Secure customer interface for web based data management

US 8,479,259 B2
Filed: 09/30/2009
Issued: 07/02/2013
Est. Priority Date: 09/26/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

establishing a secure session with a web server;

receiving a message over the secure session from a browser application via the web server, wherein the message is encrypted using a first encryption key;

decrypting the received message to determine a user identifier associated with the browser application;

verifying that the user identifier associated with the browser application is entitled to access a communication service;

reencrypting the message using a second encryption key; and

selectively forwarding the reencrypted message to an application proxy corresponding to the communication service based on the verification of the user identifier.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrated series of security protocols is disclosed that protect remote user communications with remote enterprise services, and simultaneously protect the enterprises services from third parties. In the first layer, an implementation of the Secure Sockets Layer (SSL) version of HTTPS provides communications security, including authentication of the enterprise web server and the security of the transmitted data. The protocols provide for an identification of the user, and an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system. Session security is described, particularly as to the differences between a remote user'"'"'s copper wire connection to a legacy system and a user'"'"'s remote connection to the enterprise system over a “stateless” public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems. Security for the enterprise network and security for the data maintained by the various enterprise applications is also described.

Citations

20 Claims

1. A method comprising:
- establishing a secure session with a web server;
  
  receiving a message over the secure session from a browser application via the web server, wherein the message is encrypted using a first encryption key;
  
  decrypting the received message to determine a user identifier associated with the browser application;
  
  verifying that the user identifier associated with the browser application is entitled to access a communication service;
  
  reencrypting the message using a second encryption key; and
  
  selectively forwarding the reencrypted message to an application proxy corresponding to the communication service based on the verification of the user identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein the message is received from the web server through a firewall, the web server being part of a web server cluster.
  - 3. A method according to claim 2, wherein the browser application communicates with the web server over a public data network through another firewall coupled to the web server.
  - 4. A method according to claim 1, wherein the message includes an outer protocol layer, the method further comprising:
    - unwrapping the outer protocol layer from the message.
  - 5. A method according to claim 1, wherein the application proxy is an application specific daemon residing on an intranet server.
  - 6. A method according to claim 1, wherein the application proxy is an application specific daemon residing on an intranet server, and is configured to access another service provided by another intranet server.
  - 7. A method according to claim 1, wherein the first encryption key and the second encryption key are associated with a public key encryption scheme.
  - 8. A method according to claim 1, wherein the secure session includes a session cookie corresponding to the browser application.

9. An apparatus comprising:
- a processor configured to initiate establishment of a secure session with a web server; and
  
  a communication interface coupled to the processor and configured to receive a message over the secure session from a browser application via the web server, wherein the message is encrypted using a first encryption key,wherein the processor is further configured to decrypt the received message to determine a user identifier associated with the browser application, to verify that the user identifier associated with the browser application is entitled to access a communication service, to reencrypt the message using a second encryption key, and to selectively forward the reencrypted message to an application proxy corresponding to the communication service based on the verification of the user identifier.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. An apparatus according to claim 9, wherein the message is received from the web server through a firewall, the web server being part of a web server cluster.
  - 11. An apparatus according to claim 10, wherein the browser application communicates with the web server over a public data network through another firewall coupled to the web server.
  - 12. An apparatus according to claim 9, wherein the message includes an outer protocol layer, the processor being further configured to unwrap the outer protocol layer from the message.
  - 13. An apparatus according to claim 9, wherein the application proxy is an application specific daemon residing on an intranet server.
  - 14. An apparatus according to claim 9, wherein the application proxy is an application specific daemon residing on an intranet server, and is configured to access another service provided by another intranet server.
  - 15. An apparatus according to claim 9, wherein the first encryption key and the second encryption key are associated with a public key encryption scheme.
  - 16. An apparatus according to claim 9, wherein the secure session includes a session cookie corresponding to the browser application.

