Data Certification Methods and Apparatus

US 20080163337A1
Filed: 08/16/2005
Published: 07/03/2008
Est. Priority Date: 09/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method of providing an electronic signature to a server, the method comprising:

receiving data for said server at a proxy system for said server;

reading said received data to identify a signature request;

obtaining a signature for a portion of data associated with said request, responsive to said request, andproviding said signature from said proxy system to said server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention generally relates methods, computer program code, data processing apparatus, and signals for certifying data, in particular by means of an electronic signature. Embodiments of the invention can be implemented on a user terminal without the need for dedicated hardware or software and may be termed “zero-footprint” data certification methods. A method of providing an electronic signature to-a-server; the method including receiving data for said server at a proxy system for said server; reading said received data to identify a signature request; obtaining a signature for a portion of said received data associated with said request responsive to said request, and providing said signature from said proxy system to said server. The use of a signature-enabled reverse proxy enables the use of a zero footprint user terminal, that is without the need to add additional functionality to the terminal for the purposes of signature creation in the context of a distributed application architecture.

119 Citations

View as Search Results

62 Claims

1. A method of providing an electronic signature to a server, the method comprising:
- receiving data for said server at a proxy system for said server;
  
  reading said received data to identify a signature request;
  
  obtaining a signature for a portion of data associated with said request, responsive to said request, andproviding said signature from said proxy system to said server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14, 15)
- - 2. A method as claimed in claim 1 wherein said signature comprises a signature of a user of said server, the method further comprising:
    - authenticating said user prior to providing said signature.
  - 3. A method as claimed in claim 1 wherein said portion of data for which said signature is obtained comprises a portion of said received data.
  - 4. A method as claimed in claim 2 wherein said portion of data for which said signature is obtained comprises data received from said user at said proxy system.
  - 5. A method as claimed in claim 2 wherein said portion of data for which said signature is obtained comprises data received from said server at said proxy system and forwarded by said proxy system to said user.
  - 6. A method as claimed in claim 2 wherein said data receiving comprises receiving data from a plurality of different users;
    - wherein a said signature is common to a group of said users; and
      
      further comprising providing a user identifier to said server in association with a said common signature.
  - 7. A method as claimed in claim 2 further comprising sending a request to said user, said request including said portion of received data to be signed, for confirmation of signing;
    - and receiving confirmation data from said user; and
      
      wherein said signature obtaining is responsive to said confirmation data.
  - 8. A method as claimed in claim 1 wherein said signature request comprises a signature request tag, the method further comprising:
    - receiving said signature request tag from said server at said proxy system in association with a request for additional data;
      
      forwarding said signature request tag and said request for additional data to a remote system; and
      
      receiving data comprising said signature request tag and said additional data from said remote system at said proxy system, said portion of data for signature comprising a portion of said additional data.
  - 9. A method as claimed in claim 1 further comprising authenticating said proxy system to a sender of said data portion.
  - 10. A method as claimed in claim 1 wherein said providing of said signature to said server additionally or alternatively comprises providing said signature to a second server.
  - 11. A method as claimed in claim 2 further comprising filtering data received from said server for providing to the said user, to control provision of data to said user for establishing connections other than via said proxy system.
  - 14. A carrier carrying computer program code to, when running, implement the method of claim 1.
  - 15. A computer system including a proxy system comprising the carrier of claim 14 and at least one said server, said proxy system and said at least one server being coupled by a secure link.

12. A method of providing an electronic signature to a server, the method comprising:
- receiving data to be signed from said server at a proxy system;
  
  sending said data to be signed from said proxy system to a user;
  
  receiving a signature request for said data to be signed at said proxy system;
  
  obtaining a signature for said data to be signed responsive to said signature request, andproviding said signature from said proxy system to said server.

