Opaque cryptographic web application data protection

US 7,765,310 B2
Filed: 07/22/2005
Issued: 07/27/2010
Est. Priority Date: 06/23/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a computing system, for protecting Web application data between a server and a client comprising:

building, by the server, a response for the client;

invoking, by the server, a data protection service for the response, the response comprising a first data having a first state;

modifying, by the server, the response by replacing the first data with a protected data;

sending, by the server, the modified response to the client;

receiving, in the server, a request with the protected data from the client;

passing, by the server, the received protected data to the data protection service for verification;

restoring, by the server, the request corresponding to the first state of the response at the data protection service; and

sending, by the server, the request to a Web application, wherein;

the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms for external and distributed protection of Web application data against prying, tampering, and impersonation using cryptographic mechanisms are provided. The protection is offered opaquely so as to not expose the cryptographic mechanism to the Web application. Protection against prying prevents users from looking at data the Web application considers private. When protected against prying, protect data may be sent to the client but the user will not be able to understand it. Protection against tampering, guaranties the Web application that the data it is receiving originated from a trusted source, usually the Web application itself. A user session state stored client-side is a good candidate for tampering protection. Protection against impersonation ensures the Web application that the data it is receiving comes from a specific user.

Citations

23 Claims

1. A method, in a computing system, for protecting Web application data between a server and a client comprising:
- building, by the server, a response for the client;
  
  invoking, by the server, a data protection service for the response, the response comprising a first data having a first state;
  
  modifying, by the server, the response by replacing the first data with a protected data;
  
  sending, by the server, the modified response to the client;
  
  receiving, in the server, a request with the protected data from the client;
  
  passing, by the server, the received protected data to the data protection service for verification;
  
  restoring, by the server, the request corresponding to the first state of the response at the data protection service; and
  
  sending, by the server, the request to a Web application, wherein;
  
  the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20, 21, 22, 23)
- - 2. The method as claimed in claim 1, wherein the first data is protected based on protection rules in the data protection service.
  - 3. The method as claimed in claim 1, further comprising providing a data characteristic to the data protection service by the Web application;
    - whereby the data protection service decides protection logic of the data protection service to be applied to the first data.
  - 4. The method as claimed in claim 1, wherein a plurality of data protection services are invoked, and wherein the data protection services are external to the multiple Web applications.
  - 5. The method as claimed in claim 4 wherein the plurality of data protection services are shared between the multiple Web applications.
  - 6. The method as claimed in claim 1, wherein modifying the response further comprises replacing the parameter values with a replacement protected value.
  - 7. The method as claimed in claim 1, wherein the data protection service comprises an interface to the Web application providing services for protection against at least one of prying, tampering, or impersonation;
    - thereby hiding cryptographic details from the Web application.
  - 8. The method as claimed in claim 1, wherein the data protection service encodes the data for safe travel between the client and server.
  - 19. The method of claim 1, wherein the first value is one of a GET request query parameter, a form POST body parameter, or an XML element.
  - 20. The method of claim 1, wherein modifying the response by replacing the first data with a protected data comprises applying one of a confidentiality protection operation, an integrity protection operation, or an origin authentication operation to the first data to thereby generate the protected data.
  - 21. The method of claim 2, wherein the protection rules specify that the restoring the request operation is to be skipped in the data protection service, and wherein the restoring the request operation is skipped such that the request that is sent to the Web application is the request received from the client with the protected data.
  - 22. The method of claim 21, further comprising:
    - performing a call by the Web application to an application firewall in response to receiving the request in the Web application, the call being a request for a restore operation to restore the request to a state corresponding to the first state of the response, and wherein the data protection service of the application firewall performs the restore operation in response to the call.
  - 23. The method of claim 1, further comprising:
    - forwarding the request with the protected data to the Web application; and
      
      receiving a call from the Web application, the call being for a restoration operation for restoring the request with the protected data to a state corresponding to the first state, wherein the restoring the request and sending the request operations are performed in response to receiving the call.

