EA003374B1 - System and method for enabling secure access to services in a computer network - Google Patents

Abstract

1. A system comprising: a communications engine for establishing a communications link with a client; security means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and a keysafe for storing a key which enables access to the secured service. 2. The system of claim 1, wherein the communications engine uses SSL technology to create a secure communications link with the client. 3. The system of claim 1, wherein communications engine negotiates an encryption protocol for transferring messages to and from the client. 4. The system of claim 1, wherein the communications engine uses public key certificates for transferring messages to and from the client. 5. The system of claim 1, wherein the security means uses public key certificates to authenticate the client. 6. The system of claim 1, wherein the security means examines client identity and the level of authentication to determine client privileges. 7. The system of claim 1, wherein the security means examines a global certificate to authenticate the client. 8. The system of claim 1, wherein the security means uses digital signature technology to authenticate the client. 9. The system of claim 1, wherein the servlet host engine forwards to the client a security applet for enabling the client to perform a security protocol recognized by the security means. 10. The system of claim 1, wherein the service is secured by a corporate firewall and the key is configured to enable communication through the firewall. 11. The system of claim 1, further comprising a global firewall for protecting the system. 12. The system of claim 1, further comprising a service address for identifying the location of the secured service. 13. The system of claim 1, wherein the applet provides to the client a direct connection with the secured service. 14. The system of claim 1, further comprising a proxy in communication with the secured service, and wherein the applet enables I/O with the proxy. 15. A method comprising the steps of: establishing a communications link with a client; determining client privileges; providing to the client, based on the client privileges, an applet which enables I/O with a secured service ; and retrieving a key which enables access to the secured service. 16. The method of claim 15, wherein establishing a communications link includes the step of using SSL technology to create a secure communications link with the client. 17. The method of claim 15, wherein establishing a communications link includes the step of negotiating an encryption protocol for transferring messages to and from the client. 18. The method of claim 15, wherein establishing a communications link includes the step of using public key certificates for transferring messages to and from the client. 19. The method of claim 15, wherein determining client privileges includes the step of using public key certificates to authenticate the client. 20. The method of claim 15, wherein determining client privileges includes the step of examining client identity and the level of authentication to determine client privileges. 21. The method of claim 15, wherein determining client privileges includes the step of examining a global certificate to authenticate the client. 22. The method of claim 15, wherein determining client privileges includes the step of using digital signature technology to authenticate the client. 23. The method of claim 15, wherein establishing a communications link includes forwarding to the client a security applet for enabling the client to perform a recognized security protocol. 24. The method of claim 15, further comprising the step of using the key to communicate through a firewall to the secured service. 25. The method of claim 15, wherein the method is performed by a global server and further comprising using a global firewall to protect the global server. 26. The method of claim 15, further comprising using a service address to identify the location of the secured service. 27. The method of claim 15, wherein providing includes the step of providing to the client a direct connection with the secured service. 28. The method of claim 15, further comprising using a proxy in communication with the secured service, and wherein providing includes enabling I/O with the proxy. 29. A system comprising: means for establishing a communications link with a client; means for determining client privileges; means for providing to the client, based on the client privileges, an applet which enables I/O with a secured service; and means for retrieving a key which enables access to the secured service. 30. A computer-based storage medium storing a program for causing a computer to perform the steps of: establishing a communications link with a client; determining client privileges; providing to the client, based on the client privileges, an applet which enables I/O with a secured service ; and retrieving a key which enables access to the secured service.

Description

The invention relates to computer networks and, more specifically, to a system and method for providing secure access to services in a computer network.

The level of technology

At an early stage of development, the Internet represented a search-oriented environment where users and host computers were interested in the free and open exchange of information and where users and host computers trusted each other mutually. However, the Internet has expanded significantly and currently connects about 100,000 computer networks and several million users. Due to the large size and openness of the Internet, it has become commonplace to steal data, replace data and cause other harm.

Virtually everyone on the Internet is vulnerable. Before establishing a connection, companies compare the benefits of providing an Internet connection with the risks of security breaches. Modern security technologies help to ensure client and server authentication, data confidentiality, system security control and system access control.

