Method and apparatus for serving content from a semi-trusted server

US 6,986,047 B2
Filed: 05/10/2001
Issued: 01/10/2006
Est. Priority Date: 05/10/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

enabling at least one client to access restricted information from an origin web-server through a semi-trusted web-server including the steps of;

authenticating said at least one client;

creating a client credential having client-specific environment information for each said at least one client;

presenting the client credential to the semi-trusted web-server;

correlating said at least one client with the client credential; and

providing said access to said at least one client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides methods and apparatus for enabling access to restricted information contained at a semi-trusted web-server. Restricted information is information that is only available to a selected group of authorized clients. A client desiring access to the restricted information authenticates itself with a trusted web-server, and obtains a client credential. The client then contacts the semi-trusted web-server with the credential and obtains access to the restricted content. The restricted information may be encrypted at the semi-trusted web-server, so that the restricted information is secure even if the semi-trusted web-server is not completely secure.

36 Citations

View as Search Results

46 Claims

1. A method comprising:
- enabling at least one client to access restricted information from an origin web-server through a semi-trusted web-server including the steps of;
  
  authenticating said at least one client;
  
  creating a client credential having client-specific environment information for each said at least one client;
  
  presenting the client credential to the semi-trusted web-server;
  
  correlating said at least one client with the client credential; and
  
  providing said access to said at least one client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. A method as recited in claim 1, further comprising serving the restricted information to said at least one client through the semi-trusted web-server.
  - 3. A method as in claim 1, wherein the step of creating comprises storing the client-specific environment information and the client credential in a cookie in said at least one client'"'"'s browser.
  - 4. A method as in claim 1, wherein the step of presenting comprises:
    - sending the client credential to the semi-trusted web-server; and
      
      using HTTP redirection to refer said at least one client to the semi-trusted web-server.
  - 5. A method as in claim 1, wherein the step of presenting comprises:
    - sending said at least one client credential to a directory accessible to the semi-trusted web-server; and
      
      the origin web-server using HTTP redirection to send said at least one client to the semi-trusted web-server.
  - 6. A method as in claim 1, wherein the step of creating comprises:
    - collecting the client-specific environment information; and
      
      storing the client-specific environment information in the client credential.
  - 7. A method as in claim 6, wherein the client-specific environment information includes:
    - a hash of the HTTP-Request header of said at least one client request;
      
      a hash of the IP address of the machine used by said at least one client;
      
      a process identity of said at least one client browser;
      
      a hash of a user identity used by said at least one client program; and
      
      /or any combination of these.
  - 8. A method as in claim 6, wherein the step of collecting the client-specific environment information is performed by the origin web-server, andthe origin web-server storing the client-specific environment information in the client credential.
  - 9. A method as in claim 1, wherein the step of creating comprises:
    - placing a first client-side program at said at least one client;
      
      collecting a first set of the client-specific environment information using the first client-side program;
      
      sending the first set of the client-specific environment information to the origin web-server; and
      
      storing the first set of the client-specific environment information in the client credential.
  - 10. A method as in claim 9, wherein the step of correlating includes:
    - the semi-trusted web-server placing a second client-side program at said at least one client;
      
      collecting a second set of the client-specific environment information with the second client-side program;
      
      sending the second set of the client-specific environment information to the semi-trusted web-server; and
      
      correlating the second set of the client-specific environment information to the client credential.
  - 11. A method as in claim 10, wherein the first and/or the second client-specific environment information includes:
    - a hash of the HTTP-Request header of said at least one client request;
      
      a hash of the IP address of the machine used by said at least one client;
      
      a process identity of said at least one client browser;
      
      a hash of a user identity used by said at least one client program; and
      
      /or any combination of these.
  - 12. A method as in claim 1, further comprising the semi-trusted web-server accessing an encrypted version of the restricted information, and wherein the step of creating the client credential includes adding a decryption key to the client credential.
  - 13. A method as in claim 12 wherein the decryption key is a partial key, and the step of providing includes the semi-trusted web-server supplying information to said at least one client enabling conversion of the partial key to a full key.
  - 14. A method as in claim 1 wherein the step of authenticating includes employing a user-password scheme.
  - 15. A method as in claim 1, wherein the step of authenticating includes deploying at least one certificate.
  - 16. A method as in claim 8, wherein the steps of placing and the step of storing is performed by the origin web-server.
  - 17. A method as recited in claim 1, wherein the semi-trusted web-server is a proxy web-server.
  - 18. A method as recited in claim 1, wherein the step of creating a credential for said at least one client is at an origin web-server.
  - 19. A method as recited in claim 1, wherein the step of correlating said at least one client and the client credential is performed by the semi-trusted web-server.
  - 20. A method as recited in claim 1, wherein the step of authenticating said at least one client is performed at the origin web-server.
  - 21. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for enabling at least one client to access restricted information from an origin web-server through a semi-trusted web-server, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 1.
  - 22. An article of manufacture as recited in claim 21, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect the steps of claim 13.
  - 23. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for enabling at least one client to access restricted information from an origin web-server through a semi-trusted web-server, said method steps comprising the steps of claim 1.

