Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1999-06-19
2001-10-09
Swann, Tod (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
Reexamination Certificate
active
06301661
ABSTRACT:
FIELD OF THE INVENTION
The present invention generally relates to information technology, and more particularly relates to enhancing security for applications employing downloadable executable content over a computer network.
BACKGROUND OF THE INVENTION
In basic terms, people often wish to communicate with one another with a degree of privacy or confidentiality. Accordingly, in a computer network environment, a message may be enciphered before being transmitted over an insecure network, such as the Internet. The enciphered message has thus been converted from “plaintext” to “ciphertext.” The intended receiver of the message may then decipher the “ciphertext” message to obtain a “plaintext” version thereof. The terms encipher and decipher are used instead of the terms encrypt and decrypt in accordance with ISO 7498-2.
In the computer network environment, confidentiality is one goal among others. Other goals include authentication, authorization, data integrity, and nonrepudiation. By authentication, it is meant that it should be possible for the receiver of information to ascertain its origin to mitigate against the possibility of an interloper masquerading as the sender. By authorization, it is meant that is should be possible to ascertain whether a user is permitted to perform an operation. By data integrity, it is meant that it should be possible for the receiver of data to verify that it has not been modified in transit to mitigate against the possibility of an intruder introducing false data. By nonrepudiation, it is meant that a sender should not be able to falsely deny origination of a message sent by them. Thus, enhancing security of a computer network may include enhancing one or more of these goals of confidentiality, authentication, authorization, data integrity, and nonrepudiation.
As mentioned above, plaintext is converted into ciphertext to enhance security. This transformation conventionally uses a cryptographic algorithm or cipher. Moreover, a cipher is conventionally used to convert the ciphertext back to plaintext. For either type of conversion, a cipher is conventionally a mathematical function for enciphering or deciphering a message.
Modern cryptography employs one or more “keys.” A “key” in a cryptographic sense is employed to “lock” (encipher) or “unlock” (decipher) a message. However, a “key” in cryptographic sense is conventionally one or more numbers. In a security system premised on secrecy of keys and not secrecy of algorithms using the keys, algorithms may be widely published without significantly adversely harming security.
Security protocols have been developed using one or more ciphers to achieve one or more of the above-mentioned goals of confidentiality, authentication, authorization, data integrity, and nonrepudiation. Two examples of such protocols are Kerberos and Secure Sockets Layer (SSL). Each of these protocols are described in more detail in allowed co-pending U.S. patent application, application Ser. No. 08/799,402, filed Feb. 12, 1997, entitled “Method for Providing Secure Remote Command Execution Over an Insecure Computer Network” to the named inventor herein (hereinafter referred to as “Shambroom-I”).
In Shambroom-I, an approach for increasing security of data transmission between a client and a server is described. However, Shambroom-I does not provide enhance security with a “mobile code” technology, including without limitation Java (Java is a trademark of Sun Microsystems, Inc.). Java is one example of a platform-independent object-oriented programming language used for writing “applets” that are downloadable over a network (for example, the Internet) by a client and executable on the client's machine. “Applets” are applications programs that downloadable and run in a client's web browser or applet viewer. In other words, Shambroom-I does not provide enhanced security for applications employing downloadable executable content.
Accordingly, it would be desirable to provide enhanced security for applications employing downloadable executable content.
SUMMARY OF THE INVENTION
The present invention provides method and computer network for enhanced security for an application using downloadable executable content. Enciphered communication is established between a client and a gateway, and login information is provided from the client to the gateway. Communication is established between the gateway and an authentication server. Client-identifying information associated with the login information is provided to the authentication server, and in return client-authenticating information is obtained from the authentication server. The client-authenticating information is encoded and provided to the client. The encoded client-authenticating information may subsequently be provided to the gateway, which information may be accompanied by remote login information. This encoded client-authenticating information and remote login information may be used to dynamically create one or more parameter values. The one or more parameter values, as well as downloadable executable content, are provided from the gateway to the client. The application may execute the downloadable executable content on the client using the one or more parameter values.
After which, the remote login information and the one or more parameter values may be provided from the client to an execution server of the gateway. The parameter values are decoded to obtain the encoded client-authenticating information. The encoded client-authenticating information is then decoded. At least a portion of the decoded client-authenticating information may be provided to the authentication server for receipt of one or more keys and/or other authenticating credentials for communication with a remote host. The one or more keys and/or other authenticating credentials and at least a portion of the remote login information may be used to establish communication with the remote host to provide a bi-directional data path between the remote login host and the client through the gateway. The bi-directional data path may comprise enciphered communication over an insecure network between the client and the gateway and between the gateway and the remote host.
Accordingly, it should be appreciated that one or more security protocols may be employed in accordance with the present invention to establish enciphered communication over the insecure network portions. This enciphered communication, along with the above-mentioned method and computer network may be used for enhanced security for a subsequent login session, including without limitation a remote login session. Advantageously, method and computer network in accordance with the present invention may be employed for remote maintenance of a computer or computer network, electronic commerce (“e-commerce”), and the like where enhanced security is desirable. Additionally, it should be appreciated that such method and computer network allows for a security protocol, which may not be supported by a particular client, to be supported owing to the downloadable executable content.
These and other features, advantages, objects and embodiments of the present invention will become more apparent from reading the following Detailed Description of the Preferred Embodiments or by practicing the present invention.
REFERENCES:
patent: 5313521 (1994-05-01), Torii et al.
patent: 5349643 (1994-09-01), Cox et al.
patent: 5416842 (1995-05-01), Aziz
patent: 5511122 (1996-04-01), Atkinson
patent: 5590199 (1996-12-01), Krajewski, Jr. et al.
patent: 5604803 (1997-02-01), Aziz
patent: 5764687 (1998-06-01), Kells et al.
patent: 5768504 (1998-06-01), Kells et al.
patent: 5862325 (1999-01-01), Reed et al.
patent: 5875296 (1999-02-01), Shi et al.
patent: 5884312 (1999-03-01), Dustan et al.
patent: 6092194 (2000-07-01), Touboul et al.
patent: 6154844 (2000-11-01), Touboul et al.
Ladd et al, Using HTML 3.2, JAVA 1.1 and CGI, Nov. 96, Que Corporation, Chapter 46, pp. 1047-1063.*
Gradient Technologies, Inc., Web Integration Strategies: Believe It or Not-Gradient Technologies&
Smithers Matthew
Suchyta Leonard Charles
Swann Tod
Verizon Labortories Inc.
LandOfFree
Enhanced security for applications employing downloadable... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Enhanced security for applications employing downloadable..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Enhanced security for applications employing downloadable... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2612777