Method enabling secure access by a station to at least one server, and device using same

US 6,657,956 B1
Filed: 11/05/1997
Issued: 12/02/2003
Est. Priority Date: 03/07/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A process for protecting accesses, through a network, to at least one application server, an access originating from a user station, using a multisession, multiport telecommunication protocol to establish an application session between the user station and an application server, said process comprising the steps of:

interposing a security processor between the user station and the application server;

transmitting, from the user station towards the application server, an access request for establishing an application session with the application server;

establishing, between the user station and the security processor, a security session for running in parallel with the requested application session;

defining a security script for the parallel security session among a plurality of scripts;

providing the user station with access to the application server, under the control of the security processor running the parallel security session and using the defined security script, for establishing the requested application session in parallel with the security session; and

cyclically initiating security sessions as security checks on the application session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for protecting accesses to at least one server (30) is characterized in that it makes it possible to protect accesses originating from user stations (2) whose destination is at least one application server through a network (42) using a multisession, multiport telecommunication protocol, said process consisting of a step for the systematic establishment of a parallel security session between the user station (2) and a security processor (1) interposed between the user station to be protected during application sessions and the server or servers (30) to be protected and a step for the cyclic initiation of security sessions.

Citations

38 Claims

1. A process for protecting accesses, through a network, to at least one application server, an access originating from a user station, using a multisession, multiport telecommunication protocol to establish an application session between the user station and an application server, said process comprising the steps of:
- interposing a security processor between the user station and the application server;
  
  transmitting, from the user station towards the application server, an access request for establishing an application session with the application server;
  
  establishing, between the user station and the security processor, a security session for running in parallel with the requested application session;
  
  defining a security script for the parallel security session among a plurality of scripts;
  
  providing the user station with access to the application server, under the control of the security processor running the parallel security session and using the defined security script, for establishing the requested application session in parallel with the security session; and
  
  cyclically initiating security sessions as security checks on the application session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The process for protecting accesses to at least one application server according to claim 1, wherein the step of establishing a security session comprises:
3. The process for protecting accesses to at least one application server according to claim 2, wherein the security script associated with the requested application comprises directly establishing a link between the user station and the remote server chosen by the security processor.
4. The process for protecting accesses to at least one application server according to claim 1, wherein the defined security script stored in a table, makes possible a step of selecting at least one function from a group of security functions comprising user authentication, user identification, verification of user rights, certification, encryption key calculation, signature calculation, and verification of user profiles, wherein said at least one selected function provides selective access to the requested application session.
5. The process for protecting accesses to at least one application server according to claim 2, wherein the security processor stores a journal in a memory comprising at least two information elements selected from the group comprising sequential connection number, connection dates and beginning and end times, the source IP address and the at least one port number, an identifier of a security object user, name of the remote server chosen, the IP address and the port number, and execution rules.
6. The process for protecting accesses to at least one application server according to claim 2, wherein the security processor stores in a table of a memory a list of at least three information elements selected from the group comprising a list of applications processed by the processor, operations to be executed as a function of connection type, the plurality of security scripts, access rights of users as defined by a black list, a white list and a subscriber list, and schedules for authorizing access to remote servers.
7. The process for protecting accesses to at least one application server according to claim 3, wherein the security processor stores a journal in a memory comprising at least two information elements selected from the group comprising sequential connection number, connection dates and beginning and end times, the source IP address and the at least one port number, an identifier of a security object used, name of the remote server chosen, the destination IP address and the port number, and execution rules.
8. The process for protecting accesses to at least one application server according to claim 4, wherein the security processor stores a journal in a memory comprising at least two information elements selected from the group comprising sequential connection number, connection dates and beginning and end times, the source IP address and the at least one port number, an identifier of a security object used, name of the remote server chosen, the IP address and the port number, and execution rules.
9. The process for protecting accesses to at least one application server according to claim 3, wherein the security processor stores in a second table of a memory a list of at least three information elements selected from a group comprising a list of applications processed by the processor, operations to be executed as a function of connection type, the plurality of security scripts, access rights of users as defined by a black list, a white list and a subscriber list, and schedules for authorizing access to remote servers.
10. The process for protecting accesses to at least one application server according to claim 4, wherein the security processor stores in a second table of a memory a list of at least three information elements selected from the group comprising a list of applications processed by the processor, operations to be executed as a function of connection type, the plurality of security scripts, access rights of users as defined by a black list, a white list and a subscriber list, and schedules for authorizing access to remote servers.
11. The process for protecting accesses to at least one application server according to claim 5, wherein the security processor stores in a second table of a memory a list of at least three information elements selected from the group comprising a list of applications processed by the processor, operations to be executed as a function of connection type, the plurality of security scripts, access rights of users as defined by a black list, a white list and a subscriber list, and schedules for authorizing access to remote servers.
12. The process for protecting accesses to at least one application server according claim 3, additionally comprising the step of installing security software in the security processor, wherein an installer defines, in an initialization file a security delay which allows the security processor to close a security connection established with the user station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and an application connection established with the user station if there have been no data exchanges in the application connection since the defined inactivity delay.
13. The process for protecting accesses to at least one application server according claim 4, further comprising installing security software in the security processor, wherein an installer defines, in an initialization file a security delay which allows the security processor to close a security connection established with the user station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and an application connection established with a the user station if there have been no data exchanges in the application connection since the defined inactivity delay.
14. The process for protecting accesses to at least one application server according claim 5, further comprising installing security software in the security processor, wherein an installer defines, in an initialization file a security delay which allows the security processor to close a security connection established with the user station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and an application connection established with the user station if there have been no data exchanges in the application connection since the defined inactivity delay.

15. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts;
  
  wherein the step of systematically establishing a security session comprises;
  
  transmitting by the station through the network of a source IP address and at least one port number associated with the application requested by the station;
  
  searching by the security processor for the security script associated with the application;
  
  establishing the security session between the security processor and the station;
  
  searching by the security processor in a local file of the processor for the name and address of a remote server used for the application; and
  
  opening a connection with the at least one remote server by communicating an IP address and a port number, wherein the security processor stores in a second table of a memory a list of at least three information elements including the applications processed by the processor, the operations to be executed as a function of the connection type, the security scripts to be implemented, the access rights of the users as defined by a black list, a white list and a subscriber list, and the schedules for the authorization of access to the remote servers.

16. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts, wherein the security script associated with an application comprises the step of directly establishing the link between the station and the remote server chosen by the security processor.

17. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts;
  
  wherein the step of systematically establishing a security session comprises;
  
  transmitting by the station through the network of a source IP address and at least one port number associated with the application requested by the station;
  
  searching by the security processor for the security script associated with the application;
  
  establishing the security session between the security processor and the station;
  
  searching by the security processor in a local file of the processor for the name and address of a remote server used for the application; and
  
  opening a connection with the at least one remote server by communicating an IP address and a port number, wherein the security script to be implemented, defined in a stored table, makes possible a choice of at least one security function selected from a group of security functions including user authentication, user identification, verification of the user'"'"'s rights, certification, encryption key calculation, signature calculation, verification of user profiles, said at least one security function to provide selective access to applications requested from the server.

18. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts;
  
  wherein the step of systematically establishing a security session comprises;
  
  transmitting by the station through the network of a source IP address and at least one port number associated with the application requested by the station;
  
  searching by the security processor for the security script associated with the application;
  
  establishing the security session between the security processor and the station;
  
  searching by the security processor in a local file of the processor for the name and address of a remote server used for the application; and
  
  opening a connection with the at least one remote server by communicating an IP address and a port number, wherein the security processor stores a journal in a memory comprising at least two information elements including a sequential connection number, the connection dates and beginning and end times, the source IP address and at least one port number, the identifier of the security object used, the name of the remote server chosen, the destination IP address and port number, and the execution rules.

19. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts, wherein the security script to be implemented, defined in a stored table, makes possible the step of selecting at least one function from a group of security functions including data display and capture, source and destination IP address verification, access control by password, and access control by a smart card, wherein said access control makes possible execution of an identification of a cardholder.

20. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts;
  
  wherein the step of systematically establishing a security session comprises;
  
  transmitting by the station through the network of a source IP address and at least one port number associated with the application requested by the station;
  
  searching by the security processor for the security script associated with the application;
  
  establishing the security session between the security processor and the station;
  
  searching by the security processor in a local file of the processor for the name and address of a remote server used for the application and;
  
  opening a connection with the at least one remote server by communicating an IP address and a port number, wherein the security script to be implemented, defined in a stored table, makes possible the step of selecting at least one function from a group of security functions including data display and capture, source and destination IP address verification, access control by password, and access control by a smart card, wherein said access control makes possible execution of an identification of a cardholder.

21. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server;
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts; and
  
  installing security software in the security processor, wherein an installer defines, in an initialization file a security delay which allows the security processor to close a security connection established with a client station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and the application connections established with a client station if there have been no data exchanges in the application connections since the defined inactivity delay.

22. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server; and
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts;
  
  wherein the step of systematically establishing a security session comprises the following steps;
  
  transmitting by the station through the network of a source IP address and at least one port number associated with the application requested by the station;
  
  searching by the security processor for the security script associated with the application;
  
  establishing the security session between the security processor and the station;
  
  searching by the security processor in a local file of the processor for the name and address of a remote server used for the application;
  
  opening a connection with the at least one remote server by communicating an IP address and a port number; and
  
  installing security software in the security processor, wherein an installer defines, in an initialization file a security delay which allows the security processor to close a security connection established with a client station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and the application connections established with a client station if there have been no data exchanges in the application connections since the defined inactivity delay.

23. A process for protecting accesses originating from a user station whose destination is at least one application server through a network using a multisession, multiport telecommunication protocol, said process comprising:
- systematically establishing a parallel security session between the user station and a security processor interposed between the user station to be protected during application sessions and the at least one application server;
  
  cyclically initiating security sessions, wherein a security script of the parallel security session is defined among a plurality of scripts, wherein the security processor stores in a second table of a memory a list of at least three information elements including the applications processed by the processor, the operations to be executed as a function of the connection type, the security scripts to be implemented, the access rights of the users as defined by a black list, a white list and a subscriber list, and the schedules for the authorization of access to the remote servers; and
  
  installing security software in the security processor, wherein an installer defines, in an initialization file a security delay which allows the security processor to close a security connection established with a client station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and the application connections established with a client station if there have been no data exchanges in the application connections since the defined inactivity delay.

