EP2409455A2 - Method of generating a proxy certificate - Google Patents
Method of generating a proxy certificate
Info
- Publication number
- EP2409455A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- certificate
- proxy certificate
- user
- proxy
- digest
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3265—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/76—Proxy, i.e. using intermediary entity to perform cryptographic operations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
Definitions
- The present invention relates to a method for generating a proxy certificate to a web portal from a user certificate residing in a computer with a web browser.
- A personal computer (PC) is widely used in a company or by a person. In some cases, confidential data is stored in the PC. To prevent such secret data from being accessed by an unauthorized user, techniques of preventing information stored in a PC from being leaked have been developed.
- One known technique for this function is to identify a user on the basis of a password input by the user or on the basis of biotic information of the user.
- A public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through a registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes in public key certificates issued by the CA cannot be duplicated.
- PKI applications and services remotely and automatically send public key information to other sources on behalf of the users. For example, a job running on some remote web portal is required to be able to communicate with other web portals to transfer information or files, and therefore proof of user identity is required. This method is not secure, because the system may send users' information to other sources without notifying the user.
- A method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate comprises the steps of inserting a smart card into a card reader, establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP, generating a proxy certificate, displaying a web browser request for a validation period in hour(s), inputting user validation period required for the proxy certificate, sending the user validation period in hour(s) to the web portal, generating a new public and private key pair, storing the key pair in the web portal, retrieving the user certificate from Secure Sockets Layer (SSL)/Transport Layer Security (TLS) session, extracting user information from the user certificate, combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate, calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate, generating a hypertext markup language (HTML) page
- Figure 1 is a diagram to show a chain of trust to proxy certificates.
- Figure 2 is a diagram to show a chain of trust to numbers of proxy certificates.
- Figure 3 is a diagram to show a complete sequence diagram of issuing a proxy certificate.
- The present invention relates to a method for generating a proxy certificate.
- This specification will describe the present invention according to the preferred embodiments of the present invention. However, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications and equivalents without departing from the scope of the appended claims.
- The present invention consists of several hardware components that include a server equipped with one or more processors to process data, one or more network cards for networking a system, a plurality of port interfaces to connect external devices and one or more hard drives to store the operating system and data.
- A user will have a separate system to act as an access terminal, which is equipped with a card reader.
- The present invention further consists of several components that include a web portal, a web server, a web application, a browser extension program, a module library and an electronic card.
- The web portal is a centralized web application running on the web server, which has access to various applications within the same enterprise to share information across applications.
- The web portal serves various users with different roles who access applications and prefer to have a single access point to all of them over the internet.
- The web browser is software that runs on the user's computer. Users interact with the web browser to display web information such as text, video, audio and other web activity. Most web browsers are compatible with the present invention (e.g. Microsoft Internet Explorer and Mozilla Firefox).
- The web application is a Common Gateway Interface (CGI) program activated by a web server or other server running on an operating system. Its function is to extract user certificate information, create the proxy certificate, construct an HTML file that contains an embedded tag to activate the browser extension program that is executed on the user's computer, and generate the private and public key pair.
- The browser extension program is software programmed to activate the browser to carry out proxy certificate creation based on the parameters in the browser embedded tag, and to interface to the module library that obtains the user private key from the user's electronic card. It is appreciated by a person skilled in the art that the present invention can also be applied to situations where the user's private key is stored in the web browser, the smart card or any other storage medium.
- The module library is a cryptographic token interface known as PKCS#11 and CSP. The CSP module library can be loaded into Microsoft Internet Explorer, while the PKCS#11 module library serves the same purpose for the Mozilla Firefox browser.
- These cryptographic token interface libraries allow the web browsers and the browser extension software program to interact with cryptographic tokens to perform RSA private key related operations that involve the use of the smart card or virtual memory storage.
- The electronic card is a cryptographic smart card that is capable of performing RSA private key operations using a stored private key. The smart card can also be replaced by virtual memory storage to perform a similar private key operation.
- The web portal will create a temporary new public-private key pair, and the created public key will be digitally signed by the user's own private key.
- The proxy private key is used for certificate based authentication with another server.
- The proxy private key and the proxy certificate (containing the proxy public key) are at the web portal.
- The proxy certificate and private key are used to perform certificate based authentication to other servers from the web portal. This is because in some situations, or by design, the user is unable to connect to the server directly; rather, the connection is routed via the web portal. So you have a web portal sitting in between the user computer and another server.
- The server asks for certificate based authentication from the web portal, but the web portal does not have the user's private key.
- The solution is to create a proxy certificate and proxy private key at the web portal.
- The proxy private key and the proxy certificate are used to authenticate to the other server on behalf of the user certificate and the user's private key.
- The proxy certificate subject information contains the following fields, as shown:
- C = MY
- CN = ABCProxyCert
- The new proxy certificate is signed by the user's private key, rather than by a Certification Authority (CA). This establishes a chain of trust from the CA to the proxy certificate through the user.
- A chain of trust certificate is used to prove the trust of the proxy certificate.
- The proxy certificate has a short activation lifespan, typically 12 hours.
- In the event the security of a proxy certificate is compromised, the proxy private key must be treated with care.
- Anyone who steals the proxy private key can perform any activity while pretending to be the authorized user.
- The action taken must be immediate: discontinue the use of the stolen proxy certificate.
- The proxy certificate has a lifetime of only a few hours (the maximum validity period allowed depends on the policy), so the potential damage is limited.
- The following proxy certificate issuing process explains the methods and descriptions of the present invention by way of an example.
- A user inserts a smart card into a smart card reader.
- The user starts the web browser and activates CSP for Microsoft Internet Explorer or PKCS#11 for Mozilla Firefox to perform an HTTPS SSL mutual authentication with the web portal running an Apache web server or other servers. The web server verifies the user certificate to ensure that only an authorized user can log in to the web portal. A successfully authenticated user can proceed to the next phase, which begins the proxy certificate issuing process.
- The first web page displayed requests the user to enter the proxy certificate validation period (in hours).
- Submitting the validation period sends an HTTPS POST command to the web server and activates the relevant CGI application.
- The CGI application initiates the public-private key pair generation, extracts the user certificate information and constructs an unsigned proxy certificate.
- Upon successful key pair generation, the CGI application then stores the key pair in a storage device. Immediately after the public-private key pair generation completes, the CGI application constructs a partial X.509 format proxy certificate that complies with the requirements of IETF RFC 3820 for the proxy certificate format.
- The web browser receives the HTML page with the embedded tag containing the proxy certificate digest.
- The browser extension program that has been configured to associate with the browser is activated.
- The browser extension program receives the proxy certificate digest. This digest is sent to the smart card via the PKCS#11 (Mozilla Firefox) or CSP (Microsoft Internet Explorer) interface to be signed using the user private key in the smart card.
- A certificate digest, or hash value, is calculated from the partial X.509 format proxy certificate, and the CGI application embeds the proxy certificate digest in the hypertext markup language (HTML) page.
- The signed proxy certificate is then sent back to the web browser through the web portal, which completes the proxy certificate issuance process.
- The private key in the smart card or in any other storage medium signs the certificate digest.
- The signed proxy certificate digest is returned to the browser extension program.
- The signed proxy certificate digest is then sent to the CGI application through the PKCS#11 or CSP interface (depending on whether the web browser is Internet Explorer or Mozilla Firefox), the browser extension program, the web browser and the web portal.
- The web browser extension program initiates the web browser to send a POST command to deliver the signed proxy certificate digest to the web portal via secure Hypertext Transfer Protocol (HTTPS).
- This POST command and its payload of the signed proxy certificate digest are received by the CGI program running at the web portal.
- The CGI application now constructs a signed proxy certificate.
- The CGI application can read the user certificate from the TLS/SSL digital certificate mutual authentication process, and then extract the necessary information from the user certificate which will become the issuance proxy certificate or an End Entity Certificate (EEC).
- The partial X.509 proxy certificate is constructed based on the information above and also includes the user validation period (in hours) and the newly generated public key. Below is the algorithm used to illustrate an example of the embedded tags for Microsoft Internet Explorer and Mozilla Firefox.
- The concluding phase is when the CGI application combines the signed proxy certificate digest with the partial X.509 format proxy certificate to form a complete proxy certificate.
- VALUE https://webportal.mimos.my/cgi-bin/cgisignedcert.cgi">
- The parameter mDIGEST, included in the embedded tag for both browsers, holds the value of the proxy certificate digest calculated from the partial X.509 format proxy certificate.
- The parameter mURL is the target uniform resource locator (URL) to which the activated browser extension program sends the POST command request, so that the web portal executes the CGI application.
- mTARGET is the target HTML frame name to display the result.
- Maintaining proxy certificate authentication is possible on entire communication channels to all computing nodes. Maintaining a proxy certificate also requires no user ID or passphrase (password) to maintain the connection, and reduces maintenance cost for a utility computing service.
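The issuing sequence described above can be exercised end to end with Go's standard library. This is an added example, not code from the patent: `cardSigner`, `mint`, `issueProxy`, `demo` and the 12-hour `maxHours` ceiling are names and values assumed for illustration, the user certificate is a constructed self-signed stand-in for a CA-issued one, and the RFC 3820 ProxyCertInfo extension is omitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// cardSigner stands in for the smart card behind PKCS#11/CSP: it receives only
// a digest and returns a signature, so the user key never reaches the portal.
type cardSigner struct {
	key    *rsa.PrivateKey
	digest []byte // last digest submitted for signing
}

func (c *cardSigner) Public() crypto.PublicKey { return c.key.Public() }
func (c *cardSigner) Sign(r io.Reader, digest []byte, o crypto.SignerOpts) ([]byte, error) {
	c.digest = append([]byte(nil), digest...)
	return rsa.SignPKCS1v15(r, c.key, o.HashFunc(), digest)
}

// mint makes a key pair and its certificate. parent == nil gives a self-signed
// certificate; otherwise signer signs the digest of the unsigned certificate.
func mint(name pkix.Name, life time.Duration, parent *x509.Certificate, signer crypto.Signer) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: name, NotBefore: now,
		NotAfter: now.Add(life), KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueProxy is the portal side: enforce the hour limit server-side, then build
// the proxy certificate (subject as printed on the page) and have the card sign.
func issueProxy(user *x509.Certificate, card crypto.Signer, hours int) (*x509.Certificate, *rsa.PrivateKey, error) {
	const maxHours = 12 // assumed policy ceiling; the page calls 12 hours typical
	if hours < 1 || hours > maxHours {
		return nil, nil, fmt.Errorf("validity of %d h outside 1..%d h", hours, maxHours)
	}
	name := pkix.Name{Country: []string{"MY"}, CommonName: "ABCProxyCert"}
	return mint(name, time.Duration(hours)*time.Hour, user, card)
}

// demo runs the exchange and returns what a relying party can check.
func demo(hours int) (digestOK, sigOK, caCheckRejects bool, life time.Duration, err error) {
	user, userKey, err := mint(pkix.Name{Country: []string{"MY"}, CommonName: "ABC"}, 720*time.Hour, nil, nil)
	if err != nil {
		return
	}
	card := &cardSigner{key: userKey}
	proxy, _, err := issueProxy(user, card, hours)
	if err != nil {
		return
	}
	sum := sha256.Sum256(proxy.RawTBSCertificate)
	digestOK = string(sum[:]) == string(card.digest) // card saw only the certificate digest
	sigOK = user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature) == nil
	caCheckRejects = proxy.CheckSignatureFrom(user) != nil // issuer is not a CA
	return digestOK, sigOK, caCheckRejects, proxy.NotAfter.Sub(proxy.NotBefore), nil
}

func main() { fmt.Println(demo(2)) }
```

The proxy signature verifies under the user certificate's public key, but an ordinary CA path check (`CheckSignatureFrom`) rejects it because the issuer is an end-entity certificate, so the servers that accept proxy certificates need RFC 3820-aware validation.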
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| MYPI20091055 MY150173A (en) | 2009-03-16 | 2009-03-16 | Method of generating a proxy certificate |
| PCT/MY2010/000028 WO2010107298A2 (en) | 2009-03-16 | 2010-03-04 | Method of generating a proxy certificate |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| EP2409455A2 (de) | 2012-01-25 |
Family
ID=42740157
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| EP10753743A Withdrawn EP2409455A2 (de) | 2009-03-16 | 2010-03-04 | Method of generating a proxy certificate |
Country Status (3)
| Country | Link |
|---|---|
| EP (1) | EP2409455A2 (de) |
| MY (1) | MY150173A (de) |
| WO (1) | WO2010107298A2 (de) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11538063B2 (en) | 2018-09-12 | 2022-12-27 | Samsung Electronics Co., Ltd. | Online fraud prevention and detection based on distributed system |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9055056B2 (en) | 2013-08-14 | 2015-06-09 | Red Hat, Inc. | Managing digital content entitlements |
| US10033720B2 (en) * | 2014-05-28 | 2018-07-24 | Futurewei Technologies, Inc. | Method and system for creating a certificate to authenticate a user identity |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7496755B2 (en) * | 2003-07-01 | 2009-02-24 | International Business Machines Corporation | Method and system for a single-sign-on operation providing grid access and network access |
| US7467303B2 (en) * | 2004-03-25 | 2008-12-16 | International Business Machines Corporation | Grid mutual authorization through proxy certificate generation |
| US8214635B2 (en) * | 2006-11-28 | 2012-07-03 | Cisco Technology, Inc. | Transparent proxy of encrypted sessions |
2009
- 2009-03-16: MY, application MYPI20091055, patent MY150173A (en), status unknown
2010
- 2010-03-04: EP, application EP10753743A, patent EP2409455A2 (de), not active, withdrawn
- 2010-03-04: WO, application PCT/MY2010/000028, patent WO2010107298A2 (en), not active, ceased
Non-Patent Citations (1)
| Title |
|---|
| See references of WO2010107298A3 * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2010107298A3 (en) | 2010-12-02 |
| MY150173A (en) | 2013-12-13 |
| WO2010107298A2 (en) | 2010-09-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3424176B1 (de) | Systems and methods for distributed data use with asynchronous third-party attestation | |
| JP7083892B2 (ja) | Mobile authentication interoperability for digital certificates | |
| US8924714B2 (en) | Authentication with an untrusted root | |
| US8438383B2 (en) | User authentication system | |
| US10362019B2 (en) | Managing security credentials | |
| US20170171183A1 (en) | Authentication of access request of a device and protecting confidential information | |
| US9767262B1 (en) | Managing security credentials | |
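| EP2251810A1 (de) | Authentication information generation system, authentication information generation method, and authentication information generation program using a client device and this method | |
| CN114666168B (zh) | Decentralized identity credential verification method and apparatus, and electronic device | |
| CN102823217A (zh) | Certificate authority | |
| CN109981287A (zh) | Code signing method and storage medium thereof | |
| JP6465426B1 (ja) | Electronic signature system, certificate issuing system, key management system, and electronic certificate issuing method | |
| JP7351873B2 (ja) | Information processing device, information processing method, and information processing program | |
| CN115134144B (zh) | Enterprise-level business system authentication method, apparatus, and system | |
| Diebold et al. | Self-sovereign identity using smart contracts on the ethereum blockchain | |
| EP2530868A1 (de) | Method for generating anonymous, routable, unlinkable identification tokens | |
| EP2409455A2 (de) | Method of generating a proxy certificate | |
| CN107787576A (zh) | Security system for industrial control systems | |
| CN112235276B (zh) | Master-slave device interaction method, apparatus, system, electronic device, and computer medium | |
| TWI698113B (zh) | Authentication method and system for electronic devices | |
| JP2005157845A (ja) | Server system, client-server system, and method for logging in to a client-server system | |
| CN102739398A (zh) | Method and apparatus for online banking identity authentication | |
| CN114003892B (zh) | Trusted authentication method, security authentication device, and user terminal | |
| KR100406525B1 (ko) | Apparatus and method for requesting/processing certificate issuance in a wireless public key infrastructure, and certificate issuance system using the same | |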
| Sánchez García et al. | University authentication system based on java card and digital X. 509 certificate |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| | 17P | Request for examination filed | Effective date: 20111014 |
| | AK | Designated contracting states | Kind code of ref document: A2. Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR |
| | DAX | Request for extension of the european patent (deleted) | |
| | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| | 18D | Application deemed to be withdrawn | Effective date: 20161001 |