WO2010107298A2 - Method of generating a proxy certificate - Google Patents

Method of generating a proxy certificate Download PDF

Info

Publication number
WO2010107298A2
WO2010107298A2 PCT/MY2010/000028 MY2010000028W WO2010107298A2 WO 2010107298 A2 WO2010107298 A2 WO 2010107298A2 MY 2010000028 W MY2010000028 W MY 2010000028W WO 2010107298 A2 WO2010107298 A2 WO 2010107298A2
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
proxy certificate
user
proxy
digest
Prior art date
Application number
PCT/MY2010/000028
Other languages
French (fr)
Other versions
WO2010107298A3 (en
Inventor
Chong Seak Sea
Kang Siong Ng
Fui Bee Tan
Galoh Rashidah Haron
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Priority to EP10753743A priority Critical patent/EP2409455A2/en
Publication of WO2010107298A2 publication Critical patent/WO2010107298A2/en
Publication of WO2010107298A3 publication Critical patent/WO2010107298A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to a method for generating a proxy certificate to a web portal from a user certificate residing in computer with a web browser.
  • a personal computer is widely used in a company or by a person. In some cases, confidential data is stored in the PC. To prevent such secret data from being accessed by an unauthorized user, techniques of preventing information stored in a PC from being leaked have been developed.
  • One known technique for this function is to identify a user on the basis of a password input by the user or on the basis of biotic information of the user.
  • a public key infrastructure is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through a registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, a user identity, the public key, their binding, validity conditions and other attributes in public key certificates issued by the CA is unable to be duplicated.
  • RA Registration Authority
  • PKI applications and services remotely and automatically send public key information to other sources on the behalf of the users. For example, a job running on some remote web portal is required to be able to communicate with other web portals to transfer information pr files, and therefore the proof of user identity is required. The method is not secure for the system may send users information to other sources without user's notification.
  • a method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate comprises the steps of inserting a smart card into a card reader, establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP, generating a proxy certificate, displaying a web browser request for a validation period in hour(s), inputting user validation period required for the proxy certificate, sending the user validation period in hour(s) to the web portal, generating a new public and private key pair, storing the key pair in the web portal, retrieving the user certificate from Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) session, extracting user information from the user certificate, combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate, calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate, generating a hypertext markup language (HTML) page
  • Figure 1 is a diagram to show a chain of trust to proxy certificates
  • Figure 2 is a diagram to show a chain of trust to numbers of proxy certificates.
  • Figure 3 is a diagram to show a complete sequence diagram of issuing a proxy certificate.
  • the present invention relates to method for generating a proxy certificate.
  • this specification will describe the present invention according to the preferred embodiments of the present invention. However, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications and equivalents without departing from the scope of the appended claims.
  • the present invention consists of several hardware components that include a server equipped with one or more processors to process data, one or more network cards for networking a system, a plurality of port interfaces to connect external devices and one or more hard drives to store operating system and data.
  • a server equipped with one or more processors to process data
  • one or more network cards for networking a system a plurality of port interfaces to connect external devices
  • one or more hard drives to store operating system and data.
  • a user will have a separate system to act as access terminal and is equipped with a card reader.
  • the present invention further consists of several components that include a web portal, a web server, a web application, a browser extension program, a module library and an electronic card.
  • the web portal centralized web application running on the web server, which has access to various applications within the same enterprise to share information across applications.
  • the web portal enables various users with different roles accessing application and prefers to have a single access point to all of them over the internet.
  • the web browser is software that runs on the user's computer. Users interact with the web browser to display the web information such as display text, video, audio and other web activity. Most web browsers are compatible with the present invention (e.g. Microsoft Internet Explorer and Mozilla Firefox).
  • the Web Application is a Common Gateway Interface (CGI) activated by a web server or other server running on an operating system. Its function is to extract user certificate information, create proxy certificate, construct HTML file that contains embedded tag to activate the browser extension program that is executed on the user computer, and generate private as well as public key pair.
  • CGI Common Gateway Interface
  • the browser extension program is software programmed to activate the browser to carry out proxy certificate creation based on the parameters in the browser embedded tag and interface to the module library that obtains user private key from user electronic card. It is appreciated by a person skilled in the art that the present invention also can be applied to situation where user's private key is stored in web browser or the smart card and any other storage medium.
  • the module library is a cryptographic token interface known as PKCS#11 and CSP 1 module library that can be loaded into Microsoft Internet Explorer while PKCS#11 module library serves the same purpose for Mozilla Firefox browser.
  • These cryptographic token interface libraries allow the web browsers and browser extension software program to interact with cryptographic tokens to perform RSA private key related operations that involved the use of the smart card or virtual memory storage.
  • the electronic card is a cryptographic smart card that is capable of performing RSA private key operations using stored private key. The smart card can also be replaced by virtual memory storage to perform a similar private key operation.
