WO2015076658A1 - A system and method for secure transaction log for server logging - Google Patents
A system and method for secure transaction log for server logging Download PDFInfo
- Publication number
- WO2015076658A1 WO2015076658A1 PCT/MY2014/000111 MY2014000111W WO2015076658A1 WO 2015076658 A1 WO2015076658 A1 WO 2015076658A1 MY 2014000111 W MY2014000111 W MY 2014000111W WO 2015076658 A1 WO2015076658 A1 WO 2015076658A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- log
- server
- information
- client
- logging
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Definitions
- the present invention relates to a system and method for server logging particularly by utilizing single use token.
- Any client platform is able to log in to the data storage device or insert data to the data storage device as there is no authorization mechanism to validate authorization of a user.
- Server A is able to view the data or log information from Server B as there is no access control.
- privacy is an issue for users of machine readable technology as there is no filtering process to ensure that only valid and authorize user is able to access the system as currently any user is able to access the service and execute a function.
- WO2013045874 A1 entitled “Controlled Access”
- the WO 874 Publication provides that a user must be authenticated by the network to establish user identity and a user must also be authorized by the network to establish authenticated contents to identity association with the user to allow access.
- Cookie-based authentication and authorization for network which is implemented by policy server, policy store and web agents in combination with token-based access control implemented by authorization server and resource server are provided.
- the WO 874 Publication does not require user registration to access to the data storage device as compared to the present invention which requires registration of the authorized client.
- US 632 Patent provides privacy for data being stored in the data storage device wherein only validated client is allowed to view and retrieve the said data through a privacy module that is responsible for enforcing data ownership, logging data access for accountability, obtaining and enforcing client consent, and verifying the accuracy of information entered concerning a given client.
- the US 632 Patent does not provide means for modifying data stored in the data storage device as compared to the present invention which allows authorized client to delete or amend data stored in the data storage device.
- the present invention relates to a system and method for server logging particularly by utilizing single use tokens.
- One aspect of the present invention provides a system (100) for enabling secure transaction log for server logging
- the system comprising at least one client platform (102); at least one application platform (104) and at least one storage device (106) having capacity for storing information.
- the at least one client platform (102) further comprising at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction while the at least one application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data
- the at least one user token (102a) for identifying user credentials is a single use token for authentication for client to login to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
- Another aspect of the invention provides a method (200) for enabling secure transaction log for server logging by utilizing single use token.
- the method comprising steps of obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206).
- the step for logging into server for transaction log further comprising steps of logging into server by client using at least one user token (302,402); verifying said user token by secure transaction log (304,404); extracting log information by secure transaction log upon successful verification of said user token (306, 406); verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408); returning verification status to secure transaction log system (310, 410); recording log information into storage (312, 412); returning recording status from storage to secure transaction log system (314, 414); and returning status from secure transaction system to client (316, 416).
- the step for verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage requires client to be registered with said secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage.
- the said method further comprising a step for protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
- step of logging into server by client using at least one user token further comprising steps of requesting token from client by client platform (402a); and obtaining token (402b) and returning token with user information to secure transaction log system (402c).
- in yet another aspect of the invention is the step for enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206, 500, 600) which further comprising steps of obtaining user credentials to authenticate client for server logging (502, 602); verifying said user token by secure transaction log (504, 604); extracting log information by secure transaction log upon successful verification of said user token (506, 606); verifying said log information against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608); returning verification status to secure transaction log system (510, 610); filtering request information from server identity value (512, 612); returning status and log information from storage to secure transaction log web server (514, 614); and returning status and log information from secure transaction system to client (516, 518, 616).
- the step of filtering request information from server identity value only allows owner of log information to request said log information as access control is applied to ensure that only owner of said log information is authorized to request and view said log information.
- step for obtaining user credentials to authenticate client for server logging (202, 502, 602) which further comprising steps of obtaining token from user to generate user credentials (702); logging in to client application (704); logging in to secure transaction log web service client by providing user token (706); verifying said user token (708); returning status to user (710); and providing token containing user credentials (712).
- FIG. 1 illustrates the system overview of the present invention.
- FIG. 2 is a flowchart illustrating the general methodology of an embodiment of the present invention.
- FIG. 3 is a flowchart illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
- FIG. 4 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
- FIG. 5 is a flowchart illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
- FIG. 6 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
- FIGs. 7 and 8 are sequence diagrams illustrating the steps of an embodiment of the method of the present invention for protecting and securing logging information in said storage by using hash function.
