Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Security kernel or utility
Reexamination Certificate
1998-12-17
2002-04-02
Peeso, Thomas R. (Department: 2132)
C713S152000, C713S168000
active
06367009
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a computer system, and deals more particularly with a method, system, and computer-readable code for delegating authentication and authority from a client to a server in order that the server can establish a secure connection (using SSL or an analogous security protocol) to a back-end application on behalf of the client.
DESCRIPTION OF THE RELATED ART
Secure Sockets Layer, or “SSL”, is a networking protocol developed by Netscape Communications Corp. and RSA Data Security, Inc. to enable secure network communications in a non-secure environment. More particularly, SSL is designed to be used in the Internet environment, where it operates as a protocol layer above the TCP/IP (Transmission Control Protocol/Internet Protocol) layers. The application code then resides above SSL in the networking protocol stack. After an application (such as a browser) creates data to be sent to a peer in the network, the data is passed to the SSL layer where various security procedures are performed on it, and the SSL layer then passes the transformed data on to the TCP layer. On the receiver's side of the connection, after the TCP layer receives incoming data it passes that data upward to the SSL layer where procedures are performed to restore the data to its original form, and that restored data is then passed to the receiving application. The most recent version of SSL is described in detail in “The SSL Protocol, Version 3.0”, dated Nov. 18, 1996 and available on the World Wide Web (“Web”) at http://home.netscape.com/eng/ssl3/draft302.txt (hereinafter, “SSL specification”).
The protocols underlying the Internet (TCP/IP, for example) were not designed to provide secure data transmission. The Internet was originally designed with the academic and scientific communities in mind, and it was assumed that users of the network would be working in non-adversarial, cooperative manners. As the Internet began to expand into a public network, usage outside these communities was relatively limited, with most of the new users located in large corporations. These corporations had the computing facilities to protect their users' data with various security procedures, such as firewalls, that did not require security to be built into the Internet itself. In the past several years, however, Internet usage has skyrocketed. Millions of people now use the Internet and the Web on a regular basis. (Hereinafter, the terms “Internet” and “Web” are used synonymously unless otherwise indicated.) These users perform a wide variety of tasks, from exchanging electronic mail messages to searching for information to performing business transactions. These users may be accessing the Internet from home, from their cellular phone, or from a number of other environments where security procedures are not commonly available. To support the growth of the Internet as a viable place to do business, often referred to as “electronic commerce” or simply “e-commerce”, easily-accessible and inexpensive security procedures had to be developed. SSL is one popular solution, and is commonly used with applications that send and receive data using the HyperText Transfer Protocol (“HTTP”). HTTP is the protocol most commonly used for accessing that portion of the Internet referred to as the Web. When HTTP is used with SSL to provide secure communications, the combination is referred to as “HTTPS”. Non-commercial Internet traffic can also benefit from the security SSL provides.
SSL has been proposed for use with data transfer protocols other than HTTP, such as Simple Mail Transfer Protocol (“SMTP”) and Network News Transfer Protocol (“NNTP”).
SSL is designed to provide several different but complementary types of security. First is message privacy. Privacy refers to protecting message content from being readable by persons other than the sender and the intended receiver(s). Privacy is provided by using cryptography to encrypt and decrypt messages. SSL uses asymmetric cryptography, also known as public-key cryptography. A message receiver can only decrypt an encrypted message if he has the proper private key and decryption algorithm that are associated with the message creator's public key. Second, SSL provides data integrity for messages being transmitted. Data integrity refers to the ability for a message recipient to detect whether the message content was altered after its creation (thus rendering the message untrustworthy). A message creator passes the message through an algorithm which creates what is called a “message digest”, or “message authentication code”. This digest is sent along with the message. When the message is received, the receiver also processes the message through an algorithm, creating another digest. If the digest computed by the receiver does not match the digest sent with the message, then it can be assumed that the message contents were altered in some way after the message was created. The third security feature SSL provides is known as authentication. Communications over the Internet take place as a sequence of electronic signals, without the communicating parties being able to see each other and visually determine with whom they are communicating. Authentication is a technique that helps to ensure that the parties are who they represent themselves to be—whether the party is a human user or an application program.
For example, if a human user is buying goods over the Internet using a credit card, it is important for him to know that the application waiting on the other end of the connection for his credit card information is really the vendor he believes he is doing business with, and not an impostor waiting to steal his credit card information.
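The data-integrity mechanism described above, as an added example that is not part of the patent text: the sender attaches a keyed digest to each record, and the receiver recomputes it and rejects the record on mismatch. HMAC-SHA256 stands in for the SSL 3.0 keyed-hash construction, and the shared MAC key and the sample records are constructed values; as in SSL, the digest also covers a record sequence number, so a replayed or reordered record is detected along with an altered one.

```python
import hashlib
import hmac
import struct

# Assumed: a MAC secret both parties derived during the handshake
# (constructed sample value for this example only).
MAC_KEY = b"constructed-shared-mac-secret"
DIGEST_LEN = hashlib.sha256().digest_size


def compute_digest(key: bytes, seq_num: int, content: bytes) -> bytes:
    """The 'message digest' the creator attaches to a record.

    The digest is keyed and covers a 64-bit sequence number as well as the
    content, so neither the content nor the record's position in the stream
    can be changed without the digest failing to match.
    """
    return hmac.new(key, struct.pack(">Q", seq_num) + content, hashlib.sha256).digest()


def protect(key: bytes, seq_num: int, content: bytes) -> bytes:
    """Sender side: send the digest along with the message."""
    return content + compute_digest(key, seq_num, content)


def verify(key: bytes, expected_seq: int, record: bytes):
    """Receiver side: recompute the digest and compare with the one sent.

    Returns (ok, content). ok is False if the content or digest was altered
    in transit, or if the record is out of sequence (replayed or reordered).
    """
    if len(record) < DIGEST_LEN:
        return False, b""
    content, sent_digest = record[:-DIGEST_LEN], record[-DIGEST_LEN:]
    # Constant-time comparison so a mismatch does not leak which byte differed.
    ok = hmac.compare_digest(compute_digest(key, expected_seq, content), sent_digest)
    return ok, content


if __name__ == "__main__":
    record = protect(MAC_KEY, 0, b"order 42 amount 10.00")
    print(verify(MAC_KEY, 0, record))                        # accepted
    print(verify(MAC_KEY, 0, record.replace(b"10.00", b"99.00")))  # altered content
    print(verify(MAC_KEY, 1, record))                        # replayed / out of order
```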
These security features are very powerful, and provide a high degree of protection for Internet users. However, SSL was designed as a two-party protocol, to be used in a client/server environment. The SSL protocol provides for a client to request a secure communication session by sending a message to a server application. The server then responds, and a sequence of messages is exchanged in a handshaking protocol where the various security-related parameters are negotiated. The encryption algorithms to be used for message privacy and data integrity are agreed upon, and both the client and server may authenticate each other's identity. (SSL also provides modes where the client and server are not authenticated, but those modes are not pertinent to the present discussion.) Authentication is performed during the handshake by exchanging digital certificates. (Digital certificates will be discussed in more detail below.) The server sends its certificate to the client, enabling the client to authenticate the server's identity. The server then requests the client's certificate, which the client sends in order that the server can also authenticate the client's identity. If the authentication results are acceptable, the parties complete the handshake, and begin to exchange encrypted application data over the secure session they have established.
The client-server model for network computing is being extended in the Web environment to what is referred to as a “three-tier architecture”. This architecture places the Web server in the middle tier, where the added third tier typically represents a back-end legacy application, or data repositories of information that may be accessed by the Web server as part of the task of processing the client's request. This three-tiered architecture recognizes the fact that many client requests do not simply require the location and return of static data by the Web server, but require an application program to perform processing of the client's request in order to dynamically create and format the data to be returned. In this architecture, the Web server may be referred to as an “application server”, or “middle-tier server”. For example, a human user interacting with a Web browser on his computer may access a transaction server such as CICS® by sending a CICS r
Davis Mark Charles
Kuehr-McLaren David G.
Shoriak Timothy Glenn
Doubet Marcia L.
Doudnikoff Gregory M.
International Business Machines Corporation
Peeso Thomas R.