  • the web portal will create a temporary new public-private key pairs, and the created public key will be digitally signed by users own private key.
  • the proxy private key is used for certificate based authentication with another server.
  • the proxy private key and proxy certificate (containing proxy public key) is at the web portal.
  • the proxy certificate and private key is used to perform certificate based authentication to other servers from the web portal. This is because for some situations or by design, the user is unable to connect to the server; but rather the connection is routed via the web portal. So you have a web portal sitting in between the user computer and another server.
  • the server asks for certificate based authentication from the web portal but the web portal does not have the user's private key.
  • the solution is to create a proxy certificate and proxy private key at the web portal.
  • the proxy private key and the proxy certificate are used to authenticate the other server on behalf of the user certificate and user's private key.
  • the proxy certificate subject information contains as shown.
  • C MY
  • CN ABCProxyCert
  • the new proxy certificate signed by user's private key, rather than a Certification Authority (CA). This establishes a chain of trust from the CA to proxy certificate through the user.
  • CA Certification Authority
  • a chain of trust certificate is used to prove the trust of the proxy certificate.
  • the proxy certificate has a short activation lifespan, typically 12 hours.
  • the proxy private key In the event security term of a proxy certificate is compromised, the proxy private key must be treated with care.
  • anyone who steals the proxy private key can perform any activity pretending to be authorized user.
  • the action taken must be immediate by discontinuing the use of the stolen proxy certificate.
  • the proxy certificate has a lifetime of only few hours (depending on the policy the maximum validity period of time allowed), so the potential damage is limited.
  • proxy certificate issuing process explains the methods and descriptions of the present invention by way of an example.
  • a user inserts a smart card to a smart card reader.
  • the user initiates the web browser and activates CSP for Microsoft Internet explorer or PKCS#11 for Mozilla Firefox to perform a HTTPS SSL mutual authentication with web portal running Apache web server or other servers. Verifying the user certificate will be carried out by the web server to ensue only authorized user can login to the web portal. Successful authenticated user can presume on to the next phase beginning the issuing proxy certificate process.
  • the first web page displayed is requesting user to enter the proxy certificate validation period (in hour).
  • the validation period will submit HTTPS POST command to the web server and activate a relevant CGI application.
  • the CGI application initiates the public- private key pair generation, extracts user certificate info and constructs an unsigned proxy certificate.
  • the CGI application Upon successful key pair generation, the CGI application than stores the key pair in a storage device. After the immediate completion of the public-private key pair generation by the CGI application is to construct a partial X.509 format proxy certificate that complies with the requirement of IETF RFC 3820 for proxy certificate format.
  • the web browser receives the HTML page with the embedded tag containing the proxy certificate digest.
  • the browser extension program that has been configured to associate with the browser is activated.
  • the browser extension program receives the proxy certificate digest, this digest is sent to the smart card via PKCS#11 (Mozilla Firefox) or CSP (Microsoft Internet Explorer) interface to be signed using the user private key in the smart card.
  • PKCS#11 Mozilla Firefox
  • CSP Microsoft Internet Explorer
  • a certificate-digest or hash value is calculated from the partial X.509 format proxy certificate, and the CGI application embedded the proxy certificate digest in the hypertext markup language (HTML).
  • the signed proxy certificate is then sent back to the web browser through the web portal and completes the proxy certificate issuance process.
  • the private key in the smart card or in any other storage medium signs the certificate digest.
  • the signed proxy certificate digest is returned to the browser extension program.
  • the signed proxy certificate digest is then sent to the CGI application through the PKCS#11 or CSP (depending on the web browser application of either the Explorer or Mozilla Firefox), the browser extension program, the web browser and the web portal.
  • the web browser extension program initiates the web browser to send a POST command to deliver the signed proxy cert digest to web portal via secure Hypertext Transfer Protocol (HTTPS).
  • HTTPS secure Hypertext Transfer Protocol
  • This POST command and its payload of signed proxy certificate digest are g received by the CGI program running at web portal.
  • the CGI application now constructs a signed proxy certificate.
  • the CGI application can read the user certificate from TLS/SSL digital certificate mutual authentication process, and then extract the necessary information from the user certificate which will become the issuance proxy certificate or an 5 End Entity Certificate (EEC).
  • EEC 5 End Entity Certificate
  • the partial X.509 proxy certificate is constructed based on the information above and also inclusive of the user validation period (in hour) and new generated pubic key. Below is the algorithm used to illustrate an example of the embedded tags for Microsoft Internet Explore and Mozila Firefox.
  • the concluding phase is when the CGI application combined with the partial X.509 format proxy certificate to form a 10 complete proxy certificate.
  • VALUE https : //webportal .mimos .my/cgi-bin/cgisignedcert . cgi">
  • parameter mDIGEST included in the embedded 30 tag in both browsers is values of proxy certificate digest calculate from partial X.509 format proxy certificate.
  • Other parameter mURL is a target uniform resource locator (URL) where the browser extension program activated and do the POST command request to the web portal to execute the CGI application.
  • mTARGET is the target HTML frame name to display the result. ,35
  • Maintaining proxy certificate authentication is possible on entire communication channels to all computing nodes. Maintaining proxy certificate also requires no user ID or paraphrase (password) to maintain connection and reduces maintenance cost for utility computing service.

