System and Method for Securing Software Applications

US 20080276309A1
Filed: 07/06/2006
Published: 11/06/2008
Est. Priority Date: 07/06/2006
Status: Abandoned Application

First Claim

Patent Images

1. A computer network system for securing user communication with a software application comprising:

a) a digital credential comprising at least one user cryptographic key that is unique to an authorized user of a software application;

b) an access client installed on a computing device, said client having access to the cryptographic key stored on said digital credential and capable of using said cryptographic key to encrypt at least a portion of a communication intended for the application and capable of decrypting an encrypted portion of a received communication intended for the user;

c) a secure access server in digital communication with the access client, said server having access to stored cryptographic keys and capable of using the stored keys to decrypt communication from the client and encrypt communication to the client; and

d) an application server comprising the software application, said application server in digital communication with said secure server;

wherein, all communication between the user and the software application passes from the access client to the secure access server and then to the application server, and wherein the communication between the access client and the secure server is encrypted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securing software applications installed on a computer network is disclosed. An authorized user is provided a digital credential and loads a secure access client onto a computerized device that can be connected to the network. The secure access client communicates with a secure access server within the network to authenticate the user and determine which applications the user is allowed to access. When the user sends a communication intended for a secured application, the secure access client intercepts the communication and uses cryptographic keys from the digital credential to encrypt and digitally sign the communication. The secure access server has access to cryptographic keys corresponding to those on the digital credential and is able to decrypt the communication and verify the digital credential. The decrypted message is then sent to an application server hosting the secured application.

Citations

36 Claims

1. A computer network system for securing user communication with a software application comprising:
- a) a digital credential comprising at least one user cryptographic key that is unique to an authorized user of a software application;
  
  b) an access client installed on a computing device, said client having access to the cryptographic key stored on said digital credential and capable of using said cryptographic key to encrypt at least a portion of a communication intended for the application and capable of decrypting an encrypted portion of a received communication intended for the user;
  
  c) a secure access server in digital communication with the access client, said server having access to stored cryptographic keys and capable of using the stored keys to decrypt communication from the client and encrypt communication to the client; and
  
  d) an application server comprising the software application, said application server in digital communication with said secure server;
  
  wherein, all communication between the user and the software application passes from the access client to the secure access server and then to the application server, and wherein the communication between the access client and the secure server is encrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer network system of claim 1 further comprising a secured application list accessible to the access client, said secured application list comprising the addresses for communications intended for the network system, wherein the access client monitors communications intended for transmission by the computing device and intercepts only those communications intended for the network system for decryption.
  - 3. The computer network system of claim 1 wherein said digital credential is stored on a portable digital medium.
  - 4. The computer network system of claim 1 wherein said digital credential is encrypted with a pass phrase known to the user so that the user must provide the pass phrase to the access client for said access client to access said cryptographic key.
  - 5. The computer network system of claim 1 wherein said digital credential comprises at least two keys used for asymmetric cryptography, a user private key and a master public key, and wherein the stored cryptographic keys accessible to the secure access server include two corresponding asymmetric cryptographic keys, a user public key and a master private key.
  - 6. The computer network system of claim 1 wherein:
    - (i) said digital credential comprises at least two keys used for asymmetric cryptography, a user private key and a master public key, and wherein the stored cryptographic keys accessible to the secure access server include two corresponding asymmetric cryptographic keys, a user public key and a master private key; and
      
      (ii) said digital credential is stored on a portable digital medium and is encrypted with a pass phrase known to the user so that the user must provide the pass phrase to said access client in order for said access client to access said cryptographic keys.
  - 7. The computer network system of claim 5 wherein the access client comprises a means for generating a shared secret for symmetric cryptography and a message digest algorithm, and wherein the encryption and decryption of communication from the access client to the secure access server comprises the following steps:
    - (i) a shared secret for symmetric cryptography is generated;
      
      (ii) the communication is processed with the message digest algorithm to generate a message digest;
      