The most common modern security technology is the firewall (access protection system), which includes an intermediate system located between the trust network and the Internet. A firewall is an external security perimeter to prevent unauthorized communication between the trust network and the Internet. A firewall can include browsing routers, proxy servers (mediation modules or server mediators), and application level gateways.

In order for users to access secured services in the trust network via the Internet, they may be required to provide their details to the firewall using certain techniques, such as entering a password, or by calculating a call response using a hardware key (authentication device). With proper authentication, the user is allowed to go through the firewall to the local network, but in a typical case, the user's capabilities are limited to a predetermined group of services, for example, e-mail, receiving files using the PTP protocol (Rbe TgapkGeg Pro1eoo1 - file transfer protocol), etc.

Some local area administrators, directly in front of the firewall on the outside, install a server to store non-confidential data, often called a “sacrificial sheep”, which is easily accessible to a remote user but provides a low degree of security.

Between the two firewalls that protect the trust network, there is a “demilitarized zone” (ΌΜΖ, Oe-ScApcheb 2oie). An external firewall protects servers located in zone ΌΜΖ from an external threat, while at the same time making it possible to make requests using the HTTP protocol (NuregTech! Target Header Proto1 - hypertext transfer protocol). The internal firewall protects the trust network in case one of the servers in zone ΌΜΖ is in danger. Many companies use the ΌΜΖ zones to maintain the functioning of their \ uye-servers.

Another security technology used to protect computer networks is the issuance and use of public key certificates. Certificates of public keys are issued to the person by the certificate provider, who, using a certain method, certifies the details of the person and issues a certificate indicating the name of the person and the public key. To prove the authenticity, the certificate provider shall electronically sign the person’s certificate using the certificate provider’s private key.

Thus, when a user connects to a server through a client computer, the client computer and the server exchange public key certificates. Each party verifies the authenticity of the received certificates using the public key of the certificate provider to verify the signature on the certificate. Then, by encrypting messages using a public server key, a user can securely transfer data to the server, and by encrypting messages using a public user key, the server can securely transmit data to the user. Although a public key certificate can be presented by any person, only the real user and the real host computer have the corresponding private key necessary to decrypt the message. Examples of computer security systems with key distribution and authentication are the Kegögök ™ security system, developed by the Massachusetts Institute of Technology, and Security System No. 18Р ™, developed by ΙΒΜ Sogrogaboi.

These security technologies do not solve the problems associated with a roaming (roaming) user. For a roaming user, maintaining identification and authentication information, such as passwords, certificates, keys, etc., is a burdensome process. In addition, access to different systems requires different keys, which are often difficult to track and use. Moreover, direct access to systems puts security at risk. Therefore, there is a need for a system and method for providing remote access to computer services in an easy and secure manner.

Summary of Invention

In accordance with the invention, a system and method for providing secure access to services in a computer network is proposed. The network system includes a global server connected via computer network with computer services. The global server includes a communication subsystem designed to establish a communication link with a client; security tool associated with the communication subsystem designed to determine the rights of the client; the main servlet management subsystem associated with a security tool designed to provide the client, based on client rights, with an applet that makes it possible to exchange data (Ι / Ο ίηριιΐ / οιιΐριιΐ) with a secure service; and a key library for storing keys that make it possible to access secure services. A global server can be associated with a variety of sites, where each site provides multiple services. Each site can be protected by a firewall. Accordingly, the global server stores the keys to provide communication through the firewalls with these services.

The method includes the steps of establishing a communication line with a client; customer identification and authentication; determining client rights; providing the client, on the basis of the rights of the client, an applet that makes it possible to exchange data with a secure service; and retrieving a key that makes it possible to access a secure service.

The advantage of the system and method of the present invention is to provide a globally accessible third party trust, i.e. global server. This trust third party stores keys securely and works as a single identification and authentication service. Access to other systems can be done through a global server. The global server uses the stored keys to authenticate the user under credentials that are perceived by existing security services of other systems, and establishes a secure communication channel with the required service. Thanks to the global firewall, the global server is essentially protected from external threats. Accordingly, the global server provides authorized clients with secure communications through firewalls with services. A global server can provide identification and authentication services at multiple levels. Accordingly, the global server can provide several levels of access to resources, based on the status of the user, the degree of identification and authentication, and the confidentiality of the communication channel.