- the present invention relates to a system and method for server logging particularly by utilizing single use tokens.
- Secure transaction log system is a centralized system that logs all application transactions from different servers and applications.
- the system (100) for enabling secure transaction log for server logging by utilizing single use token comprising a client platform (102), an application platform (104) and storage (106) having capacity for storing information.
- the client platform (102) further comprises a user token (102a) for identifying user credentials; and a physical machine (102c) for processing client transaction while the application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and a secure transaction web service (104a, 104b) for validating client transaction and processing log data.
- the user token (102a) for identifying user credentials is a single use token for authentication for client to log to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
- the general methodology (200) of an embodiment of the present invention is as illustrated in FIG. 2.0.
- the method comprising steps of obtaining user credentials to authenticate client for server logging (202) before proceeding to logging into server for transaction log (204). Thereafter, viewing of logging information of authorized users is enabled for users to record and view information to or from a storage(206).
- the said method further comprising steps of protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
- the steps for logging into server for transaction log comprising steps of client logging into server by using a user token (302, 402) as the said user token contains client certificate for client to login to the system.
- client is required to request for user token through the client platform from the application server (402a).
- said token is returned to the application server (402c) and said token which contains user information together with the log information is sent to the secure transaction log system (402d).
- the secure transaction system verifies the user token (304, 404).
- Log information is extracted (306, 406) upon successful verification (304) of the user token by the secure transaction log system.
- the extracted log information will be verified by the secure transaction system against the storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408).
- client In order to execute the verification process of the extracted log information against the storage, client is required to be registered with the secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage.
- the log information may include server identification, IP (Internet Protocol) address, server distinguish name and timestamp.
- verification status is returned to secure transaction log system (310, 410) and said log information is recorded into storage (312, 412). The recording status is returned from the storage to the secure transaction log system and to the client (316, 416).
- FIGs. 5.0 and 6.0 A more detailed description for enabling viewing of logging information of authorized users to record and view information to or from at least one storage is illustrated in FIGs. 5.0 and 6.0 wherein user credentials are first obtained to authenticate client for server logging (502, 602).
- the detailed steps to obtain user credentials to authenticate client further comprising steps of obtaining token from user to generate user credentials (702) for client to login to client application (704) and thereafter client logs in to secure transaction log web service client by providing said user token (706).
- the said user token is verified (708) and the status is returned to user (710).
- the user token containing user credentials (712) are provided to execute the secure transaction log system.
- the said user token is verified by secure transaction log system (504, 604).
- log information is extracted by secure transaction log system (506, 606) and the extracted log information is verified against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608).
- the verification status is returned to the secure transaction log system (510, 610).
- the request information is filtered from server identity value (512, 612) wherein the filtering process is applied to allow owner of log information to request said log information as access control to ensure that only owner of said log information is authorized to request and view said log information.
- Status and log information is returned from storage to secure transaction log web server (514, 614) and thereafter status and log information is returned from secure transaction system to client (516, 518, 616). Further, FIGs.
- 7.0 and 8.0 provides the illustration for protecting and securing the storage information by using the hash function method wherein hash function is used for authorization of user (718) and server (816) to ensure that only validated user (7 8) and server (816) is able to log in or retrieve log information to and from said storage.
- the present invention addresses privacy issues wherein only authenticated and authorized servers are granted access to the secure transaction log system by utilizing a single use token.
- the secure logging system of the present invention which utilizes a single use token provides an authentication method for client to log in to the logging system and an authorization method to verify that only registered servers are able to record and view data to or from the storage.
- the authentication and authorization method further prevents from deletion of information by unauthorized users.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Secure transaction log system is used as an audit trail mechanism as said secure logging system is a centralized system that logs all application transactions from different servers wherein it provides an authentication method for client to login to the logging system and an authorization method to verify that only registered servers are able to record and view data to or from the storage. The system comprising at least one client platform (102); at least one application platform (104) and at least one storage device (106) having capacity for storing information. The at least one client platform (102) further comprising at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction while the at least one application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data. To enable secure transaction log for server logging, the general methodology of the present invention comprising steps of obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and enabling viewing of logging information of authorized users to record and view information to or from at least one storage. Further, storage information is protected and secured by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
Description
A SYSTEM AND METHOD FOR SECURE TRANSACTION LOG FOR SERVER
LOGGING
FIELD OF INVENTION
The present invention relates to a system and method for server logging particularly by utilizing single use token.
