Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys

US 8,214,884 B2
Filed: 06/25/2004
Issued: 07/03/2012
Est. Priority Date: 06/27/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for establishing an authorized communication over a network with a computing resource comprising:

providing a management server to manage and exercise computing resource access control, the management server delivering a requested authorization credential and executable code for execution;

in response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivering the requested authorization credential and said executable code over the network, said authorization credential comprising information that enables access to the computing resource, said delivered executable code managing the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential;

the delivered and temporarily stored non-cached authorization credential being structured to allow authorization of a communication session with the computing resource, andthe delivered executable code structured to establish a communication session with the computing resource and automatically erase the temporarily stored non-cached authorization credential once it is no longer needed for an established communication session so as to prevent the delivered instance of the temporarily-stored authorization credential from being used to commence a further secure communication session after the established session ends.

View all claims

25 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management server acts as a repository for a plurality of user certificates corresponding to a plurality of users. When a user wishes to access a remote computer such as a secure-enabled host requiring a secure credential, his/her computer sends a request message to the management server. The management server may perform its own validity checking. In response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivers the requested credential and executable code, the authorization credential comprising information that enables access to the computing resource and the delivered executable code manages the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential.

71 Citations

View as Search Results

16 Claims

1. A method for establishing an authorized communication over a network with a computing resource comprising:
- providing a management server to manage and exercise computing resource access control, the management server delivering a requested authorization credential and executable code for execution;
  
  in response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivering the requested authorization credential and said executable code over the network, said authorization credential comprising information that enables access to the computing resource, said delivered executable code managing the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential;
  
  the delivered and temporarily stored non-cached authorization credential being structured to allow authorization of a communication session with the computing resource, andthe delivered executable code structured to establish a communication session with the computing resource and automatically erase the temporarily stored non-cached authorization credential once it is no longer needed for an established communication session so as to prevent the delivered instance of the temporarily-stored authorization credential from being used to commence a further secure communication session after the established session ends.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the delivered executable code comprises a terminal emulation applet which the management server delivers on demand.
  - 3. The method of claim 1 wherein said authorization credential comprises a public/private key pair including a client authentication certificate.
  - 4. The method of claim 1 wherein using the delivered non-cached authorization credential comprises transmitting said authorization credential to a host computing resource to satisfy a challenge from the host.
  - 5. The method of claim 1 wherein said executable code automatically deletes the delivered authorization credential from memory of a client computer without requiring any user operation to cause deletion so the authorization credential is no longer available at the client computer.
  - 6. The method of claim 1 wherein the credential is part of a chain of trust within a public key infrastructure.
  - 7. The method of claim 1 wherein the authorization credential is structured to enable the computing resource to independently verify that the authorization credential is valid without having to communicate with the management server.

8. At least one non-transitory storage medium storing instructions that control the operation of a client computer for establishing a secure communication over a network with a computing resource, said stored instructions for execution by a client computer providing:
- first stored instructions that at least in part establish secure communications between the client computer and a credential management server and thereby permit said management server to authenticate a user of the client computer and to deliver over the network to the client computer a secure credential and executable instruction code to manage and exercise resource access control;
  
  second stored instructions that enable the client computer to dynamically receive the executable instruction code and the secure credential over the network from the management server conditioned on authentication and authorization of the user for access to a session with a resource that will need a secure credential, said received instruction code allowing the client computer to use but only temporarily store the secure credential only in volatile memory;
  
  third stored instructions that initiate a secure communication with the resource and present the delivered secure credential to the resource to be authenticated for access to a session; and
  
  fourth stored instructions comprising at least a portion of the executable instruction code received from the server that automatically erase or disable the temporarily stored secure credential once it is no longer needed for maintaining an established authorized secure communication session with the resource.

9. A method for implementing secure digital communication over a network between a client computer and a computer resource that requires a credential for authentication of an access-requesting entity, comprising:
- sending a request for on-demand provision of a credential;
  
  receiving a credential and executable code over the network, the code configured to allow only temporary storage of the credential;
  
  using the executable code to initiate a secure communication session with the resource and to prevent the client computer from caching or preserving the temporarily-stored credential in a manner that disables use of the cached credential once it is no longer needed for a secure digital communication session; and
  
  presenting the temporarily-stored credential to the computer resource to thereby enable the computer resource to authenticate the access-requesting entity and authorize access by the client computer to the computer resource.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9 further including establishing a secure communication session between the client computer and the computer resource at least in part in response to authentication by said computer resource based upon the presented credential.
  - 11. The method of claim 9 further including establishing a secure communication session between the client computer and the computer resource server without the management server communicating with the computer resource server.
  - 12. The method of claim 9 wherein the executable code is an applet.
  - 13. The method of claim 9 wherein the executable code is a browser plug-in.
  - 14. The method of claim 9 wherein the credential comprises a public/private key pair including a client authentication certificate.

15. A system for implementing control over digital communications over a network between a client computer and an entity requesting a credential for authentication and access to a computer resource, comprising:
- a credential management server providing on-demand delivery of a credential to said client computer to be used for access by the client computer to said resource, the management server configured to authenticate and check authorization of the client computer and, upon verifying authorization, providing over the network a client certificate or other secure credential along with executable code to said client computer, the executable code configured to initiate a secure communication to the resource and allow only temporary storage and usage of the credential by the client computer for establishing and maintaining an authorized communication session with the computer resource and then erasing or corrupting the credential, wherein the executable code must be used by the client computer to connect via the network to a particular computer resource and, once executed, prevents the client computer from permanently caching or preserving the credential once it is no longer needed for the established authorized communication.

16. A method for use with a browser for providing digital communication over a communications network between a user'"'"'s computer and a resource that requires a credential for authentication, the method comprising:
- requesting a credential from a credential-managing computer entity;
  
  upon authentication and authorization of the user'"'"'s computer by the credential managing computer entity, receiving an applet over the network from the credential managing computer entity;
  
  executing the applet at the browser, the applet execution managing the lifecycle of a credential that the resource requires for authentication and access, wherein the executed applet autonomously requests the credential from the managing computer entity and, upon receiving the credential, initiates a secure connection to the resource and forces the received credential to be erased after the credential is no longer being used for maintaining an authorized communication session between the resource and the user'"'"'s computer and prevents persistent or permanent storage of the received credential at the user'"'"'s computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Attachmate Corporation (Open Text Corporation)
Original Assignee
Attachmate Corporation (Open Text Corporation)
Inventors
Xia, Sharon, Brombaugh, Dan, Muñoz, Eduardo
Primary Examiner(s)
LaForgia, Christian
Assistant Examiner(s)
SCHMIDT, KARI L

Application Number

US10/875,606
Publication Number

US 20040268152A1
Time in Patent Office

2,930 Days
Field of Search

726/5, 726/12, 726/20, 726/18, 726/19, 713150-156, 713/171, 713/176, 713/178, 713/180, 709217-179, 709/225
US Class Current

726/5
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys

First Claim

25 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys

First Claim

25 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links