Thanks to the global firewall and the identity and authentication services provided by the global server, corporations can store relatively secret information on the global server for use by authorized clients. Also, the present invention allows corporations to place on the global server only a part of their secret information, as a result of which, if the third-party trust system is in danger, only this limited amount of information will be lost. In addition, the advantage of the global server is that it acts as a client mediation module designed to control access to services, register key usage and register access to resources.

List of drawings

FIG. 1 is a block diagram illustrating a network access system with roaming users according to the present invention;

FIG. 2 is a diagram illustrating the detailed structure of the exemplary client shown in FIG. one;

FIG. 3 is a diagram illustrating the detailed structure of the global server shown in FIG. one;

FIG. 4 is a diagram illustrating the detailed structure of an exemplary service representing server represented in FIG. one;

FIG. 5 is a flowchart illustrating a method for remote access to a secure service;

FIG. 6 is a block diagram illustrating the detailed structure shown in FIG. 5 stages of creating a communication line between the client and the global server shown in FIG. one;

FIG. 7 is an example of an AsL page;

FIG. 8a is a block diagram illustrating the detailed structure shown in FIG. 5 stages of access to the service in the first embodiment of the invention;

FIG. 8b is a block diagram illustrating the detailed structure shown in FIG. 5 stages of access to the service according to the second embodiment of the invention; and FIG. 8c is a block diagram illustrating the detailed structure shown in FIG.

stages of access to the service according to the third embodiment of the invention.

Detailed Description of the Preferred Embodiment of the Invention

FIG. 1 is a block diagram illustrating an exemplary roaming user network access system 100 according to the present invention. The system 100 includes a network of interconnected computers, referred to herein as the “Internet” 102. In addition, the system 100 includes a first company network 112, a second company network 118, a kiosk network 138 and an Internet provider network 143 (“8” - 1n1gsgps1 8etu1se Retout) however, each of the networks is connected to the Internet 102.

The company network 112 includes a firewall 116 installed between the Internet 102 and the client computer 114a. The company's network 118 includes a firewall 120 installed between the Internet 102 and the internal network signal transmission backbone 126. The company network 118 further includes a first server 108a for providing the first service 110a, a second server 108b for providing the second service 110b, a first client computer 114b storing a program for providing the third service 110c and a second client computer 114c, while each of the computers is connected to the signal transmission highway 126. Approximate services 110a110y contain an e-mail service program, an address book service program, a diary service program, a paging service program, and a company database service program.

The kiosk network 138 includes the first client computer 114th and the second client computer 114e, each of which is connected to the Internet 102. The ISP network 143 includes the ISP 148 connected via the wireless channel 146 to the first client computer 114G and the associated via modems 152 and 156 and wired line 154 with a second client computer 114d.

The Internet 102 includes a global server 106, which is protected by global firewall 104, as well as a server 108c designed to provide a 110th service. The mutual exchange of data between client computers 114a-114d and services 110a-110y takes place via the global server 106. For example, if a user using any of the client computers 114a-114d wants to access service 110a-110y (which is located in an unknown user location within the system 100), then to access the \ AU-page. supported by the global server 106, the user uses the well-known IPF address (IshGogt Vekoitse Bososa - universal resource locator). An exemplary ^ eb page 700 is shown in FIG. 7 and described using this figure. The global firewall 104 protects the global server 106 from external threats.

Before obtaining access rights to the functionality provided by the global server 106, the user must first obtain permission from the global server 106. Obtaining permission typically requires identification and authentication of the user, for example, using public key certificates. Having established authenticity, the global server 105 provides the user with access to services 110a-110y. It is obvious that, depending on the different degrees of identification and authentication, as well as depending on the confidentiality of the communication channel, different levels of access to services 110a-110 will be allowed.

To provide the user with access to and control of services 110a-110y, global server 106 may use conventional applets, servlets, or agents in a distributed network environment, such as the 1ААА distributed environment created by IeSare Sotratoyop. The global server 106 provides access to and management of the 110a-110y service by the user's computer. The global server 106 can redirect the user's client computer to directly access the 110a-110y service of the client computer itself, the global server 106 itself can access the 110a-110y service and provide data exchange to the client computer using the mediator module, or the global server 106 can provide service 110a-110y itself. These three different access modes for services 110a1o are described using FIG. 8A - 8C.

