Firewalls for providing security in HTTP networks and applications

US 20030051142A1
Filed: 05/16/2001
Published: 03/13/2003
Est. Priority Date: 05/16/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of signing communications transmitted over a network, comprising:

intercepting a communication being forwarded to a first entity from a second entity over the network;

analyzing the communication;

abstracting the communication to derive parameters for the communication;

generating a signature associated with the communication based on the parameters of the communication;

encrypting the signature to generate an encrypted signature;

combining the encrypted signature with the communication;

permitting the communication with the encrypted signature to be forwarded to the first entity over the network;

wherein the encrypted signature enables a response to the communication from the first entity to be validated by the second entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide security to HTTP applications. Responses sent from a server, such as a web server, are analyzed and a signature is generated for each HTML object in that page. The signature is encrypted and sent to a client along with the contents of the page. When a client later sends a request, the system checks the signature associated with that request with the contents of the request itself. If the values, variables, lengths, and cardinality of the request are validated, then the request is forwarded to the web server. If, on the other hand, the request is invalidated, the request is blocked from reaching the web server, thereby protecting the web server from malicious attacks. The systems and methods offer security without being limited to a session or user.

208 Citations

20 Claims

1. A method of signing communications transmitted over a network, comprising:
- intercepting a communication being forwarded to a first entity from a second entity over the network;
  
  analyzing the communication;
  
  abstracting the communication to derive parameters for the communication;
  
  generating a signature associated with the communication based on the parameters of the communication;
  
  encrypting the signature to generate an encrypted signature;
  
  combining the encrypted signature with the communication;
  
  permitting the communication with the encrypted signature to be forwarded to the first entity over the network;
  
  wherein the encrypted signature enables a response to the communication from the first entity to be validated by the second entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15)
- - 2. The method as set forth in claim 1, wherein combining the encrypted signature with the communication is transparent to the first entity.
  - 3. The method as set forth in claim 1, further comprising checking if the communication is a start page and wherein intercepting does not involve intercepting the start page.
  - 4. The method as set forth in claim 1, further comprising checking if the communication is an except page and wherein intercepting does not involve intercepting the except page.
  - 5. The method as set forth in claim 1, wherein abstracting comprises setting acceptable values for the parameters.
  - 6. The method as set forth in claim 1, wherein abstracting comprises setting acceptable lengths for the parameters.
  - 7. The method as set forth in claim 1, wherein abstracting comprises setting acceptable types for the parameters.
  - 8. The method as set forth in claim 1, wherein abstracting comprises setting cardinality for the parameters.
  - 9. The method as set forth in claim 1, further comprising adding a tag to the communication, the tag being used to specify an action to perform on the communication.
  - 10. The method as set forth in claim 1, further comprising:
    - intercepting a second communication being forwarded by the first entity to the second entity;
      
      decrypting a second signature associated with the second communication;
      
      comparing the second signature with contents of the second communication;
      
      forwarding the second communication to the second entity only if the second signature corresponds with the contents of the second communication; and
      
      blocking the second communication from reaching the second entity if the second signature does not correspond with the contents of the second communication.
  - 12. The method as set forth in claim 1, wherein comparing the parameters with the actual contents comprises checking values of the parameters.
  - 13. The method as set forth in claim 1, wherein comparing the parameters with the actual contents comprises checking lengths of the parameters.
  - 14. The method as set forth in claim 1, wherein comparing the parameters with the actual contents comprises checking cardinality of the parameters.
  - 15. The method as set forth in claim 1, wherein comparing the parameters with the actual contents comprises checking types of the parameters.

11. A method of validating communications received over a network, comprising:
- intercepting a communication being forwarded by a first entity to a second entity;
  
  decrypting a signature associated with the communication to generate a decrypted signature;
  
  ascertaining parameters in the communication based on the decrypted signature;
  
  comparing the decrypted signature and the parameters with actual contents of the communication;
  
  forwarding the second communication to the second entity if the parameters in the signature correspond with the actual contents of the communication; and
  
  blocking the communication from reaching the second entity if the parameters in the decrypted signature do not correspond with the contents of the communication.

16. A system for providing security to communications over a network, comprising:
- a response interception unit for intercepting a communication being forwarded to a first entity from a second entity over the network;
  
  a parsing unit for deriving parameters in the communication;
  
  a signature creation unit for generating a signature associated with the communication based on the parameters of the communication;
  
  an encryption unit for encrypting the signature to generate an encrypted signature;
  
  the parsing combining the encrypted signature with the communication and permitting the communication with the encrypted signature to be forwarded to the first entity over the network;
  
  wherein the encrypted signature enables a response to the communication from the first entity to be validated by the second entity.
- View Dependent Claims (17, 18)
- - 17. The system as set forth in claim 16, further comprising:
    - a request interception unit for intercepting a second communication being forwarded by the first entity to the second entity;
      
      a decryption unit for decrypting a second signature associated with the second communication to generate a decrypted second signature and for ascertaining a second set of parameters in the second communication;
      
      a signature checking unit for comparing the second set of parameters defined by the decrypted signature with actual contents of the second communication;
      
      forwarding the second communication to the second entity if the second set of parameters in the decrypted signature correspond with the actual contents of the communication; and
      
      blocking the second communication from reaching the second entity if the second set of parameters in the decrypted signature do not correspond with the contents of the second communication.
  - 18. The system as set forth in claim 16, further comprising an error unit for generating errors when the second set of parameters in the decrypted signature do not correspond with the actual contents of the second communication.

19. A computer-readable medium for storing software for use in validating communications received over a network, the software for performing a method comprising:
- intercepting a communication being forwarded to a first entity from a second entity over the network;
  
  analyzing the communication;
  
  abstracting the communication to derive parameters for the communication;
  
  generating a signature associated with the communication based on the parameters of the communication;
  
  encrypting the signature to generate an encrypted signature;
  
  combining the encrypted signature with the communication;
  
  permitting the communication with the encrypted signature to be forwarded to the first entity over the network;
  
  wherein the encrypted signature enables a response to the communication from the first entity to be validated by the second entity.

20. A computer-readable medium for storing software for use in validating communications received over a network, the software for performing a method comprising:
- intercepting a communication being forwarded by a first entity to a second entity;
  
  decrypting a signature associated with the communication to generate a decrypted signature;
  
  ascertaining parameters in the communication based on the decrypted signature;
  
  comparing the decrypted signature and the parameters with actual contents of the communication;
  
  forwarding the second communication to the second entity if the parameters in the signature correspond with the actual contents of the communication; and
  
  blocking the communication from reaching the second entity if the second set of parameters in the decrypted signature do not correspond with the contents of the communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Grupo S21sec Gestion SA
Original Assignee
Grupo S21sec Gestion SA
Inventors
Lleonart, Xabier Panadero, Hidalgo, Lluis Mora

Application Number

US09/859,123
Publication Number

US 20030051142A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 63/04 for providing a confidentia...

Firewalls for providing security in HTTP networks and applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

208 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Firewalls for providing security in HTTP networks and applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

208 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links