Method for improving network application security and the system thereof

US 8,719,915 B2
Filed: 03/18/2010
Issued: 05/06/2014
Est. Priority Date: 05/31/2009
Status: Active Grant

First Claim

Patent Images

1. A method for improving network application security, wherein the method comprising:

a proxy server in a customer terminal host receiving a protocol message generated and sent by customer terminal software according to information input by a user, parsing the protocol message according to a predetermined protocol, and obtaining protocol content, wherein the proxy server is software installed in the customer terminal host; and

the proxy server determining whether critical information, which is predetermined by the proxy server, a smart key device and an application server, is included in the protocol content;

upon determining that the critical information is included in the protocol content, the proxy server sending the protocol content to the smart key device and the smart key device parsing the protocol content to obtain the critical information, and outputting the critical information for user'"'"'s confirmation;

determining whether the critical information is confirmed correct by the user; and

upon determining that the critical information is confirmed correct by the user, the smart key device signing the protocol content and returning a signature result to the proxy server, and then the proxy server generating a new protocol message according to the signature result and the protocol content, and sending it to the application server, wherein the new protocol message is obtained by adding a new requirement head field to a second protocol content, wherein the second protocol content is obtained by inserting the signature result into the protocol content;

orupon determining that the critical information is not confirmed correct by the user within a predetermined time period, the smart key device performing an exception handling;

upon determining that the critical information is not included in the protocol content, the proxy server sending the protocol message to the application server, wherein the step of the proxy server determining whether critical information, which is predetermined by the proxy server, the smart key device and the application server, is included in the protocol content, comprises;

the proxy server finding the field predefined by the proxy server, the smart key device and the application server, in the protocol content, determining whether there is data in the field, upon determining that there is, determining that the critical information is included in the protocol content;

orthe proxy server determining whether a critical information identification, predetermined by the proxy server, the smart key device and the application server, is included in the protocol content, upon determining that it is, the proxy server determining that the critical information is included in the protocol content,wherein both the protocol message and the new protocol message comprise a requirement head field, in which the address of the application server is recorded,wherein the step of the proxy server sending the protocol content to the smart key device further comprises;

the proxy server parsing the requirement head field of the protocol message and determining whether the address of the application server in the requirement head field matches with an address of the application server stored in the proxy server, upon determining that it does, the proxy server sending the protocol content to the smart key device;

upon determining that it does not, the proxy server prompting the user of an error in the application server, and the procedure being completed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for improving network application security and the system thereof are disclosed in the invention, relating to the field of information security. The method includes: a proxy server in a customer terminal host receives a protocol message, generated and sent by the customer terminal software according to the information input by a user, and obtains the protocol content after parsing the protocol message, and determines whether critical information is included in the protocol content, if it is, the server sends the protocol content to the smart key device; and the smart key device obtains the critical information by parsing it and sends it to the user, and after a confirmation information is gotten from the user, the smart key device signs the protocol content and sends the signature result to the server; and then the server generates a new protocol message to an application server according to the signature result and the protocol content; after an error confirmation or no confirmation is received within a predetermined time period by the user, the smart key device performs the exception handling. The system includes a smart key device and a proxy server in the customer terminal host. The invention improves network application security on the premise of no change to the customer terminal, and it is usable and compatible.

14 Citations

13 Claims

1. A method for improving network application security, wherein the method comprising:
- a proxy server in a customer terminal host receiving a protocol message generated and sent by customer terminal software according to information input by a user, parsing the protocol message according to a predetermined protocol, and obtaining protocol content, wherein the proxy server is software installed in the customer terminal host; and
  
  the proxy server determining whether critical information, which is predetermined by the proxy server, a smart key device and an application server, is included in the protocol content;
  
  upon determining that the critical information is included in the protocol content, the proxy server sending the protocol content to the smart key device and the smart key device parsing the protocol content to obtain the critical information, and outputting the critical information for user'"'"'s confirmation;
  
  determining whether the critical information is confirmed correct by the user; and
  
  upon determining that the critical information is confirmed correct by the user, the smart key device signing the protocol content and returning a signature result to the proxy server, and then the proxy server generating a new protocol message according to the signature result and the protocol content, and sending it to the application server, wherein the new protocol message is obtained by adding a new requirement head field to a second protocol content, wherein the second protocol content is obtained by inserting the signature result into the protocol content;
  
  orupon determining that the critical information is not confirmed correct by the user within a predetermined time period, the smart key device performing an exception handling;
  
  upon determining that the critical information is not included in the protocol content, the proxy server sending the protocol message to the application server, wherein the step of the proxy server determining whether critical information, which is predetermined by the proxy server, the smart key device and the application server, is included in the protocol content, comprises;
  