BACKGROUND ART
Current systems and methods which utilize machine readable technology for implementation of server logging allows any user to access and view data in the data storage device even if the data does not belong to the user. Any client platform is able to log in to the data storage device or insert data to the data storage device as there is no authorization mechanism to validate authorization of a user. For example, two client platform with two servers (Server A and Server B); Server A is able to view the data or log information from Server B as there is no access control. More particularly, privacy is an issue for users of machine readable technology as there is no filtering process to ensure that only valid and authorize user is able to access the system as currently any user is able to access the service and execute a function.
One example of controlling user access to a protected resource by providing access token is proposed in International Patent Publication No. WO2013045874 A1 entitled "Controlled Access" (hereinafter referred to as the WO 874 Publication). The WO 874 Publication provides that a user must be authenticated by the network to establish user identity and a user must also be authorized by the network to establish authenticated contents to identity association with the user to allow access. Cookie-based authentication and authorization for network which is implemented by policy server, policy store and web agents in combination with token-based access control implemented by authorization server and resource server are provided. The WO 874 Publication does not require user registration to access to the data storage device as compared to the present invention which requires registration of the authorized client. Further, data is not required to be stored in a data storage device as proposed in the present invention.
A general example that provide authentication for login by validating user login token is proposed in United States Patent No. US 8275632 B2 entitled "Privacy Compliant Consent and Data Access Management System and Methods" (hereinafter referred to as the US 632 Patent). The US 632 Patent provides privacy for data being stored in the data storage device wherein only validated client is allowed to view and retrieve the said data through a privacy module that is responsible for enforcing data ownership, logging data access for accountability, obtaining and enforcing client consent, and verifying the accuracy of information entered concerning a given client. However, the US 632 Patent does not provide means for modifying data stored in the data storage device as compared to the present invention which allows authorized client to delete or amend data stored in the data storage device.
Another mechanism which utilize file access token for file access authorization is proposed in an IEEE paper entitled "Authorization of Data Access in Distributed Storage Systems" by Derek Feichtinger, Andreas J. Peters; IEEE, 2005. In the said paper, access token namely access envelope from an organization file catalogue is utilized upon execution of a file name resolution request for file access authorization between storage system and Grid Services. Public key infrastructure (PKI) is utilized to digitally sign the envelope for encryption. Further, a storage device that authorizes a file access is provided without establishing a connection to external authorization service. However, the proposal in the said IEEE paper does not provide registration to access a data storage device as the authentication is based on the access envelop which comprises of all storage URLs (Uniform Resource Locators) and access permission. In contrast, the present invention requires for registration of the authorized client.
SUMMARY OF INVENTION
The present invention relates to a system and method for server logging particularly by utilizing single use tokens.
One aspect of the present invention provides a system (100) for enabling secure transaction log for server logging The system comprising at least one client platform (102); at least one application platform (104) and at least one storage device (106) having capacity for storing information. The at least one client platform (102) further comprising at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction while the at least one application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data, the at least one user token (102a) for identifying user credentials is a single use token for authentication for client to login to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage. Another aspect of the invention provides a method (200) for enabling secure transaction log for server logging by utilizing single use token. The method comprising steps of obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206). The step for logging into server for transaction log (204, 300, 400) further comprising steps of logging into server by client using at least one user token (302,402); verifying said user token by secure transaction log (304,404); extracting log information by secure transaction log upon successful verification of said user token (306, 406); verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408); returning verification status to secure transaction log system (310, 410); recording log information into storage (312, 412); returning recording status from storage to secure transaction log system (314, 414); and returning status from secure transaction system to client (316, 416). Further, the step for verifying said log information against storage to ensure that only authorized
server with valid log information is able to log data into said storage requires client to be registered with said secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage. The said method further comprising a step for protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
In another aspect of the invention there is provided that the step of logging into server by client using at least one user token (402) further comprising steps of requesting token from client by client platform (402a); and obtaining token (402b) and returning token with user information to secure transaction log system (402c).
In yet another aspect of the invention is the step for enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206, 500, 600) which further comprising steps of obtaining user credentials to authenticate client for server logging (502, 602); verifying said user token by secure transaction log (504, 604); extracting log information by secure transaction log upon successful verification of said user token (506, 606); verifying said log information against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608); returning verification status to secure transaction log system (510, 610); filtering request information from server identity value (512, 612); returning status and log information from storage to secure transaction log web server (514, 614); and returning status and log information from secure transaction system to client (516, 518, 616).
In a further aspect of the invention there is provided that the step of filtering request information from server identity value only allows owner of log information to request said log information as access control is applied to ensure that only owner of said log information is authorized to request and view said log information.
