Method and apparatus for distributing, interpreting, and storing heterogeneous certificates in a homogenous public key infrastructure
Abstract
A connection is established between a server and a web browser having access to a first, trusted public key. The server downloads a digitally signed archive to the browser, the archive including a second public key. The browser verifies the digitally signed archive using the first public key, and stores the second public key in response to the verification. The browser then uses the stored second public key to authenticate the server and establish a secure connection with the server. The second public key and its chain of trust need not be known by the browser beforehand, and the archive may include program fragments that store the key in an area where the browser (or an applet running under the browser) can access and use it. The archive may also include a program fragment that performs certificate validation for the client—enabling the client to handle certificate types it does not know about. Advantages include allowing the archive to be transmitted over any insecure connection since it is integrity protected and authenticated; and allowing the client to make a direct connection to the server without having to access certificate stores on the platform.
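The flow the abstract describes, as an added example that is not code from the patent: a Go sketch that uses Ed25519 as a stand-in for the unspecified signature and key types, with the names SignedArchive, Client, the payload layout (applet bytes followed by the second public key) and the nonce-signature credential all assumed here. The point it shows is the ordering the claims insist on: nothing from the archive is acted on, and no key is stored, until the first key has verified the signature.

```go
package main
import (
	"crypto/ed25519"
	"errors"
	"fmt"
)
// SignedArchive stands in for the signed applet: applet bytes then the 32-byte second public key, signed with the first key.
type SignedArchive struct {
	Payload   []byte
	Signature []byte
}

// Client models the browser: first key known beforehand; key store filled only by a verified applet.
type Client struct {
	TrustedKey ed25519.PublicKey // first key, known before any download
	StoredKey  ed25519.PublicKey // second key, nil until an archive verifies
}

// BuildArchive is the server side: pack code and the second key, sign with the first key.
func BuildArchive(firstPriv ed25519.PrivateKey, code []byte, secondPub ed25519.PublicKey) SignedArchive {
	payload := append(append([]byte{}, code...), secondPub...)
	return SignedArchive{Payload: payload, Signature: ed25519.Sign(firstPriv, payload)}
}

// InstallArchive verifies with the first key before acting on anything in the archive; only then is the second key stored.
func (c *Client) InstallArchive(a SignedArchive) error {
	if len(a.Payload) < ed25519.PublicKeySize {
		return errors.New("archive too short to carry a key")
	}
	if !ed25519.Verify(c.TrustedKey, a.Payload, a.Signature) {
		return errors.New("archive signature invalid: applet not run, no key stored")
	}
	key := a.Payload[len(a.Payload)-ed25519.PublicKeySize:]
	c.StoredKey = ed25519.PublicKey(append([]byte(nil), key...))
	return nil
}

// AuthenticateServer checks the server's credential (signature over a client-chosen nonce) with the stored second key.
func (c *Client) AuthenticateServer(nonce, credential []byte) bool {
	return c.StoredKey != nil && ed25519.Verify(c.StoredKey, nonce, credential)
}

func main() {
	firstPub, firstPriv, _ := ed25519.GenerateKey(nil)   // browser's trusted (first) key pair
	secondPub, secondPriv, _ := ed25519.GenerateKey(nil) // server's (second) key pair
	c := &Client{TrustedKey: firstPub}
	fmt.Println("install:", c.InstallArchive(BuildArchive(firstPriv, []byte("applet"), secondPub)))
	nonce := []byte("client-nonce")
	fmt.Println("server authenticated:", c.AuthenticateServer(nonce, ed25519.Sign(secondPriv, nonce)))
}
```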
18 Claims
1. A method for establishing a secure network connection between a web browser on a client and a service, said web browser having a virtual machine, said web browser having access to a first key, said client web browser and virtual machine being of the type that downloads and executes applets while protecting against at least some client resources from being updated based on said applet execution, said method comprising:
- establishing an insecure network connection with said client web browser;
- downloading, over said insecure connection, at least one digitally signed applet to the client web browser, said at least one applet including: (a) a second key, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to use the stored second key to establish a secure network connection with said service;
- before the client virtual machine executes the digitally signed applet, verifying the digitally signed applet at the client using the first key;
- executing the downloaded applet code with the client virtual machine, thereby causing the client to store the second key corresponding to the service; and
- further executing said at least one applet to cause said at least one applet to use the stored second key to authenticate the service and establish the secure network connection with the service.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A web browser on a client for establishing a secure network connection with a service over a network, said client web browser including a virtual machine, said client web browser and virtual machine being of the type that download and execute applets while protecting against at least some resources of said client from being updated by said applet execution, said client comprising:
- an applet receiver that receives at least one digitally signed applet from the service over an insecure network connection, said at least one applet including: (a) a key, (b) code executable on the client virtual machine to cause the client to store the key, and (c) code executable on the client virtual machine to establish a secure network connection with said service, said applet being executed by the client virtual machine to cause the client to store the key delivered with the applet, the stored key allowing authentication between the client and the service;
- wherein the client web browser includes an applet verifier that, before executing the applet, verifies the digitally signed applet using a key different from the key delivered with the applet;
- wherein the client virtual machine further includes an applet executor that executes the applet, thereby controlling the client to store the key delivered with the applet, said delivered key corresponding to the server, and uses the stored delivered key to authenticate the server and establish a secure network connection between the client and the server.
10. A method for establishing a secure network connection with a web browser on a client, said client web browser including a virtual machine and having access to a first key, said client web browser and virtual machine being of the type that download and execute applets while protecting at least some of the client resources from being affected by said applet execution, the method comprising:
- downloading, over an insecure network connection, at least one executable applet to the client virtual machine, said at least one applet including: (a) a second key corresponding to the server, (b) code executable on the client virtual machine to cause the client to store the further key corresponding to the server, and (c) code executable on the client virtual machine to establish a secure network connection with said server, the digitally signed applet being digitally signed such that the client virtual machine can verify the digitally signed applet using the first key, the at least one digitally signed applet including the further key and code executable by the client virtual machine that controls the client virtual machine to store the further key;
- sending a digital credential to the client, said digital credential being verifiable by the client applet using the stored further key delivered with the at least one applet; and
- establishing a secure network communication with the executing client applet based on said digital credential as verified by the client applet.
Dependent claims: 11, 12, 13, 14, 15.
16. A server for establishing a secure network connection with a web browser on a client over a network, said client having resources including the web browser and a virtual machine, said client web browser and virtual machine being of the type that download and execute applets while protecting at least some of said client resources from being affected by said applet execution, said server comprising:
- an applet transmitter that transmits at least one digitally signed applet to the client over an insecure network connection, the at least one applet being digitally signed using a first key the client possesses independently of the applet, said at least one applet including: (a) a second key corresponding to the server, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to establish a secure network connection with said server, the applet being executable by the client virtual machine to control the client to store the second key corresponding to the server;
- a digital credential transmitter that transmits a digital credential to the client executing the applet, the digital credential being authenticatable by the client using the second key; and
- a secure network connector that establishes a secure network connection with the client under control of the executing applet and based at least in part on the digital credential being authenticated by the second key delivered over the insecure network connection.
17. A method for establishing a secure network connection between a server and a web browser on a client having access to a first key and also having a virtual machine, said web browser and virtual machine downloading and executing applets while protecting resources from being updated by said applet execution, said method comprising:
- downloading, to the browser over an insecure network connection, at least one digitally signed applet, the applet including: (a) a second key associated with the server, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to establish a secure network connection with said server;
- verifying the digitally signed applet at the browser using the first key;
- executing the applet with the virtual machine to cause the client to store the second key;
- using the stored second key to authenticate a further credential delivered by the server; and
- based on said authentication of the said further credential, establishing, under control of the executing applet, a secure network connection between the web browser and the server.
Dependent claims: 18.