Enhanced security for applications employing downloadable executable content

US 6,301,661 B1
Filed: 06/19/1999
Issued: 10/09/2001
Est. Priority Date: 02/12/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for enhanced security for a remote login, comprising:

providing a client;

providing a gateway adapted for communication with the client;

providing an authentication server adapted for communication with the gateway;

providing authentication information from the client to the gateway;

obtaining from the authentication server client-authenticating information;

encoding the client-authenticating information;

providing the encoded client-authenticating information from the gateway to the client;

providing remote login information and the encoded client-authenticating information from the client to the gateway; and

using the remote login information and the encoded client-authenticating information to provide downloadable executable content to the client.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and computer network for enhanced security for applications using downloadable executable content is described. More particularly, a client is operatively coupled to an authentication server and a remote host through a gateway. In an initial login session, authentication information is provided from the client to the gateway for obtaining client-authenticating credentials from the authentication server. These client-authenticating credentials may be encoded to be in a form of a data string and provided to the client, for example as the value of an HTTP cookie. The encoded data string may be provided to the client as one or more parameter values. These parameter values may be employed along with requested downloadable executable content, such as one or more Java classes, for running on the client. The Java classes may communicate the parameter values to an execution server of the gateway for decoding the encoded data string in order to extract the client-authenticating credentials therefrom. These client-authenticating credentials may then be used to obtain from the authentication server one or more keys and/or other authenticating credentials to establish a remote login session or other interactive communication with the remote host.

Citations

55 Claims

1. A method for enhanced security for a remote login, comprising:
- providing a client;
  
  providing a gateway adapted for communication with the client;
  
  providing an authentication server adapted for communication with the gateway;
  
  providing authentication information from the client to the gateway;
  
  obtaining from the authentication server client-authenticating information;
  
  encoding the client-authenticating information;
  
  providing the encoded client-authenticating information from the gateway to the client;
  
  providing remote login information and the encoded client-authenticating information from the client to the gateway; and
  
  using the remote login information and the encoded client-authenticating information to provide downloadable executable content to the client.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
3. The method of claim 2, wherein the encoded client-authenticating information is a Hypertext Transport Protocol (HTTP) cookie, and wherein the application is web browser.

4. A method for enhanced security for a remote login, comprising:
- providing a client workstation;
  
  providing a web server in communication with the client workstation;
  
  establishing enciphered communication between the client workstation and the web server;
  
  providing login information from the client workstation to the web server;
  
  invoking by the web server a service interface;
  
  providing the login information to an initialization client using the service interface;
  
  providing client-identifying information associated with the login information to the authentication server;
  
  obtaining from the authentication server client-authenticating information in response to the client-identifying information provided;
  
  encoding the client-authenticating information;
  
  enciphering the encoded client-authenticating information;
  
  providing the enciphered encoded client-authenticating information from the web server to the client workstation as a character data string;
  
  providing remote login information and the character data string from the client to the gateway;
  
  using the remote login information and the character data string to provide downloadable executable content to the client workstation; and
  
  operating an application on the client workstation using the downloadable executable content.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The method of claim 4, wherein the web server is a portion of a gateway, the gateway comprising at least one programmed computer having an operating system and web server software.
  - 6. The method of claim 5, wherein the client workstation and the web server are operatively coupled via an insecure network.
  - 7. The method of claim 6, wherein the initialization client and the authentication server are operatively coupled via an insecure network.
  - 8. The method of claim 7, wherein the insecure network is a portion the Internet.