24. An apparatus for enabling at least one client to access restricted information from an origin web-server through a semi-trusted web-server, said apparatus comprising:
- an authenticator to validate said at least one client;
  
  a credential creator to create a client credential having client-specific environment information for each said at least one client; and
  
  a correlator for matching said at least one client to the client credential, and for working in combination with said authenticator and said credential creator to enable said at least one client to safely access restricted information from the origin web-server through the semi-trusted web-server.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing enablement of at least one client to access restricted information from an origin web-server through a semi-trusted web-server, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the apparatus of claim 24.
  - 26. The apparatus as in claim 24, wherein the credential creator stores the client-specific environment information in a cookie set in said at least one client'"'"'s browser.
  - 27. An apparatus as in claim 24, wherein the credential creator presents the credential to the semi-trusted web-server.
  - 28. The apparatus as in claim 24, wherein the credential creator stores a client-side program in said at least one client'"'"'s browser.
  - 29. The apparatus as in claim 24, wherein the correlator stores a second client-side program in the client'"'"'s browser.
  - 30. The apparatus as in claim 24, wherein the semi-trusted web-server has access only to an encrypted version of the restricted information, and the credential creator adds a decryption key to the client credential.
  - 31. The apparatus as in claim 30, wherein the decryption key is a partial key and the semi-trusted web-server includes an information supplier to supply said at least one client with information to enable conversion of the partial key to a full key.

32. An apparatus comprising:
- means for enabling at least one client to access restricted information from an origin web-server through a semi-trusted web-server including;
  
  means for authenticating said at least one client;
  
  means for creating a client credential having client-specific environment information for each said at least one client;
  
  means for presenting the client credential to the semi-trusted web-server;
  
  means for correlating said at least one client with the client credential; and
  
  means for providing said access to said at least one client.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 33. An apparatus as recited in claim 32, further comprising means for serving the restricted information to said at least one client through the semi-trusted web-server.
  - 34. An apparatus as in claim 32, further comprising means for storing the client-specific environment information and the client credential in a cookie in said at least one client'"'"'s browser.
  - 35. An apparatus as in claim 32, further comprising means for:
    - sending the client credential to the semi-trusted web-server; and
      
      using HTTP redirection to refer said at least one client to the semi-trusted web-server.
  - 36. An apparatus as in claim 32, wherein the origin web-server uses HTTP redirection to send said at least one client to the semi-trusted web-server, and further comprising means for sending said at least one client credential to a directory accessible to the semi-trusted web-server.
  - 37. An apparatus as in claim 32, further comprising means for:
    - collecting the client-specific environment information; and
      
      storing the client-specific environment information in the client credential.
  - 38. An apparatus as in claim 37, wherein the client-specific environment information includes:
    - a hash of the HTTP-Request header of said at least one client request;
      
      a hash of the IP address of the machine used by said at least one client;
      
      a process identity of said at least one client browser;
      
      a hash of a user identity used by said at least one client program; and
      
      /or any combination of these.
  - 39. An apparatus as in claim 32, further comprising means for:
    - placing a first client-side program at said at least one client;
      
      collecting a first set of the client-specific environment information using the first client-side program;
      
      sending the first set of the client-specific environment information to the origin web-server; and
      
      storing the first set of the client-specific environment information in the client credential.
  - 40. An apparatus as in claim 39, further comprising means for:
    - the semi-trusted web-server to place a second client-side program at said at least one client;
      
      collecting a second set of the client-specific environment information with the second client-side program;
      
      sending the second set of the client-specific environment information to the semi-trusted web-server; and
      
      correlating the second set of the client-specific environment information to the client credential.
  - 41. An apparatus as in claim 40, wherein the first and/or the second client-specific environment information includes:
    - a hash of the HTTP-Request header of said at least one client request;
      
      a hash of the IP address of the machine used by said at least one client;
      
      a process identity of said at least one client browser;
      
      a hash of a user identity used by said at least one client program;
      
      and/or any combination of these.
  - 42. An apparatus as in claim 32, further comprising means for the semi-trusted web-server to access an encrypted version of the restricted information, and means for adding a decryption key to the client credential during creation.
  - 43. An apparatus as in claim 42, wherein the decryption key is a partial key comprising means for the semi-trusted web-server to supply information to said at least one client enabling conversion of the partial key to a full key.
  - 44. An apparatus as in claim 32, further comprising of a means for authenticating by employing a user-password scheme.
  - 45. An apparatus as in claim 32, further comprising of a means for authenticating by deploying at least one certificate.
  - 46. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing enablement of at least one client to access restricted information from an origin web-server through a semi-trusted web-server, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the apparatus of claim 32.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Giles, James Ryan, Verma, Dinesh Chandra, Sailer, Reiner
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/853,164
Publication Number

US 20020169961A1
Time in Patent Office

1,706 Days
Field of Search

713170-176, 713200-201, 713150-156, 709223-225
US Class Current

713/175
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2151   Time stamp

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

Method and apparatus for serving content from a semi-trusted server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for serving content from a semi-trusted server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links