Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys
Abstract
A management server acts as a repository for a plurality of user certificates corresponding to a plurality of users. When a user wishes to access a remote computer such as a secure-enabled host requiring a secure credential, his/her computer sends a request message to the management server. The management server may perform its own validity checking. In response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivers the requested credential and executable code. The authorization credential comprises information that enables access to the computing resource, and the delivered executable code manages the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential.
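The lifecycle the abstract describes (conditional delivery, in-memory use for one session, erasure afterwards), as an added Python sketch that is not code from the patent. The HMAC-tagged credential, `RESOURCE_KEY`, and every function and class name are assumptions made for illustration; the patent itself speaks of certificates or keys, and the resource would normally be a remote host rather than a local function.

```python
import hashlib
import hmac
import secrets

RESOURCE_KEY = secrets.token_bytes(32)  # constructed: trust anchor shared by server and resource

def issue_credential(user: str, authorized: set) -> bytearray:
    """Management server (hypothetical): deliver a credential only if authorized."""
    if user not in authorized:
        raise PermissionError(f"{user} is not authorized")
    tag = hmac.new(RESOURCE_KEY, user.encode(), hashlib.sha256).hexdigest()
    return bytearray(f"{user}|{tag}".encode())  # mutable buffer, so it can be wiped

def resource_accepts(presented) -> bool:
    """Resource (hypothetical): authenticate the presented credential."""
    user, sep, tag = bytes(presented).rpartition(b"|")
    expected = hmac.new(RESOURCE_KEY, user, hashlib.sha256).hexdigest().encode()
    return bool(sep) and hmac.compare_digest(tag, expected)

class EphemeralSession:
    """Stand-in for the delivered code: one session, then the credential is erased."""
    def __init__(self, credential: bytearray):
        self._cred = credential
        self.established = False

    def __enter__(self):
        if not any(self._cred):  # already wiped (or empty): refuse to start
            raise RuntimeError("credential already erased")
        self.established = resource_accepts(self._cred)
        if not self.established:
            self._wipe()
            raise PermissionError("resource rejected credential")
        return self

    def __exit__(self, *exc):
        self._wipe()  # runs on normal exit and on exceptions alike
        self.established = False
        return False

    def _wipe(self):
        self._cred[:] = bytes(len(self._cred))  # overwrite in place with zeros

def demo():
    cred = issue_credential("alice", {"alice"})
    with EphemeralSession(cred) as session:
        during = session.established
    erased = not any(cred)
    try:
        with EphemeralSession(cred):
            reused = True
    except RuntimeError:
        reused = False  # the delivered instance cannot start a second session
    return during, erased, reused
```

Overwriting the buffer is best-effort in Python: the interpreter or a TLS library may hold other copies, so the guarantee depends on the delivered code controlling every place the credential is handled.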
16 Claims
1. A method for establishing an authorized communication over a network with a computing resource comprising:
- providing a management server to manage and exercise computing resource access control, the management server delivering a requested authorization credential and executable code for execution;
- in response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivering the requested authorization credential and said executable code over the network, said authorization credential comprising information that enables access to the computing resource, said delivered executable code managing the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential;
- the delivered and temporarily stored non-cached authorization credential being structured to allow authorization of a communication session with the computing resource, and the delivered executable code structured to establish a communication session with the computing resource and automatically erase the temporarily stored non-cached authorization credential once it is no longer needed for an established communication session so as to prevent the delivered instance of the temporarily-stored authorization credential from being used to commence a further secure communication session after the established session ends.

(Dependent claims: 2, 3, 4, 5, 6, 7)

8. At least one non-transitory storage medium storing instructions that control the operation of a client computer for establishing a secure communication over a network with a computing resource, said stored instructions for execution by a client computer providing:
- first stored instructions that at least in part establish secure communications between the client computer and a credential management server and thereby permit said management server to authenticate a user of the client computer and to deliver over the network to the client computer a secure credential and executable instruction code to manage and exercise resource access control;
- second stored instructions that enable the client computer to dynamically receive the executable instruction code and the secure credential over the network from the management server conditioned on authentication and authorization of the user for access to a session with a resource that will need a secure credential, said received instruction code allowing the client computer to use but only temporarily store the secure credential only in volatile memory;
- third stored instructions that initiate a secure communication with the resource and present the delivered secure credential to the resource to be authenticated for access to a session; and
- fourth stored instructions comprising at least a portion of the executable instruction code received from the server that automatically erase or disable the temporarily stored secure credential once it is no longer needed for maintaining an established authorized secure communication session with the resource.

9. A method for implementing secure digital communication over a network between a client computer and a computer resource that requires a credential for authentication of an access-requesting entity, comprising:
- sending a request for on-demand provision of a credential;
- receiving a credential and executable code over the network, the code configured to allow only temporary storage of the credential;
- using the executable code to initiate a secure communication session with the resource and to prevent the client computer from caching or preserving the temporarily-stored credential in a manner that disables use of the cached credential once it is no longer needed for a secure digital communication session; and
- presenting the temporarily-stored credential to the computer resource to thereby enable the computer resource to authenticate the access-requesting entity and authorize access by the client computer to the computer resource.

(Dependent claims: 10, 11, 12, 13, 14)

15. A system for implementing control over digital communications over a network between a client computer and an entity requesting a credential for authentication and access to a computer resource, comprising:
- a credential management server providing on-demand delivery of a credential to said client computer to be used for access by the client computer to said resource, the management server configured to authenticate and check authorization of the client computer and, upon verifying authorization, providing over the network a client certificate or other secure credential along with executable code to said client computer, the executable code configured to initiate a secure communication to the resource and allow only temporary storage and usage of the credential by the client computer for establishing and maintaining an authorized communication session with the computer resource and then erasing or corrupting the credential, wherein the executable code must be used by the client computer to connect via the network to a particular computer resource and, once executed, prevents the client computer from permanently caching or preserving the credential once it is no longer needed for the established authorized communication.

16. A method for use with a browser for providing digital communication over a communications network between a user's computer and a resource that requires a credential for authentication, the method comprising:
- requesting a credential from a credential-managing computer entity;
- upon authentication and authorization of the user's computer by the credential managing computer entity, receiving an applet over the network from the credential managing computer entity;
- executing the applet at the browser, the applet execution managing the lifecycle of a credential that the resource requires for authentication and access, wherein the executed applet autonomously requests the credential from the managing computer entity and, upon receiving the credential, initiates a secure connection to the resource and forces the received credential to be erased after the credential is no longer being used for maintaining an authorized communication session between the resource and the user's computer and prevents persistent or permanent storage of the received credential at the user's computer.

Specification