Method and apparatus for distributing, interpreting, and storing heterogeneous certificates in a homogenous public key infrastructure

US 6,895,501 B1
Filed: 03/13/2000
Issued: 05/17/2005
Est. Priority Date: 03/13/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for establishing a secure network connection between a web browser on a client and a service, said web browser having a virtual machine, said web browser having access to a first key, said client web browser and virtual machine being of the type that downloads and executes applets while protecting against at least some client resources from being updated based on said applet execution, said method comprising:

establishing an insecure network connection with said client web browser;

downloading, over said insecure connection, at least one digitally signed applet to the client web browser, said at least one applet including;

(a) a second key, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to use the stored second key to establish a secure network connection with said service;

before the client virtual machine executes the digitally signed applet, verifying the digitally signed applet at the client using the first key;

executing the downloaded applet code with the client virtual machine, thereby causing the client to store the second key corresponding to the service; and

further executing said at least one applet to cause said at least one applet to use the stored second key to authenticate the service and establish the secure network connection with the service.

View all claims

25 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A connection is established between a server and a web browser having access to a first, trusted public key. The server downloads a digitally signed archive to the browser, the archive including a second public key. The browser verifies the digitally signed archive using the first public key, and stores the second public key in response to the verification. The browser then uses the stored second public key to authenticate the server and establish a secure connection with the server. The second public key and its chain of trust need not be known by the browser beforehand, and the archive may include program fragments that store the key in an area where the browser (or an applet running under the browser) can access and use it. The archive may also include a program fragment that performs certificate validation for the client—enabling the client to handle certificate types it does not know about. Advantages include allowing the archive to be transmitted over any insecure connection since it is integrity protected and authenticated; and allowing the client to make a direct connection to the server without having to access certificate stores on the platform.

76 Citations

View as Search Results

18 Claims

1. A method for establishing a secure network connection between a web browser on a client and a service, said web browser having a virtual machine, said web browser having access to a first key, said client web browser and virtual machine being of the type that downloads and executes applets while protecting against at least some client resources from being updated based on said applet execution, said method comprising:
- establishing an insecure network connection with said client web browser;
  
  downloading, over said insecure connection, at least one digitally signed applet to the client web browser, said at least one applet including;
  
  (a) a second key, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to use the stored second key to establish a secure network connection with said service;
  
  before the client virtual machine executes the digitally signed applet, verifying the digitally signed applet at the client using the first key;
  
  executing the downloaded applet code with the client virtual machine, thereby causing the client to store the second key corresponding to the service; and
  
  further executing said at least one applet to cause said at least one applet to use the stored second key to authenticate the service and establish the secure network connection with the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the applet further includes program code that controls the client to use the stored second key to verify a signature subsequently provided by the server.
  - 3. The method of claim 1 wherein the executing step includes controlling the client virtual machine to store, at the client, the second key in the form of a digital certificate corresponding to the server, and the further executing step comprises receiving a digital signature from the server, and authenticating the received digital signature under control of the executing applet through use of the stored digital certificate corresponding to the server.
  - 4. The method of claim 1 wherein the further executing step includes having the executing applet invoke a further applet to establish a secure connection.
  - 5. The method of claim 1 wherein the applet comprises a signed Archive containing a digital certificate corresponding to the server, and a program fragment that stores the digital certificate in a predetermined location on the client that permits the client to later retrieve the stored digital certificate.
  - 6. The method of claim 1 wherein the applet includes a second key payload and further includes first program code that controls the client to store the second key to a non-volatile memory.
  - 7. The method of claim 6 wherein the non-volatile memory comprises a disk.
  - 8. The method of claim 6 wherein the applet further includes second program code that controls the client to use the stored second key to verify a signature subsequently provided by the server.

9. A web browser on a client for establishing a secure network connection with a service over a network, said client web browser including a virtual machine, said client web browser and virtual machine being of the type that downloaded and execute applets while protecting against at least some resources of said client from being updated by said applet execution, said client comprising:
- an applet receiver that receives at least one digitally signed applet from the service over an insecure network connection, said at least one applet including;
  
  (a) a key, (b) code executable on the client virtual machine to cause the client to store the key, and (c) code executable on the client virtual machine to establish a secure network connection with said service, said applet being executed by the client virtual machine to cause the client to store the key delivered with the applet, the stored key allowing authentication between the client and the service;
  
  wherein the client web browser includes an applet verifier that, before executing the applet, verifies the digitally signed applet using a key different from the key delivered with the applet;
  
  wherein the client virtual machine further includes an applet executor that executes the applet, thereby controlling the client to store the key delivered with the applet, said delivered key corresponding to the server, and uses the stored delivered key to authenticate the server and establish a secure network connection between the client and the server.

