Secured web entry server

US 20030177387A1
Filed: 03/15/2002
Published: 09/18/2003
Est. Priority Date: 03/15/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for accepting a message received from an untrusted network by a secure entry server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:

receiving the message in an external partition of the server;

verifying the message protocol;

converting the message into an internal message, the internal message characterized by an internal message protocol;

transferring the internal message to an internal partition of the server;

verifying the protocol of the internal message; and

accepting the message by the secure entry server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Secure Entry Server (SES) provides for secure and traceable communication between a trusted network and an untrusted network. The SES includes a first partition in communication with the untrusted network and a second partition in communication with the trusted network. Communication between the first and second partition is preferably initiated by a request from the second partition. An incoming message is reformatted into a SES message after an initial check before being read by the second partition. The SES message is reformatted according to the protocol supported by the requested trusted resource after filtering and verification and tagged with a security label before passing into the trusted network

88 Citations

View as Search Results

64 Claims

1. A method for accepting a message received from an untrusted network by a secure entry server in communication with a trusted network, the message characterized by a message protocol, the method comprising the steps of:
- receiving the message in an external partition of the server;
  
  verifying the message protocol;
  
  converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  transferring the internal message to an internal partition of the server;
  
  verifying the protocol of the internal message; and
  
  accepting the message by the secure entry server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further including the step of attaching an access ticket to the internal message.
  - 3. The method of claim 2 further including after the step of attaching, the step of formatting the internal message according to the message protocol of the received message.
  - 4. The method of claim 1 wherein the step of verifying the message protocol includes the step of dropping the message if the message does not conform to the message protocol.
  - 5. The method of claim 1 wherein the step of verifying the internal message protocol includes the step of dropping the internal message if the internal message does not conform to the internal message protocol.
  - 6. The method of claim 2 further including the step of forwarding the accepted message to the trusted network based on the access ticket.

7. A secure entry server for accepting a message received from an untrusted network, the message characterized by a message protocol, the secure entry server in communication with a trusted network, the secure entry server comprising:
- (a) means for receiving the message in an external partition of the server;
  
  (b) means for verifying the message protocol;
  
  (c) means for converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  (d) means for transferring the internal message to an internal partition of the server;
  
  (e) means for verifying the protocol of the internal message; and
  
  (f) means for accepting the message by the secure entry server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The secure entry server of claim 7 further including means for attaching an access ticket to the internal message.
  - 9. The secure entry server of claim 8 further including means for formatting the internal message according to the message protocol of the received message.
  - 10. The secure entry server of claim 7 further including means for dropping the message if the message does not conform to the message protocol.
  - 11. The secure entry server of claim 7 further includes means for dropping the internal message if the internal message does not conform to the internal message protocol.
  - 12. The secure entry server of claim 8 further including means for forwarding the accepted message to the trusted network based on the access ticket.

13. A computer-readable medium having computer-executable instructions for performing a method for accepting a message received from an untrusted network by a secure entry server in communication with a trusted network, the message characterized by a message protocol, the method comprising:
- receiving the message in an external partition of the server;
  
  verifying the message protocol;
  
  converting the message into an internal message, the internal message characterized by an internal message protocol;
  
  transferring the internal message to an internal partition of the server;
  
  verifying the protocol of the internal message; and
  
  accepting the message by the secure entry server.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable medium of claim 13 further including computer-executable instructions for attaching an access ticket to the internal message.
  - 15. The computer-readable medium of claim 14 further including computer-executable instructions for formatting the internal message according to the message protocol of the received message.
  - 16. The computer-readable medium of claim 13 further including computer-executable instructions for dropping the message if the message does not conform to the message protocol.
  - 17. The computer-readable medium of claim 13 further including computer-executable instructions for dropping the internal message if the internal message does not conform to the internal message protocol.
  - 18. The computer-readable medium of claim 14 further including computer-executable instructions for forwarding the accepted message to the trusted network based on the access ticket.

