System and apparatus for storage and transfer of secure data on web

US 6,985,953 B1
Filed: 11/30/1999
Issued: 01/10/2006
Est. Priority Date: 11/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for transferring secure data on a network comprising:

a) a client capable of presenting conforming client data;

b) a server capable of using said conforming client data to create at least two secure cookies, each of said at least two secure cookies including;

i) a domain field capable of holding domain data to associate said secure cookie to a domain where said secure cookie is valid;

ii) at least one name field capable of holding name data;

iii) at least one value field capable of holding value data derived from said conforming client data; and

iv) an expiration field capable of holding cookie expiration data;

c) a network capable of transporting at least one of said at least two secure cookies between said server and said client;

d) a client storage means capable of storing at least one of said at least two secure cookies; and

e) a secure attribute service between said client and said server using said at least one of said at least two secure cookies,wherein;

i) at least one of said at least two secure cookies is a key cookie containing an encrypted session key, said session key capable of encrypting said value data contained in another of said at least two secure cookies; and

ii) said secure attribute service includes said server being configured to authenticate said client by comparing said conforming client data with said value data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to methods and systems for creating secure cookies. The methods can be used to create, receive, and transmit secure cookies, confidential cookies, and authentication cookies.

Citations

39 Claims

1. A system for transferring secure data on a network comprising:
- a) a client capable of presenting conforming client data;
  
  b) a server capable of using said conforming client data to create at least two secure cookies, each of said at least two secure cookies including;
  
  i) a domain field capable of holding domain data to associate said secure cookie to a domain where said secure cookie is valid;
  
  ii) at least one name field capable of holding name data;
  
  iii) at least one value field capable of holding value data derived from said conforming client data; and
  
  iv) an expiration field capable of holding cookie expiration data;
  
  c) a network capable of transporting at least one of said at least two secure cookies between said server and said client;
  
  d) a client storage means capable of storing at least one of said at least two secure cookies; and
  
  e) a secure attribute service between said client and said server using said at least one of said at least two secure cookies,wherein;
  
  i) at least one of said at least two secure cookies is a key cookie containing an encrypted session key, said session key capable of encrypting said value data contained in another of said at least two secure cookies; and
  
  ii) said secure attribute service includes said server being configured to authenticate said client by comparing said conforming client data with said value data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 27)
- - 2. A system according to claim 1, wherein said client is a web browser.
  - 3. A system according to claim 1, wherein at least one of said at least two secure cookies is an authentication cookie.
  - 4. A system according to claim 3, wherein said authentication cookie is an IP cookie and said conforming client data includes the IP address of said client.
  - 5. A system according to claim 3, wherein said authentication cookie is a password cookie and said conforming client data includes a password.
  - 6. A system according to claim 5, wherein said password is processed using a hashing algorithm.
  - 7. A system according to claim 5, wherein said password is processed using an encryption algorithm.
  - 8. A system according to claim 3, wherein said authentication cookie is a sign cookie and said conforming client data includes a digital signature on a timestamp.
  - 9. A system according to claim 3, further including a secret-key based authentication service.
  - 10. A system according to claim 9, and wherein said authentication cookie is a KT cookie and said conforming client data includes a Kerberos ticket created using a Kerberos protocol.
  - 11. A system according to claim 1, wherein at least one of said at least two secure cookies includes a multitude of secure cookies.
  - 12. A system according to claim 1, wherein at least one of said at least one name field and at least one of said at least one value field are a pair.
  - 13. A system according to claim 1, wherein at least one of said at least two secure cookies further includes a flag, said flag specifying whether all machines within said domain referenced by said domain data can access said value data.
  - 14. A system according to claim 1, wherein at least one of said at least two secure cookies is used in an electronic transaction.
  - 15. A system according to claim 1, wherein said system is part of a role based access control system and at least one of said at least two secure cookies is used in assigning client roles.
  - 16. A method according to claim 15, wherein at least one of said at least two secure cookies is an authentication cookie.
  - 27. A method according to claim 8, wherein at least one of said at least two secure cookies is an authentication cookie.

17. A method for transferring secure data on a network including the steps of:
- a) a client making a request from a server;
  
  b) said server retrieving conforming client data;
  
  c) said server creating at least two secure cookies, each of said at least two secure cookies including selected conforming client data, said selected conforming data including at least some of said conforming client data;
  
  d) said server transmitting at least one of said at least two secure cookies to said client;
  
  e) said client storing at least one of said at least two secure cookies;
  
  f) said client presenting to a related server at least one of said stored at least two secure cookies with a second request, said related server residing on the same domain as said server;
  
  g) said related server making a determination of whether at least one of said at least one retrieved stored at least two secure cookies contains said selected conforming client data; and
  
  h) said related server fulfilling said second request if said determination is positive;
  
