Opaque cryptographic web application data protection

US 20060294206A1
Filed: 07/22/2005
Published: 12/28/2006
Est. Priority Date: 06/23/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting Web application data between a server and a client comprising the steps of a) building a response for the client;

b) invoking a data protection service for the response, the response comprising a first data having a first state;

c) modifying the response by replacing the first data with a protected data;

d) sending the modified response to the client;

e) receiving a request with the protected data from the client;

f) passing the received protected data to the data protection service for verification;

g) restoring the request corresponding to the first state of the response at the data protection service; and

h) sending the request to a Web application.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for external and distributed protection of Web application data against prying, tempering, and impersonation using cryptographic mechanisms. The protection is offered opaquely so as to not expose the cryptographic mechanism to the Web application. Protection against prying prevents users from looking at data the Web application considers private. When protected against prying, protect data may be sent to the client but the user will not be able to understand it. Protection against tempering, guaranties the Web application that the data it is receiving originated from a trusted source, usually the Web application itself. A user session state stored client-side is a good candidate for tempering protection. Protection against impersonation ensures the Web application that the data it is receiving comes from a specific user.

52 Citations

View as Search Results

30 Claims

1. A method for protecting Web application data between a server and a client comprising the steps of a) building a response for the client;
- b) invoking a data protection service for the response, the response comprising a first data having a first state;
  
  c) modifying the response by replacing the first data with a protected data;
  
  d) sending the modified response to the client;
  
  e) receiving a request with the protected data from the client;
  
  f) passing the received protected data to the data protection service for verification;
  
  g) restoring the request corresponding to the first state of the response at the data protection service; and
  
  h) sending the request to a Web application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as claimed in claim 1, wherein the first data is protected based on protection rules in the data protection service.
  - 3. The method as claimed in claim 1, further comprising the step of providing a data characteristic to the data protection service by the Web application;
    - whereby the data protection service decides the protection logic to be used.
  - 4. The method as claimed in claim 1, wherein the data protection service is a stand-alone service external to the Web application.
  - 5. The method as claimed in claim 1, wherein the data protection service is provided by an application firewall.
  - 6. The method as claimed in claim 1, wherein the data protection service is shared between multiple Web applications.
  - 7. The method as claimed in claim 1, wherein more than one data protection services are invoked, the data protection services being external to the Web application.
  - 8. The method as claimed in claim 7 wherein more than one data protection services are shared between multiple Web applications.
  - 9. The method as claimed in claim 1, wherein the modifying step further comprising the step of replacing the parameter values at their original location.
  - 10. The method as claimed in claim 1, wherein the data protection service comprises an opaque interface to the Web application providing services such as protection against prying, tempering, or impersonation;
    - thereby hiding cryptographic details to the Web application.
  - 11. The method as claimed in claim 1, wherein the data protection service encodes the data for safe travel between the Web application client and server.
  - 12. The method as claimed in claim 1, further comprising the step of having the data protection service dynamically maintaining a list of parameter names requiring protection in requests based the calls from the Web application.

13. A storage medium readable by a computer encoding a computer program for execution by the computer to carry out a method for protecting Web application data between a server and a client, the computer program comprising:
- a) code means for building a response for the client;
  
  b) code means for invoking a data protection service for the response, the response comprising a first data having a first state;
  
  c) code means for modifying the response by replacing the first data with a protected data;
  
  d) code means for sending the modified response to the client;
  
  e) code means for receiving a request with the protected data from the client;
  
  f) code means for passing the received protected data to the data protection service for verification and converting to the first data;
  
  g) code means for restoring the request corresponding to the first state of the response; and
  
  h) code means for sending the request to a Web application.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The storage medium according to claim 13, wherein the first data is protected based on protection rules in the data protection service.
  - 15. The storage medium according to claim 13, further comprising code means for providing a data characteristic to the data protection service by the Web application;
    - whereby the data protection service decides the protection logic to be used.
  - 16. The storage medium according to claim 13, wherein the data protection service is a stand-alone service external to the Web application.
  - 17. The storage medium according to claim 13, wherein the data protection service is provided by an application firewall.
  - 18. The storage medium according to claim 13, wherein the data protection service is shared between multiple Web applications.
  - 19. The storage medium according to claim 13, wherein more than one data protection services are invoked, the more than one data protection services being external to the Web application.
  - 20. The storage medium according to claim 13, wherein more than one data protection services are shared between multiple Web applications.
  - 21. The storage medium according to claim 13, wherein the data protection service encodes the data for safe travel between the Web application client and server.
  - 22. The storage medium according to claim 13, further comprising code means for having the data protection service dynamically maintaining a list of parameter names requiring protection in requests based the calls from the Web application.

23. A computer system for protecting Web application data between a server and a client comprising:
- a) means for building a response for the client;
  
  b) means for invoking a data protection service for the response, the response comprising a first data having a first state;
  
  c) means for modifying the response by replacing the first data with a protected data;
  
  d) means for sending the modified response to the client;
  
  e) means for receiving a request with the protected data from the client;
  
  f) means for passing the received protected data to the data protection service for verification and converting to the first data;
  
  g) means for restoring the request corresponding to the first state of the response; and
  
  h) means for sending the request to a Web application.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The computer system according to claim 23, wherein the first data is protected based on protection rules in the data protection service.
  - 25. The computer system according to claim 23, wherein the data protection service is a stand-alone service external to the Web application.
  - 26. The computer system according to claim 23, wherein the data protection service is provided by an application firewall.
  - 27. The computer system according to claim 23, wherein the data protection service is shared between multiple Web applications.
  - 28. The computer system according to claim 23, wherein more than one data protection services are shared between multiple Web applications.
  - 29. The computer system according to claim 23, wherein the data protection service encodes the data for safe travel between the Web application client and server.
  - 30. The computer system according to claim 23, further comprising means for having the data protection service dynamically maintaining a list of parameter names requiring protection in requests based the calls from the Web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LinkedIn Corporation (Microsoft Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Roy, Patrick, Graveline, Marc, Viney, Ulf

Granted Patent

US 7,765,310 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/219
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 2221/2119   Authenticating web pages, e...

H04L 2209/04   Masking or blinding

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

H04L 9/3271   using challenge-response

Opaque cryptographic web application data protection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Opaque cryptographic web application data protection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links