The global server 106 stores the network addresses of all services 110a-110f of the public and private user keys, user account numbers, firewall authentication information, etc. The authentication information of the firewall includes the necessary identification, passwords and certificates required to pass through the firewalls 116 and 120. Accordingly, the user only needs to store the VI address of the global server 106 and identification and authentication information such as a password or hardware key needed to accessing the functionality of the global server 106. Thus, a roaming user can access computer services 110a-110f using any A computer terminal that is connected to the Internet 102.

FIG. 2 is a diagram illustrating the detailed structure of the client computer 114, with each of the clients 114a-114y being a particular case of the client 114. The client 114 includes a central processing unit (CPU) 210, for example, a mono-processor microprocessor or a microprocessor p1e1 Repyit®. The input device 220, for example, a keyboard and a mouse, and an output device 230, for example, a monitor with a CRT (CRT), are connected to the CPU 210 via a signal transmission bus 240. In addition, a communication interface 250, a data storage device 260, such as a ROM (read-only memory) or a magnetic disk, and a RAM (random access memory) 270 are connected to the CPU 210 via the signal transmission bus 240. The communication interface 250 of the client computer 114 is connected to Internet 102, as shown in FIG. 1 and described with reference to it.

Operating system 280 includes a program for controlling the processing performed by CPU 210, typically stored in storage device 260 and loaded into RAM 270 for execution. Operating system 280 includes a communications subsystem 282 for creating and forwarding message packets to the Internet 106 and receiving message packets from the Internet 106 through the communication interface 250.

In addition, the operating system 280 contains a subsystem for the Internet, such as the ^ eB browser 284, for example, the ^ eB browser No. 1 ΝανφαΙΟΓ ™. created by Yisare Sogrog1ίοη, or 1p1gpe1 Expr1grg ™, created by the Moscow Sogrogabop. ^ eB browser 284 contains an encryption subsystem 285 designed to encrypt messages using public and private keys, and an applet management subsystem 286 designed to run applets 288 downloaded from the global server 106 to allow access to computer services 110a-1106. Loaded applets 288 may include security applets 290 for implementing services such as user authentication and authentication, message integrity services, and certificate validation. In addition, the browser 284 receives (see FIG. 3) the data 391 ^ of the eB page, the configuration data 390, and information identifying the group of selectable services 110a-1106, and uses this information to display the \ UE page 700 (see FIG. 7). The ^ eB browser 284 allows the user, through the client 114a-114d, to select one of the services 110a-1106 for execution.

It is obvious that each of the clients 114a-114d, for example, the client 114b, may include a service execution subsystem 490 (see FIG. 4) designed to provide services 110a-1106, for example, the service 110c. Thus, a user using client 114b may request access to service 110c via global server 106 without knowing that service 110c is provided by client 114b. Accordingly, the global server 106 will provide the client 114 with an applet 288 that allows the user interface to communicate with the service 110c directly through the client 114b.

FIG. 3 is a schematic diagram illustrating the detailed structure of the global server 106, which includes the CPU 310, for example, the Mogilea Ro'Geg PC® microprocessor or the 1p1R1 Replicate microprocessor. An input device 320, such as a keyboard and a mouse, and an output device 330, such as a CRT monitor, are connected to the CPU 310 via a signal transmission bus 340. In addition, the communication interface 350, a storage device 360, such as a ROM or a magnetic disk, and RAM 370 are connected to the CPU 310 via the signal transmission bus 340. The communication interface 350 is connected in the usual way as part of the Internet 102 to the clients 114. Although the global server 106 is shown as one computer, it is obvious that the global server 106 may include multiple computers networked together.

The operating system 380 includes a program for managing the processing performed by the CPU 310, typically stored in the storage device 360 and loaded into the RAM 370 for execution. Operating system 380 includes a communications subsystem 382 for creating and forwarding message packets to client computers 114 and receiving packets from client computers 114 via the communications interface 350.