13. (canceled)

16. (canceled)

17. A method of authenticating electronic data supplied by a user of a source device to a remote device, the method comprising:
- receiving input data including data for authentication from the source device;
  
  identifying authentication request information in the input data;
  
  obtaining authentication data for said data for authentication responsive to said identifying, andoutputting the authentication data for said remote device;
  
  wherein the authentication data authenticates that the supplier of the data is the user.
- View Dependent Claims (18, 19, 20, 21, 23)
- - 18. A method as claimed in claim 17 wherein said obtaining of authentication data comprises:
    - sending data to be authenticated to authentication apparatus, said data to be authenticated being determined from said input data; and
      
      receiving said authentication data from said authentication apparatus.
  - 19. A method according to claim 18, wherein the authenticating apparatus comprises a signing apparatus and the authentication data comprises a digital signature.
  - 20. A method according to claim 17, the method further comprising:
    - outputting the input data to a said remote device.
  - 21. A method according to claim 17, the method further comprising:
    - outputting the input data to a second remote device.
  - 23. A computer readable medium storing a computer program to, when running, carry out the method steps of claim 17.

22. (canceled)

24. A data processing apparatus for processing electronic data supplied by a user of a source device to be signed, the apparatus comprising;
- a communication interface for inputting and outputting data;
  
  a data memory operable to store data to be processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor coupled to said data memory and to said instruction memory and operable to read and process the stored data in accordance with the instructions in the instruction memory; and
  
  wherein the instructions stored in the instruction memory comprise instructions for controlling the processor to;
  
  receive input data including data for authentication from a source device;
  
  identifying authentication request information in the input data;
  
  obtain authentication data for said data for authentication; and
  
  output the authentication data for a recipient device;
  
  wherein the authentication data authenticates that the supplier of the data is the user.
- View Dependent Claims (25, 26, 27)
- - 25. An apparatus according to claim 24, including certifying apparatus comprising a signing device, and wherein the certification data comprises a digital signature.
  - 26. An apparatus according to claim 24, wherein the instructions stored in the instruction memory further comprise instructions for controlling the processor to output the input data to the recipient device.
  - 27. An apparatus according to claim 24, wherein the instructions stored in the instruction memory further comprise instructions for controlling the processor to output the input data to a second recipient device.

28. A method of supplying electronic data to a remote device for signing, the method comprising:
- receiving data at a user terminal from a first remote device, said received data incorporating a request for user input data and signature request data;
  
  inputting user data in accordance with said request; and
  
  outputting to a second remote device data incorporating said user input data and said signature request data.
- View Dependent Claims (29, 30)
- - 29. A method according to claim 28, wherein the first and second remote devices comprise the same device.
  - 30. A computer program to, when running, carry out the method steps of claim 28.

31. (canceled)

32. A processing apparatus for processing electronic data to be signed, the apparatus comprising:
- a communication interface for inputting and outputting data;
  
  a data memory operable to store data to be processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor operable to read and process the stored data in accordance with the instructions in the instruction memory; and
  
  wherein the instructions stored in the instruction memory comprise instructions for controlling the processor to;
  
  receive from a first remote device data incorporating a request for user input data and signature request data;
  
  input user data in accordance with said request; and
  
  output to a second remote device data incorporating said user input data and said signature request data.
- View Dependent Claims (33)
- - 33. An apparatus according to claim 32, wherein the first and second remote devices comprise the same device.

34. A reverse proxy device, the device comprisingmeans to authenticate an application to a user of a user terminal;
- means to obtain an authentication for said user of said user terminal;
  
