Browser security module
Abstract
Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device uses a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.
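The flow in the abstract, as an added Node.js sketch that is not code from the patent: a provider issues a key plus a client token that encodes it, a signing object holds the key and returns only signed data with the token attached, and the recipient decodes the token to recover the key and check the signature. Assumptions: HMAC-SHA256 as the signature, AES-256-GCM under a provider master key as the token encoding, a closure standing in for the browser security module, and all function names hypothetical.

```javascript
// Added example; names and algorithm choices are assumptions, not the patent's.
const { createHmac, createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } =
  require('node:crypto');

// Provider/recipient side: master key that never leaves the provider.
const MASTER_KEY = randomBytes(32);

// Issue credentials: a fresh client key and a token that statelessly encodes it
// (token = IV || GCM tag || key encrypted under MASTER_KEY).
function issueCredentials() {
  const key = randomBytes(32);
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', MASTER_KEY, iv);
  const ct = Buffer.concat([c.update(key), c.final()]);
  const token = Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
  return { key, token };
}

// Client side: stand-in for the security module. Callers get sign() only;
// the key lives in the closure and is never returned.
function makeSecurityModule({ key, token }) {
  return Object.freeze({
    sign(data) {
      const signature = createHmac('sha256', key).update(data).digest('base64');
      return { data, signature, token };
    },
  });
}

// Recipient: decode the token to recover the key, then verify the signature.
function verifyRequest({ data, signature, token }) {
  try {
    const raw = Buffer.from(token, 'base64');
    const d = createDecipheriv('aes-256-gcm', MASTER_KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const key = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    const expected = createHmac('sha256', key).update(data).digest();
    const got = Buffer.from(signature, 'base64');
    return got.length === expected.length && timingSafeEqual(got, expected);
  } catch {
    return false; // malformed or tampered token fails GCM authentication
  }
}
```

The recipient keeps no per-client state: anything that holds `MASTER_KEY` can verify a request, which also means the token encoding must be authenticated, as GCM is here, so a client cannot substitute a key of its own choosing.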
28 Claims
1. A computer-implemented method of cryptographic secret use, comprising:
under control of one or more computer systems configured with executable instructions,
receiving a set of security credentials to a client device, the set of security credentials including at least a key;
causing at least the key to be stored in a security module associated with a browser on the client device, at least one processor on the client device executing instructions to provide the security module;
enabling active content executing in the browser to contact the security module to sign data using the stored key, wherein the active content is able to submit the data to the security module using an interface for a type of the active content, and wherein the browser and the active content are unable to access at least the key stored in the security module; and
enabling the active content executing in the browser to receive, from the security module, the signed data that was signed by the security module using at least the key, the active content operable to forward the signed data to at least one target destination,
wherein the security module is configured to sign the data for the active content executing in the browser without exposing the key to the active content,
wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the signed data, and
wherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the data is signed using the key.

8. A computer-implemented method of providing cryptographic operations, comprising:
causing a set of security credentials including at least a secure key to be stored in a security module associated with a browser on a client device;
enabling an operation associated with active content executing in the browser to contact the security module to produce a result using the stored key, wherein the browser and the active content are unable to access at least the secure key stored in the security module, the active content able to contact the security module to sign the result using the stored key and to submit the result to the security module; and
enabling the active content executing in the browser to receive, from the security module, the result that was produced using the key stored in the security module without exposing the key to the active content, the active content operable to forward the result to at least one target destination,
wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, and
wherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the result is signed using the key.

20. A computer-implemented method of providing access to a resource, comprising:
obtaining a set of security credentials including at least a key to enable access to specific content offered by a provider;
causing the key to be stored in a security module associated with a browser on a client device;
enabling third party content to be executed in the browser on the client device; and
enabling the third party content executing in the browser to obtain, from the security module, a result that was generated using the key stored in the security module, wherein the browser and the active content are unable to access the key stored in the security module, and wherein the third party content is able to access the specific content offered by the provider using the result, the third party content operable to forward the result to at least one target destination,
wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, and
wherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the result was generated using the key.

23. A computing device, comprising:
a device processor;
a security module associated with a browser application on the computing device; and
memory including instructions that, when executed by the device processor, cause the computing device to:
cause a set of security credentials including at least a secure key to be stored in the security module associated with the browser on the computing device;
enable an operation associated with active content executing in the browser to contact the security module to produce a result, the result being produced by the security module using the key stored in the security module, wherein the browser and the active content are unable to access at least the secure key stored in the security module; and
enable the active content to receive the result from the security module without exposing the key to the active content, the active content operable to forward the result to at least one target destination,
wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, and
wherein an entity at the target destination is enabled to authenticate an identity of the computing device by decoding the client token to obtain a copy of the key and determining that the result is signed using the key.

27. A non-transitory computer-readable storage medium including instructions for enabling cryptographic operations, the instructions when executed by a processor of a computing device causing the computing device to:
cause a set of security credentials including at least a secure key to be stored in a security module associated with a browser on the computing device;
enable an operation associated with active content executing in the browser to contact the security module to produce a result, the result being produced by the security module using the key stored in the security module, wherein the browser and the active content are unable to access the secure key stored in the security module; and
enable the active content to receive the result from the security module without exposing the key to the active content, the active content operable to forward the result to at least one target destination,
wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, and
wherein an entity at the target destination is enabled to authenticate an identity of the computing device by decoding the client token to obtain a copy of the key and determining that the result is signed using the key.

Specification