In addition, operating system 380 contains, as part of a global firewall 104, security services 384, designed to open a communication channel with users. For example, when a client attempts to access a global server 106, security services 384 first determine whether global server 106 is accepting intra-system data transfer from a specific port (not shown) and whether the main servlet control subsystem 386, described below, is authorized to connect to that particular by the port. If these conditions are met, security services 384 allow communication support subsystem 382 to open a communication channel through a specific port with client 114a-114d. Otherwise, the channel will not be opened.

The operating system 380 further comprises a ^ eb-mechanism 387, which, based on user identification, user authentication and confidentiality of the communication channel, sends to client 114a-114d data 391 \ hair pages and information identifying the group of available services 110a-1106. An example of page 700 is shown in FIG. 7 and described with reference to this figure. ^ eB-subsystem 387 allows the user to select service 110a-1106 on the webpage 700.

^ eB-subsystem 387 includes the main servlet management subsystem 386, which loads security applets 290, including the authentication applet (not shown), into the client computer 114 and performs the authentication servlet 397, included in the servlets 398 and designed to implement identification and authentication services. The authentication applet 290 queries the user for identification and authentication information and then reports this information to the authentication servlet 397. Authentication servlet 397 validates this information. It should be noted that user authentication information is not necessarily forwarded to the authentication servlet 397, and its existence and validity are confirmed through security measures such as cryptographic data hashing. The main servlet management subsystem 386 furthermore includes a secure communication subsystem 396 that can use public key certificates to negotiate a secure communication channel with the client computer 114.

When selecting a service 110a-1106, the main servlet management subsystem 386 loads the corresponding applet 388, the corresponding configuration data 390 and the corresponding user data 392, and, if necessary, the information 394 about the address of the corresponding service into the client computer 114. The configuration data 390 includes information intended for configuring the AEB browser 284 of the user, the configuration of the loaded applets 288, and the configuration of the selected service 110a-1106. User data 392 may include specific information regarding user interaction with the service, for example, saved bookmarks, diary data, pager numbers, etc., that are specifically stored on the global server 106 for easy access. The service address information 394 indicates the location of the services 110a-1106 provided in the system 100 by the global server 106. The client computer 114 executes the corresponding loaded applet 288, which through the main servlet control subsystem 386 (possibly using the corresponding servlet 398) allows the user to access relevant services 110a-1106 and manage them. Downloadable applets 388, configuration data 390, user data 392, and service address information 394 may be stored in the storage device 360.

The key library 395 is a data file for storing information on the identification of each user, public and private keys of each user, password information for each firewall, etc. The key library 395 is organized in a pointer list format, so that, based on the selected service 110a-1106, the global server 106 can retrieve password information for the corresponding firewall, identification information and keys for the corresponding user. The key library 395 may be stored in the storage device 360.

FIG. 4 is a diagram illustrating the detailed structure of the service server 108, wherein the servers 108a-108c and client 114b are particular cases of the server 108. The server 108 includes the CPU 410, for example, a MoneRoRo \ PC® microprocessor or an I11 Repyish microprocessor. The input device 420, for example, a keyboard and a mouse, and an output device 430, for example, a CRT monitor, are connected to the CPU 410 via a signal transmission bus 440. In addition, a communications interface 450, a data storage device 460, such as a ROM or a magnetic disk, and a RAM 470 are connected to the CPU 410 via a signal transmission bus 440. The communication interface 450 is connected to clients 114, as shown in FIG. 1 and described with reference to this figure.

Operating system 480 includes a program for controlling the processing performed by CPU 410 and is typically stored in storage device 460 and loaded into RAM 470 for execution. Operating system 480 also includes a communications subsystem 482 for creating and forwarding message packets to client computers 114 or global server 106 and receiving packets from client computers 114 or global server 106 via a communications interface 450. In addition, operating system 480 includes security services 484 for negotiating a secure channel with users, secure communication subsystem 486 for opening a secure channel with users, and a service run subsystem 490 for providing service 110a-1106 to users.

The service execution subsystem 490 includes a service interface 492 for receiving messages from downloaded applets 288 and sending messages to downloaded applets 288, which are currently being executed by the client 114, and also includes a service handler 494 and service data 496 for processing related services requests from the user. Service data 496 may include previously created documents, database information, etc. It is obvious that service data 496 is similar to user data 392, so they include the same type of information, but they are maintained on the service server 108, and not on the global server 108.