In still another aspect of the invention there is provided with the step for obtaining user credentials to authenticate client for server logging (202, 502, 602) which further comprising steps of obtaining token from user to generate user credentials (702); logging
in to client application (704); logging in to secure transaction log web service client by providing user token (706); verifying said user token (708); returning status to user (710); and providing token containing user credentials (712). The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which: FIG. 1 illustrates the system overview of the present invention.
FIG. 2 is a flowchart illustrating the general methodology of an embodiment of the present invention. FIG. 3 is a flowchart illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
FIG. 4 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
FIG. 5 is a flowchart illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage. FIG. 6 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
FIGs. 7 and 8 are sequence diagrams illustrating the steps of an embodiment of the method of the present invention for protecting and securing logging information in said storage by using hash function.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to a system and method for server logging particularly by utilizing single use tokens.
Hereinafter, this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
Referring to FIG. 1.0, the secure transaction log system (100) according to the present invention is illustrated. Secure transaction log system is a centralized system that logs all application transactions from different servers and applications. The system (100) for enabling secure transaction log for server logging by utilizing single use token comprising a client platform (102), an application platform (104) and storage (106) having capacity for storing information. The client platform (102) further comprises a user token (102a) for identifying user credentials; and a physical machine (102c) for processing client transaction while the application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and a secure transaction web service (104a, 104b) for validating client transaction and processing log data. The user token (102a) for identifying user credentials is a single use token for authentication for client to log to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
The general methodology (200) of an embodiment of the present invention is as illustrated in FIG. 2.0. To enable secure transaction log for server logging by utilizing single use token, the method comprising steps of obtaining user credentials to authenticate client for server logging (202) before proceeding to logging into server for transaction log (204). Thereafter, viewing of logging information of authorized users is enabled for users to record and view information to or from a storage(206). The said method further comprising steps of protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of
user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
As will be discussed in detail below with reference to FIGs. 3.0 and 4.0, the steps for logging into server for transaction log (204, 300, 400) comprising steps of client logging into server by using a user token (302, 402) as the said user token contains client certificate for client to login to the system. In order for client to login to the system using said user token, client is required to request for user token through the client platform from the application server (402a). Upon obtaining the token (402b), said token is returned to the application server (402c) and said token which contains user information together with the log information is sent to the secure transaction log system (402d). Thereafter, the secure transaction system verifies the user token (304, 404). Log information is extracted (306, 406) upon successful verification (304) of the user token by the secure transaction log system. The extracted log information will be verified by the secure transaction system against the storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408). In order to execute the verification process of the extracted log information against the storage, client is required to be registered with the secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage. The log information may include server identification, IP (Internet Protocol) address, server distinguish name and timestamp. Upon successful verification of log information against storage, verification status is returned to secure transaction log system (310, 410) and said log information is recorded into storage (312, 412). The recording status is returned from the storage to the secure transaction log system and to the client (316, 416).
A more detailed description for enabling viewing of logging information of authorized users to record and view information to or from at least one storage is illustrated in FIGs. 5.0 and 6.0 wherein user credentials are first obtained to authenticate client for server logging (502, 602). With reference to Fig. 7.0, the detailed steps to obtain user credentials to authenticate client further comprising steps of obtaining token from user to generate user credentials (702) for client to login to client application (704) and thereafter client logs in to secure transaction log web service client by providing said user token (706). The said user token is verified (708) and the status is returned to user
(710). The user token containing user credentials (712) are provided to execute the secure transaction log system. The said user token is verified by secure transaction log system (504, 604). Upon successful verification of the user token, log information is extracted by secure transaction log system (506, 606) and the extracted log information is verified against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608). The verification status is returned to the secure transaction log system (510, 610). The request information is filtered from server identity value (512, 612) wherein the filtering process is applied to allow owner of log information to request said log information as access control to ensure that only owner of said log information is authorized to request and view said log information. Status and log information is returned from storage to secure transaction log web server (514, 614) and thereafter status and log information is returned from secure transaction system to client (516, 518, 616). Further, FIGs. 7.0 and 8.0 provides the illustration for protecting and securing the storage information by using the hash function method wherein hash function is used for authorization of user (718) and server (816) to ensure that only validated user (7 8) and server (816) is able to log in or retrieve log information to and from said storage.