Abstract

This invention method for generating proxy certificate on web portal is a means of secure and reliable access to a web portal. This system will prevent identity fraud over the web and is a secure means of accessing personal information online.

Description

METHOD OF GENERATING A PROXY CERTIFICATE
FIELD OF INVENTION
The present invention relates to a method for generating a proxy certificate to a web portal from a user certificate residing in computer with a web browser.
BACKGROUND OF INVENTION
A personal computer (PC) is widely used in a company or by a person. In some cases, confidential data is stored in the PC. To prevent such secret data from being accessed by an unauthorized user, techniques of preventing information stored in a PC from being leaked have been developed. One known technique for this function is to identify a user on the basis of a password input by the user or on the basis of biotic information of the user. A public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through a registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, a user identity, the public key, their binding, validity conditions and other attributes in public key certificates issued by the CA is unable to be duplicated.
PKI applications and services remotely and automatically send public key information to other sources on the behalf of the users. For example, a job running on some remote web portal is required to be able to communicate with other web portals to transfer information pr files, and therefore the proof of user identity is required. The method is not secure for the system may send users information to other sources without user's notification. SUMMARY OF INVENTION
Accordingly, there is provided a method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate, wherein the method comprises the steps of inserting a smart card into a card reader, establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP, generating a proxy certificate, displaying a web browser request for a validation period in hour(s), inputting user validation period required for the proxy certificate, sending the user validation period in hour(s) to the web portal, generating a new public and private key pair, storing the key pair in the web portal, retrieving the user certificate from Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) session, extracting user information from the user certificate, combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate, calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate, generating a hypertext markup language (HTML) page and associate the proxy certificate digest value embedded in a browser extension program, activating the browser extension program to send the proxy certificate digest to the smart card via PKCS#11 or CSP interface to be digitally signed using the user private key in the smart card, returning the signed proxy certificate to browser extension program, performing a HTTP POST to the web portal by the browser extension, receiving a Common Gateway Interface (CGI) application user signed proxy certificate digest and combining sighed proxy certificate digest with the unsigned partial proxy certificate to form a final complete signed proxy certificate.
The present invention consists of several novel features and a combination of parts hereinafter fully described and illustrated in the accompanying description and drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention. BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be fully understood from the detailed description given herein below and the accompanying drawings which are given by way of illustration only, and thus are not limitative of the present invention, wherein:
Figure 1 is a diagram to show a chain of trust to proxy certificates;
Figure 2 is a diagram to show a chain of trust to numbers of proxy certificates; and
Figure 3 is a diagram to show a complete sequence diagram of issuing a proxy certificate.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to method for generating a proxy certificate. Hereinafter, this specification will describe the present invention according to the preferred embodiments of the present invention. However, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications and equivalents without departing from the scope of the appended claims.
The following detailed description of the preferred embodiments will now be described in accordance with the attached drawings, either individually or in combination.
The present invention consists of several hardware components that include a server equipped with one or more processors to process data, one or more network cards for networking a system, a plurality of port interfaces to connect external devices and one or more hard drives to store operating system and data. A user will have a separate system to act as access terminal and is equipped with a card reader.
