Multi-system security integration

US 8,762,731 B2
Filed: 09/14/2012
Issued: 06/24/2014
Est. Priority Date: 09/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer system including instructions recorded on a computer-readable medium and executable by at least one processor, the system comprising:

a multi-system manager configured to cause the at least one processor to perform state change calls to one or more backend systems by combining a multi-system protection token with a message component for transporting from a user agent to the one or more backend systems for validation, wherein the multi-system manager includes;

a symbol generator configured to generate an authentication code for proving authenticity of a combined data structure generated by combining a secret cryptographic data key with a portion of the message component and generating a hash code of the combined data structure;

a nonce generator configured to generate an arbitrary random number to bind the multi-system protection token to the user agent; and

a token generator configured to generate the multi-system protection token by combining the authentication code and the arbitrary random number with the message component for transporting from the user agent to the one or more backend systems for validation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with aspects of the disclosure, a system and methods are provided for managing multi-system security integration by performing state change calls to one or more backend systems by combining a multi-system protection token with a message component for transporting from a user agent to the one or more backend systems for validation by generating an authentication code for proving authenticity of a combined data structure generated by combining a secret cryptographic data key with a portion of the message component and generating a hash code of the combined data structure, generating an arbitrary random number to bind the multi-system protection token to the user agent, and generating the multi-system protection token by combining the authentication code and the arbitrary random number with the message component for transporting from the user agent to the one or more backend systems for validation.

Citations

25 Claims

1. A computer system including instructions recorded on a computer-readable medium and executable by at least one processor, the system comprising:
- a multi-system manager configured to cause the at least one processor to perform state change calls to one or more backend systems by combining a multi-system protection token with a message component for transporting from a user agent to the one or more backend systems for validation, wherein the multi-system manager includes;
  
  a symbol generator configured to generate an authentication code for proving authenticity of a combined data structure generated by combining a secret cryptographic data key with a portion of the message component and generating a hash code of the combined data structure;
  
  a nonce generator configured to generate an arbitrary random number to bind the multi-system protection token to the user agent; and
  
  a token generator configured to generate the multi-system protection token by combining the authentication code and the arbitrary random number with the message component for transporting from the user agent to the one or more backend systems for validation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein combining the multi-system protection token with the message component comprises inserting the multi-system protection token as part of a uniform resource locator or a message body for transporting from the user agent to the one or more backend systems for validation.
  - 3. The system of claim 1, wherein combining the secret cryptographic data key with the portion of the message component includes combining the secret cryptographic data key with one or more concatenated data fields of a uniform resource locator or a part of the message body.
  - 4. The system of claim 1, wherein the multi-system protection token comprises a multi-system local cross-site request forgery (XSRF) token for performing the state change calls during a short time interval.
  - 5. The system of claim 1, wherein the symbol generator comprises a hashed message authentication code (HMAC) generator, and wherein the authentication code comprises at least one of an HMAC and a digital signature including a public/private key pair.
  - 6. The system of claim 1, wherein the nonce generator comprises a random number generator configured to generate the arbitrary random number to bind the multi-system protection token to the user agent.
  - 7. The system of claim 1, further comprising:
    - an identity generator configured to generate a system identifier (SID) for identifying the computer system and for looking up the secret cryptographic data key by the one or more backend systems,wherein the token generator is further configured to generate the multi-system protection token by combining the system identifier (SID), the authentication code, and the arbitrary random number with the uniform resource locator, andwherein the secret cryptographic data key comprises a digital signature including a public/private key pair.
  - 8. The system of claim 1, further comprising:
    - a parameter generator configured to generate parameter information comprising one or more hypertext transfer protocol (HTTP) codes associated with the message component including an OK code, a GET code, and a POST code,wherein the token generator is further configured to generate the multi-system protection token by combining the parameter information, the authentication code, and the arbitrary random number with the uniform resource locator.
  - 9. The system of claim 1, further comprising:
    - a timestamp generator configured to generate an expiration timestamp that is valid only during a short time interval including within a range of greater than zero minutes and less than five minutes,wherein the token generator is further configured to generate the multi-system protection token by combining the expiration timestamp, the authentication code, and the arbitrary random number with the uniform resource locator.
  - 10. The system of claim 1, wherein the computer-readable medium is configured for storing the secret cryptographic data key in a secure manner, and the at least one processor is configured for retrieving the stored secret cryptographic data key from the computer-readable medium for generating the authentication code by the symbol generator.
  - 11. The system of claim 1, wherein at least one of the one or more backend systems comprises a configuration user interface (UI) configured for importing the secret cryptographic data key, another computer-readable medium configured for storing the imported secret cryptographic data key in a secure manner, and at least one other processor configured for retrieving the stored secret cryptographic data key from the another computer-readable medium under an identity of the computer system.
  - 12. The system of claim 10, wherein the at least one of the one or more backend systems is configured to validate the multi-system protection token by generating an expected multi-system protection token from the stored secret cryptographic data key and determining whether the multi-system protection token received from the user agent matches the expected multi-system protection token.
  - 13. The system of claim 1, wherein the computer system is configured to operate as an integration server and at least one of the one or more backend systems is configured to operate as a backend server to achieve multi-system cross-site request forgery (XSRF) protection when the user agent attempts to perform the state change calls.

