Browser security module

US 9,225,690 B1
Filed: 12/06/2011
Issued: 12/29/2015
Est. Priority Date: 12/06/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of cryptographic secret use, comprising:

under control of one or more computer systems configured with executable instructions,receiving a set of security credentials to a client device, the set of security credentials including at least a key;

causing at least the key to be stored in a security module associated with a browser on the client device, at least one processor on the client device executing instructions to provide the security module;

enabling active content executing in the browser to contact the security module to sign data using the stored key, wherein the active content is able to submit the data to the security module using an interface for a type of the active content, and wherein the browser and the active content are unable to access at least the key stored in the security module; and

enabling the active content executing in the browser to receive, from the security module, the signed data that was signed by the security module using at least the key, the active content operable to forward the signed data to at least one target destination,wherein the security module is configured to sign the data for the active content executing in the browser without exposing the key to the active content,wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the signed data, andwherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the data is signed using the key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

Citations

28 Claims

1. A computer-implemented method of cryptographic secret use, comprising:
- under control of one or more computer systems configured with executable instructions,receiving a set of security credentials to a client device, the set of security credentials including at least a key;
  
  causing at least the key to be stored in a security module associated with a browser on the client device, at least one processor on the client device executing instructions to provide the security module;
  
  enabling active content executing in the browser to contact the security module to sign data using the stored key, wherein the active content is able to submit the data to the security module using an interface for a type of the active content, and wherein the browser and the active content are unable to access at least the key stored in the security module; and
  
  enabling the active content executing in the browser to receive, from the security module, the signed data that was signed by the security module using at least the key, the active content operable to forward the signed data to at least one target destination,wherein the security module is configured to sign the data for the active content executing in the browser without exposing the key to the active content,wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the signed data, andwherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the data is signed using the key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the active content includes an active script executing in the browser, the security module including at least one interface dedicated to a type of the active script.
  - 3. The computer-implemented method of claim 1, wherein receiving the set of security credentials to the client device includes receiving the set of security credentials from a user through a secure channel to the security module, the secure channel being inaccessible to the active content.
  - 4. The computer-implemented method of claim 1, further comprising:
    - causing the client device to contact a scripting server to obtain the active content to be executed in the browser, the device contacting the scripting server without sending the set of security credentials to the scripting server.
  - 5. The computer-implemented method of claim 1, wherein the security module further includes at least one of a hardware chip installed in the client device, a plug-in card of the client device, or an external security device in communication with the client device.
  - 6. The computer-implemented method of claim 1, wherein the set of security credentials further includes at least one policy governing at least one of access to or use of the stored key.
  - 7. The computer-implemented method of claim 6, wherein the security module is further operable to enforce the at least one policy.

8. A computer-implemented method of providing cryptographic operations, comprising:
- causing a set of security credentials including at least a secure key to be stored in a security module associated with a browser on a client device;
  
  enabling an operation associated with active content executing in the browser to contact the security module to produce a result using the stored key, wherein the browser and the active content are unable to access at least the secure key stored in the security module, the active content able to contact the security module to sign the result using the stored key and to submit the result to the security module; and
  
  enabling the active content executing in the browser to receive, from the security module, the result that was produced using the key stored in the security module without exposing the key to the active content, the active content operable to forward the result to at least one target destination,wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, andwherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the result is signed using the key.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 9. The computer-implemented method of claim 8, wherein the security module is provided at least in part through instructions executed by a processor of the client device.
  - 10. The computer-implemented method of claim 8, wherein the secure key is received through a secure channel from a user or generated by the security module.
  - 11. The computer-implemented method of claim 8, wherein the operation associated with the active content is capable of contacting the security module using an interface for a type of the active content.
  - 12. The computer-implemented method of claim 8, wherein the security module is further operable to provide an encrypted token including the key with the result, the active content is unable to decrypt the encrypted token to access the key.
  - 13. The computer-implemented method of claim 8, wherein the result includes at least one of a request signed using the key, a request verified using the key, data encrypted using the key, or data decrypted using the key.
  - 14. The computer-implemented method of claim 8, wherein the key is obtained from an authentication entity through use of a fragment of a link provided to the client device.
  - 15. The computer-implemented method of claim 8, wherein the security module is further operable to store and enforce policies on use of the key by the active content.
  - 16. The computer-implemented method of claim 8, wherein the security module is further operable to generate one-time passwords or site-specific passwords using the stored key.
  - 17. The computer-implemented method of claim 8, wherein the user is able to communicate with the security module using a first secure channel for the entry of secure information and using a second secure channel for the manipulation of metadata pertaining to the authorized use of that secure information.
  - 18. The computer-implemented method of claim 8, wherein the operation associated with the active content executing in the browser is determined to be able to contact the security module to produce a result using the stored key based at least in part upon at least one policy associated with the stored key.
  - 19. The computer-implemented method of claim 8, wherein the at least one policy is received by the security module with the secure key to be stored in the security module.