9. A method for enhanced security for an application using downloadable executable content in a computer network, the method comprising:
- providing the computer network with a first and a second client, and a first and a second server;
  
  operatively coupling the first client to the first server;
  
  establishing enciphered communication between the first client and the first server using a first security protocol;
  
  providing login information from the first client to the first server;
  
  invoking a service interface with the first server;
  
  providing the login information to the second client using the service interface;
  
  operatively coupling the second client to the second server;
  
  providing client-identifying information associated with the login information to the second server;
  
  providing to the second client client-authenticating information from the second server in response to the client-identifying information provided;
  
  encoding the client-authenticating information with the service interface;
  
  enciphering the encoded client-authenticating information with the first server; and
  
  providing the enciphered encoded client-authenticating information from the first server to the first client as a character data string.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the character data string is a value of a Hypertext Transport Protocol (HTTP) cookie.
  - 11. The method of claim 10, wherein the client identification information comprises a portion of the login information.
  - 12. The method of claim 10, wherein the first client comprises a first computer having a web browser, and the first server comprises a second computer having a web server.
  - 13. The method of claim 12, wherein the first security protocol is a Secure Sockets Layer protocol, and wherein the second security protocol comprises at least a portion of a Kerberos protocol.
  - 14. The method of claim 13, wherein the first client and the first server are operatively coupled via an insecure network, and the second server and the second client are operatively coupled via the insecure network.
  - 15. The method of claim 14, wherein the insecure network is a portion of the Internet.

16. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client workstation, the client workstation comprising a programmed computer having a web browser;
  
  providing a gateway, the gateway comprising another programmed computer having a web server;
  
  operatively coupling the web browser to the web server using a World Wide Web network;
  
  exchanging information between the web browser and the web server using a protocol stack;
  
  establishing enciphered communication between the web browser and the web server using a security layer of the protocol stack;
  
  providing login information from the web browser to the web server;
  
  invoking by the web server a service interface;
  
  providing the login information to a initialization client using the service interface;
  
  operatively coupling the initialization client to an authentication server;
  
  providing client-identifying information associated with the login information to the authentication server;
  
  providing client-authenticating information to the initialization client in response to the client-identifying information provided to the authentication server;
  
  encoding the client-authenticating information with the service interface;
  
  enciphering the encoded client-authenticating information; and
  
  providing the enciphered encoded client-authenticating information from the web server to the web browser as a value of a Hypertext Transport Protocol (HTTP) cookie.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method of claim 16, wherein the initialization client is a Kerberos initialization client.
  - 18. The method of claim 17, wherein the login information comprises a Kerberos user principal name and a Kerberos user password, and the client-identifying information comprises a Kerberos user principal name.
  - 19. The method of claim 16, wherein the service interface is a Common Gateway Interface service interface process.
  - 20. The method of claim 16, wherein the client-authenticating information is American Standard Code for Information Interchange (ASCII) encoded.
  - 21. The method of claim 16, wherein the client-authenticating information is Uniform Resource Locator (URL) encoded.
  - 22. The method of claim 16, wherein the client-authenticating information is American Standard Code for Information Interchange (ASCII) and Uniform Resource Locator (URL) encoded.
  - 23. The method of claim 16, further comprising the step of temporarily storing the client-authenticating information.

24. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client, the client comprising a computer having a web browser and a data character string temporarily stored in the client, the data character string comprising client-authenticating information from a prior login session;
  
  providing a gateway, the gateway comprising another computer having a web server and comprising an archive of programs, the gateway and the client using a security protocol for enciphered communication;
  
  providing remote login data and the client-authenticating information from the client to the gateway;
  
  invoking by the gateway a service interface;
  
  providing the remote login data and the client-authenticating information to the service interface;
  
  providing from the service interface at least one determined parameter value associated with the remote login data and the client-authenticating information;
  
  providing the at least one determined parameter value from the gateway to the client;
  
  requesting by the client at least one program from the archive of programs;
  
  providing to the client the at least one program requested from the archive; and
  
  operating a virtual machine on the client using the at least one parameter value and the at least one program.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein the remote login data comprises at least one remote host name and at least one remote user name.
  - 26. The method of claim 24, wherein the remote login data comprises at least one pair of remote host and user names.
  - 27. The method of claim 24, wherein the remote login data comprises a single remote user name and a plurality of remote host names.

28. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client, the client comprising a computer having a web browser and a data character string temporarily stored at the client, the data character string comprising client-authenticating information from a prior login session, the data character string representing a value of a Hypertext Transport Protocol cookie;
  
  providing a gateway, the gateway comprising another computer having a web server operatively coupled to a Java classes archive, the web server and the browser using a security protocol for enciphered communication;
  
  providing remote login data and the client-authenticating information from the web browser to the web server;
  
  invoking a service interface by the web server;
  
  providing the remote login data and the client-authenticating information to the service interface;
  
  dynamically creating parameter values using the remote login data and the client-authenticating information provided to the service interface;
  
  providing the parameter values from the service interface to the web browser;
  
  providing a request from the web browser to the web server for a Java class download from the Java classes archive;
  
  providing to the web browser at least one Java class requested from the Java classes archive; and
  
  operating a Java virtual machine on the client using the parameter values and the at least one Java class requested.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, wherein the remote login data comprises at least one remote host name and at least one remote user name.
  - 30. The method of claim 28, wherein the remote login data comprises at least one pair of remote host and user names.
  - 31. The method of claim 28, wherein the remote login data comprises a single remote user name and a plurality of remote host names.

32. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client, the client comprising a computer having a web browser and a data character string temporarily stored at the client, the data character string comprising client-authenticating information from a prior login session, the data character string representing a value a Hypertext Transport Protocol cookie;
  
  providing a gateway, the gateway comprising another computer having a web server operatively coupled to a Java classes archive, the web server and the browser using a security protocol for enciphered communication;
  
  providing remote login data and the client-authenticating information from the web browser to the web server, the remote login data selected from at least one remote host name and at least one remote user name, at least one pair of remote host and user names, and a single remote user name and a plurality of remote host names;
  
  invoking a Common Gateway Interface (“
  
  CGI”
  
  ) service by the web server;
  
  providing the remote login data and the client-authenticating information to the CGI service;
  
  using the CGI service to dynamically create parameter values from the remote login data and the client-authenticating information provided thereto;
  
  providing the parameter values from the CGI service to the web server and then to the web browser;
  
  providing a request from the web browser to the web server for at least one Java class;
  
  providing from the web server to the web browser the at least one Java class requested from a Java classes archive; and
  
  operating a Java virtual machine on the client using the parameter values and the at least one Java class, the Java virtual machine comprising a Java applet.
- View Dependent Claims (33)
- - 33. The method of claim 32, wherein the parameter values provided from the CGI service are sent in a Hypertext Markup Language (“
    - HTML”
      
      ) document, the HTML document comprising a reference to the at least one Java class.

34. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client, the client comprising a programmed computer having the downloadable executable content, the downloadable executable content comprising encoded client-authenticating information from a prior login session;
  
  providing a gateway, the gateway comprising an execution server and a remote login client, the execution server and the downloadable executable content using a security protocol for enciphered communication over an insecure network;
  
  invoking by the execution server a first interface;
  
  providing remote login data and the encoded client-authenticating information from the downloadable executable content to the execution server and to the first interface;
  
  providing a name from the execution server to the first interface;
  
  invoking with the first interface a second interface associated with the name;
  
  providing the encoded client-authenticating information and the remote login data from the first interface to the second interface;
  
  decoding the encoded client-authenticating information to provide decoded client-authenticating information;
  
  invoking with the second interface a remote login client;
  
  providing the decoded client-authenticating information to the remote login client; and
  
  using the remote login client to obtain a previously created key and a previously created credential from the client-authenticating information.
- View Dependent Claims (35, 36)
- - 35. The method of claim 34, further comprising:
36. The method of claim 35, further comprising:
- establishing enciphered communication with a remote host over the insecure network;
  
  providing the remote login data from the remote login client to a remote login server of the remote login host; and
  
  using the remote login data provided to establish a bi-directional data path between the remote login host and the client through the gateway;
  
  wherein the bi-directional data path comprises enciphered communication over the insecure network between the client and the gateway and between the gateway and the remote host.

37. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client, the client comprising a programmed computer having the downloadable executable content, the downloadable executable content comprising encoded client-authenticating information from a prior login session and comprising terminal emulation;
  
  providing a gateway, the gateway comprising an execution server and a remote login client, the execution server and the downloadable executable content using a security protocol for enciphered communication over an insecure network;
  
  executing by the execution server a pseudo-terminal interface;
  
  providing remote login data and the encoded client-authenticating information from the downloadable executable content to the execution server and to the pseudo-terminal interface;
  
  providing a shell service interface name from the execution server to the pseudo-terminal interface;
  
  executing by the pseudo-terminal interface a shell service interface;
  
  providing the encoded client-authenticating information and the remote login data from the pseudo-terminal interface to the shell service interface;
  
  decoding the encoded client-authenticating information to provide decoded client-authenticating information;
  
  temporarily storing the decoded client-authenticating information;
  
  executing by the shell service interface a remote login client;
  
  providing the client-authenticating information stored to the remote login client; and
  
  using the remote login client to obtain a previously created ticket granting ticket and session key from the client-authenticating information.
- View Dependent Claims (38, 39)
- - 38. The method of claim 37, further comprising:
39. The method of claim 38, further comprising:
- providing a connection request from the remote login client to a network service, the network service being a portion of a remote host;
  
  executing by the network service a remote login server;
  
  providing from the remote login client to the remote login server the server ticket and a third authenticator;
  
  receiving from the remote login server to the remote interactive login client a fourth authenticator;
  
  providing the remote login data from the remote login client to the remote login server; and
  
  accessing an access control list database with the remote login server using the remote login data to check for authorization; and
  
  executing by the remote login server an interactive command shell.

40. A method for enhanced security for an application using downloadable executable content in a computer network, comprising:
- providing a client, the client comprising a computer having a Java applet, the Java applet comprising encoded client-authenticating information from a prior login session and comprising terminal emulation;
  
  providing a gateway, the gateway comprising an execution server and a remote interactive login client, the execution server and the Java applet using a security protocol for enciphered communication over an insecure network;
  
  executing by the execution server a pseudo-terminal interface;
  
  providing remote login data and the encoded client-authenticating information from the Java applet to the execution server;
  
  providing a shell service interface name from the execution server to the pseudo-terminal interface;
  
  executing by the pseudo-terminal interface a shell service interface;
  
  providing the remote login data and the encoded client-authenticating information from the execution server and to the pseudo-terminal interface;
  
  providing the encoded client-authenticating information and the remote login data from the pseudo-terminal interface to the shell service interface;
  
  decoding the encoded client-authenticating information to provide decoded client-authenticating information;
  
  temporarily storing the decoded client-authenticating information;
  
  executing by the shell service interface a remote interactive login client;
  
  providing the decoded client-authenticating information stored to the remote interactive login client; and
  
  using the remote interactive login client to obtain a previously created ticket granting ticket and key distribution center (“
  
  KDC”
  
  ) session key from the decoded client-authenticating information.
- View Dependent Claims (41, 42)
- - 41. The method of claim 40, further comprising:
42. The method of claim 41, further comprising:
- providing a connection request from the remote interactive login client to a network service, the network service being a portion of a remote host;
  
  executing by the network service a remote interactive login server;
  
  providing from remote interactive login client to remote interactive login server the server ticket and a third authenticator;
  
  receiving from remote interactive login server to remote interactive login client a fourth authenticator;
  
  providing the remote interactive login data from the remote interactive login client to the remote interactive login server; and
  
  accessing an access control list database by the remote interactive login server using the remote interactive login data to check for authorization; and
  
  executing by the remote interactive login server an interactive command shell.

