System for providing secure remote command execution network
Abstract
A method and apparatus is disclosed for enhancing the security of a message sent through a network server from a client computer to a destination server. A secure connection for receiving and transmitting data is established between the client computer and the network server. Using client-identifying information and a secure authentication protocol, the network server may then obtain client-authentication information from a validation center. The client-authentication information is transmitted to the client and erased from the network server. The network server then receives the client-authenticating information back from the client with an accompanying message for the destination server. The network server may use the client-authenticating information to obtain permission data from the validation center for use in accessing the destination server.
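The abstract describes a three-party flow in which the network server acts as a gateway that never keeps the client's credentials: it logs the client in to the validation center, hands the resulting ticket back to the client, erases it, and only later redeems the ticket the client sends back (together with the command) for permission to reach the destination server. The following is an added example, not code from the patent or any product it describes, that models that flow with a toy key distribution center in Python's standard library. The principal names, the password, the expiry window and the HMAC-based `seal`/`open_sealed` scheme are all constructed stand-ins for real Kerberos ticket encryption; the point it shows is that the gateway holds no credential state between requests and that credentials missing the session key are rejected by the KDC.

```python
"""Toy model of the gateway flow in the abstract: login via the gateway, credentials
returned to the client and dropped, later redeemed for a service ticket.
Added example; names, keys and the sealing scheme are constructed, not Kerberos."""
import hashlib
import hmac
import json
import secrets
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key (toy stand-in for ticket encryption)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; any wrong key or tampering is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket rejected: bad integrity tag")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def password_key(password: str) -> bytes:
    # Constructed password-to-key derivation; a real KDC uses a salted string-to-key function.
    return hashlib.sha256(b"toy-salt" + password.encode()).digest()


class KDC:
    """The validation center / key distribution center. Holds every principal's long-term key."""
    def __init__(self):
        self.keys = {"alice": password_key("correct horse"),          # constructed user
                     "krbtgt": secrets.token_bytes(32),               # ticket-granting service
                     "shell/dest.example": secrets.token_bytes(32)}   # constructed destination

    def as_exchange(self, principal: str) -> tuple:
        """AS exchange: TGT sealed under the TGS key, session key sealed under the user's key."""
        session = secrets.token_hex(16)
        tgt = seal(self.keys["krbtgt"], {"client": principal, "session": session, "exp": time.time() + 600})
        return tgt, seal(self.keys[principal], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, target: str) -> tuple:
        """TGS exchange: a valid TGT plus an authenticator under its session key earns a service ticket."""
        inner = open_sealed(self.keys["krbtgt"], tgt)
        if inner["exp"] < time.time():
            raise ValueError("TGT expired")
        auth = open_sealed(bytes.fromhex(inner["session"]), authenticator)
        if auth["client"] != inner["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = secrets.token_hex(16)
        ticket = seal(self.keys[target], {"client": inner["client"], "session": svc_session})
        return ticket, seal(bytes.fromhex(inner["session"]), {"session": svc_session})


class NetworkServer:
    """The gateway: no credential attribute is ever stored on it (the erase step of the abstract)."""
    def __init__(self, kdc: KDC):
        self.kdc = kdc

    def login(self, user: str, password: str) -> dict:
        # Password arrives over the first-type-secure channel (SSL in the claims), is used once, and is dropped.
        tgt, enc_session = self.kdc.as_exchange(user)
        session = open_sealed(password_key(password), enc_session)["session"]
        return {"client": user, "tgt": tgt.hex(), "session": session}  # credentials cache handed to the client

    def relay(self, creds: dict, target: str, destination, message: str) -> str:
        # Client sends its credentials back with the message; the gateway redeems them on its behalf.
        session = bytes.fromhex(creds["session"])
        auth = seal(session, {"client": creds["client"], "ts": time.time()})
        ticket, enc_svc = self.kdc.tgs_exchange(bytes.fromhex(creds["tgt"]), auth, target)
        svc_session = bytes.fromhex(open_sealed(session, enc_svc)["session"])
        return destination.handle(ticket, seal(svc_session, {"client": creds["client"], "message": message}))


class DestinationServer:
    """Runs the validation program of claim 2: ticket and message must name the same client."""
    def __init__(self, kdc: KDC, name: str):
        self.key = kdc.keys[name]  # constructed: the host's long-term key as provisioned by the KDC

    def handle(self, ticket: bytes, ap_req: bytes) -> str:
        t = open_sealed(self.key, ticket)
        req = open_sealed(bytes.fromhex(t["session"]), ap_req)
        if req["client"] != t["client"]:
            raise ValueError("request client does not match ticket")
        return f"{t['client']} ran: {req['message']}"  # execution is simulated


def run_demo() -> dict:
    kdc, target = KDC(), "shell/dest.example"
    gateway, dest = NetworkServer(kdc), DestinationServer(kdc, target)
    creds = gateway.login("alice", "correct horse")          # credentials go back to the client
    ok = gateway.relay(creds, target, dest, "uptime")        # client returns them with a command
    try:                                                     # TGT bytes without the session key are useless
        gateway.relay(dict(creds, session=secrets.token_hex(16)), target, dest, "uptime")
        rejected = "accepted"
    except ValueError as exc:
        rejected = str(exc)
    return {"ok": ok, "rejected": rejected, "gateway_attrs": sorted(vars(gateway))}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns the executed command string, the KDC's rejection of credentials that lack the session key, and the gateway's attribute list, which contains only its KDC handle: nothing client-specific survives on the network server between the login and the relay, which is the property the abstract and claim 3 are after.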
13 Claims
1. A system having a key distribution center and having improved security for a message sent over an insecure network from a client computer to a destination server via a network server, the system comprising:
a security protocol interface configured to establish communication over the insecure network with a first type of security between the client computer and the network server;
an authentication protocol interface configured to obtain first client-authenticating information from the key distribution center and to provide the first client-authenticating information obtained to the network server to establish communication over the insecure network with a second type of security;
the network server configured to transmit the first client-authenticating information to the client computer;
the client computer configured to transmit the message and the first client-authenticating information to the network server; and
the network server configured to obtain permission from the key distribution center to access the destination server over the insecure network using second client-authenticating information.

2. [Claim preamble not captured on this page.] a validation program at the destination server configured to use the message and the second client-authenticating information to validate authorization of the client computer to access the destination server.

3. The system of claim 1, wherein the network server is configured to erase the first client-authenticating information from the network server after transmitting the first client-authenticating information to the client computer.

4. The system of claim 1, wherein the security protocol interface utilizes a secure sockets layer protocol.

5. The system of claim 1, wherein the second type of security is provided using a Kerberos protocol.

6. The system of claim 1, wherein the first client-authenticating information is stored in a credentials cache.

7. The system of claim 5, wherein the credentials cache is stored in non-volatile storage.

8. A network comprising a client computer, a key distribution center, and a destination computer capable of being operatively coupled to a network server of the network, the network comprising:
a client network interface of the network server configured to receive client-identifying information from the client computer;
a security protocol network interface of the network server configured to provide at least a portion of the client-identifying information to the key distribution center and to receive first client-authenticating information from the key distribution center;
a pass-through interface of the network server configured to transmit at least a portion of the client-identifying information and a portion of the first client-authenticating information to the client computer via the client network interface, the pass-through interface configured to receive the at least a portion of the client-identifying information and the portion of the first client-authenticating information in order to obtain second client-authenticating information from the key distribution center; and
a destination computer network interface of the network server configured to communicate with the destination computer using at least a portion of the second client-authenticating information.

[Claims 9 to 11: claim numbers and preambles not captured on this page; the claim bodies follow.]
a web server configured to receive the client-identifying information from the client computer;
a network server key data base, the network server key data base having a key, the key associated with a public-private key pair of a cryptographic algorithm;
a decryptor, the decryptor configured to decipher a session key generated and enciphered by the client computer using a public key of the public-private key pair of the cryptographic algorithm; and
an encryptor configured to encipher an authenticating message using the session key and the cryptographic algorithm.

12. The network of claim 8, wherein the client network interface uses at least in part a secure sockets layer protocol.

13. The network of claim 8, wherein the security protocol network interface uses at least a part of a Kerberos authentication protocol.
Specification