      (iii) the message digest is digitally signed with the user'"'"'s private key;
      
      (iv) the communication and the digitally signed message digest are symmetrically encrypted using the shared secret;
      
      (v) the shared secret is asymmetrically encrypted using the master public key;
      
      (vi) the access client sends the encrypted communication and message digest to the secure access server;
      
      (vii) the secure access server uses the master private key to decrypt the shared secret;
      
      (viii) the decrypted shared secret is used to decrypt the communication and message digest; and
      
      (ix) the user'"'"'s public key is used to authenticate the digital signature.
  - 8. The computer network system of claim 7 wherein the means for generating a shared secret comprises a random number generator and the shared secret is created from a random number of bytes generated by the random number generator.

9. A computer network system for securing user communication with a software application comprising:
- a) a user digital credential comprising at least one user cryptographic key that is unique to an authorized user of a software application;
  
  b) a user access client installed on a computing device, said user access client having access to the cryptographic key stored on said user digital credential and capable of using said cryptographic key to encrypt at least a portion of a communication intended for the application and capable of decrypting an encrypted portion of a received communication intended for the user;
  
  c) a secure access server in digital communication with the user access client, said server having access to stored cryptographic keys and capable of using the stored keys to decrypt the encrypted portion of a communication from the user access client and encrypt at least a portion of a communication to the client, and capable of encrypting of using the stored keys to encrypt at least a portion of a communication intended for the application and to decrypt the an encrypted portion of a communication from the application; and
  
  d) an application server in digital communication with the secure access server, said application server comprising the software application, an application digital credential including at least one cryptographic key, and an application access client having access to the cryptographic key stored on the application digital credential and capable of using said cryptographic key to decrypt the encrypted portion of a communication from the secure access server and to encrypt at least a portion of a communication to the secure access server;
  
  wherein, all communication between the user and the software application passes through the secure access server, and wherein the communication between the user access client and the secure access server is encrypted, and communication between the secure access sever and the application access client is encrypted.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer network system of claim 9 further comprising a secured application list accessible to the access client, said secured application list comprising the addresses for communications intended for the network system, wherein the access client monitors communications intended for transmission by the computing device and intercepts only those communications intended for the network system for decryption.
  - 11. The computer network system of claim 9 wherein said user digital credential is stored on a portable digital medium.
  - 12. The computer network system of claim 11 wherein said user digital credential is encrypted with a pass phrase known to the user so that the user must provide the pass phrase to the access client for said access client to access said cryptographic key.
  - 13. The computer network system of claim 9 wherein said application digital credential comprises at least two keys used for asymmetric cryptography, a user private key and a master public key, and wherein the stored cryptographic keys accessible to the secure access server include two corresponding asymmetric cryptographic keys, a user public key and a master private key.
  - 14. The computer network system of claim 13 wherein the user access client comprises a means for creating a shared secret for symmetric cryptography and a message digest algorithm, and wherein the encryption and decryption of communication from the user access client to the secure access server comprises the following steps:
    - (i) a shared secret for symmetric cryptography is created;
      
      (ii) the communication is processed with the message digest algorithm to generate a message digest;
      
      (iii) the message digest is digitally signed with the user'"'"'s private key;
      
      (iv) the communication and the digitally signed message digest are symmetrically encrypted using the shared secret;
      
      (v) the shared secret is asymmetrically encrypted using the master public key;
      
      (vi) the access client sends the encrypted communication and message digest to the secure access server;
      
      (vii) the secure access server uses the master private key to decrypt the shared secret;
      
      (viii) the decrypted shared secret is used to decrypt the communication and message digest; and
      
      (ix) the user'"'"'s public key is used to authenticate the digital signature.
  - 15. The computer network system of claim 14 wherein the means for creating a shared secret comprises a random number generator and the shared secret is created from a random number of bytes generated by the random number generator.
  - 16. The computer network system of claim 9 further comprising a second application server having a second secured application wherein communication between the secure access server and the second application server is not encrypted.

