Browser security module

US 10,313,112 B2
Filed: 12/28/2015
Issued: 06/04/2019
Est. Priority Date: 12/06/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a secure key via a link received at a browser on a client device from an authentication server;

receiving first active content at the browser;

executing the first active content, wherein the first active content causes the secure key to be stored in a security module associated with the browser, the security module having an interface enabling active content executing in the browser to cause the security module to perform one or more operations using the secure key;

receiving, at the browser, second active content associated with a domain, the second active content, when executed, contacting the security module;

performing, by the security module, an operation of the one or more operations using the secure key, the operation based at least in part on a characteristic of the second active content or the domain associated with the active content; and

enabling the second active content to obtain a result of the operation from the security module and send a request using the result to a server to obtain content from the server upon authentication by the server that the result was produced using the secure key, without exposing the secure key to the second active content.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving a secure key via a link received at a browser on a client device from an authentication server;
  
  receiving first active content at the browser;
  
  executing the first active content, wherein the first active content causes the secure key to be stored in a security module associated with the browser, the security module having an interface enabling active content executing in the browser to cause the security module to perform one or more operations using the secure key;
  
  receiving, at the browser, second active content associated with a domain, the second active content, when executed, contacting the security module;
  
  performing, by the security module, an operation of the one or more operations using the secure key, the operation based at least in part on a characteristic of the second active content or the domain associated with the active content; and
  
  enabling the second active content to obtain a result of the operation from the security module and send a request using the result to a server to obtain content from the server upon authentication by the server that the result was produced using the secure key, without exposing the secure key to the second active content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the security module has bindings to one or more types of active content or active script, the one or more types of active content or active script enabling the secure key to be managed by the security module.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving, by the security module, an outbound request to a server generated by the active content, the outbound request including information indicating the outbound request is to be signed using a specific key or credential stored at the security module;
      
      replacing, by the security module, the information with a signature generated at least in part using the specific key or credential; and
      
      causing, by the security module, the outbound request with the signature to be sent to the server.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving, by the security module, an inbound message to the active content, the inbound message including at least one of a credential or signature;
      
      removing, by the security module, the at least one of a credential or signature from the inbound message; and
      
      sending, by the security module, the inbound message to the active content.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving the secure key to the client device through a secure channel to the security module, the secure channel being inaccessible to the active content.
  - 6. The computer-implemented method of claim 1, wherein the security module is operable to provide an encrypted token including the secure key with the result, the active content being unable to decrypt the encrypted token to access the secure key.
  - 7. The computer-implemented method of claim 1, wherein the secure key is obtained by the client device by using a link fragment provided to the client device.
  - 8. The computer-implemented method of claim 1, wherein a user is able to communicate with the security module using a first secure channel for the entry of secure information and using a second secure channel for the manipulation of metadata pertaining to an authorized use of the secure information.
  - 9. The computer-implemented method of claim 1, wherein the result includes at least one of a request signed using the secure key, a request verified using the secure key, data encrypted using the secure key, or data decrypted using the secure key.

10. A computer-implemented method, comprising:
- receiving a set of security credentials via a link received a browser on a client device from an authentication server;
  
  receiving first active script at the browser,executing the first active script, wherein the first active script causes the set of security credentials, including at least a secure key encoded by a client token, to be stored in a security module associated with the browser, the security module having an interface enabling active content executing in the browser to cause the security module to perform one or more operations using the secure key;
  
  receiving second active content, wherein the second active content, when executed in the browser, contacts the security module to produce a result using the secure key, the result including the client token;
  
  performing, by the security module, an operation of the one or more operations using the secure key, the operation based at least in part on a characteristic of the second active content;
  
  enabling the active content executing in the browser to receive-the result of the operation from the security module, without exposing the secure key to the second active content; and
  
  sending, via the second active content, a request using the result to a server to obtain content upon authentication by the server that the result was produced using the secure key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer-implemented method of claim 10, wherein the secure key is received through a secure channel from a user or generated by the security module.
  - 12. The computer-implemented method of claim 10, wherein the security module has bindings to one or more types of active content or active script, the one or more types of active content or active script enabling the secure key to be managed by the security module.
  - 13. The computer-implemented method of claim 10, wherein the result includes at least one of a request signed using the secure key, a request verified using the secure key, data encrypted using the secure key, or data decrypted using the secure key.
  - 14. The computer-implemented method of claim 10, wherein the secure key is obtained from an authentication entity through use of a fragment of the link provided to the client device.
  - 15. The computer-implemented method of claim 10, wherein a user is able to communicate with the security module using a first secure channel for the entry of secure information and using a second secure channel for the manipulation of metadata pertaining to an authorized use of that secure information.
  - 16. The computer-implemented method of claim 10, wherein the active content executing in the browser is determined to be able to contact the security module to produce a result using the secure key based at least in part upon at least one policy associated with the secure key.
  - 17. The computer-implemented method of claim 10, wherein the browser and the active content are unable to access at least the secure key, the active content operable to contact the security module to sign the result using the secure key and to submit the result to the security module.

18. A computing device, comprising:
- a device processor;
  
  a security module associated with a browser application on the computing device; and
  
  memory including instructions that, when executed by the device processor, cause the computing device to;
  
  receive a secure key via a link at a browser on a client device;
  
  receive first active content at the browser;
  
  execute the first active content, wherein the first active content causes the secure key to be stored in a security module associated with the browser, the security module having an interface enabling active content executing in the browser to cause the security module to perform one or more operations using the secure key;
  
  receive, at the browser, second active content, the second active content, when executed, contacting the security module to produce a result using the secure key;
  
  perform, by the security module, an operation of the one or more operations using the secure key, the operation based at least in part on a characteristic of the second active content;
  
  enable the second active content to receive the result of the operation without exposing the key to the active content; and
  
  sending, via the second active content, a request using the result to a server to obtain content upon authentication by the server that the result was produced using the secure key.
- View Dependent Claims (19, 20)
- - 19. The computing device of claim 18, wherein the secure key is obtained from an authentication entity through use of a fragment of the link provided to the client device.
  - 20. The computing device of claim 18, wherein the instructions, when executed, further cause the computing device to:
    - enforce at least one policy indicating which active content of a plurality of active content is permitted to perform certain operations using the secure key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Fitch, Nathan R., Roth, Gregory B., Baer, Graeme D.
Primary Examiner(s)
Tolentino, Roderick

Application Number

US14/980,033
Publication Number

US 20170187521A1
Time in Patent Office

1,254 Days
Field of Search

726 2- 10
US Class Current
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 67/02   based on web technology, e....

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Browser security module

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Browser security module

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links