Secure client-side key storage for web applications

US 8,694,784 B1
Filed: 10/09/2012
Issued: 04/08/2014
Est. Priority Date: 10/09/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure client-side key storage for authentication tracking, the method being executed using one or more processors and comprising:

establishing, by a browser executed on a client-side computing device, a mutual authentication between the client-side computing device and a server-side computing device, the client-side computing device comprising the one or more processors, and the server-side computing device executing an application;

in response to establishing the mutual authentication, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain comprising a static script that handles the SSK and that selectively provides request signatures;

receiving, at the sub-domain, a message requesting a request signature;

determining that the message originated from an authentic origin; and

in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for secure client-side key storage for authentication tracking. Implementations include actions of determining, at a browser executed on a client-side computing device, that an application is authentic, the application being executed on a server-side computing device, in response to determining that the application is authentic, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain including a static script that handles the SSK and that selectively provides request signatures, receiving, at the sub-domain, a message requesting a request signature, determining that the message originated from an authentic origin, and in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.

25 Citations

View as Search Results

10 Claims

1. A computer-implemented method for secure client-side key storage for authentication tracking, the method being executed using one or more processors and comprising:
- establishing, by a browser executed on a client-side computing device, a mutual authentication between the client-side computing device and a server-side computing device, the client-side computing device comprising the one or more processors, and the server-side computing device executing an application;
  
  in response to establishing the mutual authentication, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain comprising a static script that handles the SSK and that selectively provides request signatures;
  
  receiving, at the sub-domain, a message requesting a request signature;
  
  determining that the message originated from an authentic origin; and
  
  in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining that the message originated from an authentic origin comprises:
    - comparing a target origin attribute of the message to one or more authentic origins, the one or more authentic origins comprising the authentic origin; and
      
      determining that the target origin is identical to the authentic origin.
  - 3. The method of claim 2, wherein the message comprises a postMessage that is received through a postMessage application program interface (API).
  - 4. The method of claim 1, wherein the static script stores the SSK upon receiving the SSK.
  - 5. The method of claim 4, wherein the SSK is stored in at least one or local storage and session storage.
  - 6. The method of claim 1, wherein the static script is provided in a document hosted on the sub-domain, the document being included in a web page of the application domain using an invisible iframe.
  - 7. The method of claim 1, wherein the SSK is provided as a client-side SSK that is generated during a mutual authentication scheme to mutually authenticate a user of the client-side computing device and the application to each other.
  - 8. The method of claim 1, further comprising determining that an expiration time of the SSK has lapsed and, in response, deleting the SSK from memory.

9. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for secure client-side key storage for authentication tracking, the operations comprising:
- establishing, by a browser executed on a client-side computing device, a mutual authentication between the client-side computing device and a server-side computing device, the client-side computing device comprising the one or more processors, and the server-side computing device executing an application;
  
  in response to establishing the mutual authentication, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain comprising a static script that handles the SSK and that selectively provides request signatures;
  
  receiving, at the sub-domain, a message requesting a request signature;
  
  determining that the message originated from an authentic origin; and
  
  in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.

10. A system, comprising:
- a client-side computing device; and
  
  a computer-readable storage device coupled to the client-side computing device and having instructions stored thereon which, when executed by the client-side computing device, cause the client-side computing device to perform operations for secure client-side key storage for authentication tracking, the operations comprising;
  
  establishing, by a browser executed on a client-side computing device, a mutual authentication between the client-side computing device and a server-side computing device, the client-side computing device comprising one or more processors, and a server-side computing device executing an application;
  
  in response to establishing the mutual authentication, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain comprising a static script that handles the SSK and that selectively provides request signatures;
  
  receiving, at the sub-domain, a message requesting a request signature;
  
  determining that the message originated from an authentic origin; and
  
  in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Lekies, Sebastian, Johns, Martin
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US13/647,593
Publication Number

US 20140101446A1
Time in Patent Office

546 Days
Field of Search

713/169
US Class Current

713/169
CPC Class Codes

H04L 63/0869   for achieving mutual authen...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3273   for mutual authentication n...

Secure client-side key storage for web applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Secure client-side key storage for web applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links