17. A method for securing user communication with a software application comprising:
- a) providing a digital credential comprising at least one user cryptographic key that is unique to an authorized user of the software application;
  
  b) a first encryption step in which an access client installed on a computing device and having access to the cryptographic key stored on said digital credential uses the cryptographic key to encrypt at least a portion of a communication input by the user and intended for a software application;
  
  c) a first sending step in which the encrypted user communication is sent to a secure access server;
  
  d) a first decryption step in which the secure access server utilizes at least one stored cryptographic key to decrypt the encrypted portion of the user communication;
  
  e) a second sending step in which the decrypted user communication is sent to an application server comprising the software application;
  
  f) a response step in which the application prepares a new communication responsive to the communication it received from the user;
  
  g) a third sending step in which the application communication in response to the user communication is sent by the application server to the secure server;
  
  h) a second encryption step in which the secure server utilizes at least one stored cryptographic key to encrypt at least a portion of the application communication;
  
  i) a fourth sending step in which the encrypted application communication is sent to the access client; and
  
  j) a second decryption step in which the access client uses the user cryptographic key to decrypt the encrypted portion of the application communication.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The method of claim 17 wherein said digital credential is stored on a portable digital medium.
  - 19. The method of claim 18 wherein said digital credential is encrypted with a pass phrase known to the user so that the user must provide the pass phrase to the access client for said access client to access said cryptographic key.
  - 20. The method of claim 17 wherein said digital credential comprises at least two keys used for asymmetric cryptography, a user private key and a master public key, and wherein the stored cryptographic keys accessible to the secure access server include two corresponding asymmetric cryptographic keys, a user public key and a master private key.
  - 21. The method of claim 20 wherein said access client comprises a means for creating a shared secret for symmetric cryptography and a message digest algorithm, and wherein said first encryption step comprises the following steps:
    - (i) a shared secret for symmetric cryptography is created;
      
      (ii) the communication is processed with the message digest generator to generate a message digest;
      
      (iii) the message digest is digitally signed with the user'"'"'s private key;
      
      (iv) the communication and the digitally signed message digest are symmetrically encrypted using the shared secret; and
      
      (v) the shared secret is asymmetrically encrypted using the master public key.
  - 22. The method of claim 21 wherein the means for creating a shared secret comprises a random number generator and the shared secret is created from a random number of bytes generated by the random number generator.
  - 23. The method of claim 21 wherein the first decryption step comprises the following steps:
    - (i) the secure access server uses the master private key to decrypt the shared secret;
      
      (ii) the decrypted shared secret is used to decrypt the communication and message digest; and
      
      (iii) the user'"'"'s public key is used to authenticate the digital signature.
  - 24. The method of claim 17 further comprising a communication interception step before the first encryption step wherein the access client monitors communications intended for transmission by the computing device and intercepts only those communications intended for the network system for decryption.

25. A method for securing user communication with a software application comprising:
- a) providing a digital credential comprising at least one user cryptographic key that is unique to an authorized user of a software application;
  
  b) a first encryption step in which a user access client installed on a computing device and having access to the cryptographic key stored on said digital credential uses the cryptographic key to encrypt at least a portion of a communication input by a user and intended for the software application;
  
  c) a first sending step in which the encrypted user communication is sent to a secure access server;
  
  d) a first decryption step in which the secure access server utilizes at least one stored cryptographic key to decrypt the encrypted portion of the user communication;
  
  e) a second encryption step in which the secure server utilizes at least one stored cryptographic key to re-encrypt at least a portion of the user communication;
  
  f) a second sending step in which the re-encrypted user communication is sent to an application server comprising the software application;
  
  g) a second decryption step in which an application client installed on the application server uses at least one stored cryptographic key to decrypts the re-encrypted user communication;
  
  h) a response step in which the application prepares a new communication intended for the user;
  