10. A method for establishing a secure network connection with a web browser on a client, said client web browser including a virtual machine and having access to a first key, said client web browser and virtual machine being of the type that download and execute applets while protecting at least some of client resources from being affected by said applet execution, the method comprising:
- downloading, over an insecure network connection, at least one executable applet to the client virtual machine, said at least one applet including;
  
  (a) a second key corresponding to the server, (b) code executable on the client virtual machine to cause the client to store the further key corresponding to the server, and (c) code executable on the client virtual machine to establish a secure network connection with said server, the digitally signed applet being digitally signed such that the client virtual machine can verify the digitally signed applet using the first key, the at least one digitally signed applet including the further key and code executable by the client virtual machine that controls the client virtual machine to store the further key;
  
  sending a digital credential to the client, said digital credential being verifiable by the client applet using the stored further key delivered with the at least one applet; and
  
  establishing a secure network communication with the executing client applet based on said digital credential as verified by the client applet.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 wherein the applet further includes further code that controls the client to use the stored further key to verify the digital credential.
  - 12. The method of claim 10 further including sending a further applets to the client in response to an invocation of the further applet by the at least one applet.
  - 13. The method of claim 10 wherein the applet comprises a signed Archive containing a digital certificate, and a program fragment that stores the digital certificate in a predetermined location on the client that permits the client to later retrieve the stored digital certificate.
  - 14. The method of claim 10 wherein the applet code controls the client to store the further key to a non-volatile memory.
  - 15. The method of claim 14 wherein the non-volatile memory comprises a disk.

16. A server for establishing a secure network connection with a web browser on a client over a network, said client having resources including the web browser and a virtual machine, said client web browser and virtual machine being of the type that download and execute applets while protecting at least some of said client resources from being affected by said applet execution, said server comprising:
- an applet transmitter that transmits at least one digitally signed applet to the client over an insecure network connection, the at least one applet being digitally signed using a first key the client possesses independently of the applet, said at least one applet including;
  
  (a) a second key corresponding to the server, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to establish a secure network connection with said server, the applet being executable by the client virtual machine to control the client to store the second key corresponding to the server;
  
  a digital credential transmitter that transmits a digital credential to the client executing the applet, the digital credential being authenticatable by the client using the second key; and
  
  a secure network connector that establishes a secure network connection with the client under control of the executing applet and based at least in part on the digital credential being authenticated by the second key delivered over the insecure network connection.

17. A method for establishing a secure network connection between a server and a web browser on a client having access to a firstkey and also having a virtual machine, said web browser and virtual machine downloading and executing applets while protecting resources from being updated by said applet execution, said method comprising:
- downloading, to the browser over an insecure network connection, at least one digitally signed applet, the applet including;
  
  (a) a second key associated with the server, (b) code executable on the client virtual machine to cause the client to store the second key, and (c) code executable on the client virtual machine to establish a secure network connection with said server;
  
  verifying the digitally signed applet at the browser using the first key;
  
  executing the applet with the virtual machine to cause the client to store the second key;
  
  using the stored second key to authenticate a further credential delivered by the server; and
  
  based on said authentication of the said further credential, establishing, under control of the executing applet, a secure network connection between the web browser and the server.
- View Dependent Claims (18)
- - 18. A method as in claim 17 wherein the applet comprises an archive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Attachmate Corporation (Open Text Corporation)
Original Assignee
WRQ, Inc. (Open Text Corporation)
Inventors
Salowey, Joseph A.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Lipman, Jacob

Application Number

US09/524,272
Time in Patent Office

1,891 Days
Field of Search

713/168, 717168-174
US Class Current

713/168
CPC Class Codes

H04L 63/126 the source of the received ...

Method and apparatus for distributing, interpreting, and storing heterogeneous certificates in a homogenous public key infrastructure

First Claim

25 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for distributing, interpreting, and storing heterogeneous certificates in a homogenous public key infrastructure

First Claim

25 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links