Method for secure delegation of trust from a security device to a host computer application for enabling secure access to a resource on the web

US 7,565,536 B2
Filed: 09/02/2005
Issued: 07/21/2009
Est. Priority Date: 09/02/2005
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user on a host computer to a web server, comprising:

establishing a secure communications channel between a plug-in operating on a host computer and a network security device;

authenticating the user to the network security device;

designating a web server to which a connection is desired from a browser operated by the user;

establishing a connection between the network security device and the web server;

establishing a security context by the web server;

transferring the security context from the web server to the trusted network security device;

transmitting the security context from the network security device to the plug-in;

operating the plug-in to store the security context such that the security context may be retrieved by the browser;

operating the browser to connect to the web server including transmitting the security context from the browser to the web server; and

upon presentment of the security context, granting the user access to the services of the web server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure authentication of a user on a host computer to a web server including a security device acquiring trust or a security context from the web server. The security device is operable of providing an X.509 certificate to a browser plug-in on the host computer. The browser plug-in on the host computer performing authentication of the security device and in response providing user credentials to the security device. The security device performing authentication of the user and requests a security context from the web server. In response, the web server provides a security context to the security device. The security device delegates the web server trust by transmitting the context to the host computer and enabling the user to securely access resources on the web server.

45 Citations

View as Search Results

15 Claims

1. A method for authenticating a user on a host computer to a web server, comprising:
- establishing a secure communications channel between a plug-in operating on a host computer and a network security device;
  
  authenticating the user to the network security device;
  
  designating a web server to which a connection is desired from a browser operated by the user;
  
  establishing a connection between the network security device and the web server;
  
  establishing a security context by the web server;
  
  transferring the security context from the web server to the trusted network security device;
  
  transmitting the security context from the network security device to the plug-in;
  
  operating the plug-in to store the security context such that the security context may be retrieved by the browser;
  
  operating the browser to connect to the web server including transmitting the security context from the browser to the web server; and
  
  upon presentment of the security context, granting the user access to the services of the web server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method for authenticating a user on a host computer to a web server of claim 1 wherein the security context is a SAML Assertion.
  - 3. The method for authenticating a user on a host computer to a web server of claim 1 wherein the network security device is a smart card.
  - 4. The method for authenticating a user on a host computer to a web server of claim 3 comprises operating the smart card to secure communication with other computers on the network using a standard mainstream network communication protocol selected from TCP/IP and SSL/TLS.
  - 5. The method for authenticating a user on a host computer to a web server of claim 3 wherein the network security device is a smart card and the smart card is a slave device of the host computer.
  - 6. The method for authenticating a user on a host computer to a web server of claim 3 comprising operating the smart card to:
    - establish network connection to the web server;
      
      acquire security context from the web server;
      
      delegate security context to the browser plug-in on the host computer therebyenable a user on the host computer to access resources on the web server.
  - 7. The method for authenticating a user on a host computer to a web server of claim 1 comprises operating the network smart card to store a manufacturer issued X.509 certificate and the X.509 certificate is signed by a trusted Certificate Authority.
  - 8. The method for authenticating a user on a host computer to a web server of claim 1 comprising operating the browser plug-in on the host computer to request the manufacturer issued X.509 certificate from the smart card;
    - andin response to receiving the X.509 certificate;
      
      to authenticate the network smart card; and
      
      upon authenticating the smart card, to send the user credentials to the network smart card.

9. A method for authenticating a user on a host computer to a web server, comprising:
- establishing a security context by the web server;
  
  transferring the security context from the web server to a smart card;
  
  receiving the user credential from the browser plug-in on the host computer;
  
  authenticating the user on the host computer;
  
  establishing trust between the smart card and the browser plug-in;
  
  establishing a secure channel of communication between the network security device and the browser plug-in on a host computer; and
  
  authenticating the network security device by the browser plug-in on the host computer; and
  
  in response the network security device authenticating the user on the host computer; and
  
  establishing trust between the plug-in on the host computer and the network security device; and
  
  delegating security context to a browser plug-in on a host computer by transferring the security context to the plug-in on the host computer; and
  
  authenticating the user on the host computer to the web server using the security context.
- View Dependent Claims (10)
- - 10. The method for authenticating a user on a host computer to a web server of claim 9 comprises operating the browser plug-in on the host computer to:
    - receive the delegated security context from the network smart card and;
      
      establish trust between the user on the host computer and the web server by using the security context; and
      
      to enable the user on the host computer to access resources on the web server.

11. A system for authenticating a user on a host computer to a web server, comprising:
- a security device connectable to the host computer;
  
  a browser plug-in having instructions executable on the host computer within the context of a browser, the browser plug-in comprising instructions to;
  
  establish a secure communications channel between a plug-in operating on a host computer and a network security device;
  
  authenticate the user to the network security device;
  
  designate a web server to which a connection is desired from a browser operated by the user;
  
  the security device having instructions toestablish a connection between the security device and the web server;
  
  receive a security context from the web server to a security device; and
  
  transfer the security context to a browser plug-in on the host computer;
  
  transmitting the security context from the network security device to the plug-in;
  
  the browser plug-in further having instructions to;
  
  store the security context such that the security context may be retrieved by the browser;
  
  the web server having instructions to receive the security context from the browser; and
  
  upon presentment of the security context, to grant the user access to the services of the web server.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system for authenticating a user on a host computer to a web server of claim 11 wherein the security context is a SAML Assertion.
  - 13. The system for authenticating a user on a host computer to a web server of claim 11 wherein the security device is a smart card.
  - 14. The system for authenticating a user on a host computer to a web server of claim 11 wherein the smart card comprises instructions to store a manufacturer issued X.509 certificate and the X.509 certificate is signed by a trusted Certificate Authority.
  - 15. The system for authenticating a user on a host computer to a web server of claim 11 wherein the browser plug-in on the host computer comprises instructions to:
    - request the manufacturer issued X.509 certificate from the smart card; and
      
      instructions to, in response to receiving the X.509 certificate, authenticate the smart card; and
      
      to send the user credentials to the smart card.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gemalto, Inc. (Thales SA)
Original Assignee
Gemalto, Inc. (Thales SA)
Inventors
Sachdeva, Kapil, Vassilev, Apostol
Primary Examiner(s)
Song; Hosuk

Application Number

US11/219,466
Publication Number

US 20070056025A1
Time in Patent Office

1,418 Days
Field of Search

713/168, 713172-173, 713/189, 713192-194, 726 2- 5, 726 8- 10, 726 16- 21
US Class Current

713/168
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Method for secure delegation of trust from a security device to a host computer application for enabling secure access to a resource on the web

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Method for secure delegation of trust from a security device to a host computer application for enabling secure access to a resource on the web

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others