  means to obtain a signature for user data; and
  
  means to receive from said terminal user data for signature and a signature request, and responsive to said signature request, to obtain a signature for said user data and forward said signature and said user data to said application.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 45)
- - 35. A proxy device as claimed in claim 34 wherein said means to obtain an authentication for said user of said user terminal comprises means to send data to and receive data from an authentication server.
  - 36. A proxy device as claimed in claim 34 wherein said means to obtain a signature for user data comprises means to send data to and receive data from a signature server.
  - 37. A proxy device as claimed in claim 34 wherein said means to authenticate said application comprises means to authenticate said proxy device to said user.
  - 38. A proxy device as claimed in claim 34 further comprising means to send a confirmation of said user data to be signed to said user, and to receive a user confirmation;
    - and wherein said signing is responsive to said user confirmation.
  - 39. A proxy device as claimed in claim 38 wherein said user confirmation comprises authentication data for authentication of said user.
  - 40. A proxy device as claimed in claim 34 wherein a common key is employed for signing data of a plurality of users.
  - 41. A proxy device as claimed in claim 34 wherein the device is configured to operate in a public key infrastructure.
  - 42. A proxy device as claimed in claim 34 wherein the device comprises an Internet proxy server.
  - 43. A proxy device as claimed in claim 34 including a user authenticator and/or a user data signer, and wherein said means to obtain an authentication for said user of said user terminal and/or said means to obtain a signature for user data is configured to communicate with said user authenticator and/or user data signer.
  - 45. A carrier carrying computer program code comprising the means of the proxy device as claimed in claim 34.

44. (canceled)

46. (canceled)

47. (canceled)

48. A method of protecting a link between a user terminal and an application server via a proxy system for said application server, the method comprising:
- receiving data from said application server at said proxy system;
  
  determining whether said received data includes data for establishing a connection between said user terminal and an address to which connection is forbidden; and
  
  forwarding said received data to said user terminal responsive to said determining.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 49. A method as claimed in claim 48 wherein said forwarding responsive to said determining comprises inhibiting said forwarding when said determining establishes that said received data includes data for establishing a connection between said user terminal and an address to which connection is forbidden.
  - 50. A method as claimed in claim 48 wherein said forwarding responsive to said determining comprises modifying said received data to remove said data for establishing a connection between said user terminal and an address to which connection is forbidden prior to said forwarding.
  - 51. A method as claimed in claim 48 wherein said data for establishing a connection between said user terminal and an address to which connection is forbidden comprises data for establishing a connection with said user terminal other than via said proxy system.
  - 52. A method as claimed in claim 48 wherein said determining comprises comparing data in said received data with a list of permitted addresses.
  - 53. A method as claimed in claim 48 wherein said determining comprises comparing data in said received data with a list of forbidden addresses.
  - 54. A method as claimed in claim 48 wherein said link comprises a packet data link and wherein said received data comprises packet payload data.
  - 55. A method as claimed in claim 48 wherein said determining comprises parsing said received data for a connection address.
  - 56. A method as claimed in claim 48, the method further comprising:
    - outputting audit data to an audit log responsive to said determining.
  - 57. A method as claimed in claim 48, the method further comprising:
    - outputting system management data responsive to said determining, wherein the system management data provides an alert when said determining establishes that said received data includes data for establishing a connection between said user terminal and an address to which connection is forbidden.
  - 58. A carrier carrying processor control code to, when running, implement the method of claim 48.
  - 59. A reverse proxy server configured to implement the method of claim 48.
  - 60. A method of providing a secure link between a user terminal and an application server, the method comprising:
    - establishing a secure link between said user terminal and a proxy system for said application server; and
      
      using the method of claim 48 to protect said secure link.

61. Data processing apparatus for protecting a link between a user terminal and an application server via a proxy system for said application server, the apparatus comprising:
- a communication interface for inputting and outputting data;
  
  a data memory operable to store data to processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor coupled to said data memory and to said instruction memory and operable to read and process the stored data in accordance with the instructions in the instruction memory; and
  
  wherein the instructions stored in the instruction memory comprise instructions for controlling the processor to;
  
  receive data from said application server via said proxy system;
  
  determine whether said received data includes data for establishing a connection between said user terminal and an address to which connection is forbidden; and
  
  forward said received data via said proxy system to said user terminal responsive to said determining.
- View Dependent Claims (62)
- - 62. Data processing apparatus as claimed in claim 61 configured to operate as a reverse proxy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptomathic Ltd
Original Assignee
Cryptomathic Ltd
Inventors
Tuliani, Jonnathan Roshan, Bursell, Michael

Granted Patent

US 8,635,457 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/123   received data contents, e.g...

H04L 63/1483   service impersonation, e.g....

Data Certification Methods and Apparatus

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

Data Certification Methods and Apparatus

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links