FIG. 5 is a flow chart illustrating a method 500 allowing a user to access services 110a-1106 in computer network system 100. Method 500 is initiated by client 114 in step 505 of creating a communication link with global server 106. Step 505 is described in more detail with reference to FIG.

6. The global server 106 at step 510 confirms that the user has access rights to the functionality of the global server 106. Confirming user access rights may include verifying a user's certificate, obtaining a secret password, using electronic signature technology, etc. Obviously, security services 384 may instruct the main servlet management subsystem 386 to send a security applet 389 to the client 114 through a communications channel to authenticate the user.

After the user's access rights are confirmed, the subsystem 387 Web pages of the global server 106 at step 515 loads the data 391 Web pages and configuration data 390 to the client 114. At step 520, the client browser 114 284 uses the page data 391 and configuration data 390 The page 700 (FIG. 7) on the client output device 230 230 and providing access to the services 110a-1106 that are offered by the global server 106. The example of the page 700 is shown in FIG. 7 and described with reference to this figure.

Of the options listed on the Web page 700, at step 525, the user selects service 110a-1106 using input device 220. In response to this, the main servlet management subsystem 386 of the global server 106 loads the corresponding applet (s) 388, applet configuration data 390, user data 392 and, if necessary, information 394 about the service address to the client 114 at step 530, preferably include user-specific preferences, such as user-preferred fonts for configuring the selected service 110a-1106. User data 392 may include information regarding the interaction of a particular user and a particular service, for example, saved bookmarks, diary data, pager numbers, etc. The service address information 394 indicates the location of the selected service 110a-1106. Otherwise, the corresponding applet (s) 388, applet configuration data 390, user data 392, and service address information 394 could be loaded at step 515 along with the data

391 pages and 390 configuration data.

The applet control subsystem 286 of the client 114 executes the corresponding loaded applet 288 at step 535. The service server 108 at step 537 starts the service execution subsystem 490. The global server 106 at step 538 selects one of the three access modes shown in FIG. 8A - 8C and making it possible to exchange information from the client computer 114 with the corresponding service execution subsystem 490. For example, if a user selects a service 1106 located on server 108c, which is not protected by a separate firewall, global server 106 may provide the user with direct access. If the user selects the service 110a provided by the server 108a within the company's network 118, the global server 106 may contact the service 110a as a user representative. It is obvious that each firewall 106 and 120 can store a set of rules that establish the appropriate access mode that the global server 106 should choose. Other selection criteria for the access mode may include user preferences, accessibility, and feasibility. At step 540, the global server 106 provides the user using the client 114 with access to the selected service 110a-1106. Step 540 is described in more detail with reference to FIG. 8A, 8B and 8C.

FIG. 6 is a block diagram illustrating the detailed structure of step 505, which is initiated by the user using the client 114, indicating, at step 605, a known ϋΚΕ-address for accessing the global server 106. The global server 106 and the client 114 create a secure communication channel between themselves at step 607 if necessary, applying the safety technology of 88b (8esite 8 skeleton, level of protection of the sockets). That is, the security server services 385 of the global server 106 determine at step 610 whether intra-system secure communications are enabled and, if so, create a communication channel with the client 114. At step 615, the browser 284 of the client 114 and the security services 384 of the global server 106 negotiate the parameters secure communication channel, if necessary, using certificates of public keys. An example of a secure communication channel is a channel using P8A technology (Rb'ezG 811AtAb6e1tap) EaAa 8eSigyu 1ps., Encrypted with KC4 (K.op'5 Sob 4 - encryption algorithm with a variable-size key developed by Ronest (Kop Rare) P8A Ea1a Sesyyu 1ps.). It is obvious that the configuration of the global server 106 can be carried out in such a way that it uses one of the ten encryption protocols, and the client 114 can be given the opportunity to use one of the five encryption protocols. Therefore, step 615 may include selecting one of the encryption protocols that are common to the global server 106 and the client 114. At step 620, the client encryption subsystem 285 of the client 114 and the global server 106 secure communications subsystem 396 use the secure channel parameters to create a secure channel communication. After this, the implementation of the method 505 ends.