The present invention further consists of several components that include a web portal, a web server, a web application, a browser extension program, a module library and an electronic card.
The web portal centralized web application running on the web server, which has access to various applications within the same enterprise to share information across applications. The web portal enables various users with different roles accessing application and prefers to have a single access point to all of them over the internet. The web browser is software that runs on the user's computer. Users interact with the web browser to display the web information such as display text, video, audio and other web activity. Most web browsers are compatible with the present invention (e.g. Microsoft Internet Explorer and Mozilla Firefox).
The Web Application is a Common Gateway Interface (CGI) activated by a web server or other server running on an operating system. Its function is to extract user certificate information, create proxy certificate, construct HTML file that contains embedded tag to activate the browser extension program that is executed on the user computer, and generate private as well as public key pair.
The browser extension program is software programmed to activate the browser to carry out proxy certificate creation based on the parameters in the browser embedded tag and interface to the module library that obtains user private key from user electronic card. It is appreciated by a person skilled in the art that the present invention also can be applied to situation where user's private key is stored in web browser or the smart card and any other storage medium.
The module library is a cryptographic token interface known as PKCS#11 and CSP1 module library that can be loaded into Microsoft Internet Explorer while PKCS#11 module library serves the same purpose for Mozilla Firefox browser. These cryptographic token interface libraries allow the web browsers and browser extension software program to interact with cryptographic tokens to perform RSA private key related operations that involved the use of the smart card or virtual memory storage. The electronic card is a cryptographic smart card that is capable of performing RSA private key operations using stored private key. The smart card can also be replaced by virtual memory storage to perform a similar private key operation.
Generating a proxy certificate, the web portal will create a temporary new public-private key pairs, and the created public key will be digitally signed by users own private key.
The proxy private key is used for certificate based authentication with another server. The proxy private key and proxy certificate (containing proxy public key) is at the web portal. The proxy certificate and private key is used to perform certificate based authentication to other servers from the web portal. This is because for some situations or by design, the user is unable to connect to the server; but rather the connection is routed via the web portal. So you have a web portal sitting in between the user computer and another server. The server asks for certificate based authentication from the web portal but the web portal does not have the user's private key. The solution is to create a proxy certificate and proxy private key at the web portal. The proxy private key and the proxy certificate are used to authenticate the other server on behalf of the user certificate and user's private key.
To illustrate an example of the present invention, the proxy certificate subject information contains as shown. C=MY, CN= JOHN DOE / serialNumber= 1234567890, CN=ABCProxyCert, issuer information contains C=MY, CN=JOHN DOE /serialNumber=1234567890. As depicted in Figure 1 the new proxy certificate signed by user's private key, rather than a Certification Authority (CA). This establishes a chain of trust from the CA to proxy certificate through the user.
As depicted in Figure 2 a chain of trust certificate is used to prove the trust of the proxy certificate.
The proxy certificate has a short activation lifespan, typically 12 hours. In the event security term of a proxy certificate is compromised, the proxy private key must be treated with care. Anyone who steals the proxy private key can perform any activity pretending to be authorized user. There is no mechanism for revoking the proxy certificate. The action taken must be immediate by discontinuing the use of the stolen proxy certificate. The proxy certificate has a lifetime of only few hours (depending on the policy the maximum validity period of time allowed), so the potential damage is limited. Hereinafter is complete proxy certificate issuing process explains the methods and descriptions of the present invention by way of an example.
A user inserts a smart card to a smart card reader. The user initiates the web browser and activates CSP for Microsoft Internet explorer or PKCS#11 for Mozilla Firefox to perform a HTTPS SSL mutual authentication with web portal running Apache web server or other servers. Verifying the user certificate will be carried out by the web server to ensue only authorized user can login to the web portal. Successful authenticated user can presume on to the next phase beginning the issuing proxy certificate process.
The first web page displayed is requesting user to enter the proxy certificate validation period (in hour). The validation period will submit HTTPS POST command to the web server and activate a relevant CGI application. The CGI application initiates the public- private key pair generation, extracts user certificate info and constructs an unsigned proxy certificate. Upon successful key pair generation, the CGI application than stores the key pair in a storage device. After the immediate completion of the public-private key pair generation by the CGI application is to construct a partial X.509 format proxy certificate that complies with the requirement of IETF RFC 3820 for proxy certificate format.
The web browser receives the HTML page with the embedded tag containing the proxy certificate digest. The browser extension program that has been configured to associate with the browser is activated. The browser extension program receives the proxy certificate digest, this digest is sent to the smart card via PKCS#11 (Mozilla Firefox) or CSP (Microsoft Internet Explorer) interface to be signed using the user private key in the smart card.
A certificate-digest or hash value is calculated from the partial X.509 format proxy certificate, and the CGI application embedded the proxy certificate digest in the hypertext markup language (HTML). The signed proxy certificate is then sent back to the web browser through the web portal and completes the proxy certificate issuance process.
The private key in the smart card or in any other storage medium, signs the certificate digest. The signed proxy certificate digest is returned to the browser extension program. The signed proxy certificate digest is then sent to the CGI application through the PKCS#11 or CSP (depending on the web browser application of either the Explorer or Mozilla Firefox), the browser extension program, the web browser and the web portal.
The web browser extension program initiates the web browser to send a POST command to deliver the signed proxy cert digest to web portal via secure Hypertext Transfer Protocol (HTTPS). This POST command and its payload of signed proxy certificate digest are g received by the CGI program running at web portal. The CGI application now constructs a signed proxy certificate. The CGI application can read the user certificate from TLS/SSL digital certificate mutual authentication process, and then extract the necessary information from the user certificate which will become the issuance proxy certificate or an 5 End Entity Certificate (EEC). The partial X.509 proxy certificate is constructed based on the information above and also inclusive of the user validation period (in hour) and new generated pubic key. Below is the algorithm used to illustrate an example of the embedded tags for Microsoft Internet Explore and Mozila Firefox. The concluding phase is when the CGI application combined with the partial X.509 format proxy certificate to form a 10 complete proxy certificate.
Example of embedded tag for Microsoft Internet Explorer
<OBJECT I D=" IEProxyCert" 15 CLASSI D ="CLSID : 7D40EB7A-OA97-4OC7-9669-CD70BA776ES8 ">
<PARAM NAME="mDIGEST" VALUE="EOlSDB6A8ADA998S660BlE837AA8B 078 ">
< PARAM NAME= "mURL"
VALUE="https : //webportal .mimos .my/cgi-bin/cgisignedcert . cgi">
<PARAM NAME="mTARGET" VALUE=" self"> 20 </0BJECT>
Example of embedded tag for Mozilla Firefox
<embed type="application/pc-plugin" width=100 height=5O 25 itiDIGEST ="EOlSDB6A8ADA9985660BlE837AASB078 " mURL="https : / /webportal .mimos .my/cgi-bin/cgisignedcert . cgi " mTARGET="_sel f ">
Referring to embedded tags above the parameter mDIGEST included in the embedded 30 tag in both browsers is values of proxy certificate digest calculate from partial X.509 format proxy certificate. Other parameter mURL is a target uniform resource locator (URL) where the browser extension program activated and do the POST command request to the web portal to execute the CGI application. mTARGET is the target HTML frame name to display the result. ,35 The elimination of the proxy client and server means there is no need for secondary paths and reduces the number of cascading proxy certificate required. Maintaining proxy certificate authentication is possible on entire communication channels to all computing nodes. Maintaining proxy certificate also requires no user ID or paraphrase (password) to maintain connection and reduces maintenance cost for utility computing service.

Claims

1. A method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate, wherein the method comprises the steps of;
i. inserting a smart card into a card reader; ii. establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP;
iii. generating a proxy certificate;
iv. displaying a web browser request for a validation period in hour(s);
v. inputting user validation period required for the proxy certificate;
vi. sending the user validation period in hour(s) to the web portal;
vii. generating a new public and private key pair;
viii. storing the key pair in the web portal;
ix. retrieving the user certificate from Secure Sockets Layer (SSL)/ Transport
Layer Security (TLS) session;
x. extracting user information from the user certificate;
xi. combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate;
xii. calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate; xiii. generating a hypertext markup language (HTML) page and associate the proxy certificate digest value embedded in a browser extension program;
xiv. activating the browser extension program to send the proxy certificate digest to the smart card via PKCS#11 or CSP interface to be digitally signed using the user private key in the smart card;
XV. returning the signed proxy certificate to browser extension program;
xvi. performing a HTTP POST to the web portal by the browser extension;
xvii. receiving a Common Gateway Interface (CGI) application user signed proxy certificate digest; and
xviii. combining sighed proxy certificate digest with the unsigned partial proxy certificate to form a final complete signed proxy certificate.
2. The method as claimed in claim 1 wherein, the CSP is a cryptographic token interface module library for Microsoft Internet Explorer.
3. The method as claimed in claim 1 wherein, the PKCS#11 is a module library for Mozilla Firefox.
4. A method as claimed in claim 1, wherein step (vii), (vi), (xiv), and (xv) are processed by a CGI application to generate private and public key pair, extract user certificate information, create unsigned X.509 partial proxy certificate, calculate unsigned proxy certificate digest and construct HTML file that contains embedded tag to activate the browser extension program.
5. A method as claimed in claim 1 step (x) and (xi), wherein the browser extension program contains the unsigned proxy certificate digest and present the digest to user smart card to perform digital signature via PKCS#11 or CSP interface.
6. A method as claimed in claim 2 , wherein the portal CGI application received the signed proxy certificate digest and then combine with unsigned partial proxy certificate to form a final complete signed proxy certificate.
PCT/MY2010/000028 2009-03-16 2010-03-04 Method of generating a proxy certificate WO2010107298A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP10753743A EP2409455A2 (en) 2009-03-16 2010-03-04 Method of generating a proxy certificate

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20091055 MY150173A (en) 2009-03-16 2009-03-16 Method of generating a proxy certificate
MYPI20091055 2009-03-16

Publications (2)

Publication Number Publication Date
WO2010107298A2 true WO2010107298A2 (en) 2010-09-23
WO2010107298A3 WO2010107298A3 (en) 2010-12-02

Family

ID=42740157

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2010/000028 WO2010107298A2 (en) 2009-03-16 2010-03-04 Method of generating a proxy certificate

Country Status (3)

Country Link
EP (1) EP2409455A2 (en)
MY (1) MY150173A (en)
WO (1) WO2010107298A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9055056B2 (en) 2013-08-14 2015-06-09 Red Hat, Inc. Managing digital content entitlements
EP3149887A4 (en) * 2014-05-28 2017-06-07 Huawei Technologies Co. Ltd. Method and system for creating a certificate to authenticate a user identity

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200034020A (en) 2018-09-12 2020-03-31 삼성전자주식회사 Electronic apparatus and control method thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005003934A1 (en) * 2003-07-01 2005-01-13 International Business Machines Corporation Method and system for a single-sign-on access to a computer grid
US20050216733A1 (en) * 2004-03-25 2005-09-29 International Business Machines Corporation Grid mutual authorization through proxy certificate generation
US20080126794A1 (en) * 2006-11-28 2008-05-29 Jianxin Wang Transparent proxy of encrypted sessions

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005003934A1 (en) * 2003-07-01 2005-01-13 International Business Machines Corporation Method and system for a single-sign-on access to a computer grid
US20050216733A1 (en) * 2004-03-25 2005-09-29 International Business Machines Corporation Grid mutual authorization through proxy certificate generation
US20080126794A1 (en) * 2006-11-28 2008-05-29 Jianxin Wang Transparent proxy of encrypted sessions

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9055056B2 (en) 2013-08-14 2015-06-09 Red Hat, Inc. Managing digital content entitlements
EP3149887A4 (en) * 2014-05-28 2017-06-07 Huawei Technologies Co. Ltd. Method and system for creating a certificate to authenticate a user identity
US10033720B2 (en) 2014-05-28 2018-07-24 Futurewei Technologies, Inc. Method and system for creating a certificate to authenticate a user identity

Also Published As

Publication number Publication date
EP2409455A2 (en) 2012-01-25
WO2010107298A3 (en) 2010-12-02
MY150173A (en) 2013-12-13

Similar Documents

Publication Publication Date Title
AU2021206913B2 (en) Systems and methods for distributed data sharing with asynchronous third-party attestation
US8924714B2 (en) Authentication with an untrusted root
JP7083892B2 (en) Mobile authentication interoperability of digital certificates
US8438383B2 (en) User authentication system
US10362019B2 (en) Managing security credentials
US9767262B1 (en) Managing security credentials
EP2251810B1 (en) Authentication information generation system, authentication information generation method, and authentication information generation program utilizing a client device and said method
CN114666168B (en) Decentralized identity certificate verification method and device, and electronic equipment
CN109981287A (en) A kind of code signature method and its storage medium
CN109587100A (en) A kind of cloud computing platform user authentication process method and system
CN114760070A (en) Digital certificate issuing method, digital certificate issuing center and readable storage medium
JP6465426B1 (en) Electronic signature system, certificate issuing system, key management system, and electronic certificate issuing method
CN112235276B (en) Master-slave equipment interaction method, device, system, electronic equipment and computer medium
EP2530868A1 (en) Method for generating an anonymous routable unlinkable identification token
Diebold et al. Self-Sovereign Identity using Smart Contracts on the Ethereum Blockchain
EP2409455A2 (en) Method of generating a proxy certificate
TWI698113B (en) Identification method and systerm of electronic device
CN102739398A (en) Online bank identity authentication method and apparatus thereof
JP2005157845A (en) Server system, client server system and method for logging-in client server system
JP7351873B2 (en) Information processing device, information processing method, and information processing program
CN116112242B (en) Unified safety authentication method and system for power regulation and control system
KR100406525B1 (en) Initial certification system for wireless public key infrastructure, and its method
Sánchez García et al. University authentication system based on java card and digital X. 509 certificate
Ahn et al. Towards scalable authentication in health services
Corella et al. Techniques for implementing derived credentials

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10753743

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2010753743

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2010753743

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 7989/DELNP/2011

Country of ref document: IN