  the proxy server finding the field predefined by the proxy server, the smart key device and the application server, in the protocol content, determining whether there is data in the field, upon determining that there is, determining that the critical information is included in the protocol content;
  
  orthe proxy server determining whether a critical information identification, predetermined by the proxy server, the smart key device and the application server, is included in the protocol content, upon determining that it is, the proxy server determining that the critical information is included in the protocol content,wherein both the protocol message and the new protocol message comprise a requirement head field, in which the address of the application server is recorded,wherein the step of the proxy server sending the protocol content to the smart key device further comprises;
  
  the proxy server parsing the requirement head field of the protocol message and determining whether the address of the application server in the requirement head field matches with an address of the application server stored in the proxy server, upon determining that it does, the proxy server sending the protocol content to the smart key device;
  
  upon determining that it does not, the proxy server prompting the user of an error in the application server, and the procedure being completed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method for improving network application security of claim 1, wherein the step of the smart key device parsing the protocol content and obtaining the critical information in the protocol content, comprises:
    - the smart key device obtaining the field predefined by the proxy server, the smart key device and the application server, in the protocol content, and determining whether there is data in the field, upon determining that there is, the smart key device reading the data and obtaining the critical information;
      
      or the smart key device determining whether a critical information identification predetermined by the proxy server, the smart key device and the application server, is included in the protocol content, upon determining that it is, the smart key device obtaining the critical information with the critical information identification.
  - 3. The method for improving network application security of claim 1, wherein the step of outputting the critical information for user'"'"'s confirmation comprises:
    - the smart key device outputting the critical information for user'"'"'s confirmation by a LCD display or voice broadcast.
  - 4. The method for improving network application security of claim 1, wherein the step of the smart key device performing an exception handling comprises:
    - the smart key device notifying the proxy server of stopping all operations and prompting the user of an operation failure;
      
      or the smart key device returning a fault signature result to the proxy server.
  - 5. The method for improving network application security of claim 1, wherein the step of the smart key device signing the protocol content comprises:
    - the smart key device authenticating a user'"'"'s identification according to his personal identification code or personal biometrics, wherein, the personal biometrics comprise fingerprints, iris or vein identification; and
      
      signing the protocol content after a successful authentication or refusing to sign the protocol content after a authentication failure.
  - 6. The method for improving network application security of claim 1, wherein the step of the proxy server generating a new protocol message according to the signature result and the protocol content, comprises:
    - the proxy server inserting the received signature result to the protocol content and obtaining a new protocol content, and adding a requirement head field to the new protocol content to obtain a new protocol message;
      
      orthe proxy server replacing the designated part of the protocol content with the received signature result to obtain a new protocol content, adding a requirement head field to the new protocol content, and obtaining a new protocol message.
  - 7. The method for improving network application security of claim 1, wherein the predetermined protocol comprises the Hypertext Transfer Protocol and/or the Hypertext Transfer Protocol over Secure Socket Layer.

8. A system for improving network application security, wherein the system comprising:
- a smart key device;
  
  a customer terminal host, comprising a first processor and first memory; and
  
  a proxy server, wherein the proxy server is software installed in the customer terminal host;
  
  wherein the proxy server comprises a plurality of first program modules stored on the first memory, wherein the plurality of first program modules are configured to be executed by the first processor, the plurality of first program modules comprising;
  
  a first interface module for receiving a protocol message generated and sent by customer terminal software according to information input by a user, for communicating with the smart key device, for sending a protocol content to the smart key device, and for receiving a signature result from the smart key device and sending a new protocol message to the application server, wherein the new protocol message is obtained by adding a new requirement head field to a second protocol content, wherein the second protocol content is obtained by inserting the signature result into the protocol content;
  
  a parsing module for parsing the protocol message received by the first interface module and obtaining the protocol content;
  
  a determining module for determining whether critical information, predetermined by the proxy server, the smart key device and the application server, is included in the protocol content gotten by the parsing module, upon determining that it is, sending the protocol content to the smart key device with the first interface module;
  
  otherwise sending the protocol to the application server with the first interface module; and
  
  a message generating module for generating a new protocol message with the signature result received by the first interface module and the protocol content gotten by the parsing module, and for sending the new protocol message to the application server with the first interface module;
  
  wherein the smart key device comprises a second processor, second memory, and a plurality of second program modules stored on the second memory, wherein the plurality of second program modules are configured to be executed by the second processor, the plurality of second program modules comprising;
  
  a second interface module for communicating with the proxy server and receiving the protocol content sent by the proxy server, and for sending the signature result to the proxy server;
  
  a filtering module for parsing the protocol content received by the second interface module and obtaining the critical information;
  
  an outputting module for outputting the critical information gotten by the filtering module for user'"'"'s confirmation;
  
  a confirmation module for receiving the confirmation signal, of whether the critical information is correct or not, input by the user;
  
