US20050050317A1 - A system and method of exploiting the security of a secure communication channel to secure a non-secure communication channel - Google Patents
- Publication number: US20050050317A1 (application US 10/709,806)
- Authority: US (United States)
- Prior art keywords: client, application, ticket, server, application program
- Prior art date
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
        - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/606—Protecting data by securing the transmission between two devices or processes
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2115—Third party
    - G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
      - G06Q20/00—Payment architectures, schemes or protocols
        - G06Q20/08—Payment architectures
          - G06Q20/085—Payment architectures involving remote charge determination or related payment systems
            - G06Q20/0855—Payment architectures involving remote charge determination or related payment systems involving a third party
        - G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
          - G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
            - G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
              - G06Q20/3674—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
        - G06Q20/38—Payment protocols; Details thereof
          - G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
            - G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
          - G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
            - G06Q20/401—Transaction verification
Definitions
- The invention relates generally to client-server computer networks. More specifically, the invention relates to a system and method for securely accessing software applications using a remote display protocol.
- Software applications that are requested to be remotely displayed on a client computer, or client, are commonly accessed with a graphical or windowing terminal session.
- The application executes on a server, and typically the input information (e.g., mouse and keyboard information) and display information are transmitted from the server computer to the client computer.
- Graphical or windowing terminal sessions often make use of unauthenticated connections between the client and the server.
- Alternatively, the graphical or windowing terminal session may authenticate the connection between the client and the server with the user supplying his password to the server.
- Transmitting information such as password information over such a connection allows the information to be viewed by a server that is not trusted by the client.
- The non-secure connection also permits an eavesdropper to intercept a user's password for future use.
- The client and server are typically authenticated using conventional cryptographic techniques.
- One type of cryptographic technique used by networks is a ticket-based authentication scheme. Most current ticket-based authentication schemes transmit a ticket.
- The ticket, which can typically be used only one time, may contain an encryption key to be used in future communications and/or may contain a secret password to support the future communications.
- Once the client and the server both have the encryption key, they can communicate securely.
- The current ticket-based authentication schemes are limited in several areas.
- The ticket is typically transmitted to the client over a non-secure communication channel, thereby allowing an eavesdropper to intercept the ticket and retrieve the encryption key.
- The eavesdropper can then pose as the server to the client or as the client to the server.
- Further, the current schemes do not take advantage of secure web pages.
- Consequently, current ticket-based authentication schemes make transactions over the internet, such as purchases, unsafe because proprietary information, such as a purchaser's credit card information, can be transmitted to a non-secure web page.
- Software applications executing on a server are commonly transmitted over a non-secure communication channel for display, via a remote display protocol, on a client machine.
- Networks may include specialized application servers (e.g., MetaFrame for Windows, manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla.) that execute specific applications, which are typically transmitted to a remote display service over a non-secure communication channel.
- Although the ticket can typically be used only one time (i.e., it is a “one-time use” ticket) and has no further value after its first use, the one-time use ticket does not protect the user's password (which is used for login into an operating system or an application) from an eavesdropper on the ticket's first transmission. Therefore, the user's password is still not completely protected from interception, and the server is consequently not authenticated to the client.
- The present invention features a system and method for establishing a secure communication channel between a client and an application server.
- A ticket service generates a ticket having an identifier and a session key.
- A communications device obtains the ticket from the ticket service and transmits the ticket to a client over a secure communication channel.
- The client transmits the identifier of the ticket to an application server over an application communication channel.
- The application server then obtains a copy of the session key of the ticket from the ticket service. Communications exchanged between the client and the application server over the application communication channel are then encrypted using the session key, establishing the application communication channel as a secure communication channel.
- A web browser executing on a client establishes communications with a web server over a secure web communication channel.
- The client receives a ticket having an identifier and a session key from the web server over the secure web communication channel.
- The client then transmits the identifier of the ticket to the application server over the application communication channel to provide the application server with information for obtaining a copy of the session key.
- In one aspect, the invention relates to a method for establishing a secure communication channel between a client and an application server.
- The client receives a ticket having an identifier and a session key from a web server over a secure web communication channel.
- The client transmits the identifier of the ticket to the application server over an application communication channel to provide the application server with information for obtaining a copy of the session key.
- The client establishes a secure communication channel over the application communication channel by using the session key to encrypt and decrypt communications to and from the application server.
- The identifier is a nonce.
- The client and the web server use Secure Socket Layer (SSL) technology to establish the secure web communication channel.
- In another aspect, the invention relates to a communications system that establishes a secure communication channel.
- The communications system includes a client, an application server, a communications device, and a ticket service.
- The ticket service generates a ticket having an identifier and a session key.
- The communications device is in communication with the ticket service to obtain the ticket.
- The client is in communication with the communications device over a secure communication channel to receive the ticket from the communications device.
- The application server is in communication with the client over an application communication channel to receive the identifier of the ticket from the client, and in communication with the ticket service to obtain a copy of the session key from the ticket service.
- The application server and the client exchange communications over the application communication channel as a secure communication channel.
- The ticket service resides on the communications device.
- The communications device is a web server.
- FIG. 1 shows a block diagram of an embodiment of a communication system 100 including a client 10 in communication with an application server 15 over an application communication channel 25 and in communication with a communications device 20 over a communication channel 30.
- The communication channel 30 and the application communication channel 25 pass through a network 27.
- Alternatively, the communication channel 30 and the application communication channel 25 pass through other, different networks.
- For example, the communication channel 30 can pass through a first network (e.g., the World Wide Web) and the application communication channel 25 can pass through a second network (e.g., a direct dial-up modem connection).
- The communication channel 30 is a secure communication channel in that communications over it are encrypted.
- The application server 15 is additionally in communication with the communications device 20 over a server communication channel 35.
- The application server 15 and the communications device 20 are part of a server network 33.
- The communication system 100 establishes a secure communication link over the non-secure application communication channel 25 to remotely display desktop applications securely on the client 10.
- The network 27 and the server network 33 can each be a local-area network (LAN), a wide area network (WAN), or a network of networks such as the Internet or the World Wide Web (i.e., the web).
- The communication channel 30 can be any secure communication channel.
- The communication channel 30 (hereafter web communication channel 30) supports communications over the web.
- The server network 33 is a protected network that is inaccessible to the public.
- The server communication channel 35 traverses the server network 33 and therefore can be a non-secure communication channel.
- Example embodiments of the communication channels 25, 30, 35 include standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections.
- The connections over the communication channels 25, 30, 35 can be established using a variety of communication protocols (e.g., HTTP, TCP/IP, IPX, SPX, NetBIOS, Ethernet, RS232, and direct asynchronous connections).
- The client 10 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, minicomputer, mainframe computer, personal digital assistant, or other communications device that is capable of communicating over the secure web communication channel 30.
- The client 10 operates according to a server-based computing model. In a server-based computing model, the execution of application programs occurs entirely on the application server 15, and the user interface, keystrokes, and mouse movements are transmitted over the application communication channel 25 to the client 10.
- The user interface can be text driven (e.g., DOS) or graphically driven (e.g., Windows). Platforms that can be supported by the client 10 include DOS and Windows CE for Windows-based terminals.
- The client 10 includes a web browser 40, such as Internet Explorer™ developed by Microsoft Corporation in Redmond, Wash., to connect to the web.
- The web browser 40 uses the existing Secure Socket Layer (SSL) support, developed by Netscape in Mountain View, Calif., to establish the secure web communication channel 30 to communications devices such as the communications device 20.
- The web browser 40 also has a user interface that may be text driven or graphically driven.
- The output of an application executing on the application server 15 can be displayed at the client 10 via the user interface of the client 10 or the user interface of the web browser 40.
- The client 10 includes an application client 41 for establishing and exchanging communications with the application server 15 over the application communication channel 25.
- The application client 41 is the Independent Computing Architecture (ICA) client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla., and is hereafter referred to as ICA client 41.
- Other embodiments of the application client 41 include the Remote Display Protocol (RDP), developed by Microsoft Corporation of Redmond, Wash., X-Windows, developed by Massachusetts Institute of Technology of Cambridge, Mass., a data entry client in a traditional client/server application, and a Java applet.
- The application server 15 hosts one or more application programs that can be accessed by the client 10.
- Applications made available to the client 10 for use are referred to as published applications. Examples of such applications include word processing programs such as MICROSOFT WORD® and spreadsheet programs such as MICROSOFT EXCEL®, both manufactured by Microsoft Corporation of Redmond, Wash., financial reporting programs, customer registration programs, programs providing technical support information, customer database applications, or application set managers.
- The application server 15 is a member of a server farm (not shown).
- A server farm is a logical group of one or more servers that are administered as a single entity.
- The communications device 20 (hereafter web server 20) is a computer that delivers web pages to the client 10.
- The communications device 20 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, minicomputer, mainframe computer, personal digital assistant, or other communications device that is capable of establishing the secure web communication channel 30 with the client 10.
- The web server 20 also includes a ticket service 60.
- The ticket service 60 controls communication security.
- The ticket service 60 generates a ticket containing an encryption key.
- The ticket is transmitted to the client 10 (i.e., the web browser 40) over the secure web communication channel 30.
- The transmission of the ticket to the client 10 over the secure web communication channel 30 facilitates the establishment of secure communications over the application communication channel 25 between the client 10 and the application server 15 in accordance with the principles of the invention.
- Alternatively, the ticket service 60′ resides on another server 20′.
- The server 20′ (and ticket service 60′) is in communication with the web server 20 and the application server 15 over a server communication channel 35′.
- The ticket service 60 can also be a separate component (not shown) of the server network 33.
- The web browser 40 then sends the ticket to the ICA client 41.
- A technique often used to transmit application data from applications executing on the application server 15 over a secure connection to the client 10 is to transmit the application data to the client 10 through the web server 20, over the secure connection between the client 10 and the web server 20.
- This technique is inefficient in that communication between the application server 15 and the client 10 takes an additional “hop”, namely the web server 20.
- The present invention uses the ticketing mechanism to establish a secure communication link directly between the application server 15 and the client 10, thereby eliminating the intermediate transmission of application data from the application server 15 to the web server 20.
- A client user requesting, for example, an application or server desktop to be remotely displayed on the client 10 first establishes a communication link 32 with the web server 20 over the web communication channel 30 and passes login and password information to the web server 20.
- The client user uses the web browser 40 to request from the web server 20 an application that is listed on a web page displayed by the web browser 40.
- The web browser 40 uses SSL to establish the secure web communication channel 30.
- The web browser 40 or an application executing on the client 10 attempts to connect to a secure web page on the web server 20.
- The web server 20 then asserts the web server's identity to the client 10 by transmitting a secure web server certificate to the client 10.
- A certification authority (CA) issues the secure web server certificate to the web server 20.
- Web browsers 40 have a list of trusted CAs (i.e., the public key of each CA) embedded within the software of the web browser 40.
- The client 10 verifies the web server certificate by decrypting the signature of the CA in the web server's certificate with the public key of the CA embedded in the web browser 40 (or application). Therefore, in order to establish a secure communication channel using SSL, the web browser 40 or the application executing on the client 10 must have the public key of the CA embedded in the software prior to attempting to connect to the secure web page.
- The web browser 40 can also connect to the web server 20 over the web communication channel 30 using other security protocols, such as, but not limited to, Secure Hypertext Transfer Protocol (SHTTP) developed by Terisa Systems of Los Altos, Calif., HTTP over SSL (HTTPS), Private Communication Technology (PCT) developed by Microsoft Corporation of Redmond, Wash., Secure Electronic Transfer (SET), developed by Visa International, Incorporated and Mastercard International, Incorporated of Purchase, N.Y., Secure-MIME (S/MIME) developed by RSA Security of Bedford, Mass., and the like.
- Once the communication link 32 is established, the web server 20 generates a ticket for the communication session.
- The ticket includes a first portion and a second portion.
- The first portion, also referred to as a session identifier (ID) or nonce, is a cryptographic random number that can be used within a certain time period determined by the web server 20.
- The second portion is an encryption key, hereafter referred to as a session key.
- The web server 20 stores the ticket in local memory and then transmits (arrow 34) a copy of the ticket to the web browser 40 on the client 10.
- The ticket may also include additional information, such as the network address of the application server 15.
- Alternatively, the web server 20 independently transmits the address of the application server 15 to the client 10.
- The web server 20 converts the application name into the network address of the application.
- Examples of the additional information included in the ticket include, but are not limited to, the time period for which the ticket is valid, the screen size of the application when displayed on the client 10, the bandwidth limits of the web communication channel 30 and/or the application communication channel 25, and billing information.
- The web server 20 also associates the user's login information, such as the user's password, with the ticket stored in local memory, for future retrieval by the application server 15.
- The ICA client 41 obtains the ticket from the web browser 40 and subsequently transmits (arrow 42) the session ID (i.e., the first portion) of the ticket to the application server 15.
- The session ID can be transmitted in encrypted or cleartext form.
- The application server 15 decrypts the session ID, if encrypted, and transmits (arrow 44) a request to the web server 20 for the session key that corresponds to the session ID received from the client 10.
- The web server 20 verifies the session ID, as described below, and sends (arrow 48) the corresponding session key to the application server 15 over the server communication channel 35.
- Both the application server 15 and the client 10 now possess a copy of the session key without the ticket or the session key ever having been transmitted over the non-secure application communication channel 25.
- The client 10 and the application server 15 then establish (arrow 50) a secure communication link 50 over the application communication channel 25.
- The present invention strengthens (arrow 50) the security of the communication link 50 over the non-secure application communication channel 25 by not exposing sensitive information, such as the user's login information (e.g., the user's password), to eavesdroppers intercepting communications over the non-secure application communication channel 25.
- Because the application server 15 and the client 10 communicate with the same session key, they share a secret that was transmitted by the ticket service 60.
- The ticket service 60 thereby indirectly authenticates the application server 15 and the client 10, vouching for each. Therefore, the application server 15 and the client 10 perform mutual authentication.
- The client 10 may again transmit the user's password over the web communication channel 30 to the web server 20 to provide compatibility with legacy systems (e.g., an unmodified operating system login sequence on the web server 20 that requires the client 10 to transmit the user's password multiple times).
- FIG. 2 shows embodiments of a process performed by the communications system 100 to establish a secure communication link 50 over the application communication channel 25 between the client 10 and the application server 15.
- The web browser 40 lists (step 200) web links to software applications or server desktops on the web page that the user of the client 10 views.
- The client user, using the web browser 40, requests (step 205) a software application from the web server 20.
- The web browser 40 establishes the secure web communication channel 30 using the previously described SSL protocol.
- the client 10 e.g., the web browser 40
- the client 10 is also authenticated to the web server 20 using a public key certificate.
- the web server 20 authenticates the user when the user uses the web browser 40 to request an application from the web server 20 .
- the web server 20 requests the user's login information, which includes the user's login name and password, with a request displayed on the web browser 40 .
- the user provides (step 210 ) the user's login information to the web browser 40 .
- the web browser 40 subsequently transmits (step 220 ) the user's login name and password to the web server 20 over the secure web communication channel 30 .
- the user's login information is any code or method that the web server 20 accepts to identify the user's account on the web server 20 .
- the web server 20 transmits (step 230 ) the user's login information to the ticket service 60 .
- the ticket service 60 verifies (step 240 ) the user's login information and determines whether the user is entitled to access the requested application. Depending on the declared communication security policy for that application, the ticket service 60 either refuses or grants access to the application by the user. If the ticket service 60 denies access, the web browser 40 displays an HTML error or an error web page on the client 10 .
- the ticket service 60 grants access to the requested application, the ticket service 60 generates (step 245 ) a ticket for the session and transmits (step 250 ) the ticket to the web server 20 .
- the ticket includes a session ID and a session key.
- the session ID can be used once within a certain time period and makes the ticket a “one-time use” ticket having no further value after its first use.
- the web server 20 then stores (step 253 ) the ticket in local memory.
- the web server 20 associates the login information provided by the user in step 210 and other security information used to authorize the session, such as the requested application name, with the stored ticket for later retrieval by the application server 15 .
- the web server 20 subsequently transmits (step 255 ) the ticket to the client 10 over the secure web communication channel 30 .
- the web browser 40 extracts (step 260 ) the session ID from the ticket and presents (step 265 ) the session ID to the application server 15 .
- the application server 15 checks the session ID to ensure that the session ID has not been used previously with this client 10 .
- the application server 15 monitors (e.g., stores in local memory) each ticket (i.e., session ID) that the client 10 transmits to the application server 15 .
- Alternatively, the ticket service 60 checks the session ID to ensure that the session ID has not been used previously with this client 10 .
- To do so, the ticket service 60 monitors each ticket that the ticket service 60 transmits to the web server 20 to ensure that each session ID is transmitted to the ticket service 60 only once.
- the application server 15 uses the session ID to determine the session key associated with the presented session ID. To accomplish this, the application server 15 transmits the session ID to the ticket service 60 and requests (step 270 ) the session key from the ticket service 60 of the web server 20 in response to the session ID. The ticket service 60 accesses local memory and uses the session ID as an index to retrieve the ticket information associated with the session ID. The ticket service 60 then returns (step 280 ) the session key associated with the session ID to the application server 15 .
- the web server 20 transmits (shown as phantom step 266 ) to the application server 15 additional information (e.g., the requested application name, the user's login information) that was previously associated with the ticket in step 253 .
- the application server 15 retrieves (phantom step 267 ) the additional ticket information and authorizes the communication session from this additional information.
- This additional information, such as the user's password and/or the name of the requested application, was not transmitted to the application server 15 by the client 10 over the non-secure application communication channel 25 , thereby protecting the information from potential attackers.
- the application server 15 verifies (phantom step 268 ) the additional information.
- If the additional information is invalid, the application server 15 refuses (phantom step 269 ) access to the requested application by the user. If the additional information is valid, the application server 15 grants access to the requested application and, as described above, requests (step 270 ) the session key from the ticket service 60 .
- the ticket service 60 performs additional checks on the session ID. For example, the ticket service 60 performs checks on the session ID for early detection of replay (i.e., checking that the session ID has not been previously transmitted to the ticket service 60 ) and/or Denial of Service (DoS) attacks (i.e., flooding and eventually disabling a remote server with illegitimate packets of data).
- Alternatively, the web server 20 transmits the first and second portion of the ticket to the application server 15 before the application server 15 requests it (step 270 ), thus eliminating the request in step 270 .
- In that case, the application server 15 stores the session key in its local memory and retrieves the session key from its local memory after the client 10 presents (step 265 ) the session ID to the application server 15 .
- the application server 15 uses the session key to encrypt communications to the client 10 and to decrypt communications from the client 10 over the application communication channel 25 .
- the client 10 uses the session key that the client 10 obtained from the ticket transmitted over the secure web communication channel 30 to decrypt communications from the application server 15 and to encrypt communications to the application server 15 . Because the client 10 and the application server 15 use the session key to encrypt and decrypt communications over the application communication channel 25 , the client 10 and the application server 15 establish (step 290 ) the secure communication link 50 over the previously non-secure application communication channel 25 .
- Because the client 10 and the application server 15 obtain the session key without transmitting the ticket over the non-secure application communication channel 25 (which could reveal the session key to third parties), the client 10 and the application server 15 strengthen the security of the communication link 50 over the previously non-secure application communication channel 25 .
- In another embodiment, the application communication channel 25 is made secure using the SSL protocol.
- In this embodiment, the ticket service 60 substitutes an application server certificate for the session key in the ticket.
- the client 10 uses the application server certificate to communicate with the application server 15 .
- the application server certificate is downloaded to the client 10 over the web communication channel 30 in response to a request for the ticket. Therefore, because the application server certificate is downloaded to the client 10 over a secure link (i.e., the web communication channel 30 ), the application server certificate does not need to be signed by a well-known public CA.
- Although the client 10 did not have the application server's certificate or the CA key in advance, an authenticated secure connection is established over the application communication channel 25 using the application server certificate included in the ticket.
- the client 10 can use the application server certificate transmitted in the ticket to establish an authenticated secure connection over the application communication channel 25 . More specifically, the client 10 uses the application server certificate transmitted in the ticket when the client 10 does not have a CA root certificate stored in its local memory that is associated with the requested SSL component (or when the client 10 has an incomplete list of CA certificates that does not include a CA certificate for the requested SSL component) and the client 10 cannot access the CA database of the web browser 40 .
- This applies when the client 10 does not have the CA certificate in its local memory (e.g., database, local disk, RAM, ROM).
- In yet another embodiment, the application server 15 stores a private key for decryption of messages that are encrypted with a corresponding public key.
- The ticket service 60 then transmits the corresponding public key of the application server 15 to the client 10 for encrypting communications.
- In these embodiments, the session ID still provides additional value: it ensures that the client 10 can gain access to the requested application, and can gain access only once, because the ticket service 60 (or the web server 20 ) monitors the ticket (i.e., the session ID). Furthermore, if the application server 15 and the client 10 use different session keys to encrypt and decrypt communications over the application communication channel 25 , an eavesdropper cannot modify the session ID transmitted by the client 10 to the application server 15 , because the cryptographic checksum over the session ID will not match the checksum expected by the application server 15 (i.e., the integrity check fails). Therefore, the client 10 and the application server 15 can detect when different session keys are being used (e.g., in a “man-in-the-middle” attack) to encrypt and decrypt communications over the application communication channel 25 .
- In another embodiment, the session key is substantially equivalent to a null value (i.e., the ticket contains only a nonce, or a nonce and a constant value for the session key).
- Even then, the client 10 does not transmit the user's login information (e.g., password) between the client 10 and the application server 15 over the non-secure application communication channel 25 . Therefore, because the ticket is only valid for a single use and only grants access to a previously authorized resource (e.g., the ICA client 41 ), external password exposure is avoided and individual session-level access control is achieved, even with a null or fixed session key value.
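The FIG. 2 exchange (steps 210 through 290), the one-time use of the session ID, and the checksum-based detection of mismatched session keys, as an added Python simulation that is not part of the patent or of any Citrix product. The credential store, the published-application catalogue and its placeholder server address, the message layout, and the HMAC-based encrypt-then-MAC construction are assumptions made for this example; the ticket service and the application server are modelled as in-process objects rather than network peers, and `now` is passed in explicitly so the ticket lifetime check is deterministic:

```python
import hashlib
import hmac
import secrets

# Constructed credential store and published-application catalogue for the simulation.
USERS = {"alice": "correct horse battery staple"}
PUBLISHED_APPS = {"wordproc": "appserver.internal.example:1494"}  # placeholder address


class TicketService:
    """Ticket service 60: verifies logins, issues one-time tickets, hands out session keys."""
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.tickets = {}  # session ID -> ticket record kept in local memory

    def issue_ticket(self, user, password, app, now):
        # Step 240: verify the login information and the entitlement to the application.
        if (not hmac.compare_digest(USERS.get(user, "").encode(), password.encode())
                or app not in PUBLISHED_APPS):
            raise PermissionError("login refused")
        # Step 245: the session ID is a random nonce, the session key a fresh secret.
        session_id, session_key = secrets.token_hex(16), secrets.token_bytes(32)
        self.tickets[session_id] = {"key": session_key, "user": user, "app": app,
                                    "issued": now, "redeemed": False}
        # The complete ticket (ID, key, server address) only ever travels over channel 30.
        return {"session_id": session_id, "session_key": session_key,
                "app_address": PUBLISHED_APPS[app]}

    def redeem(self, session_id, now):
        """Steps 270-280: map a presented session ID to its key, exactly once, within the TTL."""
        rec = self.tickets.get(session_id)
        if rec is None:
            raise PermissionError("unknown session ID")
        if rec["redeemed"]:
            raise PermissionError("replay: session ID already used")
        if now - rec["issued"] > self.ttl:
            raise PermissionError("ticket expired")
        rec["redeemed"] = True
        return rec["key"], rec["user"], rec["app"]


class ApplicationServer:
    """Application server 15: sees only the session ID on the non-secure channel 25."""
    def __init__(self, ticket_service):
        self.ticket_service = ticket_service
        self.seen_ids = set()  # session IDs already presented to this server

    def accept(self, session_id, now):
        # Local replay check first (step 265), then fetch the key from the ticket service.
        if session_id in self.seen_ids:
            raise PermissionError("replay: session ID already presented here")
        self.seen_ids.add(session_id)
        return self.ticket_service.redeem(session_id, now)


def _subkeys(session_key):
    # Separate encryption and MAC keys derived from the single session key.
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key, nonce, data):
    # Counter-mode keystream from HMAC-SHA256 XORed over data (illustrative, not a production cipher).
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(session_key, plaintext, nonce):
    """Encrypt-then-MAC one application message; returns nonce | ciphertext | tag."""
    enc_key, mac_key = _subkeys(session_key)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def unprotect(session_key, message):
    """Return the plaintext, or None when the integrity check fails (e.g. the keys differ)."""
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    enc_key, mac_key = _subkeys(session_key)
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        return None
    return _xor_stream(enc_key, nonce, ciphertext)


def run_session(now):
    """Walk the FIG. 2 steps once and report what each check decided."""
    ticket_service = TicketService()
    app_server = ApplicationServer(ticket_service)
    # Steps 210-255: login over the secure web channel; the client receives the whole ticket.
    ticket = ticket_service.issue_ticket("alice", USERS["alice"], "wordproc", now)
    # Step 265: only the session ID crosses the non-secure application channel.
    server_key, user, app = app_server.accept(ticket["session_id"], now)
    # Step 290: both ends hold the same key although it never crossed channel 25.
    frame = protect(server_key, b"desktop frame 1", secrets.token_bytes(16))
    decrypted = unprotect(ticket["session_key"], frame) == b"desktop frame 1"
    try:  # one-time use: presenting the same session ID again is refused
        app_server.accept(ticket["session_id"], now)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    # Different keys at the two ends (the man-in-the-middle case): the checksum does not match.
    wrong_key_detected = unprotect(secrets.token_bytes(32), frame) is None
    return {"decrypted": decrypted, "replay_rejected": replay_rejected,
            "wrong_key_detected": wrong_key_detected, "user": user, "app": app}
```

`run_session(now)` returns a dict whose three boolean fields correspond to the three properties the page argues for: the client decrypts the application server's traffic with the key it received over channel 30, a second presentation of the same session ID is refused both locally and by the ticket service, and a frame protected under a different key fails the integrity check before any plaintext is released. The TTL check in `redeem` is the "certain time period" of the session ID. In the null-key embodiment the ticket service would return a constant in place of `session_key`; `redeem` and the replay checks behave exactly the same, but `protect` then gives no confidentiality against anyone who knows the constant, which is why that embodiment's access-control argument rests on the ticket's single use rather than on the key.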
- the present method is a “zero-install” solution for secure access to desktop applications over the web.
- the web browser 40 receives the ticket and the ICA client 41 from the web server 20 over the communication channel 30 .
- the web server 20 transmits the ticket and a MIME type document, as described above, specifying that the data includes a “document” for the ICA client 41 (as a helper application).
- the MIME type document invokes the ICA client 41 and the web browser 40 transfers the ticket to the ICA client 41 , thus allowing the exploitation of the security of the communication channel 30 to secure the application communication channel 25 without having the ICA client 41 pre-installed on the client 10 .
- FIG. 1 shows a block diagram of an embodiment of a communication system 100 including a client 10 in communication with an application server 15 over an application communication channel 25 and in communication with a communications device 20 over a communication channel 30 .
- the communication channel 30 and the application communication channel 25 pass through a network 27 .
- the communication channel 30 and the application channel 25 pass through other, different networks.
- For example, the communication channel 30 can pass through a first network (e.g., the World Wide Web) and the application communication channel 25 can pass through a second network (e.g., a direct dial-up modem connection).
- the communication channel 30 is a secure communication channel in that communications are encrypted.
- the application server 15 is additionally in communication with the communications device 20 over a server communication channel 35 .
- the application server 15 and the communications device 20 are part of a server network 33 .
- the communication system 100 establishes a secure communication link over the non-secure application communication channel 25 to remotely display desktop applications securely on the client 10 .
- the network 27 and the server network 33 can be a local-area network (LAN) or a wide area network (WAN), or a network of networks such as the Internet or the World Wide Web (i.e., web).
- the communication channel 30 can be any secure communication channel.
- the communication channel 30 (hereafter web communication channel 30 ) supports communications over the web.
- the server network 33 is a protected network that is inaccessible by the public.
- the server communication channel 35 traverses the server network 33 and therefore can be a non-secure communication channel.
- Example embodiments of the communication channels 25 , 30 , 35 include standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections.
- the connections over the communication channels 25 , 30 , 35 can be established using a variety of communication protocols (e.g., HTTP, TCP/IP, IPX, SPX, Net-BIOS, Ethernet, RS232, and direct asynchronous connections).
- the client 10 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, or other communications device that is capable of communicating over the secure web communication channel 30 .
- the client 10 operates according to a server-based computing model. In a server-based computing model, the execution of application programs occurs entirely on the application server 15 and the user interface, keystrokes, and mouse movements are transmitted over the application communication channel 25 to the client 10 .
- the user interface can be text driven (e.g., DOS) or graphically driven (e.g., Windows). Platforms that can be supported by the client 10 include DOS and Windows CE for windows-based terminals.
- the client 10 includes a web browser 40 , such as Internet Explorer™ developed by Microsoft Corporation in Redmond, Wash., to connect to the web.
- the web browser 40 uses the existing Secure Socket Layer (SSL) support, developed by Netscape in Mountain View, Calif., to establish the secure web communication channel 30 to communications devices such as the communications device 20 .
- the web browser 40 also has a user interface that may be text driven or graphically driven.
- the output of an application executing on the application server 15 can be displayed at the client 10 via the user interface of the client 10 or the user interface of the web browser 40 .
- the client 10 includes an application client 41 for establishing and exchanging communications with the application server 15 over the application communication channel 25 .
- the application client 41 is the Independent Computing Architecture (ICA) client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla., and is hereafter referred to as ICA client 41 .
- Other embodiments of the application client 41 include the Remote Display Protocol (RDP), developed by Microsoft Corporation of Redmond, Wash., X-Windows, developed by Massachusetts Institute of Technology of Cambridge, Mass., a data entry client in a traditional client/server application, and a Java applet.
- the application server 15 hosts one or more application programs that can be accessed by the client 10 .
- Applications made available to the client 10 for use are referred to as published applications. Examples of such applications include word processing programs such as MICROSOFT WORD® and spreadsheet programs such as MICROSOFT EXCEL®, both manufactured by Microsoft Corporation of Redmond, Wash., financial reporting programs, customer registration programs, programs providing technical support information, customer database applications, or application set managers.
- the application server 15 is a member of a server farm (not shown).
- a server farm is a logical group of one or more servers that are administered as a single entity.
- the communications device 20 (hereafter web server 20 ) is a computer that delivers web pages to the client 10 .
- the communications device 20 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, or other communications device that is capable of establishing the secure web communication channel 30 with the client 10 .
- the web server 20 also includes a ticket service 60 .
- the ticket service 60 controls communication security.
- the ticket service 60 generates a ticket containing an encryption key.
- the ticket is transmitted to the client 10 (i.e., the web browser 40 ) over the secure web communication channel 30 .
- the transmission of the ticket to the client 10 over the secure web communication channel 30 facilitates the establishment of secure communications over the application communication channel 25 between the client 10 and the application server 15 in accordance with the principles of the invention.
- the ticket service 60′ resides on another server 20′.
- the server 20′ (and ticket service 60′) is in communication with the web server 20 and the application server 15 over a server communication channel 35′.
- the ticket service 60 is a separate component (not shown) of the server network 33 .
- the web browser 40 then sends the ticket to the ICA client 41 .
- a technique often used to transmit application data from applications executing on the application server 15 over a secure connection to the client 10 is to transmit the application data to the client 10 through the web server 20 over the secure connection between the client 10 and the web server 20 .
- This technique is inefficient in that communication between the application server 15 and the client 10 takes an additional “hop”, namely the web server 20 .
- the present invention uses the ticketing mechanism to establish a secure communication link directly between the application server 15 and the client 10 , thereby eliminating the intermediate transmission of application data from the application server 15 to the web server 20 .
- a client user requesting an application or server desktop, for example, to be remotely displayed on the client 10 first establishes a communication link 32 with the web server 20 over the web communication channel 30 and passes login and password information to the web server 20 .
- the client user uses the web browser 40 to request an application from the web server 20 that is listed on a web page displayed by the web browser 40 .
- the web browser 40 uses SSL to establish the secure web communication channel 30 .
- the web browser 40 or an application executing on the client 10 attempts to connect to a secure web page on the web server 20 .
- the web server 20 then asserts the web server's identity to the client 10 by transmitting a secure web server certificate to the client 10 .
- a certification authority (CA) issues the secure web server certificate to the web server 20 .
- Web browsers 40 have a list of trusted CAs (i.e., the public keys of the CAs) embedded within the software of the web browser 40 .
- the client 10 verifies the web server certificate by decrypting the signature of the CA in the web server's certificate with the public key of the CA embedded in the web browser 40 (or application). Therefore, in order to establish a secure communication channel using SSL, the web browser 40 or the application executing on the client 10 has the public key of the CA embedded in the software prior to attempting to connect to the secure web page.
- the web browser 40 can connect to the web server 20 over the web communication channel 30 using other security protocols, such as, but not limited to, Secure Hypertext Transfer Protocol (SHTTP) developed by Terisa Systems of Los Altos, CA, HTTP over SSL (HTTPS), Private Communication Technology (PCT) developed by Microsoft Corporation of Redmond, Wash., Secure Electronic Transfer (SET), developed by Visa International, Incorporated and Mastercard International, Incorporated of Purchase, N.Y., Secure-MIME (S/MIME) developed by RSA Security of Bedford, Mass., and the like.
- Once the communication link 32 is established, the web server 20 generates a ticket for the communication session.
- the ticket includes a first portion and a second portion.
- the first portion, also referred to as a session identifier (ID) or nonce, is a cryptographic random number that can be used within a certain time period determined by the web server 20 .
- the second portion is an encryption key, hereafter referred to as a session key.
- the web server 20 stores the ticket in local memory and then transmits (arrow 34 ) a copy of the ticket to the web browser 40 on the client 10 .
- the ticket includes additional information, such as the network address of the application server 15 .
- Alternatively, the web server 20 independently transmits the address of the application server 15 to the client 10 .
- the web server 20 converts the application name into the network address of the application.
- Examples of the additional information included in the ticket are, but not limited to, the time that the ticket is valid, the screen size of the application when displayed on the client 10 , the bandwidth limits of the web communication channel 30 and/or the application communication channel 25 , and billing information.
- the web server 20 also associates the user's login information, such as the user's password, with the ticket stored in local memory for future retrieval by the application server 15 .
- the ICA client 41 obtains the ticket from the web browser 40 and subsequently transmits (arrow 42 ) the session ID (i.e., the first portion) of the ticket to the application server 15 .
- the session ID can be transmitted in encrypted or cleartext form.
- the application server 15 decrypts the session ID, if encrypted, and transmits (arrow 44 ) a request to the web server 20 for a session key that corresponds to the session ID received from the client 10 .
- the web server 20 verifies the session ID, as described below, and sends (arrow 48 ) the corresponding session key to the application server 15 over the server communication channel 35 .
- Both the application server 15 and the client 10 now possess a copy of the session key without requiring the transmission of the ticket or the session key over the non-secure application communication channel 25 .
- the client 10 and the application server 15 establish (arrow 50 ) a secure communication link 50 over the application communication channel 25 .
- the present invention strengthens (arrow 50 ) the security of the communication link 50 over the non-secure application communication channel 25 by not exposing sensitive information, such as the user's password, to eavesdroppers intercepting communications over the non-secure application communication channel 25 .
- Because the application server 15 and the client 10 communicate with the same session key, they share a secret that was transmitted by the ticket service 60 .
- In this way, the ticket service 60 indirectly authenticates the application server 15 and the client 10 , and the ticket service 60 is vouching for each. Therefore, the application server 15 and the client 10 perform mutual authentication.
- In some embodiments, the client 10 transmits the user's password again over the web communication channel 30 to the web server 20 to provide compatibility with legacy systems (e.g., an unmodified operating system login sequence on the web server 20 that requires the client 10 to transmit the user's password multiple times).
- FIG. 2 shows embodiments of a process performed by the communications system 100 to establish a secure communication link 50 over the application communication channel 25 between the client 10 and the application server 15 .
- the web browser 40 lists (step 200 ) web links to software applications or server desktops on the web page that the user of the client 10 views.
- the client user using the web browser 40 , requests (step 205 ) a software application from the web server 20 .
- the web browser 40 establishes the secure web communication channel 30 using the previously described SSL protocol.
- the client 10 is also authenticated to the web server 20 using a public key certificate.
- the web server 20 authenticates the user when the user uses the web browser 40 to request an application from the web server 20 .
- the web browser 40 receives the ticket and the ICA client 41 from the web server 20 over the communication channel 30 .
- the web server 20 transmits the ticket and a MIME type document, as described above, specifying that the data includes a “document” for the ICA client 41 (as a helper application).
- the MIME type document invokes the ICA client 41 and the web browser 40 transfers the ticket to the ICA client 41 , thus allowing the exploitation of the security of the communication channel 30 to secure the application communication channel 25 without having the ICA client 41 pre-installed on the client 10 .
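The certificate-in-ticket embodiment above, worked through as an added example in Go. This is not code from the patent or from Citrix; it assumes an ECDSA P-256 self-signed certificate for the application server, a constructed host name `app-server-15.example`, a constructed session ID `sid`, and it reduces the SSL handshake to the step that matters for the argument: the server proves possession of the certificate's private key by signing a client challenge, and the client validates the certificate against the root set it built from the ticket, not against any public CA. The type and function names (`CertTicket`, `AppServer`, `Connect`) are this example's own.

```go
// Added example (not the patent's code): the SSL embodiment in which the ticket
// carries application server 15's certificate instead of a session key. The
// certificate is self-signed; the client trusts it only because it arrived over
// the already-secure web channel 30. The TLS handshake is reduced to its core:
// the server signs the client's challenge with the certificate key, and the
// client validates the certificate against the ticket rather than a public CA.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// appServerName is a constructed host name for application server 15.
const appServerName = "app-server-15.example"

// CertTicket: session ID plus the server certificate in place of a session key.
type CertTicket struct {
	SessionID  string
	ServerCert *x509.Certificate
}

// AppServer holds application server 15's private key and self-signed certificate.
type AppServer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewAppServer generates a key pair and a self-signed certificate for host.
func NewAppServer(host string) (*AppServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &AppServer{Key: key, Cert: cert}, err
}

// Respond is the server side on channel 25: it presents its certificate and a
// signature over the session ID and the client's challenge (proof of key possession).
func (s *AppServer) Respond(sessionID string, challenge []byte) (*x509.Certificate, []byte, error) {
	digest := sha256.Sum256(append([]byte(sessionID), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	return s.Cert, sig, err
}

// Connect is the client side. Its root set holds only what the ticket carried
// (nil ticket: the client has no CA for this server at all). The presented
// certificate must chain to that root set and name the host; the signature must verify.
func Connect(ticket *CertTicket, sessionID string, srv *AppServer) error {
	roots := x509.NewCertPool()
	if ticket != nil {
		roots.AddCert(ticket.ServerCert)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	presented, sig, err := srv.Respond(sessionID, challenge) // exchange on channel 25
	if err != nil {
		return err
	}
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: appServerName}); err != nil {
		return err
	}
	digest := sha256.Sum256(append([]byte(sessionID), challenge...))
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	srv, err := NewAppServer(appServerName)
	if err != nil {
		panic(err)
	}
	ticket := &CertTicket{SessionID: "sid", ServerCert: srv.Cert}
	fmt.Println(Connect(nil, "sid", srv), Connect(ticket, "sid", srv))
}
```

Run with `go run`: the first result is the “unknown authority” error a client with no CA for this server gets, the second is nil. A second self-signed certificate carrying the same host name is also rejected, because the root set holds exactly the certificate the ticket delivered; that is the whole trust model, and it is only as strong as the web channel the ticket came over.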
Abstract
The present invention features a system and method for establishing a secure communication channel between a client and an application server. In one embodiment, a ticket service generates a ticket having an identifier and a session key. A communications device obtains the ticket from the ticket service and transmits the ticket to a client over a secure communication channel. The client transmits the identifier of the ticket to an application server over an application communication channel. The application server then obtains a copy of the session key of the ticket from the ticket service. Communications exchanged between the client and the application server over the application communication channel are then encrypted using the session key to establish the application communication channel as a secure communication channel.
Description
- This Application is a Continuation of application Ser. No. 09/706117 filed on Nov. 3, 2000.
- The invention relates generally to client-server computer networks. More specifically, the invention relates to a system and method for securely accessing software applications using a remote display protocol.
- Software applications that are requested to be remotely displayed on a client computer, or client, are commonly accessed with a graphical or windowing terminal session. When a user requests an application on a client computer, the application executes on a server; typically the input information (e.g., mouse and keyboard events) is transmitted from the client computer to the server computer, and the display information is transmitted from the server computer to the client computer. Graphical or windowing terminal sessions often make use of unauthenticated connections between the client and the server. Alternatively, the graphical or windowing terminal session may authenticate the connection between the client and the server by having the user supply his password to the server.
- The aforementioned techniques employed by the terminal sessions have various shortcomings. For example, transmitting information, such as password information, to an unauthenticated server allows the information to be viewed by a server that is not trusted by the client. The non-secure connection permits an eavesdropper to intercept a user's password for future use.
- To avoid these problems, the client and server are typically authenticated using conventional cryptographic techniques. One type of cryptographic technique used by networks is a ticket-based authentication scheme. Most current ticket-based authentication schemes transmit a ticket. The ticket, which can typically be used only one time, may contain an encryption key to be used in future communications and/or may contain a secret password to support the future communications. When the client and the server both have the encryption key, they can communicate securely.
- However, the current ticket-based authentication schemes are limited in several areas. First, the ticket is typically transmitted to the client over a non-secure communication channel, thereby allowing an eavesdropper to intercept the ticket and retrieve the encryption key. Using the encryption key, the eavesdropper can pose as the server to the client or as the client to the server. Second, the current schemes do not take advantage of secure web pages. For example, current ticket-based authentication schemes make transactions over the internet, such as purchases, unsafe because proprietary information, such as a purchaser's credit card information, can be transmitted to a non-secure web page. Third, software applications executing on a server are commonly transmitted over a non-secure communication channel to a remote display protocol client on a client machine. For instance, networks may consist of specialized application servers (e.g., Metaframe for Windows, manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla.) that execute specific applications whose output is typically transmitted to a remote display service over a non-secure communication channel. Fourth, although the ticket can typically be used only one time (i.e., making it a “one-time use” ticket) and has no further value after its first use, the one-time use ticket does not protect the user's password (which is used for login into an operating system or an application) from an eavesdropper on the ticket's first transmission. Therefore, the user's password is still not completely protected from interception, and the server is consequently not authenticated to the client.
- The present invention features a system and method for establishing a secure communication channel between a client and an application server. A ticket service generates a ticket having an identifier and a session key. A communications device obtains the ticket from the ticket service and transmits the ticket to a client over a secure communication channel. The client transmits the identifier of the ticket to an application server over an application communication channel. The application server then obtains a copy of the session key of the ticket from the ticket service. Communications exchanged between the client and the application server over the application communication channel are then encrypted using the session key to establish the application communication channel as a secure communication channel.
- In one embodiment, a web browser executing on a client establishes communications with a web server over a secure web communication channel. The client receives a ticket having an identifier and a session key from the web server over the secure web communication channel. The client then transmits the identifier of the ticket to the application server over the application communication channel to provide the application server with information for obtaining a copy of the session key.
- In one aspect, the invention relates to a method for establishing a secure communication channel between a client and an application server. The client receives a ticket having an identifier and a session key from a web server over a secure web communication channel. The client then transmits the identifier of the ticket to the application server over an application communication channel to provide the application server with information for obtaining a copy of the session key. The client establishes a secure communication channel over the application communication channel by using the session key to encrypt and decrypt communications to and from the application server. The identifier is a nonce. In one embodiment, the client and the web server use secure socket layer technology to establish the secure web communication channel.
- In another aspect, the invention relates to a communications system that establishes a secure communication channel. The communications system includes a client, an application server, a communications device, and a ticket service. The ticket service generates a ticket having an identifier and a session key. The communications device is in communication with the ticket service to obtain the ticket. The client is in communication with the communications device over a secure communication channel to receive the ticket from the communications device. The application server is in communication with the client over an application communication channel to receive the identifier of the ticket from the client and in communication with the ticket service to obtain a copy of the session key from the ticket service. The application server and the client exchange communications over the application communication channel as a secure communication channel. In one embodiment, the ticket service resides on the communications device. In one embodiment, the communications device is a web server.
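The exchange summarized in the aspects above, played end to end as an added example in Go. This is not code from the patent or from Citrix. It assumes that the secure web channel 30 and the server channel 35 are already in place (they are reduced to direct function calls), that the session key is used with AES-256-GCM (the patent names no cipher), and that the session ID is bound into each record as associated data so that the record carries the “cryptographic checksum” the description later relies on. The message `keystroke: hello` is constructed, and the names `TicketService`, `Ticket`, `Seal`, `Open` and `RunSession` are this example's own.

```go
// Added example (not the patent's code): the FIG. 2 ticket exchange simulated
// end to end. Secure channels 30 and 35 are assumed and become direct calls;
// application channel 25 carries the session ID in cleartext, then AES-256-GCM.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Ticket: nonce session ID (first portion) plus session key (second portion).
type Ticket struct {
	SessionID  string
	SessionKey []byte
}

// TicketService models element 60: the unredeemed tickets, indexed by session ID.
type TicketService map[string]*Ticket

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse to continue with weak keys
	}
	return b
}

// Issue (steps 245-255): the ticket the web server delivers to the client over
// the secure web channel 30; the TLS delivery itself is assumed, not modelled.
func (ts TicketService) Issue() *Ticket {
	t := &Ticket{SessionID: fmt.Sprintf("%x", randomBytes(16)), SessionKey: randomBytes(32)}
	ts[t.SessionID] = t
	return t
}

// Redeem (steps 270/280): the application server presents the cleartext session
// ID and receives the key once; the ticket is removed, so a replay is refused.
func (ts TicketService) Redeem(id string) ([]byte, error) {
	t, ok := ts[id]
	if !ok {
		return nil, errors.New("unknown or already redeemed session ID")
	}
	delete(ts, id)
	return t.SessionKey, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one channel-25 record under the session key, binding the session
// ID as associated data: an ID altered in transit, or a record sealed under a
// different key (a man in the middle), fails the integrity check in Open.
func Seal(key []byte, id string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	iv := randomBytes(aead.NonceSize())
	return append(iv, aead.Seal(nil, iv, plaintext, []byte(id))...), nil
}

func Open(key []byte, id string, record []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil || len(record) < aead.NonceSize() {
		return nil, errors.New("bad key or truncated record")
	}
	n := aead.NonceSize()
	return aead.Open(nil, record[:n], record[n:], []byte(id))
}

// RunSession plays one session with a constructed message: client 10 seals it
// with the key from its ticket; application server 15 redeems the ID over
// channel 35 and opens the record with its copy. Returns what the server got.
func RunSession(ts TicketService, msg string) (string, error) {
	ticket := ts.Issue()                // reaches client 10 over channel 30
	wireID := ticket.SessionID          // arrow 42: cleartext on channel 25
	serverKey, err := ts.Redeem(wireID) // arrows 44/48
	if err != nil {
		return "", err
	}
	record, err := Seal(ticket.SessionKey, wireID, []byte(msg))
	if err != nil {
		return "", err
	}
	pt, err := Open(serverKey, wireID, record)
	return string(pt), err
}

func main() {
	fmt.Println(RunSession(TicketService{}, "keystroke: hello"))
}
```

Two properties of the scheme fall out directly: an eavesdropper on channel 25 sees only the session ID, which is worthless once the application server has redeemed it (the second `Redeem` of the same ID fails), and a record whose session ID was altered, or that was sealed under a key other than the one the ticket service handed out, fails authentication in `Open` rather than decrypting to garbage.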
- FIG. 1 shows a block diagram of an embodiment of a communication system 100 including a client 10 in communication with an application server 15 over an application communication channel 25 and in communication with a communications device 20 over a communication channel 30. The communication channel 30 and the application communication channel 25 pass through a network 27. In other embodiments, the communication channel 30 and the application communication channel 25 pass through other, different networks. For example, the communication channel 30 can pass through a first network (e.g., the World Wide Web) and the application communication channel 25 can pass through a second network (e.g., a direct dial-up modem connection). The communication channel 30 is a secure communication channel in that communications are encrypted. The application server 15 is additionally in communication with the communications device 20 over a server communication channel 35. The application server 15 and the communications device 20 are part of a server network 33. By exploiting the security of the secure communications between the client 10 and the communications device 20 over the secure communication channel 30, the communication system 100 establishes a secure communication link over the non-secure application communication channel 25 to remotely display desktop applications securely on the client 10.
- The network 27 and the server network 33 can be a local-area network (LAN) or a wide area network (WAN), or a network of networks such as the Internet or the World Wide Web (i.e., web). The communication channel 30 can be any secure communication channel. In one embodiment, the communication channel 30 (hereafter web communication channel 30) supports communications over the web. In one embodiment, the server network 33 is a protected network that is inaccessible by the public. The server communication channel 35 traverses the server network 33 and therefore can be a non-secure communication channel. Example embodiments of the communication channels
- The client 10 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, or other communications device that is capable of communicating over the secure web communication channel 30. In one embodiment, the client 10 operates according to a server-based computing model. In a server-based computing model, the execution of application programs occurs entirely on the application server 15, and the user interface, keystrokes, and mouse movements are exchanged between the application server 15 and the client 10 over the application communication channel 25. The user interface can be text driven (e.g., DOS) or graphically driven (e.g., Windows). Platforms that can be supported by the client 10 include DOS and Windows CE for Windows-based terminals.
- In one embodiment, the client 10 includes a web browser 40, such as Internet Explorer™ developed by Microsoft Corporation in Redmond, Wash., to connect to the web. In a further embodiment, the web browser 40 uses the existing Secure Socket Layer (SSL) support, developed by Netscape in Mountain View, Calif., to establish the secure web communication channel 30 to communications devices such as the communications device 20. The web browser 40 also has a user interface that may be text driven or graphically driven. The output of an application executing on the application server 15 can be displayed at the client 10 via the user interface of the client 10 or the user interface of the web browser 40. Additionally, the client 10 includes an application client 41 for establishing and exchanging communications with the application server 15 over the application communication channel 25. In one embodiment, the application client 41 is the Independent Computing Architecture (ICA) client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla., and is hereafter referred to as ICA client 41. Other embodiments of the application client 41 include a Remote Desktop Protocol (RDP) client, developed by Microsoft Corporation of Redmond, Wash., an X Window System client, developed by the Massachusetts Institute of Technology of Cambridge, Mass., a data entry client in a traditional client/server application, and a Java applet.
- The application server 15 hosts one or more application programs that can be accessed by the client 10. Applications made available to the client 10 for use are referred to as published applications. Examples of such applications include word processing programs such as MICROSOFT WORD® and spreadsheet programs such as MICROSOFT EXCEL®, both manufactured by Microsoft Corporation of Redmond, Wash., financial reporting programs, customer registration programs, programs providing technical support information, customer database applications, or application set managers. In another embodiment, the application server 15 is a member of a server farm (not shown). A server farm is a logical group of one or more servers that are administered as a single entity.
- In one embodiment, the communications device 20 (hereafter web server 20) is a computer that delivers web pages to the client 10. In other embodiments, the communications device 20 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, or other communications device that is capable of establishing the secure web communication channel 30 with the client 10.
- In one embodiment, the web server 20 also includes a ticket service 60. The ticket service 60 controls communication security. The ticket service 60 generates a ticket containing an encryption key. The ticket is transmitted to the client 10 (i.e., the web browser 40) over the secure web communication channel 30. The transmission of the ticket to the client 10 over the secure web communication channel 30 facilitates the establishment of secure communications over the application communication channel 25 between the client 10 and the application server 15 in accordance with the principles of the invention. In another embodiment, the ticket service 60′ resides on another server 20′. The server 20′ (and ticket service 60′) is in communication with the web server 20 and the application server 15 over a server communication channel 35′. In yet another embodiment, the ticket service 60 is a separate component (not shown) of the server network 33. The web browser 40 then sends the ticket to the ICA client 41. A technique often used to transmit application data from applications executing on the application server 15 over a secure connection to the client 10 is to relay the application data through the web server 20 over the secure connection between the client 10 and the web server 20. This technique is inefficient in that communication between the application server 15 and the client 10 takes an additional “hop”, namely the web server 20. The present invention uses the ticketing mechanism to establish a secure communication link directly between the application server 15 and the client 10, thereby eliminating the intermediate transmission of application data from the application server 15 to the web server 20.
- A client user requesting an application or server desktop, for example, to be remotely displayed on the client 10 first establishes a communication link 32 with the web server 20 over the web communication channel 30 and passes login and password information to the web server 20. In one embodiment, the client user uses the web browser 40 to request an application from the web server 20 that is listed on a web page displayed by the web browser 40.
- In a further embodiment, the web browser 40 uses SSL to establish the secure web communication channel 30. To use the SSL protocol to establish the secure web communication channel 30, the web browser 40 or an application executing on the client 10 attempts to connect to a secure web page on the web server 20. The web server 20 then asserts the web server's identity to the client 10 by transmitting a secure web server certificate to the client 10. A certification authority (CA) issues the secure web server certificate to the web server 20. Web browsers 40 have a list of trusted CAs (i.e., the public keys of the CAs) embedded within the software of the web browser 40. The client 10 verifies the web server certificate by checking the CA's signature on the web server's certificate against the public key of the CA embedded in the web browser 40 (or application). Therefore, in order to establish a secure communication channel using SSL, the web browser 40 or the application executing on the client 10 must have the public key of the CA embedded in the software prior to attempting to connect to the secure web page. Besides using the SSL protocol to establish the secure web communication channel 30, the web browser 40 can connect to the web server 20 over the web communication channel 30 using other security protocols, such as, but not limited to, Secure Hypertext Transfer Protocol (SHTTP) developed by Terisa Systems of Los Altos, Calif., HTTP over SSL (HTTPS), Private Communication Technology (PCT) developed by Microsoft Corporation of Redmond, Wash., Secure Electronic Transaction (SET), developed by Visa International, Incorporated and Mastercard International, Incorporated of Purchase, N.Y., Secure MIME (S/MIME) developed by RSA Security of Bedford, Mass., and the like.
- Once the communication link 32 is established, the web server 20 generates a ticket for the communication session. The ticket includes a first portion and a second portion. In one embodiment, the first portion, also referred to as a session identifier (ID) or nonce, is a cryptographically random number that can be used within a certain time period determined by the web server 20. The second portion is an encryption key, hereafter referred to as a session key. The web server 20 stores the ticket in local memory and then transmits (arrow 34) a copy of the ticket to the web browser 40 on the client 10.
- In one embodiment, the ticket includes additional information, such as the network address of the application server 15. In another embodiment, the web server 20 independently transmits the address of the application server 15 to the client 10. For example, if the client 10 requests an application by name from the web server 20, the web server 20 converts the application name into the network address of the application. Examples of the additional information included in the ticket are, but are not limited to, the time that the ticket is valid, the screen size of the application when displayed on the client 10, the bandwidth limits of the web communication channel 30 and/or the application communication channel 25, and billing information. As described more fully below, the web server 20 also associates the user's login information, such as the user's password, with the ticket stored in local memory for future retrieval by the application server 15.
- The ICA client 41 obtains the ticket from the web browser 40 and subsequently transmits (arrow 42) the session ID (i.e., the first portion) of the ticket to the application server 15. The session ID can be transmitted in encrypted or cleartext form. The application server 15 decrypts the session ID, if encrypted, and transmits (arrow 44) a request to the web server 20 for the session key that corresponds to the session ID received from the client 10. The web server 20 verifies the session ID, as described below, and sends (arrow 48) the corresponding session key to the application server 15 over the server communication channel 35.
- Both the application server 15 and the client 10 (i.e., the ICA client 41) now possess a copy of the session key without the ticket or the session key ever having been transmitted over the non-secure application communication channel 25. By using the session key to encrypt and decrypt the communications over the previously non-secure application communication channel 25, the client 10 and the application server 15 establish (arrow 50) a secure communication link 50 over the application communication channel 25. Moreover, the user's login information (e.g., password) is not transmitted between the client 10 and the application server 15 over the non-secure application communication channel 25. Therefore, the present invention strengthens (arrow 50) the security of the communication link 50 over the non-secure application communication channel 25 by not exposing sensitive information, such as the user's password, to eavesdroppers intercepting communications over the non-secure application communication channel 25. Additionally, because the application server 15 and the client 10 communicate with the same session key, they share a secret that was distributed by the ticket service 60. The ticket service 60 thereby indirectly authenticates the application server 15 and the client 10 to each other, vouching for each. Therefore, the application server 15 and the client 10 perform mutual authentication. In one embodiment, the client 10 again transmits the user's password over the web communication channel 30 to the web server 20 to provide compatibility with legacy systems (e.g., an unmodified operating system login sequence on the web server 20 that requires the client 10 to transmit the user's password multiple times).
- In more detail, FIG. 2 shows embodiments of a process performed by the communications system 100 to establish a secure communication link 50 over the application communication channel 25 between the client 10 and the application server 15. The web browser 40 lists (step 200) web links to software applications or server desktops on the web page that the user of the client 10 views. The client user, using the web browser 40, requests (step 205) a software application from the web server 20. In one embodiment, the web browser 40 establishes the secure web communication channel 30 using the previously described SSL protocol. In this embodiment, the client 10 (e.g., the web browser 40) authenticates the web server 20 using a public key (e.g., X.509) certificate. In a further embodiment, the client 10 is also authenticated to the web server 20 using a public key certificate.
- In another embodiment, the web server 20 authenticates the user when the user uses the web browser 40 to request an application from the web server 20. For example, the web server 20 requests the user's login information, which includes the user's login name and password, with a request displayed on the web browser 40. The user provides (step 210) the user's login information to the web browser 40. The web browser 40 subsequently transmits (step 220) the user's login name and password to the web server 20 over the secure web communication channel 30. In another embodiment, the user's login information is any code or method that the web server 20 accepts to identify the user's account on the web server 20.
- The web server 20 transmits (step 230) the user's login information to the ticket service 60. The ticket service 60 verifies (step 240) the user's login information and determines whether the user is entitled to access the requested application. Depending on the declared communication security policy for that application, the ticket service 60 either refuses or grants access to the application by the user. If the ticket service 60 denies access, the web browser 40 displays an HTML error or an error web page on the client 10. When the ticket service 60 grants access to the requested application, the ticket service 60 generates (step 245) a ticket for the session and transmits (step 250) the ticket to the web server 20.
- As described above, the ticket includes a session ID and a session key. The session ID can be used once within a certain time period and makes the ticket a “one-time use” ticket having no further value after its first use. The web server 20 then stores (step 253) the ticket in local memory. In a further embodiment, the web server 20 associates the login information provided by the user in step 210 and other security information used to authorize the session, such as the requested application name, with the stored ticket for later retrieval by the application server 15. The web server 20 subsequently transmits (step 255) the ticket to the client 10 over the secure web communication channel 30.
- The web browser 40 extracts (step 260) the session ID from the ticket and presents (step 265) the session ID to the application server 15. The application server 15 checks the session ID to ensure that the session ID has not been used previously with this client 10. In one embodiment, the application server 15 monitors (e.g., stores in local memory) each ticket (i.e., session ID) that the client 10 transmits to the application server 15. In another embodiment, the ticket service 60 checks the session ID to ensure that the session ID has not been used previously with this client 10. In yet another embodiment, the ticket service 60 monitors each ticket that the ticket service 60 transmits to the web server 20 to ensure that each session ID is presented to the ticket service 60 only once.
- The application server 15 then uses the session ID to determine the session key associated with the presented session ID. To accomplish this, the application server 15 transmits the session ID to the ticket service 60 and requests (step 270) the session key from the ticket service 60 of the web server 20 in response to the session ID. The ticket service 60 accesses local memory and uses the session ID as an index to retrieve the ticket information associated with the session ID. The ticket service 60 then returns (step 280) the session key associated with the session ID to the application server 15.
- To optimize the communications between the application server 15 and the web server 20, in an alternate embodiment the web server 20 transmits (shown as phantom step 266) to the application server 15 additional information (e.g., the requested application name, the user's login information) that was previously associated with the ticket in step 253. The application server 15 retrieves (phantom step 267) the additional ticket information and authorizes the communication session from this additional information. This additional information, such as the user's password and/or the name of the requested application, was not transmitted to the application server 15 by the client 10 over the non-secure application communication channel 25, thereby protecting the information from potential attackers. In this embodiment, the application server 15 verifies (phantom step 268) the additional information. If the additional information is not valid, the application server 15 refuses (phantom step 269) access to the requested application by the user. If the additional information is valid, the application server 15 grants access to the requested application and, as described above, requests (step 270) the session key from the ticket service 60.
- In another embodiment, the ticket service 60 performs additional checks on the session ID. For example, the ticket service 60 checks the session ID for early detection of replay (i.e., checking that the session ID has not been previously transmitted to the ticket service 60) and/or Denial of Service (DoS) attacks (i.e., flooding and eventually disabling a remote server with illegitimate packets of data). In yet another embodiment, the web server 20 transmits the first and second portions of the ticket to the application server 15 before the application server 15 requests them (step 270), thus eliminating the request in step 270. In this embodiment, the application server 15 stores the session key in its local memory and retrieves the session key from its local memory after the client 10 presents (step 265) the session ID to the application server 15.
- After the application server 15 obtains (step 280) the session key, the application server 15 uses the session key to encrypt communications to the client 10 and to decrypt communications from the client 10 over the application communication channel 25. Similarly, the client 10 uses the session key that the client 10 obtained from the ticket transmitted over the secure web communication channel 30 to decrypt communications from the application server 15 and to encrypt communications to the application server 15. Because the client 10 and the application server 15 use the session key to encrypt and decrypt communications over the application communication channel 25, the client 10 and the application server 15 establish (step 290) the secure communication link 50 over the previously non-secure application communication channel 25. Moreover, because the client 10 and the application server 15 obtain the session key without transmitting the ticket over the non-secure application communication channel 25 (and thus without potentially revealing the session key to third parties), the client 10 and the application server 15 strengthen the security of the communication link 50 over the previously non-secure application communication channel 25.
- In one embodiment, the application communication channel 25 is made secure using the SSL protocol. In this embodiment, the ticket service 60 substitutes an application server certificate for the session key in the ticket. The client 10 uses the application server certificate to communicate with the application server 15. The application server certificate is downloaded to the client 10 over the web communication channel 30 in response to a request for the ticket. Therefore, because the application server certificate is downloaded to the client 10 over a secure link (i.e., the web communication channel 30), the application server certificate does not need to be signed by a well-known public CA. Although the client 10 did not have the application server's certificate or the CA key in advance, an authenticated secure connection is established over the application communication channel 25 using the application server certificate included in the ticket.
- For example, if the client 10 requests another SSL component (e.g., a separate instance or implementation of the requested software application) and the client 10 does not have the CA certificate in its local memory (e.g., database, local disk, RAM, ROM), the client 10 can use the application server certificate transmitted in the ticket to establish an authenticated secure connection over the application communication channel 25. More specifically, the client 10 uses the application server certificate transmitted in the ticket when the client 10 does not have a CA root certificate stored in its local memory that is associated with the requested SSL component (or when the client 10 has an incomplete list of CA certificates that does not include a CA certificate for the requested SSL component) and the client 10 cannot access the CA database of the web browser 40. Furthermore, because a CA-signed certificate is needed for the web server 20 but not for an application server 15 (i.e., for each application server 15 that is a member of a server farm), the cost (and overhead) of obtaining the required number of CA-signed certificates for secure communication is reduced. In another embodiment, the application server 15 stores a private key for decryption of messages that are encrypted with a corresponding public key. The ticket service 60 consequently transmits the corresponding public key of the application server 15 to the client 10 to encrypt communications.
- In this embodiment, the session ID still provides additional value, in that it ensures that the client 10 can gain access to the requested application, and can gain access only once, because the ticket service 60 (or web server 20) monitors the ticket (i.e., the session ID). Furthermore, an eavesdropper cannot usefully modify the session ID transmitted by the client 10 to the application server 15, because the modified session ID no longer matches the cryptographic checksum expected by the application server 15 (i.e., the integrity check fails). By the same check, the client 10 and the application server 15 detect when different session keys are being used (e.g., a “man-in-the-middle” attack) to encrypt and decrypt communications over the application communication channel 25.
- In a further embodiment, the session key is substantially equivalent to a null value (i.e., the ticket contains only a nonce or a nonce and a constant value for the session key). When the session key is substantially equivalent to a null value, the
client 10 does not transmit the user's login information (e.g., password) between theclient 10 and theapplication server 15 over the non-secureapplication communication channel 25. Therefore, because the ticket is only valid for a single use and only grants access to a previously authorized resource (e.g., the ICA client 41), the external password exposure can be avoided and individual session level access control can be achieved, even with a null or fixed session key value. - Additionally, because no information is pre-configured into the
web browser 40 or theclient 10 in order to remotely display the requested application (i.e., because theclient 10 does not need to be populated with a server certificate or a CA certificate), the present method is a “zero-install” solution for secure access to desktop applications over the web. Further, theweb browser 40 receives the ticket and theICA client 41 from theweb server 20 over thecommunication channel 30. In this embodiment, theweb server 20 transmits the ticket and a MIME type document, as described above, specifying that the data includes a “document” for the ICA client 41 (as a helper application). The MIME type document invokes theICA client 41 and theweb browser 40 transfers the ticket to theICA client 41, thus allowing the exploitation of the security of thecommunication channel 30 to secure theapplication communication channel 25 without having theICA client 41 pre-installed on theclient 10. Having described certain embodiments of the invention, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the invention may be used. Therefore, the invention should not be limited to certain embodiments, but rather should be limited only by the spirit and scope of the following claims. -
- FIG. 1 shows a block diagram of an embodiment of a communication system 100 including a client 10 in communication with an application server 15 over an application communication channel 25 and in communication with a communications device 20 over a communication channel 30. The communication channel 30 and the application communication channel 25 pass through a network 27. In other embodiments, the communication channel 30 and the application communication channel 25 pass through other, different networks. For example, the communication channel 30 can pass through a first network (e.g., the World Wide Web) and the application communication channel 25 can pass through a second network (e.g., a direct dial-up modem connection). The communication channel 30 is a secure communication channel in that communications are encrypted. The application server 15 is additionally in communication with the communications device 20 over a server communication channel 35. The application server 15 and the communications device 20 are part of a server network 33. By exploiting the security of the secure communications between the client 10 and the communications device 20 over the secure communication channel 30, the communication system 100 establishes a secure communication link over the non-secure application communication channel 25 to remotely display desktop applications securely on the client 10.
- The network 27 and the server network 33 can be a local-area network (LAN) or a wide area network (WAN), or a network of networks such as the Internet or the World Wide Web (i.e., web). The communication channel 30 can be any secure communication channel. In one embodiment, the communication channel 30 (hereafter web communication channel 30) supports communications over the web. In one embodiment, the server network 33 is a protected network that is inaccessible by the public. The server communication channel 35 traverses the server network 33 and therefore can be a non-secure communication channel; because the session key described below crosses this channel, the security of the scheme rests on the server network 33 actually being inaccessible to outsiders. Example embodiments of the communication channels
- The client 10 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, or other communications device that is capable of communicating over the secure web communication channel 30. In one embodiment, the client 10 operates according to a server-based computing model. In a server-based computing model, the execution of application programs occurs entirely on the application server 15, and the user interface, keystrokes, and mouse movements are exchanged between the application server 15 and the client 10 over the application communication channel 25. The user interface can be text driven (e.g., DOS) or graphically driven (e.g., Windows). Platforms that can be supported by the client 10 include DOS and Windows CE for Windows-based terminals.
- In one embodiment, the client 10 includes a web browser 40, such as Internet Explorer™ developed by Microsoft Corporation in Redmond, Wash., to connect to the web. In a further embodiment, the web browser 40 uses its existing Secure Sockets Layer (SSL) support, developed by Netscape in Mountain View, Calif., to establish the secure web communication channel 30 to communications devices such as the communications device 20. The web browser 40 also has a user interface that may be text driven or graphically driven. The output of an application executing on the application server 15 can be displayed at the client 10 via the user interface of the client 10 or the user interface of the web browser 40. Additionally, the client 10 includes an application client 41 for establishing and exchanging communications with the application server 15 over the application communication channel 25. In one embodiment, the application client 41 is the Independent Computing Architecture (ICA) client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla., and is hereafter referred to as ICA client 41. Other embodiments of the application client 41 include a Remote Desktop Protocol (RDP) client, developed by Microsoft Corporation of Redmond, Wash., an X Window System client, developed by the Massachusetts Institute of Technology of Cambridge, Mass., a data entry client in a traditional client/server application, and a Java applet.
- The application server 15 hosts one or more application programs that can be accessed by the client 10. Applications made available to the client 10 for use are referred to as published applications. Examples of such applications include word processing programs such as MICROSOFT WORD® and spreadsheet programs such as MICROSOFT EXCEL®, both manufactured by Microsoft Corporation of Redmond, Wash., financial reporting programs, customer registration programs, programs providing technical support information, customer database applications, or application set managers. In another embodiment, the application server 15 is a member of a server farm (not shown). A server farm is a logical group of one or more servers that are administered as a single entity.
- In one embodiment, the communications device 20 (hereafter web server 20) is a computer that delivers web pages to the client 10. In other embodiments, the communications device 20 can be any personal computer (e.g., 286, 386, 486, Pentium, Pentium II, Macintosh computer), Windows-based terminal, Network Computer, wireless device (e.g., cellular phone), information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, or other communications device that is capable of establishing the secure web communication channel 30 with the client 10.
- In one embodiment, the web server 20 also includes a ticket service 60. The ticket service 60 controls communication security: it generates a ticket containing an encryption key. The ticket is transmitted to the client 10 (i.e., the web browser 40) over the secure web communication channel 30. The transmission of the ticket to the client 10 over the secure web communication channel 30 facilitates the establishment of secure communications over the application communication channel 25 between the client 10 and the application server 15 in accordance with the principles of the invention. In another embodiment, the ticket service 60′ resides on another server 20′. The server 20′ (and ticket service 60′) is in communication with the web server 20 and the application server 15 over a server communication channel 35′. In yet another embodiment, the ticket service 60 is a separate component (not shown) of the server network 33. The web browser 40 then sends the ticket to the ICA client 41. A technique often used to transmit application data from applications executing on the application server 15 over a secure connection to the client 10 is to relay the application data through the web server 20 over the secure connection between the client 10 and the web server 20. This technique is inefficient in that communication between the application server 15 and the client 10 takes an additional “hop”, namely the web server 20. The present invention uses the ticketing mechanism to establish a secure communication link directly between the application server 15 and the client 10, thereby eliminating the intermediate transmission of application data from the application server 15 to the web server 20.
- A client user requesting an application or server desktop, for example, to be remotely displayed on the client 10 first establishes a communication link 32 with the web server 20 over the web communication channel 30 and passes login and password information to the web server 20. In one embodiment, the client user uses the web browser 40 to request an application from the web server 20 that is listed on a web page displayed by the web browser 40.
- In a further embodiment, the web browser 40 uses SSL to establish the secure web communication channel 30. To use the SSL protocol to establish the secure web communication channel 30, the web browser 40 or an application executing on the client 10 attempts to connect to a secure web page on the web server 20. The web server 20 then asserts its identity to the client 10 by transmitting a secure web server certificate to the client 10. A certification authority (CA) issues the secure web server certificate to the web server 20. Web browsers 40 have a list of trusted CAs (i.e., the public keys of those CAs) embedded within the software of the web browser 40. The client 10 verifies the web server certificate by checking the CA's signature on the certificate with the public key of the CA embedded in the web browser 40 (or application). Therefore, in order to establish a secure communication channel using SSL, the web browser 40 or the application executing on the client 10 must have the public key of the CA embedded in its software before attempting to connect to the secure web page. Besides using the SSL protocol to establish the secure web communication channel 30, the web browser 40 can connect to the web server 20 over the web communication channel 30 using other security protocols, such as, but not limited to, Secure Hypertext Transfer Protocol (S-HTTP) developed by Terisa Systems of Los Altos, Calif., HTTP over SSL (HTTPS), Private Communication Technology (PCT) developed by Microsoft Corporation of Redmond, Wash., Secure Electronic Transaction (SET), developed by Visa International, Incorporated and Mastercard International, Incorporated of Purchase, N.Y., Secure MIME (S/MIME) developed by RSA Security of Bedford, Mass., and the like.
- Once the communication link 32 is established, the web server 20 generates a ticket for the communication session. The ticket includes a first portion and a second portion. In one embodiment, the first portion, also referred to as a session identifier (ID) or nonce, is a cryptographically random number that is valid only within a certain time period determined by the web server 20. The second portion is an encryption key, hereafter referred to as a session key. The web server 20 stores the ticket in local memory and then transmits (arrow 34) a copy of the ticket to the web browser 40 on the client 10.
- In one embodiment, the ticket includes additional information, such as the network address of the application server 15. In another embodiment, the web server 20 independently transmits the address of the application server 15 to the client 10. For example, if the client 10 requests an application by name from the web server 20, the web server 20 converts the application name into the network address of the application server 15 that hosts it. Examples of the additional information included in the ticket are, but are not limited to, the time during which the ticket is valid, the screen size of the application when displayed on the client 10, the bandwidth limits of the web communication channel 30 and/or the application communication channel 25, and billing information. As described more fully below, the web server 20 also associates the user's login information, such as the user's password, with the ticket stored in local memory for future retrieval by the application server 15.
- The ICA client 41 obtains the ticket from the web browser 40 and subsequently transmits (arrow 42) the session ID (i.e., the first portion) of the ticket to the application server 15. The session ID can be transmitted in encrypted or cleartext form. The application server 15 decrypts the session ID, if encrypted, and transmits (arrow 44) a request to the web server 20 for the session key that corresponds to the session ID received from the client 10. The web server 20 verifies the session ID, as described below, and sends (arrow 48) the corresponding session key to the application server 15 over the server communication channel 35.
- Both the application server 15 and the client 10 (i.e., the ICA client 41) now possess a copy of the session key without the ticket or the session key ever having been transmitted over the non-secure application communication channel 25. By using the session key to encrypt and decrypt the communications over the previously non-secure application communication channel 25, the client 10 and the application server 15 establish (arrow 50) a secure communication link 50 over the application communication channel 25. Moreover, the user's login information (e.g., password) is not transmitted between the client 10 and the application server 15 over the non-secure application communication channel 25. Therefore, the present invention strengthens (arrow 50) the security of the communication link 50 over the non-secure application communication channel 25 by not exposing sensitive information, such as the user's password, to eavesdroppers intercepting communications over the non-secure application communication channel 25. Additionally, because the application server 15 and the client 10 communicate with the same session key, they share a secret that was distributed by the ticket service 60. The ticket service 60 thereby indirectly authenticates the application server 15 and the client 10 to each other, vouching for each. Therefore, the application server 15 and the client 10 perform mutual authentication, to the extent that the ticket service 60 itself is trusted. In one embodiment, the client 10 again transmits the user's password over the web communication channel 30 to the web server 20 to provide compatibility with legacy systems (e.g., an unmodified operating system login sequence on the web server 20 that requires the client 10 to transmit the user's password multiple times).
- FIG. 2 shows embodiments of a process performed by the communications system 100 to establish a secure communication link 50 over the application communication channel 25 between the client 10 and the application server 15. The web browser 40 lists (step 200) web links to software applications or server desktops on the web page that the user of the client 10 views. The client user, using the web browser 40, requests (step 205) a software application from the web server 20. In one embodiment, the web browser 40 establishes the secure web communication channel 30 using the previously described SSL protocol. In this embodiment, the client 10 (e.g., the web browser 40) authenticates the web server 20 using a public key (e.g., X.509) certificate. In a further embodiment, the client 10 is also authenticated to the web server 20 using a public key certificate.
- In another embodiment, the web server 20 authenticates the user when the user uses the web browser 40 to request an application from the web server 20. For example, the web server 20 requests the user's login information, which includes the user's login name and password, with a request displayed on the web browser 40. The user provides (step 210) the user's login information to the web browser 40. The web browser 40 subsequently transmits (step 220) the user's login name and password to the web server 20 over the secure web communication channel 30. In another embodiment, the user's login information is any code or method that the web server 20 accepts to identify the user's account on the web server 20.
- The web server 20 transmits (step 230) the user's login information to the ticket service 60. The ticket service 60 verifies (step 240) the user's login information and determines whether the user is entitled to access the requested application. Depending on the declared communication security policy for that application, the ticket service 60 either refuses or grants access to the application by the user. If the ticket service 60 denies access, the web browser 40 displays an HTML error or an error web page on the client 10. When the ticket service 60 grants access to the requested application, the ticket service 60 generates (step 245) a ticket for the session and transmits (step 250) the ticket to the web server 20.
- As described above, the ticket includes a session ID and a session key. The session ID can be used once within a certain time period, which makes the ticket a “one-time use” ticket having no further value after its first use. The web server 20 then stores (step 253) the ticket in local memory. In a further embodiment, the web server 20 associates the login information provided by the user in step 210 and other security information used to authorize the session, such as the requested application name, with the stored ticket for later retrieval by the application server 15. The web server 20 subsequently transmits (step 255) the ticket to the client 10 over the secure web communication channel 30.
- The client 10 (the web browser 40, or the ICA client 41 to which the browser hands the ticket) extracts (step 260) the session ID from the ticket and presents (step 265) the session ID to the application server 15. The application server 15 checks the session ID to ensure that the session ID has not been used previously with this client 10. In one embodiment, the application server 15 monitors (e.g., stores in local memory) each ticket (i.e., session ID) that the client 10 transmits to the application server 15. In another embodiment, the ticket service 60 checks the session ID to ensure that the session ID has not been used previously with this client 10. In yet another embodiment, the ticket service 60 monitors each ticket that it transmits to the web server 20 to ensure that each session ID is presented back to the ticket service 60 only once.
- The application server 15 then uses the session ID to determine the session key associated with the presented session ID. To accomplish this, the application server 15 transmits the session ID to the ticket service 60 and requests (step 270) the session key from the ticket service 60 of the web server 20 in exchange for the session ID. The ticket service 60 accesses local memory and uses the session ID as an index to retrieve the ticket information associated with the session ID. The ticket service 60 then returns (step 280) the session key associated with the session ID to the application server 15.
- To reduce the round trips between the application server 15 and the web server 20, in an alternate embodiment the web server 20 transmits (shown as phantom step 266) to the application server 15 additional information (e.g., the requested application name, the user's login information) that was previously associated with the ticket in step 253. The application server 15 retrieves (phantom step 267) the additional ticket information and authorizes the communication session from this additional information. This additional information, such as the user's password and/or the name of the requested application, was not transmitted to the application server 15 by the client 10 over the non-secure application communication channel 25, thereby protecting the information from potential attackers. In this embodiment, the application server 15 verifies (phantom step 268) the additional information. If the additional information is not valid, the application server 15 refuses (phantom step 269) access to the requested application by the user. If the additional information is valid, the application server 15 grants access to the requested application and, as described above, requests (step 270) the session key from the ticket service 60.
- In another embodiment, the ticket service 60 performs additional checks on the session ID. For example, the ticket service 60 checks the session ID for early detection of replay (i.e., checking that the session ID has not been previously presented to the ticket service 60) and/or Denial of Service (DoS) attacks (i.e., flooding and eventually disabling a remote server with illegitimate packets of data). In yet another embodiment, the web server 20 transmits the first and second portions of the ticket to the application server 15 before the application server 15 requests them (step 270), thus eliminating the request in step 270. In this embodiment, the application server 15 stores the session key in its local memory and retrieves the session key from its local memory after the client 10 presents (step 265) the session ID to the application server 15.
- After the application server 15 obtains (step 280) the session key, the application server 15 uses the session key to encrypt communications to the client 10 and to decrypt communications from the client 10 over the application communication channel 25. Similarly, the client 10 uses the session key that it obtained from the ticket transmitted over the secure web communication channel 30 to decrypt communications from the application server 15 and to encrypt communications to the application server 15. Because the client 10 and the application server 15 use the session key to encrypt and decrypt communications over the application communication channel 25, the client 10 and the application server 15 establish (step 290) the secure communication link 50 over the previously non-secure application communication channel 25. Moreover, because the client 10 and the application server 15 obtain the session key without transmitting the ticket over the non-secure application communication channel 25 (which could reveal the session key to third parties), the client 10 and the application server 15 strengthen the security of the communication link 50 over the previously non-secure application communication channel 25.
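The exchange of FIG. 1 (arrows 34 through 50) and steps 210 through 290 of FIG. 2, together with the keyed checksum over the session ID that is described further below, carried out end to end as an added example. This is illustrative Python written for this page, not Citrix code and not the implementation the patent describes. The web communication channel 30 is taken as already secured and is not modelled; the application communication channel 25 is a list that an eavesdropper can read in full; the server communication channel 35 is a direct call standing in for the protected server network 33. HMAC-SHA256 used as a PRF in counter mode with encrypt-then-MAC stands in for the session-key cipher the patent leaves unspecified, and the user name, password, application name and server name are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data; the credential store stands in for web server 20's accounts.
CREDENTIALS = {"alice": "hunter2-constructed"}
APP_SERVER = "appserver15.example.invalid"


class TicketService:
    """Ticket service 60: issues one-time, time-limited tickets (step 245) and
    hands the session key to the application server (steps 270-280)."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._tickets = {}                  # session ID -> record (the step 253 store)
        self._ttl, self._clock = ttl_seconds, clock

    def issue(self, user, app):
        session_id = secrets.token_hex(16)      # first portion: random nonce
        session_key = secrets.token_bytes(32)   # second portion: session key
        self._tickets[session_id] = {"key": session_key, "user": user, "app": app,
                                     "expires": self._clock() + self._ttl, "used": False}
        return {"session_id": session_id, "session_key": session_key,
                "app": app, "app_server": APP_SERVER}

    def redeem(self, session_id):
        """Arrows 44/48 over channel 35, with the replay and expiry checks."""
        rec = self._tickets.get(session_id)
        if rec is None:
            raise PermissionError("unknown session ID")
        if rec["used"]:
            raise PermissionError("session ID already used (replay)")
        if self._clock() > rec["expires"]:
            raise PermissionError("ticket expired")
        rec["used"] = True
        return rec["key"], rec["user"], rec["app"]


def web_server_login(ticket_service, user, password, app):
    """Steps 220-255 on the secure web channel 30: the password stops here."""
    if CREDENTIALS.get(user) != password:
        raise PermissionError("bad login")
    return ticket_service.issue(user, app)


def _derive(session_key):
    """Separate encryption and MAC keys from the shared session key."""
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode (stand-in for a real cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(session_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(session_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(session_key, blob):
    enc_key, mac_key = _derive(session_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: tampered or different session key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_hello(ticket):
    """Arrow 42 / step 265: only the session ID crosses channel 25, carrying a
    checksum keyed with the client's copy of the session key."""
    sid = ticket["session_id"].encode()
    return sid + b"|" + hmac.new(ticket["session_key"], sid, hashlib.sha256).digest()


def app_server_accept(ticket_service, hello):
    """Application server 15: redeem the key, then confirm the client's checksum
    was made with that same key (a different key means a different party)."""
    sid, checksum = hello.split(b"|", 1)
    key, user, app = ticket_service.redeem(sid.decode())
    if not hmac.compare_digest(checksum, hmac.new(key, sid, hashlib.sha256).digest()):
        raise PermissionError("checksum mismatch: peer holds a different session key")
    return key, user, app


def hello_is_rejected(ticket_service, hello):
    try:
        app_server_accept(ticket_service, hello)
    except PermissionError:
        return True
    return False


def run_session(ticket_service=None):
    """The whole exchange; returns what each party and an eavesdropper on channel 25 saw."""
    ts = ticket_service or TicketService()
    ticket = web_server_login(ts, "alice", "hunter2-constructed", "MICROSOFT WORD")
    channel_25 = []                                       # everything an eavesdropper can read
    hello = client_hello(ticket)
    channel_25.append(hello)
    server_key, user, app = app_server_accept(ts, hello)
    request = seal(ticket["session_key"], b"launch " + app.encode())   # step 290 onwards
    channel_25.append(request)
    reply = seal(server_key, b"screen update for " + user.encode())
    channel_25.append(reply)
    return {"service": ts, "hello": hello, "session_key": ticket["session_key"],
            "server_saw": open_sealed(server_key, request),
            "client_saw": open_sealed(ticket["session_key"], reply),
            "eavesdropper_saw": b"".join(channel_25)}
```

`run_session()` shows the property the patent claims: neither the password nor the session key appears in what crossed channel 25, yet both ends decrypt each other's traffic. Presenting the same hello a second time, or a hello built with a different key, is refused by `app_server_accept`; note that a forged hello still burns the session ID, because the application server has to redeem the key before it can check the checksum, so the one-time property doubles as a denial-of-service lever unless the ticket service also rate-limits redemptions, as the DoS checks above suggest.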
- In one embodiment, the application communication channel 25 is made secure using the SSL protocol. In this embodiment, the ticket service 60 substitutes an application server certificate for the session key in the ticket. The client 10 uses the application server certificate to communicate with the application server 15. The application server certificate is downloaded to the client 10 over the web communication channel 30 in response to a request for the ticket. Therefore, because the application server certificate is downloaded to the client 10 over a secure link (i.e., the web communication channel 30), the application server certificate does not need to be signed by a well-known public CA: the client 10 trusts exactly the certificate it received in the ticket (in effect pinning it) rather than any certificate that chains to a public root. Although the client 10 did not have the application server's certificate or the CA key in advance, an authenticated secure connection is established over the application communication channel 25 using the application server certificate included in the ticket. The authentication of the application server 15 is then only as strong as the integrity of the web communication channel 30 and of the ticket service 60 that placed the certificate in the ticket.
- For example, if the client 10 requests another SSL component (e.g., a separate instance or implementation of the requested software application) and the client 10 does not have the CA certificate in its local memory (e.g., database, local disk, RAM, ROM), the client 10 can use the application server certificate transmitted in the ticket to establish an authenticated secure connection over the application communication channel 25. More specifically, the client 10 uses the application server certificate transmitted in the ticket when the client 10 does not have a CA root certificate stored in its local memory that is associated with the requested SSL component (or when the client 10 has an incomplete list of CA certificates that does not include a CA certificate for the requested SSL component) and the client 10 cannot access the CA database of the web browser 40. Furthermore, because a CA-signed certificate is needed for the web server 20 but not for each application server 15 (i.e., each application server 15 that is a member of a server farm), the cost (and overhead) of obtaining CA-signed certificates for secure communication is reduced. In another embodiment, the application server 15 stores a private key for decryption of messages that are encrypted with the corresponding public key. The ticket service 60 consequently transmits the corresponding public key of the application server 15 to the client 10, which uses it to encrypt communications.
- In this embodiment, the session ID still provides additional value, in that it ensures that the client 10 can gain access to the requested application, and can gain access only once, because the ticket service 60 (or the web server 20) monitors the ticket (i.e., the session ID). Furthermore, the client 10 transmits the session ID together with a cryptographic checksum keyed with its session key. If the application server 15 and the client 10 hold different session keys, the checksum that the application server 15 computes over the received session ID does not match the checksum sent by the client 10 (i.e., the integrity check fails), so an eavesdropper can neither modify the session ID in transit nor substitute a session under a key of its own. Therefore, the client 10 and the application server 15 detect when different session keys are being used (e.g., a “man-in-the-middle” attack) to encrypt and decrypt communications over the application communication channel 25.
- In a further embodiment, the session key is substantially equivalent to a null value (i.e., the ticket contains only a nonce, or a nonce and a constant value for the session key). When the session key is substantially equivalent to a null value, the client 10 still does not transmit the user's login information (e.g., password) to the application server 15 over the non-secure application communication channel 25. Therefore, because the ticket is only valid for a single use and only grants access to a resource that the ticket service 60 already authorized in step 240 (i.e., the requested application), external password exposure can be avoided and individual session-level access control can be achieved even with a null or fixed session key value; what a null key gives up is the confidentiality of the application traffic itself, which the session key no longer protects on the application communication channel 25.
- Additionally, because no information is pre-configured into the web browser 40 or the client 10 in order to remotely display the requested application (i.e., because the client 10 does not need to be populated with a server certificate or a CA certificate), the present method is a “zero-install” solution for secure access to desktop applications over the web. Further, the web browser 40 receives the ticket and the ICA client 41 from the web server 20 over the communication channel 30. In this embodiment, the web server 20 transmits the ticket and a MIME type document, as described above, specifying that the data includes a “document” for the ICA client 41 (as a helper application). The MIME type document invokes the ICA client 41, and the web browser 40 transfers the ticket to the ICA client 41, thus allowing the exploitation of the security of the communication channel 30 to secure the application communication channel 25 without having the ICA client 41 pre-installed on the client 10.
- Having described certain embodiments of the invention, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the invention may be used. Therefore, the invention should not be limited to certain embodiments, but rather should be limited only by the spirit and scope of the following claims.
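The SSL embodiment above, in which the ticket carries an application server certificate in place of a session key, as an added example; this is illustrative Python written for this page, not Citrix code and not the patent's implementation. A self-signed certificate for application server 15 is generated with the openssl command-line tool (assumed to be installed), a local TLS listener standing in for the application communication channel 25 presents it, and two clients connect: the one that received the certificate in its ticket trusts exactly that certificate, needs no CA root, and additionally pins the SHA-256 fingerprint of the certificate the server presents to the one from the ticket; the one relying on the public CA list cannot validate a self-signed certificate and aborts the handshake. The server name, file names and reply text are constructed.

```python
import hashlib
import hmac
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "application-server-15"       # constructed; the ticket also names the server


def openssl_available():
    return shutil.which("openssl") is not None


def make_self_signed_cert(directory):
    """Application server 15's own certificate: self-signed, no public CA involved.
    Uses the openssl command-line tool, assumed to be installed."""
    key = os.path.join(directory, "app15.key")
    crt = os.path.join(directory, "app15.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + SERVER_NAME, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return key, crt


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def context_from_ticket(cert_pem):
    """Fresh client context whose only trust anchor is the certificate in the ticket;
    the public CA list is never loaded, so a self-signed certificate is enough."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # identity is the pinned certificate, not a DNS name
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=cert_pem)
    return ctx


def start_app_server(key, crt, connections=2):
    """TLS listener standing in for channel 25; serves a fixed number of clients."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(connections)

    def serve():
        for _ in range(connections):
            conn, _ = lsock.accept()
            try:
                with srv.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"ICA session open")
            except (ssl.SSLError, OSError):
                pass                  # a client that cannot verify us aborts the handshake
        lsock.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return lsock.getsockname()[1], thread


def connect(port, ctx, ticket_der=None):
    """Client side: TLS handshake, then pin the presented certificate to the ticket's."""
    with socket.create_connection(("127.0.0.1", port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
        if ticket_der is not None:
            presented = tls.getpeercert(binary_form=True)
            if not hmac.compare_digest(fingerprint(presented), fingerprint(ticket_der)):
                raise ssl.SSLCertVerificationError("certificate is not the one from the ticket")
        return tls.recv(64)


def demo():
    """Same server, two clients: one holding the ticket's certificate, one relying on the
    public CA list (which cannot validate a self-signed application server certificate)."""
    if not openssl_available():
        return {"skipped": True}
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed_cert(d)
        with open(crt) as f:
            ticket_cert_pem = f.read()                    # what the ticket carries
        port, thread = start_app_server(key, crt)
        with_ticket = connect(port, context_from_ticket(ticket_cert_pem),
                              ssl.PEM_cert_to_DER_cert(ticket_cert_pem))
        try:
            connect(port, ssl.create_default_context())
            without_ticket = "accepted"
        except ssl.SSLCertVerificationError as exc:
            without_ticket = type(exc).__name__
        thread.join(timeout=10)
    return {"skipped": False, "with_ticket": with_ticket, "without_ticket": without_ticket}
```

In a deployment the client would take `ticket_cert_pem` and the server address from the ticket delivered over channel 30; `check_hostname` is off because the server's identity is established by the single trust anchor and the fingerprint pin, not by a DNS name. `demo()` returns `{"skipped": True}` when openssl is not on the PATH.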
Claims (90)
1. A method for establishing a secure communication channel between a client and an application server, the method comprising the steps of:
(a) obtaining, by a web server, a MIME type document and a ticket associated with a client, the MIME type document comprising a client application program, the ticket having an identifier and a session key;
(b) receiving, by a web browser, the MIME type document and the ticket from the web server;
(c) invoking, by the web browser, the received client application program;
(d) establishing an application communication channel between the client and the application server;
(e) transmitting, by the client application program, the identifier from the ticket to the application server over the application communication channel;
(f) obtaining, by the application server, a copy of the session key from the web server using the identifier; and
(g) encrypting communications between the client application program and the application server over the application communication channel using the session key.
2. The method of claim 1 wherein step (a) further consists of establishing a secure web communication channel between the web browser and the web server.
3. The method of claim 1 wherein step (c) further consists of transferring, by the web browser, the ticket to the client application program.
4. The method of claim 1 wherein step (g) further comprises decrypting communications between the client application program and the application server using the session key.
5. The method of claim 1 wherein step (a) further comprises receiving, at the web server, a request from the client to have an application program executed on the application server and to have output from the application program executing on the application server transmitted to the client application program.
6. The method of claim 5 wherein step (g) further comprises executing, by the application server, the application program identified in the request, and transmitting, by the application server, the output of the application program over the application communication channel via a remote display protocol.
7. The method of claim 1 wherein step (a) further comprises obtaining a MIME type document having a remote display client for the client application program.
8. The method of claim 1 wherein step (c) further comprises installing the client application program for a first time on the client.
9. The method of claim 1 wherein step (a) further comprises obtaining a ticket having an application server certificate for the identifier.
10. The method of claim 1 wherein step (a) further comprises obtaining a ticket having a session key substantially equivalent to a null value.
11. The method of claim 1 wherein step (a) further comprises obtaining a ticket granting access for a single use.
12. The method of claim 1 wherein step (a) further comprises obtaining a ticket granting access to a previously authorized resource.
13. The method of claim 1 wherein step (e) further comprises transmitting a password to the application server.
14. The method of claim 1 wherein step (a) further comprises obtaining the MIME type document from the application server.
15. The method of claim 6 wherein step (g) further comprises using the Independent Computing Architecture protocol for the remote display protocol.
16. The method of claim 6 wherein step (g) further comprises using the Remote Display Protocol for the remote display protocol.
17. A client system for establishing a secure communication channel with an application server, the client system comprising:
a web browser associated with a client;
a web server in communication with the web browser over a web communication channel, the web server obtaining a MIME type document and a ticket associated with the client, the MIME type document comprising a client application program, the ticket having an identifier and a session key;
the web browser receiving, from the web server, the ticket and the MIME type document,
the web browser invoking the received client application program;
an application server, in communication with the client over an application communication channel, receiving the identifier from the client application program, and the application server, in communication with the web server, obtaining a copy of the session key by using the identifier; and
the application server and the client application program encrypting communications over the application communication channel using the session key.
18. The system of claim 17 wherein the web communication channel is secure.
19. The system of claim 17 wherein the web browser transfers the ticket to the client application program.
20. The system of claim 17 wherein the application server and the client application program decrypt communications over the application communication channel using the session key.
21. The system of claim 17 wherein the web server receives a request from the client to have an application program executed on the application server and to have output from the application program executing on the application server transmitted to the client application program.
22. The system of claim 21 wherein the application server executes the application program identified in the request, and transmits the output of the application program to the client application program over the application communication channel via a remote display protocol.
23. The system of claim 17 wherein the client application program is a remote display client.
24. The system of claim 17 wherein the client application program is installed for a first time on the client.
25. The system of claim 17 wherein the identifier is an application server certificate.
26. The system of claim 17 wherein the session key is substantially equivalent to a null value.
27. The system of claim 17 wherein the ticket grants access for a single use.
28. The system of claim 17 wherein the ticket grants access to a previously authorized resource.
29. The system of claim 17 wherein the client transmits a password to the application server.
30. The system of claim 17 wherein the web server obtains the MIME type document from the application server.
31. The system of claim 22 wherein the remote display protocol is the Independent Computing Architecture protocol.
32. The system of claim 22 wherein the remote display protocol is the Remote Display Protocol.
33. A method for establishing a secure communication channel with an application server, the method comprising the steps of:
(a) receiving a MIME type document and a ticket from the web server, the ticket having an identifier and a session key, and the MIME type document comprising a client application program;
(b) invoking the received client application program;
(c) establishing an application communication channel with an application server;
(d) transmitting the identifier from the ticket to the application server over the application communication channel to provide the application server with information for obtaining a copy of the session key; and
(e) encrypting communications to the application server over the application communication channel using the session key.
34. The method of claim 33 wherein step (e) further comprises decrypting communications from the application server using the session key.
35. The method of claim 33 wherein step (a) further comprises establishing a secure web communication channel between a web browser and the web server.
36. The method of claim 35 wherein step (g) further comprises transferring the ticket from the web browser to the client application program.
37. The method of claim 33 wherein step (a) further comprises sending, to the web server, a request to have an application program executed on the application server and to receive output from the application program executing on the application server.
38. The method of claim 37 wherein step (e) further comprises executing, by the application server, the application program identified in the request, and transmitting, by the application server, the output of the application program over the application communication channel via a remote display protocol.
39. The method of claim 33 wherein step (e) further comprises obtaining a MIME type document having a remote display client for the client application program.
40. The method of claim 33 wherein step (a) further comprises installing the client application program for a first time.
41. The method of claim 33 wherein step (a) further comprises obtaining a ticket having an application server certificate for the identifier.
42. The method of claim 33 wherein step (a) further comprises obtaining a ticket having a session key substantially equivalent to a null value.
43. The method of claim 33 wherein step (a) further comprises obtaining a ticket granting access for a single use.
44. The method of claim 33 wherein step (a) further comprises obtaining a ticket granting access to a previously authorized resource.
45. The method of claim 33 wherein step (d) further comprises transmitting a password to the application server.
46. The method of claim 38 wherein step (e) further comprises using the Independent Computing Architecture protocol for the remote display protocol.
47. The method of claim 38 wherein step (e) further comprises using the Remote Display Protocol for the remote display protocol.
48. A client system for establishing a secure communication channel with a client, the client system comprising:
a web browser in communication with a web server over a web communication channel, the web browser receiving, from the web server, a MIME type document and a ticket, the MIME type document comprising a client application program, the ticket having an identifier and a session key;
a client application program invoked by the web browser; and
the client application program establishing an application communication channel with the application server, the client application program transmitting the identifier over the application communication channel, and the client application program encrypting communications to the application server over the application communication channel using the session key.
49. The system of claim 48 wherein the client application program decrypts communications from the application server over the application communication channel using the session key.
50. The system of claim 48 wherein the web browser transfers the ticket to the client application program.
51. The system of claim 48 wherein the web browser transmits a request to have an application program executed on the application server and to have output of the application program executing on the application server transmitted to the client application program.
52. The system of claim 51 wherein the application server executes the application program identified in the request, and transmits the output of the application program to the client application program over the application communication channel via a remote display protocol.
53. The system of claim 48 wherein the client application program is a remote display client.
54. The system of claim 48 wherein the client application program is installed for a first time on the client.
55. The system of claim 48 wherein the identifier is an application server certificate.
56. The system of claim 48 wherein the session key is substantially equivalent to a null value.
57. The system of claim 48 wherein the ticket grants access for a single use.
58. The system of claim 48 wherein the ticket grants access to a previously authorized resource.
59. The system of claim 52 wherein the remote display protocol is the Independent Computing Architecture protocol.
60. The system of claim 52 wherein the remote display protocol is the Remote Display Protocol.
61. A method for establishing a secure communication channel with a client, the method comprising the steps of:
(a) obtaining, by a web server, a MIME type document and a ticket associated with a client, the MIME type document comprising a client application program, the ticket having an identifier and a session key;
(b) transmitting, by the web server, the MIME type document and the ticket to a web browser over a web communication channel;
(c) invoking, by the web browser, the received client application program;
(d) establishing an application communication channel with the client;
(e) receiving, from the client application program, the identifier from the ticket over the application communication channel;
(f) obtaining a copy of the session key from the web server using the identifier; and
(g) encrypting communications to the client application program over the application communication channel using the session key.
62. The method of claim 61 wherein step (g) further comprises decrypting communications from the client application program using the session key.
63. The method of claim 61 wherein step (b) further comprises establishing a secure web communication channel between a web browser and the web server.
64. The method of claim 63 wherein step (b) further comprises transferring, by the web browser, the ticket to the client application program.
65. The method of claim 61 wherein step (a) further comprises receiving, at the web server, a request from the client to have an application program executed on the client's behalf and to have output from the application program, as it is executing, transmitted to the client application program.
66. The method of claim 65 wherein step (g) further comprises executing the application program identified in the request, and transmitting the output of the application program over the application communication channel via a remote display protocol.
67. The method of claim 61 wherein step (g) further comprises using a remote display client for the client application program.
68. The method of claim 61 wherein step (e) further comprises installing the client application program for a first time on the client.
69. The method of claim 61 wherein step (a) further comprises obtaining a ticket having an application server certificate for an identifier.
70. The method of claim 61 wherein step (b) further comprises obtaining a ticket having a session key substantially equivalent to a null value.
71. The method of claim 61 wherein step (a) further comprises obtaining a ticket granting access for a single use.
72. The method of claim 61 wherein step (a) further comprises obtaining a ticket granting access to a previously authorized resource.
73. The method of claim 61 wherein step (e) further comprises receiving a password from the client.
74. The method of claim 61 wherein step (a) further comprises obtaining the MIME type document from an application server.
75. The method of claim 66 wherein step (g) further comprises using the Independent Computing Architecture protocol for the remote display protocol.
76. The method of claim 66 wherein step (g) further comprises using the Remote Display Protocol for the remote display protocol.
77. A server system for establishing a secure communication channel with a client, the server system comprising:
a ticket service generating a ticket associated with a client, the ticket having an identifier and a session key;
a web server in communication with the ticket service, the web server transmitting a MIME type document and the ticket to the client over a web communication channel, the MIME type document comprising a client application program; and
an application server receiving the identifier from the ticket from the client, obtaining a copy of the session key from the web server, establishing an application communication channel with the client, and encrypting communications to the client over the application communication channel using the session key.
78. The system of claim 77 wherein the application server decrypts communications from the client over the application communication channel using the session key.
79. The system of claim 77 wherein the web server receives a request from the client to have an application program executed on the client's behalf and to have output from the application program, as it is executing, transmitted to the client.
80. The system of claim 77 wherein the application server executes the application program identified in the request, and transmits the output of the application program to the client application program over the application communication channel via a remote display protocol.
81. The system of claim 77 wherein the client application program is a remote display client.
82. The system of claim 77 wherein the client application program is installed for a first time on the client.
83. The system of claim 77 wherein the identifier is an application server certificate.
84. The system of claim 77 wherein the session key is substantially equivalent to a null value.
85. The system of claim 77 wherein the ticket grants access for a single use.
86. The system of claim 77 wherein the ticket grants access to a previously authorized resource.
87. The system of claim 77 wherein the application server receives a password from the client.
88. The system of claim 77 wherein the web server obtains the MIME type document from the application server.
89. The system of claim 80 wherein the remote display protocol is the Independent Computing Architecture protocol.
90. The system of claim 80 wherein the remote display protocol is the Remote Display Protocol.
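The hand-off the claims describe (claims 1, 33, 61 and 77 state the same protocol from the method, client, application-server and system side) can be traced end to end in code. The following is an added example, not code from the patent or from any product of the assignee: the web server doubles as the ticket service, the session key travels only over the web channel, the application server learns the key by presenting the identifier, and the two sides then encrypt the application channel. The party names, message shapes, the single-use enforcement through a lookup table and the HMAC-based cipher are assumptions made for this example; the claims fix none of them.

```python
# Added example, not part of the patent: a toy model of the ticket hand-off in
# claims 1, 33, 61 and 77. Party names, message shapes and the cipher
# construction are assumptions made here for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Ticket:
    identifier: str               # opaque handle; sent over the non-secure channel
    session_key: Optional[bytes]  # travels only over the secure web channel


class WebServer:
    """Web server plus ticket service (claim 77)."""

    def __init__(self) -> None:
        self._pending: Dict[str, Optional[bytes]] = {}

    def issue_ticket(self, null_key: bool = False) -> Ticket:
        # Claim 10 variant: a null session key means authentication only.
        key = None if null_key else secrets.token_bytes(32)
        ident = secrets.token_urlsafe(16)
        self._pending[ident] = key
        return Ticket(ident, key)

    def redeem(self, identifier: str) -> Optional[bytes]:
        # Called by the application server (step (f)); pop() enforces the
        # single-use property of claim 11, so a replayed identifier is refused.
        if identifier not in self._pending:
            raise PermissionError("unknown or already-used ticket")
        return self._pending.pop(identifier)


def _subkeys(session_key: bytes):
    # Separate encryption and MAC keys derived from the ticket's session key.
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC over an HMAC-SHA256 keystream (stdlib only; a real
    deployment would use an AEAD such as AES-GCM)."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that does not match."""
    enc_key, mac_key = _subkeys(session_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("application channel message failed authentication")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def run_protocol() -> dict:
    """Walk claim 1 steps (a)-(g) once and probe the failure modes."""
    web = WebServer()
    # Steps (a)-(c): the ticket reaches the browser over the secure web
    # channel and is handed to the invoked client application program.
    ticket = web.issue_ticket()
    # Steps (d)-(f): only the identifier crosses the application channel;
    # the application server fetches the key from the web server by identifier.
    key_at_server = web.redeem(ticket.identifier)
    # Step (g): both ends encrypt with the same session key (constructed payload).
    wire = seal(ticket.session_key, b"launch: spreadsheet")
    received = unseal(key_at_server, wire)
    # Replaying the identifier must fail: the ticket was single use.
    try:
        web.redeem(ticket.identifier)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    # A flipped ciphertext bit must be caught by the tag, never decrypted.
    tampered = wire[:16] + bytes([wire[16] ^ 0x01]) + wire[17:]
    try:
        unseal(key_at_server, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # Claim 10 variant: the identifier still authenticates the session, but a
    # null session key leaves the application channel unencrypted.
    null_key = web.redeem(web.issue_ticket(null_key=True).identifier)
    return {"roundtrip": received, "replay_rejected": replay_rejected,
            "tamper_detected": tamper_detected,
            "null_key_channel_unencrypted": null_key is None}
```

Two points matter when reviewing a deployment of this pattern: the identifier is a bearer credential on the non-secure channel, so redemption is single use and the session key itself never crosses that channel; and a null-key ticket (claim 10) still authenticates the session but leaves the application channel readable, which the returned `null_key_channel_unencrypted` flag makes explicit.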
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/709,806 US20050050317A1 (en) | 2000-11-03 | 2004-05-28 | A system and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/706,117 US6986040B1 (en) | 2000-11-03 | 2000-11-03 | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
US10/709,806 US20050050317A1 (en) | 2000-11-03 | 2004-05-28 | A system and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/706,117 Continuation US6986040B1 (en) | 2000-11-03 | 2000-11-03 | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050050317A1 true US20050050317A1 (en) | 2005-03-03 |
Family ID=24836276
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/706,117 Expired - Lifetime US6986040B1 (en) | 2000-11-03 | 2000-11-03 | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
US10/709,806 Abandoned US20050050317A1 (en) | 2000-11-03 | 2004-05-28 | A system and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/706,117 Expired - Lifetime US6986040B1 (en) | 2000-11-03 | 2000-11-03 | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
Country Status (11)
Country | Link |
---|---|
US (2) | US6986040B1 (en) |
EP (1) | EP1332599B1 (en) |
JP (1) | JP2004531914A (en) |
KR (1) | KR100783208B1 (en) |
CN (1) | CN100583871C (en) |
AU (2) | AU3514902A (en) |
CA (1) | CA2427699C (en) |
HK (1) | HK1054281A1 (en) |
IL (2) | IL155698A0 (en) |
RU (1) | RU2279186C2 (en) |
WO (1) | WO2002044858A2 (en) |
Cited By (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040199761A1 (en) * | 2003-04-01 | 2004-10-07 | Philips Andrew B. | Method and apparatus for digitally signing electronic mail that originates from a browser |
US20050120214A1 (en) * | 2003-12-02 | 2005-06-02 | Microsoft Corporation | Systems and methods for enhancing security of communication over a public network |
US20060029062A1 (en) * | 2004-07-23 | 2006-02-09 | Citrix Systems, Inc. | Methods and systems for securing access to private networks using encryption and authentication technology built in to peripheral devices |
US20060037072A1 (en) * | 2004-07-23 | 2006-02-16 | Citrix Systems, Inc. | Systems and methods for network disruption shielding techniques |
US20060195547A1 (en) * | 2004-12-30 | 2006-08-31 | Prabakar Sundarrajan | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US20060288120A1 (en) * | 2005-05-11 | 2006-12-21 | Kazuyoshi Hoshino | Service network system and server device |
US7314169B1 (en) * | 2004-09-29 | 2008-01-01 | Rockwell Automation Technologies, Inc. | Device that issues authority for automation systems by issuing an encrypted time pass |
US20090158418A1 (en) * | 2003-11-24 | 2009-06-18 | Rao Goutham P | Systems and methods for providing a vpn solution |
US20090235347A1 (en) * | 2008-03-12 | 2009-09-17 | Yahoo! Inc. | Method and system for securely streaming content |
US20120179749A1 (en) * | 2009-09-24 | 2012-07-12 | Sony Corporation | Communication method, communication system, server and program |
CN102647462A (en) * | 2012-03-29 | 2012-08-22 | 奇智软件(北京)有限公司 | Application acquisition and sending method and device |
US8255456B2 (en) | 2005-12-30 | 2012-08-28 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US8261057B2 (en) | 2004-06-30 | 2012-09-04 | Citrix Systems, Inc. | System and method for establishing a virtual private network |
US8301839B2 (en) | 2005-12-30 | 2012-10-30 | Citrix Systems, Inc. | System and method for performing granular invalidation of cached dynamically generated objects in a data communication network |
US20130080636A1 (en) * | 2011-09-28 | 2013-03-28 | Robert U. Friedman | Conveyance of configuration information in a network |
US8495305B2 (en) | 2004-06-30 | 2013-07-23 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US8499057B2 (en) | 2005-12-30 | 2013-07-30 | Citrix Systems, Inc | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
US8677466B1 (en) * | 2009-03-10 | 2014-03-18 | Trend Micro Incorporated | Verification of digital certificates used for encrypted computer communications |
US8706877B2 (en) | 2004-12-30 | 2014-04-22 | Citrix Systems, Inc. | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US8739274B2 (en) | 2004-06-30 | 2014-05-27 | Citrix Systems, Inc. | Method and device for performing integrated caching in a data communication network |
US20140215572A1 (en) * | 2013-01-30 | 2014-07-31 | Hewlett-Packard Development Company, L.P. | Authenticating Applications to a Network Service |
US20140229732A1 (en) * | 2013-02-12 | 2014-08-14 | Amazon Technologies, Inc. | Data security service |
US20140229739A1 (en) | 2013-02-12 | 2014-08-14 | Amazon Technologies, Inc. | Delayed data access |
US8856777B2 (en) | 2004-12-30 | 2014-10-07 | Citrix Systems, Inc. | Systems and methods for automatic installation and execution of a client-side acceleration program |
US8954595B2 (en) | 2004-12-30 | 2015-02-10 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US9049025B1 (en) * | 2011-06-20 | 2015-06-02 | Cellco Partnership | Method of decrypting encrypted information for unsecure phone |
US9306934B2 (en) | 2012-04-17 | 2016-04-05 | Intel Corporation | Trusted service interaction |
US20160330220A1 (en) * | 2015-05-07 | 2016-11-10 | Cyber-Ark Software Ltd. | Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks |
US9547771B2 (en) | 2013-02-12 | 2017-01-17 | Amazon Technologies, Inc. | Policy enforcement with associated data |
US9590959B2 (en) | 2013-02-12 | 2017-03-07 | Amazon Technologies, Inc. | Data security service |
US9608813B1 (en) | 2013-06-13 | 2017-03-28 | Amazon Technologies, Inc. | Key rotation techniques |
US9705674B2 (en) | 2013-02-12 | 2017-07-11 | Amazon Technologies, Inc. | Federated key management |
US20170201510A1 (en) * | 2014-07-28 | 2017-07-13 | Encryptier Co., Ltd. | User information management system; user information management method; program, and recording medium on which it is recorded, for management server; program, and recording medium on which it is recorded, for user terminal; and program, and recording medium on which it is recorded, for service server |
US9866392B1 (en) | 2014-09-15 | 2018-01-09 | Amazon Technologies, Inc. | Distributed system web of trust provisioning |
US9942036B2 (en) | 2014-06-27 | 2018-04-10 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
US20180121633A1 (en) * | 2000-11-10 | 2018-05-03 | Oath Inc. | Digital content distribution and subscription sysem |
US20180176203A1 (en) * | 2016-12-21 | 2018-06-21 | Apple Inc. | Techniques for providing authentication information to external and embedded web browsers |
US10055594B2 (en) | 2012-06-07 | 2018-08-21 | Amazon Technologies, Inc. | Virtual service provider zones |
US10075295B2 (en) | 2013-02-12 | 2018-09-11 | Amazon Technologies, Inc. | Probabilistic key rotation |
US10075471B2 (en) | 2012-06-07 | 2018-09-11 | Amazon Technologies, Inc. | Data loss prevention techniques |
US10084818B1 (en) | 2012-06-07 | 2018-09-25 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US10211977B1 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Secure management of information using a security module |
US10262146B2 (en) * | 2016-12-15 | 2019-04-16 | Vmware, Inc. | Application-to-application messaging over an insecure application programming interface |
US20190260719A1 (en) * | 2016-06-24 | 2019-08-22 | Sony Corporation | Data communications |
US10469477B2 (en) | 2015-03-31 | 2019-11-05 | Amazon Technologies, Inc. | Key export techniques |
US10467422B1 (en) | 2013-02-12 | 2019-11-05 | Amazon Technologies, Inc. | Automatic key rotation |
US10721075B2 (en) | 2014-05-21 | 2020-07-21 | Amazon Technologies, Inc. | Web of trust management in a distributed system |
US11036869B2 (en) | 2013-02-12 | 2021-06-15 | Amazon Technologies, Inc. | Data security with a security module |
US11288381B2 (en) | 2019-07-19 | 2022-03-29 | Eaglys Inc. | Calculation device, calculation method, calculation program and calculation system |
Families Citing this family (136)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6928469B1 (en) * | 1998-12-29 | 2005-08-09 | Citrix Systems, Inc. | Apparatus and method for determining a program neighborhood for a client node in a client-server network using markup language techniques |
US7343413B2 (en) | 2000-03-21 | 2008-03-11 | F5 Networks, Inc. | Method and system for optimizing a network by independently scaling control segments and data flow |
US7117239B1 (en) | 2000-07-28 | 2006-10-03 | Axeda Corporation | Reporting the state of an apparatus to a remote computer |
US7412605B2 (en) * | 2000-08-28 | 2008-08-12 | Contentguard Holdings, Inc. | Method and apparatus for variable encryption of data |
US8108543B2 (en) | 2000-09-22 | 2012-01-31 | Axeda Corporation | Retrieving data from a server |
US7185014B1 (en) | 2000-09-22 | 2007-02-27 | Axeda Corporation | Retrieving data from a server |
US20030021417A1 (en) * | 2000-10-20 | 2003-01-30 | Ognjen Vasic | Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data |
US6986040B1 (en) * | 2000-11-03 | 2006-01-10 | Citrix Systems, Inc. | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
US7237257B1 (en) * | 2001-04-11 | 2007-06-26 | Aol Llc | Leveraging a persistent connection to access a secured service |
US7493651B2 (en) * | 2001-05-17 | 2009-02-17 | Nokia Corporation | Remotely granting access to a smart environment |
CA2404550C (en) * | 2001-09-21 | 2010-02-09 | Corel Corporation | System and method for web services packaging |
US7254601B2 (en) | 2001-12-20 | 2007-08-07 | Questra Corporation | Method and apparatus for managing intelligent assets in a distributed environment |
US7707416B2 (en) | 2002-02-01 | 2010-04-27 | Novell, Inc. | Authentication cache and authentication on demand in a distributed network environment |
US8135843B2 (en) * | 2002-03-22 | 2012-03-13 | Citrix Systems, Inc. | Methods and systems for providing access to an application |
US7178149B2 (en) * | 2002-04-17 | 2007-02-13 | Axeda Corporation | XML scripting of soap commands |
AU2003261124A1 (en) * | 2002-07-02 | 2004-01-23 | America Online Incorporated | Seamless cross-site user authentication status detection and automatic login |
US9621538B2 (en) * | 2002-07-10 | 2017-04-11 | Hewlett-Packard Development Company, L.P. | Secure resource access in a distributed environment |
GB0215911D0 (en) * | 2002-07-10 | 2002-08-21 | Hewlett Packard Co | Method and apparatus for encrypting data |
CA2394451C (en) * | 2002-07-23 | 2007-11-27 | E-Witness Inc. | System, method and computer product for delivery and receipt of s/mime-encrypted data |
US7360096B2 (en) * | 2002-11-20 | 2008-04-15 | Microsoft Corporation | Securely processing client credentials used for Web-based access to resources |
US7865931B1 (en) * | 2002-11-25 | 2011-01-04 | Accenture Global Services Limited | Universal authorization and access control security measure for applications |
US7461260B2 (en) * | 2002-12-31 | 2008-12-02 | Intel Corporation | Methods and apparatus for finding a shared secret without compromising non-shared secrets |
US7966418B2 (en) | 2003-02-21 | 2011-06-21 | Axeda Corporation | Establishing a virtual tunnel between two computer programs |
US20050021976A1 (en) * | 2003-06-23 | 2005-01-27 | Nokia Corporation | Systems and methods for controlling access to an event |
US7660845B2 (en) | 2003-08-01 | 2010-02-09 | Sentillion, Inc. | Methods and apparatus for verifying context participants in a context management system in a networked environment |
JP4587158B2 (en) * | 2004-01-30 | 2010-11-24 | キヤノン株式会社 | Secure communication method, terminal device, authentication service device, computer program, and computer-readable recording medium |
US7281068B2 (en) * | 2004-07-15 | 2007-10-09 | International Business Machines Corporation | Wireless-boot diskless mobile computing |
KR101075316B1 (en) * | 2004-10-29 | 2011-10-19 | 톰슨 라이센싱 | Secure authenticated channel |
US8166174B2 (en) * | 2005-10-27 | 2012-04-24 | Microsoft Corporation | Methods and systems for providing proprietary access to a server |
KR100722265B1 (en) * | 2005-11-14 | 2007-05-28 | 엘지전자 주식회사 | Plasma Display Panel |
US7581244B2 (en) * | 2006-01-25 | 2009-08-25 | Seiko Epson Corporation | IMX session control and authentication |
US8087075B2 (en) * | 2006-02-13 | 2011-12-27 | Quest Software, Inc. | Disconnected credential validation using pre-fetched service tickets |
CN101479984B (en) * | 2006-04-25 | 2011-06-08 | 斯蒂芬·L.·博伦 | Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks |
US7992203B2 (en) | 2006-05-24 | 2011-08-02 | Red Hat, Inc. | Methods and systems for secure shared smartcard access |
US7822209B2 (en) | 2006-06-06 | 2010-10-26 | Red Hat, Inc. | Methods and systems for key recovery for a token |
US8495380B2 (en) | 2006-06-06 | 2013-07-23 | Red Hat, Inc. | Methods and systems for server-side key generation |
US8098829B2 (en) * | 2006-06-06 | 2012-01-17 | Red Hat, Inc. | Methods and systems for secure key delivery |
US8364952B2 (en) * | 2006-06-06 | 2013-01-29 | Red Hat, Inc. | Methods and system for a key recovery plan |
US8180741B2 (en) | 2006-06-06 | 2012-05-15 | Red Hat, Inc. | Methods and systems for providing data objects on a token |
US8332637B2 (en) * | 2006-06-06 | 2012-12-11 | Red Hat, Inc. | Methods and systems for nonce generation in a token |
US9769158B2 (en) * | 2006-06-07 | 2017-09-19 | Red Hat, Inc. | Guided enrollment and login for token users |
US8099765B2 (en) | 2006-06-07 | 2012-01-17 | Red Hat, Inc. | Methods and systems for remote password reset using an authentication credential managed by a third party |
US8707024B2 (en) * | 2006-06-07 | 2014-04-22 | Red Hat, Inc. | Methods and systems for managing identity management security domains |
US8412927B2 (en) | 2006-06-07 | 2013-04-02 | Red Hat, Inc. | Profile framework for token processing system |
US8589695B2 (en) * | 2006-06-07 | 2013-11-19 | Red Hat, Inc. | Methods and systems for entropy collection for server-side key generation |
US8787566B2 (en) * | 2006-08-23 | 2014-07-22 | Red Hat, Inc. | Strong encryption |
US8806219B2 (en) | 2006-08-23 | 2014-08-12 | Red Hat, Inc. | Time-based function back-off |
US8356342B2 (en) * | 2006-08-31 | 2013-01-15 | Red Hat, Inc. | Method and system for issuing a kill sequence for a token |
US8074265B2 (en) * | 2006-08-31 | 2011-12-06 | Red Hat, Inc. | Methods and systems for verifying a location factor associated with a token |
US8977844B2 (en) | 2006-08-31 | 2015-03-10 | Red Hat, Inc. | Smartcard formation with authentication keys |
US9038154B2 (en) * | 2006-08-31 | 2015-05-19 | Red Hat, Inc. | Token Registration |
US8370479B2 (en) | 2006-10-03 | 2013-02-05 | Axeda Acquisition Corporation | System and method for dynamically grouping devices based on present device conditions |
US7996376B2 (en) * | 2006-10-27 | 2011-08-09 | Verizon Patent And Licensing Inc. | Method and apparatus for managing session data across multiple applications |
JP2007043750A (en) * | 2006-11-02 | 2007-02-15 | Nomura Research Institute Ltd | Method for performing encryption communication after authentication, system and method for authentication |
WO2008068976A1 (en) * | 2006-12-04 | 2008-06-12 | Nec Corporation | Network system, server, client, and communication method in network system |
US8693690B2 (en) * | 2006-12-04 | 2014-04-08 | Red Hat, Inc. | Organizing an extensible table for storing cryptographic objects |
US8065397B2 (en) | 2006-12-26 | 2011-11-22 | Axeda Acquisition Corporation | Managing configurations of distributed devices |
US8813243B2 (en) * | 2007-02-02 | 2014-08-19 | Red Hat, Inc. | Reducing a size of a security-related data object stored on a token |
US8832453B2 (en) | 2007-02-28 | 2014-09-09 | Red Hat, Inc. | Token recycling |
US8639940B2 (en) * | 2007-02-28 | 2014-01-28 | Red Hat, Inc. | Methods and systems for assigning roles on a token |
US9081948B2 (en) * | 2007-03-13 | 2015-07-14 | Red Hat, Inc. | Configurable smartcard |
CA2587239A1 (en) * | 2007-05-02 | 2008-11-02 | Kryptiva Inc. | System and method for ad-hoc processing of cryptographically-encoded data |
NL2000632C2 (en) * | 2007-05-07 | 2008-11-10 | Spectator Intellectual Propert | System and method for exchanging data between a first data processing system and a second data processing system via, at least partially public communication network. |
KR100914771B1 (en) * | 2007-05-09 | 2009-09-01 | 주식회사 웰비아닷컴 | System and method for security using one-time execution code |
US7841523B2 (en) * | 2007-05-17 | 2010-11-30 | Shift4 Corporation | Secure payment card transactions |
US7891563B2 (en) | 2007-05-17 | 2011-02-22 | Shift4 Corporation | Secure payment card transactions |
US8295306B2 (en) * | 2007-08-28 | 2012-10-23 | Cisco Technologies, Inc. | Layer-4 transparent secure transport protocol for end-to-end application protection |
US8761402B2 (en) | 2007-09-28 | 2014-06-24 | Sandisk Technologies Inc. | System and methods for digital content distribution |
CN101159639B (en) * | 2007-11-08 | 2010-05-12 | 西安西电捷通无线网络通信有限公司 | One-way access authentication method |
GB2459529A (en) * | 2008-04-28 | 2009-11-04 | Ice Organisation | Online transaction authentication using two servers |
US8094560B2 (en) * | 2008-05-19 | 2012-01-10 | Cisco Technology, Inc. | Multi-stage multi-core processing of network packets |
US8667556B2 (en) * | 2008-05-19 | 2014-03-04 | Cisco Technology, Inc. | Method and apparatus for building and managing policies |
US8677453B2 (en) * | 2008-05-19 | 2014-03-18 | Cisco Technology, Inc. | Highly parallel evaluation of XACML policies |
US20090288104A1 (en) * | 2008-05-19 | 2009-11-19 | Rohati Systems, Inc. | Extensibility framework of a network element |
US8943560B2 (en) * | 2008-05-28 | 2015-01-27 | Microsoft Corporation | Techniques to provision and manage a digital telephone to authenticate with a network |
US20100070471A1 (en) * | 2008-09-17 | 2010-03-18 | Rohati Systems, Inc. | Transactional application events |
TW201015940A (en) * | 2008-10-01 | 2010-04-16 | Avermedia Tech Inc | Network authorization method and application thereof |
JP4631974B2 (en) | 2009-01-08 | 2011-02-16 | ソニー株式会社 | Information processing apparatus, information processing method, program, and information processing system |
US8887242B2 (en) | 2009-04-14 | 2014-11-11 | Fisher-Rosemount Systems, Inc. | Methods and apparatus to provide layered security for interface access control |
US9083685B2 (en) | 2009-06-04 | 2015-07-14 | Sandisk Technologies Inc. | Method and system for content replication control |
US8706887B2 (en) * | 2009-06-29 | 2014-04-22 | Sap Ag | Multi-channel sessions |
US8566593B2 (en) * | 2009-07-06 | 2013-10-22 | Intel Corporation | Method and apparatus of deriving security key(s) |
US10721269B1 (en) | 2009-11-06 | 2020-07-21 | F5 Networks, Inc. | Methods and system for returning requests with javascript for clients before passing a request to a server |
US9054913B1 (en) | 2009-11-30 | 2015-06-09 | Dell Software Inc. | Network protocol proxy |
US8769686B2 (en) * | 2010-02-26 | 2014-07-01 | Futurewei Technologies, Inc. | System and method for securing wireless transmissions |
MX2012011985A (en) * | 2010-04-15 | 2012-12-17 | Qualcomm Inc | Apparatus and method for signaling enhanced security context for session encryption and integrity keys. |
US20110255691A1 (en) | 2010-04-15 | 2011-10-20 | Qualcomm Incorporated | Apparatus and method for transitioning enhanced security context from a utran-based serving network to a geran-based serving network |
US9084110B2 (en) | 2010-04-15 | 2015-07-14 | Qualcomm Incorporated | Apparatus and method for transitioning enhanced security context from a UTRAN/GERAN-based serving network to an E-UTRAN-based serving network |
CA2796511C (en) | 2010-04-16 | 2016-06-21 | Qualcomm Incorporated | Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node |
CN102238000B (en) | 2010-04-21 | 2015-01-21 | 华为技术有限公司 | Encrypted communication method, device and system |
FR2960734A1 (en) * | 2010-05-31 | 2011-12-02 | France Telecom | METHOD AND DEVICES FOR SECURE COMMUNICATIONS IN A TELECOMMUNICATIONS NETWORK |
US20110314532A1 (en) * | 2010-06-17 | 2011-12-22 | Kyle Dean Austin | Identity provider server configured to validate authentication requests from identity broker |
US10015286B1 (en) * | 2010-06-23 | 2018-07-03 | F5 Networks, Inc. | System and method for proxying HTTP single sign on across network domains |
US8347100B1 (en) | 2010-07-14 | 2013-01-01 | F5 Networks, Inc. | Methods for DNSSEC proxying and deployment amelioration and systems thereof |
US9554276B2 (en) | 2010-10-29 | 2017-01-24 | F5 Networks, Inc. | System and method for on the fly protocol conversion in obtaining policy enforcement information |
CN102546562A (en) * | 2010-12-22 | 2012-07-04 | 腾讯科技(深圳)有限公司 | Encrypting and decrypting method and system during transmission of data in web |
RU2453917C1 (en) * | 2010-12-30 | 2012-06-20 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for optimising execution of antivirus tasks in local area network |
US10135831B2 (en) | 2011-01-28 | 2018-11-20 | F5 Networks, Inc. | System and method for combining an access control system with a traffic management system |
US9270766B2 (en) | 2011-12-30 | 2016-02-23 | F5 Networks, Inc. | Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof |
US9491620B2 (en) * | 2012-02-10 | 2016-11-08 | Qualcomm Incorporated | Enabling secure access to a discovered location server for a mobile device |
US10230566B1 (en) | 2012-02-17 | 2019-03-12 | F5 Networks, Inc. | Methods for dynamically constructing a service principal name and devices thereof |
US10148438B2 (en) * | 2012-04-03 | 2018-12-04 | Rally Health, Inc. | Methods and apparatus for protecting sensitive data in distributed applications |
DE102012103106A1 (en) * | 2012-04-11 | 2013-10-17 | Vodafone Holding Gmbh | A method of authenticating a user to a service on a service server, application and system |
US10097616B2 (en) | 2012-04-27 | 2018-10-09 | F5 Networks, Inc. | Methods for optimizing service of content requests and devices thereof |
US9680813B2 (en) | 2012-10-24 | 2017-06-13 | Cyber-Ark Software Ltd. | User provisioning |
KR101487233B1 (en) * | 2013-09-25 | 2015-01-29 | (주) 시큐어가드 테크놀러지 | Method for changing password, device for changing password, and computer readable recording medium applying the same |
US20150121517A1 (en) * | 2013-10-25 | 2015-04-30 | Stefan Dimov | Bundle-to-bundle authentication in modular systems |
US10187317B1 (en) | 2013-11-15 | 2019-01-22 | F5 Networks, Inc. | Methods for traffic rate control and devices thereof |
US9699261B2 (en) | 2014-01-14 | 2017-07-04 | Cyber-Ark Software Ltd. | Monitoring sessions with a session-specific transient agent |
US20150271162A1 (en) * | 2014-03-18 | 2015-09-24 | Cyber-Ark Software Ltd. | Systems and methods for controlling sensitive applications |
US10015143B1 (en) | 2014-06-05 | 2018-07-03 | F5 Networks, Inc. | Methods for securing one or more license entitlement grants and devices thereof |
US9712563B2 (en) | 2014-07-07 | 2017-07-18 | Cyber-Ark Software Ltd. | Connection-specific communication management |
US11838851B1 (en) | 2014-07-15 | 2023-12-05 | F5, Inc. | Methods for managing L7 traffic classification and devices thereof |
US10122630B1 (en) | 2014-08-15 | 2018-11-06 | F5 Networks, Inc. | Methods for network traffic presteering and devices thereof |
US10182013B1 (en) | 2014-12-01 | 2019-01-15 | F5 Networks, Inc. | Methods for managing progressive image delivery and devices thereof |
CN104486321A (en) * | 2014-12-11 | 2015-04-01 | 上海斐讯数据通信技术有限公司 | Web data interaction method and system and corresponding Web server |
CN104506517A (en) * | 2014-12-22 | 2015-04-08 | 中软信息系统工程有限公司 | Encryption transmission method for MIPS (Million Instructions Per Second) platform on basis of HTTP (Hyper Text Transfer Protocol) |
US11895138B1 (en) | 2015-02-02 | 2024-02-06 | F5, Inc. | Methods for improving web scanner accuracy and devices thereof |
US9712514B2 (en) | 2015-02-08 | 2017-07-18 | Cyber-Ark Software Ltd. | Super-session access to multiple target services |
US10834065B1 (en) | 2015-03-31 | 2020-11-10 | F5 Networks, Inc. | Methods for SSL protected NTLM re-authentication and devices thereof |
US10505818B1 (en) | 2015-05-05 | 2019-12-10 | F5 Networks, Inc. | Methods for analyzing and load balancing based on server health and devices thereof |
US11350254B1 (en) | 2015-05-05 | 2022-05-31 | F5, Inc. | Methods for enforcing compliance policies and devices thereof |
US11757946B1 (en) | 2015-12-22 | 2023-09-12 | F5, Inc. | Methods for analyzing network traffic and enforcing network policies and devices thereof |
US10404698B1 (en) | 2016-01-15 | 2019-09-03 | F5 Networks, Inc. | Methods for adaptive organization of web application access points in webtops and devices thereof |
US11178150B1 (en) | 2016-01-20 | 2021-11-16 | F5 Networks, Inc. | Methods for enforcing access control list based on managed application and devices thereof |
US10797888B1 (en) | 2016-01-20 | 2020-10-06 | F5 Networks, Inc. | Methods for secured SCEP enrollment for client devices and devices thereof |
US10791088B1 (en) | 2016-06-17 | 2020-09-29 | F5 Networks, Inc. | Methods for disaggregating subscribers via DHCP address translation and devices thereof |
US10505792B1 (en) | 2016-11-02 | 2019-12-10 | F5 Networks, Inc. | Methods for facilitating network traffic analytics and devices thereof |
US10812266B1 (en) | 2017-03-17 | 2020-10-20 | F5 Networks, Inc. | Methods for managing security tokens based on security violations and devices thereof |
US10972453B1 (en) | 2017-05-03 | 2021-04-06 | F5 Networks, Inc. | Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof |
US11343237B1 (en) | 2017-05-12 | 2022-05-24 | F5, Inc. | Methods for managing a federated identity environment using security and access control data and devices thereof |
US11122042B1 (en) | 2017-05-12 | 2021-09-14 | F5 Networks, Inc. | Methods for dynamically managing user access control and devices thereof |
US11122083B1 (en) | 2017-09-08 | 2021-09-14 | F5 Networks, Inc. | Methods for managing network connections based on DNS data and network policies and devices thereof |
EP3490191B1 (en) * | 2017-11-22 | 2020-01-15 | Siemens Aktiengesellschaft | Processing method of service requests performed by a service provider node |
KR102309044B1 (en) * | 2017-12-01 | 2021-10-05 | 삼성에스디에스 주식회사 | Apparatus and method for establishing secure channel in message processing system |
EP3515034B1 (en) * | 2018-01-17 | 2020-05-13 | ise Individuelle Software und Elektronik GmbH | Method, devices, computer-readable media and systems for establishing certified connections with end devices in a local area network |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6088451A (en) * | 1996-06-28 | 2000-07-11 | Mci Communications Corporation | Security system and method for network element access |
US6108787A (en) * | 1995-03-31 | 2000-08-22 | The Commonwealth Of Australia | Method and means for interconnecting different security level networks |
US6938057B2 (en) * | 1999-05-21 | 2005-08-30 | International Business Machines Corporation | Method and apparatus for networked backup storage |
US6986040B1 (en) * | 2000-11-03 | 2006-01-10 | Citrix Systems, Inc. | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
Family Cites Families (101)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPS583283A (en) | 1981-06-30 | 1983-01-10 | Toshiba Corp | Thyristor |
GB2168831B (en) | 1984-11-13 | 1988-04-27 | Dowty Information Services Lim | Password-protected data link |
JP2585535B2 (en) | 1986-06-02 | 1997-02-26 | 株式会社日立製作所 | Process connection method in compound computer system |
JP2608400B2 (en) | 1986-06-16 | 1997-05-07 | 富士写真フイルム株式会社 | Image reconstruction method from compressed image data |
US4887204A (en) | 1987-02-13 | 1989-12-12 | International Business Machines Corporation | System and method for accessing remote files in a distributed networking environment |
US5175852A (en) | 1987-02-13 | 1992-12-29 | International Business Machines Corporation | Distributed file access structure lock |
US5202971A (en) | 1987-02-13 | 1993-04-13 | International Business Machines Corporation | System for file and record locking between nodes in a distributed data processing environment maintaining one copy of each file lock |
US5367688A (en) | 1987-09-04 | 1994-11-22 | Digital Equipment Corporation | Boot system for distributed digital data processing system |
US5390297A (en) | 1987-11-10 | 1995-02-14 | Auto-Trol Technology Corporation | System for controlling the number of concurrent copies of a program in a network based on the number of available licenses |
US5014221A (en) | 1988-01-29 | 1991-05-07 | Digital Equipment Corporation | Mechanism for arbitrating client access to a networked print server |
US4924378A (en) | 1988-06-13 | 1990-05-08 | Prime Computer, Inc. | License management system and license storage key |
US5341477A (en) | 1989-02-24 | 1994-08-23 | Digital Equipment Corporation | Broker for computer network server selection |
US5560008A (en) * | 1989-05-15 | 1996-09-24 | International Business Machines Corporation | Remote authentication and authorization in a distributed data processing system |
US5305440A (en) | 1989-05-15 | 1994-04-19 | International Business Machines Corporation | File extension by clients in a distributed data processing system |
US5229864A (en) | 1990-04-16 | 1993-07-20 | Fuji Photo Film Co., Ltd. | Device for regenerating a picture signal by decoding |
AU639802B2 (en) | 1990-08-14 | 1993-08-05 | Oracle International Corporation | Methods and apparatus for providing dynamic invocation of applications in a distributed heterogeneous environment |
US5583992A (en) | 1990-09-14 | 1996-12-10 | Kabushiki Kaisha Toshiba | Computer network system for detecting global deadlock |
US5161015A (en) | 1990-12-31 | 1992-11-03 | Zenith Electronics Corporation | System for peaking a video signal with a control signal representative of the perceptual nature of blocks of video pixels |
US5164727A (en) | 1991-04-30 | 1992-11-17 | Regents Of The University Of California | Optimal decoding method and apparatus for data acquisition applications of sigma delta modulators |
US5204897A (en) | 1991-06-28 | 1993-04-20 | Digital Equipment Corporation | Management interface for license management system |
US5504814A (en) | 1991-07-10 | 1996-04-02 | Hughes Aircraft Company | Efficient security kernel for the 80960 extended architecture |
US5359721A (en) | 1991-12-18 | 1994-10-25 | Sun Microsystems, Inc. | Non-supervisor mode cross address space dynamic linking |
US5349682A (en) | 1992-01-31 | 1994-09-20 | Parallel Pcs, Inc. | Dynamic fault-tolerant parallel processing system for performing an application function with increased efficiency using heterogeneous processors |
US5412717A (en) | 1992-05-15 | 1995-05-02 | Fischer; Addison M. | Computer system security method and apparatus having program authorization information data structures |
US5440719A (en) | 1992-10-27 | 1995-08-08 | Cadence Design Systems, Inc. | Method simulating data traffic on network in accordance with a client/server paradigm |
US5329619A (en) | 1992-10-30 | 1994-07-12 | Software Ag | Cooperative processing interface and communication broker for heterogeneous computing environments |
US5550976A (en) | 1992-12-08 | 1996-08-27 | Sun Hydraulics Corporation | Decentralized distributed asynchronous object oriented system and method for electronic data management, storage, and communication |
US5509070A (en) | 1992-12-15 | 1996-04-16 | Softlock Services Inc. | Method for encouraging purchase of executable and non-executable software |
US5325527A (en) | 1993-01-19 | 1994-06-28 | Canon Information Systems, Inc. | Client/server communication system utilizing a self-generating nodal network |
US5351293A (en) | 1993-02-01 | 1994-09-27 | Wave Systems Corp. | System method and apparatus for authenticating an encrypted signal |
FI107102B (en) | 1993-05-31 | 2001-05-31 | Nokia Networks Oy | Method for reporting call costs and subscriber unit |
US5794207A (en) | 1996-09-04 | 1998-08-11 | Walker Asset Management Limited Partnership | Method and apparatus for a cryptographically assisted commercial network system designed to facilitate buyer-driven conditional purchase offers |
US5359593A (en) | 1993-08-26 | 1994-10-25 | International Business Machines Corporation | Dynamic bandwidth estimation and adaptation for packet communications networks |
US5544246A (en) | 1993-09-17 | 1996-08-06 | At&T Corp. | Smartcard adapted for a plurality of service providers and for remote installation of same |
US5590199A (en) * | 1993-10-12 | 1996-12-31 | The Mitre Corporation | Electronic information network user authentication and authorization system |
US5455953A (en) | 1993-11-03 | 1995-10-03 | Wang Laboratories, Inc. | Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket |
DE69431306T2 (en) * | 1993-12-16 | 2003-05-15 | Open Market Inc | NETWORK-BASED PAYMENT SYSTEM AND METHOD FOR USING SUCH A SYSTEM |
US5564016A (en) | 1993-12-17 | 1996-10-08 | International Business Machines Corporation | Method for controlling access to a computer resource based on a timing policy |
US5515508A (en) | 1993-12-17 | 1996-05-07 | Taligent, Inc. | Client server system and method of operation including a dynamically configurable protocol stack |
US5495411A (en) | 1993-12-22 | 1996-02-27 | Ananda; Mohan | Secure software rental system using continuous asynchronous password verification |
US5491750A (en) | 1993-12-30 | 1996-02-13 | International Business Machines Corporation | Method and apparatus for three-party entity authentication and key distribution using message authentication codes |
US5524238A (en) | 1994-03-23 | 1996-06-04 | Breakout I/O Corporation | User specific intelligent interface which intercepts and either replaces or passes commands to a data identity and the field accessed |
US5553139A (en) | 1994-04-04 | 1996-09-03 | Novell, Inc. | Method and apparatus for electronic license distribution |
CA2143874C (en) | 1994-04-25 | 2000-06-20 | Thomas Edward Cooper | Method and apparatus for enabling trial period use of software products: method and apparatus for utilizing a decryption stub |
US5757907A (en) | 1994-04-25 | 1998-05-26 | International Business Machines Corporation | Method and apparatus for enabling trial period use of software products: method and apparatus for generating a machine-dependent identification |
US5475757A (en) | 1994-06-07 | 1995-12-12 | At&T Corp. | Secure data transmission method |
US5550981A (en) | 1994-06-21 | 1996-08-27 | At&T Global Information Solutions Company | Dynamic binding of network identities to locally-meaningful identities in computer networks |
US5668876A (en) | 1994-06-24 | 1997-09-16 | Telefonaktiebolaget Lm Ericsson | User authentication method and apparatus |
US5557732A (en) | 1994-08-11 | 1996-09-17 | International Business Machines Corporation | Method and apparatus for protecting software executing on a demonstration computer |
US5604490A (en) | 1994-09-09 | 1997-02-18 | International Business Machines Corporation | Method and system for providing a user access to multiple secured subsystems |
US6865551B1 (en) * | 1994-11-23 | 2005-03-08 | Contentguard Holdings, Inc. | Removable content repositories |
US5668999A (en) | 1994-12-20 | 1997-09-16 | Sun Microsystems, Inc. | System and method for pre-verification of stack usage in bytecode program loops |
JPH08235114A (en) | 1995-02-28 | 1996-09-13 | Hitachi Ltd | Server access method and charge information managing method |
US5706349A (en) | 1995-03-06 | 1998-01-06 | International Business Machines Corporation | Authenticating remote users in a distributed environment |
EP0734144A3 (en) | 1995-03-20 | 1999-08-18 | Siemens Aktiengesellschaft | Method and apparatus for determination of user charges in a subscriber apparatus |
US5666501A (en) | 1995-03-30 | 1997-09-09 | International Business Machines Corporation | Method and apparatus for installing software |
US5689708A (en) | 1995-03-31 | 1997-11-18 | Showcase Corporation | Client/server computer systems having control of client-based application programs, and application-program control means therefor |
US5592549A (en) | 1995-06-15 | 1997-01-07 | Infosafe Systems, Inc. | Method and apparatus for retrieving selected information from a secure information source |
US5809144A (en) * | 1995-08-24 | 1998-09-15 | Carnegie Mellon University | Method and apparatus for purchasing and delivering digital goods over a network |
US5657390A (en) | 1995-08-25 | 1997-08-12 | Netscape Communications Corporation | Secure socket layer application program apparatus and method |
US5930786A (en) * | 1995-10-20 | 1999-07-27 | Ncr Corporation | Method and apparatus for providing shared data to a requesting client |
US5729734A (en) | 1995-11-03 | 1998-03-17 | Apple Computer, Inc. | File privilege administration apparatus and methods |
HUP9900026A3 (en) | 1995-11-14 | 1999-11-29 | Ibm | Information handling system for allowing a generic web browser to access servers of a plurality of different protocol types |
US5787169A (en) | 1995-12-28 | 1998-07-28 | International Business Machines Corp. | Method and apparatus for controlling access to encrypted data files in a computer system |
US6088450A (en) | 1996-04-17 | 2000-07-11 | Intel Corporation | Authentication system based on periodic challenge/response protocol |
US6226383B1 (en) | 1996-04-17 | 2001-05-01 | Integrity Sciences, Inc. | Cryptographic methods for remote authentication |
US5742757A (en) | 1996-05-30 | 1998-04-21 | Mitsubishi Semiconductor America, Inc. | Automatic software license manager |
EP0851628A1 (en) | 1996-12-23 | 1998-07-01 | ICO Services Ltd. | Key distribution for mobile network |
US5944791A (en) | 1996-10-04 | 1999-08-31 | Contigo Software Llc | Collaborative web browser |
US5881226A (en) | 1996-10-28 | 1999-03-09 | Veneklase; Brian J. | Computer security system |
US5974151A (en) | 1996-11-01 | 1999-10-26 | Slavin; Keith R. | Public key cryptographic system having differential security levels |
US6131116A (en) | 1996-12-13 | 2000-10-10 | Visto Corporation | System and method for globally accessing computer services |
US5818939A (en) * | 1996-12-18 | 1998-10-06 | Intel Corporation | Optimized security functionality in an electronic system |
US5918228A (en) * | 1997-01-28 | 1999-06-29 | International Business Machines Corporation | Method and apparatus for enabling a web server to impersonate a user of a distributed file system to obtain secure access to supported web documents |
US5923756A (en) * | 1997-02-12 | 1999-07-13 | Gte Laboratories Incorporated | Method for providing secure remote command execution over an insecure computer network |
AU6654798A (en) | 1997-02-26 | 1998-09-18 | Siebel Systems, Inc. | Method of determining visibility to a remote database client of a plurality of database transactions using a networked proxy server |
DE19718103A1 (en) | 1997-04-29 | 1998-06-04 | Kim Schmitz | Data transmission system authorise method e.g. for telebanking |
US6408174B1 (en) | 1997-05-13 | 2002-06-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication method, system, and device for reducing processor load at tariff switch |
US5991878A (en) * | 1997-09-08 | 1999-11-23 | Fmr Corp. | Controlling access to information |
US6094485A (en) * | 1997-09-18 | 2000-07-25 | Netscape Communications Corporation | SSL step-up |
NL1007409C1 (en) | 1997-10-31 | 1997-11-18 | Nederland Ptt | Authentication system for electronic transactions |
US6246771B1 (en) * | 1997-11-26 | 2001-06-12 | V-One Corporation | Session key recovery system and method |
JPH11170750A (en) * | 1997-12-17 | 1999-06-29 | Katsumi Hashimoto | Card having memory device |
US6035405A (en) | 1997-12-22 | 2000-03-07 | Nortel Networks Corporation | Secure virtual LANs |
WO1999035783A1 (en) | 1998-01-09 | 1999-07-15 | Cybersafe Corporation | Client side public key authentication method and apparatus with short-lived certificates |
US6128742A (en) | 1998-02-17 | 2000-10-03 | Bea Systems, Inc. | Method of authentication based on intersection of password sets |
JPH11282884A (en) * | 1998-03-30 | 1999-10-15 | Mitsubishi Electric Corp | Network cad system |
US6363365B1 (en) * | 1998-05-12 | 2002-03-26 | International Business Machines Corp. | Mechanism for secure tendering in an open electronic network |
US6289461B1 (en) | 1998-06-09 | 2001-09-11 | Placeware, Inc. | Bi-directional process-to-process byte stream protocol |
JP4353552B2 (en) * | 1998-06-18 | 2009-10-28 | 富士通株式会社 | Content server, terminal device, and content transmission system |
JP2000049766A (en) * | 1998-07-27 | 2000-02-18 | Hitachi Ltd | Key managing server system |
JP2000163369A (en) * | 1998-11-30 | 2000-06-16 | Nippon Telegr & Teleph Corp <Ntt> | Method, system and server device for process result decentralization management and storage medium storing process result decentralization managing program |
JP2000183866A (en) * | 1998-12-10 | 2000-06-30 | Nippon Telegr & Teleph Corp <Ntt> | Method and system for cipher communication, and recording medium stored with cipher communication program |
WO2000060484A1 (en) * | 1999-04-05 | 2000-10-12 | Neomedia Technologies, Inc. | System and method of using machine-readable or human-readable linkage codes for accessing networked data resources |
US6792424B1 (en) * | 1999-04-23 | 2004-09-14 | International Business Machines Corporation | System and method for managing authentication and coherency in a storage area network |
US6816274B1 (en) * | 1999-05-25 | 2004-11-09 | Silverbrook Research Pty Ltd | Method and system for composition and delivery of electronic mail |
US7079712B1 (en) * | 1999-05-25 | 2006-07-18 | Silverbrook Research Pty Ltd | Method and system for providing information in a document |
US6757825B1 (en) | 1999-07-13 | 2004-06-29 | Lucent Technologies Inc. | Secure mutual network authentication protocol |
US6286104B1 (en) | 1999-08-04 | 2001-09-04 | Oracle Corporation | Authentication and authorization in a multi-tier relational database management system |
US6732269B1 (en) * | 1999-10-01 | 2004-05-04 | International Business Machines Corporation | Methods, systems and computer program products for enhanced security identity utilizing an SSL proxy |
EP1439495B1 (en) * | 2003-01-17 | 2019-04-17 | QUALCOMM Incorporated | Device for ordering and validating an electronic ticket |
- 2000
  - 2000-11-03 US US09/706,117 patent/US6986040B1/en not_active Expired - Lifetime
- 2001
  - 2001-11-02 CA CA2427699A patent/CA2427699C/en not_active Expired - Lifetime
  - 2001-11-02 RU RU2003113206/09A patent/RU2279186C2/en active
  - 2001-11-02 WO PCT/US2001/045461 patent/WO2002044858A2/en active Search and Examination
  - 2001-11-02 CN CN01821704A patent/CN100583871C/en not_active Expired - Lifetime
  - 2001-11-02 KR KR1020037006021A patent/KR100783208B1/en active IP Right Grant
  - 2001-11-02 IL IL15569801A patent/IL155698A0/en active IP Right Grant
  - 2001-11-02 JP JP2002546958A patent/JP2004531914A/en active Pending
  - 2001-11-02 EP EP01985503A patent/EP1332599B1/en not_active Expired - Lifetime
  - 2001-11-02 AU AU3514902A patent/AU3514902A/en active Pending
  - 2001-11-02 AU AU2002235149A patent/AU2002235149B2/en not_active Expired
- 2003
  - 2003-04-30 IL IL155698A patent/IL155698A/en unknown
  - 2003-08-29 HK HK03106205.5A patent/HK1054281A1/en not_active IP Right Cessation
- 2004
  - 2004-05-28 US US10/709,806 patent/US20050050317A1/en not_active Abandoned
Cited By (105)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180121633A1 (en) * | 2000-11-10 | 2018-05-03 | Oath Inc. | Digital content distribution and subscription system |
US20040199761A1 (en) * | 2003-04-01 | 2004-10-07 | Philips Andrew B. | Method and apparatus for digitally signing electronic mail that originates from a browser |
US7437562B2 (en) * | 2003-04-01 | 2008-10-14 | Oracle International Corporation | Method and apparatus for digitally signing electronic mail that originates from a browser |
US8559449B2 (en) | 2003-11-11 | 2013-10-15 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
US7978716B2 (en) | 2003-11-24 | 2011-07-12 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
US20090158418A1 (en) * | 2003-11-24 | 2009-06-18 | Rao Goutham P | Systems and methods for providing a vpn solution |
US20050120214A1 (en) * | 2003-12-02 | 2005-06-02 | Microsoft Corporation | Systems and methods for enhancing security of communication over a public network |
US7568098B2 (en) * | 2003-12-02 | 2009-07-28 | Microsoft Corporation | Systems and methods for enhancing security of communication over a public network |
US8739274B2 (en) | 2004-06-30 | 2014-05-27 | Citrix Systems, Inc. | Method and device for performing integrated caching in a data communication network |
US8726006B2 (en) | 2004-06-30 | 2014-05-13 | Citrix Systems, Inc. | System and method for establishing a virtual private network |
US8495305B2 (en) | 2004-06-30 | 2013-07-23 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US8261057B2 (en) | 2004-06-30 | 2012-09-04 | Citrix Systems, Inc. | System and method for establishing a virtual private network |
US8291119B2 (en) | 2004-07-23 | 2012-10-16 | Citrix Systems, Inc. | Method and systems for securing remote access to private networks |
US20060029062A1 (en) * | 2004-07-23 | 2006-02-09 | Citrix Systems, Inc. | Methods and systems for securing access to private networks using encryption and authentication technology built in to peripheral devices |
US7978714B2 (en) | 2004-07-23 | 2011-07-12 | Citrix Systems, Inc. | Methods and systems for securing access to private networks using encryption and authentication technology built in to peripheral devices |
US8914522B2 (en) | 2004-07-23 | 2014-12-16 | Citrix Systems, Inc. | Systems and methods for facilitating a peer to peer route via a gateway |
US8014421B2 (en) | 2004-07-23 | 2011-09-06 | Citrix Systems, Inc. | Systems and methods for adjusting the maximum transmission unit by an intermediary device |
US8019868B2 (en) | 2004-07-23 | 2011-09-13 | Citrix Systems, Inc. | Method and systems for routing packets from an endpoint to a gateway |
US8897299B2 (en) | 2004-07-23 | 2014-11-25 | Citrix Systems, Inc. | Method and systems for routing packets from a gateway to an endpoint |
US8046830B2 (en) * | 2004-07-23 | 2011-10-25 | Citrix Systems, Inc. | Systems and methods for network disruption shielding techniques |
US8892778B2 (en) | 2004-07-23 | 2014-11-18 | Citrix Systems, Inc. | Method and systems for securing remote access to private networks |
US20100002693A1 (en) * | 2004-07-23 | 2010-01-07 | Rao Goutham P | Method and systems for routing packets from an endpoint to a gateway |
US20060029063A1 (en) * | 2004-07-23 | 2006-02-09 | Citrix Systems, Inc. | A method and systems for routing packets from a gateway to an endpoint |
US20060037072A1 (en) * | 2004-07-23 | 2006-02-16 | Citrix Systems, Inc. | Systems and methods for network disruption shielding techniques |
US9219579B2 (en) | 2004-07-23 | 2015-12-22 | Citrix Systems, Inc. | Systems and methods for client-side application-aware prioritization of network communications |
US8634420B2 (en) | 2004-07-23 | 2014-01-21 | Citrix Systems, Inc. | Systems and methods for communicating a lossy protocol via a lossless protocol |
US8351333B2 (en) | 2004-07-23 | 2013-01-08 | Citrix Systems, Inc. | Systems and methods for communicating a lossy protocol via a lossless protocol using false acknowledgements |
US8363650B2 (en) | 2004-07-23 | 2013-01-29 | Citrix Systems, Inc. | Method and systems for routing packets from a gateway to an endpoint |
US7314169B1 (en) * | 2004-09-29 | 2008-01-01 | Rockwell Automation Technologies, Inc. | Device that issues authority for automation systems by issuing an encrypted time pass |
US8549149B2 (en) | 2004-12-30 | 2013-10-01 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8706877B2 (en) | 2004-12-30 | 2014-04-22 | Citrix Systems, Inc. | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US8954595B2 (en) | 2004-12-30 | 2015-02-10 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US8856777B2 (en) | 2004-12-30 | 2014-10-07 | Citrix Systems, Inc. | Systems and methods for automatic installation and execution of a client-side acceleration program |
US20060195547A1 (en) * | 2004-12-30 | 2006-08-31 | Prabakar Sundarrajan | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8788581B2 (en) | 2005-01-24 | 2014-07-22 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US8848710B2 (en) | 2005-01-24 | 2014-09-30 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US20060288120A1 (en) * | 2005-05-11 | 2006-12-21 | Kazuyoshi Hoshino | Service network system and server device |
US20090177802A1 (en) * | 2005-05-11 | 2009-07-09 | Kazuyoshi Hoshino | Service network system and server device |
US8041822B2 (en) * | 2005-05-11 | 2011-10-18 | Hitachi, Ltd. | Service network system and server device |
US8499057B2 (en) | 2005-12-30 | 2013-07-30 | Citrix Systems, Inc | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
US8301839B2 (en) | 2005-12-30 | 2012-10-30 | Citrix Systems, Inc. | System and method for performing granular invalidation of cached dynamically generated objects in a data communication network |
US8255456B2 (en) | 2005-12-30 | 2012-08-28 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US8555367B2 (en) * | 2008-03-12 | 2013-10-08 | Yahoo! Inc. | Method and system for securely streaming content |
US20090235347A1 (en) * | 2008-03-12 | 2009-09-17 | Yahoo! Inc. | Method and system for securely streaming content |
US8677466B1 (en) * | 2009-03-10 | 2014-03-18 | Trend Micro Incorporated | Verification of digital certificates used for encrypted computer communications |
US20120179749A1 (en) * | 2009-09-24 | 2012-07-12 | Sony Corporation | Communication method, communication system, server and program |
US9049025B1 (en) * | 2011-06-20 | 2015-06-02 | Cellco Partnership | Method of decrypting encrypted information for unsecure phone |
US9397885B2 (en) * | 2011-09-28 | 2016-07-19 | Apperian, Inc. | Conveyance of configuration information in a network |
US20130080636A1 (en) * | 2011-09-28 | 2013-03-28 | Robert U. Friedman | Conveyance of configuration information in a network |
CN102647462A (en) * | 2012-03-29 | 2012-08-22 | 奇智软件(北京)有限公司 | Application acquisition and sending method and device |
US9306934B2 (en) | 2012-04-17 | 2016-04-05 | Intel Corporation | Trusted service interaction |
US9923886B2 (en) | 2012-04-17 | 2018-03-20 | Intel Corporation | Trusted service interaction |
US10834139B2 (en) | 2012-06-07 | 2020-11-10 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US10084818B1 (en) | 2012-06-07 | 2018-09-25 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US10075471B2 (en) | 2012-06-07 | 2018-09-11 | Amazon Technologies, Inc. | Data loss prevention techniques |
US10055594B2 (en) | 2012-06-07 | 2018-08-21 | Amazon Technologies, Inc. | Virtual service provider zones |
US10474829B2 (en) | 2012-06-07 | 2019-11-12 | Amazon Technologies, Inc. | Virtual service provider zones |
US10104060B2 (en) * | 2013-01-30 | 2018-10-16 | Hewlett Packard Enterprise Development Lp | Authenticating applications to a network service |
US20140215572A1 (en) * | 2013-01-30 | 2014-07-31 | Hewlett-Packard Development Company, L.P. | Authenticating Applications to a Network Service |
US10666436B2 (en) | 2013-02-12 | 2020-05-26 | Amazon Technologies, Inc. | Federated key management |
US20140229732A1 (en) * | 2013-02-12 | 2014-08-14 | Amazon Technologies, Inc. | Data security service |
US11036869B2 (en) | 2013-02-12 | 2021-06-15 | Amazon Technologies, Inc. | Data security with a security module |
US11372993B2 (en) | 2013-02-12 | 2022-06-28 | Amazon Technologies, Inc. | Automatic key rotation |
US10382200B2 (en) | 2013-02-12 | 2019-08-13 | Amazon Technologies, Inc. | Probabilistic key rotation |
US10210341B2 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Delayed data access |
US10211977B1 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Secure management of information using a security module |
US10075295B2 (en) | 2013-02-12 | 2018-09-11 | Amazon Technologies, Inc. | Probabilistic key rotation |
US20140229739A1 (en) | 2013-02-12 | 2014-08-14 | Amazon Technologies, Inc. | Delayed data access |
US9705674B2 (en) | 2013-02-12 | 2017-07-11 | Amazon Technologies, Inc. | Federated key management |
US11695555B2 (en) | 2013-02-12 | 2023-07-04 | Amazon Technologies, Inc. | Federated key management |
US9590959B2 (en) | 2013-02-12 | 2017-03-07 | Amazon Technologies, Inc. | Data security service |
US10467422B1 (en) | 2013-02-12 | 2019-11-05 | Amazon Technologies, Inc. | Automatic key rotation |
US10404670B2 (en) | 2013-02-12 | 2019-09-03 | Amazon Technologies, Inc. | Data security service |
US9547771B2 (en) | 2013-02-12 | 2017-01-17 | Amazon Technologies, Inc. | Policy enforcement with associated data |
US10313312B2 (en) | 2013-06-13 | 2019-06-04 | Amazon Technologies, Inc. | Key rotation techniques |
US11470054B2 (en) | 2013-06-13 | 2022-10-11 | Amazon Technologies, Inc. | Key rotation techniques |
US9608813B1 (en) | 2013-06-13 | 2017-03-28 | Amazon Technologies, Inc. | Key rotation techniques |
US10601789B2 (en) | 2013-06-13 | 2020-03-24 | Amazon Technologies, Inc. | Session negotiations |
US9832171B1 (en) | 2013-06-13 | 2017-11-28 | Amazon Technologies, Inc. | Negotiating a session with a cryptographic domain |
US11323479B2 (en) | 2013-07-01 | 2022-05-03 | Amazon Technologies, Inc. | Data loss prevention techniques |
US10721075B2 (en) | 2014-05-21 | 2020-07-21 | Amazon Technologies, Inc. | Web of trust management in a distributed system |
US10587405B2 (en) | 2014-06-27 | 2020-03-10 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
US11368300B2 (en) | 2014-06-27 | 2022-06-21 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
US9942036B2 (en) | 2014-06-27 | 2018-04-10 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
US10382430B2 (en) * | 2014-07-28 | 2019-08-13 | Encryptier Co., Ltd. | User information management system; user information management method; program, and recording medium on which it is recorded, for management server; program, and recording medium on which it is recorded, for user terminal; and program, and recording medium on which it is recorded, for service server |
US20170201510A1 (en) * | 2014-07-28 | 2017-07-13 | Encryptier Co., Ltd. | User information management system; user information management method; program, and recording medium on which it is recorded, for management server; program, and recording medium on which it is recorded, for user terminal; and program, and recording medium on which it is recorded, for service server |
US9866392B1 (en) | 2014-09-15 | 2018-01-09 | Amazon Technologies, Inc. | Distributed system web of trust provisioning |
US11626996B2 (en) | 2014-09-15 | 2023-04-11 | Amazon Technologies, Inc. | Distributed system web of trust provisioning |
US11374916B2 (en) | 2015-03-31 | 2022-06-28 | Amazon Technologies, Inc. | Key export techniques |
US10469477B2 (en) | 2015-03-31 | 2019-11-05 | Amazon Technologies, Inc. | Key export techniques |
US9866567B2 (en) * | 2015-05-07 | 2018-01-09 | Cyberark Software Ltd. | Systems and methods for detecting and reacting to malicious activity in computer networks |
US9866566B2 (en) * | 2015-05-07 | 2018-01-09 | Cyberark Software Ltd. | Systems and methods for detecting and reacting to malicious activity in computer networks |
US20160330221A1 (en) * | 2015-05-07 | 2016-11-10 | Cyber-Ark Software Ltd. | Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks |
US9866568B2 (en) * | 2015-05-07 | 2018-01-09 | Cyberark Software Ltd. | Systems and methods for detecting and reacting to malicious activity in computer networks |
US20170264617A1 (en) * | 2015-05-07 | 2017-09-14 | Cyber-Ark Software Ltd. | Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks |
US20170257376A1 (en) * | 2015-05-07 | 2017-09-07 | Cyber-Ark Software Ltd. | Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks |
US20160330220A1 (en) * | 2015-05-07 | 2016-11-10 | Cyber-Ark Software Ltd. | Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks |
US20170257375A1 (en) * | 2015-05-07 | 2017-09-07 | Cyber-Ark Software Ltd. | Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks |
US10044726B2 (en) * | 2015-05-07 | 2018-08-07 | Cyberark Software Ltd. | Systems and methods for detecting and reacting to malicious activity in computer networks |
US10979407B2 (en) * | 2016-06-24 | 2021-04-13 | Sony Corporation | Data communications |
US20190260719A1 (en) * | 2016-06-24 | 2019-08-22 | Sony Corporation | Data communications |
US10262146B2 (en) * | 2016-12-15 | 2019-04-16 | Vmware, Inc. | Application-to-application messaging over an insecure application programming interface |
US20180176203A1 (en) * | 2016-12-21 | 2018-06-21 | Apple Inc. | Techniques for providing authentication information to external and embedded web browsers |
US10511670B2 (en) * | 2016-12-21 | 2019-12-17 | Apple Inc. | Techniques for providing authentication information to external and embedded web browsers |
US11288381B2 (en) | 2019-07-19 | 2022-03-29 | Eaglys Inc. | Calculation device, calculation method, calculation program and calculation system |
Also Published As
Publication number | Publication date |
---|---|
KR100783208B1 (en) | 2007-12-06 |
HK1054281A1 (en) | 2003-11-21 |
WO2002044858A2 (en) | 2002-06-06 |
US6986040B1 (en) | 2006-01-10 |
JP2004531914A (en) | 2004-10-14 |
CN100583871C (en) | 2010-01-20 |
CN1505892A (en) | 2004-06-16 |
CA2427699C (en) | 2012-01-03 |
EP1332599B1 (en) | 2013-03-20 |
AU2002235149B2 (en) | 2005-12-01 |
CA2427699A1 (en) | 2002-06-06 |
WO2002044858A3 (en) | 2003-05-01 |
AU3514902A (en) | 2002-06-11 |
RU2279186C2 (en) | 2006-06-27 |
EP1332599A2 (en) | 2003-08-06 |
KR20040004425A (en) | 2004-01-13 |
IL155698A (en) | 2008-04-13 |
IL155698A0 (en) | 2003-11-23 |
Similar Documents
Publication | Title |
---|---|
US6986040B1 (en) | System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel |
AU2002235149A1 (en) | System and method for securing a non-secure communication channel |
CA2280869C (en) | System for providing secure remote command execution network |
US7627896B2 (en) | Security system providing methodology for cooperative enforcement of security policies during SSL sessions |
US7590684B2 (en) | System providing methodology for access control with cooperative enforcement |
US7747856B2 (en) | Session ticket authentication scheme |
US7366900B2 (en) | Platform-neutral system and method for providing secure remote operations over an insecure computer network |
US6874084B1 (en) | Method and apparatus for establishing a secure communication connection between a java application and secure server |
US6907530B2 (en) | Secure internet applications with mobile code |
EP2002373B1 (en) | Providing security services using a secure device |
US9092635B2 (en) | Method and system of providing security services using a secure device |
US7100054B2 (en) | Computer network security system |
RU2439692C2 (en) | Policy-controlled delegation of account data for single registration in network and secured access to network resources |
US6785729B1 (en) | System and method for authorizing a network user as entitled to access a computing node wherein authenticated certificate received from the user is mapped into the user identification and the user is presented with the opportunity to logon to the computing node only after the verification is successful |
KR20060096979A (en) | Method and system for a single-sign-on access to a computer grid |
JP2005518595A (en) | Secure traversal of network components |
US20040143762A1 (en) | Method and system for authenticating a personal security device vis-a-vis at least one remote computer system |
US7890751B1 (en) | Method and system for increasing data access in a secure socket layer network environment |
KR100366403B1 (en) | Method for authenticating user in internet and system for the same |
Brainard | SecurSight: an architecture for secure information access |
Schäfer et al. | Security and Web Services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |