WO2009066978A2 - Method and system for generating a proxy digital certificate to a grid portal in distributed computing infrastructure by data transfer across a public network - Google Patents

Method and system for generating a proxy digital certificate to a grid portal in distributed computing infrastructure by data transfer across a public network Download PDF

Info

Publication number
WO2009066978A2
WO2009066978A2 PCT/MY2008/000115 MY2008000115W WO2009066978A2 WO 2009066978 A2 WO2009066978 A2 WO 2009066978A2 MY 2008000115 W MY2008000115 W MY 2008000115W WO 2009066978 A2 WO2009066978 A2 WO 2009066978A2
Authority
WO
WIPO (PCT)
Prior art keywords
key
web browser
web server
digital certificate
web
Prior art date
Application number
PCT/MY2008/000115
Other languages
French (fr)
Other versions
WO2009066978A3 (en
WO2009066978A9 (en
Inventor
Hau Keong Wong
Galoh Rashidah Haron
Fui Bee Tan
Chong Seak Sea
Kang Siong Ng
Azhar Bin Abu Talib
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Publication of WO2009066978A2 publication Critical patent/WO2009066978A2/en
Publication of WO2009066978A3 publication Critical patent/WO2009066978A3/en
Publication of WO2009066978A9 publication Critical patent/WO2009066978A9/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • This invention concerns a method and a system for the issuance of a proxy digital certificate to a grid portal in distributed computing infrastructure through data transfer across a public network. More specifically, the invention concerns a method and a system for proxy digital 10 certificate issuance from an end entity certificate to a grid portal of a distributed or grid computing infrastructure via a web browser, where the proxy digital certificate resides in a web server and the issuance of the proxy digital certificate may be applied on any web based application through a public network such as the Internet.
  • grid computing In the quest of building computers with more computation power, distributed computing or grid computing has gained in popularity over recent years.
  • a primary advantage of grid computing is that each node within the grid computing infrastructure can be purchased as a commodity hardware unit. When the commodity hardware units are ' combined . in this manner, grid 20 computing can achieve similar computing performance comparable to a many-central processing unit (CPU) supercomputer, and at a lower financial cost. .
  • CPU central processing unit
  • proxy digital certificate that conforms to IETF RFC 3820 can be used by GSI for job delegation and single sign-on to multiple computing nodes.
  • GTK 1 grid portal By providing a web interface to GTK 1 grid portal allows an end user to interact with computing grids using a common and mature user interface technology. Due to the fact that grid portal acts as the man-in-the-middle between GTK and the end user using a web browser, the proxy certificate issuance capability provided by GTK is not usable in the situation that involves wsb browser.
  • FIG. 1 shows one conventional system 200 that allows the user to create proxy credential in the form of private key and proxy certificate using a dedicated client program.
  • the user can access the user's credential with standard web browser using a userlD and passphrase.
  • the user can also instruct the client 202 through grid portal 48 to generate proxy-proxy certificate based on the proxy certificate residing in the server 204.
  • step 1 the user 12 interacts with server 204 through client 202 software.
  • UserlD and passphrase are required for the user 12 to gain access to server 204, and the user can instruct the client 202 running on the user's computer to initiate a PrOXy 1 certificate creation using the user's certificate which resides in the same user's computer 12.
  • the proxy., certificate acts on behalf of the user so that the user certificate is not required all of the time.
  • step 2 the user can access grid portal 48 using a standard web browser 42.
  • the user can request client to issue proxy 2 certificate based on the proxy, certificate created in server in step 1.
  • the preconditions for this operation to be successful are that the proxy i certificate created in step 1 is not expired; and to access the server, useriD and passphrase "are provided by the user.
  • step 3 the server responds to the request from Grid Porta! to create proxy 2 certificate (level 1)
  • the proxy 2 certificate is used by the grid porta) via GTK to establish digital certificate based mutual authentication to GTK computing grids.
  • a limitation is that the secondary path is required for the user to create proxy certificate on the server, such that the user needs to use the dedicated client to establish connection to the server.
  • This secondary path exposes the system to a potential breach of the system and opens up for potential unauthorized exploitation.
  • authentication is limited to userlD and passphrase.
  • the weakest link in the entire system coincides with the part of the system that is opened to public and invites attacks from potentially large number of internet users.
  • anyone who manages to get hold of the right combination of UserlD and passphrase can impersonate the legitimate user to access the computing grids.
  • a method of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol comprises a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web " browser.
  • the public network is the Internet.
  • the protocol is hyper text transfer protocol.
  • the web browser obtains the user key from a smart card.
  • the web server generates the key pair using an RSA asymmetric algorithm.
  • the web server generates the i key pair using an ECC asymmetric algorithm.
  • the web server sends the public key and additional information to the web browser across the public network using the protocol.
  • the web browser generates the proxy digital certificate by signing the public key and the additional information received from the web server using the user key.
  • the web browser calculates a hash value using the user key and signs the public key received from the web server using the hash value.
  • the proxy digital certificate is in X.509 format.
  • the proxy digital certificate includes a name and an e-mail address of a user that uses the web browser.
  • the proxy digital certificate includes a validity period for the proxy digital certificate.
  • a system of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol comprises a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public neiwork using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
  • a computer program compres program instructions for causing a computer to generate a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, comprising a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the " protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
  • FIG. 1 illustrates a conventional method for proxy certificate issuance
  • FlG. 2 shows a block diagram of a system architecture in accordance with an embodiment of the Invention
  • FIG. 3 shows a simplified block diagram of FIG. 2 of the system architecture in accordance with an embodiment of the invention
  • FIG. 4 illustrates a chain of trust from a certification authority (CA) within the system architecture in accordance with an embodiment of the invention
  • FIG. 5 shows a sequence diagram of a process in accordance with an embodiment of the invention.
  • CA certification authority
  • FIG. 1 A method and system for of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol.
  • An embodiment of the invention is shown in FIG. 1 of a system architecture diagram of a system 10.
  • FIGS. 1-5 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the present invention may be implemented.
  • the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer.
  • program modules include routines, programs, characters, components, data structures, to perform particular tasks or implement particular abstract data types.
  • the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable user electronics, network PCs, minicomputers, mainframe computers, and the like.
  • the invention may be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote memory storage devices.
  • the system as shown in FIG. 2 in accordance with an embodiment comprises a person or user at a user workstation 12 holding a private key and a corresponding digital certificate that are connected to a web browser 42 with a browser plug-in module or browser extension program 54 to issue a proxy digital certificate to a web server 22 via hyper text transfer protocol (HTTP).
  • HTTP hyper text transfer protocol
  • a smartcard 52 and smart card reader 60 is connected via user workstation
  • the hash value of the proxy certificate is signed by the private
  • the user work station 12 may comprise a memory 14, processor 16 and an interface 18 for interfacing with a public network
  • the proxy " certificate can be implemented and created, for example, at-the single-sign-on server or protocol server such that the server can login to multiple - subsequent servers using the proxy certificate. In this configuration, the user only needs to login to the single-sign-on server.