  wherein at least one of said at least two secure cookies is a key cookie containing an encrypted session key, said session key capable of encrypting said value data contained in another of said at least two secure cookies.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35)
- - 18. A method of claim 17 wherein at least some of said conforming client data is retrieved from said client.
  - 19. A method of claim 17, wherein said conforming client data includes a client'"'"'s IP address.
  - 20. A method of claim 17, wherein said conforming client data includes a password.
  - 21. A method of claim 17, wherein said conforming client data includes a Kerberos ticket.
  - 22. A method of claim 17, wherein said conforming client data includes a digital signature.
  - 23. A method of claim 22, wherein said determination further includes verifying that said digital signature belongs to said client.
  - 24. A method of claim 17, further including the step of said server encrypting at least some of said selected conforming client data.
  - 25. A method of claim 24, wherein said encrypting uses a public key.
  - 26. A method of claim 24, wherein said encrypting uses a secret key.
  - 28. A method of claim 24, further including the step of said server decrypting said encrypted selected conforming client data using a secret key.
  - 29. A method of claim 17, further including the step of said server hashing at least some of said conforming client data.
  - 30. A method of claim 17, wherein said conforming client data includes data derived from at least one item from the group consisting of:
    - a) the client'"'"'s IP address;
      
      b) a password;
      
      c) a Kerberos ticket;
      
      d) credit card data;
      
      e) social security number;
      
      f) a digital signature of the client; and
      
      g) a home address.
  - 31. A method of claim 17, wherein said determination is positive only if said selected conforming client data was retrieved by said server from said client during the current session.
  - 32. A method of claim 17, wherein said secure cookie contains a digital signature of said client on a time-stamp.
  - 33. A method of claim 17, further including the step of providing integrity to at least one of said at least two secure cookies comprising:
    - a) said server creating integrity data from at least one of said at least two secure cookies, said integrity data including at least one item selected from the group;
      
      i) encrypted said selected conforming client data;
      
      ii) a digital signature; and
      
      iii) a message digest;
      
      b) said server inputting said integrity data into a seal cookie; and
      
      c) said server storing said seal cookie.
  - 34. A method of claim 17, wherein said request is part of an electronic transaction.
  - 35. A method of claim 17, wherein said request is part of an attribute-based access control function.

36. A system for transferring secure data on a network comprising:
- a) a client capable of presenting conforming client data;
  
  b) a server capable of using said conforming client data to create at least two secure cookies, each of said at least two secure cookies including;
  
  i) a domain field capable of holding domain data to associate said secure cookie to a domain where said secure cookie is valid;
  
  ii) at least one name field capable of holding name data;
  
  iii) at least one value field capable of holding value data derived from said conforming client data; and
  
  iv) an expiration field capable of holding cookie expiration data;
  
  c) a network capable of transporting at least one of said at least two secure cookies between said server and said client;
  
  d) a client storage means capable of storing at least one of said at least two secure cookies; and
  
  e) a secure attribute service between said client and said server using said at least one of said at least two secure cookies, said secure attribute service includes said server being configured to authenticate said client by comparing said conforming client data with said value data; and
  
  wherein at least one of said at least two secure cookies is one of the following;
  
  i) a seal cookie, capable of being used by said server to determine if at least one of another of said at least two secure cookies has been altered; and
  
  ii) a key cookie containing an encrypted session key, said session key capable of encrypting said value data contained in another of said at least two secure cookies.
- View Dependent Claims (37, 38)
- - 37. A system according to claim 36, wherein said seal cookie includes an integrity check value.
  - 38. A system according to claim 36, wherein said seal cookie includes the signature of a message digest signed using a private key.

39. A method for transferring secure data on a network including the steps of:
- a) a client making a request from a server;
  
  b) said server retrieving conforming client data;
  
  c) said server creating at least two secure cookies, each of said at least two secure cookies including selected conforming client data, said selected conforming data including at least some of said conforming client data;
  
  d) said server transmitting at least one of said at least two secure cookies to said client;
  
  e) said client storing at least one of said at least two secure cookies;
  
  f) said client presenting to a related server at least one of said stored at least two secure cookies with a second request, said related server residing on the same domain as said server;
  
  g) said related server making a determination of whether at least one of said at least one retrieved stored at least two secure cookies contains said selected conforming client data; and
  
  h) said related server fulfilling said second request if said determination is positive;
  
  wherein at least one of said at least two secure cookies is one of the following;
  
  i) a seal cookie, capable of being used by said server to determine if at least one of another of said at least two secure cookies has been altered; and
  
  ii) a key cookie containing an encrypted session key, said session key capable of encrypting said value data contained in another of said at least two secure cookies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Intellectual Properties, Inc.
Original Assignee
George Mason University
Inventors
Sandhu, Ravi, Park, Joon S.
Primary Examiner(s)
DINH, KHANH Q

Application Number

US09/451,090
Time in Patent Office

2,233 Days
Field of Search

709/203, 709/206, 709/218, 709/224, 709/226, 709/230, 709/227, 709/225, 709/229, 705/51, 705/44, 705/26, 705/9, 713/201, 713/151, 713/202, 379/93.12, 707/10, 345/329
US Class Current

709/229
CPC Class Codes

G06F 16/958   Organisation or management ...

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6263   during internet communicati...

G06F 21/64   Protecting data integrity, ...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/168   above the transport layer

System and apparatus for storage and transfer of secure data on web

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

System and apparatus for storage and transfer of secure data on web

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links