9. A non-transitory storage medium readable by a computer encoding a computer program for execution by the computer to carry out a method for protecting Web application data between a server and a client, the computer program comprising instructions which, when executed by the computer, cause the computer to:
- build a response for the client;
  
  invoke a data protection service for the response, the response comprising a first data having a first state;
  
  modify the response by replacing the first data with a protected data;
  
  send the modified response to the client;
  
  receive a request with the protected data from the client;
  
  pass the received protected data to the data protection service for verification and converting to the first data;
  
  restore the request corresponding to the first state of the response; and
  
  send the request to a Web application, wherein;
  
  the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix and a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The storage medium according to claim 9, wherein the first data is protected based on protection rules in the data protection service.
  - 11. The storage medium according to claim 9, wherein the instructions further cause the computer to provide a data characteristic to the data protection service by the Web application;
    - whereby the data protection service decides protection logic of the data protection service to be applied to the first data.
  - 12. The storage medium according to claim 9, wherein a plurality of data protection services are invoked, and wherein the data protection services are external to the multiple Web applications.
  - 13. The storage medium according to claim 9, wherein the plurality of data protection services are shared between the multiple Web applications.
  - 14. The storage medium according to claim 9, wherein the data protection service encodes the data for safe travel between the client and server.

15. A computer system for protecting Web application data between a server and a client comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises one or more program modules which, when executed by the processor, cause the processor to;
  
  build a response for the client;
  
  invoke a data protection service for the response, the response comprising a first data having a first state;
  
  modify the response by replacing the first data with a protected data;
  
  send the modified response to the client;
  
  receive a request with the protected data from the client;
  
  pass the received protected data to the data protection service for verification and converting to the first data;
  
  restore the request corresponding to the first state of the response; and
  
  send the request to a Web application, wherein;
  
  the protected data comprises server state data having multiple wrappers, each wrapper having an associated data protection service recognizable prefix and a portion of the server state data to which a particular protection operation, corresponding to the data protection service recognizable prefix associated with that wrapping, has been applied,the data protection service recognizable prefix identifies a type of data protection service applied to the portion of the server state data,the protected data is built up from multiple requests sent from the client to the server, with each wrapper in the multiple wrappers being added to the protected data in response to the server processing a corresponding request from the client,the particular protection operation applied to the portion of server state data, and identified by the data protection service recognizable prefix, for each wrapper is one of a confidentiality protection operation that prevents viewing of data by entities outside the server, an integrity protection operation that ensures that data has a same value as when the data is inserted into a response to a request, or an origin authentication operation that enforces that data is received from a specific user,at least two wrappers in the multiple wrappers have different data protection service recognizable prefixes, identifying different types of data protection services, and portions of server state data to which different particular protection operations have been applied.
- View Dependent Claims (16, 17, 18)
- - 16. The computer system according to claim 15, wherein the first data is protected based on protection rules in the data protection service.
  - 17. The computer system according to claim 15, wherein the plurality of data protection services are shared between the multiple Web applications.
  - 18. The computer system according to claim 15, wherein the data protection service encodes the data for safe travel between the client and server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LinkedIn Corporation (Microsoft Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Roy, Patrick, Graveline, Marc, Viney, Ulf
Primary Examiner(s)
Dharia; Rupal D
Assistant Examiner(s)
Ma; Wing

Application Number

US11/187,309
Publication Number

US 20060294206A1
Time in Patent Office

1,831 Days
Field of Search

726/2, 726/11, 726/22, 726/26, 726/28, 726/29, 726/30, 709/203, 709/217, 709/218, 709/219, 709/229, 709/246
US Class Current

709/229
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 2221/2119   Authenticating web pages, e...

H04L 2209/04   Masking or blinding

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

H04L 9/3271   using challenge-response

Opaque cryptographic web application data protection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Opaque cryptographic web application data protection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links