  • An input device 34 and display 32 is provided for a user to interface with the user workstation for inputting and displaying data.
  • a web server 22 may comprise a web server memory 24, processor 26 and interface 28 for interfacing and communicating and transfer of data with the public network 20.
  • the web server 22 may also comprise a key module 36 for generating keys and a key store 38 for storing the key information.
  • the web server is arranged to allow digital certificate in web browser to issue proxy digital certificate.
  • database 44 may also be in a location remote to the web server 22 for storage of key data 46.
  • a grid portal 48 for access to GTK computing grids 50 of a distributed computing or grid computing environment is accessible via the public network 20.
  • FIG 3. shows a simplified block diagram of the system of FIG. 2 in accordance with an embodiment of the invention that allows a proxy digital certificate to be issued by a user certificate via a standard web browser to a grid portal.
  • the steps involved include in step 1 , the user 12 logins to grid portal 48 hosting on a standard web or HTTP server 22 using a standard web browser 42, such as Firefox, via a strong digital certificate, such as for example transport layer security (TLS)/ secure socket layer (SSL) (TLS/SSL) digital certificate based mutual authentication.
  • PrOXy 1 certificate is issued 60 by the user certificate through a web extension program 54 and the web extension program's corresponding CGI program 50 running on the grid portal 48.
  • the grid portal 48 can utilize the newly generated proxyi certificate to engage globus toolkit (GTK) based computing grids using digital certificate based mutual authentication with GTK client 50 running on the grid portal 48.
  • GTK globus toolkit
  • Globus security infrastructure is the portion of the GTK that provides the fundamental security services needed to support grid computing.
  • the primary motivations behind GSI are that the need for secure communication (authenticated and perhaps confidential) between elements of a computing grid; the need to support security across organizational boundaries, thus prohibiting a centrally-managed security system; and the need to support "single sign-on" for users of the Grid, " including delegation of credentials for computations that involve multiple resources and/or sites.
  • PKI Public Key Infrastructure
  • Digital certificate contains a globally unique name known as Distinguish Name (DN)
  • DN Distinguish Name
  • Authentication within the GSI is a matter of proving that the user is the entity identified by the DN coded in the digital certificate.
  • Digital certificates are signed by a trusted Certification Authority's (CA) private key. The integrity and origin of the digital certificate can be verified using the Certification Authority's (CA) public key extracted from CA's digital certificate, called root certificate.
  • CA Certification Authority's
  • Transport Layer Security TLS
  • SSL Secure Socket Layer
  • a proxy consists of a new CA root certificate 152 (proxy certificate with a public key) and a corresponding private key 160. The key pair that is used for the proxy is regenerated for each proxy created.
  • the new certificate 154 contains the user's identity with additional information to indicate that it is a proxy.
  • the new certificate is signed by the user's private key 162, rather than a certification authority (CA) as depicted in FIG. 4Error! Reference source not found..
  • the proxy certificate 156 contains a validity period specified by the user for a limited time to act as proxy.
  • the proxy's private key 156 must be kept secure, but because the proxy isn't valid for very long, it does not have to be kept quite as secure as the owner's private key.
  • the user 12 or the system can use the proxy certificate 156 and private key 164 for digital certificate based mutual authentication. When proxies are used, the mutual authentication process differs slightly.
  • the remote party receives not only the proxy's certificate (signed by the user's private key), but also the user's certificate 154.
  • the user's public key obtained from her certificate is used to validate the signature on the proxy certificate.
  • the CA's public key is then used to validate the signature on the owner's certificate, This establishes a chain of trust from the CA to the proxy through the user.
  • Multiple level of proxy certificate 158 can be created, i.e. a proxy certificate can issue a proxy-proxy certificate by using proxy certificate's 156 private key 164 to sign the proxy-proxy certificate public key.
  • a user 12 initiates a web browser 42 in the user workstation 12 to send (102) a request issuance to a grid portal 48 that may be hosted on a web server 22 via the public network 20 via, for example hyper text transfer protocol (HTTP).
  • HTTP hyper text transfer protocol
  • one configuration is that browser plug-in or browser extension program 54 and web browser 42 ⁇ may be collapsed into a single client, while web server CGI program 50 of grid portal 48 may be collapsed into the server component in the client-server environment.
  • the CGI program 50 may run on the grid portal 48.
  • the CGI program 50 may be activated via common gateway
  • CGI 'interface
  • the grid porta! is a portal for computing grids running on a web server that acts as a hyper text transfer protocol (HTTP) server.
  • HTTP hyper text transfer protocol
  • the grid portal provides a web interface for user to interact with computing grids.
  • the web browser 42 may be an HTTP browser that runs on the user computer 12 and interacts with a web server 22.
  • Such web browsers that may be implemented are browsers such as Microsoft Internet Explorer, Mozilla Firefox, and a number of other browsers available commercially or freely obtained open sourced.
  • the browser extension program 54 may be initiated by the web browser to carry out proxy certificate creation based on the parameters in the embedded tag and interfaces to PKCS#11 or CSP library that links with private key storage devices.
  • CSP provides interface for Microsoft Internet Explorer while PKCS#11 integrates with Mozilla Firefox.
  • PKCS#11 (RSA Laboratorise, "PKCS#11: Cryptographic Token Interface Standard", June 2004), is a cryptographic token interface library that can be loaded into Mozilla Firefox while CSP serves the same purpose for Microsoft internet Explorer.
  • These cryptographic token interface libraries allow the browsers and browser extension programs to interact with cryptographic tokens to perform RSA private key related operations that involved the use of smart card or virtual memory storage.
  • the smart card 52 may be a cryptographic smart card that is capable of performing RSA private key operations using the stored private key. Malaysian national identity card, MyKad, is capable of performing such operation and therefore can also be used for the purpose stated in this paper.
  • the smart card can also be replaced by virtual memory storage of private key with the necessary cryptographic functions to
  • the grid portal on the web server initiates a software program to request (104) and generate (106) a key pair.
  • the generation of a key pair comprises generation of a private and public key (108),
  • the key pair may be an asymmetric algorithm key-pair, such as for example RSA, error correcting code (ECC), and the like algorithms.
  • RSA and ECC asymmetric algorithms for key- pair specify the mathematical conditions where an arbitrary two numbers may be considered as a pair of interrelated numbers called key-pair.
  • the computer carries out the following operations in key-pair generation process, for example, two random numbers are generated, and mathematical test or tests are run and conducted based on the selected asymmetric algorithm, such as for example RSA and ECC, on the two random numbers
  • the key pair is generated by CGI program 50 and transmitted (108) to grid portal 48 for storage (110) the key pair in a proper location for future retrieval by other software 48,50 (112),
  • the task of program such as C ⁇ I program 50 is to generate a key pair
  • the task of program grid portal 48 is to store the key pair in computer memory storage 46,38, etc.
  • the storage of the key pair for example may be in key data 46 of database 44 or key store 38 of web server.
  • the programs A 1 B (such as grid portal 48, CGI program 50, or other such programs) transmit (108) the public key to the web server 22.
  • the web server 22 sends or transmits (110) the public key of the generated key pair and all necessary information for proxy certificate generation back to the web browser 42 via the public network 20 via HTTP.
  • the web browser 42 activates (112) a web browser plug-in module 54 or software to calculate (114) hash value to generate a proxy digital certificate by signing the received public key and information from web server using the private key that belongs to the user, for example, within a smart card 52.
  • the calculated hash value is sent (114) from the browser plug-in 54 to the smart card 52 and the private key signs (116) hash value, and the signed hash value is sent (118,120) from the smart card 52 to the browser plug-in 52.
  • the web browser plug-in software initiates the web browser to construct (122) partial proxy digital certificate in a format such as X.509 format.
  • the proxy certificate is constructed (134) after the complete process (124,126,128,130,132) to send hash to be signed.
  • the proxy is then constructed (134) at browser extension program 54 of web browser (42), and sends (136,138) the proxy digital certificate to grid portal 48 of web server 22 via the public network 20 in HTTP for example.
  • the web server initiates (140) another software program such as CGI program 50 to store (142) proxy digital certificate in a proper location for future retrieval by another software such as CGI program 50, grid portal 48 and the like.
  • another software such as CGI program 50, grid portal 48 and the like.
  • the proxy digital certificate contains information about the user, for example name and e-mail address, the validity period of the proxy certificate, and other information about issuance of the proxy certificate.
  • the proxy certificate may be coded, for example in X.509 format.
  • the user initiates the web browser to submit HTTP GET request to grid portal running on web server to activate the relevant CGI program that later initiates public-private key pair generation.
  • the CGl program Upon successful key pair generation, the CGl program
  • HTML file An example of the embedded tag included in the HTML file is as follows:
  • mKEY "AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxa.. " ⁇ /EMBED>
  • One parameter called mKEY is included in the embedded tag.
  • the based64 format encoded data that tails the mKEY is the public key generated by the CGl program. For example, when the web browser receives the HTML file with embedded tag containing the public key, the appropriate browser extension program that has been configured to associate with x-mgt application is activated.
  • the browser extension program is pre-installed on the computer running the web browser and has been configured to associate itself with x-mgt application.
  • the first task executed by the browser extension program is to construct a partial X.509 proxy certificate that also complies with the requirement of IETF RFC 3820 Tuechke et a!., "Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile", IETF, RFC 3820, June 2004 (http://www.ietf.org/rfc/rfc3820.txt), for proxy certificate format.
  • the browser extension program reads the user certificate from the smart card via PKCS#11 or CSP and extracts the necessary information from the user certificate which will become the issuance certificate or end entity certificate (EEC).
  • EEC end entity certificate
  • the public key is extracted from the variable field mKEY from the embedded tag.
  • the partial X.509 proxy certificate is constructed based on the above mentioned information. Certificate-digest or hash value is calculated from the partial X.509 format proxy certificate. This hash value is sent to the smart card via PKCS#11 or CSP interface to be signed using the private key in the smart card. The signed hash value is returned to the browser extension program and is combined with the partial proxy certificate to form a complete proxy certificate.
  • the final task of the browser extension program is to initiate the web browser to send a POST command to deliver the proxy certificate to the Grid Portal via hyper text transfer protocol (HTTP).
  • HTTP hyper text transfer protocol
  • This POST command and its payload of proxy certificate are received by the CGI program running at the grid portal to store it to the appropriate location for proxy certificate storage. This concludes the entire proxy certificate issuance process.
  • the proxy certificate and its corresponding private key will be used by GTK client to initiate digital certificate based mutual authentication with other GTK computing nodes.
  • partial X.509 proxy certificate can be done at the CGI program instead of at the browser extension program.
  • the CGI program In order to ensure compliance that the subject name of the proxy certificate must be the same as the subject name of the issuer or user certificate as per the requirement of IETF RFC 3820, the CGI program must have the capability to access the user certificate for the purpose of extracting the subject name from the user certificate.
  • the user certificate is at the smart card and can be accessed by the browser extension program running at the user computer via PKCS#11 or CSP as per the solution mentioned above.
  • the user certificate As the user certificate has been transmitted to the web browser via TLS/SSL digital certificate mutual authentication process, the user certificate can be accessed by the CG! program from the grid portal on web server SSL session variable. This situation makes it possible for the CG! program to generate the partial X.509 proxy certificate and subsequently the hash value.
  • the information exchange between the CGI program and the browser extension program is as described.
  • the hash value can be sent to the browser extension -program using the same mechanism of putting the parameter in the embedded tag.
  • the signed hash value is returned to the CGi program using the similar mechanism as the above mentioned method. Hash value and signed hash value are being exchanged instead of public key and a complete proxy certificate.
  • the CGl program Upon receipt of the signed hash value, the CGl program constructs the complete proxy certificate at the machine running the grid portal.
  • This solution Variant achieves the same goal of direct proxy certificate issuance via web browser. It will be appreciated that other configurations may be envisaged without departing from the scope of the invention, for example, components of the system may be collapsed into client- server environment as discussed.
  • the devices and subsystems of the exemplary methods and systems described with respect to the figures may communicate, for example, over a communication network, and may include any suitable servers, workstations, personal computers (PCs), laptop computers, handheld devices, with visual displays and/or monitors, telephones, cellular telephones, wireless devices, PDAs, Internet appliances, set top boxes, modems, other devices, and the like, capable of performing the processes of the disclosed exemplary embodiments.
  • the devices and subsystems may communicate with each other using any suitable protocol and may be implemented using a general-purpose computer system and the like.
  • One or more interface mechanisms may be employed, for example, including Internet access, telecommunications in any suitable form, such as voice, modem, and the like, wireless communications media, and the like.
  • network 30 may include, for example, wireless communications networks, cellular communications network, Public Switched Telephone Networks (PSTNs), Packet Data Networks (PDNs), the Internet, intranets, hybrid communications networks, combinations thereof, and the like.
  • PSTNs Public
  • the embodiments are for exemplary purposes, as many variations of the specific hardware used to implement the disclosed exemplary embodiments are possible.
  • the functionality of the devices and the subsystems of the embodiments may be implemented via one or more programmed computer system or devices.
  • a single computer system may be programmed to perform the functions of one or more of the devices and subsystems of the exemplary systems.
  • two or more programmed computer systems or devices may be substituted for any one of the devices and subsystems of the exemplary systems.
  • principles and advantages of distributed processing such as redundancy, replication, and the like, also may be implemented, as desire ' d, for. example, to increase robustness and performance of the exemplary systems described with respect to the figures.
  • the exemplary systems described with respect to the figures may be used to store information relating to various processes described herein.
  • This information may be stored in one or more memories, such as hard disk, optical disk, magneto-optical disk, RAM, and the like, of the devices* and sub-systems of the embodiments.
  • One or more databases of the devices and subsystems may store the information used to implement the exemplary embodiments.
  • the databases may be organized using data structures, such as records, tables, arrays, fields, graphs, trees, lists, and the like, included in one or more memories, such as the memories listed above.
  • All or a portion of the exemplary systems described with respect to figures may be conveniently implemented using one or more general-purpose computer systems, microprocessors, digital signal processors, micro-controllers, and the like, programmed according to the teachings of the disclosed exemplary embodiments.
  • Appropriate software may be readily prepared by programmers of ordinary skill based on the teachings of the disclosed exemplary embodiments.
  • the exemplary systems may be implemented by the preparation of application-specific integrated circuits or by interconnecting an appropriate network of component circuits.

Abstract

A method and system is disclosed for the issuance of a proxy digital certificate to a grid portal in distributed computing infrastructure through data transfer across a public network. More specifically, the invention concerns a method and a system for proxy digital certificate issuance from an end entity certificate to a grid portal of a distributed or grid computing infrastructure via a web browser, where the proxy digital certificate resides in a web server and the issuance of the proxy digital certificate may be applied on any web based application through a public network such as the Internet.

Description

METHOD AND SYSTEM FOR GENERATING A PROXY DIGITAL CERTIFICATE TO A GRID PORTAL IN DISTRIBUTED COMPUTING INFRASTRUCTURE BY DATA TRANSFER ACROSS A PUBLIC NETWORK
FIELD OF THE INVENTION
This invention concerns a method and a system for the issuance of a proxy digital certificate to a grid portal in distributed computing infrastructure through data transfer across a public network. More specifically, the invention concerns a method and a system for proxy digital 10 certificate issuance from an end entity certificate to a grid portal of a distributed or grid computing infrastructure via a web browser, where the proxy digital certificate resides in a web server and the issuance of the proxy digital certificate may be applied on any web based application through a public network such as the Internet.
15 BACKGROUND OF THE INVENTION
In the quest of building computers with more computation power, distributed computing or grid computing has gained in popularity over recent years. A primary advantage of grid computing is that each node within the grid computing infrastructure can be purchased as a commodity hardware unit. When the commodity hardware units are' combined . in this manner, grid 20 computing can achieve similar computing performance comparable to a many-central processing unit (CPU) supercomputer, and at a lower financial cost. .
In an article, Ian Foster et at., "The Anatamy of the Grid:.-. Enabling Scalable Virtual
Organizations", International journal of High. Performance Cofηpαύng Applications, vol. 15, no.
25 3,' "*'p(j;-.200-222, August 2001, a "grid problem' is ide.ntiffejd - 'as-' thfei-fclijallenge to enable coordinated resource sharing among dynamic collections; -of . intiivjduals, institutions and resources. In an effort to address this 'grid problem ', . Ian VFost^r.et/a'L'; initiated the open
. . sourcfcl. globus toolkit. (GTK) middleware for. buiiding grid cqrn^utjrjg ' biased, on commodity
_•• ■• ; ' computer Infrastructure. Even though other, software tbbjsέisVekist . for ;'.tfje construction of
30 cbrrifjijting grids, GTK is widely used and continuously maintame^aήd upgraded middleware
; toόlk|t for the.constrύctibn of computing grids.
35" to support the provide mutual example, X.509 A. proxy digital
Figure imgf000002_0001
certificate that conforms to IETF RFC 3820 can be used by GSI for job delegation and single sign-on to multiple computing nodes.
By providing a web interface to GTK1 grid portal allows an end user to interact with computing grids using a common and mature user interface technology. Due to the fact that grid portal acts as the man-in-the-middle between GTK and the end user using a web browser, the proxy certificate issuance capability provided by GTK is not usable in the situation that involves wsb browser.
Attempts have been made and a few implementations have been proposed for issuance of proxy certificates when the grid portal is between GTK and the end user using a web browser. One attempt, as disclosed by Novotny et a!., "An Online Credential Repository for the Grid: MyProxy", 1C?" IEEE International Symposium on High Performance Distributed Computing, 104, 2001, is shown in FIG. 1. FIG. 1 shows one conventional system 200 that allows the user to create proxy credential in the form of private key and proxy certificate using a dedicated client program. The user can access the user's credential with standard web browser using a userlD and passphrase. The user can also instruct the client 202 through grid portal 48 to generate proxy-proxy certificate based on the proxy certificate residing in the server 204.
The operations of the proxy certificate issuance of a conventional method is shown in steps in FIG. 1. In step 1, the user 12 interacts with server 204 through client 202 software. UserlD and passphrase are required for the user 12 to gain access to server 204, and the user can instruct the client 202 running on the user's computer to initiate a PrOXy1 certificate creation using the user's certificate which resides in the same user's computer 12. The proxy., certificate acts on behalf of the user so that the user certificate is not required all of the time. In step 2, the user can access grid portal 48 using a standard web browser 42. At this stage, the user can request client to issue proxy2 certificate based on the proxy, certificate created in server in step 1. The preconditions for this operation to be successful are that the proxy i certificate created in step 1 is not expired; and to access the server, useriD and passphrase "are provided by the user.
In step 3, the server responds to the request from Grid Porta! to create proxy2 certificate (level
- 2 proxy certificate acting on behalf of level 1 proxy certificate) on the grid portal to be used by the porta! as proxy credential for the user to access computing resources using GTK middleware.
'in step 4, the proxy2 certificate is used by the grid porta) via GTK to establish digital certificate based mutual authentication to GTK computing grids.
/With'.the configuration of the conventional system shown in FIG. 1, a limitation is that the secondary path is required for the user to create proxy certificate on the server, such that the user needs to use the dedicated client to establish connection to the server. This secondary path exposes the system to a potential breach of the system and opens up for potential unauthorized exploitation. Additionally, authentication is limited to userlD and passphrase. Even though communication between computing nodes within GTK computing grids are based on digital certificate based mutual authentication, introducing grid portal with the server does not extend the mutual authentication to the end user who uses the web browser. The problem is compounded further because the grid portal is generally exposed to the public network such as Internet. Therefore, the weakest link in the entire system coincides with the part of the system that is opened to public and invites attacks from potentially large number of internet users. Anyone who manages to get hold of the right combination of UserlD and passphrase can impersonate the legitimate user to access the computing grids.
There is thus a need to further improve and ensure the security of data transmitted on a public network environment such the Internet in a method and a system for the issuance of a proxy digital certificate to a grid portal in distributed computing infrastructure.
SUMMARY
In accordance with an aspect of the invention a method of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, the method comprises a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web " browser.
In an embodiment the public network is the Internet. The protocol is hyper text transfer protocol. The web browser obtains the user key from a smart card. The web server generates the key pair using an RSA asymmetric algorithm. The web server generates the i key pair using an ECC asymmetric algorithm. The web server sends the public key and additional information to the web browser across the public network using the protocol. The web browser generates the proxy digital certificate by signing the public key and the additional information received from the web server using the user key. The web browser calculates a hash value using the user key and signs the public key received from the web server using the hash value. The proxy digital certificate is in X.509 format. The proxy digital certificate includes a name and an e-mail address of a user that uses the web browser. The proxy digital certificate includes a validity period for the proxy digital certificate.
In accordance with an aspect of the invention a system of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, the system comprises a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public neiwork using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
In accordance with an aspect of the invention a computer program compres program instructions for causing a computer to generate a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, comprising a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the" protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
BRIEF DESCRIPTION OF THE DRAWINGS
In order that the present Invention may be fully understood and readily put into practical effect, there shall now be described by way of non-limitative example only preferred embodiments of the present invention, the description being with reference to the accompanying illustrative drawings.
FIG. 1 illustrates a conventional method for proxy certificate issuance; FlG. 2 shows a block diagram of a system architecture in accordance with an embodiment of the Invention; FIG. 3 shows a simplified block diagram of FIG. 2 of the system architecture in accordance with an embodiment of the invention;
FIG. 4 illustrates a chain of trust from a certification authority (CA) within the system architecture in accordance with an embodiment of the invention; and FIG. 5 shows a sequence diagram of a process in accordance with an embodiment of the invention.
DETAILED DESCRIPTION
A method and system for of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol. An embodiment of the invention is shown in FIG. 1 of a system architecture diagram of a system 10. FIGS. 1-5 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the present invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, characters, components, data structures, to perform particular tasks or implement particular abstract data types. As those skilled in the art will appreciate, the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable user electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
The system as shown in FIG. 2 in accordance with an embodiment comprises a person or user at a user workstation 12 holding a private key and a corresponding digital certificate that are connected to a web browser 42 with a browser plug-in module or browser extension program 54 to issue a proxy digital certificate to a web server 22 via hyper text transfer protocol (HTTP). A smartcard 52 and smart card reader 60 is connected via user workstation
12 as shown in FIG. 2, however, it will be appreciated that other configurations may be envisaged. In the smart card, the hash value of the proxy certificate is signed by the private
key stored in the key store 58 of the smart card 52. This operation is performed in the processor 56 of the smart card 52. The private key is retrieved from the key storage 58 in the smart card, and under this configuration, the private key in the smart card remains within the
- smart card and is not transmitted from the smart card 52. The user work station 12 may comprise a memory 14, processor 16 and an interface 18 for interfacing with a public network
20 such as the Internet. The proxy "certificate can be implemented and created, for example, at-the single-sign-on server or protocol server such that the server can login to multiple - subsequent servers using the proxy certificate. In this configuration, the user only needs to login to the single-sign-on server. An input device 34 and display 32 is provided for a user to interface with the user workstation for inputting and displaying data. A web server 22 may comprise a web server memory 24, processor 26 and interface 28 for interfacing and communicating and transfer of data with the public network 20. The web server 22 may also comprise a key module 36 for generating keys and a key store 38 for storing the key information. The web server is arranged to allow digital certificate in web browser to issue proxy digital certificate. Also database 44 may also be in a location remote to the web server 22 for storage of key data 46. A grid portal 48 for access to GTK computing grids 50 of a distributed computing or grid computing environment is accessible via the public network 20.
FIG 3. shows a simplified block diagram of the system of FIG. 2 in accordance with an embodiment of the invention that allows a proxy digital certificate to be issued by a user certificate via a standard web browser to a grid portal. The steps involved include in step 1 , the user 12 logins to grid portal 48 hosting on a standard web or HTTP server 22 using a standard web browser 42, such as Firefox, via a strong digital certificate, such as for example transport layer security (TLS)/ secure socket layer (SSL) (TLS/SSL) digital certificate based mutual authentication. PrOXy1 certificate is issued 60 by the user certificate through a web extension program 54 and the web extension program's corresponding CGI program 50 running on the grid portal 48. In step 2, the grid portal 48 can utilize the newly generated proxyi certificate to engage globus toolkit (GTK) based computing grids using digital certificate based mutual authentication with GTK client 50 running on the grid portal 48.
In issuing the proxy certificate reference to FIG. 4 is mads. Globus security infrastructure (GSI) is the portion of the GTK that provides the fundamental security services needed to support grid computing. The primary motivations behind GSI are that the need for secure communication (authenticated and perhaps confidential) between elements of a computing grid; the need to support security across organizational boundaries, thus prohibiting a centrally-managed security system; and the need to support "single sign-on" for users of the Grid," including delegation of credentials for computations that involve multiple resources and/or sites.
Public Key Infrastructure (PKI) is used as the primary security measure to fulfill the above mentioned motivation for GSI. In PKI1 all entities are indentified using digital certificates and their corresponding private keys. Digital certificate contains a globally unique name known as Distinguish Name (DN), Authentication within the GSI is a matter of proving that the user is the entity identified by the DN coded in the digital certificate. Digital certificates are signed by a trusted Certification Authority's (CA) private key. The integrity and origin of the digital certificate can be verified using the Certification Authority's (CA) public key extracted from CA's digital certificate, called root certificate. Transport Layer Security (TLS) and its predecessor standard Secure Socket Layer (SSL) are used by GSI to provide strong digital certificate based mutual authentication between computing nodes that use GTK middleware to form computing grids. All messages transferred between the two computing nodes using TLS/SSL are encrypted based on the agreed encryption algorithm and key length provisioned under the TLS/SSL handshake protocol to ensure data secrecy during transmission across open network or Internet.
Delegation capability is supported by globus security infrastructure (GSI) to ease the burden of the user to keep using the user's private key for mutual authentication between globus toolkit (GTK) nodes and the user computer. A proxy consists of a new CA root certificate 152 (proxy certificate with a public key) and a corresponding private key 160. The key pair that is used for the proxy is regenerated for each proxy created. The new certificate 154 contains the user's identity with additional information to indicate that it is a proxy. The new certificate is signed by the user's private key 162, rather than a certification authority (CA) as depicted in FIG. 4Error! Reference source not found.. The proxy certificate 156 contains a validity period specified by the user for a limited time to act as proxy. The proxy's private key 156 must be kept secure, but because the proxy isn't valid for very long, it does not have to be kept quite as secure as the owner's private key. Once a proxy is created and stored, the user 12 or the system can use the proxy certificate 156 and private key 164 for digital certificate based mutual authentication. When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the user's private key), but also the user's certificate 154. During mutual authentication, the user's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate, This establishes a chain of trust from the CA to the proxy through the user. Multiple level of proxy certificate 158 can be created, i.e. a proxy certificate can issue a proxy-proxy certificate by using proxy certificate's 156 private key 164 to sign the proxy-proxy certificate public key.
Referring to the sequence diagram 100 of FIG. 5, a user 12 initiates a web browser 42 in the user workstation 12 to send (102) a request issuance to a grid portal 48 that may be hosted on a web server 22 via the public network 20 via, for example hyper text transfer protocol (HTTP).
Of course, it will be appreciated that other client-server-based communication protocols may
" be used. For example, under client-server environment, with reference to FIG. 5, one configuration is that browser plug-in or browser extension program 54 and web browser 42 < may be collapsed into a single client, while web server CGI program 50 of grid portal 48 may be collapsed into the server component in the client-server environment. The CGI program 50 may run on the grid portal 48. The CGI program 50 may be activated via common gateway
'interface (CGI) by the web server 22 running on the machine. The CGI program's main
.functions are to generate private-public key pair of the proxy certificate and to construct HTML file that contains embedded tag to activate the browser extension program 54 that runs at the user computer 12. The grid porta! is a portal for computing grids running on a web server that acts as a hyper text transfer protocol (HTTP) server. The grid portal provides a web interface for user to interact with computing grids. Of course it will be appreciated that other protocols may be implemented. The web browser 42 may be an HTTP browser that runs on the user computer 12 and interacts with a web server 22. Such web browsers that may be implemented are browsers such as Microsoft Internet Explorer, Mozilla Firefox, and a number of other browsers available commercially or freely obtained open sourced. The browser extension program 54 may be initiated by the web browser to carry out proxy certificate creation based on the parameters in the embedded tag and interfaces to PKCS#11 or CSP library that links with private key storage devices. CSP provides interface for Microsoft Internet Explorer while PKCS#11 integrates with Mozilla Firefox. PKCS#11 (RSA Laboratorise, "PKCS#11: Cryptographic Token Interface Standard", June 2004), is a cryptographic token interface library that can be loaded into Mozilla Firefox while CSP serves the same purpose for Microsoft internet Explorer. These cryptographic token interface libraries allow the browsers and browser extension programs to interact with cryptographic tokens to perform RSA private key related operations that involved the use of smart card or virtual memory storage. The smart card 52 may be a cryptographic smart card that is capable of performing RSA private key operations using the stored private key. Malaysian national identity card, MyKad, is capable of performing such operation and therefore can also be used for the purpose stated in this paper. The smart card can also be replaced by virtual memory storage of private key with the necessary cryptographic functions to perform the similar private key operations.
Once the user 12 initiates the web browser to send a request issuance to a grid portal, the grid portal on the web server initiates a software program to request (104) and generate (106) a key pair. The generation of a key pair comprises generation of a private and public key (108), The key pair may be an asymmetric algorithm key-pair, such as for example RSA, error correcting code (ECC), and the like algorithms. RSA and ECC asymmetric algorithms for key- pair specify the mathematical conditions where an arbitrary two numbers may be considered as a pair of interrelated numbers called key-pair. In one embodiment, the computer carries out the following operations in key-pair generation process, for example, two random numbers are generated, and mathematical test or tests are run and conducted based on the selected asymmetric algorithm, such as for example RSA and ECC, on the two random numbers
■ generated. If all conditions specified by the algorithm are met, these two numbers are considered as a key-pair. One of the numbers is given the name as private key while the other number is named as public key. The key pair is generated by CGI program 50 and transmitted (108) to grid portal 48 for storage (110) the key pair in a proper location for future retrieval by other software 48,50 (112), In an embodiment, the task of program such as CΘI program 50 is to generate a key pair, while the task of program grid portal 48 is to store the key pair in computer memory storage 46,38, etc. In FIG. 5, when each task is successfully completed, the next task is executed as indicated. The storage of the key pair for example may be in key data 46 of database 44 or key store 38 of web server. The programs A1B (such as grid portal 48, CGI program 50, or other such programs) transmit (108) the public key to the web server 22. The web server 22 sends or transmits (110) the public key of the generated key pair and all necessary information for proxy certificate generation back to the web browser 42 via the public network 20 via HTTP. The web browser 42 activates (112) a web browser plug-in module 54 or software to calculate (114) hash value to generate a proxy digital certificate by signing the received public key and information from web server using the private key that belongs to the user, for example, within a smart card 52. The calculated hash value is sent (114) from the browser plug-in 54 to the smart card 52 and the private key signs (116) hash value, and the signed hash value is sent (118,120) from the smart card 52 to the browser plug-in 52. The web browser plug-in software initiates the web browser to construct (122) partial proxy digital certificate in a format such as X.509 format. The proxy certificate is constructed (134) after the complete process (124,126,128,130,132) to send hash to be signed. The proxy is then constructed (134) at browser extension program 54 of web browser (42), and sends (136,138) the proxy digital certificate to grid portal 48 of web server 22 via the public network 20 in HTTP for example. The web server initiates (140) another software program such as CGI program 50 to store (142) proxy digital certificate in a proper location for future retrieval by another software such as CGI program 50, grid portal 48 and the like. Once successful (144,146) as indicated in FIG. 5, the procedure is complete. In an embodiment, the proxy digital certificate contains information about the user, for example name and e-mail address, the validity period of the proxy certificate, and other information about issuance of the proxy certificate. The proxy certificate may be coded, for example in X.509 format.
Thus, in an embodiment, the user initiates the web browser to submit HTTP GET request to grid portal running on web server to activate the relevant CGI program that later initiates public-private key pair generation. Upon successful key pair generation, the CGl program
'stores the key pair in proper storage and replies to the HTTP GET request by sending back the public key that is encoded into base64 format and embedded in HTML file. An example of the embedded tag included in the HTML file is as follows:
<EMBED Type="app]ication/x-mgt" mKEY="AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxa.. " </EMBED> One parameter called mKEY is included in the embedded tag. The based64 format encoded data that tails the mKEY is the public key generated by the CGl program. For example, when the web browser receives the HTML file with embedded tag containing the public key, the appropriate browser extension program that has been configured to associate with x-mgt application is activated. The browser extension program is pre-installed on the computer running the web browser and has been configured to associate itself with x-mgt application. The first task executed by the browser extension program is to construct a partial X.509 proxy certificate that also complies with the requirement of IETF RFC 3820 Tuechke et a!., "Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile", IETF, RFC 3820, June 2004 (http://www.ietf.org/rfc/rfc3820.txt), for proxy certificate format. The browser extension program reads the user certificate from the smart card via PKCS#11 or CSP and extracts the necessary information from the user certificate which will become the issuance certificate or end entity certificate (EEC). The public key is extracted from the variable field mKEY from the embedded tag. The partial X.509 proxy certificate is constructed based on the above mentioned information. Certificate-digest or hash value is calculated from the partial X.509 format proxy certificate. This hash value is sent to the smart card via PKCS#11 or CSP interface to be signed using the private key in the smart card. The signed hash value is returned to the browser extension program and is combined with the partial proxy certificate to form a complete proxy certificate.
The final task of the browser extension program is to initiate the web browser to send a POST command to deliver the proxy certificate to the Grid Portal via hyper text transfer protocol (HTTP). This POST command and its payload of proxy certificate are received by the CGI program running at the grid portal to store it to the appropriate location for proxy certificate storage. This concludes the entire proxy certificate issuance process. The proxy certificate and its corresponding private key will be used by GTK client to initiate digital certificate based mutual authentication with other GTK computing nodes.
It will be appreciated that the above mention method is one embodiment and other variations and different configurations are possible. For example, another variation is the construction of partial X.509 proxy certificate can be done at the CGI program instead of at the browser extension program. In order to ensure compliance that the subject name of the proxy certificate must be the same as the subject name of the issuer or user certificate as per the requirement of IETF RFC 3820, the CGI program must have the capability to access the user certificate for the purpose of extracting the subject name from the user certificate. The user certificate is at the smart card and can be accessed by the browser extension program running at the user computer via PKCS#11 or CSP as per the solution mentioned above. As the user certificate has been transmitted to the web browser via TLS/SSL digital certificate mutual authentication process, the user certificate can be accessed by the CG! program from the grid portal on web server SSL session variable. This situation makes it possible for the CG! program to generate the partial X.509 proxy certificate and subsequently the hash value. In this embodiment, the information exchange between the CGI program and the browser extension program is as described. The hash value can be sent to the browser extension -program using the same mechanism of putting the parameter in the embedded tag. The signed hash value is returned to the CGi program using the similar mechanism as the above mentioned method. Hash value and signed hash value are being exchanged instead of public key and a complete proxy certificate. Upon receipt of the signed hash value, the CGl program constructs the complete proxy certificate at the machine running the grid portal. This solution Variant achieves the same goal of direct proxy certificate issuance via web browser. It will be appreciated that other configurations may be envisaged without departing from the scope of the invention, for example, components of the system may be collapsed into client- server environment as discussed. The devices and subsystems of the exemplary methods and systems described with respect to the figures may communicate, for example, over a communication network, and may include any suitable servers, workstations, personal computers (PCs), laptop computers, handheld devices, with visual displays and/or monitors, telephones, cellular telephones, wireless devices, PDAs, Internet appliances, set top boxes, modems, other devices, and the like, capable of performing the processes of the disclosed exemplary embodiments. The devices and subsystems, for example, may communicate with each other using any suitable protocol and may be implemented using a general-purpose computer system and the like. One or more interface mechanisms may be employed, for example, including Internet access, telecommunications in any suitable form, such as voice, modem, and the like, wireless communications media, and the like. Accordingly, network 30 may include, for example, wireless communications networks, cellular communications network, Public Switched Telephone Networks (PSTNs), Packet Data Networks (PDNs), the Internet, intranets, hybrid communications networks, combinations thereof, and the like.
It is to be understood that the embodiments, as described with respect to the figures, are for exemplary purposes, as many variations of the specific hardware used to implement the disclosed exemplary embodiments are possible. For example, the functionality of the devices and the subsystems of the embodiments may be implemented via one or more programmed computer system or devices. To implement such variations as well as other variations, a single computer system may be programmed to perform the functions of one or more of the devices and subsystems of the exemplary systems. On the other hand, two or more programmed computer systems or devices may be substituted for any one of the devices and subsystems of the exemplary systems. Accordingly, principles and advantages of distributed processing, such as redundancy, replication, and the like, also may be implemented, as desire'd, for. example, to increase robustness and performance of the exemplary systems described with respect to the figures.
The exemplary systems described with respect to the figures may be used to store information relating to various processes described herein. This information may be stored in one or more memories, such as hard disk, optical disk, magneto-optical disk, RAM, and the like, of the devices* and sub-systems of the embodiments. One or more databases of the devices and subsystems may store the information used to implement the exemplary embodiments. The databases may be organized using data structures, such as records, tables, arrays, fields, graphs, trees, lists, and the like, included in one or more memories, such as the memories listed above. All or a portion of the exemplary systems described with respect to figures may be conveniently implemented using one or more general-purpose computer systems, microprocessors, digital signal processors, micro-controllers, and the like, programmed according to the teachings of the disclosed exemplary embodiments. Appropriate software may be readily prepared by programmers of ordinary skill based on the teachings of the disclosed exemplary embodiments. In addition, the exemplary systems may be implemented by the preparation of application-specific integrated circuits or by interconnecting an appropriate network of component circuits.
Whilst there has been described in the foregoing description preferred embodiments of the present invention, it will be understood by those skilled in the technology concerned that many variations or modifications in details of design or construction may be made without departing from the present invention.

