Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication
Reexamination Certificate
1999-03-31
2004-03-23
Wright, Norman M. (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Central trusted authority provides computer authentication
C713S157000
Reexamination Certificate
active
06711679
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates to a computer networking system, and deals more particularly with a method, system, and computer-readable code for delegating authentication and authority from a client to a server in order that the server can establish a secure connection to a back-end application on behalf of the client.
2. Related Art
As the amount of commerce continues to increase over networks, such as the Internet, security becomes a much larger issue. Unfortunately, the protocols underlying the Internet such as TCP/IP (Transmission Control Protocol/Internet Protocol), were not designed to provide secure data transmission. The Internet was originally designed with the academic and scientific communities in mind, and it was assumed that the users of the network would be working in non-adversarial, cooperative manners. As the Internet began to expand into a public network, usage outside these communities was relatively limited, with most of the new users located in large corporations. These corporations had the computing facilities to protect their user's data with various security procedures, such as firewalls, that did not require security to be built into the Internet itself. In the past several years, however, Internet usage has skyrocketed. Millions of people now use the Internet and the Web on a regular basis. (Hereinafter, the terms “Internet” and “Web” are used synonymously unless otherwise indicated.) These users perform a wide variety of tasks, from exchanging electronic mail messages to searching for information to performing business transactions. These users may be accessing the Internet from home, from their cellular phone, or from a number of other environments where security procedures are not commonly available.
To support the growth of business on the Internet, often referred to as “electronic commerce” or simply “e-commerce,” easily-accessible and inexpensive security procedures had to be developed. A first commonly used security measure involves a Public Key Infrastructure (hereinafter “PKI”). PKI utilizes certificates as a basis for a security infrastructure. Certificates utilize public keys and third party verification entities to allow servers to decode client transmissions and authenticate the clients identity. In operation, a first node in a network can encrypt a message with their own private key. The message can be read by a second node with the first node's public key. A public key can only be used to decrypt messages created by the private key and cannot be used to encrypt messages. Thus, the first node is free to distribute their public key. One way in which public keys are distributed is by including them in certificates. There are a number of standards for certificates including the X0.509 standard, which defines a standard format for certificates. X0.509 is an ITU Recommendation and International Standard that defines a framework for providing authentication. (See “ITU Recommendation X0.509 (1997) Information Technology—Open Systems Interconnection—The Directory: Authentication Framework”, hereinafter “Directory specification”, dated 11/93. This information is also published in International Standard ISDO/IEC 9594-8 (1995).) A certificate format is defined in this standard. Certificates created according to this international standard, in the defined format, are referred to as “X0.509 certificates”.
In addition, Secure Sockets Layer, or “SSL” is also utilized to set up encrypted communication links and make use of certificates. SSL is commonly used with applications that send and receive data using the HyperText Transfer Protocol (“HTTP”). HTTP is the protocol most commonly used for accessing that portion of the Internet referred to as the Web. When HTTP is used with SSL to provide secure communications, the combination is referred to as “HTTPS.” Non-commercial Internet traffic can also benefit from the security SSL provides. SSL has been proposed for use with data transfer protocols other than HTTP, such as Simple Mail Transfer Protocol (“SMTP”) and Network News Transfer Protocol (“NNTP”).
SSL is a networking protocol developed by Netscape Communications Corp. and RSA Data Security, Inc. to enable secure network communications in a non-secure environment, where it operates as a protocol layer above the TCP/IP layers. The application code then resides above SSL in the networking protocol stack. After an application (such as a browser) creates data to be sent to a peer in the network, the data is passed to the SSL layer where various security procedures are performed on it, and the SSL layer then passes the transformed data on to the TCP layer. On the receiver's side of the connection, after the TCP layer receives incoming data, the data is passed upward to the SSL layer where procedures are performed to restore the data to its original form, and that restored data is then passed to the receiving application. The most recent version of SSL is described in detail in “the SSL Protocol, Version 3.0,” dated Nov. 18, 1996 and available on the World Wide Web (“Web”) at http ://home.netscape.com/eng/ss 13/draft302.txt (hereinafter, “SSL specification”).
These security features are very powerful, and provide a high degree of protection for Internet users. However, both PKI and SSL were designed as two-party protocols, to be used in a simple client/server environment. The SSL protocol allows a client to request a secure communication session by sending a message to a server application. The server then responds, and a sequence of messages are exchanged in a handshaking protocol where the various security-related parameters are negotiated. The encryption algorithms to be used for message privacy and data integrity are agreed upon, and both the client and server may authenticate each other's identity. Authentication is performed during the handshake by exchanging digital certificates. The server sends its certificate to the client, enabling the client to authenticate the server's identity. The server then requests the client's certificate, which the client sends in order that the server can also authenticate the client's identify. If the authentication results are acceptable, the parties complete the handshake, and begin to exchange encrypted application data over the secure session they have established.
While the aforementioned security measures have proved to be useful for a two-party protocol, the traditional client-server model for network computing is being extended in the web environment to what is referred to as a “multi-tier architecture.” This architecture may be characterized as a chain of nodes (e.g., a client and multiple servers) wherein a middle-tier or intermediate server may need to contact an end-tier server on behalf of the client. In such a case, the middle-tier server is said to be acting as a delegate of the client, and the process is generally referred to as delegation. In general, there is no limitation on the number of nodes involved in a delegation process. Thus, a first-tier server in contact with a client may be required to act as a delegate of the client by contacting a second-tier server on the client's behalf, and the second-tier server may be required to contact a third-tier server on behalf of either/both the second-tier server or the client.
This multi-tiered architecture recognizes the fact that many client requests do not simply require the location and return of static data by the first server, but require an application program to perform processing of the client's request in order to dynamically create and format the data to be returned. For example, during a commercial transaction between a client and a first server, the first server may need to contact a second server to collect financial information or perform a financial transaction on behalf of the client. In turn, the second server may need to collect a credit history on behalf of the client from a third server, etc. During each such new request in such a chain, it is of
Guski Richard H.
Hahn Timothy J.
Baum Ronald
Samodovitz Arthur J.
Schmeiser Olsen & Watts
Wright Norman M.
LandOfFree
Public key infrastructure delegation does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Public key infrastructure delegation, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Public key infrastructure delegation will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3220513