FIG. 7 shows an example of the \ ue-page 700, available at the iK-address and created using the NTM language (Nure-Tech! Magkir bpdiade - hypertext markup language), which is supported by the main servlet control subsystem 386. ^ an eB page 700 contains the header 710 "\ yeah page". a list of 715 services provided and an index 770 for selecting one of 715 services provided. As shown in the figure, 715 services provided may include an e-mail service 720, a diary service 730, an Internet access service 740, a paging service 750, and a fax sending service 760 . Although they are not shown, other services may be included in ^ eb-page 700, for example, bookmarking for network resources, the OshekSagb ™ service, etc.

FIG. 8A is a block diagram illustrating the detailed structure of step 540 of the first embodiment of the invention, designated step 540a, where the global server 106 provides the client 114 with a direct connection to the service 110a-1106. Step 540a begins with retrieving the downloaded applet 288 in step 805 of the address 394 of the selected service 110a-1106 from the storage device 360 and authentication information for the service 110a-1106 from the key library 395. The communication support subsystem 282 at step 810 creates a direct and secure connection to the communication support subsystem 482 of the server 108 of the service located at the extracted service address and uses the authentication information for its own authentication. At step 815, the applet 288 operates as an input / output interface for exchanging data with the service execution subsystem. After this, step 540a ends.

FIG. 8B is a block diagram illustrating the detailed structure of step 540 of the second embodiment of the invention, denoted as step 540b, where the global server 106 operates as an intermediary module of the client 114 for accessing the service 110a-1106. Step 540b begins with applet 288 retrieving the “service” address at step 840, and then sending this address to the global server 106. Thus, at step 845, the applet creates a connection to the global server 106. At step 850, the main servlet control subsystem 386 of the global server 106 retrieves The address of the selected service is 110a-1106 and the authentication information for the selected service 110a-1106 from the 395 key library. At step 855, the secure communication subsystem 396 of the global server 106 negotiates the secure channel parameters to establish a secure channel with the secure communication subsystem 486 of the server 108 of the service.

Thereafter, at step 860, the applet 288 operates as an input / output interface (allows the user to make requests to the service execution subsystem 490) to communicate with the global server 106 secure communications subsystem 396. If the main servlet control subsystem 386 determines at it is not authorized to execute a user request using the client 114, then at step 870, the main servlet control subsystem 386 determines whether method 540b has ended, for example, whether the user has ended the session. If so, method 540b ends. Otherwise, control in method 540b is passed back to step 860 to receive the next request. If the main servlet management subsystem 386 determines that it is authorized to execute a user request using the client 114, then the main servlet management subsystem 386, using servlets 398, if necessary, works with the service execution subsystem 490 as an intermediary client module 114. the modular mediator, the main servlet management subsystem 386, sends a service execution request 110a to the service 110a-1106 instead of the applet 288 and sends the responses to the requesting applet currently being executed by the client 114. Then control in method 540b is transmitted back to step 870.

FIG. 8C is a block diagram illustrating the detailed structure of step 540 of a third embodiment of the invention, denoted as step 540c, where the requested service 110a-1106 is located on the global server 106. Step 540c begins by retrieving the address 110a-1106 with the applet 288 at step 880, which results in providing service 288 with the address 110a-1106 on the global server 106. Thus, at step 882, the applet 288 creates a secure connection to the global server 106. The additional step of identification and authentication is not required I, because client 114 has already identified and authenticated itself to the global server 106 at step 510 shown in FIG. five.

At step 884, it is determined whether the service 110a-1106 is currently functioning. If so, then at step 886 it is determined whether the service 110a-1106 can work with multiple users. If not, the global server 106 at step 890 creates a separate session for the user, and at step 892, the applet 288 works as an input / output interface for data exchange with the service 110a-1106 located on the global server 106. Otherwise, if the service 110- 1106 at step 886 determines that it cannot work with multiple users, then method 540a continues from step 892. Further, if at step 884 the global server 106 determines that service 110a-1106 is not functioning at the moment, then at step 888 global server 106 starts service 110a-1106 proceeds to step 886.