24. Equipment which enables a process for protecting accesses to at least one application server through a network, resulting from access requests for an application session originating from a user station, using a multisession, multiport telecommunication protocol, said equipment comprising:
- a user station having security software for managing data exchanges with at least one portable object and at least one portable object reader associated with the user station, and data exchanges with a security processor using a multisession, multiport communication protocol; and
  
  a security processor, comprising a communications controller arranged for controlling a communications establishing device, said security processor being arranged for running, in parallel, two communications sessions with the user station, a first session of said two sessions being a security session used by the communications controller to control a second session of said two sessions, the second session being an application session established by the communications establishing device.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 25. Equipment according to claim 24, wherein the communications establishing device and the communications controller comprise one of a first establishing device for establishing direct communication between the user station and the at least one application server and a second establishing device for establishing communication between the user station and the at least one application server after a security session controlled by a security device is established, said security device comprising a microprocessor equipped with memory required for its operation and which communicates with security control modules SAM which enables security scripts to be interpreted, as determined by a main processor which executes communication server programs and security engine programs.
  - 26. Equipment according to claim 25, wherein during installation of the security software in the security processor, an installer defines, in an initialization file, a security delay which allows the security processor to close a security connection established with the user station if there has been no application connection since the defined security delay, and an inactivity delay which allows the processor to close the security connection and an application connection established with the user station if there have been no data exchanges in the application connection since the defined inactivity delay.
  - 27. Equipment according to claim 25, wherein the communications establishing device includes two telecommunication cards, a first card linked to the user station, a second card linked to at least one server, said communications establishing device being arranged to communicate with the user station and a server using the multisession, multiport communication protocol.
  - 28. Equipment according to claim 25, further comprising a mechanism, said mechanism configured for defining, among a plurality of scripts, a script for the security session, and a mechanism for cyclically performing said security session.
  - 29. Equipment according to claim 24, wherein the communications establishing device is comprised of two telecommunication cards, a first card linked to the user station, a second card linked to at least one application server, said communications establishing device being arranged to communicate with the user station and the server using the multisession, multiport communication protocol.
  - 30. Equipment according to claim 28, wherein the mechanism configured for defining a script comprises a table of correspondence between the requested application and at least the defined security script.
  - 31. The device according to claim 30, wherein the security script to be implemented executes at least one operation selected from a group of operations including data display and capture source and destination IP address verification;
    - access control by password;
      
      access control by means of a smart card for executing an identification of the cardholder, an authentication using a SAM security module, an encryption, a signature, a certificate calculation, a reading and writing of information, a card removal check, and verification of a user'"'"'s rights to access a remote server in black lists, white lists, and subscriber lists;
      
      verification of rights to use various services of the TCP/IP telecommunication protocol; and
      
      verification of date and time slot authorized for the user or for access to a chosen machine.
  - 32. Equipment according to claim 31, wherein the access rights and lists constitute part of a table saved in a mass memory of the security process.
  - 33. Equipment according to claim 31, wherein authorized date and time slot for a user are stored in a table which includes time slots in columns and identities of users or user stations in rows.
  - 34. Equipment according to claim 30, wherein the plurality of security scripts is chosen as a function of a port number of the requested application, wherein said port number and associated script information is stored in a file which constitutes part of the table in the mass memory of the security processor.
  - 35. Equipment according to claim 34, wherein the defined security script comprises a verification mechanism configured to periodically verify that a user of the user station has been cleared by requesting a card in the user station to execute electronic data (random number) signatures chosen by the defined security script.
  - 36. Equipment according to claim 29, further comprising a mechanism, said mechanism configured for defining, among a plurality of scripts, a script of the security session, and a mechanism for cyclically performing said security session.
  - 37. Equipment according to claim 24, wherein the communications controller comprises a security engine which triggers operation of a security application card of the security processor, enabling security functions to be implemented, the security engine making it possible to configure the security network, to define a list of applications processed by the security processor, to define operations executed, to define the plurality of security scripts, and to define access rights of users and authorization schedules.
  - 38. The device according to claim 24, wherein the security processor is arranged for choosing the application server as a function of an application requested by the user station.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CP8 Technologies (Thales SA)
Original Assignee
Bull CP8 (SLB)
Inventors
Sigaud, Alain
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
Duong, Frank

Application Number

US08/930,122
Time in Patent Office

2,218 Days
Field of Search

370/230, 370/231, 370/235, 370/401, 370/402, 380/4, 380/25, 380/50, 709/201, 709/202, 709/203, 709/228, 709/229, 713/150, 713/151, 713/153, 713/159, 713/161
US Class Current

370/230
CPC Class Codes

H04L 63/0209 Architectural arrangements,...

H04L 67/14 Session management for real...

Method enabling secure access by a station to at least one server, and device using same

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method enabling secure access by a station to at least one server, and device using same

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links