End-to-end security of transactions between a mobile terminal and an internet server at the application level
First Claim
1. A method for end-to-end securing of transactions between a mobile terminal and an Internet server on an application level, in which method, for unambiguous identification of an application transaction, an Internet server application transmits transaction identification records to a transaction partner application and receives transaction identification records that are transmitted back to the Internet server application from the transaction partner application, for unambiguous identification of the application transaction, the method comprising:
transmitting a cryptographic transaction identification record, which is directed to transaction partner applications in the mobile terminal, from the Internet server to a proxy server;
storing, on the proxy server assigned to the mobile terminal, the cryptographic transaction identification record;
transmitting to the mobile terminal by the proxy server using a wireless protocol that does not support cookies, in each case, a first record identification corresponding to the stored cryptographic transaction identification record in the proxy server;
transmitting to the mobile terminal a first proxy record from the proxy server, said first proxy record calculated by the proxy server from the stored cryptographic transaction identification record, and said first proxy record produced being of a different form from the stored cryptographic transaction identification record;
taking in each case by the proxy server from messages directed by the mobile terminal to the Internet server application a second record identification and a second proxy record, said second proxy record based on the first proxy record received at the mobile terminal from the proxy server;
checking for a correspondence of the second proxy record with the first proxy record; and
transmitting, in a case of there being a positive correspondence between the first and second proxy records, to the Internet server application the stored cryptographic transaction identification record, determined through the first record identification.
Abstract
For end-to-end securing of transactions between a mobile terminal and an Internet server on the application layer, cryptographic transaction identification records, which are directed by the Internet server application to transaction partner applications in the mobile terminal, are stored, assigned to the mobile terminal, in a proxy server. In each case a record identification is transmitted to the mobile terminal for a stored transaction identification record as well as a proxy record, which is calculated by the proxy server from the respective stored transaction identification record. In each case a record identification and a proxy record are taken by the proxy server from the messages directed by the mobile terminal to the Internet server application. The correspondence of the taken proxy record with the proxy record is checked, which is calculable from the stored transaction identification record determined through the taken record identification, and, in the case of agreement, the stored transaction identification record determined through the taken record identification is transmitted to the Internet server application.
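The exchange the abstract describes, as an added Python example that is not part of the patent: the class and method names, the in-memory store, the random record identification and the truncated SHA-256 proxy record are assumptions, while the one-way hash, the assignment by terminal IP address and the protocol data file follow claims 3, 4 and 5.

```python
import hashlib
import hmac
import secrets
import time

SAMPLE_RECORD = b"SID=constructed-sample-session-record-0001; Path=/shop"  # constructed


class CookieProxy:
    """Hypothetical stand-in for the proxy server described in the abstract."""

    def __init__(self):
        self._store = {}  # (terminal IP, record identification) -> stored record
        self.log = []     # protocol data file: (time, event, terminal IP, record id)

    @staticmethod
    def proxy_record(record):
        # One-way hash of the stored record. SHA-256 cut to 16 hex characters is an
        # assumption; the result is shorter than, and differs in form from, the record.
        return hashlib.sha256(record).hexdigest()[:16]

    def from_server(self, terminal_ip, record):
        """Store the server's record; return (record identification, proxy record)."""
        record_id = secrets.token_hex(4)
        self._store[(terminal_ip, record_id)] = record
        self.log.append((time.time(), "record->proxy", terminal_ip, record_id))
        return record_id, self.proxy_record(record)

    def from_terminal(self, terminal_ip, record_id, returned):
        """Return the stored record on correspondence, otherwise None."""
        record = self._store.get((terminal_ip, record_id))
        if record is None:
            return None  # unknown identification, or not assigned to this terminal
        expected = self.proxy_record(record)
        if not hmac.compare_digest(expected.encode(), returned.encode()):
            return None  # proxy record does not correspond; nothing is forwarded
        self.log.append((time.time(), "proxy->record", terminal_ip, record_id))
        return record


def demo():
    proxy = CookieProxy()
    rid, pr = proxy.from_server("192.0.2.10", SAMPLE_RECORD)
    accepted = proxy.from_terminal("192.0.2.10", rid, pr)
    altered = proxy.from_terminal("192.0.2.10", rid, "x" + pr[1:])
    other_terminal = proxy.from_terminal("192.0.2.77", rid, pr)
    return accepted, altered, other_terminal, len(proxy.log)
```

In this sketch the record identification and proxy record together act as a bearer value for the stored record, so what the terminal holds is only as well protected as the link between terminal and proxy.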
19 Claims
2. The method according to claim 1, wherein the first record identification and the first proxy record to be transmitted to the mobile terminal are transmitted in a data element that is automatically inserted by the transaction partner application in the mobile terminal in each case into messages that are directed to the Internet server application.
3. The method according to claim 1, wherein the first proxy record is calculated from the stored cryptographic transaction identification record by a one-way hash function.
4. The method according to claim 1, wherein during the storing of the cryptographic transaction identification record in the proxy server, assignment to the mobile terminal takes place by an IP address of the mobile terminal.
5. The method according to claim 1, wherein a protocol data file is kept in the proxy server, in which protocol data file are stored data about replacement of transaction identification records with proxy records, respectively of proxy records with transaction identification records, data about a point in time of the replacement, and data about the transaction partners participating in the transaction for which the replacement is made.
6. A proxy server, which is insertable in a communication path between a mobile terminal and an Internet server, which Internet server comprises at least one Internet server application, which, for unambiguous identification of an application transaction, transmits transaction identification records to a transaction partner application and receives transaction identification records that are transmitted back to the Internet server application by the transaction partner application, for unambiguous identification of the application transaction, the proxy server comprising:
first means for transmitting a cryptographic transaction identification record, which is directed to transaction partner applications in the mobile terminal, from the Internet server to a proxy server;
second, means for storing, on the proxy server, the cryptographic transaction identification record that is directed to the transaction partner applications in the mobile terminal, whereby the storing takes place assigned to the mobile terminal;
third, means for calculating a first proxy record from the stored cryptographic transaction identification record and for transmitting to the mobile terminal, using a wireless protocol that does not support cookies, the first proxy record as well as a first record identification for corresponding to the stored cryptographic transaction identification record, said first proxy record produced being of a different form from the stored cryptographic transaction identification record;
fourth, means for taking a second record identification and a second proxy record from messages that are directed from the mobile terminal to the Internet server application, said second proxy record based on the first proxy record received at the mobile terminal from the proxy server, and for checking for a correspondence of the second proxy record to the first proxy record; and
fifth, means for transmitting, in a case of there being a positive correspondence between the first and second proxy records, to the Internet server application the stored cryptographic transaction identification record determined through the first record identification.
7. The proxy server according to claim 6, wherein the second means are set to transmit in a data stream the first record identification and the first proxy record to be transmitted to the mobile terminal, the first record identification and the first proxy record being automatically inserted by the transaction partner application in the mobile terminal into messages that are directed to the Internet server application.
8. The proxy server according to claim 6, wherein the second means comprises a one-way hash function by which the first proxy record is calculated from the stored cryptographic transaction identification record.
9. The proxy server according to claim 6, wherein the first means are set such that, during storing of the cryptographic transaction identification record, the first means carries out assignment to the mobile terminal by an IP address of the mobile terminal.
10. The proxy server according to claim 6, wherein the proxy server comprises further means for keeping a protocol data file in which are stored data about replacement of transaction identification records with proxy records, respectively of proxy records with transaction identification records, data about a point in time of the replacement, and data about the transaction partners taking part in the transaction for which the replacement is made.
11. The proxy server according to claim 6, wherein the proxy server is implemented with the Internet server on a common computer and is in a communication path between the Internet server application and a transport security layer of the Internet server.
12. The proxy server according to claim 6, wherein the proxy server is implemented with a gateway, connecting together a mobile radio network and the Internet, on a common computer, and is in a communication path between a transport security layer of the mobile radio network and a transport security layer of the Internet.
13. A proxy server, which is insertable in a communication path between a mobile terminal and an Internet server, which Internet server comprises at least one Internet server application, which, for unambiguous identification of an application transaction, transmits transaction identification records to a transaction partner application and receives transaction identification records that are transmitted back to the Internet server application by the transaction partner application, for unambiguous identification of the application transaction, the proxy server comprising:
a transmitter configured to transmitting a cryptographic transaction identification record, which is directed to transaction partner applications in the mobile terminal, from the Internet server to a proxy server;
a memory unit configured to store, on the proxy server, the cryptographic transaction identification record that is directed to the transaction partner applications in the mobile terminal, whereby the storing takes place assigned to the mobile terminal;
a first unit configured to calculate a first proxy record from the stored cryptographic transaction identification record and to transmit to the mobile terminal, using a wireless protocol that does not support cookies, the first proxy record and a first record identification corresponding to the stored cryptographic transaction identification record, said first proxy record produced being of a different form from the stored cryptographic transaction identification record; and
a second unit configured to obtain a second record identification and a second proxy record from messages directed from the mobile terminal to the Internet server application, wherein said second proxy record is based on the first proxy record received at the mobile terminal from the proxy server; and said second unit is configured to check for a correspondence of the second proxy record to the first proxy record and to transmit, in a case of there being a positive correspondence between the first and second proxy records, to the Internet server application the stored cryptographic transaction identification record determined through the first record identification.
14. The method according to claim 1, wherein the transmitting to the mobile terminal a first proxy record comprises transmitting a record of shorter length than the stored cryptographic transaction identification record.
15. The method according to claim 1, wherein the transmitting to the mobile terminal a first proxy record comprises transmitting a record in which a tuple replaced the stored cryptographic transaction identification record.
16. The proxy server according to claim 6, wherein the first proxy record comprises a record of shorter length than the stored cryptographic transaction identification record.
17. The proxy server according to claim 6, wherein the first proxy record comprises a tuple replacing the stored cryptographic transaction identification record.
18. The proxy server according to claim 13, wherein the first proxy record comprises a record of shorter length than the stored cryptographic transaction identification record.
19. The proxy server according to claim 13, wherein the first proxy record comprises a tuple replacing the stored cryptographic transaction identification record.
Specification