Claims

CLAIMS:
1. A method of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, comprising: a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
2. The method of claim 1 , wherein the public network is the Internet.
3. The method of claim 1 , wherein the protocol is hyper text transfer protocol.
4. The method of claim 1, wherein the web browser obtains the user key from a smart card..
5. - . The method of claim 1, wherein the web server generates the key pair using an RSA -asymmetric algorithm.
6. " The method of claim 1, wherein the web server generates the key pair using an ECC asymmetric algorithm.
7. ■ The method of claim 1 , wherein;
"the web server sends the public key and additional information to the web browser across the public network using the protocol;
' " ■'•" the web browser generates the proxy digital certificate by signing the public key and the additional information received from the web server using the user key.
8. The method of claim 1 , wherein the web browser calculates a hash value using the user key and signs the public key received from the web server using the hash value.
9. The method of claim 1, wherein the proxy digital certificate is in X.509 format.
10. The method of claim 1, wherein the proxy digital certificate includes a name and an e- mail address of a user that uses the web browser.
11. The method of claim 1 , wherein the proxy digital certificate includes a validity period for the proxy digital certificate.
12. A system of generating a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, comprising: a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol; the web server generating a key pair that includes a public key and a private key in response to the request; the web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public nejwc-rk using the protocol; and
; the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
13. A computer program comprising program instructions for causing a computer to generate a proxy digital certificate to a distributed computing infrastructure by secure data transfer across a public network using a client-server communication protocol, comprising: a web browser obtaining a user key independently of a web server; the web browser sending a request to the web server across the public network using the protocol;
- the web server generating a key pair that includes a public key and a private key in response to the request; the' web server storing the key pair at a key storage location remote to the web browser; the web server sending the public key to the web browser across the public network using the protocol; the web browser generating the proxy digital certificate by signing the public key received from the web server using the user key; the web browser sending the proxy digital certificate to the web server across the public network using the protocol; and the web server storing the proxy digital certificate received by the web browser at a certificate storage location remote to the web browser.
PCT/MY2008/000115 2007-10-05 2008-09-26 Method and system for generating a proxy digital certificate to a grid portal in distributed computing infrastructure by data transfer across a public network WO2009066978A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20071724 2007-10-05
MYPI20071724 2007-10-05

Publications (3)

Publication Number Publication Date
WO2009066978A2 true WO2009066978A2 (en) 2009-05-28
WO2009066978A3 WO2009066978A3 (en) 2009-10-08
WO2009066978A9 WO2009066978A9 (en) 2009-11-26

Family

ID=40668013

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2008/000115 WO2009066978A2 (en) 2007-10-05 2008-09-26 Method and system for generating a proxy digital certificate to a grid portal in distributed computing infrastructure by data transfer across a public network

Country Status (1)

Country Link
WO (1) WO2009066978A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8739244B1 (en) 2011-06-07 2014-05-27 Riverbed Technology, Inc. Configuring and authenticating WAN optimization devices for accessing content delivery networks
US8782395B1 (en) 2011-09-29 2014-07-15 Riverbed Technology, Inc. Monitoring usage of WAN optimization devices integrated with content delivery networks
CN114531272A (en) * 2022-01-10 2022-05-24 网宿科技股份有限公司 HTTPS request processing method and device based on national password and international algorithm

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015725A1 (en) * 2000-08-07 2004-01-22 Dan Boneh Client-side inspection and processing of secure content
JP2005142979A (en) * 2003-11-10 2005-06-02 National Institute Of Advanced Industrial & Technology Management device, client device and system including them
JP2005167527A (en) * 2003-12-02 2005-06-23 Hitachi Ltd Certificate management system and method thereof
US20050289084A1 (en) * 2004-06-25 2005-12-29 The Go Daddy Group, Inc. Method for a Web site with a proxy domain name registration to receive a secure socket layer certificate
US7152158B2 (en) * 2001-01-10 2006-12-19 Sony Corporation Public key certificate issuing system, public key certificate issuing method, information processing apparatus, information recording medium, and program storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015725A1 (en) * 2000-08-07 2004-01-22 Dan Boneh Client-side inspection and processing of secure content
US7152158B2 (en) * 2001-01-10 2006-12-19 Sony Corporation Public key certificate issuing system, public key certificate issuing method, information processing apparatus, information recording medium, and program storage medium
JP2005142979A (en) * 2003-11-10 2005-06-02 National Institute Of Advanced Industrial & Technology Management device, client device and system including them
JP2005167527A (en) * 2003-12-02 2005-06-23 Hitachi Ltd Certificate management system and method thereof
US20050289084A1 (en) * 2004-06-25 2005-12-29 The Go Daddy Group, Inc. Method for a Web site with a proxy domain name registration to receive a secure socket layer certificate

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8739244B1 (en) 2011-06-07 2014-05-27 Riverbed Technology, Inc. Configuring and authenticating WAN optimization devices for accessing content delivery networks
US8843636B1 (en) * 2011-06-07 2014-09-23 Riverbed Technology, Inc. Managing digital certificates for WAN optimization over content delivery networks
US8782395B1 (en) 2011-09-29 2014-07-15 Riverbed Technology, Inc. Monitoring usage of WAN optimization devices integrated with content delivery networks
CN114531272A (en) * 2022-01-10 2022-05-24 网宿科技股份有限公司 HTTPS request processing method and device based on national password and international algorithm
CN114531272B (en) * 2022-01-10 2024-02-23 网宿科技股份有限公司 HTTPS request processing method and device based on national secret and international algorithm

Also Published As

Publication number Publication date
WO2009066978A3 (en) 2009-10-08
WO2009066978A9 (en) 2009-11-26

Similar Documents

Publication Publication Date Title
WO2022206349A1 (en) Information verification method, related apparatus, device, and storage medium
US11502854B2 (en) Transparently scalable virtual hardware security module
CN109922077B (en) Identity authentication method and system based on block chain
CN109088889B (en) SSL encryption and decryption method, system and computer readable storage medium
US10630489B2 (en) Apparatus and method for managing digital certificates
US6711679B1 (en) Public key infrastructure delegation
US11095635B2 (en) Server authentication using multiple authentication chains
US9565180B2 (en) Exchange of digital certificates in a client-proxy-server network configuration
US7281128B2 (en) One pass security
US8296828B2 (en) Transforming claim based identities to credential based identities
US9021552B2 (en) User authentication for intermediate representational state transfer (REST) client via certificate authority
US11777914B1 (en) Virtual cryptographic module with load balancer and cryptographic module fleet
US20090307486A1 (en) System and method for secured network access utilizing a client .net software component
US20050021956A1 (en) Method and system for a single-sign-on operation providing grid access and network access
WO2019178942A1 (en) Method and system for performing ssl handshake
JP2002374239A (en) Method for cryptographing information
CN113328980B (en) TLS authentication method, device and system, electronic equipment and readable medium
CN116491098A (en) Certificate-based security using post-use quantum cryptography
KR20110122452A (en) Electronic signaturing verification server and electronic transaction method using the same
CN103716280A (en) Data transmission method, server and system
WO2009066978A2 (en) Method and system for generating a proxy digital certificate to a grid portal in distributed computing infrastructure by data transfer across a public network
WO2015104567A1 (en) Secure communication between a server and a client web browser
JP2014147039A (en) Cryptocommunication device, proxy server, cryptocommunication system, cryptocommunication program and proxy server program
Alsaid et al. Preventing phishing attacks using trusted computing technology
Jesudoss et al. Enhanced certificate-based authentication for distributed environment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08851114

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08851114

Country of ref document: EP

Kind code of ref document: A2