The present invention addresses privacy issues wherein only authenticated and authorized servers are granted access to the secure transaction log system by utilizing a single use token. The secure logging system of the present invention which utilizes a single use token provides an authentication method for client to log in to the logging system and an authorization method to verify that only registered servers are able to record and view data to or from the storage. The authentication and authorization method further prevents from deletion of information by unauthorized users.
The present invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore indicated by the appended claims rather than by the foregoing description. All changes, which come within the meaning and range of equivalency of the claims, are to be embraced within their scope.
Claims
1. A system (100) for enabling secure transaction log for server logging comprising:
at least one client platform (102) comprising:
at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction
at least one application platform (104) comprising:
log information which at least comprises a set of data containing user credentials, server identity, jP address, server distinguish name and timestamp; and
at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data
at least one storage device (106) having capacity for storing information
characterized in that
the at least one user token (102a) for identifying user credentials is a single use token for authentication for client to login to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
2. A method (200) for enabling secure transaction log for server logging by utilizing single use token comprising steps of:
obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and
enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206)
characterized in that
logging into server for transaction log (204, 300, 400) comprising steps of: logging into server by client using at least one user token
(302,402);
verifying said user token by secure transaction log (304,404); extracting log information by secure transaction log upon successful verification of said user token (306, 406);
verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408);
returning verification status to secure transaction log system (310, 410);
recording log information into storage (312, 412);
returning recording status from storage to secure transaction log system (314, 414); and
returning status from secure transaction system to client (316, 416).
A method according to Claim 2, wherein logging into server by client using at least one user token (402) further comprising steps of:
requesting token from client by client platform (402a); and
obtaining token (402b) and returning token with user information to secure transaction log system (402c).
A method according to Claim 2, wherein said log information may include server identification, IP (Internet Protocol) address, server distinguish name and timestamp.
A method according to Claim 2, wherein enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206, 500, 600) further comprising steps of:
obtaining user credentials to authenticate client for server logging (502,
602);
verifying said user token by secure transaction log (504, 604);
extracting log information by secure transaction log upon successful verification of said user token (506, 606);
verifying said log information against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608);
returning verification status to secure transaction log system (510, 610); filtering request information from server identity value (512, 612);
returning status and log information from storage to secure transaction log web server (514, 614); and
returning status and log information from secure transaction system to client (516, 518, 616).
A method according to Claim 2, wherein verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408) requires client to be registered with said secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage.
A method according to Claim 5, wherein filtering request information from server identity value only allows owner of log information to request said log information as access control is applied to ensure that only owner of said log information is authorized to request and view said log information.
A method according to Claims 2 and 5, wherein obtaining user credentials to authenticate client for server logging (202, 502, 602) further comprising steps of: obtaining token from user to generate user credentials (702);
logging in to client application (704);
logging in to secure transaction log web service client by providing user token (706);
verifying said user token (708);
returning status to user (710); and
providing token containing user credentials (712).
A method according to Claim 2, further comprising steps of protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
MYPI2013004236A MY175074A (en) | 2013-11-25 | 2013-11-25 | A system and method for secure transaction log for server logging |
MYPI2013004236 | 2013-11-25 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015076658A1 true WO2015076658A1 (en) | 2015-05-28 |
Family
ID=51541228
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/MY2014/000111 WO2015076658A1 (en) | 2013-11-25 | 2014-05-23 | A system and method for secure transaction log for server logging |
Country Status (2)
Country | Link |
---|---|
MY (1) | MY175074A (en) |