  a signature module for signing the protocol content received by the second interface module while the signal received by the confirmation module is confirmed correct by the user, and for returning the signature result to the proxy server with the second interface module of the smart key device; and
  
  an exception handling module for making exception handling upon determining that the signal received by the confirmation module is a signal confirmed incorrect by the user, or upon determining that the signal sent by the user is not received by the confirmation module within a predetermined time period,wherein the determining module further comprises;
  
  a first determining unit for finding the field predetermined by the proxy server, the smart key device and the application server, in the protocol content received by the parsing module, and for determining whether there is data in the field or not, upon determining that there is, determining the critical information is included in the protocol content and sending the protocol content to the smart key device with the first interface module;
  
  otherwise, determining the critical information is not included in the protocol content and sending the protocol message to the application server with the first interface module;
  
  ora second determining unit for determining whether the critical information identification, predetermined by the proxy server, the smart key device and the application server, is included in the protocol content received by the parsing module, upon determining that it is, determining the critical information is included in the protocol content and sending the protocol content to the smart key device with the first interface module;
  
  otherwise, determining the critical information is not included in the protocol content and sending the protocol message to the application server with the first interface module,wherein both the protocol message and the new protocol message comprise the requirement head field in which an address of the application server is recorded, and the determining module further comprises;
  
  a determining unit for determining whether the critical information, predetermined by the proxy server, the smart key device and the application server, is included in the protocol content gotten by the parsing module;
  
  a first processing unit for parsing the requirement head field in the protocol message received by the first interface module of the proxy server upon determining that the determining module determines that the critical information is included in the protocol content, and for determining whether the address of the application server recorded in the requirement head field matches with an address of the application server stored in the proxy server, upon determining that it does, sending the protocol content to the smart key device with the first interface module of the proxy server;
  
  otherwise, prompting the user of an error in the application server; and
  
  a second processing unit for sending the protocol message to the application server with the first interface module after the determining module determining that the critical information is not included in the protocol content.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system for improving network application security of claim 8, wherein the filtering module further comprises:
    - a first filtering unit for finding the field predetermined by the proxy server, the smart key device and the application server, in the protocol content received by the second interface module of the smart key device, and for determining whether there is data in the field, upon determining that there is, reading the data and obtaining the critical information;
      
      or a second filtering unit for determining whether a critical information identification predetermined by the proxy server, the smart key device and the application server, is included in the protocol content received by the second interface module of the smart key device, upon determining that it is, obtaining the critical information according to the critical information identification.
  - 10. The system for improving network application security of claim 8, wherein the outputting module is a LCD display or an audio device.
  - 11. The system for improving network application security of claim 8, wherein the exception handling module further comprises a first exception handling unit for notifying the proxy server of stopping all operations and prompting the user of a failure after the information received by confirmation module is information that the user confirms the critical information incorrect, or the confirmation information from the user is not received by the confirmation module within a predetermined time period;
    - or a second exception handling unit for returning a fault signature result to the proxy server with the second interface module of the smart key device after the information received by confirmation module is information that the user confirms the critical information incorrect, or the confirmation information from the user is not received by the confirmation module within a predetermined time period.
  - 12. The system for improving network application security of claim 8, wherein the signature module of the smart key device further comprises:
    - a signature unit for authenticating the user'"'"'s identification by his personal identification code or personal biometrics which include fingerprints, iris or vein, upon determining that the signal received by the confirmation module is a signal that the user confirms the critical information correct, and for signing the protocol content and returning the signature result to the proxy server with the second interface module of the smart key device after a successful authentication;
      
      or for refusing to sign the protocol content after a failed authentication.
  - 13. The system for improving network application security of claim 8, wherein the message generating module of the proxy server comprises a first generating unit for inserting the signature result, received by the first interface module of the proxy server, to the protocol content and obtaining a new protocol content, and for adding a requirement head field to the new protocol content and obtaining a new protocol message, and for sending the new protocol message to the application server with the first interface module or a second generating unit for replacing the signature result, received by the first interface module of the proxy server, with the designated part of the protocol content and obtaining new protocol content, and for adding a requirement head field to the new protocol content and obtaining a new protocol message, and for sending the new protocol message to the application server with the first interface module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Feitian Technologies Company Limited
Original Assignee
ZTE Corporation
Inventors
Lu, Zhou, Yu, Huazhang
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZAIDI, SYED A

Application Number

US12/808,166
Publication Number

US 20110119750A1
Time in Patent Office

1,510 Days
Field of Search

726/12
US Class Current

726/12
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/00   Network architectures or ne...

H04L 63/0281   Proxies

H04L 63/123   received data contents, e.g...

H04L 69/18   Multiprotocol handlers, e.g...

Method for improving network application security and the system thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method for improving network application security and the system thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links