14. A computer-implemented method, comprising:
- performing state change calls to one or more backend systems by combining a multi-system protection token with a message component for transporting from a user agent to the one or more backend systems for validation by;
  
  generating an authentication code for proving authenticity of a combined data structure generated by combining a secret cryptographic data key with a portion of the message component and generating a hash code of the combined data structure;
  
  generating an arbitrary random number to bind the multi-system protection token to the user agent; and
  
  generating the multi-system protection token by combining the authentication code and the arbitrary random number with the message component for transporting from the user agent to the one or more backend systems for validation.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, wherein combining the multi-system protection token with the message component comprises inserting the multi-system protection token as part of a uniform resource locator or a message body for transporting from the user agent to the one or more backend systems for validation.
  - 16. The method of claim 14, wherein combining the secret cryptographic data key with the portion of the message component includes combining the secret cryptographic data key with one or more concatenated data fields of a uniform resource locator or a part of the message body.
  - 17. The method of claim 14, wherein the multi-system protection token comprises a multi-system local cross-site request forgery (XSRF) token that is configured to disable local XSRF protection of the one or more backend systems for performing the state change calls during a short time interval.
  - 18. The method of claim 14, wherein the authentication code comprises a hashed message authentication code (HMAC).
  - 19. The method of claim 14, further comprising:
    - generating a system identifier (SID) for identifying the computer system and for looking up the secret cryptographic data key by the one or more backend systems;
      
      generating parameter information comprising one or more hypertext transfer protocol (HTTP) codes associated with the message component including an OK code, a GET code, and a POST code; and
      
      generating an expiration timestamp that is valid only during a short time interval including within a range of greater than zero minutes and less than five minutes, wherein the multi-system protection token is generated by combining one or more of the system identifier (SID), the parameter information, the expiration timestamp along with the authentication code and the arbitrary random number and with the uniform resource locator.

20. A computer program product, the computer program product being tangibly embodied on a computer-readable storage medium and comprising instructions that, when executed by at least one processor, are configured to:
- perform state change calls to one or more backend systems by combining a multi-system protection token with a message component for transporting from a user agent to the one or more backend systems for validation, wherein the instructions, when executed by the at least one processor, are further configured to;
  
  generate an authentication code for proving authenticity of a combined data structure generated by combining a secret cryptographic data key with a portion of the message component and generating a hash code of the combined data structure;
  
  generate an arbitrary random number to bind the multi-system protection token to the user agent; and
  
  generate the multi-system protection token by combining the authentication code and the arbitrary random number with the message component for transporting from the user agent to the one or more backend systems for validation.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The computer program product of claim 20, wherein combining the multi-system protection token with the message component comprises inserting the multi-system protection token as part of a uniform resource locator or a message body for transporting from the user agent to the one or more backend systems for validation.
  - 22. The computer program product of claim 20, wherein combining the secret cryptographic data key with the portion of the message component includes combining the secret cryptographic data key with one or more concatenated data fields of a uniform resource locator or a part of the message body.
  - 23. The computer program product of claim 20, wherein the multi-system protection token comprises a multi-system local cross-site request forgery (XSRF) token that is configured to disable local XSRF protection of the one or more backend systems for performing the state change calls during a short time interval.
  - 24. The computer program product of claim 20, wherein the authentication code comprises a hashed message authentication code (HMAC).
  - 25. The computer program product of claim 20, further comprising instructions that, when executed by the processor, are configured to:
    - generate a system identifier (SID) for the computer system to ensure that the secret cryptographic data key is known only by the computer system and the one or more backend systems;
      
      generate parameter information comprising one or more hypertext transfer protocol (HTTP) codes associated with the message component including an OK code, a GET code, and a POST code; and
      
      generate an expiration timestamp that is valid only during a short time interval including within a range of greater than zero minutes and less than five minutes, wherein the multi-system protection token is generated by combining one or more of the system identifier (SID), the parameter information, the expiration timestamp along with the authentication code and the arbitrary random number and with the uniform resource locator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Engler, Michael, De Boer, Martijn, Janzen, Wolfgang
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/617,962
Publication Number

US 20140082366A1
Time in Patent Office

648 Days
Field of Search

713/176, 726/26, 726/22
US Class Current

713/176
CPC Class Codes

H04L 9/3226   using a predetermined code,...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Multi-system security integration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-system security integration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links