WO (1) | WO2015076658A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105391724A (en) * | 2015-11-25 | 2016-03-09 | 用友网络科技股份有限公司 | Authorization management method and authorization management device used for information system |
CN107332911A (en) * | 2017-07-03 | 2017-11-07 | 珠海金山网络游戏科技有限公司 | It is a kind of based on client release number distribute can game server method and apparatus |
CN110110516A (en) * | 2019-01-04 | 2019-08-09 | 北京车和家信息技术有限公司 | Log recording method, apparatus and system |
CN114629929A (en) * | 2022-03-16 | 2022-06-14 | 北京奇艺世纪科技有限公司 | Log recording method, device and system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8275632B2 (en) | 2004-07-23 | 2012-09-25 | Privit, Inc. | Privacy compliant consent and data access management system and methods |
WO2013045874A1 (en) | 2011-09-30 | 2013-04-04 | British Telecommunications Public Limited Company | Controlled access |
-
2013
- 2013-11-25 MY MYPI2013004236A patent/MY175074A/en unknown
-
2014
- 2014-05-23 WO PCT/MY2014/000111 patent/WO2015076658A1/en active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8275632B2 (en) | 2004-07-23 | 2012-09-25 | Privit, Inc. | Privacy compliant consent and data access management system and methods |
WO2013045874A1 (en) | 2011-09-30 | 2013-04-04 | British Telecommunications Public Limited Company | Controlled access |
Non-Patent Citations (5)
Title |
---|
DEREK FEICHTINGER; ANDREAS J. PETERS: "Authorization of Data Access in Distributed Storage Systems", IEEE, 2005 |
HARDT D ET AL: "The OAuth 2.0 Authorization Framework; rfc6749.txt", THE OAUTH 2.0 AUTHORIZATION FRAMEWORK; RFC6749.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 13 October 2012 (2012-10-13), pages 1 - 76, XP015086448 * |
LODDERSTEDT T ET AL: "OAuth 2.0 Threat Model and Security Considerations; rfc6819.txt", OAUTH 2.0 THREAT MODEL AND SECURITY CONSIDERATIONS; RFC6819.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 7 January 2013 (2013-01-07), pages 1 - 71, XP015086521 * |
PAUL YOUN: "Creating a Safer OAuth User-Experience", 26 April 2011 (2011-04-26), XP055167312, Retrieved from the Internet <URL:https://www.isecpartners.com/media/11683/isec-creating_safer_oauth_experience.pdf> [retrieved on 20150204] * |
VISHAL BHASIN ET AL: "How can one prevent clients from sharing OAuth tokens-Google Groups", 2 December 2012 (2012-12-02), pages 1 - 3, XP055167162, Retrieved from the Internet <URL:https://groups.google.com/forum/#!topic/api-craft/pYDiCQHwbUI> [retrieved on 20150204] * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105391724A (en) * | 2015-11-25 | 2016-03-09 | 用友网络科技股份有限公司 | Authorization management method and authorization management device used for information system |
CN105391724B (en) * | 2015-11-25 | 2019-04-16 | 用友网络科技股份有限公司 | Authorization management method and empowerment management device for information system |
CN107332911A (en) * | 2017-07-03 | 2017-11-07 | 珠海金山网络游戏科技有限公司 | It is a kind of based on client release number distribute can game server method and apparatus |
CN110110516A (en) * | 2019-01-04 | 2019-08-09 | 北京车和家信息技术有限公司 | Log recording method, apparatus and system |
CN114629929A (en) * | 2022-03-16 | 2022-06-14 | 北京奇艺世纪科技有限公司 | Log recording method, device and system |
CN114629929B (en) * | 2022-03-16 | 2024-03-08 | 北京奇艺世纪科技有限公司 | Log recording method, device and system |
Also Published As
Publication number | Publication date |
---|---|
MY175074A (en) | 2020-06-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7774611B2 (en) | Enforcing file authorization access | |
US11700117B2 (en) | System for credential storage and verification | |
US11792181B2 (en) | Digital credentials as guest check-in for physical building access | |
US11770261B2 (en) | Digital credentials for user device authentication | |
US11698979B2 (en) | Digital credentials for access to sensitive data | |
CN109787988B (en) | Identity strengthening authentication and authorization method and device | |
EP2404258B1 (en) | Access control using identifiers in links | |
JP5889988B2 (en) | HTTP-based authentication | |
JP4746266B2 (en) | Method and system for authenticating a user for a sub-location in a network location | |
CN111147255B (en) | Data security service system, method and computer readable storage medium | |
US8719912B2 (en) | Enabling private data feed | |
US8898755B2 (en) | Trusted internet identity | |
US11792180B2 (en) | Digital credentials for visitor network access | |
US8407464B2 (en) | Techniques for using AAA services for certificate validation and authorization | |
US9961069B2 (en) | Ticket generator for alternate authentication environments | |
CN111800378B (en) | Login authentication method, device, system and storage medium | |
KR101817152B1 (en) | Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential | |
US20170171189A1 (en) | Distributed authentication system | |
US11522713B2 (en) | Digital credentials for secondary factor authentication | |
WO2015076658A1 (en) | A system and method for secure transaction log for server logging | |
US20090327704A1 (en) | Strong authentication to a network | |
EP2359525B1 (en) | Method for enabling limitation of service access | |
Johnson et al. | Rethinking Single Sign-On: A Reliable and Privacy-Preserving Alternative with Verifiable Credentials | |
JP4219076B2 (en) | Electronic document management method, electronic document management system, and recording medium | |
US11539533B1 (en) | Access control using a circle of trust |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14766229 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14766229 Country of ref document: EP Kind code of ref document: A1 |