17. A system comprising:
- a web server cluster configured to communicate with a browser application; and
  
  a dispatcher configured to establish a secure session with the web server cluster, wherein the dispatcher is further configured to receive a message over the secure session from the browser application via the web server cluster, the message being encrypted using a first encryption key,wherein the dispatcher is further configured to decrypt the received message to determine a user identifier associated with the browser application, to verify that the user identifier associated with the browser application is entitled to access a communication service, to reencrypt the message using a second encryption key, and to selectively forward the reencrypted message to an application proxy corresponding to the communication service based on the verification of the user identifier.
- View Dependent Claims (18, 19, 20)
- - 18. A system according to claim 17, wherein the web server is part of a web server cluster, the system further comprising:
    - a firewall coupled to the web server cluster and the dispatcher, wherein the message is received from the web server cluster through the firewall.
  - 19. A system according to claim 18, further comprising:
    - another firewall coupled to the web server cluster and a public data network, wherein the browser application communicates with the web server cluster over the public data network through the other firewall.
  - 20. A system according to claim 17, wherein the application proxy is an application specific daemon, the system further comprising:
    - an intranet server configured to execute the application specific daemon.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Business Global LLC (Verizon Communications Inc.), Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Devine, Carol Y., Shifrin, Gerald A., Shoulberg, Richard W.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US12/570,868
Publication Number

US 20100024012A1
Time in Patent Office

1,371 Days
Field of Search

None
US Class Current

726/3
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0757   by exceeding a time limit, ...

G06F 11/0769   Readable error formats, e.g...

G06F 11/0775   Content or structure detail...

G06F 11/0781   Error filtering or prioriti...

G06F 11/0784   Routing of error reports, e...

G06F 11/202   where processing functional...

G06F 11/32   with visual or acoustical i...

G06F 11/324   Display of status information

G06F 11/327   Alarm or error message display

G06F 11/328   Computer systems status dis...

G06F 11/3495   for systems

G06F 16/972   Access to data in other rep...

G06F 21/00   Security arrangements for p...

G06F 21/41   where a single sign-on prov...

G06F 21/552   involving long-term monitor...

G06F 2201/81   Threshold

G06F 2201/86   Event-based monitoring

G06F 2201/875   Monitoring of systems inclu...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2149 : Restricted operating enviro...

G06Q 10/10 : Office automation; Time man...

G06Q 10/107 : Computer-aided management o...

G06Q 20/102 : Bill distribution or payments

G06Q 20/382 : insuring higher security of...

G06Q 30/02 : Marketing; Price estimation...

G06Q 30/06 : Buying, selling or leasing ...

G06Q 30/0601 : Electronic shopping [e-shop...

G06Q 30/0609 : Buyer or seller confidence ...

G06Q 30/0635 : Processing of requisition o...

G06Q 99/00 : Subject matter not provided...

H04L 12/14 : Charging , metering or bill...

H04L 12/1428 : Invoice generation, e.g. cu...

H04L 41/0213 : Standardised network manage...

H04L 41/0233 : Object-oriented techniques,...

H04L 41/024 : using relational databases ...

H04L 41/0253 : using browsers or web-pages...

H04L 41/06 : Management of faults, event...

H04L 41/0681 : Configuration of triggering...

H04L 41/08 : Configuration management of...

H04L 41/0803 : Configuration setting

H04L 41/0879 : Manual configuration throug...

H04L 41/0895 : Configuration of virtualise...

H04L 41/122 : of virtualised topologies, ...

H04L 41/142 : using statistical or mathem...

H04L 41/18 : Delegation of network manag...

H04L 41/22 : comprising specially adapte...

H04L 41/28 : Restricting access to netwo...

H04L 41/5009 : Determining service level p...

H04L 41/5022 : by giving priorities, e.g. ...

H04L 41/5029 : Service quality level-based...

H04L 41/5032 : Generating service level re...

H04L 41/5061 : characterised by the intera...

H04L 41/5064 : Customer relationship manag...

H04L 41/5067 : Customer-centric QoS measur...

H04L 41/5074 : Handling of user complaints...

H04L 41/5083 : wherein the managed service...

H04L 41/5096 : wherein the managed service...

