Opaque cryptographic web application data protection
Abstract
Mechanisms for external and distributed protection of Web application data against prying, tampering, and impersonation using cryptographic mechanisms are provided. The protection is offered opaquely so as to not expose the cryptographic mechanism to the Web application. Protection against prying prevents users from looking at data the Web application considers private. When protected against prying, protected data may be sent to the client but the user will not be able to understand it. Protection against tampering guarantees the Web application that the data it is receiving originated from a trusted source, usually the Web application itself. A user session state stored client-side is a good candidate for tampering protection. Protection against impersonation assures the Web application that the data it is receiving comes from a specific user.
23 Claims
1. A method, in a computing system, for protecting Web application data between a server and a client comprising:
- building, by the server, a response for the client;
- invoking, by the server, a data protection service for the response, the response comprising a first data having a first state;
- modifying, by the server, the response by replacing the first data with a protected data;
- sending, by the server, the modified response to the client;
- receiving, in the server, a request with the protected data from the client;
- passing, by the server, the received protected data to the data protection service for verification;
- restoring, by the server, the request corresponding to the first state of the response at the data protection service; and
- sending, by the server, the request to a Web application, wherein:
- the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,
- the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,
- the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,
- the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,
- at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 19, 20, 21, 22, 23
9. A non-transitory storage medium readable by a computer encoding a computer program for execution by the computer to carry out a method for protecting Web application data between a server and a client, the computer program comprising instructions which, when executed by the computer, cause the computer to:
- build a response for the client;
- invoke a data protection service for the response, the response comprising a first data having a first state;
- modify the response by replacing the first data with a protected data;
- send the modified response to the client;
- receive a request with the protected data from the client;
- pass the received protected data to the data protection service for verification and converting to the first data;
- restore the request corresponding to the first state of the response; and
- send the request to a Web application, wherein:
- the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix and a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,
- the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,
- the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,
- the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,
- at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.

Dependent claims: 10, 11, 12, 13, 14
15. A computer system for protecting Web application data between a server and a client comprising:
- a processor; and
- a memory coupled to the processor, wherein the memory comprises one or more program modules which, when executed by the processor, cause the processor to:
- build a response for the client;
- invoke a data protection service for the response, the response comprising a first data having a first state;
- modify the response by replacing the first data with a protected data;
- send the modified response to the client;
- receive a request with the protected data from the client;
- pass the received protected data to the data protection service for verification and converting to the first data;
- restore the request corresponding to the first state of the response; and
- send the request to a Web application, wherein:
- the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix and a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,
- the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,
- the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,
- the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,
- at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.

Dependent claims: 16, 17, 18
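An added example (not code from the patent or its assignee) of the prefix-tagged wrappers recited in the claims and the three protections named in the abstract: each wrapper is a recognizable prefix plus a protected portion, one wrapper is added per processed request, and the service verifies and peels them before the Web application sees the data. The prefix strings, the single server key, the HMAC-SHA256 tags and the HMAC-based keystream standing in for a real cipher are all assumptions; the text on this page names no algorithms.

```python
import base64, hashlib, hmac, os

KEY = os.urandom(32)  # constructed server-side key; it never leaves the server
ENC, INT, ORG = b"~enc~", b"~int~", b"~org~"  # hypothetical prefixes (not from the patent)

def _prf(label: bytes, data: bytes) -> bytes:
    msg = len(label).to_bytes(2, "big") + label + data  # length-prefixed: unambiguous
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def _xor_stream(nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream: a stdlib stand-in for a vetted AEAD cipher.
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(_prf(b"ks" + nonce, i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(prefix: bytes, data: bytes, user: bytes = b"") -> bytes:
    """Add one wrapper: prefix + base64url(tag || body)."""
    body = data
    if prefix == ENC:  # confidentiality: encrypt, then MAC the ciphertext
        nonce = os.urandom(16)
        body = nonce + _xor_stream(nonce, data)
    bound = user if prefix == ORG else b""  # origin tag is bound to the user identity
    return prefix + base64.urlsafe_b64encode(_prf(prefix + bound, body) + body)

def unwrap(token: bytes, user: bytes = b""):
    """Verify and peel every recognized wrapper; return (state, prefixes seen)."""
    seen = []
    while token.startswith((ENC, INT, ORG)):
        prefix, raw = token[:5], base64.urlsafe_b64decode(token[5:])
        tag, body = raw[:32], raw[32:]
        bound = user if prefix == ORG else b""
        if not hmac.compare_digest(tag, _prf(prefix + bound, body)):
            raise ValueError("wrapper %s failed verification" % prefix.decode())
        token = _xor_stream(body[:16], body[16:]) if prefix == ENC else body
        seen.append(prefix)
    return token, seen

def build_up(state: bytes, user: bytes) -> bytes:  # one wrapper per processed request
    token = wrap(INT, state)             # request 1: integrity
    token = wrap(ENC, token)             # request 2: confidentiality
    return wrap(ORG, token, user)        # request 3: origin authentication

def restore(token: bytes, user: bytes, required=(ORG, ENC, INT)) -> bytes:
    """Refuse data whose wrappers were stripped before it reaches the application."""
    state, seen = unwrap(token, user)
    if tuple(seen) != tuple(required):
        raise ValueError("expected wrappers missing")
    return state
```

`restore` checks the sequence of verified prefixes against what the server expects for that field, because recognizing wrappers by prefix alone would also accept a token from which a client has removed the outer layers.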
Specification