Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys
Abstract
The technology herein can be used to dynamically deploy secure credentials including but not limited to digital certificates in a secure manner to provide higher levels of security and control than in some other previous arrangements. In one exemplary non-limiting illustrative arrangement, a management server acts as a repository for a plurality of user certificates corresponding to a plurality of users. When a user wishes to access a remote computer such as a secure-enabled host requiring a secure credential, her computer sends a request message to the management server. The management server may perform its own validity checking (e.g., based on password protection, directory information including user authorization, or a variety of other techniques). Once the management server is satisfied that the requesting user is authorized to access the secure host or other remote computer, the management server sends the user the necessary secure credential in a manner that is on demand (in other words, at the time the client certificate or key pair is needed to complete the connection to another server and not before); is secure during transmission; and is provided in a manner which prevents the client from using the client certificate or key pair to commence a new session to the SSL or SSH hosts after the user's session with server A has ended. In one example arrangement, the user's computer does not persistently store the secure credential but rather maintains the secure credential in volatile memory such as for example random access memory or other memory that will be reliably erased (e.g., by overwriting with other information).
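The flow the abstract describes (authenticate to the management server, receive the credential only when the second server needs it, use it once, erase it from volatile memory) is simulated below in Python. This is an added illustration, not code from the patent or its assignee; the user directory, passwords, host name and the use of a random per-user HMAC key as a stand-in for the client certificate or key pair are all constructed assumptions, and the host is assumed to have been provisioned with the matching verification key out of band.

```python
import hashlib
import hmac
import secrets

# Constructed sample directory for the management server (hypothetical data).
# Password hashing is deliberately reduced to one SHA-256 for brevity.
USER_DIRECTORY = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse battery").hexdigest(),
        "authorized_hosts": {"ssh-host-1"},
    },
}


def wipe(buf: bytearray) -> None:
    """Overwrite a credential held in volatile memory before releasing it."""
    buf[:] = b"\x00" * len(buf)


class ManagementServer:
    """Credential repository ("server A" in the abstract).

    A random 32-byte key per user stands in for the certificate or key pair;
    the consuming host receives the matching verification key separately.
    """

    def __init__(self):
        self._credentials = {u: secrets.token_bytes(32) for u in USER_DIRECTORY}
        self.issued = 0  # number of on-demand deliveries, for inspection

    def verification_key(self, user: str) -> bytes:
        return self._credentials[user]

    def request_credential(self, user: str, password: str, host: str) -> bytearray:
        record = USER_DIRECTORY.get(user)
        if record is None:
            raise PermissionError("unknown user")
        presented = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(presented, record["password_hash"]):
            raise PermissionError("authentication failed")
        if host not in record["authorized_hosts"]:
            raise PermissionError("not authorized for " + host)
        self.issued += 1
        # Delivered in a mutable buffer so the client can erase it after use.
        return bytearray(self._credentials[user])


class SecureHost:
    """The second server (an SSL/SSH host) that challenges the client."""

    def __init__(self, name: str, verification_keys: dict):
        self.name = name
        self._keys = verification_keys

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class Client:
    """Holds the credential only for the duration of one connection attempt."""

    def __init__(self, user: str, password: str, mgmt: ManagementServer):
        self.user = user
        self._password = password
        self._mgmt = mgmt

    def connect(self, host: SecureHost) -> bool:
        # Credential is requested now, when the host connection needs it,
        # and is never stored on the client beyond this call.
        cred = self._mgmt.request_credential(self.user, self._password, host.name)
        try:
            nonce = host.challenge()
            response = hmac.new(cred, nonce, "sha256").digest()
            return host.verify(self.user, nonce, response)
        finally:
            wipe(cred)  # overwritten before the buffer goes out of scope


def run_demo() -> dict:
    mgmt = ManagementServer()
    host = SecureHost("ssh-host-1", {"alice": mgmt.verification_key("alice")})
    good = Client("alice", "correct horse battery", mgmt)
    bad = Client("alice", "wrong password", mgmt)
    results = {"first_session": good.connect(host),
               "second_session": good.connect(host)}
    try:
        bad.connect(host)
        results["bad_password"] = "credential issued"
    except PermissionError:
        results["bad_password"] = "refused"
    # Each session needed a fresh delivery: nothing was cached client-side.
    results["deliveries"] = mgmt.issued
    results["client_retains_credential"] = any(
        isinstance(v, bytearray) for v in vars(good).values())
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is that the second session triggers a second delivery from the management server rather than reusing anything on the client, so revoking the user at the management server takes effect at the next connection. The wipe is best-effort: a garbage-collected language such as Python can make internal copies that the overwrite does not reach, so a production client would keep the credential in a buffer it controls (for example in native code) and apply the same overwrite there.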
Claims

1. A method for establishing a secure communication between a client and a server comprising:
   using a first server to authenticate and authorize a client, then dynamically delivering a credential from the first server to the authenticated and authorized client without the client caching the delivered credential, then using the delivered non-cached credential to authenticate and authorize the client to a second server; and
   then establishing a secure communication between the second server and the client.
   (Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.)

8. A storage medium storing instructions that control the operation of a client, said stored instructions including:
   first stored instructions that at least in part establish secure communications with a server, second stored instructions that permit said server to authenticate and authorize the client, third stored instructions that dynamically receive a credential from the server without locally caching the delivered credential, fourth stored instructions that present the delivered non-cached credential to be authenticated and authorized by a further server, and fifth stored instructions that establish a secure communication with the further server.

9. A client authentication method comprising:
   receiving and verifying a public key certificate from a server;
   receiving a request from said server to present a client credential;
   sending a message requesting the client credential;
   receiving the requested client credential without caching said received client credential; and
   sending the received client credential to the server in response to a challenge.

10. A method for use with a computer entity that delivers an applet to a browser on demand, the method comprising:
   executing the applet at the browser, said execution of the applet having the effect of establishing a trusted communication with a first computer entity;
   said applet execution controlling said browser to send a credential request to the first computer entity;
   receiving the requested credential with the browser;
   avoiding persistent storage of said delivered credential at said browser; and
   using said requested credential to establish a trusted communication with a second computer entity different from said first computer entity.
Specification