CN1354934A - System and method for enabling secure access to services in a computer network - Google Patents


Publication number: CN1354934A
Authority: CN (China)
Prior art keywords: client computer, service, client, privilege, described system
Legal status: Granted
Application number: CN98814246.5A
Other languages: Chinese (zh)
Other versions: CN1227858C
Inventor: 马克·D·里金斯 (Mark D. Riggins)
Current assignee: BlackBerry Ltd
Original assignee: Visto Corp
Events: application filed by Visto Corp; publication of CN1354934A; application granted; publication of CN1227858C; anticipated expiration; current status Expired - Lifetime


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

A global server includes a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and a keysafe for storing a key which enables access to the secured service. The global server may be coupled to multiple sites, wherein each site provides multiple services. Each site may be protected by a firewall. Accordingly, the global server stores the keys for enabling communication via the firewalls with the services.

Description

System and method for enabling secure access to services in a computer network
The present invention relates generally to computer networks, and more particularly to a system and method for enabling secure access to services in a computer network.
In its early days, the Internet provided a research-oriented environment in which users and hosts were interested in the free and open exchange of information, and in which users and hosts trusted one another. The Internet has since grown dramatically, to nearly 100,000 interconnected computer networks and millions of users. Because of its scale and public nature, it has become a target for data theft, data tampering and other mischief.
In fact, everyone on the Internet is vulnerable. Before connecting, a company must weigh the benefits of an Internet connection against the loss of security. Current security techniques are used to provide client-server authentication, data confidentiality, system integrity, system access control and the like.
The most popular of the current security techniques is the firewall, which comprises an intermediate system placed between a trusted network and the Internet. To prevent unauthorized communication between the trusted network and the Internet, the firewall provides a security perimeter. A firewall may comprise screening routers, proxy servers and application-layer gateways.
To access a service protected inside the trusted network, a user on the Internet must present an identity to the firewall in some way, for example by entering a password or by using a hardware token to complete a challenge-response. Once properly authenticated, the user may enter the LAN through the firewall, but is usually restricted to a predetermined set of services, for example e-mail, FTP (file transfer protocol) and the like.
Some LAN administrators simply place a server outside the firewall. Such a server is often called a "sacrificial lamb": it stores non-confidential data that remote users can access easily, and it therefore has little security.
A Demilitarized Zone, or DMZ, sits between two firewalls that protect a trusted network. In the DMZ, the outer firewall protects the server from external threats while still allowing Hypertext Transfer Protocol (HTTP) requests through. If a server in the DMZ is compromised, the inner firewall still protects the trusted network. Many companies use a DMZ to maintain their web servers.
Another security technique for protecting computer networks is the distribution and use of public key certificates. A certificate authority issues public key certificates to users: it validates a user's identity by some method and issues a certificate describing the user's name and public key. As evidence of authenticity, the certificate authority digitally signs the user's certificate with its own private key.
Thus, when a user connects to a site's server via a client, the client and the server exchange public key certificates. Each party can check the authenticity of the certificate it receives by verifying its signature with the certificate authority's public key. The user can then send secure communications to the server by encrypting messages with the server's public key, and the server can send secure communications to the user by encrypting messages with the user's public key. Although any user can present a public key certificate, only the genuine user and the genuine host hold the corresponding private key needed to decrypt the messages. Examples of computer security systems that perform authentication and key distribution include the Kerberos™ security system developed by the Massachusetts Institute of Technology and the NetSP™ security system developed by IBM Corporation.
These security techniques do not solve the problems associated with the roaming (mobile) user. For the roaming user, maintaining identification and authentication information such as passwords, certificates and keys is a cumbersome process. In addition, accessing multiple systems requires multiple keys, which often makes tracking and using them overly complicated. Further, direct access to systems behind a firewall can jeopardize security. A system and method for easy and secure remote access to computer services is therefore needed.
The present invention provides a system and method for enabling secure access to services in a computer network. The network system comprises a global server connected to computer servers via a computer network. The global server comprises a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O between the client and a secured service; and a keysafe (file) for storing a key which enables access to the secured service. The global server may be coupled to multiple sites, wherein each site provides multiple services. Each site may be protected by a firewall. Accordingly, the global server stores the keys for enabling communication via the firewalls with the services.
The method comprises the steps of establishing a communications link with a client; identifying and authenticating the client; determining the client privileges; providing to the client, based on the client privileges, an applet which enables I/O between the client and a secured service; and retrieving the key which enables access to the secured service.
The system and method of the present invention preferably provide a globally accessible trusted third party, i.e. the global server. This trusted third party securely stores keys and acts as a single identification and authentication service. Other systems may be accessed through the global server. The global server uses the stored keys to authenticate the user under an identity understood by the existing security services of the other system, and establishes a secure communications channel to the desired service. Because of the global firewall, the global server is significantly protected from external threats. Accordingly, the global server provides authenticated clients with secure communication through the firewalls that protect the services. The global server may provide multiple levels of identification and authentication service. Accordingly, based on the user's status, the strength of the identification and authentication, and the confidentiality of the communications channel, the global server may provide multiple levels of resource access.
Because of the global firewall and the identification and authentication services performed by the global server, a company can store relatively confidential information on the global server for use by authenticated clients. However, the invention also enables a company to keep only a portion of its confidential information on the global server, so that the limited loss caused by a compromise of the trusted third party system can be contained. In addition, the global server can conveniently act as a client proxy, controlling access to services, recording key usage and recording access to resources.
Fig. 1 is a block diagram illustrating a roaming-user network access system according to the present invention;
Fig. 2 is a block diagram illustrating the details of an exemplary client shown in Fig. 1;
Fig. 3 is a block diagram illustrating the details of the global server shown in Fig. 1;
Fig. 4 is a block diagram illustrating the details of an exemplary server shown in Fig. 1;
Fig. 5 is a flowchart illustrating a method for remotely accessing a secured service;
Fig. 6 is a flowchart illustrating the details of the step of Fig. 5 of establishing a connection between the client and the global server;
Fig. 7 illustrates an exemplary web page;
Fig. 8A is a flowchart illustrating the details of the service access step of Fig. 5 according to a first embodiment;
Fig. 8B is a flowchart illustrating the details of the service access step of Fig. 5 according to a second embodiment;
Fig. 8C is a flowchart illustrating the details of the service access step of Fig. 5 according to a third embodiment;
Fig. 1 is a block diagram illustrating an exemplary roaming-user network access system 100 according to the present invention. System 100 comprises a computer interconnection network, referred to herein as the Internet 102. System 100 further comprises a first corporate network 112, a second corporate network 118, a kiosk network 138 and an Internet Service Provider (ISP) network 143, each connected to the Internet 102.
Corporate network 112 comprises a firewall 116 connected between the Internet 102 and a client 114a. Corporate network 118 comprises a firewall 120 connected between the Internet 102 and an internal network signal bus 126. Corporate network 118 further comprises a first server 108a for providing a first service 110a; a second server 108b for providing a second service 110b; a client 114b for storing a program that provides a third service 110c; and a second client 114c; each connected to signal bus 126. Services 110a-110d may include an e-mail service program, an address book service, a calendar service program, a paging service program and a corporate database service.
Kiosk network 138 comprises a first client 114d and a second client 114e, each connected to the Internet 102. ISP network 143 comprises an ISP 148, which is connected to a first client 114f via a wireless channel 146 and to a second client 114g via modems 152, 156 and a transmission line 154.
The Internet 102 includes the global server 106, protected by a global firewall 104, and a server 108e for providing a service 110d. Communication between clients 114a-114g and services 110a-110d takes place via the global server 106. For example, if a user of any of clients 114a-114g wishes to access a service 110a-110d (provided at a site in system 100 that the user need not know), the user can use a known uniform resource locator (URL) to reach a web page provided by the global server 106. An exemplary web page 700 is shown in Fig. 7 and described with reference to it. The global firewall 104 protects the global server 106 from external threats.
Before being granted access privileges to the functions provided by the global server 106, the user must first obtain authorization from the global server 106. Obtaining authorization typically requires user identification and authentication, for example using public key certificates. Once authenticated, the user is given access to services 110a-110d by the global server 106. It will be appreciated that, depending on the varying strength of the identification and authentication and on the confidentiality of the communications channel, the user is granted varying levels of access to services 110a-110d.
To enable the user to access and control services 110a-110d, the global server 106 may use conventional applets, servlets or proxy servers in a distributed network environment, such as the Java™ distributed environment provided by Netscape. The global server 106 provides the user's client with access to and control of services 110a-110d. The global server 106 may redirect the user's client to access a service 110a-110d itself; the global server 106 may access the service 110a-110d itself and provide I/O to the client by proxy; or the global server 106 may provide the service 110a-110d itself. These three modes of access to services 110a-110d are described with reference to Figs. 8A-8C.
The global server 106 stores the network addresses of all services 110a-110d, the user's public and private keys, the user's account identifiers, firewall authentication information and the like. The firewall authentication information includes the identification, passwords and certificates needed to pass through firewalls 116 and 120. Accordingly, the user need only keep the URL of the global server 106 and the identification and authentication information, such as a password or hardware token, needed to use the functions of the global server 106. The roaming user can thus access computer services 110a-110d from any terminal connected to the Internet 102.
Fig. 2 is a block diagram illustrating the details of a client 114, of which each of clients 114a-114g is an instance. Client 114 comprises a central processing unit (CPU) 210, such as a Motorola microprocessor or an Intel Pentium microprocessor. An input device 220 (for example a keyboard and mouse) and an output device 230 (such as a cathode ray tube (CRT) display) are connected to CPU 210 via a signal bus 240. A communications interface 250, a data storage device 260 (for example read-only memory (ROM) or a magnetic disk) and a random-access memory (RAM) 270 are also connected to CPU 210 via signal bus 240. The communications interface 250 of client 114 is connected to the Internet 102 as shown in and described with reference to Fig. 1.
Operating system 280 comprises a program for controlling the processing of CPU 210, and is typically stored in data storage device 260 and loaded into RAM 270 for execution. Operating system 280 comprises a communications engine 282 for generating information packets and transmitting them to, or receiving them from, the Internet 102 via communications interface 250.
Operating system 280 further comprises an Internet engine such as a web browser 284, for example the Netscape™ web browser provided by Netscape or the Internet Explorer browser provided by Microsoft. Web browser 284 comprises a cryptographic engine 285 for encrypting messages with public and private keys, and an applet engine 286 for executing applets downloaded from the global server 106 so that the client can access computer services 110a-110d. A downloaded applet 288 may include a security applet 290 for performing services such as user identification and authentication, message integrity services and certificate verification. Browser 284 further receives web data (391, Fig. 3), configuration data 390 and a set of information identifying the services 110a-110d available for selection, and uses this information to display the web page (700, Fig. 7). Web browser 284 thus enables the user of client 114a-114g to selectively execute one of services 110a-110d.
It will be appreciated that a client 114a-114g, for example client 114b, may include a service engine 490 (Fig. 4) for providing a service 110a-110d, for example service 110c. Thus the user of client 114b may request access to service 110c via the global server 106 without knowing that client 114b itself provides service 110c. Accordingly, the global server 106 provides client 114 with an applet 288 whose purpose is to give the user an I/O interface back to service 110c on client 114b.
Fig. 3 is a block diagram illustrating the details of the global server 106, which comprises a CPU 310, for example a Motorola microprocessor or an Intel Pentium microprocessor. An input device 320, for example a keyboard and mouse, and an output device 330, for example a CRT display, are connected to CPU 310 via a signal bus 340. A communications interface 350, a data storage device 360, for example read-only memory or a magnetic disk, and a RAM 370 are also connected to CPU 310 via signal bus 340. Communications interface 350 is connected to clients 114 as part of the Internet 102 in the usual way. It will be appreciated that although the global server 106 is described as a single computer, it may comprise multiple networked computers.
Operating system 380 comprises a program for controlling the processing of CPU 310, and is typically stored on data storage device 360 and loaded into RAM 370 for execution. Operating system 380 comprises a communications engine 382 for generating information packets and exchanging them with clients 114 via communications interface 350.
Operating system 380 further comprises a security service 384, which forms part of the global firewall, for opening channels and communicating with users. For example, when a client attempts to access the global server 106, security service 384 first determines whether the global server 106 has received an in-bound communication on a particular port (not shown), and whether the servlet host engine 386 (described below) connected to that port has been authenticated. If so, security service 384 allows communications engine 382 to open a communications channel to the client 114a-114g via that port. Otherwise, no channel is opened.
Operating system 380 further comprises a web page engine 387, which transmits web data 391 and a set of information identifying the available services 110a-110d to clients 114a-114g based on the user's identification, the strength of the user authentication and the confidentiality of the communications channel. An exemplary web page 700 is shown in Fig. 7 and described with reference to it. Web page engine 387 enables the user to select a service 110a-110d from web page 700.
Web page engine 387 comprises a servlet host engine 386, which can download to client 114 a security applet 290 that includes an authentication applet (not shown), and correspondingly execute an authentication servlet 397 among the servlets 398, to perform identification and authentication services. The authentication applet 290 prompts the user to enter identification and authentication information and communicates that information to the authentication servlet 397, which verifies whether it is correct. It will be appreciated that the user's authentication information need not itself be transmitted to the authentication servlet 397; instead, its possession and correctness can be proven by a secure method, for example a secure hash. Servlet host engine 386 further comprises a secure communications engine 396, which can negotiate a secure communications channel with client 114 using public key certificates.
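The paragraph above says the authentication applet may prove the user's credential with a secure hash instead of sending it. The following is an added example, not code from the patent or from Visto: a challenge-response exchange in which the servlet issues a fresh nonce, the applet answers with an HMAC keyed by a password-derived verifier, and the servlet checks the answer in constant time and refuses replays. PBKDF2-HMAC-SHA256 as the verifier function, HMAC-SHA256 as the proof, the 16-byte nonce and the sample user are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumptions of this example, not from the patent: PBKDF2-HMAC-SHA256 turns the
# password into the stored verifier, each challenge carries a random 16-byte nonce,
# and the proof is HMAC-SHA256(verifier, nonce). Iteration count kept low for a demo.
ITERATIONS = 20_000


def make_verifier(password: str, salt: bytes) -> bytes:
    """Derive the verifier the servlet stores; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AuthenticationServlet:
    """Stands in for authentication servlet 397: issues challenges, checks proofs."""

    def __init__(self):
        self._users = {}     # username -> (salt, verifier)
        self._pending = {}   # nonce -> username; every nonce is accepted at most once

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, make_verifier(password, salt))

    def challenge(self, username: str):
        """Return (salt, nonce) for a known user, None otherwise."""
        if username not in self._users:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = username
        return self._users[username][0], nonce

    def verify(self, username: str, nonce: bytes, proof: bytes) -> bool:
        # Consume the nonce first: a captured (nonce, proof) pair fails on resubmission
        # even though the proof itself was valid once.
        if self._pending.pop(nonce, None) != username:
            return False
        _, verifier = self._users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)   # constant-time comparison


class AuthenticationApplet:
    """Stands in for authentication applet 290: proves the password without sending it."""

    @staticmethod
    def prove(password: str, salt: bytes, nonce: bytes) -> bytes:
        return hmac.new(make_verifier(password, salt), nonce, hashlib.sha256).digest()


def run_exchange(servlet: AuthenticationServlet, username: str, password: str) -> bool:
    """One complete challenge-response round; True only for the correct password."""
    ch = servlet.challenge(username)
    if ch is None:
        return False
    salt, nonce = ch
    proof = AuthenticationApplet.prove(password, salt, nonce)
    return servlet.verify(username, nonce, proof)


def replay_is_rejected(servlet: AuthenticationServlet, username: str, password: str) -> bool:
    """Capture a valid (nonce, proof) pair and resubmit it; the second attempt must fail."""
    salt, nonce = servlet.challenge(username)
    proof = AuthenticationApplet.prove(password, salt, nonce)
    first = servlet.verify(username, nonce, proof)
    second = servlet.verify(username, nonce, proof)
    return first and not second


if __name__ == "__main__":
    s = AuthenticationServlet()
    s.register("alice", "correct horse battery")   # constructed sample user
    print(run_exchange(s, "alice", "correct horse battery"), run_exchange(s, "alice", "wrong"))
    print(replay_is_rejected(s, "alice", "correct horse battery"))
```

The limitation worth noting: the verifier doubles as the HMAC key, so whoever steals the servlet's user table can answer challenges without the password. That is why the description keeps such material behind the global firewall, and why a password-authenticated key exchange would be the stronger choice today; the exchange is also assumed to run over the SSL channel of step 607, since the nonce and proof alone do not give confidentiality.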
For a selected service 110a-110d, servlet host engine 386 downloads to client 114 the corresponding applet 388, the corresponding configuration data 390 and the corresponding user data 392, and may download the corresponding service address information 394. Configuration data 390 includes information for configuring the user's web browser 284, information for configuring the downloaded applet 288 and information for configuring the selected service 110a-110d. User data 392 may include user- and service-specific information, for example stored bookmarks, calendar data, pager numbers and the like; this information is stored in plaintext on the global server 106 for easy access. Service address information 394 identifies the sites of the services 110a-110d that the global server 106 offers to system 100. Client 114 executes the downloaded applet 288, which enables the user to access and control the corresponding service 110a-110d via servlet host engine 386 (possibly using a corresponding servlet 398). Downloadable applets 388, configuration data 390, user data 392 and service address information 394 may be stored in data storage device 360.
Keysafe 395 is a data file for storing each user's authentication information, public and private keys, the password information for each firewall and the like. Keysafe 395 is organized as a linked list so that, based on the selected service 110a-110d, the global server 106 can retrieve the appropriate firewall password information, the appropriate user authentication information, the key and the like. Keysafe 395 may be stored on data storage device 360.
Fig. 4 is a block diagram illustrating the details of a server 108, of which servers 108a-108c and client 114b are each instances. Server 108 comprises a CPU 410, for example a Motorola microprocessor or an Intel Pentium microprocessor. An input device 420, for example a keyboard and mouse, and an output device 430, for example a CRT display, are connected to CPU 410 via a signal bus 440. A communications interface 450, a data storage device 460, for example ROM or a magnetic disk, and a RAM 470 are also connected to CPU 410 via the signal bus. Communications interface 450 is connected to clients 114 as shown in and described with reference to Fig. 1.
Operating system 480 comprises a program for controlling the processing of CPU 410, typically stored in data storage device 460 and loaded into RAM 470 for execution. Operating system 480 also comprises a communications engine 482 for generating information packets and exchanging them with clients 114 or the global server 106 via communications interface 450. Operating system 480 further comprises a security service 484 for negotiating a secure channel with the user, a communications engine 486 for opening the secure channel with the user, and a service engine 490 for providing services 110a-110d to the user.
Service engine 490 comprises a service interface 492 for receiving and translating the information being exchanged with the downloaded applet 288 executing on client 114, and a service processor 494 and service data 496 for processing service requests from the user. Service data 496 may include previously generated files, database information and the like. It will be appreciated that service data 496 is similar to user data 392 in that it holds the same types of information, but it is maintained on the site server 108 rather than on the global server 106.
Fig. 5 is a flowchart illustrating a method 500 for enabling a user to access services 110a-110d on computer network system 100. Method 500 begins in step 505 with client 114 establishing a communications link with the global server 106; step 505 is described in more detail with reference to Fig. 6. In step 510, the global server 106 confirms that the user has privileges to access the functions of the global server 106. Confirming the user's access privileges may include checking user certificates, obtaining a secret password, using digital signature techniques and the like. It will be appreciated that security service 384 may cause servlet host engine 386 to transmit a security applet 389 to client 114 via the communications channel for performing user authentication.
After the user's access privileges have been confirmed, in step 515 the web page engine 387 of the global server 106 downloads web data 391 and configuration data 390 to client 114. In step 520, the browser 284 of client 114 uses web data 391 and configuration data 390 to display web page 700 (Fig. 7) on the output device of client 114, enabling the user to select a service 110a-110d provided by the global server 106. An exemplary web page 700 is shown in and described with reference to Fig. 7.
In step 525, the user selects a service 110a-110d from the options listed on web page 700 via input device 220. In response, in step 530, the servlet host engine 386 of the global server 106 downloads to client 114 the corresponding applet(s) 388, applet configuration data 390, user data 392 and possibly service address information 394. Applet configuration data 390 preferably includes user-specific parameters and selections, for example the user's preferred fonts, for configuring the selected service 110a-110d. User data 392 may include user-specific and service-specific information, for example stored bookmarks, calendar data, pager numbers and the like. Service address information 394 identifies the site of the selected service 110a-110d. Alternatively, the corresponding applet 388, applet configuration data 390, user data 392 and service address information 394 may be downloaded together with web data 391 and configuration data 390 in step 515.
In step 535, the applet engine 286 of client 114 executes the corresponding downloaded applet 288. In step 537, the site server 108 initializes service engine 490. In step 538, the global server 106 selects one of the three access modes described in Figs. 8A-8C for connecting client 114 with the corresponding service engine 490. For example, if the user selects service 110d on server 108c, which is not protected by a separate firewall, the global server 106 may allow the user direct access. If the user selects service 110a, provided by server 108a in corporate network 118, the global server 106 may provide the access for the user. It will be appreciated that each of firewalls 116 and 120 may store a policy that establishes the correct access mode for the global server 106 to select. Other factors in selecting the access mode may include user preference, availability and feasibility. In step 540, the global server 106 provides client 114 with access to the selected service 110a-110d; step 540 is described in more detail with reference to Figs. 8A, 8B and 8C.
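Step 538 picks one of the three access modes of Figs. 8A-8C, with the site firewall's stored policy taking precedence over user preference, and step 540 then uses the keysafe to reach the service. The following is an added example, not code from the patent or from Visto, that puts those two steps together: a keysafe indexed by (user, service), a mode selector that honours the firewall policy, and an access routine that hands the client only what its mode needs, so that in proxy mode the firewall credential never leaves the global server. The `AccessMode` names, the `FirewallPolicy` type, the site and service names and every secret in `build_demo()` are constructed for this example; how a redirected client is admitted by a site firewall is left outside it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AccessMode(Enum):
    REDIRECT = "redirect"   # Fig. 8A: client is redirected to the service itself
    PROXY = "proxy"         # Fig. 8B: global server reaches the service and proxies I/O
    SERVE = "serve"         # Fig. 8C: global server provides the service itself


@dataclass(frozen=True)
class Service:
    name: str
    site: Optional[str]     # None when the global server hosts the service
    address: str            # service address information 394


@dataclass(frozen=True)
class FirewallPolicy:      # hypothetical: the policy a site firewall stores (step 538)
    site: str
    allowed: tuple          # access modes this firewall permits


@dataclass(frozen=True)
class KeysafeEntry:
    user: str
    service: str
    firewall_credential: Optional[str]   # what passes the site firewall
    service_key: str                     # account or key the service understands


class Keysafe:
    """Keysafe 395 as a map keyed by (user, service): one lookup per selection."""

    def __init__(self, entries):
        self._by_key = {(e.user, e.service): e for e in entries}

    def lookup(self, user: str, service: str) -> Optional[KeysafeEntry]:
        return self._by_key.get((user, service))


class GlobalServer:
    def __init__(self, services, policies, keysafe: Keysafe):
        self.services = {s.name: s for s in services}
        self.policies = {p.site: p for p in policies}
        self.keysafe = keysafe
        self.audit = []   # the global server records key use and resource access

    def select_mode(self, service_name: str, preference: Optional[AccessMode] = None) -> AccessMode:
        """Step 538: the firewall's policy decides; user preference only orders the rest."""
        svc = self.services[service_name]
        if svc.site is None:
            return AccessMode.SERVE
        policy = self.policies.get(svc.site)
        if policy is None:                       # no separate firewall in front of the site
            return preference or AccessMode.REDIRECT
        for mode in (preference, AccessMode.PROXY, AccessMode.REDIRECT):
            if mode in policy.allowed:
                return mode
        raise PermissionError(f"firewall policy at {svc.site} permits no access mode")

    def open_access(self, user: str, service_name: str, preference: Optional[AccessMode] = None) -> dict:
        """Step 540: hand the client only what the chosen mode requires."""
        mode = self.select_mode(service_name, preference)
        svc = self.services[service_name]
        entry = self.keysafe.lookup(user, service_name)
        if entry is None:
            raise PermissionError(f"no keysafe entry for {user!r} and {service_name!r}")
        self.audit.append((user, service_name, mode.value))
        if mode is AccessMode.SERVE:
            return {"mode": mode.value}
        if mode is AccessMode.REDIRECT:
            # The client contacts the site itself, so it needs the service key.
            return {"mode": mode.value, "address": svc.address, "service_key": entry.service_key}
        # PROXY: the global server presents the firewall credential and the service key
        # on the client's behalf; the client receives only a session handle.
        return {"mode": mode.value, "session": self._connect_through_firewall(svc, entry)}

    def _connect_through_firewall(self, svc: Service, entry: KeysafeEntry) -> str:
        # Constructed stand-in for the firewall login and the service connection.
        if entry.firewall_credential is None:
            raise PermissionError(f"no firewall credential stored for {svc.site}")
        return f"proxied:{svc.address}"


def build_demo() -> GlobalServer:
    """Constructed sample topology echoing Fig. 1; hosts, names and secrets are made up."""
    services = [
        Service("email", "corp118", "mail.corp118.example"),          # service 110a behind firewall 120
        Service("service110d", "site108c", "svc.site108c.example"),   # no separate firewall
        Service("bookmarks", None, ""),                                # hosted by the global server
    ]
    policies = [FirewallPolicy("corp118", (AccessMode.PROXY,))]        # firewall 120 allows proxy only
    keysafe = Keysafe([
        KeysafeEntry("alice", "email", "fw120-password", "mail-account-key"),
        KeysafeEntry("alice", "service110d", None, "svc-key"),
        KeysafeEntry("alice", "bookmarks", None, ""),
    ])
    return GlobalServer(services, policies, keysafe)


if __name__ == "__main__":
    gs = build_demo()
    for name in ("email", "service110d", "bookmarks"):
        print(name, gs.open_access("alice", name))
```

Run as a script it prints one line per service; the e-mail line shows a session handle and no credential, which is the property the description relies on when it lets a company keep confidential material behind firewall 120 rather than on the global server. The keysafe lookup runs after mode selection but before anything is returned, so a user without an entry gets a refusal and no audit record rather than a partially opened session.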
Fig. 6 is a flowchart illustrating the details of step 505. The method begins in step 605, in which the user uses a known URL to call global server 106 from client 114. In step 607, a secure communication channel is established between global server 106 and client 114, possibly using Secure Sockets Layer (SSL) technology. Specifically, in step 610 the security service 384 of global server 106 determines whether a secure communications connection is permitted and, if so, establishes a communication port with client 114. In step 615, the browser 284 of client 114 and the security service 384 of global server 106 negotiate the secure communication channel parameters, possibly using public key authentication. One example of a secure communication channel uses RSA with RC4 encryption. It will be appreciated that global server 106 may be configured to use one of ten cryptographic protocols while client 114 may be enabled to use one of five cryptographic protocols; step 615 can therefore include selecting a cryptographic protocol common to global server 106 and client 114. In step 620, the crypto engine 285 of client 114 and the secure communication engine 396 of global server 106 use the secure channel parameters to establish the secure communication channel. Method 505 then ends.
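The negotiation in steps 610-620 can be modelled as a small policy check followed by an intersection of the two sides' protocol lists. The following is an added example, not code from the patent or from Visto; the ten server protocol labels, the five-entry client list, the `ChannelPolicy` fields and the function names are all constructed assumptions. It shows the point a practitioner cares about: the server's preference order decides, so a client that lists a weak protocol first cannot steer the choice downward, and protocols the policy forbids are never chosen even when they are the only overlap.

```python
"""Constructed model of steps 610-620 of Fig. 6: the security service decides
whether a secure connection is permitted, then a cryptographic protocol common
to the global server and the client is chosen. The protocol labels, the policy
and the client's list are illustrative assumptions, not values from the patent."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed catalogue: ten protocols the global server could be configured
# with, in the server's order of preference (strongest first). The labels are
# made up; the patent names RSA with RC4 only as one example.
SERVER_PROTOCOLS = (
    "rsa-aes256", "rsa-aes128", "rsa-3des", "dh-aes256", "dh-aes128",
    "dh-3des", "rsa-rc4-128", "rsa-rc4-40", "rsa-des", "rsa-null",
)


@dataclass(frozen=True)
class ChannelPolicy:
    """Constructed stand-in for what security service 384 consults in step 610."""
    allow_secure_connections: bool = True
    # Protocols refused even when both sides support them (export-grade / null).
    forbidden: frozenset = frozenset({"rsa-rc4-40", "rsa-des", "rsa-null"})


@dataclass(frozen=True)
class ChannelParams:
    """Parameters handed to the crypto engines in step 620."""
    protocol: str
    authentication: str


class NegotiationError(Exception):
    """Raised when no permitted channel can be agreed."""


def connection_permitted(policy: ChannelPolicy) -> bool:
    """Step 610: may a secure connection be set up at all?"""
    return policy.allow_secure_connections


def select_common_protocol(server_prefs: Sequence[str], client_supported: Sequence[str],
                           policy: ChannelPolicy) -> str:
    """Step 615: choose a protocol common to server and client.

    The server's preference order is authoritative, so a client listing a weak
    protocol first cannot steer the choice downward, and policy-forbidden
    protocols are skipped even when they are the only overlap."""
    client_set = set(client_supported)
    for proto in server_prefs:
        if proto in client_set and proto not in policy.forbidden:
            return proto
    raise NegotiationError("no permitted protocol common to server and client")


def negotiate_channel(client_supported: Sequence[str], policy: Optional[ChannelPolicy] = None,
                      server_prefs: Sequence[str] = SERVER_PROTOCOLS) -> ChannelParams:
    """Steps 610-620 end to end; returns the agreed channel parameters."""
    policy = policy or ChannelPolicy()
    if not connection_permitted(policy):
        raise NegotiationError("secure connections not permitted by policy")
    proto = select_common_protocol(server_prefs, client_supported, policy)
    # Step 615 also allows public key authentication of the channel; recorded
    # here as a label only, since the handshake itself is outside this model.
    return ChannelParams(protocol=proto, authentication="public-key")


if __name__ == "__main__":
    # Constructed client enabled for five of the ten protocols.
    client = ("dh-3des", "rsa-rc4-128", "rsa-rc4-40", "rsa-aes128", "rsa-null")
    print(negotiate_channel(client))
```

Refusing to fall back to a forbidden protocol (rather than accepting whatever the two sides share) is the design choice that matters: with an unordered intersection a client offering only weak options would silently get a weak channel.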
Fig. 7 illustrates an exemplary web page 700 based on URL-addressable Hypertext Markup Language (HTML), maintained by the servlet host engine 386. Web page 700 includes a title 710 "Web Page", a list of the services 715 offered, and a pointer 770 for selecting one of the alternative services 715. As illustrated, the services 715 offered can include an e-mail service 720, a calendar service 730, an Internet access service 740, a paging service 750 and a fax service 760. Although not shown in the figure, web page 700 can include other services, for example bookmarks, QuickCard and the like.
Fig. 8A is a flowchart illustrating the details of step 540 in a first embodiment, referred to here as step 540a, in which global server 106 provides client 114 with a direct connection to service 110a-110d. Step 540a begins in step 805, in which the downloaded applet 288 retrieves the service address of the selected service 110a-110d from data storage device 360 and retrieves the authentication information for service 110a-110d from key store 395. In step 810, communication engine 282 establishes a direct, secure connection with communication engine 482 of workspace server 108 at the retrieved service address and authenticates itself using the authentication information. In step 815, applet 288 acts as the input/output interface with the service engine. Step 540a then ends.
Fig. 8B is a flowchart illustrating the details of step 540 in a second embodiment, referred to here as step 540b, in which global server 106 acts as a proxy for client 114 to service 110a-110d. Step 540b begins in step 840, in which applet 288 retrieves a service address that, for step 540b, points to global server 106. Accordingly, in step 845, a connection is established between applet 288 and global server 106. In step 850, the servlet host engine 386 of global server 106 retrieves the service address of the selected service 110a-110d and the authentication information for the selected service 110a-110d from key store 395. In step 855, the secure communication engine 396 of global server 106 negotiates secure channel parameters to create a secure channel with the secure communication engine 486 of workspace server 108.
Thereafter, in step 860, applet 288 acts as the input/output interface with the secure communication engine 396 of global server 106 (enabling the user to make requests of service engine 490). In step 865, if the servlet host engine 386 determines that the request from the user of client 114 is not authenticated, the servlet host engine 386 determines in step 870 whether method 540b has ended, for example whether the user has logged out. If so, method 540b ends. Otherwise, method 540b returns to step 860 to obtain another request. If in step 865 the servlet host engine 386 determines that the request from the user of client 114 is authenticated, the servlet host engine 386 may use servlet 398 to act as a proxy for client 114 to service engine 490. As the proxy, the servlet host engine 386 forwards the service request from applet 288 to service 110a-110d and forwards the response to the applet 288 currently executing the request on client 114. Method 540b then returns to step 870.
Fig. 8C is a flowchart illustrating the details of step 540 in a third embodiment, referred to here as step 540c, in which the requested service 110a-110d resides on global server 106. Step 540c begins in step 880, in which applet 288 retrieves the service address for service 110a-110d; the service address provided to applet 288 is thus that of service 110a-110d on global server 106. Accordingly, in step 882, a connection is established between applet 288 and global server 106. Because client 114 already identified and authenticated itself to global server 106 in step 510 of Fig. 5, no additional identification step is needed.
In step 884, it is determined whether service 110a-110d is currently running. If so, it is determined in step 886 whether service 110a-110d can handle multiple users. If not, global server 106 can create an instance of the service for the user in step 890, and in step 532 applet 288 acts as the input/output interface with service 110a-110d on global server 106. Otherwise, if it is determined in step 886 that service 110a-110d can handle multiple users, method 540c proceeds to step 892. Further, if global server 106 determines in step 884 that service 110a-110d is not currently running, global server 106 starts service 110a-110d in step 888 and proceeds to step 886.
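The three access modes, the per-request check of Fig. 8B and the instance handling of Fig. 8C fit together as below. This is an added example written for this page, not code from the patent or from Visto; the `FirewallPolicy` fields, the `"service:action"` privilege strings, the service names and the sample requests are constructed assumptions, and the access-mode rule is one reading of step 538 (service on global server 106 means local; a host inside corporate network 118 is proxied unless the firewall policy allows direct access). The proxy loop deliberately drops an unauthorized request and waits for the next one rather than forwarding it, which is the behaviour steps 865-870 describe.

```python
"""Constructed model of step 538 and of Figs. 8A-8C: choosing an access mode,
relaying requests through the global server with a per-request authorization
check (Fig. 8B), and attaching a user to a service hosted on the global server
(Fig. 8C). Every name, policy value and sample request is an illustrative
assumption, not the patent's own code."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class AccessMode(Enum):
    DIRECT = "540a"  # Fig. 8A: applet connects straight to the workspace server
    PROXY = "540b"   # Fig. 8B: global server relays requests to the service
    LOCAL = "540c"   # Fig. 8C: the service itself runs on the global server


@dataclass(frozen=True)
class ServiceInfo:
    name: str
    host: str                        # e.g. "108c"; "106" for the global server
    behind_corporate_firewall: bool  # true for hosts inside network 118


@dataclass(frozen=True)
class FirewallPolicy:
    """Constructed stand-in for the policy the firewalls store (step 538)."""
    allow_direct_to_corporate_hosts: bool = False


def select_access_mode(svc: ServiceInfo, policy: FirewallPolicy) -> AccessMode:
    """Step 538: pick the access mode from service location and firewall policy."""
    if svc.host == "106":
        return AccessMode.LOCAL
    if svc.behind_corporate_firewall and not policy.allow_direct_to_corporate_hosts:
        return AccessMode.PROXY
    return AccessMode.DIRECT


@dataclass
class Session:
    """What the global server knows about the client after step 510."""
    user: str
    privileges: frozenset            # entries of the form "service:action"
    logged_out: bool = False


@dataclass(frozen=True)
class Request:
    service: str
    action: str


def authorized(session: Session, req: Request) -> bool:
    """Step 865: execute a request only if the session's privileges cover it."""
    return not session.logged_out and f"{req.service}:{req.action}" in session.privileges


def proxy_loop(session: Session, requests: List[Request],
               service_engine: Callable[[Request], str]) -> List[Tuple[str, str]]:
    """Steps 860-870 of Fig. 8B: relay authorized requests to the service engine,
    refuse the rest without forwarding them, and stop when the user logs out."""
    log: List[Tuple[str, str]] = []
    for req in requests:
        if req.action == "logout":           # step 870: method 540b ends
            session.logged_out = True
            log.append((req.action, "session-ended"))
            break
        if not authorized(session, req):     # step 865 fails: back to step 860
            log.append((req.action, "denied"))
            continue
        log.append((req.action, service_engine(req)))  # proxied to the service
    return log


class LocalServiceHost:
    """Steps 884-892 of Fig. 8C: start the service if it is not running, share it
    when it is multi-user, otherwise give each user a private instance."""

    def __init__(self, multi_user: Dict[str, bool]):
        self.multi_user = multi_user            # service name -> handles many users?
        self.running: Dict[str, bool] = {}
        self.instances: Dict[str, Dict[str, str]] = {}   # service -> user -> instance

    def attach(self, service: str, user: str) -> str:
        if not self.running.get(service, False):         # step 884 -> step 888
            self.running[service] = True
        if self.multi_user[service]:                     # step 886 -> step 892
            return f"{service}:shared"
        per_user = self.instances.setdefault(service, {})
        if user not in per_user:                         # step 890: new instance
            per_user[user] = f"{service}:{user}:{len(per_user) + 1}"
        return per_user[user]


if __name__ == "__main__":
    s = Session("alice", frozenset({"email:read_mail"}))
    reqs = [Request("email", "read_mail"), Request("fax", "send_fax"), Request("email", "logout")]
    print(proxy_loop(s, reqs, lambda r: "ok:" + r.action))
```

The check in `authorized` runs on every request, not once at connection time: in the proxy mode the global server, not the downloaded applet, is the enforcement point, so a modified applet gains nothing by sending requests its session does not cover.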
The foregoing description of the preferred embodiments of the present invention is by way of example only, and other variations and modifications of the above-described embodiments are also provided by the invention. The components of the present invention can be implemented using a programmed general-purpose digital computer, using application-specific integrated circuits, or using a network of interconnected conventional components and circuits. The embodiments described here are for illustration and are not limiting. Many variations and improvements can be made in light of the above teachings. The present invention is limited only by the following claims.

Claims (30)

1. A system comprising:
a communication engine for establishing a communication link with a client;
a security device, coupled to the communication engine, for determining client privileges;
a servlet host engine, coupled to the security device, for providing the client with an applet based on the client privileges, the applet enabling I/O between the client and a secure service; and
a key store for storing keys that enable the client to access the secure service.
2. The system of claim 1, wherein the communication engine uses SSL technology to establish secure communications with the client.
3. The system of claim 1, wherein the communication engine negotiates a cryptographic protocol for exchanging information with the client.
4. The system of claim 1, wherein the communication engine uses public key authentication for exchanging information with the client.
5. The system of claim 1, wherein the security device uses public key certificates to authenticate the client.
6. The system of claim 1, wherein, to determine the client privileges, the security device examines the client's identity and authentication level.
7. The system of claim 1, wherein, to authenticate the client, the security device examines a global certificate.
8. The system of claim 1, wherein the security device uses digital signature technology to authenticate the client.
9. The system of claim 1, wherein the servlet host engine transmits a security applet to the client so that the client can perform a security protocol approved by the security device.
10. The system of claim 1, wherein the service is protected by a common firewall, and the keys are configured to enable communication through the firewall.
11. The system of claim 1, further comprising a global firewall protecting the system.
12. The system of claim 1, further comprising a service address identifying the site of the secure service.
13. The system of claim 1, wherein the applet provides the client with a direct connection to the secure service.
14. The system of claim 1, further comprising a proxy in communication with the secure service, wherein the applet enables I/O between the system and the proxy.
15. A method comprising the steps of:
establishing a communication link with a client;
determining client privileges;
providing the client, based on the client privileges, with an applet that enables I/O with a secure service; and
retrieving a key that enables the client to access the secure service.
16. The method of claim 15, wherein establishing a communication link comprises the step of using SSL technology to establish secure communications with the client.
17. The method of claim 15, wherein establishing a communication link comprises the step of negotiating a cryptographic protocol for exchanging information with the client.
18. The method of claim 15, wherein establishing a communication link comprises the step of using public key certificates for exchanging information with the client.
19. The method of claim 15, wherein determining client privileges comprises the step of authenticating the client using public key certificates.
20. The method of claim 15, wherein determining client privileges comprises the step of examining the client's identity and authentication level in order to determine the client privileges.
21. The method of claim 15, wherein determining client privileges comprises the step of examining a global certificate in order to authenticate the client.
22. The method of claim 15, wherein determining client privileges comprises the step of using digital signature technology to authenticate the client.
23. The method of claim 15, wherein establishing a communication link comprises transmitting a security applet to the client so that the client can perform an approved security protocol.
24. The method of claim 15, further comprising the step of using the key to communicate with the secure service through a firewall.
25. The method of claim 15, wherein the method is performed by a global server, and further comprising protecting the global server with a global firewall.
26. The method of claim 15, further comprising a service address identifying the site of the secure service.
27. The method of claim 15, further comprising the step of providing the client with a direct connection to the secure service.
28. The method of claim 15, further comprising using a proxy in communication with the secure service, wherein the applet enables I/O between the system and the proxy.
29. A system comprising:
means for establishing a communication link with a client;
means for determining client privileges;
means for providing the client, based on the client privileges, with an applet that enables I/O with a secure service; and
means for retrieving a key that enables the client to access the secure service.
30. A computer-readable storage medium storing a program that causes a computer to perform the steps of:
establishing a communication link with a client;
determining client privileges;
providing the client, based on the client privileges, with an applet that enables I/O with a secure service; and
retrieving a key that enables access to the secure service.
CN98814246.5A 1998-08-21 1998-08-21 System and method for enabling secure acess to service in computer network Expired - Lifetime CN1227858C (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US1998/017410 WO2000011832A1 (en) 1998-08-21 1998-08-21 System and method for enabling secure access to services in a computer network

Publications (2)

Publication Number Publication Date
CN1354934A true CN1354934A (en) 2002-06-19
CN1227858C CN1227858C (en) 2005-11-16

Family

ID=22267718

Family Applications (1)

Application Number Title Priority Date Filing Date
CN98814246.5A Expired - Lifetime CN1227858C (en) 1998-08-21 1998-08-21 System and method for enabling secure acess to service in computer network

Country Status (7)

Country Link
EP (1) EP1105996A4 (en)
JP (1) JP2002523973A (en)
CN (1) CN1227858C (en)
CA (1) CA2341213C (en)
EA (1) EA003374B1 (en)
IL (1) IL141530A0 (en)
WO (1) WO2000011832A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104717192A (en) * 2013-12-16 2015-06-17 腾讯科技(深圳)有限公司 Validity verification method and intermediate server

Families Citing this family (55)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6219694B1 (en) 1998-05-29 2001-04-17 Research In Motion Limited System and method for pushing information from a host system to a mobile data communication device having a shared electronic address
US6701438B1 (en) * 1999-06-14 2004-03-02 Sun Microsystems, Inc. Methods and apparatus for providing customizable security and logging protocols in a servlet engine
US8793374B2 (en) 1999-12-02 2014-07-29 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7934251B2 (en) 1999-12-02 2011-04-26 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US9191443B2 (en) 1999-12-02 2015-11-17 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
ATE396577T1 (en) 1999-12-02 2008-06-15 Western Digital Tech Inc SYSTEM FOR REMOTE RECORDING TELEVISION PROGRAMS
US7120692B2 (en) 1999-12-02 2006-10-10 Senvid, Inc. Access and control system for network-enabled devices
US6694336B1 (en) 2000-01-25 2004-02-17 Fusionone, Inc. Data transfer and synchronization system
US6671757B1 (en) 2000-01-26 2003-12-30 Fusionone, Inc. Data transfer and synchronization system
US6631417B1 (en) * 2000-03-29 2003-10-07 Iona Technologies Plc Methods and apparatus for securing access to a computer
JP2001283062A (en) * 2000-04-03 2001-10-12 Cybozu Inc Electric transaction system using groupware
US7814208B2 (en) * 2000-04-11 2010-10-12 Science Applications International Corporation System and method for projecting content beyond firewalls
US6996628B2 (en) 2000-04-12 2006-02-07 Corente, Inc. Methods and systems for managing virtual addresses for virtual networks
US7181542B2 (en) * 2000-04-12 2007-02-20 Corente, Inc. Method and system for managing and configuring virtual private networks
US7028333B2 (en) 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for partners in virtual networks
US7047424B2 (en) 2000-04-12 2006-05-16 Corente, Inc. Methods and systems for hairpins in virtual networks
US7181766B2 (en) 2000-04-12 2007-02-20 Corente, Inc. Methods and system for providing network services using at least one processor interfacing a base network
US6944651B2 (en) 2000-05-19 2005-09-13 Fusionone, Inc. Single click synchronization of data from a public information store to a private information store
EP1158745B1 (en) * 2000-05-26 2003-09-03 International Business Machines Corporation Method and system for secure pervasive access
US6859879B2 (en) 2000-05-26 2005-02-22 International Business Machine Corporation Method and system for secure pervasive access
US6925476B1 (en) 2000-08-17 2005-08-02 Fusionone, Inc. Updating application data including adding first change log to aggreagate change log comprising summary of changes
EP1524815B1 (en) * 2000-08-25 2009-09-23 Research In Motion Limited System and method for implementing an enhanced transport layer security protocol
US7865569B1 (en) 2000-09-26 2011-01-04 Juniper Networks, Inc. Method and system for modifying script portions of requests for remote resources
US7085817B1 (en) 2000-09-26 2006-08-01 Juniper Networks, Inc. Method and system for modifying requests for remote resources
US7136896B1 (en) 2000-09-26 2006-11-14 Juniper Networks, Inc. Dynamic toolbar for markup language document
US7774455B1 (en) 2000-09-26 2010-08-10 Juniper Networks, Inc. Method and system for providing secure access to private networks
JP3297037B2 (en) * 2000-10-31 2002-07-02 サイボウズ株式会社 Information registration support system, information registration support device and method, and information storage medium
CA2725700C (en) 2000-12-22 2015-11-24 Research In Motion Limited Wireless router system and method
US7533409B2 (en) 2001-03-22 2009-05-12 Corente, Inc. Methods and systems for firewalling virtual private networks
EP1249981A1 (en) * 2001-04-02 2002-10-16 NuMeme Limited A security service system and method
CA2410118C (en) 2001-10-26 2007-12-18 Research In Motion Limited System and method for controlling configuration settings for mobile communication devices and services
US9332058B2 (en) 2001-11-01 2016-05-03 Benhov Gmbh, Llc Local agent for remote file access system
US7146403B2 (en) 2001-11-02 2006-12-05 Juniper Networks, Inc. Dual authentication of a requestor using a mail server and an authentication server
WO2003041360A2 (en) 2001-11-02 2003-05-15 Neoteris, Inc. Method and system for providing secure access to resources on private networks
EP1777912B1 (en) * 2001-11-02 2018-08-15 Juniper Networks, Inc. Method and system for providing secure access to resources on private networks
US7631084B2 (en) 2001-11-02 2009-12-08 Juniper Networks, Inc. Method and system for providing secure access to private networks with client redirection
CA2462448C (en) * 2001-11-20 2010-04-27 Senvid, Inc. Access and control system for network-enabled devices
ATE339053T1 (en) 2001-12-07 2006-09-15 Research In Motion Ltd METHOD AND DEVICE FOR CONTROLLING INFORMATION DISTRIBUTION TO MOBILE STATIONS
US7395354B2 (en) 2002-02-21 2008-07-01 Corente, Inc. Methods and systems for resolving addressing conflicts based on tunnel information
WO2003105010A1 (en) 2002-06-06 2003-12-18 Neoteris, Inc. Method and system for providing secure access to private networks
CA2496672A1 (en) * 2002-08-19 2004-02-26 Axalto Sa Secured method to exchange data between a browser and a web site
US8473355B2 (en) 2002-12-06 2013-06-25 Facebook, Inc. System and method for electronic wallet conversion
WO2005010715A2 (en) 2003-07-21 2005-02-03 Fusionone, Inc. Device message management system
CN1298194C (en) * 2004-03-22 2007-01-31 西安电子科技大学 Radio LAN security access method based on roaming key exchange authentication protocal
US9542076B1 (en) 2004-05-12 2017-01-10 Synchronoss Technologies, Inc. System for and method of updating a personal profile
US7814216B2 (en) * 2004-09-07 2010-10-12 Route 1 Inc. System and method for accessing host computer via remote computer
EP2565797B1 (en) 2005-04-18 2019-10-23 BlackBerry Limited Method For Providing Wireless Application Privilege Management
US7748046B2 (en) 2005-04-29 2010-06-29 Microsoft Corporation Security claim transformation with intermediate claims
US8135798B2 (en) 2006-11-15 2012-03-13 Hewlett-Packard Development Company, L.P. Over-the-air device services and management
US7603435B2 (en) 2006-11-15 2009-10-13 Palm, Inc. Over-the-air device kill pill and lock
US20080115152A1 (en) 2006-11-15 2008-05-15 Bharat Welingkar Server-controlled heartbeats
MX2009010490A (en) * 2007-03-29 2010-02-09 Christopher Murphy Methods and systems for internet security via virtual software.
US8179872B2 (en) 2007-05-09 2012-05-15 Research In Motion Limited Wireless router system and method
CA2637179A1 (en) * 2008-07-30 2010-01-30 John H. Dunstan A device and system to enable and operate the selection, sales and distribution of lottery tickets and other tickets processes
US8943428B2 (en) 2010-11-01 2015-01-27 Synchronoss Technologies, Inc. System for and method of field mapping

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5644354A (en) * 1992-10-09 1997-07-01 Prevue Interactive, Inc. Interactive video system
US5586260A (en) * 1993-02-12 1996-12-17 Digital Equipment Corporation Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
US5826039A (en) * 1995-12-29 1998-10-20 Lucent Technologies Inc. Universal connection point for resources and communication unrelated to a physical endpoint
CA2202118A1 (en) * 1996-04-29 1997-10-29 Mitel Corporation Protected persistent storage access for mobile applications
AU733109B2 (en) * 1997-03-10 2001-05-10 Internet Dynamics, Inc. Methods and apparatus for controlling access to information
US5987523A (en) * 1997-06-04 1999-11-16 International Business Machines Corporation Applet redirection for controlled access to non-orginating hosts
US5870544A (en) * 1997-10-20 1999-02-09 International Business Machines Corporation Method and apparatus for creating a secure connection between a java applet and a web server

Also Published As

Publication number Publication date
WO2000011832A1 (en) 2000-03-02
CA2341213A1 (en) 2000-03-02
CN1227858C (en) 2005-11-16
EA200100257A1 (en) 2001-12-24
EA003374B1 (en) 2003-04-24
CA2341213C (en) 2009-05-26
EP1105996A4 (en) 2005-08-17
EP1105996A1 (en) 2001-06-13
JP2002523973A (en) 2002-07-30
IL141530A0 (en) 2002-03-10

Similar Documents

Publication Publication Date Title
CN1227858C (en) System and method for enabling secure acess to service in computer network
US7287271B1 (en) System and method for enabling secure access to services in a computer network
US6766454B1 (en) System and method for using an authentication applet to identify and authenticate a user in a computer network
US7627896B2 (en) Security system providing methodology for cooperative enforcement of security policies during SSL sessions
US7360244B2 (en) Method for authenticating a user access request
US9521118B2 (en) Secure network privacy system
US6742127B2 (en) Method and apparatus for maintaining security in a push server
US8615795B2 (en) Secure network privacy system
US8312064B1 (en) Method and apparatus for securing documents using a position dependent file system
CN101331731B (en) Method, apparatus and program products for custom authentication of a principal in a federation by an identity provider
EP1701510B1 (en) Secure remote access to non-public private web servers
US20030023880A1 (en) Multi-domain authorization and authentication
US20030131263A1 (en) Methods and systems for firewalling virtual private networks
US20050076082A1 (en) Method and system for managing the exchange of files attached to electronic mails
JP2005538434A (en) Method and system for user-based authentication in a federated environment
JP2009514050A (en) System and method for authenticating a client in a client-server environment
WO2005060202A1 (en) Method and system for analysing and filtering https traffic in corporate networks
US6782418B1 (en) Method and apparatus for secure data file uploading
US7421576B1 (en) Interception and modification of network authentication packets with the purpose of allowing alternative authentication modes
Gritzalis et al. Addressing threats and security issues in World Wide Web technology
Vacca Internet Technologies
Van Jaarsveld Internal Control with Specific Reference to the Intranet
WO2005033947A1 (en) Digital content data protection control system

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: GOOD TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: VISTO CORPORATION

CP01 Change in the name or title of a patent holder

Address after: American California

Patentee after: Goodall Technologies Co.

Address before: American California

Patentee before: Visto Corp.

CP02 Change in the address of a patent holder

Address after: American Delaware

Patentee after: Goodall Technologies Co.

Address before: American California

Patentee before: Goodall Technologies Co.

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20170120

Address after: Voight, Canada

Patentee after: Good Technology Holdings Ltd.

Address before: American Delaware

Patentee before: Goodall Technologies Co.

TR01 Transfer of patent right

Effective date of registration: 20180119

Address after: Voight, Ontario, Canada

Patentee after: BlackBerry Ltd.

Address before: Voight, Canada

Patentee before: Good Technology Holdings Ltd.

CX01 Expiry of patent term

Granted publication date: 20051116