[go: up one dir, main page]

EP2409455A2 - Method of generating a proxy certificate - Google Patents

Method of generating a proxy certificate

Info

Publication number
EP2409455A2
EP2409455A2 EP10753743A EP10753743A EP2409455A2 EP 2409455 A2 EP2409455 A2 EP 2409455A2 EP 10753743 A EP10753743 A EP 10753743A EP 10753743 A EP10753743 A EP 10753743A EP 2409455 A2 EP2409455 A2 EP 2409455A2
Authority
EP
European Patent Office
Prior art keywords
certificate
proxy certificate
user
proxy
digest
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP10753743A
Other languages
German (de)
French (fr)
Inventor
Chong Seak Sea
Kang Siong Ng
Fui Bee Tan
Galoh Rashidah Haron
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mimos Bhd
Original Assignee
Mimos Bhd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Bhd filed Critical Mimos Bhd
Publication of EP2409455A2 publication Critical patent/EP2409455A2/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to a method for generating a proxy certificate to a web portal from a user certificate residing in computer with a web browser.
  • a personal computer is widely used in a company or by a person. In some cases, confidential data is stored in the PC. To prevent such secret data from being accessed by an unauthorized user, techniques of preventing information stored in a PC from being leaked have been developed.
  • One known technique for this function is to identify a user on the basis of a password input by the user or on the basis of biotic information of the user.
  • a public key infrastructure is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through a registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, a user identity, the public key, their binding, validity conditions and other attributes in public key certificates issued by the CA is unable to be duplicated.
  • RA Registration Authority
  • PKI applications and services remotely and automatically send public key information to other sources on the behalf of the users. For example, a job running on some remote web portal is required to be able to communicate with other web portals to transfer information pr files, and therefore the proof of user identity is required. The method is not secure for the system may send users information to other sources without user's notification.
  • a method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate comprises the steps of inserting a smart card into a card reader, establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP, generating a proxy certificate, displaying a web browser request for a validation period in hour(s), inputting user validation period required for the proxy certificate, sending the user validation period in hour(s) to the web portal, generating a new public and private key pair, storing the key pair in the web portal, retrieving the user certificate from Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) session, extracting user information from the user certificate, combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate, calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate, generating a hypertext markup language (HTML) page
  • Figure 1 is a diagram to show a chain of trust to proxy certificates
  • Figure 2 is a diagram to show a chain of trust to numbers of proxy certificates.
  • Figure 3 is a diagram to show a complete sequence diagram of issuing a proxy certificate.
  • the present invention relates to method for generating a proxy certificate.
  • this specification will describe the present invention according to the preferred embodiments of the present invention. However, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications and equivalents without departing from the scope of the appended claims.
  • the present invention consists of several hardware components that include a server equipped with one or more processors to process data, one or more network cards for networking a system, a plurality of port interfaces to connect external devices and one or more hard drives to store operating system and data.
  • a server equipped with one or more processors to process data
  • one or more network cards for networking a system a plurality of port interfaces to connect external devices
  • one or more hard drives to store operating system and data.
  • a user will have a separate system to act as access terminal and is equipped with a card reader.
  • the present invention further consists of several components that include a web portal, a web server, a web application, a browser extension program, a module library and an electronic card.
  • the web portal centralized web application running on the web server, which has access to various applications within the same enterprise to share information across applications.
  • the web portal enables various users with different roles accessing application and prefers to have a single access point to all of them over the internet.
  • the web browser is software that runs on the user's computer. Users interact with the web browser to display the web information such as display text, video, audio and other web activity. Most web browsers are compatible with the present invention (e.g. Microsoft Internet Explorer and Mozilla Firefox).