43. A computer network for enhanced security for an application using downloadable executable content, comprising:
- a client, the client comprising a first programmed computer, the first programmed computer having first authentication means for authenticating the client;
  
  a gateway, the gateway comprising a second programmed computer, the second programmed computer comprising an execution server, a pseudo-terminal interface and a remote interactive login client, the gateway and the client having enciphering means for enciphered communication therebetween, the gateway having extracting means for obtaining at least a portion of the first authentication means;
  
  a first data link means for operatively coupling the client to the gateway for electrical communication therebetween;
  
  an authentication server, the authentication server comprising a third programmed computer, the authentication server second authentication means for authenticating the client using the at least a portion of the first authenticating means and to provide a remote login session credential;
  
  a second data link means for operatively coupling the gateway to the authentication server for electrical communication therebetween;
  
  a remote host, the remote host comprising a fourth programmed computer, the fourth programmed computer comprising a remote login server and an interactive command interface, the remote host having receiving means to receive the remote login session credential, having enciphering means for enciphered communication with the gateway and having authorization means to determine authorization status of the client; and
  
  a third data link means for operatively coupling the gateway to the remote host for electrical communication therebetween.

44. A computer network for enhanced security for an application using downloadable executable content, comprising:
- a client, the client comprising a first programmed computer, the first programmed computer comprising downloadable executable content, the downloadable executable content configured with client-authenticating information;
  
  a gateway, the gateway comprising a second programmed computer, the second programmed computer comprising an execution server, a pseudo-terminal interface and a remote interactive login client, the gateway and the client configured for enciphered communication therebetween, the gateway configured for extracting at least a portion of the client-authenticating information;
  
  a first data link configured for operatively coupling the client to the gateway for electrical communication therebetween;
  
  an authentication server, the authentication server comprising a third programmed computer, the authentication server configured to authenticate the client using the at least a portion of the client-authenticating information and to provide the remote login session credential in response to authentication of the client;
  
  a second data link configured for operatively coupling the gateway to the authentication server for electrical communication therebetween;
  
  a remote host, the remote host comprising a fourth programmed computer, the fourth programmed computer comprising a remote login server and an interactive command interface, the remote host configured to receive the remote login session credential for enciphered communication with the gateway and to determine authorization of the client; and
  
  a third data link configured for operatively coupling the gateway to the remote host for electrical communication therebetween.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 45. The computer network of claim 44, further comprising at least one security protocol for enciphered communication over the first, the second and the third data link.
  - 46. The computer network of claim 45, wherein the first, the second and the third data link comprise at least a portion of the Internet, and wherein the first computer comprises a web browser.
  - 47. The computer network of claim 44, further comprising at least two security protocols for enciphered communication over the first, the second and the third data link, the first, the second and the third data link forming a portion of an insecure network.
  - 48. The computer network of claim 47, wherein the downloadable executable content comprises a Java applet.
  - 49. The computer network of claim 47, wherein the second computer comprises a shell service interface for communication with the remote interactive login client.
  - 50. The computer network of claim 49, wherein the second computer comprises a certificate database to support enciphered communication with the client.
  - 51. The computer network of claim 50, wherein the second computer comprises volatile memory for temporary storing the client-authenticating information.
  - 52. The computer network of claim 47, wherein the third computer comprises a key distribution center and Kerberos database for the authentication.
  - 53. The computer network of claim 47, wherein the fourth computer comprises a network service configured for communication with the remote interactive login client.
  - 54. The computer network of claim 53, wherein the fourth computer comprises an access control list database and a key database.
  - 55. The computer network of claim 54, wherein the interactive command interface is an interactive command shell.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hanger Solutions, LLC (IP Investments Group LLC)
Original Assignee
Verizon Laboratories Incorporated (Verizon Communications Inc.)
Inventors
Shambroom, W. David
Primary Examiner(s)
Swann, Tod
Assistant Examiner(s)
Smithers, Matthew

Application Number

US09/336,557
Time in Patent Office

843 Days
Field of Search

713/153, 713/155, 713/156, 713/162, 713/168, 713/170, 713/200, 713/201, 713/202, 713/184
US Class Current

713/168
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

G06F 2211/007   Encryption, En-/decode, En-...

H04L 2209/60   Digital content management,...

H04L 2463/062   applying encryption of the ...

H04L 63/0442   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/40   Network security protocols

Enhanced security for applications employing downloadable executable content

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced security for applications employing downloadable executable content

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links