Authentication of untrusted gateway without disclosure of private information
First Claim
1. A method for authorizing use of a server on a mobile platform without providing the server with sensitive information, said method comprising:
- providing a local server having no encryption capabilities and no decryption capabilities;
establishing a secure authorization link between a user interface and a remote authorization server utilizing a user interface web browser, the local server being configured between the user interface and the remote authorization server such that all communications between the user interface and the remote authorization, including the authorization link, are required to pass through the local server, and where the authorization link is unreadable by the local server;
sending user authorization data from the user interface to the authorization server, via the authorization link, and through the local server without any encryption or modification of the user authorization data by the local server, and by utilizing the user interface web browser;
returning a redirected validation message from the authorization server through the local server to the user interface, via the authorization link, with the redirected validation message being unreadable by the local server, the redirected validation message further including a uniform resource locator (URL) that includes information useable by the local server to permit or deny access to a requested service;
using the redirected validation message to provide an instruction to the user interface that causes the user interface to automatically forward the redirected validation message back to the local server, the redirected validation message including data for authorizing use of the local server by the user interface to enable the user interface to access the requested service; and
using the local server to receive the forwarded, redirected validation message, which causes the local server to establish an unsecured local link between the user interface and the local server based on the data included in the redirected validation message, the local link established utilizing the user interface web browser, and the local server adapted to read only unencrypted communications received from the user interface.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method provides user authorization for use of a server without providing the server with sensitive user information. A secure authorization link is established between a user interface and a remote authentication server. The authorization link passes through a local server while being unreadable by the local server. User authorization data is sent from the user interface to the authorization server, via the authorization link. The authorization server then returns a redirected validation message to the user interface, via the authorization link. A local link is established between the user interface and the local server based on data included in the redirected validation message. All communication between the user interface, the local server and authorization server is performed utilizing the user interface web browser. Thus, authorization for use of services controlled by the local server is accomplished without the need to load specialized software on the user interface for establishing such links and performing such communications.
29 Citations
35 Claims
-
1. A method for authorizing use of a server on a mobile platform without providing the server with sensitive information, said method comprising:
-
providing a local server having no encryption capabilities and no decryption capabilities; establishing a secure authorization link between a user interface and a remote authorization server utilizing a user interface web browser, the local server being configured between the user interface and the remote authorization server such that all communications between the user interface and the remote authorization, including the authorization link, are required to pass through the local server, and where the authorization link is unreadable by the local server; sending user authorization data from the user interface to the authorization server, via the authorization link, and through the local server without any encryption or modification of the user authorization data by the local server, and by utilizing the user interface web browser; returning a redirected validation message from the authorization server through the local server to the user interface, via the authorization link, with the redirected validation message being unreadable by the local server, the redirected validation message further including a uniform resource locator (URL) that includes information useable by the local server to permit or deny access to a requested service; using the redirected validation message to provide an instruction to the user interface that causes the user interface to automatically forward the redirected validation message back to the local server, the redirected validation message including data for authorizing use of the local server by the user interface to enable the user interface to access the requested service; and using the local server to receive the forwarded, redirected validation message, which causes the local server to establish an unsecured local link between the user interface and the local server based on the data included in the redirected validation message, the local link established utilizing the user interface web browser, and the local server adapted to read only unencrypted communications received from the user interface. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A communication system comprising:
-
a connection port adapted to provide a connection for a user interface; a remote authorization server; a local server on a mobile platform including a local processor and a local storage device having local server (LS) software stored thereon executable by the local processor, the local server being configured between the user interface and the remote authorization server such that all communications between the user interface and the remote authorization are required to pass through the local server, and where a secure authorization link sent from the remote authorization server is unreadable by the local server and the local server is devoid of encryption and decryption capabilities, and wherein the local processor is configured to; execute the LS software to send a login notification from the local server to the user interface when the user interface is communicatively connected to the connection port, wherein the login notification is utilized by a user to make a user request that requests access to a service controlled by the local server; execute the LS software to establish the secure authorization link between the user interface and the authorization server in response to the user request, wherein the authorization link is established utilizing a user interface web browser absent other specialized software stored in the user interface for establishing the authorization link, the authorization link passing through the local server, without any encryption being applied by the local server, and being unreadable by the local server; use the authorization server to generate a redirected validation message that is sent over the authorization link back to the user interface web browser, through the local server without being read or encrypted by the local server, the redirected validation message containing user authorization data and verified utilizing a public key of the authorization server, and the redirected validation message further including a uniform resource locator (URL) that includes information useable by the local server to permit or deny access to a requested service; use the user interface web browser to recognize an instruction in the redirected validation message to forward the redirected validation message, without requiring a response by the user via the user interface web browser, back to the local server; use the local server to execute the LS software to verify the redirected validation message sent by the authorization server, the redirected validation message being verified utilizing a public key of the authorization server; and use the software to execute the LS software to establish an unsecured local link between the user interface and the local server according to the authorization data, the link established utilizing the user interface web browser absent other specialized software stored in the user interface for establishing the local link, and the local server adapted to read only unencrypted communications from the user interface. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
-
-
30. A method for authorizing use of a service controlled by an onboard server of an aircraft without disclosing confidential information to the onboard server, said method comprising:
-
configuring the onboard server without encryption capability and without decryption capability, and such that the onboard server is disposed between a user interface having a web browser and a remotely located ground based server; sending a login notification from the onboard server to the user interface, the login notification utilized by a user to request access to the service controlled by the onboard server; establishing a secure authorization link between the user interface and the ground based server, the authorization link being established utilizing the user interface web browser absent other specialized software stored in the user interface for establishing the authorization link, the authorization link passing through the onboard server and being unreadable by the onboard server; sending user authorization data from the user interface to the ground based server via the authorization link, the authorization data passing through the onboard server without being encrypted or read by the onboard server, and utilizing the user interface web browser absent other specialized software stored in the user interface for establishing the authorization link; validating the user authorization data utilizing the ground based server; causing the ground based server to generate and send a redirected validation message back to the user interface using the authorization link, the redirected validation message including authorization and authorized service related data including a uniform resource locator (URL) that includes information useable by the local server to permit or deny access to a requested service, the redirected validation message being transmitted within the authorization link and passing through the onboard server but being unreadable by the onboard server; including an instruction in the redirected validation message that causes the user interface web browser to automatically forward the redirected validation message, upon receipt thereof, back to the onboard server without requiring specialized software stored in the user interface for communicating with the onboard server; using the onboard server to verify that the redirected validation message received from the user interface web browser is valid by utilizing a public key of the ground based server; and establishing an unsecured local link between the user interface and the onboard server utilizing the user interface web browser absent other specialized software stored in the user interface for communicating with the onboard server, the onboard server being able to read only unencrypted communications from the user interface. - View Dependent Claims (31, 32, 33, 34, 35)
-
Specification