The preceding description of the preferred embodiments of the present invention is given only as an example, the present invention also covers various modifications of the above-described embodiments. The constituent elements in the objects of the present invention can be implemented using a general-purpose computer running programs using problem-oriented integrated circuits or using a network of interconnected conventional components and circuits. The embodiments described herein are presented for the purpose of illustration and are not intended to be exhaustive or restrictive. Within the above description, various changes and modifications are contemplated.

Claims (30)

CLAIM 1. A system that contains a communication subsystem designed to establish a communication line with a client, a security tool associated with a communication subsystem designed to determine client rights, the main servlet management subsystem associated with a security tool and designed to be provided to the client based from the rights of the client, an applet that provides the ability to exchange data with a secure service, and a key library designed to store the key second allows access to a secure service. 2. The system according to claim 1, in which the communication support subsystem uses 88b technology to create a secure communication line with the client. 3. The system according to claim 1, in which the communication support subsystem negotiates an encryption protocol for sending messages to the client and receiving messages from the client. 4. The system of claim 1, wherein the communications subsystem uses public key certificates to send messages to the client and receive messages from the client. 5. The system of claim 1, wherein the security tool uses public key certificates to authenticate the client. 6. The system according to claim 1, in which the security tool checks the details of the client and the level of authentication to determine the rights of the client. 7. The system of claim 1, wherein the security tool verifies the global certificate to authenticate the client. 8. The system of claim 1, wherein the security tool uses electronic signature technology to authenticate the client. 9. The system of claim 1, wherein the main servlet management subsystem sends the security applet to the client to establish a security protocol recognized by the security tool by the client. 10. The system according to claim 1, in which the security of the service is provided by a corporate firewall (access protection system), and the key is configured to allow communication through the firewall. 11. The system according to claim 1, which further comprises a global firewall designed to protect the system. 12. The system according to claim 1, which further comprises a service address intended to identify the location of a secure service. 13. The system according to claim 1, in which the applet provides the client with a direct connection to a secure service. 14. The system according to claim 1, which further comprises an intermediary module on a communication line with a secure service, the applet providing the ability to exchange data with the intermediary module. 15. A method comprising the steps of establishing a communication line with a client, determining the rights of the client, providing the client, based on the rights of the client, an applet that provides the ability to exchange data with a secure service, and retrieves a key that provides access to a secure service. 16. The method of claim 15, wherein the step of establishing the communication line includes the step of using 88b technology to create a secure communication line with the client. 17. The method according to clause 15, in which the step of establishing a communication line includes the step of negotiating an encryption protocol for sending messages to the client and receiving messages from the client. 18. The method according to clause 15, in which the step of establishing a communication line includes the step of using certificates of public keys to send messages to the client and receive messages from the client. 19. The method according to clause 15, in which the step of determining the rights of the client includes the step of using certificates of public keys to establish the authenticity of the client. 20. The method according to clause 15, in which the step of determining the rights of the client includes the step of checking the details of the client and the level of authentication in order to determine the rights of the client. 21. The method according to clause 15, in which the step of determining the rights of the client includes the step of verifying the global certificate to establish the authenticity of the client. 22. The method according to clause 15, in which the step of determining the rights of the client includes the step of using electronic signature technology to establish the authenticity of the client. 23. The method of claim 15, wherein the step of establishing the communication line includes sending a security applet to the client to establish a recognizable encryption protocol by the client. 24. The method according to clause 15, which further comprises the step of using a key to communicate with a secure service through a firewall. 25. The method according to clause 15, which is carried out by the global server and further comprises the step of using the global firewall to protect the global server. FIG. one 26. The method according to clause 15, which further comprises the step of using the service address to identify the location of the secure service. 27. The method according to clause 15, in which the step of providing the applet includes the step of providing the client with a direct connection to a secure service. 28. The method according to clause 15, which further comprises the step of using the intermediary module when communicating with a secure service, the step of providing an applet includes the step of enabling data exchange with the intermediary module. 29. A system comprising means for establishing a communication line with a client, means for determining client rights, means for providing a client based on client rights, an applet that enables data exchange with a secure service, and means for extracting a key that makes access possible to a safe service. 30. A computer-based storage medium that stores a program that causes the computer to complete the steps of establishing a communication line with the client, determining the rights of the client, providing the client based on the rights of the client, an applet that makes it possible to exchange data with a secure service, and extracting a key that makes access to a secure service possible.