H04L 43/00 : Arrangements for monitoring...

H04L 43/024 : by adaptive sampling

H04L 43/045 : for graphical visualisation...

H04L 43/06 : Generation of reports

H04L 43/062 : related to network traffic

H04L 43/065 : related to network devices

H04L 43/067 : using time frame reporting

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0817 : by checking functioning

H04L 43/0829 : Packet loss

H04L 43/0847 : Transmission error

H04L 43/0852 : Delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0888 : Throughput

H04L 43/0894 : Packet rate

H04L 43/091 : Measuring contribution of i...

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/16 : Threshold monitoring

H04L 51/00 : User-to-user messaging in p...

H04L 51/04 : Real-time or near real-time...

H04L 51/222 : using geographical location...

H04L 63/02 : for separating internal fro...

H04L 63/0209 : Architectural arrangements,...

H04L 63/0218 : Distributed architectures, ...

H04L 63/0236 : Filtering by address, proto...

H04L 63/0272 : Virtual private networks

H04L 63/0281 : Proxies

H04L 63/0428 : wherein the data content is...

H04L 63/0442 : wherein the sending and rec...

H04L 63/0464 : using hop-by-hop encryption...

H04L 63/08 : for authentication of entit...

H04L 63/0807 : using tickets, e.g. Kerbero...

H04L 63/0815 : providing single-sign-on or...

H04L 63/0823 : using certificates cryptogr...

H04L 63/083 : using passwords cryptograph...

H04L 63/162 : at the data link layer

H04L 63/166 : at the transport layer

H04L 63/168 : above the transport layer

H04L 63/18 : using different networks or...

H04L 65/1101 : Session protocols

H04L 65/401 : wherein the services involv...

H04L 65/80 : Responding to QoS

H04M 15/00 : Arrangements for metering, ...

H04M 15/41 : Billing record details, i.e...

H04M 15/43 : Billing software details

H04M 15/44 : Augmented, consolidated or ...

H04M 15/49 : Connection to several servi...

H04M 15/51 : for resellers, retailers or...

H04M 15/58 : based on statistics of usag...

H04M 15/705 : Account settings, e.g. limi...

H04M 15/721 : using the Internet

H04M 15/745 : Customizing according to wi...

H04M 15/80 : Rating or billing plans; Ta...

H04M 15/8044 : Least cost routing

H04M 15/83 : Notification aspects

H04M 15/8351 : before establishing a commu...

H04M 15/84 : Types of notifications

H04M 2215/0104 : Augmented, consolidated or ...

H04M 2215/0108 : Customization according to ...

H04M 2215/0152 : General billing plans, rate...

H04M 2215/0164 : Billing record, e.g. Call D...

H04M 2215/0168 : On line or real-time flexib...

H04M 2215/0176 : Billing arrangements using ...

H04M 2215/018 : On-line real-time billing, ...

H04M 2215/0188 : Network monitoring; statist...

H04M 2215/42 : Least cost routing, i.e. pr...

H04M 2215/46 : Connection to several servi...

H04M 2215/54 : Resellers-retail or service...

H04M 2215/7009 : Account settings, e.g. user...

H04M 2215/7045 : Using Internet or WAP

H04M 2215/745 : Least cost routing, e.g. Au...

H04M 2215/81 : Notifying aspects, e.g. not...

H04M 2215/8108 : before establishing a commu...

H04M 2215/8129 : Type of notification

H04M 2215/82 : Advice-of-Charge [AOC], i.e...

H04M 3/5175 : Call or contact centers sup...

H04M 3/5191 : interacting with the Internet

Y10S 379/90 : Internet, e.g. Internet pho...

Y10S 707/99931 : Database or file accessing

Y10S 707/99937 : Sorting

Y10S 707/99938 : Concurrency, e.g. lock mana...

Y10S 707/99939 : Privileged access

Y10S 707/99944 : Object-oriented database st...

Y10S 715/969 : Network layout and operatio...

View All

Secure customer interface for web based data management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure customer interface for web based data management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links