  i) a third encryption step in which the application access client uses a stored cryptographic key to encrypt at least a portion of the application communication;
  
  j) a third sending step in which the encrypted application communication is sent from the application access client to the secure access server;
  
  k) a third decryption step in which the secure access server utilizes at least one stored cryptographic key to decrypt the encrypted portion of the application communication;
  
  l) a fourth encryption step in which the secure server utilizes at least one stored cryptographic key to re-encrypt at least a portion of the application communication;
  
  m) a fourth sending step in which the encrypted application communication is sent to the user access client; and
  
  n) a fourth decryption step in which the user access client uses the user cryptographic key to decrypt the encrypted portion of the application communication.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The method of claim 25 wherein said digital credential is stored on a portable digital medium.
  - 27. The method of claim 26 wherein said digital credential is encrypted with a pass phrase known to the user so that the user must provide the pass phrase to the user access client in order for said user access client to access said cryptographic key.
  - 28. The method of claim 26 wherein said digital credential comprises at least two keys used for asymmetric cryptography, a user private key and a master public key, and wherein the stored cryptographic keys accessible to the secure access server include two corresponding asymmetric cryptographic keys, a user public key and a master private key.
  - 29. The method of claim 28 wherein said access client comprises a means for creating a shared secret for symmetric cyrptography and a message digest algorithm, and wherein said first encryption step comprises the following steps:
    - (i) a shared secret for symmetric cryptography is created;
      
      (ii) the communication is processed with the message digest generator to generate a message digest;
      
      (iii) the message digest is digitally signed with the user'"'"'s private key;
      
      (iv) the communication and the digitally signed message digest are symmetrically encrypted using the shared secret; and
      
      (v) the shared secret is asymmetrically encrypted using the master public key.
  - 30. The method of claim 29 wherein the first decryption step comprises the following steps:
    - (i) the secure access server uses the master private key to decrypt the shared secret;
      
      (ii) the decrypted shared secret is used to decrypt the communication and message digest; and
      
      (iii) the user'"'"'s public key is used to authenticate the digital signature.
  - 31. The method of claim 30 further comprising a communication interception step before the first encryption step wherein the access client monitors communications intended for transmission by the computing device and intercepts only those communications intended for the network system for decryption.

32. A method of authenticating and securing user communication with a computer network comprising:
- (a) providing a user digital credential comprising at least two cryptographic keys, at least one of which is unique to the user;
  
  (b) providing an access client installed on a computing device in digital communication with the computer network, said access client capable of using cryptographic keys to encrypt and digitally sign a communication intended for the computer network such that said communication may be decrypted and authenticated by the computer network;
  
  (c) providing the access client with the location of the digital credential so that the access client may access the cryptographic keys of the digital credential to encrypt and digitally sign a communication intended for the computer network.
- View Dependent Claims (33, 34, 35, 36)
- - 33. The method of claim 32 wherein said digital credential is stored on a portable digital medium.
  - 34. The method of claim 33 wherein said digital credential is encrypted with a pass phrase known to the user so that the user must enter the pass phrase into the computing device in order for said access client to access said cryptographic keys.
  - 35. The method of claim 32 wherein said digital credential is created by the following steps:
    - (i) using a computing device, a user initiates communication with a network server programmed to verify the user;
      
      (ii) the network server verifies the identity of the user; and
      
      (iii) the network server generates cryptographic keys and creates the digital credential.
  - 36. The method of claim 35 wherein the network server has access to previously saved challenge questions and answers and verifies the user by presenting the user with a set challenge questions and requiring the user to provide correct answers to said questions, such that the user is verified if the user'"'"'s answers match the saved answers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Identity Verification Systems LLC
Original Assignee
Identity Verification Systems LLC
Inventors
Edelman, Lance F.

Application Number

US11/456,039
Publication Number

US 20080276309A1
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/629   to features or functions of...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

System and Method for Securing Software Applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Securing Software Applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links