: an act of establishing a secure session between the notification source and the notification sink.

14. A method in accordance with claim 13, wherein the act of establishing a secure session between the notification source and the notification sink comprises the following: an act of establishing a Secure Socket Layer (SSL) session between the notification source and the notification sink.

15. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises: an act of negotiating a master secret shared by the notification source and the notification sink.

16. A method in accordance with claim 1, wherein the act of negotiating security information between the notification source and the notification sink comprises: an act of negotiating a cryptographic algorithm to be used when encrypting and decrypting notifications.

17. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following: a step for drafting a message so as to ensure secure end-to-end notification between the notification source and the notification sink, including an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating, and wherein the drafted message is an HTTP message that includes an encrypted form of the notification, the HTTP message being included in a PAP message containing an ESP object and at least one PAP header, wherein the at least one PAP header includes a schema document specifying an address corresponding to the notification sink for facilitating point-to-point transmission of the drafted HTTP message, and the HTTP message further including clear-text supplemental information; and an act of initiating transmission of the HTTP message to the notification sink using the address of the notification sink and via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

18. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely passing a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising: one or more computer-readable storage media having stored thereon computer executable instructions that, when executed by a processor, cause a computing system to perform the method for securely passing the notification, the method including: negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating; using the security information to generate an HTTP message after the security information has been negotiated, the HTTP message including an encrypted form of the notification, and the HTTP message being included within a PAP message containing an ESP object and at least one PAP header, the at least one PAP header including a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated HTTP message, the generated HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using the security information; and causing the HTTP message to be transmitted to the notification sink via the at least one message transit point using the notification mechanism, wherein the notification sink is configured to decrypt the notification using the clear-text supplemental information included in the HTTP message and the security information previously negotiated between the notification source and the notification sink.

19. A computer program product in accordance with claim 18, wherein causing the HTTP message to be transmitted to the notification sink comprises the following: causing the HTTP message to be transmitted to the server using a first protocol, wherein the server transmits the HTTP message to a wireless device using a second protocol.

20. A computer program product in accordance with claim 19, wherein causing the HTTP message to be transmitted to the server using a first protocol comprises the following: causing the HTTP message to be transmitted to a Push Proxy Gateway (PPG).

21. A computer program product in accordance with claim 18, wherein negotiating security information between the notification source and the notification sink comprises the following: establishing a secure session between the notification source and the notification sink.

22. In a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, a method for securely receiving a notification from the notification source using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the method comprising the following: an act of negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating; after the security information has been negotiated, an act of receiving an HTTP message from the notification source that was received via the at least one message transit point using the notification mechanism, wherein the HTTP message includes an encrypted form of the notification, the HTTP message being included in a PAP message with an ESP object and one or more PAP headers, wherein the one or more PAP headers includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the HTTP message, the HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using security information; and an act of using the security information previously negotiated between the notification source and notification sink along with the clear-text supplemental information included in the HTTP message to decrypt the encrypted form of the notification also included in the HTTP message.

23. A method in accordance with claim 22, wherein the act of receiving the HTTP message in the PAP message with the ESP object comprises the following: an act of receiving the ESP object as a MIME attachment encoded with a Push Over-the-Air protocol message.

24. A computer program product for use in a network that includes at least one notification source and at least one notification sink, the network supporting a notification mechanism by which the notification source passes notifications to the notification sink via at least one message transit point, the computer program product for implementing a method for securely receiving a notification from the notification source to the notification sink using the notification mechanism while providing end-to-end security despite the existence of the at least one message transit point, the computer program product comprising: one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by a processor, cause a computing system to perform the method for securely receiving the notification, the method including: negotiating security information between the notification source and the notification sink out of band from the notification mechanism over which the notification source is configured to send notifications to the notification sink, which notifications are secured using the negotiated security information, the out-of-band negotiating occurring through a network connection that excludes the at least one message transit point, and such that the at least one message transit point through which the notification mechanism subsequently sends notifications from the notification source to the notification sink is bypassed during the out of band negotiating; detecting the receipt of an HTTP message from the notification source after negotiating the security information between the notification source and the notification sink, the HTTP message including an encrypted form of the notification, and the HTTP message including a PAP message containing an ESP object and at least one PAP header, wherein the at least one PAP header includes a schema document specifying an address of the notification sink for facilitating point-to-point transmission of the generated HTTP message, the HTTP message further including clear-text supplemental information that may be used by the notification sink to decrypt the notification using security information, wherein the HTTP message is received via the at least one message transit point using the notification mechanism; and using the security information previously negotiated between the notification source and notification sink along with the clear-text supplemental information included in the HTTP message to decrypt the encrypted form of the notification also included in the HTTP message.

25. A method as recited in claim 1, wherein the schema document is an XML document specifying the address of the notification sink.

26. A method as recited in claim 1, wherein negotiating security information comprises negotiating a session identifier unique within the notification sink, and wherein the generated HTTP message further includes a security association, the security association including the session identifier, an IP address of the notification sink, and a security protocol according to which the message is encrypted.
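The abstract and claims 1, 10, 15, 16 and 26 describe a three-party exchange: source and sink negotiate a master secret, an algorithm and a session identifier out of band, the source then pushes an encrypted payload with a clear-text session identifier through a transit point (a PPG or carrier server), and the sink uses the identifier to look up the association and decrypt. The following is an added example that models that exchange in working code; it is not code from the patent or from its assignee. It assumes a standard-library-only cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM), simulates the SSL session of claim 14 as a direct call that never touches the gateway object, and uses a constructed device address and notification text. The gateway is also given a tampering switch so the integrity check on the sink can be seen to fire.

```python
# Added example, not the patent's or Microsoft's code. Models the out-of-band
# negotiation, the opaque push through a transit point, and sink-side decryption.
# Cipher is an illustrative HMAC-SHA256 keystream + HMAC tag (stdlib only);
# a real deployment would use an AEAD such as AES-GCM.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to the ciphertext


def derive_key(master_secret: bytes, session_id: str, purpose: bytes) -> bytes:
    """Per-session subkey, with separate keys for encryption and integrity."""
    return hmac.new(master_secret, session_id.encode() + b"|" + purpose,
                    hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style PRF keystream: HMAC(key, nonce || counter), truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


@dataclass
class SecurityAssociation:
    session_id: str       # travels in clear text (claims 10, 26)
    master_secret: bytes  # negotiated out of band (claim 15), never sent in band
    algorithm: str        # negotiated out of band (claim 16)


class NotificationSink:
    """The wireless device: one association per negotiated session."""

    def __init__(self, address: str):
        self.address = address
        self.associations: dict[str, SecurityAssociation] = {}

    def negotiate_out_of_band(self, master_secret: bytes, algorithm: str) -> SecurityAssociation:
        session_id = secrets.token_hex(4)
        while session_id in self.associations:  # unique within the sink (claim 26)
            session_id = secrets.token_hex(4)
        sa = SecurityAssociation(session_id, master_secret, algorithm)
        self.associations[session_id] = sa
        return sa

    def receive(self, push: dict) -> str:
        headers = push["headers"]
        sa = self.associations[headers["X-Session-Id"]]  # clear-text id selects the keys
        nonce = bytes.fromhex(headers["X-Nonce"])
        ciphertext, tag = push["body"][:-TAG_LEN], push["body"][-TAG_LEN:]
        mac_key = derive_key(sa.master_secret, sa.session_id, b"mac")
        expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("notification modified in transit")
        enc_key = derive_key(sa.master_secret, sa.session_id, b"enc")
        return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext))).decode()


class NotificationSource:
    def __init__(self):
        self.sessions: dict[str, SecurityAssociation] = {}

    def negotiate_out_of_band(self, sink: NotificationSink) -> SecurityAssociation:
        # Simulated SSL/TLS session straight to the sink; the gateway is bypassed.
        sa = sink.negotiate_out_of_band(secrets.token_bytes(32), "HMAC-SHA256-CTR/HMAC")
        self.sessions[sink.address] = sa
        return sa

    def build_push(self, sink_address: str, notification: str) -> dict:
        sa = self.sessions[sink_address]
        nonce = secrets.token_bytes(12)
        plaintext = notification.encode()
        enc_key = derive_key(sa.master_secret, sa.session_id, b"enc")
        mac_key = derive_key(sa.master_secret, sa.session_id, b"mac")
        ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
        tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        # Supplemental information is clear text in headers; the payload is opaque.
        return {"to": sink_address,
                "headers": {"X-Session-Id": sa.session_id, "X-Nonce": nonce.hex()},
                "body": ciphertext + tag}


class PushProxyGateway:
    """The message transit point: routes and logs, but cannot read or alter unnoticed."""

    def __init__(self):
        self.seen: list[bytes] = []

    def forward(self, push: dict, sinks: dict, tamper: bool = False) -> str:
        self.seen.append(push["body"])
        if tamper:  # flip one ciphertext bit to show the sink's integrity check
            body = bytearray(push["body"])
            body[0] ^= 0x01
            push = dict(push, body=bytes(body))
        return sinks[push["to"]].receive(push)


def run_demo(notification: str = "new mail from alice@example.test"):
    """Returns (decrypted text at sink, whether gateway saw plaintext, tamper detected)."""
    sink = NotificationSink("device-01")  # constructed address
    source, ppg = NotificationSource(), PushProxyGateway()
    source.negotiate_out_of_band(sink)
    sinks = {sink.address: sink}
    delivered = ppg.forward(source.build_push(sink.address, notification), sinks)
    try:
        ppg.forward(source.build_push(sink.address, notification), sinks, tamper=True)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    leaked = any(notification.encode() in body for body in ppg.seen)
    return delivered, leaked, tamper_detected
```

The gateway's log (`ppg.seen`) holds only ciphertext plus tag, which is the property the abstract states: the transit point "only has access to the encrypted form of the notification". The integrity tag is not something the claims require, but without it a transit point could flip bits in a stream-cipher payload undetected, so a practitioner would add it (or use an AEAD) alongside the confidentiality the patent describes.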