Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-04-15
2001-06-26
Grant, William (Department: 2121)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06253325
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention generally relates to computers and software, and more particularly, to security involved in accessing a web resource on a server with a client browser.
2. Description of Related Art
As known in the art, the Internet is a world-wide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high speed data communication lines between major nodes or host computers consisting of thousands of commercial government educational and other computer systems that route data and messages.
World Wide Web (WWW) refers to the total set of interlinked hypertext documents residing on hypertext transfer protocol (HTTP) servers all around the world. Documents on the WWW, called pages or web pages, are written in hypertext mark-up language (HTML) identified by uniform resource locators (URL) that specify the particular machine and pathname by which a file can be accessed and transmitted from node to node to the end user under HTTP. A web site is a related group of these documents and associated files, scripts, subprocedures, and databases that are served up by an HTTP server on the WWW.
Users need a browser program and an Internet connection to access a web site. Browser programs, also called “web browsers,” are client applications that enable a user to navigate the Internet and view HTML documents on the WWW, another network, or the user's computer. Web Browsers also allow users to follow codes called “tags” imbedded in an HTML document, which associate particular words and images in the document with URLs so that a user can access another file that may be half way around the world, at the press of a key or the click of a mouse.
These files may contain text (in a variety of fonts and styles), graphic images, movie files, and sounds as well as java applets, perl applications, other scripted languages, active X-controls, or other small imbedded software programs that execute when the user activates them by clicking on a link. Scripts are applications that are executed by a HTTP server in response to a request by a client user. These scripts are invoked by the HTTP daemon to do a single job, and then they exit.
One type of script is a common gateway interface (CGI) script. Generally, a CGI script is invoked when a user clicks on an element in a web page, such as a link or image. CGI scripts are used to provide interactivity in a Web page. CGI scripts can be written in many languages including C, C++, and Perl. A CGI-BIN is a library of CGI scripts applications that can be executed by a HTTP server.
A key difficulty with access to these documents and associated files, scripts, subprocedures, and databases that are served up by an HTTP server on the WWW is that of security. How does one ensure that only allowed users from allowed client systems are permitted access to the server application and also ensure that access cannot be perverted to malicious purposes?
The method currently being used involves use of a “cookie.” Cookies are blocks of data that a server returns to a client in response to a request from the client. The block of data is then stored on a client's system. When the client returns to the same web site, the client sends a copy of the cookie back to the server, thereby identifying the client to the server. Cookies are used to identify users, to instruct the server to send a customized version of the requested web page, to submit account information for the user, and for other administrative purposes. On most systems, a cookie program is run during user logon.
The prior solution for providing security when accessing web resources suffers from the following security weaknesses. It will be shown later how the present invention addresses and overcomes certain of these difficulties.
A problem with the prior solutions is that the host addresses and user names (i.e., user logon information) are sent in plain text that is very open to “spoofing”. A knowledgeable hacker can transmit packets pretending to be from another machine or another user to thereby gain unauthorized access to the server.
Yet another problem arises when multiple levels of user security are attempted. The cookie method only allows a single level of security. Moreover, the use of cookies does not allow for a user application to be integrated with a security system. Currently, cookies are part of the client browser program and are separate from a user application.
Another problem in the prior art is that the authentication is weak. This is because the server accepts the user and host name as identified in the transmission without proof. Furthermore, there is a problem in that no state is maintained since each command transaction stands alone. This leaves these methods open to “replay attacks” wherein a hacker captures a valid network packet, alters some details (like the name of the user or the command to execute) and resends it.
However, until now, network systems have lacked the ability to provide flexible and heightened security for web documents on the Internet or other types of networks.
SUMMARY OF THE INVENTION
Certain objects, advantages, and novel features of the invention will be set forth in part in the description that follows and in part will become apparent to those skilled in the art upon examination of the following or may be learned with the practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.
To achieve the advantages and novel features, the present invention is generally directed to an apparatus and method for providing flexible and heightened security for accessing web resources with a client browser, where the web resources are on a server.
In accordance with one embodiment of the present invention, a client user interface (browser) generates a token. That token is sent to a security server to provide third party validation of a client user request for service. The client user interface then makes a call to a server application for service, and the client user interface sends with the call to the server application the token as an argument of the call for service.
The server application receives the request for service from the client user interface and then performs its own login authorization of the client user. If the authorization is okay, then it performs a call to the required CGI-BIN application program for the requested service.
The CGI-BIN program called for the requested service receives the requested service identifier and arguments among which is the client user interface generated token. The requested program establishes a connection to the security server, and then sends the token received as an argument to the security server for verification.
The security server receives the token for verification from the requested program and verifies the token received from the requested program with the token received from the client user interface. If the tokens match, then the security server returns to the requested program the indication that the token is verified. Upon verifying a token for a requested user program, the security server returns to the state of waiting to receive a token from a client user interface.
The requested program then executes the requested program and sends the output to the server application before exiting. The server application receives the output from the requested program and returns the data to the client user interface (browser) for display to the client user at which point the server application returns back to the state of waiting for a request for service from a client user interface.
In accordance with another embodiment of the present invention, multiple levels of user security and are implemented for protection of web resources.
In accordance with yet another embodiment of the present invention, an apparatus and method f
Bryant Craig W.
Goin Todd M.
Steele Douglas W.
Grant William
Hartman, Jr. Ronald
Hewlett--Packard Company
LandOfFree
Apparatus and method for securing documents posted from a... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Apparatus and method for securing documents posted from a..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Apparatus and method for securing documents posted from a... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2438946