WO2000011832A1 - System and method for enabling secure access to services in a computer network - Google Patents


Info

Publication number
WO2000011832A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
service
privileges
applet
engine
Prior art date
Application number
PCT/US1998/017410
Other languages
French (fr)
Inventor
Mark D. Riggins
Original Assignee
Visto Corporation
Priority date
Filing date
Publication date
Application filed by Visto Corporation
Priority to IL141530A0
Priority to CA2341213C
Priority to WO2000011832A1
Priority to JP2002523973A
Priority to CN1227858C
Priority to EP1105996A4
Priority to EA003374B1
Publication of WO2000011832A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/34: Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029: Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/168: Implementing security features at a particular protocol layer above the transport layer

Definitions

  • This invention relates generally to computer networks, and more particularly to a system and method for enabling secure access to services in a computer network.
  • In its infancy, the Internet provided a research-oriented environment where users and hosts were interested in a free and open exchange of information, and where users and hosts mutually trusted one another.
  • The Internet has grown dramatically, currently interconnecting about 100,000 computer networks and several million users. Because of its size and openness, the Internet has become a target of data theft, data alteration and other mischief. Virtually everyone on the Internet is vulnerable. Before connecting, companies balance the rewards of an Internet connection against risks of a security breach. Current security techniques help provide client and server authentication, data confidentiality, system integrity and system access control.
  • The most popular of the current security techniques is a firewall, which includes an intermediate system positioned between a trusted network and the Internet.
  • The firewall represents an outer perimeter of security for preventing unauthorized communication between the trusted network and the Internet.
  • A firewall may include screening routers, proxy servers and application-layer gateways.
  • For users on the Internet to gain access to protected services on the trusted network, they may be required to provide their identity to the firewall by some means such as entering a password or by computing a response to a challenge using a hardware token. With proper authentication, the user is allowed to pass through the firewall into the local network, but is typically limited to a predetermined set of services such as e-mail, FTP, etc.
  • Some local network managers place just outside the firewall a server, often referred to as a "sacrificial lamb," for storing non-confidential data which is easily accessible by the remote user but which provides little security.
  • A De-Militarized Zone (DMZ) sits between two firewalls protecting a trusted network.
  • The external firewall protects servers in the DMZ from external threats while allowing HyperText Transfer Protocol (HTTP) requests.
  • The internal firewall protects the trusted network in the event that one of the servers in the DMZ is compromised.
  • Many companies use DMZs to maintain their web servers.
  • Public key certificates are issued to a party by a certificate authority, which via some method validates the party's identity and issues a certificate stating the party's name and public key. As evidence of authenticity, the certificate authority digitally signs the party's certificate using the certificate authority's private key.
  • The client computer and server exchange public key certificates.
  • Each party verifies the authenticity of the received certificates by using the certificate authority's public key to verify the signature of the certificate. Then, by encrypting messages with the server's public key the user can send secure communications to the server, and by encrypting messages with the user's public key the server can send secure communications to the user.
  • While any party might present a public key certificate, only the real user and the real host have the corresponding private key needed to decrypt the message. Examples of authentication and key distribution computer security systems include the Kerberos™ security system developed by the Massachusetts Institute of Technology and the NetSP™ security system developed by the IBM Corporation.
  • The present invention provides a system and method for enabling secure access to services in a computer network.
  • The network system includes a global server coupled via a computer network to computer services.
  • The global server includes a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and a keysafe for storing keys which enable access to the secured services.
  • The global server may be coupled to multiple sites, wherein each site provides multiple services. Each site may be protected by a firewall. Accordingly, the global server stores the keys for enabling communication via the firewalls with the services.
  • The method includes the steps of establishing a communications link with a client; identifying and authenticating the client; determining client privileges; providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and retrieving a key which enables access to the secured service.
  • The system and method of the present invention advantageously provide a globally-accessible trusted third party, i.e., the global server.
  • This trusted third party securely stores keys, and acts as a single identification and authentication service. Other systems may be accessed through the global server.
  • The global server uses the stored keys to authenticate the user under an identity that is understood by the other system's existing security services, and establishes a secure communications channel to the desired service. Because of a global firewall, the global server is substantially protected from external threats. Accordingly, the global server provides authorized clients with secure communication through firewalls with services.
  • The global server may enable multiple levels of identification and authentication services. Accordingly, the global server may enable multiple levels of resource access based on the user's status, the strengths of the identification and the authentication, and on the privacy of the communications channel.
  • The global server advantageously may act as a client proxy for controlling access to services, logging use of keys and logging access of resources.
  • FIG. 1 is a block diagram illustrating a roaming-user network access system, in accordance with the present invention;
  • FIG. 2 is a block diagram illustrating details of an example client of FIG. 1;
  • FIG. 3 is a block diagram illustrating details of the global server of FIG. 1;
  • FIG. 4 is a block diagram illustrating details of an example service server of FIG. 1;
  • FIG. 5 is a flowchart illustrating a method for remotely accessing a secure service;
  • FIG. 6 is a flowchart illustrating details of the FIG. 5 step of creating a link between a client and the global server;
  • FIG. 7 illustrates an example web page;
  • FIG. 8A is a flowchart illustrating details of the FIG. 5 step of accessing a service in a first embodiment;
  • FIG. 8B is a flowchart illustrating details of the FIG. 5 step of accessing a service in a second embodiment;
  • FIG. 8C is a flowchart illustrating details of the FIG. 5 step of accessing a service in a third embodiment.
  • FIG. 1 is a block diagram illustrating an exemplary roaming-user network access system 100 in accordance with the present invention.
  • System 100 includes an interconnected network of computers referred to herein as an "Internet" 102.
  • System 100 further includes a first company network 112, a second company network 118, a kiosk network 138 and an Internet Service Provider (ISP) network 143, each network being coupled to the Internet 102.
  • Company network 112 includes a firewall 116 coupled between the Internet 102 and a client computer 114a.
  • Company network 118 includes a firewall 120 coupled between the Internet 102 and an internal network signal bus 126.
  • Company network 118 further includes a first server 108a for providing a first service 110a, a second server 108b for providing a second service 110b, a first client computer 114b storing a program for providing a third service 110c and a second client computer 114c, each being coupled to signal bus 126.
  • Example services 110a-110d include an e-mail service program, an address book service program, a calendar service program, a paging service program, and a company database service program.
  • The kiosk network 138 includes a first client computer 114d and a second client computer 114e, each being coupled to the Internet 102.
  • The ISP network 143 includes an ISP 148 coupled via a wireless channel 146 to a first client computer 114f and coupled via modems 152 and 156 and via transmission line 154 to a second client computer 114g.
  • The Internet 102 includes a global server 106 which is protected by a global firewall 104.
  • The global firewall 104 protects the global server 106 from external threats.
  • Before obtaining access privileges to the functionality provided by the global server 106, the user must first obtain authorization from the global server 106. Obtaining authorization typically requires user identification and authentication, for example, using public-key certificates. Once authenticated, the global server 106 provides the user with access to the services 110a-110d. It will be appreciated that varying levels of access to services 110a-110d will be granted based on varying strengths of identification and authentication and on the privacy of the communications channel.
  • The global server 106 may use conventional applets, servlets or agents in a distributed network environment, such as the Java™ distributed environment produced by the Netscape Corporation.
  • The global server 106 provides the user's client with access to and control of the service 110a-110d.
  • The global server 106 may redirect the user's client to access the service 110a-110d itself, the global server 106 may access the service 110a-110d itself and provide I/O to the client by proxy, or the global server 106 may provide the service 110a-110d itself.
  • The global server 106 maintains the network addresses of all the services 110a-110d, the user's public and private keys, the user's account numbers, firewall authentication information, etc.
  • Firewall authentication information includes the necessary identification, passwords and certificates needed to pass firewalls 116 and 120. Accordingly, the user need only maintain the URL of the global server 106, and identification and authentication information such as a password or hardware token for obtaining access to the functionality of the global server 106.
  • The roaming user can access computer services 110a-110d using any computer terminal which is connected to the Internet 102.
  • FIG. 2 is a block diagram illustrating details of a client computer 114, such that each of clients 114a-114d is an instance of the client 114.
  • The client 114 includes a Central Processing Unit (CPU) 210 such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor.
  • An input device 220 such as a keyboard and mouse, and an output device 230 such as a Cathode Ray Tube (CRT) display are coupled via a signal bus 240 to CPU 210.
  • A communications interface 250, a data storage device 260 such as Read Only Memory (ROM) or a magnetic disk, and a Random-Access Memory (RAM) 270 are further coupled via signal bus 240 to CPU 210.
  • The communications interface 250 of client computer 114 is coupled to the Internet 102 as shown in and described with reference to FIG. 1.
  • An operating system 280 includes a program for controlling processing by CPU 210, and is typically stored in data storage device 260 and loaded into RAM 270 for execution.
  • Operating system 280 includes a communication engine 282 for generating and transferring message packets to and from the internet 106 via the communications interface 250.
  • Operating system 280 further includes an internet engine such as a web browser 284, e.g., the Netscape™ web browser produced by the Netscape Corporation or the Internet Explorer™ web browser produced by the Microsoft Corporation.
  • The web browser 284 includes an encryption engine 285 for encrypting messages using public and private keys, and an applet engine 286 for executing applets 288 downloaded from the global server 106 to enable the access to computer services 110a-110d.
  • Downloaded applets 288 may include security applets 290 for performing services such as user identification and authentication, message integrity services, and certificate verification.
  • The browser 284 further receives web page data (391, FIG. 3), configuration data 390 and information identifying a set of selectable services 110a-110d, and uses the information to display the web page (700, FIG. 7).
  • The web browser 284 enables a user via the client 114a-114g to select one of the services 110a-110d for execution.
  • A client 114a-114g such as client 114b may include a service engine 490 (see FIG. 4) for providing a service 110a-110d such as service 110c.
  • A client 114b user may request access to service 110c via the global server 106, without knowing that the service 110c is provided by client 114b.
  • The global server 106 will provide client 114 with an applet 288 for providing user interface I/O of service 110c back to client 114b.
  • FIG. 3 is a block diagram illustrating details of the global server 106, which includes a CPU 310 such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor.
  • An input device 320 such as a keyboard and mouse, and an output device 330 such as a CRT display are coupled via a signal bus 340 to CPU 310.
  • A communications interface 350, a data storage device 360 such as ROM or a magnetic disk, and a RAM 370 are further coupled via signal bus 340 to CPU 310.
  • The communications interface 350 is conventionally coupled as part of the Internet 102 to the clients 114.
  • Although the global server 106 is described as a single computer, it will be appreciated that the global server 106 may include multiple computers networked together.
  • Operating system 380 includes a program for controlling processing by CPU 310, and is typically stored in data storage device 260 and loaded into RAM 370 for execution. Operating system 380 includes a communication engine 382 for generating and transferring message packets to and from client computers 114 via the communications interface 350.
  • Operating system 380 further includes, as part of global firewall 104, security services 384 for opening a communications channel with users. For example, when a client attempts to access the global server 106, the security services 384 first determine whether the global server 106 accepts in-bound communications from a particular port (not shown) and whether the servlet host engine 386, described below, is authorized to connect to that particular port. If so, the security services 384 allow the communications engine 382 to open a communications channel via the particular port to the client 114a-114g. Otherwise, no channel will be opened.
  • The operating system 380 further includes a web engine 387 which, based on the user's identification, the strength of the user's authentication and the privacy of the communications channel, forwards web page data 391 and information identifying a set of available services 110a-110d to the client 114a-114g.
  • An example web page 700 is shown and described with reference to FIG. 7.
  • The web engine 387 enables a user to select a service 110a-110d from the web page 700.
  • The web engine 387 includes a servlet host engine 286, which downloads security applets 290 including an authentication applet (not shown) to the client computer 114 and accordingly executes an authentication servlet 397 of servlets 398 for performing identification and authentication services.
  • The authentication applet 290 prompts the user for identification and authentication information, and then communicates the information to the authentication servlet 397.
  • The authentication servlet 397 verifies that the information is correct. It will be noted that the user's authentication information is not necessarily sent to the authentication servlet 397; rather, its existence and correctness are proven via a secure means such as a secure hash.
  • The servlet host engine 386 further includes a secure communications engine 396 which may use public key certificates to negotiate a secure communications channel with the client computer 114.
  • The servlet host engine 386 downloads a corresponding applet 388, corresponding configuration data 390 and corresponding user data 392, and may download corresponding service address information 394, to the client computer 114.
  • Configuration data 390 includes information for configuring the user's web browser 284, for configuring the downloaded applets 288, and for configuring the selected service 110a-110d.
  • User data 392 may include user- and service-specific information such as stored bookmarks, calendar data, pager numbers, etc. which was specifically stored on the global server 106 for easy access.
  • Service address information 394 identifies the location of the services 110a-110d provided in system 100 by the global server 106.
  • The client computer 114 executes the corresponding downloaded applet 288, which via the servlet host engine 386 (possibly using a corresponding servlet 398) enables the user to access and to control the corresponding services 110a-110d.
  • The downloadable applets 388, configuration data 390, user data 392 and service address information 394 may be stored on the data storage device 360.
  • A keysafe 395 is a data file for storing each user's identification information, each user's public and private keys, each firewall's password information, etc.
  • The keysafe 395 is organized in a linked list format so that, based on the selected service 110a-110d, the global server 106 can retrieve the appropriate firewall's password information, the appropriate user's identification information and keys, etc.
  • The keysafe 395 may be stored on the data storage device 360.
  • FIG. 4 is a block diagram illustrating details of a service server 108, such that servers 108a-108c and client 114b are instances of server 108.
  • Server 108 includes a CPU 410 such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor.
  • An input device 420 such as a keyboard and mouse, and an output device 430 such as a CRT display are coupled via a signal bus 440 to CPU 410.
  • A communications interface 450, a data storage device 460 such as ROM or a magnetic disk, and a RAM 470 are further coupled via signal bus 440 to CPU 410.
  • The communications interface 450 is coupled to the clients 114 as shown in and described with reference to FIG. 1.
  • The operating system 480 includes a program for controlling processing by CPU 410, and is typically stored in data storage device 460 and loaded into RAM 470 for execution. Operating system 480 also includes a communications engine 482 for generating and transferring message packets via the communications interface 450 to and from clients 114 or to and from global server 106. Operating system 480 further includes security services 484 for negotiating a secure channel with users, a secure communications engine 486 for opening the secure channel with the users, and a service engine 490 for providing a service 110a-110d to the users.
  • The service engine 490 includes a service interface 492 for receiving and translating messages to and from downloaded applets 288 currently executing on the client 114, and includes a service processor 494 and service data 496 for processing the service requests from the user.
  • The service data 496 may include previously-generated documents, database information, etc. It will be appreciated that the service data 496 is similar to the user data 392, such that it includes the same type of information but is maintained on the service server 108 instead of on the global server 108.
  • FIG. 5 is a flowchart illustrating a method 500 enabling a user to access services 110a-110d in computer network system 100.
  • Method 500 begins by the client 114 in step 505 creating a communications link with the global server 106. Step 505 is described in greater detail with reference to FIG. 6.
  • The global server 106 in step 510 confirms that the user has privileges to access the functionality of the global server 106. Confirming user access privileges may include examining a user certificate, obtaining a secret password, using digital signature technology, etc.
  • The security services 384 may cause the servlet host engine 386 to forward a security applet 389 via the communications channel to the client 114 for performing user authentication.
  • The web page engine 387 of the global server 106 in step 515 downloads web page data 391 and configuration data 390 to the client 114.
  • The browser 284 of the client 114 in step 520 uses the web page data 391 and the configuration data 390 to display a web page 700 (FIG. 7) on the output device 230 of the client 114 and to enable access to the services 110a-110d which are offered by the global server 106.
  • An example web page 700 is shown and described with reference to FIG. 7.
  • The user in step 525 via input device 220 selects a service 110a-110d.
  • The servlet host engine 386 of the global server 106 in step 530 downloads the corresponding applet(s) 388, applet configuration data 390, user data 392 and possibly service address information 394 to the client 114.
  • Applet configuration data 390 preferably includes user-specific preferences, such as user-preferred fonts, for configuring the selected service 110a-110d.
  • User data 392 may include user-specific and service-specific information such as stored bookmarks, calendar data, pager numbers, etc.
  • Service address information 394 identifies the location of the selected service 110a-110d.
  • The corresponding applet(s) 388, applet configuration data 390, user data 392 and service address information 394 could have been downloaded in step 515 with the web page data 391 and the configuration data 390.
  • The applet engine 286 of the client 114 in step 535 executes the corresponding downloaded applet 288.
  • The service server 108 in step 537 initiates the service engine 490.
  • The global server 106 in step 538 selects one of the three modes of access described in FIGs. 8A-8C for enabling the client computer 114 to communicate with the corresponding service engine 490. For example, if the user selects the service 110d on server 108c, which is not protected by a separate firewall, then the global server 106 may provide the user with direct access. If the user selects service 110a provided by server 108a within company network 118, then the global server 106 may access the service 110a as a proxy for the user.
  • Each firewall 106 and 120 may store policies establishing the proper mode of access the global server 106 should select. Other factors for selecting the mode of access may include user preference, availability and feasibility.
  • The global server 106 in step 540 provides the client 114 user with access to the selected service 110a-110d. Step 540 is described in greater detail with reference to FIGs. 8A, 8B and 8C.
  • FIG. 6 is a flowchart illustrating details of step 505, which begins by the client 114 user in step 605 using a known Uniform Resource Locator (URL) to call the global server 106.
  • The global server 106 and the client 114 in step 607 create a secure communications channel therebetween, possibly by applying Secure Sockets Layer (SSL) technology. That is, the security services 384 of the global server 106 in step 610 determine if in-bound secure communications are permitted and, if so, create a communications channel with the client 114.
  • The browser 284 of the client 114 and the security services 384 of the global server 106 in step 615 negotiate secure communications channel parameters, possibly using public key certificates.
  • An example secure communications channel is RSA with RC4 encryption.
  • Step 615 thus may include selecting one of the encryption protocols which is common to both the global server 106 and the client 114.
  • The encryption engine 285 of the client 114 and the secure communications engine 396 of the global server 114 in step 620 use the secure channel parameters to create the secure communications channel.
  • Method 505 then ends.
  • FIG. 7 illustrates an example URL-addressable HyperText Markup Language
  • The web page 700 includes a title 710 "Web Page," a listing of the provided services 715 and a pointer 770 for selecting one of the provided services 715.
  • The provided services 715 may include an e-mail service 720, a calendaring service 730, an internet access service 740, a paging service 750 and a fax sending service 760.
  • Other services such as bookmarking, QuickCard™, etc. may be included in the web page 700.
  • FIG. 8A is a flowchart illustrating details of step 540 in a first embodiment, referred to as step 540a, wherein the global server 106 provides the client 114 with a direct connection to the service 110a-110d.
  • Step 540a begins by the downloaded applet 288 in step 805 retrieving the service address 394 of the selected service 110a-110d from data storage device 360 and the authentication information for the service 110a-110d from the keysafe 395.
  • The communications engine 282 in step 810 creates a direct and secure connection with the communications engine 482 of the service server 108 at the retrieved service address, and uses the authentication information to authenticate itself.
  • The applet 288 in step 815 acts as the I/O interface with the service engine. Step 540a then ends.
  • FIG. 8B is a flowchart illustrating details of step 540 in a second embodiment, referred to as step 540b, wherein the global server 106 acts for the client 114 as a proxy to the service 110a-110d.
  • Step 540b begins with the applet 288 in step 840 retrieving the "service" address, which results in directing it to the global server 106.
  • The applet 288 in step 845 creates a connection with the global server 106.
  • The servlet host engine 386 of the global server 106 in step 850 retrieves the service address of the selected service 110a-110d and the authentication information for the selected service 110a-110d from the keysafe 395.
  • The secure communications engine 396 of the global server 106 in step 855 negotiates secure channel parameters for creating a secure channel with the secure communications engine 486 of the service server 108. Thereafter, the applet 288 in step 860 acts as the I/O interface (enables the user to make requests of the service engine 490) with the secure communications engine 396 of the global server 106. If the servlet host engine 386 in step 865 determines that it is unauthorized to perform a client 114 user's request, then the servlet host engine 386 in step 870 determines whether the method 540b ends, e.g., whether the user has quit. If so, then method 820b ends. Otherwise, method 540b returns to step 860 to obtain another request.
  • If the servlet host engine 386 in step 865 determines that it is authorized to perform the client 114 user's request, then the servlet host engine 386, possibly using servlets 398, acts as the proxy for the client 114 to the service engine 490. As proxy, the servlet host engine 386 forwards the service request to the service 110a-110d for the applet 288 and forwards responses to the requesting applet 288 currently executing on the client 114. Method 540b then returns to step 870.
  • FIG. 8C is a flowchart illustrating details of step 540 in a third embodiment, referred to as step 540c, wherein the service 110a-110d being requested is located on the global server 106.
  • Step 540c begins with the applet 288 in step 880 retrieving the service address for the service 110a-110d, which results in providing the applet 288 with the service address of the service 110a-110d on the global server 106.
  • The applet 288 in step 882 creates a secure connection with the global server 106. No additional step of identification and authentication is needed since the client 114 has already identified and authenticated itself to the global server 106 in step 510 of FIG. 5.
  • In step 884, a determination is made whether the service 110a-110d is currently running. If so, then in step 886 a determination is made whether the service 110a-110d can handle multiple users. If not, then the global server 106 in step 890 creates an instance for the user, and the applet 288 in step 892 acts as the I/O interface with the service 110a-110d on the global server 106. Otherwise, if the service 110a-110d in step 886 determines that it cannot handle multiple users, then method 540a proceeds to step 892. Further, if in step 884 the global server 106 determines that the service 110a-110d is not currently running, then the global server 106 in step 888 initializes the service 110a-110d and proceeds to step 886.

Abstract

A global server (106) includes a communications engine for establishing a communications link with a client (114a); security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client (114a), based on the client privileges, an applet which enables I/O with a secured service (110a); and a keysafe for storing a key which enables access to the secured service (110a). The global server may be coupled to multiple sites, wherein each site provides multiple services. Each site may be protected by a firewall (116). Accordingly, the global server stores the keys for enabling communication via the firewalls (116) with the services (110a).

Description

SYSTEM AND METHOD FOR ENABLING SECURE ACCESS TO SERVICES IN A COMPUTER NETWORK
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates generally to computer networks, and more particularly to a system and method for enabling secure access to services in a computer network.
2. Description of the Background Art
In its infancy, the Internet provided a research-oriented environment where users and hosts were interested in a free and open exchange of information, and where users and hosts mutually trusted one another. However, the Internet has grown dramatically, currently interconnecting about 100,000 computer networks and several million users. Because of its size and openness, the Internet has become a target of data theft, data alteration and other mischief. Virtually everyone on the Internet is vulnerable. Before connecting, companies balance the rewards of an Internet connection against risks of a security breach. Current security techniques help provide client and server authentication, data confidentiality, system integrity and system access control.
The most popular of the current security techniques is a firewall, which includes an intermediate system positioned between a trusted network and the Internet. The firewall represents an outer perimeter of security for preventing unauthorized communication between the trusted network and the Internet. A firewall may include screening routers, proxy servers and application-layer gateways.
For users on the Internet to gain access to protected services on the trusted network, they may be required to prove their identity to the firewall by some means, such as entering a password or computing a response to a challenge using a hardware token. With proper authentication, the user is allowed to pass through the firewall into the local network, but is typically limited to a predetermined set of services such as e-mail, FTP, etc. Some local network managers place just outside the firewall a server, often referred to as a "sacrificial lamb," which stores non-confidential data that is easily accessible to the remote user but is given little security.
A De-Militarized Zone, or DMZ, sits between two firewalls protecting a trusted network. The external firewall protects servers in the DMZ from external threats while allowing HyperText Transfer Protocol (HTTP) requests. The internal firewall protects the trusted network in the event that one of the servers in the DMZ is compromised. Many companies use DMZs to maintain their web servers.
Another security technique for protecting computer networks is the issuance and use of public key certificates. Public key certificates are issued to a party by a certificate authority, which via some method validates the party's identity and issues a certificate stating the party's name and public key. As evidence of authenticity, the certificate authority digitally signs the party's certificate using the certificate authority's private key.
Thus, when a user via a client computer connects to a server, the client computer and server exchange public key certificates. Each party verifies the authenticity of the received certificates by using the certificate authority's public key to verify the signature of the certificate. Then, by encrypting messages with the server's public key the user can send secure communications to the server, and by encrypting messages with the user's public key the server can send secure communications to the user. Although any party might present a public key certificate, only the real user and the real host have the corresponding private key needed to decrypt the message. Examples of authentication and key distribution computer security systems include the Kerberos™ security system developed by the Massachusetts Institute of Technology and the NetSP™ security system developed by the IBM Corporation.
These security techniques do not solve problems associated with the roaming (traveling) user. For the roaming user, maintaining identification and authentication information such as passwords, certificates, keys, etc. is a cumbersome process. Further, accessing multiple systems requires multiple keys, which often are too complex to track and use. Also, direct access to systems behind firewalls compromises security. Therefore, a system and method are needed to enable remote access to computer services easily and securely.
SUMMARY OF THE INVENTION
The present invention provides a system and method for enabling secure access to services in a computer network. The network system includes a global server coupled via a computer network to computer services. The global server includes a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and a keysafe for storing keys which enable access to the secured services. The global server may be coupled to multiple sites, wherein each site provides multiple services. Each site may be protected by a firewall. Accordingly, the global server stores the keys for enabling communication via the firewalls with the services. The method includes the steps of establishing a communications link with a client; identifying and authenticating the client; determining client privileges; providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and retrieving a key which enables access to the secured service.
The system and method of the present invention advantageously provide a globally- accessible trusted third party, i.e., the global server. This trusted third party securely stores keys, and acts as a single identification and authentication service. Other systems may be accessed through the global server. The global server uses the stored keys to authenticate the user under an identity that is understood by the other system's existing security services, and establishes a secure communications channel to the desired service. Because of a global firewall, the global server is substantially protected from external threats. Accordingly, the global server provides authorized clients with secure communication through firewalls with services. The global server may enable multiple levels of identification and authentication services. Accordingly, the global server may enable multiple levels of resource access based on the user's status, the strengths of the identification and the authentication and on the privacy of the communications channel.
Because of the global firewall and the identification and authentication services performed by the global server, corporations can store relatively secret information on the global server for use by authorized clients. Yet, the present invention also enables corporations to maintain only a portion of their secret information on the global server, so that there would be only this limited loss should the trusted third party system be compromised. Further, the global server advantageously may act as a client proxy for controlling access to services, logging use of keys and logging access of resources.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating a roaming-user network access system, in accordance with the present invention;
FIG. 2 is a block diagram illustrating details of an example client of FIG. 1;
FIG. 3 is a block diagram illustrating details of the global server of FIG. 1;
FIG. 4 is a block diagram illustrating details of an example service server of FIG. 1;
FIG. 5 is a flowchart illustrating a method for remotely accessing a secure service;
FIG. 6 is a flowchart illustrating details of the FIG. 5 step of creating a link between a client and the global server;
FIG. 7 illustrates an example web page;
FIG. 8A is a flowchart illustrating details of the FIG. 5 step of accessing a service in a first embodiment;
FIG. 8B is a flowchart illustrating details of the FIG. 5 step of accessing a service in a second embodiment; and
FIG. 8C is a flowchart illustrating details of the FIG. 5 step of accessing a service in a third embodiment.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
FIG. 1 is a block diagram illustrating an exemplary roaming-user network access system 100 in accordance with the present invention. System 100 includes an interconnected network of computers referred to herein as an "Internet" 102. System 100 further includes a first company network 112, a second company network 118, a kiosk network 138 and an Internet Service Provider (ISP) network 143, each network being coupled to the Internet 102. Company network 112 includes a firewall 116 coupled between the Internet 102 and a client computer 114a. Company network 118 includes a firewall 120 coupled between the Internet 102 and an internal network signal bus 126. Company network 118 further includes a first server 108a for providing a first service 110a, a second server 108b for providing a second service 110b, a first client computer 114b storing a program for providing a third service 110c and a second client computer 114c, each being coupled to signal bus 126. Example services 110a-110d include an e-mail service program, an address book service program, a calendar service program, a paging service program, and a company database service program.
The kiosk network 138 includes a first client computer 114d and a second client computer 114e, each being coupled to the Internet 102. The ISP network 143 includes an ISP 148 coupled via a wireless channel 146 to a first client computer 114f and coupled via modems 152 and 156 and via transmission line 154 to a second client computer 114g. The Internet 102 includes a global server 106 which is protected by a global firewall 104 and includes a server 108c for providing a service 110d. Intercommunication between client computers 114a-114g and services 110a-110d is accomplished via the global server 106. If, for example, a user of any one of the client computers 114a-114g wants to access a service 110a-110d (which is provided at a location within system 100 that is unknown to the user), then the user applies a known Uniform Resource Locator (URL) to access a web page operated by global server 106. An example web page 700 is shown in and described with reference to FIG. 7. The global firewall 104 protects the global server 106 from external threats. Before obtaining access privileges to the functionality provided by the global server 106, the user must first obtain authorization from the global server 106. Obtaining authorization typically requires user identification and authentication, for example, using public-key certificates. Once authenticated, the global server 106 provides the user with access to the services 110a-110d. It will be appreciated that varying levels of access to services 110a-110d will be granted based on varying strengths of identification and authentication and on the privacy of the communications channel.
To enable user access to and control of the services 110a-110d, the global server 106 may use conventional applets, servlets or agents in a distributed network environment, such as the Java™ distributed environment produced by the Netscape Corporation. The global server 106 provides the user's client with access to and control of the service 110a-110d. The global server 106 may redirect the user's client to access the service 110a-110d itself, the global server 106 may access the service 110a-110d itself and provide I/O to the client by proxy, or the global server 106 may provide the service 110a-110d itself. These three different modes of access to the services 110a-110d are described with reference to FIGs. 8A-8C.
The global server 106 maintains the network addresses of all the services 110a-110d, the user's public and private keys, the user's account numbers, firewall authentication information, etc. Firewall authentication information includes the necessary identification, passwords and certificates needed to pass firewalls 116 and 120. Accordingly, the user need only maintain the URL of the global server 106, and identification and authentication information such as a password or hardware token for obtaining access to the functionality of the global server 106. Thus, the roaming user can access computer services 110a-110d using any computer terminal which is connected to the Internet 102.
FIG. 2 is a block diagram illustrating details of a client computer 114, such that each of clients 114a-114d is an instance of the client 114. The client 114 includes a Central Processing Unit (CPU) 210 such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor. An input device 220 such as a keyboard and mouse, and an output device 230 such as a Cathode Ray Tube (CRT) display are coupled via a signal bus 240 to CPU 210. A communications interface 250, a data storage device 260 such as Read Only Memory (ROM) or a magnetic disk, and a Random-Access Memory (RAM) 270 are further coupled via signal bus 240 to CPU 210. The communications interface 250 of client computer 114 is coupled to the Internet 102 as shown in and described with reference to FIG. 1.
An operating system 280 includes a program for controlling processing by CPU 210, and is typically stored in data storage device 260 and loaded into RAM 270 for execution. Operating system 280 includes a communication engine 282 for generating and transferring message packets to and from the internet 106 via the communications interface 250.
Operating system 280 further includes an internet engine such as a web browser 284, e.g., the Netscape™ web browser produced by the Netscape Corporation or the Internet Explorer™ web browser produced by the Microsoft Corporation. The web browser 284 includes an encryption engine 285 for encrypting messages using public and private keys, and an applet engine 286 for executing applets 288 downloaded from the global server 106 to enable the access to computer services 110a-110d. Downloaded applets 288 may include security applets 290 for performing services such as user identification and authentication, message integrity services, and certificate verification. The browser 284 further receives web page data (391, FIG. 3), configuration data 390 and information identifying a set of selectable services 110a-110d, and uses the information to display the web page (700, FIG. 7). The web browser 284 enables a user via the client 114a-114g to select one of the services 110a-110d for execution.
It will be appreciated that a client 114a-114g such as client 114b may include a service engine 490 (see FIG. 4) for providing a service 110a-110d such as service 110c. Thus, it is possible for a client 114b user to request access to service 110c via the global server 106, without knowing that the service 110c is provided by client 114b. Accordingly, the global server 106 will provide client 114 with an applet 288 for providing user interface I/O of service 110c back to client 114b.
FIG. 3 is a block diagram illustrating details of the global server 106, which includes a CPU 310 such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor. An input device 320 such as a keyboard and mouse, and an output device 330 such as a CRT display are coupled via a signal bus 340 to CPU 310. A communications interface 350, a data storage device 360 such as ROM or a magnetic disk, and a RAM 370 are further coupled via signal bus 340 to CPU 310. The communications interface 350 is conventionally coupled as part of the Internet 102 to the clients 114. Although the global server 106 is described as a single computer, it will be appreciated that the global server 106 may include multiple computers networked together.
Operating system 380 includes a program for controlling processing by CPU 310, and is typically stored in data storage device 260 and loaded into RAM 370 for execution. Operating system 380 includes a communication engine 382 for generating and transferring message packets to and from client computers 114 via the communications interface 350.
Operating system 380 further includes, as part of global firewall 104, security services 384 for opening a communications channel with users. For example, when a client attempts to access the global server 106, the security services 384 first determine whether the global server 106 accepts in-bound communications from a particular port (not shown) and whether the servlet host engine 386, described below, is authorized to connect to that particular port. If so, the security services 384 allow the communications engine 382 to open a communications channel via the particular port to the client 114a-114g. Otherwise, no channel will be opened. The operating system 380 further includes a web engine 387 which, based on the user's identification, the strength of the user's authentication and the privacy of the communications channel, forwards web page data 391 and information identifying a set of available services 110a-110d to the client 114a-114g. An example web page 700 is shown and described with reference to FIG. 7. The web engine 387 enables a user to select a service 110a-110d from the web page 700.
The web engine 387 includes a servlet host engine 286, which downloads security applets 290 including an authentication applet (not shown) to the client computer 114 and accordingly executes an authentication servlet 397 of servlets 398 for performing identification and authentication services. The authentication applet 290 prompts the user for identification and authentication information, and then communicates the information to the authentication servlet 397. The authentication servlet 397 verifies that the information is correct. It will be noted that the user's authentication information is not necessarily sent to the authentication servlet 397, but rather its existence and correctness is proven via a secure means such as a secure hash. The servlet host engine 386 further includes a secure communications engine 396 which may use public key certificates to negotiate a secure communications channel with the client computer 114.
Upon selection of a service 110a-110d, the servlet host engine 386 downloads a corresponding applet 388, corresponding configuration data 390 and corresponding user data 392 and may download corresponding service address information 394 to the client computer 114. Configuration data 390 includes information for configuring the user's web browser 284, for configuring the downloaded applets 288, and for configuring the selected service 110a-110d. User data 392 may include user-and-service-specific information such as stored bookmarks, calendar data, pager numbers, etc. which was specifically stored on the global server 106 for easy access. Service address information 394 identifies the location of the services 110a-110d provided in system 100 by the global server 106. The client computer 114 executes the corresponding downloaded applet 288, which via the servlet host engine 386 (possibly using a corresponding servlet 398) enables the user to access and to control the corresponding services 110a-110d. The downloadable applets 388, configuration data 390, user data 392 and service address information 394 may be stored on the data storage device 360. A keysafe 395 is a data file for storing each user's identification information, each user's public and private keys, each firewall's password information, etc. The keysafe 395 is organized in a linked list format so that, based on the selected service 110a-110d, the global server 106 can retrieve the appropriate firewall's password information, the appropriate user's identification information and keys, etc. The keysafe 395 may be stored on the data storage device 360.
FIG. 4 is a block diagram illustrating details of a service server 108, such that servers 108a-108c and client 114b are instances of server 108. Server 108 includes a CPU 410 such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor. An input device 420 such as a keyboard and mouse, and an output device 430 such as a CRT display are coupled via a signal bus 440 to CPU 410. A communications interface 450, a data storage device 460 such as ROM or a magnetic disk, and a RAM 470 are further coupled via signal bus 440 to CPU 410. The communications interface 450 is coupled to the clients 114 as shown in and described with reference to FIG. 1.
The operating system 480 includes a program for controlling processing by CPU 410, and is typically stored in data storage device 460 and loaded into RAM 470 for execution. Operating system 480 also includes a communications engine 482 for generating and transferring message packets via the communications interface 450 to and from clients 114 or to and from global server 106. Operating system 480 further includes security services 484 for negotiating a secure channel with users, a secure communications engine 486 for opening the secure channel with the users, and a service engine 490 for providing a service 110a-110d to the users.
The service engine 490 includes a service interface 492 for receiving and translating messages to and from downloaded applets 288 currently executing on the client 114, and includes a service processor 494 and service data 496 for processing the service requests from the user. The service data 496 may include previously-generated documents, database information, etc. It will be appreciated that the service data 496 is similar to the user data 392, such that it includes the same type of information but is maintained on the service server 108 instead of on the global server 108.
FIG. 5 is a flowchart illustrating a method 500 enabling a user to access services 110a-110d in computer network system 100. Method 500 begins by the client 114 in step 505 creating a communications link with the global server 106. Step 505 is described in greater detail with reference to FIG. 6. The global server 106 in step 510 confirms that the user has privileges to access the functionality of the global server 106. Confirming user access privileges may include examining a user certificate, obtaining a secret password, using digital signature technology, etc. It will be appreciated that the security services 384 may cause the servlet host engine 386 to forward a security applet 389 via the communications channel to the client 114 for performing user authentication.
After user access privileges are confirmed, the web page engine 387 of the global server 106 in step 515 downloads web page data 391 and configuration data 390 to the client 114. The browser 284 of the client 114 in step 520 uses the web page data 391 and the configuration data 390 to display a web page 700 (FIG. 7) on the output device 230 of the client 114 and to enable access to the services 110a-110d which are offered by the global server 106. An example web page 700 is shown and described with reference to FIG. 7.
From the options listed on the web page 700, the user in step 525 via input device 220 selects a service 110a-110d. In response, the servlet host engine 386 of the global server 106 in step 530 downloads the corresponding applet(s) 388, applet configuration data 390, user data 392 and possibly service address information 394 to the client 114. Applet configuration data 390 preferably includes user-specific preferences, such as user-preferred fonts, for configuring the selected service 110a-110d. User data 392 may include user-specific and service-specific information such as stored bookmarks, calendar data, pager numbers, etc. Service address information 394 identifies the location of the selected service 110a-110d. Alternatively, the corresponding applet(s) 388, applet configuration data 390, user data 392 and service address information 394 could have been downloaded in step 515 with the web page data 391 and the configuration data 390.
The applet engine 286 of the client 114 in step 535 executes the corresponding downloaded applet 288. The service server 108 in step 537 initiates the service engine 490. The global server 106 in step 538 selects one of the three modes of access described in FIGs. 8A-8C for enabling the client computer 114 to communicate with the corresponding service engine 490. For example, if the user selects the service 110d on server 108c, which is not protected by a separate firewall, then the global server 106 may provide the user with direct access. If the user selects service 110a provided by server 108a within company network 118, then the global server 106 may access the service 110a as a proxy for the user. It will be appreciated that each firewall 106 and 120 may store policies establishing the proper mode of access the global server 106 should select. Other factors for selecting the mode of access may include user preference, availability and feasibility. The global server 106 in step 540 provides the client 114 user with access to the selected service 110a-110d. Step 540 is described in greater detail with reference to FIGs. 8A, 8B and 8C.
FIG. 6 is a flowchart illustrating details of step 505, which begins by the client 114 user in step 605 using a known Uniform Resource Locator (URL) to call the global server 106. The global server 106 and the client 114 in step 607 create a secure communications channel therebetween, possibly by applying Secure Sockets Layer (SSL) technology. That is, the security services 384 of the global server 106 in step 610 determine if in-bound secure communications are permitted and, if so, create a communications channel with the client 114. The browser 284 of the client 114 and the security services 384 of the global server 106 in step 615 negotiate secure communications channel parameters, possibly using public key certificates. An example secure communications channel is RSA with RC4 encryption. It will be appreciated that the global server 106 may be configured to use one of ten encryption protocols and the client 114 may be enabled to use one of five encryption protocols. Step 615 thus may include selecting one of the encryption protocols which is common to both the global server 106 and the client 114. The encryption engine 285 of the client 114 and the secure communications engine 396 of the global server 114 in step 620 use the secure channel parameters to create the secure communications channel. Method 505 then ends.
FIG. 7 illustrates an example URL-addressable HyperText Markup Language (HTML)-based web page 700, as maintained by the servlet host engine 386. The web page 700 includes a title 710 "Web Page," a listing of the provided services 715 and a pointer 770 for selecting one of the provided services 715. As illustrated, the provided services 715 may include an e-mail service 720, a calendaring service 730, an internet access service 740, a paging service 750 and a fax sending service 760. Although not shown, other services such as bookmarking, QuickCard™, etc. may be included in the web page 700.
FIG. 8 A is a flowchart illustrating details of step 540 in a first embodiment, referred to as step 540a, wherein the global server 106 provides the client 114 with a direct connection to the service 1 lOa-1 lOd. Step 540a begins by the downloaded applet 288 in step 805 retrieving the service address 394 of the selected service 1 lOa-1 lOd from data storage device 360 and the authentication information for the service 1 lOa-1 lOd from the keysafe 395. The communications engine 282 in step 810 creates a direct and secure connection with the communications engine 482 of the service server 108 at the retrieved service address, and uses the authentication information to authenticate itself. The applet 288 in step 815 acts as the I/O interface with the service engine. Step 540a then ends.
FIG. 8B is a flowchart illustrating details of step 540 in a second embodiment, referred to as step 540b, wherein the global server 106 acts for the client 114 as a proxy to the service 1 lOa-1 lOd . Step 540b begins with the applet 288 in step 840 retrieving the "service" address, which results in directing it to the global server 106. Thus, the applet 288 in step 845 creates a connection with the global server 106. The servlet host engine 386 of the global server 106 in step 850 retrieves the service address of the selected service 1 lOa-1 lOd and the authentication information for the selected service 1 lOa-1 lOd from the keysafe 395. The secure communications engine 396 of the global server 106 in step 855 negotiate secure channel parameters for creating a secure channel with the secure communications engine 486 of the service server 108. Thereafter, the applet 288 in step 860 acts as the I/O interface (enables the user to make requests of the service engine 490) with the secure communications engine 396 of the global server 106. If the servlet host engine 386 in step 865 determines that it is unauthorized to perform a client 114 user's request, then the servlet host engine 386 in step 870 determines whether the method 540b ends, e.g., whether the user has quit. If so, then method 820b ends. Otherwise, method 540b returns to step 860 to obtain another request. If the servlet host engine 386 in step 865 determines that it is authorized to perform the client 114 user's request, then the servlet host engine 386, possibly using servlets 398, acts as the proxy for the client 114 to the service engine 490. As proxy, the servlet host engine 386 forwards the service request to the service 1 lOa-1 lOd for the applet 288 and forwards responses to the requesting applet 288 currently executing on the client 114. Method 540b then returns to step 870.
FIG. 8C is a flowchart illustrating details of step 540 in a third embodiment, referred to as step 540c, wherein the service 1 lOa-1 lOd being requested is located on the global server 106. Step 540c begins with the applet 288 in step 880 retrieving the service address for the service 110a- 1 lOd, which results in providing the applet 288 with the service address of the service 110a- 1 lOd on the global server 106. Thus, the applet 288 in step 882 creates a secure connection with the global server 106. No additional step of identification and authentication is needed since the client 114 has already identified and authenticated itself to the global server 106 in step 510 of FIG. 5.
In step 884, a determination is made whether the service 110a-110d is currently running. If so, then in step 886 a determination is made whether the service 110a-110d can handle multiple users. If not, then the global server 106 in step 890 creates an instance for the user, and the applet 288 in step 892 acts as the I/O interface with the service 110a-110d on the global server 106. Otherwise, if in step 886 it is determined that the service 110a-110d can handle multiple users, then method 540c proceeds directly to step 892. Further, if in step 884 the global server 106 determines that the service 110a-110d is not currently running, then the global server 106 in step 888 initializes the service 110a-110d and proceeds to step 886.
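The two server-side paths just described, step 540b (FIG. 8B) and step 540c (FIG. 8C), as an added Python model that is not part of the patent: the keysafe record stays on the global server, every forwarded request passes the step 865 authorization check first, and a local service that cannot handle multiple users gets one instance per user. All class, method, user and service names and the address 10.0.0.5:143 are constructed for the example.

```python
"""Model of the global server's two paths for step 540: the proxy path of
FIG. 8B (steps 840-875) and the local-service path of FIG. 8C (steps 880-892).
Illustration only; every name and value below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KeysafeEntry:
    """One keysafe 395 record; the applet never receives it."""
    service_address: str
    credential: str


@dataclass(frozen=True)
class Privileges:
    """Client privileges settled in step 510 and consulted on every request."""
    user: str
    services: frozenset    # services this user may reach at all
    operations: frozenset  # operations the servlet host may perform for them


class ServiceEngine:
    """Stand-in for service engine 490, on a service server 108 or on the
    global server itself.  multi_user=False needs one instance per user."""

    def __init__(self, name: str, multi_user: bool, credential: str = "") -> None:
        self.name = name
        self.multi_user = multi_user
        self.credential = credential         # what the service expects from the proxy
        self.running = False
        self.instances: Dict[str, str] = {}  # user -> instance id (step 890)

    def handle(self, user: str, op: str, arg: str) -> str:
        return f"{self.name}.{op}({arg}) as {user}"


class GlobalServer:
    def __init__(self) -> None:
        self.keysafe: Dict[str, KeysafeEntry] = {}
        self.remote: Dict[str, ServiceEngine] = {}  # service_address -> engine
        self.local: Dict[str, ServiceEngine] = {}   # services hosted on the global server
        self.audit: List[str] = []

    # ---- FIG. 8B: global server acting as proxy --------------------------
    def negotiate_channel(self, entry: KeysafeEntry) -> ServiceEngine:
        """Steps 850/855: resolve the keysafe record and authenticate to the
        service server (modelled as a lookup plus credential comparison)."""
        engine = self.remote[entry.service_address]
        if entry.credential != engine.credential:
            raise PermissionError(f"{engine.name} rejected the stored credential")
        return engine

    def proxy_request(self, priv: Privileges, service: str,
                      op: str, arg: str) -> Tuple[bool, str]:
        """Steps 860-875: authorize first, then forward and relay the answer.
        A denied request is logged; the keysafe and service are not touched."""
        if service not in priv.services or op not in priv.operations:
            self.audit.append(f"DENY {priv.user} {service}.{op}")
            return False, "unauthorized"
        engine = self.negotiate_channel(self.keysafe[service])
        self.audit.append(f"FORWARD {priv.user} {service}.{op}")
        return True, engine.handle(priv.user, op, arg)

    # ---- FIG. 8C: service located on the global server -------------------
    def attach_local(self, priv: Privileges, service: str) -> str:
        """Steps 884-892: start the service if needed, give a single-user
        service its own instance per user, return the applet's I/O endpoint."""
        if service not in priv.services:
            self.audit.append(f"DENY {priv.user} {service}")
            raise PermissionError("unauthorized")
        engine = self.local[service]
        if not engine.running:                  # step 884 -> step 888
            engine.running = True
        if engine.multi_user:                   # step 886: one shared instance
            return f"{service}#shared"
        if priv.user not in engine.instances:   # step 890: per-user instance
            engine.instances[priv.user] = f"{service}#{len(engine.instances) + 1}"
        return engine.instances[priv.user]


def demo() -> GlobalServer:
    """Constructed deployment: a remote mail service reached by proxy, plus a
    single-user calendar and a multi-user directory hosted locally."""
    gs = GlobalServer()
    gs.remote["10.0.0.5:143"] = ServiceEngine("mail", True, "secret-for-mail")
    gs.keysafe["mail"] = KeysafeEntry("10.0.0.5:143", "secret-for-mail")
    gs.local["calendar"] = ServiceEngine("calendar", multi_user=False)
    gs.local["directory"] = ServiceEngine("directory", multi_user=True)
    return gs


if __name__ == "__main__":
    gs = demo()
    alice = Privileges("alice", frozenset({"mail", "calendar"}), frozenset({"read"}))
    print(gs.proxy_request(alice, "mail", "read", "inbox"))    # forwarded
    print(gs.proxy_request(alice, "mail", "delete", "inbox"))  # denied: op not allowed
    print(gs.attach_local(alice, "calendar"), gs.audit)
```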
The foregoing description of the preferred embodiments of the invention is by way of example only, and other variations of the above-described embodiments and methods are provided by the present invention. Components of this invention may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. The embodiments described herein have been presented for purposes of illustration and are not intended to be exhaustive or limiting. Many variations and modifications are possible in light of the foregoing teaching. The invention is limited only by the following claims.

Claims

WHAT IS CLAIMED IS:

1. A system comprising: a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and a keysafe for storing a key which enables access to the secured service.
2. The system of claim 1, wherein the communications engine uses SSL technology to create a secure communications link with the client.
3. The system of claim 1, wherein the communications engine negotiates an encryption protocol for transferring messages to and from the client.
4. The system of claim 1, wherein the communications engine uses public key certificates for transferring messages to and from the client.
5. The system of claim 1, wherein the security means uses public key certificates to authenticate the client.
6. The system of claim 1, wherein the security means examines client identity and the level of authentication to determine client privileges.
7. The system of claim 1, wherein the security means examines a global certificate to authenticate the client.
8. The system of claim 1, wherein the security means uses digital signature technology to authenticate the client.
9. The system of claim 1, wherein the servlet host engine forwards to the client a security applet for enabling the client to perform a security protocol recognized by the security means.
10. The system of claim 1, wherein the service is secured by a corporate firewall and the key is configured to enable communication through the firewall.
11. The system of claim 1, further comprising a global firewall for protecting the system.
12. The system of claim 1, further comprising a service address for identifying the location of the secured service.
13. The system of claim 1, wherein the applet provides to the client a direct connection with the secured service.
14. The system of claim 1, further comprising a proxy in communication with the secured service, and wherein the applet enables I/O with the proxy.
15. A method comprising the steps of: establishing a communications link with a client; determining client privileges; providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and retrieving a key which enables access to the secured service.
16. The method of claim 15, wherein establishing a communications link includes the step of using SSL technology to create a secure communications link with the client.
17. The method of claim 15, wherein establishing a communications link includes the step of negotiating an encryption protocol for transferring messages to and from the client.
18. The method of claim 15, wherein establishing a communications link includes the step of using public key certificates for transferring messages to and from the client.
19. The method of claim 15, wherein determining client privileges includes the step of using public key certificates to authenticate the client.
20. The method of claim 15, wherein determining client privileges includes the step of examining client identity and the level of authentication to determine client privileges.
21. The method of claim 15, wherein determining client privileges includes the step of examining a global certificate to authenticate the client.
22. The method of claim 15, wherein determining client privileges includes the step of using digital signature technology to authenticate the client.
23. The method of claim 15, wherein establishing a communications link includes forwarding to the client a security applet for enabling the client to perform a recognized security protocol.
24. The method of claim 15, further comprising the step of using the key to communicate through a firewall to the secured service.
25. The method of claim 15, wherein the method is performed by a global server and further comprising using a global firewall to protect the global server.
26. The method of claim 15, further comprising using a service address to identify the location of the secured service.
27. The method of claim 15, wherein providing includes the step of providing to the client a direct connection with the secured service.
28. The method of claim 15, further comprising using a proxy in communication with the secured service, and wherein providing includes enabling I/O with the proxy.
29. A system comprising: means for establishing a communications link with a client; means for determining client privileges; means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and means for retrieving a key which enables access to the secured service.
30. A computer-based storage medium storing a program for causing a computer to perform the steps of: establishing a communications link with a client; determining client privileges; providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and retrieving a key which enables access to the secured service.
Application PCT/US1998/017410, filed 1998-08-21 (priority date 1998-08-21), "System and method for enabling secure access to services in a computer network", published as WO2000011832A1 on 2000-03-02.
TW200307439A (en) Mechanism for supporting wired and wireless methods for client and server side authentication
US20060122936A1 (en) System and method for secure publication of online content
US20020165783A1 (en) Accounting in peer-to-peer data communication networks
EP1777912B1 (en) Method and system for providing secure access to resources on private networks
Allen et al. The ASP.NET Security Infrastructure

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase
    Ref document number: 98814246.5
    Country of ref document: CN
AK Designated states
    Kind code of ref document: A1
    Designated state(s): CA CN IL JP SG
AL Designated countries for regional patents
    Kind code of ref document: A1
    Designated state(s): AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase
    Ref document number: 2341213
    Country of ref document: CA
    Ref document number: 2341213
    Country of ref document: CA
    Kind code of ref document: A
WWE Wipo information: entry into national phase
    Ref document number: 141530
    Country of ref document: IL
WWE Wipo information: entry into national phase
    Ref document number: 1998943309
    Country of ref document: EP
WWE Wipo information: entry into national phase
    Ref document number: 200100257
    Country of ref document: EA
WWP Wipo information: published in national office
    Ref document number: 1998943309
    Country of ref document: EP