19. A secure entry server comprising:
- an external partition in communication with an untrusted network, the external partition configured to convert a message from the untrusted network to an internal message, the message comprising a data field and a message header, the message header comprises at least one characteristic of the message;
  
  an internal partition in communication with a trusted network; and
  
  a message airlock configured to pass the internal message between the external partition and the internal partition.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 20. The secure entry server of claim 19 wherein the message airlock is configured to pass the internal message between the external partition and the internal partition only upon a request originating from the internal partition.
  - 21. The secure entry server of claim 19 wherein the message airlock is configured to pass the internal message between the external partition and the internal partition upon a request originating from the external partition.
  - 22. The secure entry server of claim 19 wherein the external partition includes means for verifying the message.
  - 23. The secure entry server of claim 19 wherein the message airlock further comprises:
    - means for opening a logical connection between the external partition and the internal partition;
      
      means for transferring the internal message between the external partition and internal partition; and
      
      means for closing the logical connection between the external partition and the internal partition after the internal message is transferred between the external partition and the internal partition.
  - 24. The secure entry server of claim 19 wherein the internal partition includes means for verifying the internal message.
  - 25. The secure entry server of claim 19 wherein the internal partition includes means for attaching an access ticket to the internal message.
  - 26. The secure entry server of claim 19 wherein the internal partition includes a dispatcher for forwarding the internal message to a resource in the trusted network.
  - 27. The secure entry server of claim 26 wherein the dispatcher forwards the internal message based in part on an access ticket.
  - 28. The secure entry server of claim 19 wherein the internal message includes an access ticket.
  - 29. The secure entry server of claim 19 wherein the internal message includes an IMF header.
  - 30. The secure entry server of claim 29 wherein the IMF header includes at least one of the characteristic of the message in the message header.

31. A computer-readable medium having stored thereon a data structure for a secure entry server comprising:
- an internal message data field containing data conforming to an internal message protocol, the data representing a message between an untrusted network and a trusted network, the message characterized by a network protocol different from the internal message protocol; and
  
  an internal message header field containing data representing the characterization of the message data field according to the internal message protocol.
- View Dependent Claims (32)
- - 32. The computer-readable medium of claim 31 wherein the network protocol is selected from a group consisting of HTTP, XML, IIOP, POP3, IMAP, SOAP, JRMP, RMI, SNMP, XNTP, Sun-RPC, SSH, TELNET, FTP, MS Exchange, JDBC, ODBC, SAMBA, NETBIOS and SMTP.

33. A method for passing a message between an untrusted network and a resource on a trusted network, the message characterized by a network protocol, the method comprising the steps of:
- receiving the message from the untrusted network;
  
  converting the received message into an internal message, the internal message characterized by an internal message protocol different from the network protocol;
  
  verifying the contents of the internal message;
  
  converting the verified internal message to a trusted message characterized by a protocol supported by the resource on the trusted network; and
  
  forwarding the trusted message to the resource on the trusted network.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. The method of claim 33 wherein the message protocol is HTTP.
  - 35. The method of claim 33 wherein the step of converting the received message further includes the step of calculating a message digest based on the received message and attaching the calculated message digest to the internal message.
  - 36. The method of claim 33 wherein the step of converting the received message further includes the step of checking the received message for conformity to the message protocol.
  - 37. The method of claim 33 further including after the step of verifying, the step of attaching an application cookie to the verified internal message.
  - 38. The method of claim 33 wherein the step of converting the internal message further includes the step of filtering the contents of the internal message to a subset of the message protocol.
  - 39. The method of claim 38 wherein the filtering of the internal message depends on the network protocol of the received message.
  - 40. The method of claim 33 further including the step of authenticating the incoming message.
  - 41. The method of claim 40 wherein the message is authenticated based on an authentication module on the trusted network.
  - 42. The method of claim 40 wherein the message is authenticated based on an authentication proxy on the untrusted network.

