WO2015076658A1 - A system and method for secure transaction log for server logging - Google Patents

A system and method for secure transaction log for server logging


Publication number
WO2015076658A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
server
information
client
logging
Prior art date
Application number
PCT/MY2014/000111
Other languages
French (fr)
Inventor
Nor Izyani Daud
Chong Seak Sea
Kang Siong Ng
Galoh Rashidah Haron
Dharmadharshni MANIAM
Hon Loon WONG
Original Assignee
Mimos Berhad
Priority date
Filing date
Publication date
Application filed by Mimos Berhad
Publication of WO2015076658A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Definitions

  • the present invention relates to a system and method for server logging particularly by utilizing single use token.
  • Any client platform is able to log in to the data storage device or insert data to the data storage device as there is no authorization mechanism to validate authorization of a user.
  • Server A is able to view the data or log information from Server B as there is no access control.
  • privacy is an issue for users of machine readable technology as there is no filtering process to ensure that only valid and authorize user is able to access the system as currently any user is able to access the service and execute a function.
  • WO2013045874 A1 entitled “Controlled Access”
  • the WO 874 Publication provides that a user must be authenticated by the network to establish user identity and a user must also be authorized by the network to establish authenticated contents to identity association with the user to allow access.
  • Cookie-based authentication and authorization for network which is implemented by policy server, policy store and web agents in combination with token-based access control implemented by authorization server and resource server are provided.
  • the WO 874 Publication does not require user registration to access to the data storage device as compared to the present invention which requires registration of the authorized client.
  • US 632 Patent provides privacy for data being stored in the data storage device wherein only validated client is allowed to view and retrieve the said data through a privacy module that is responsible for enforcing data ownership, logging data access for accountability, obtaining and enforcing client consent, and verifying the accuracy of information entered concerning a given client.
  • the US 632 Patent does not provide means for modifying data stored in the data storage device as compared to the present invention which allows authorized client to delete or amend data stored in the data storage device.
  • the present invention relates to a system and method for server logging particularly by utilizing single use tokens.
  • One aspect of the present invention provides a system (100) for enabling secure transaction log for server logging
  • the system comprising at least one client platform (102); at least one application platform (104) and at least one storage device (106) having capacity for storing information.
  • the at least one client platform (102) further comprising at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction while the at least one application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data
  • the at least one user token (102a) for identifying user credentials is a single use token for authentication for client to login to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
  • Another aspect of the invention provides a method (200) for enabling secure transaction log for server logging by utilizing single use token.
  • the method comprising steps of obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206).
  • the step for logging into server for transaction log further comprising steps of logging into server by client using at least one user token (302,402); verifying said user token by secure transaction log (304,404); extracting log information by secure transaction log upon successful verification of said user token (306, 406); verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408); returning verification status to secure transaction log system (310, 410); recording log information into storage (312, 412); returning recording status from storage to secure transaction log system (314, 414); and returning status from secure transaction system to client (316, 416).
  • the step for verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage requires client to be registered with said secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage.
  • the said method further comprising a step for protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
  • step of logging into server by client using at least one user token further comprising steps of requesting token from client by client platform (402a); and obtaining token (402b) and returning token with user information to secure transaction log system (402c).
  • in yet another aspect of the invention is the step for enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206, 500, 600) which further comprising steps of obtaining user credentials to authenticate client for server logging (502, 602); verifying said user token by secure transaction log (504, 604); extracting log information by secure transaction log upon successful verification of said user token (506, 606); verifying said log information against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608); returning verification status to secure transaction log system (510, 610); filtering request information from server identity value (512, 612); returning status and log information from storage to secure transaction log web server (514, 614); and returning status and log information from secure transaction system to client (516, 518, 616).
  • the step of filtering request information from server identity value only allows owner of log information to request said log information as access control is applied to ensure that only owner of said log information is authorized to request and view said log information.
  • step for obtaining user credentials to authenticate client for server logging (202, 502, 602) which further comprising steps of obtaining token from user to generate user credentials (702); logging in to client application (704); logging in to secure transaction log web service client by providing user token (706); verifying said user token (708); returning status to user (710); and providing token containing user credentials (712).
  • FIG. 1 illustrates the system overview of the present invention.
  • FIG. 2 is a flowchart illustrating the general methodology of an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
  • FIG. 4 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
  • FIG. 5 is a flowchart illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
  • FIG. 6 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
  • FIGs. 7 and 8 are sequence diagrams illustrating the steps of an embodiment of the method of the present invention for protecting and securing logging information in said storage by using hash function.
  • the present invention relates to a system and method for server logging particularly by utilizing single use tokens.
  • Secure transaction log system is a centralized system that logs all application transactions from different servers and applications.
  • the system (100) for enabling secure transaction log for server logging by utilizing single use token comprising a client platform (102), an application platform (104) and storage (106) having capacity for storing information.
  • the client platform (102) further comprises a user token (102a) for identifying user credentials; and a physical machine (102c) for processing client transaction while the application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and a secure transaction web service (104a, 104b) for validating client transaction and processing log data.
  • the user token (102a) for identifying user credentials is a single use token for authentication for client to log to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
  • the general methodology (200) of an embodiment of the present invention is as illustrated in FIG. 2.0.
  • the method comprising steps of obtaining user credentials to authenticate client for server logging (202) before proceeding to logging into server for transaction log (204). Thereafter, viewing of logging information of authorized users is enabled for users to record and view information to or from a storage (206).
  • the said method further comprising steps of protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
  • the steps for logging into server for transaction log comprising steps of client logging into server by using a user token (302, 402) as the said user token contains client certificate for client to login to the system.
  • client is required to request for user token through the client platform from the application server (402a).
  • said token is returned to the application server (402c) and said token which contains user information together with the log information is sent to the secure transaction log system (402d).
  • the secure transaction system verifies the user token (304, 404).
  • Log information is extracted (306, 406) upon successful verification (304) of the user token by the secure transaction log system.
  • the extracted log information will be verified by the secure transaction system against the storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408).
  • In order to execute the verification process of the extracted log information against the storage, client is required to be registered with the secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage.
  • the log information may include server identification, IP (Internet Protocol) address, server distinguish name and timestamp.
  • verification status is returned to secure transaction log system (310, 410) and said log information is recorded into storage (312, 412). The recording status is returned from the storage to the secure transaction log system and to the client (316, 416).
  • A more detailed description for enabling viewing of logging information of authorized users to record and view information to or from at least one storage is illustrated in FIGs. 5.0 and 6.0 wherein user credentials are first obtained to authenticate client for server logging (502, 602).
  • the detailed steps to obtain user credentials to authenticate client further comprising steps of obtaining token from user to generate user credentials (702) for client to login to client application (704) and thereafter client logs in to secure transaction log web service client by providing said user token (706).
  • the said user token is verified (708) and the status is returned to user (710).
  • the user token containing user credentials (712) are provided to execute the secure transaction log system.
  • the said user token is verified by secure transaction log system (504, 604).
  • log information is extracted by secure transaction log system (506, 606) and the extracted log information is verified against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608).
  • the verification status is returned to the secure transaction log system (510, 610).
  • the request information is filtered from server identity value (512, 612) wherein the filtering process is applied to allow owner of log information to request said log information as access control to ensure that only owner of said log information is authorized to request and view said log information.
  • Status and log information is returned from storage to secure transaction log web server (514, 614) and thereafter status and log information is returned from secure transaction system to client (516, 518, 616).
  • Further, FIGs. 7.0 and 8.0 provides the illustration for protecting and securing the storage information by using the hash function method wherein hash function is used for authorization of user (718) and server (816) to ensure that only validated user (718) and server (816) is able to log in or retrieve log information to and from said storage.
  • the present invention addresses privacy issues wherein only authenticated and authorized servers are granted access to the secure transaction log system by utilizing a single use token.
  • the secure logging system of the present invention which utilizes a single use token provides an authentication method for client to log in to the logging system and an authorization method to verify that only registered servers are able to record and view data to or from the storage.
  • the authentication and authorization method further prevents from deletion of information by unauthorized users.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Secure transaction log system is used as an audit trail mechanism as said secure logging system is a centralized system that logs all application transactions from different servers wherein it provides an authentication method for client to login to the logging system and an authorization method to verify that only registered servers are able to record and view data to or from the storage. The system comprising at least one client platform (102); at least one application platform (104) and at least one storage device (106) having capacity for storing information. The at least one client platform (102) further comprising at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction while the at least one application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data. To enable secure transaction log for server logging, the general methodology of the present invention comprising steps of obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and enabling viewing of logging information of authorized users to record and view information to or from at least one storage. Further, storage information is protected and secured by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.

Description

A SYSTEM AND METHOD FOR SECURE TRANSACTION LOG FOR SERVER LOGGING
FIELD OF INVENTION
The present invention relates to a system and method for server logging particularly by utilizing single use token.
BACKGROUND ART
Current systems and methods which utilize machine readable technology for implementation of server logging allow any user to access and view data in the data storage device even if the data does not belong to the user. Any client platform is able to log in to the data storage device or insert data into the data storage device as there is no authorization mechanism to validate authorization of a user. For example, given two client platforms with two servers (Server A and Server B), Server A is able to view the data or log information from Server B as there is no access control. More particularly, privacy is an issue for users of machine readable technology as there is no filtering process to ensure that only a valid and authorized user is able to access the system; currently any user is able to access the service and execute a function.
One example of controlling user access to a protected resource by providing an access token is proposed in International Patent Publication No. WO2013045874 A1 entitled "Controlled Access" (hereinafter referred to as the WO 874 Publication). The WO 874 Publication provides that a user must be authenticated by the network to establish user identity and a user must also be authorized by the network to establish authenticated contents to identity association with the user to allow access. Cookie-based authentication and authorization for network which is implemented by policy server, policy store and web agents in combination with token-based access control implemented by authorization server and resource server are provided. The WO 874 Publication does not require user registration to access the data storage device as compared to the present invention which requires registration of the authorized client. Further, data is not required to be stored in a data storage device as proposed in the present invention.
A general example that provides authentication for login by validating a user login token is proposed in United States Patent No. US 8275632 B2 entitled "Privacy Compliant Consent and Data Access Management System and Methods" (hereinafter referred to as the US 632 Patent). The US 632 Patent provides privacy for data being stored in the data storage device wherein only a validated client is allowed to view and retrieve the said data through a privacy module that is responsible for enforcing data ownership, logging data access for accountability, obtaining and enforcing client consent, and verifying the accuracy of information entered concerning a given client. However, the US 632 Patent does not provide means for modifying data stored in the data storage device as compared to the present invention which allows an authorized client to delete or amend data stored in the data storage device.
Another mechanism which utilizes a file access token for file access authorization is proposed in an IEEE paper entitled "Authorization of Data Access in Distributed Storage Systems" by Derek Feichtinger, Andreas J. Peters; IEEE, 2005. In the said paper, an access token, namely an access envelope from an organization file catalogue, is utilized upon execution of a file name resolution request for file access authorization between storage system and Grid Services. Public key infrastructure (PKI) is utilized to digitally sign the envelope for encryption. Further, a storage device that authorizes a file access is provided without establishing a connection to an external authorization service. However, the proposal in the said IEEE paper does not provide registration to access a data storage device as the authentication is based on the access envelope, which comprises all storage URLs (Uniform Resource Locators) and access permission. In contrast, the present invention requires registration of the authorized client.
SUMMARY OF INVENTION
The present invention relates to a system and method for server logging particularly by utilizing single use tokens.
One aspect of the present invention provides a system (100) for enabling secure transaction log for server logging. The system comprising at least one client platform (102); at least one application platform (104) and at least one storage device (106) having capacity for storing information. The at least one client platform (102) further comprising at least one user token (102a) for identifying user credentials; and at least one physical machine (102c) for processing client transaction while the at least one application platform (104) further comprising log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data. The at least one user token (102a) for identifying user credentials is a single use token for authentication for client to login to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
Another aspect of the invention provides a method (200) for enabling secure transaction log for server logging by utilizing single use token. The method comprising steps of obtaining user credentials to authenticate client for server logging (202); logging into server for transaction log (204); and enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206).
The step for logging into server for transaction log (204, 300, 400) further comprising steps of logging into server by client using at least one user token (302,402); verifying said user token by secure transaction log (304,404); extracting log information by secure transaction log upon successful verification of said user token (306, 406); verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408); returning verification status to secure transaction log system (310, 410); recording log information into storage (312, 412); returning recording status from storage to secure transaction log system (314, 414); and returning status from secure transaction system to client (316, 416). Further, the step for verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage requires client to be registered with said secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage. The said method further comprising a step for protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
In another aspect of the invention there is provided that the step of logging into server by client using at least one user token (402) further comprising steps of requesting token from client by client platform (402a); and obtaining token (402b) and returning token with user information to secure transaction log system (402c).
In yet another aspect of the invention is the step for enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206, 500, 600) which further comprising steps of obtaining user credentials to authenticate client for server logging (502, 602); verifying said user token by secure transaction log (504, 604); extracting log information by secure transaction log upon successful verification of said user token (506, 606); verifying said log information against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608); returning verification status to secure transaction log system (510, 610); filtering request information from server identity value (512, 612); returning status and log information from storage to secure transaction log web server (514, 614); and returning status and log information from secure transaction system to client (516, 518, 616).
In a further aspect of the invention there is provided that the step of filtering request information from server identity value only allows owner of log information to request said log information as access control is applied to ensure that only owner of said log information is authorized to request and view said log information.
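The record flow (302 to 316) and the view flow with server-identity filtering (502 to 516) described above can be modelled in a few lines. This is an added example, not code from the patent: the class and method names, the `issue_token` step, the status strings, the `message` field and the sample servers are assumptions, and the SHA-256 digest table is an added hardening choice rather than the patent's hash function step (716), which is not modelled.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class LogInfo:
    """Log information fields listed on the page, plus an assumed payload."""
    server_identity: str
    ip_address: str
    distinguished_name: str   # the page's "server distinguish name"
    timestamp: str
    message: str              # assumption: the page names no payload field


class SecureTransactionLog:
    """Toy stand-in for the secure transaction web service and its storage."""

    def __init__(self):
        self._registered = {}    # server_identity -> (ip_address, distinguished_name)
        self._outstanding = {}   # sha256(token) -> server_identity it was issued to
        self._storage = []       # stands in for storage (106)

    def register_server(self, server_identity, ip_address, distinguished_name):
        self._registered[server_identity] = (ip_address, distinguished_name)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, server_identity):
        """Assumed issuance step: one random token per transaction."""
        if server_identity not in self._registered:
            raise PermissionError("server is not registered")
        token = secrets.token_urlsafe(32)
        # Keep only a digest so a dump of this table yields no usable token.
        self._outstanding[self._digest(token)] = server_identity
        return token

    def _consume(self, token):
        # pop() makes the token single use: a second presentation finds nothing.
        return self._outstanding.pop(self._digest(token), None)

    def record(self, token, info):
        holder = self._consume(token)                      # verify token
        if holder is None:
            return "invalid-token"
        registered = self._registered.get(info.server_identity)
        claimed = (info.ip_address, info.distinguished_name)
        # Verify the extracted log information against the registration data.
        if holder != info.server_identity or registered != claimed:
            return "unauthorized-server"
        self._storage.append(info)                         # record
        return "recorded"

    def view(self, token, requested_identity):
        holder = self._consume(token)
        if holder is None:
            return "invalid-token", []
        # Filter on server identity: only the owner may request its entries.
        if requested_identity != holder:
            return "unauthorized-server", []
        entries = [e for e in self._storage if e.server_identity == holder]
        return "ok", entries


def demo():
    """Run the flows on constructed sample data and return each outcome."""
    svc = SecureTransactionLog()
    svc.register_server("server-A", "192.0.2.10", "CN=server-A,O=Example")
    svc.register_server("server-B", "192.0.2.20", "CN=server-B,O=Example")
    entry_a = LogInfo("server-A", "192.0.2.10", "CN=server-A,O=Example",
                      "2014-06-01T08:00:00Z", "payment 1001 committed")
    results = {}
    token = svc.issue_token("server-A")
    results["record"] = svc.record(token, entry_a)
    results["replay"] = svc.record(token, entry_a)          # same token again
    results["spoof"] = svc.record(svc.issue_token("server-B"), entry_a)
    results["cross_view"] = svc.view(svc.issue_token("server-B"), "server-A")
    results["own_view"] = svc.view(svc.issue_token("server-A"), "server-A")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The replayed token, the entry submitted by Server B under Server A's identity, and Server B's request for Server A's entries are all refused, which is the Server A / Server B gap the background section describes.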
In still another aspect of the invention there is provided with the step for obtaining user credentials to authenticate client for server logging (202, 502, 602) which further comprising steps of obtaining token from user to generate user credentials (702); logging in to client application (704); logging in to secure transaction log web service client by providing user token (706); verifying said user token (708); returning status to user (710); and providing token containing user credentials (712).
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which:
FIG. 1 illustrates the system overview of the present invention.
FIG. 2 is a flowchart illustrating the general methodology of an embodiment of the present invention.
FIG. 3 is a flowchart illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
FIG. 4 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for logging into server for transaction log.
FIG. 5 is a flowchart illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
FIG. 6 is a sequence diagram illustrating the steps of an embodiment of the method of the present invention for enabling viewing of logging information of authorized users to record and view information to or from at least one storage.
FIGs. 7 and 8 are sequence diagrams illustrating the steps of an embodiment of the method of the present invention for protecting and securing logging information in said storage by using hash function.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to a system and method for server logging particularly by utilizing single use tokens.
Hereinafter, this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
Referring to FIG. 1.0, the secure transaction log system (100) according to the present invention is illustrated. The secure transaction log system is a centralized system that logs all application transactions from different servers and applications. The system (100) for enabling secure transaction log for server logging by utilizing single use token comprises a client platform (102), an application platform (104) and storage (106) having capacity for storing information. The client platform (102) further comprises a user token (102a) for identifying user credentials and a physical machine (102c) for processing client transaction, while the application platform (104) further comprises log information, which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp, and a secure transaction web service (104a, 104b) for validating client transaction and processing log data. The user token (102a) for identifying user credentials is a single use token for authentication for client to log in to the logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
The general methodology (200) of an embodiment of the present invention is as illustrated in FIG. 2.0. To enable secure transaction log for server logging by utilizing single use token, the method comprises the steps of obtaining user credentials to authenticate client for server logging (202) before proceeding to logging into server for transaction log (204). Thereafter, viewing of logging information of authorized users is enabled for users to record and view information to or from a storage (206). The said method further comprises the steps of protecting and securing logging information in said storage by using hash function (716), wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
As will be discussed in detail below with reference to FIGs. 3.0 and 4.0, the steps for logging into server for transaction log (204, 300, 400) comprise the client logging into the server by using a user token (302, 402), as the said user token contains the client certificate for the client to log in to the system. In order for the client to log in to the system using said user token, the client is required to request the user token through the client platform from the application server (402a). Upon obtaining the token (402b), said token is returned to the application server (402c), and said token, which contains user information, is sent together with the log information to the secure transaction log system (402d). Thereafter, the secure transaction system verifies the user token (304, 404). Log information is extracted (306, 406) upon successful verification (304) of the user token by the secure transaction log system. The extracted log information is verified by the secure transaction system against the storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408). In order to execute the verification process of the extracted log information against the storage, the client is required to be registered with the secure transaction system to perform any transaction, which provides an authorization to ensure that only registered server identity is able to log said log information into said storage. The log information may include server identification, IP (Internet Protocol) address, server distinguish name and timestamp. Upon successful verification of log information against storage, verification status is returned to the secure transaction log system (310, 410) and said log information is recorded into storage (312, 412). The recording status is returned from the storage to the secure transaction log system and to the client (316, 416).
A more detailed description for enabling viewing of logging information of authorized users to record and view information to or from at least one storage is illustrated in FIGs. 5.0 and 6.0, wherein user credentials are first obtained to authenticate client for server logging (502, 602). With reference to FIG. 7.0, the detailed steps to obtain user credentials to authenticate client further comprise the steps of obtaining token from user to generate user credentials (702) for client to log in to client application (704), and thereafter client logs in to secure transaction log web service client by providing said user token (706). The said user token is verified (708) and the status is returned to user (710). The user token containing user credentials (712) is provided to execute the secure transaction log system. The said user token is verified by secure transaction log system (504, 604). Upon successful verification of the user token, log information is extracted by secure transaction log system (506, 606) and the extracted log information is verified against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608). The verification status is returned to the secure transaction log system (510, 610). The request information is filtered from server identity value (512, 612), wherein the filtering process is applied to allow owner of log information to request said log information as access control to ensure that only owner of said log information is authorized to request and view said log information. Status and log information is returned from storage to secure transaction log web server (514, 614) and thereafter status and log information is returned from secure transaction system to client (516, 518, 616). Further, FIGs. 7.0 and 8.0 provide the illustration for protecting and securing the storage information by using the hash function method, wherein hash function is used for authorization of user (718) and server (816) to ensure that only validated user (718) and server (816) are able to log in or retrieve log information to and from said storage.
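The recording flow (302 to 316) and the viewing flow (502 to 516) described above can be modelled as follows. This is an added example, not code from the patent: the opaque random token, its binding to one server identity at issuance, keeping only its SHA-256 digest, and all class, method and field names (`dn` stands for the server distinguish name) are assumptions.

```python
import hashlib
import secrets
import time


def _digest(token):
    # Assumption: only the SHA-256 digest of an issued token is kept server side.
    return hashlib.sha256(token.encode()).hexdigest()


class SecureTransactionLog:
    def __init__(self):
        self.registered = {}  # server_id -> (ip, dn)
        self.tokens = {}      # token digest -> (user, server_id)
        self.storage = []     # recorded log entries

    def register_server(self, server_id, ip, dn):
        self.registered[server_id] = (ip, dn)

    def issue_token(self, user, server_id):
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (user, server_id)
        return token

    def _verify_token(self, token):
        # pop() removes the digest, so a replayed token fails (single use).
        return self.tokens.pop(_digest(token), None)

    def _server_is_valid(self, bound_id, info):
        # Claimed identity must be registered, match the token's server, and
        # carry the registered IP address and dn.
        reg = self.registered.get(info.get("server_id"))
        return (reg is not None and info["server_id"] == bound_id
                and reg == (info.get("ip"), info.get("dn")))

    def record(self, token, info):
        holder = self._verify_token(token)             # step 304
        if holder is None:
            return "token rejected"
        user, bound_id = holder
        if not self._server_is_valid(bound_id, info):  # step 308
            return "server rejected"
        entry = {**info, "user": user, "timestamp": time.time()}
        self.storage.append(entry)                     # step 312
        return "recorded"

    def view(self, token, info):
        holder = self._verify_token(token)             # step 504
        if holder is None:
            return "token rejected", []
        _, bound_id = holder
        if not self._server_is_valid(bound_id, info):  # step 508
            return "server rejected", []
        # Step 512: filter on server identity so only the owner sees its entries.
        return "ok", [e for e in self.storage if e["server_id"] == bound_id]


def demo():
    # Constructed sample data (documentation IP ranges, made-up names).
    stl = SecureTransactionLog()
    stl.register_server("app-1", "192.0.2.10", "CN=app-1")
    stl.register_server("app-2", "192.0.2.20", "CN=app-2")
    a1 = {"server_id": "app-1", "ip": "192.0.2.10", "dn": "CN=app-1"}
    a2 = {"server_id": "app-2", "ip": "192.0.2.20", "dn": "CN=app-2"}
    t = stl.issue_token("alice", "app-1")
    out = [stl.record(t, a1), stl.record(t, a1)]            # fresh, then replay
    out.append(stl.record(stl.issue_token("bob", "app-2"), a2))
    out.append(stl.record(stl.issue_token("alice", "app-1"),
                          {**a1, "ip": "198.51.100.7"}))    # unregistered IP
    out.append(stl.view(stl.issue_token("bob", "app-2"), a1)[0])  # not the owner
    status, entries = stl.view(stl.issue_token("alice", "app-1"), a1)
    return out, status, [e["user"] for e in entries]
```

A token is consumed even when the server check fails, so a rejected request cannot be retried with the same token.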
The present invention addresses privacy issues wherein only authenticated and authorized servers are granted access to the secure transaction log system by utilizing a single use token. The secure logging system of the present invention, which utilizes a single use token, provides an authentication method for client to log in to the logging system and an authorization method to verify that only registered servers are able to record and view data to or from the storage. The authentication and authorization method further prevents deletion of information by unauthorized users.
The present invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

Claims

1. A system (100) for enabling secure transaction log for server logging comprising:
at least one client platform (102) comprising:
at least one user token (102a) for identifying user credentials; and
at least one physical machine (102c) for processing client transaction
at least one application platform (104) comprising:
log information which at least comprises a set of data containing user credentials, server identity, IP address, server distinguish name and timestamp; and
at least one secure transaction web service (104a, 104b) for validating client transaction and processing log data
at least one storage device (106) having capacity for storing information
characterized in that
the at least one user token (102a) for identifying user credentials is a single use token for authentication for client to login to logging system and for authorization and verification that only registered server is able to record and view information to or from said storage.
2. A method (200) for enabling secure transaction log for server logging by utilizing single use token comprising steps of:
obtaining user credentials to authenticate client for server logging (202);
logging into server for transaction log (204); and
enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206)
characterized in that
logging into server for transaction log (204, 300, 400) comprising steps of:
logging into server by client using at least one user token (302, 402);
verifying said user token by secure transaction log (304, 404);
extracting log information by secure transaction log upon successful verification of said user token (306, 406);
verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408);
returning verification status to secure transaction log system (310, 410);
recording log information into storage (312, 412);
returning recording status from storage to secure transaction log system (314, 414); and
returning status from secure transaction system to client (316, 416).
3. A method according to Claim 2, wherein logging into server by client using at least one user token (402) further comprising steps of:
requesting token from client by client platform (402a); and
obtaining token (402b) and returning token with user information to secure transaction log system (402c).
4. A method according to Claim 2, wherein said log information may include server identification, IP (Internet Protocol) address, server distinguish name and timestamp.
5. A method according to Claim 2, wherein enabling viewing of logging information of authorized users to record and view information to or from at least one storage (206, 500, 600) further comprising steps of:
obtaining user credentials to authenticate client for server logging (502, 602);
verifying said user token by secure transaction log (504, 604);
extracting log information by secure transaction log upon successful verification of said user token (506, 606);
verifying said log information against storage to ensure that only authorized server with valid log information is able to view log information in said storage (508, 608);
returning verification status to secure transaction log system (510, 610);
filtering request information from server identity value (512, 612);
returning status and log information from storage to secure transaction log web server (514, 614); and
returning status and log information from secure transaction system to client (516, 518, 616).
6. A method according to Claim 2, wherein verifying said log information against storage to ensure that only authorized server with valid log information is able to log data into said storage (308, 408) requires client to be registered with said secure transaction system to perform any transaction which provides an authorization to ensure that only registered server identity is able to log said log information into said storage.
7. A method according to Claim 5, wherein filtering request information from server identity value only allows owner of log information to request said log information as access control is applied to ensure that only owner of said log information is authorized to request and view said log information.
8. A method according to Claims 2 and 5, wherein obtaining user credentials to authenticate client for server logging (202, 502, 602) further comprising steps of:
obtaining token from user to generate user credentials (702);
logging in to client application (704);
logging in to secure transaction log web service client by providing user token (706);
verifying said user token (708);
returning status to user (710); and
providing token containing user credentials (712).
9. A method according to Claim 2, further comprising steps of protecting and securing logging information in said storage by using hash function (716) wherein hash function is used for authorization of user (718) to ensure that only validated user is able to log in or retrieve log information to and from said storage.
PCT/MY2014/000111 2013-11-25 2014-05-23 A system and method for secure transaction log for server logging WO2015076658A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2013004236A MY175074A (en) 2013-11-25 2013-11-25 A system and method for secure transaction log for server logging
MYPI2013004236 2013-11-25

Publications (1)

Publication Number Publication Date
WO2015076658A1 true WO2015076658A1 (en) 2015-05-28

Family

ID=51541228

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2014/000111 WO2015076658A1 (en) 2013-11-25 2014-05-23 A system and method for secure transaction log for server logging

Country Status (2)

Country Link
MY (1) MY175074A (en)
WO (1) WO2015076658A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8275632B2 (en) 2004-07-23 2012-09-25 Privit, Inc. Privacy compliant consent and data access management system and methods
WO2013045874A1 (en) 2011-09-30 2013-04-04 British Telecommunications Public Limited Company Controlled access

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
DEREK FEICHTINGER; ANDREAS J. PETERS: "Authorization of Data Access in Distributed Storage Systems", IEEE, 2005
HARDT D ET AL: "The OAuth 2.0 Authorization Framework; rfc6749.txt", THE OAUTH 2.0 AUTHORIZATION FRAMEWORK; RFC6749.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 13 October 2012 (2012-10-13), pages 1 - 76, XP015086448 *
LODDERSTEDT T ET AL: "OAuth 2.0 Threat Model and Security Considerations; rfc6819.txt", OAUTH 2.0 THREAT MODEL AND SECURITY CONSIDERATIONS; RFC6819.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARD, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 7 January 2013 (2013-01-07), pages 1 - 71, XP015086521 *
PAUL YOUN: "Creating a Safer OAuth User-Experience", 26 April 2011 (2011-04-26), XP055167312, Retrieved from the Internet <URL:https://www.isecpartners.com/media/11683/isec-creating_safer_oauth_experience.pdf> [retrieved on 20150204] *
VISHAL BHASIN ET AL: "How can one prevent clients from sharing OAuth tokens-Google Groups", 2 December 2012 (2012-12-02), pages 1 - 3, XP055167162, Retrieved from the Internet <URL:https://groups.google.com/forum/#!topic/api-craft/pYDiCQHwbUI> [retrieved on 20150204] *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105391724A (en) * 2015-11-25 2016-03-09 用友网络科技股份有限公司 Authorization management method and authorization management device used for information system
CN105391724B (en) * 2015-11-25 2019-04-16 用友网络科技股份有限公司 Authorization management method and empowerment management device for information system
CN107332911A (en) * 2017-07-03 2017-11-07 珠海金山网络游戏科技有限公司 It is a kind of based on client release number distribute can game server method and apparatus
CN110110516A (en) * 2019-01-04 2019-08-09 北京车和家信息技术有限公司 Log recording method, apparatus and system
CN114629929A (en) * 2022-03-16 2022-06-14 北京奇艺世纪科技有限公司 Log recording method, device and system
CN114629929B (en) * 2022-03-16 2024-03-08 北京奇艺世纪科技有限公司 Log recording method, device and system

Also Published As

Publication number Publication date
MY175074A (en) 2020-06-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14766229

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14766229

Country of ref document: EP

Kind code of ref document: A1