20. A computer-implemented method of providing access to a resource, comprising:
- obtaining a set of security credentials including at least a key to enable access to specific content offered by a provider;
  
  causing the key to be stored in a security module associated with a browser on a client device;
  
  enabling third party content to be executed in the browser on the client device; and
  
  enabling the third party content executing in the browser to obtain, from the security module, a result that was generated using the key stored in the security module, wherein the browser and the active content are unable to access the key stored in the security module, and wherein the third party content is able to access the specific content offered by the provider using the result, the third party content operable to forward the result to at least one target destination,wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, andwherein an entity at the target destination is enabled to authenticate an identity of the client device by decoding the client token to obtain a copy of the key and determining that the result was generated using the key.
- View Dependent Claims (21, 22)
- - 21. The computer-implemented method of claim 20, wherein enabling the third party content executing in the browser to obtain a result from the security module includes enabling the third party content to submit a request to be signed to an interface of the security module and enabling the third party content to receive the request signed with the key from the security module without exposing the key to the third party content.
  - 22. The computer-implemented method of claim 21, wherein the third party content is enabled to use the generated result to access the specific content by forwarding the signed request to the provider.

23. A computing device, comprising:
- a device processor;
  
  a security module associated with a browser application on the computing device; and
  
  memory including instructions that, when executed by the device processor, cause the computing device to;
  
  cause a set of security credentials including at least a secure key to be stored in the security module associated with the browser on the computing device;
  
  enable an operation associated with active content executing in the browser to contact the security module to produce a result, the result being produced by the security module using the key stored in the security module, wherein the browser and the active content are unable to access at least the secure key stored in the security module; and
  
  enable the active content to receive the result from the security module without exposing the key to the active content, the active content operable to forward the result to at least one target destination,wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, andwherein an entity at the target destination is enabled to authenticate an identity of the computing device by decoding the client token to obtain a copy of the key and determining that the result is signed using the key.
- View Dependent Claims (24, 25, 26)
- - 24. The computing device of claim 23, wherein the security module includes at least one of instructions executing on the device processor, a hardware chip installed in the client device, a plug-in card of the client device, or an external security device in communication with the client device.
  - 25. The computing device of claim 23, wherein the operation associated with the active content is capable of contacting the security module using an interface for a type of the active content.
  - 26. The computing device of claim 23, wherein the instructions, when executed, further cause the computing device to:
    - enforce at least one policy indicating which active content is permitted to perform certain operations using the stored key.

27. A non-transitory computer-readable storage medium including instructions for enabling cryptographic operations, the instructions when executed by a processor of a computing device causing the computing device to:
- cause a set of security credentials including at least a secure key to be stored in a security module associated with a browser on the computing device;
  
  enable an operation associated with active content executing in the browser to contact the security module to produce a result, the result being produced by the security module using the key stored in the security module, wherein the browser and the active content are unable to access the secure key stored in the security module; and
  
  enable the active content to receive the result from the security module without exposing the key to the active content, the active content operable to forward the result to at least one target destination,wherein the set of security credentials further includes a client token, and wherein the security module is further operable to include the client token with the result, andwherein an entity at the target destination is enabled to authenticate an identity of the computing device by decoding the client token to obtain a copy of the key and determining that the result is signed using the key.
- View Dependent Claims (28)
- - 28. The non-transitory computer-readable storage medium of claim 27, wherein the security module is further operable to provide an encrypted token including the key with the result, the active content is unable to decrypt the encrypted token to access the key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Fitch, Nathan R., Roth, Gregory B., Baer, Graeme D.
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US13/312,774
Time in Patent Office

1,484 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 67/02   based on web technology, e....

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Browser security module

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Browser security module

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links