43. A secure entry server for passing a message between an untrusted network and a resource on a trusted network, the message characterized by a network protocol, the secure entry server comprising:
- means for receiving the message from the untrusted network;
  
  means for converting the received message into an internal message, the internal message characterized by an internal message protocol different from the network protocol;
  
  means for verifying the contents of the internal message;
  
  means for converting the verified internal message to a trusted message characterized by a protocol supported by the resource on the trusted network; and
  
  means for forwarding the trusted message to the resource on the trusted network.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
- - 44. The secure entry server of claim 43 wherein the network protocol is HTTP.
  - 45. The secure entry server of claim 43 wherein the means for converting the received message further includes means for calculating a message digest based on the received message and attaching the calculated message digest to the internal message.
  - 46. The secure entry server of claim 43 wherein the means for converting the received message further includes means for checking the received message for conformity to the network protocol.
  - 47. The secure entry server of claim 43 further including means for attaching an application cookie to the internal message.
  - 48. The secure entry server of claim 43 further including means for removing an application cookie from the internal message.
  - 49. The secure entry server of claim 43 further including means for encrypting an application cookie attached to the internal message.
  - 50. The secure entry server of claim 43 wherein the means for converting the internal message further includes means for filtering the contents of the internal message to a subset of the network protocol.
  - 51. The secure entry server of claim 50 wherein the filtering means depends on the network protocol of the received message.

52. A computer-readable medium having computer-executable instructions for performing a method for passing a message between an untrusted network and a resource on a trusted network, the message characterized by a network protocol, the method comprising the steps of:
- receiving the message from the untrusted network;
  
  converting the received message into an internal message, the internal message characterized by an internal message protocol different from the network protocol;
  
  verifying the contents of the internal message;
  
  converting the verified internal message to a trusted message characterized by a protocol supported by the resource on a trusted network; and
  
  forwarding the trusted message to the resource on the trusted network.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 53. The computer-readable medium of claim 52 wherein the network protocol is HTTP.
  - 54. The computer-readable medium of claim 52 wherein the step of converting the received message further includes the step of calculating a message digest based on the received message and attaching the calculated message digest to the internal message.
  - 55. The computer-readable medium of claim 52 wherein the step of converting the received message further includes the step of checking the received message for conformity to the network protocol.
  - 56. The computer-readable medium of claim 52 further including after the step of verifying, the step of attaching an application cookie to the verified internal message.
  - 57. The computer-readable medium of claim 52 wherein the step of converting the internal message further includes the step of filtering the contents of the internal message to a subset of the network protocol.
  - 58. The computer-readable medium of claim 57 wherein the filtering of the internal message depends on the network protocol of the received message.
  - 59. The computer-readable medium of claim 52 further including the step of authenticating the incoming message.
  - 60. The computer-readable medium of claim 59 wherein the message is authenticated based on an authentication module on the trusted network.
  - 61. The computer-readable medium of claim 59 wherein the message is authenticated based on an authentication proxy on the untrusted network.
  - 62. The computer-readable medium of claim 52 further including the step of removing an application cookie from an outgoing message before the outgoing message is sent to the untrusted network.
  - 63. The computer-readable medium of claim 52 further including the step of encrypting an application cookie attached to an outgoing message before the outgoing message is sent to the untrusted network.

64. A secure entry server for restricted access to a resource on a trusted network from an untrusted network, the server comprising:
- an adapter for converting a message having a network protocol to and from an internal message having an internal message protocol different from the network protocol;
  
  a filter for verifying the contents of the internal message;
  
  a message airlock for transferring the internal message between the adapter and the filter;
  
  a session table configured to hold at least one characteristic of the internal message;
  
  a manager configured to maintain the session table based on a user authorization and the message;
  
  a converter for converting the internal message to and from a trusted message; and
  
  a dispatcher for receiving and forwarding the trusted message to the resource on the trusted network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seclutions AG
Original Assignee
Seclutions AG
Inventors
Osterwalder, Cyrill, Oesch, Friedrich Claude

Application Number

US10/099,762
Publication Number

US 20030177387A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 69/08   Protocols for interworking;...

Y04S 40/20   Information technology spec...

Secured web entry server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

64 Claims

Specification

Use Cases

Quick Links

Others

Secured web entry server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

64 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others