SECURE CLIENT-SIDE COMMUNICATION BETWEEN MULTIPLE DOMAINS

US 20130326210A1
Filed: 08/06/2013
Published: 12/05/2013
Est. Priority Date: 03/30/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing authentication information of a user for a first domain and a second domain;

receiving a set of instructions and cryptographic construct data, the set of instructions including information mapping one or more operations to at least one instruction ID;

identifying a first instruction ID from the set of instructions corresponding to a first set of one or more operations;

generating, using one or more processors in one or more computer systems, a first message using the cryptographic construct data; and

sending the first message to a recipient.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for secure client-side communication between multiple domains is provided. Such methods and systems can provide for decreased communication latency particularly effective for dynamic multi-domain and/or multi-tenant environments while allowing for granular security or specific security of messages and operations with regard to users, user sessions, groups, organizations, permissions sets, applications, or any other logical delineation. Such methods and systems may involve a variety of security components, for example, at least one set of instructions including a plurality of defined instruction to be utilized by users of the set of instructions to communicate, and cryptographic construct data in order to verify the data integrity and the authenticity of messages sent and received using the secure client-side communication between multiple domains.

Citations

21 Claims

1. A method comprising:
- providing authentication information of a user for a first domain and a second domain;
  
  receiving a set of instructions and cryptographic construct data, the set of instructions including information mapping one or more operations to at least one instruction ID;
  
  identifying a first instruction ID from the set of instructions corresponding to a first set of one or more operations;
  
  generating, using one or more processors in one or more computer systems, a first message using the cryptographic construct data; and
  
  sending the first message to a recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the set of instructions includes information mapping each operation of the one or more operations to a unique instruction ID.
  - 3. The method of claim 2, wherein each unique instruction ID is unique within the instruction set and with respect to other instruction sets received from a remote source providing the instruction set.
  - 4. The method of claim 1, wherein each instruction ID includes a random value.
  - 5. The method of claim 1, wherein each operation is not associated with the corresponding instruction ID except by the mapping in the set of instructions.
  - 6. The method of claim 1, further comprising:
    - requesting the set of instructions from a server by a client, wherein the receiving of the set of instruction and the cryptographic construct data is performed by the client.
  - 7. The method of claim 1, wherein the receiving of the set of instructions is by a client and the set of instructions is received from a source remote from the client.
  - 8. The method of claim 7, wherein the receiving of the set of instructions is by a first browser frame provided by the client.
  - 9. The method of claim 8, wherein the first browser frame has a secure connection with the first domain and does not have a secure connection with the second domain.
  - 10. The method of claim 9, wherein the recipient is a second browser frame provided by the client.
  - 11. The method of claim 8, wherein the second browser frame has a secure connection with the second domain and does not have a secure connection with the first domain.
  - 12. The method of claim 1, wherein the at least one instruction ID of the set of instructions includes one or more instruction IDs associated with a time-to-live (TTL) that indicates when the one or more instructions will no longer be recognized by the recipient.
  - 13. The method of claim 12, wherein the TTL of at least one of the instruction IDs that is mapped to one or more operations that are high-risk is substantially less than the TTL of at least one of the instruction IDs that is mapped to one or more operations that are low-risk.
  - 14. The method of claim 1, wherein the at least one instruction ID of the set of instructions includes one or more instruction IDs associated with user privilege data indicating a privilege level required of the user in order for the one or more operations mapped to the one or more instruction IDs to be performed in response to a request by the user.
  - 15. The method of claim 1, further comprising:
    - detecting a second message;
      
      validating the second message using the cryptographic construct data;
      
      identifying a second set of one or more operations corresponding to a second instruction ID determined from the second message; and
      
      performing the second set of operations.
  - 16. The method of claim 15, wherein:
    - the receiving of the set of instructions is by a first browser frame provided by a client,the recipient is a second browser frame provided by the clientthe sending the first message is by the first browser frame, andthe second message is produced by the second browser frame.
  - 17. The method of claim 1, wherein the identifying the first instruction ID further comprises matching the first set of operations with the one or more operations mapped to the first instruction ID.
  - 18. The method of claim 1, wherein the cryptographic construct data includes a secret key and an HMAC function.
  - 19. The method of claim 15, wherein a first signature is generated by combining the first message with the secret key using the HMAC function and the first signature is sent to the recipient.

20. An apparatus comprising:
- at least one processor;
  
  a memory; and
  
  at least one communications interface, wherein;
  
  the at least one processor, the memory, and the at least one communications interface are communicatively connected with one another, andthe memory stores computer-executable instructions for controlling the at least one processor to;
  
  obtain authentication information of a user for a first domain and a second domain;
  
  receive a set of instructions and cryptographic construct data via the at least one communications interface, the set of instructions including information mapping one or more operations to at least one instruction ID;
  
  identify a first instruction ID from the set of instructions corresponding to a first set of one or more operations;
  
  generate a first message using the cryptographic construct data; and
  
  send the first message to a recipient via the at least one communications interface.

21. A non-transitory, machine-readable medium storing computer-executable instructions for controlling at least one processor to:
- obtain authentication information of a user for a first domain and a second domain;
  
  receive a set of instructions and cryptographic construct data via at least one communications interface, the set of instructions including information mapping one or more operations to at least one instruction ID;
  
  identify a first instruction ID from the set of instructions corresponding to a first set of one or more operations;
  
  generate a first message using the cryptographic construct data; and
  
  send the first message to a recipient via the at least one communications interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
O'Connor, Brendan, Gluck, Yoel

Granted Patent

US 8,904,166 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 9/3242   involving keyed hash functi...

SECURE CLIENT-SIDE COMMUNICATION BETWEEN MULTIPLE DOMAINS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE CLIENT-SIDE COMMUNICATION BETWEEN MULTIPLE DOMAINS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links