  • the Web Application is a Common Gateway Interface (CGI) activated by a web server or other server running on an operating system. Its function is to extract user certificate information, create proxy certificate, construct HTML file that contains embedded tag to activate the browser extension program that is executed on the user computer, and generate private as well as public key pair.
  • CGI Common Gateway Interface
  • the browser extension program is software programmed to activate the browser to carry out proxy certificate creation based on the parameters in the browser embedded tag and interface to the module library that obtains user private key from user electronic card. It is appreciated by a person skilled in the art that the present invention also can be applied to situation where user's private key is stored in web browser or the smart card and any other storage medium.
  • the module library is a cryptographic token interface known as PKCS#11 and CSP 1 module library that can be loaded into Microsoft Internet Explorer while PKCS#11 module library serves the same purpose for Mozilla Firefox browser.
  • These cryptographic token interface libraries allow the web browsers and browser extension software program to interact with cryptographic tokens to perform RSA private key related operations that involved the use of the smart card or virtual memory storage.
  • the electronic card is a cryptographic smart card that is capable of performing RSA private key operations using stored private key. The smart card can also be replaced by virtual memory storage to perform a similar private key operation.
  • the web portal will create a temporary new public-private key pairs, and the created public key will be digitally signed by users own private key.
  • the proxy private key is used for certificate based authentication with another server.
  • the proxy private key and proxy certificate (containing proxy public key) is at the web portal.
  • the proxy certificate and private key is used to perform certificate based authentication to other servers from the web portal. This is because for some situations or by design, the user is unable to connect to the server; but rather the connection is routed via the web portal. So you have a web portal sitting in between the user computer and another server.
  • the server asks for certificate based authentication from the web portal but the web portal does not have the user's private key.
  • the solution is to create a proxy certificate and proxy private key at the web portal.
  • the proxy private key and the proxy certificate are used to authenticate the other server on behalf of the user certificate and user's private key.
  • the proxy certificate subject information contains as shown.
  • C MY
  • CN ABCProxyCert
  • the new proxy certificate signed by user's private key, rather than a Certification Authority (CA). This establishes a chain of trust from the CA to proxy certificate through the user.
  • CA Certification Authority
  • a chain of trust certificate is used to prove the trust of the proxy certificate.
  • the proxy certificate has a short activation lifespan, typically 12 hours.
  • the proxy private key In the event security term of a proxy certificate is compromised, the proxy private key must be treated with care.
  • anyone who steals the proxy private key can perform any activity pretending to be authorized user.
  • the action taken must be immediate by discontinuing the use of the stolen proxy certificate.
  • the proxy certificate has a lifetime of only few hours (depending on the policy the maximum validity period of time allowed), so the potential damage is limited.
  • proxy certificate issuing process explains the methods and descriptions of the present invention by way of an example.
  • a user inserts a smart card to a smart card reader.
  • the user initiates the web browser and activates CSP for Microsoft Internet explorer or PKCS#11 for Mozilla Firefox to perform a HTTPS SSL mutual authentication with web portal running Apache web server or other servers. Verifying the user certificate will be carried out by the web server to ensue only authorized user can login to the web portal. Successful authenticated user can presume on to the next phase beginning the issuing proxy certificate process.
  • the first web page displayed is requesting user to enter the proxy certificate validation period (in hour).
  • the validation period will submit HTTPS POST command to the web server and activate a relevant CGI application.
  • the CGI application initiates the public- private key pair generation, extracts user certificate info and constructs an unsigned proxy certificate.
  • the CGI application Upon successful key pair generation, the CGI application than stores the key pair in a storage device. After the immediate completion of the public-private key pair generation by the CGI application is to construct a partial X.509 format proxy certificate that complies with the requirement of IETF RFC 3820 for proxy certificate format.
  • the web browser receives the HTML page with the embedded tag containing the proxy certificate digest.
  • the browser extension program that has been configured to associate with the browser is activated.
  • the browser extension program receives the proxy certificate digest, this digest is sent to the smart card via PKCS#11 (Mozilla Firefox) or CSP (Microsoft Internet Explorer) interface to be signed using the user private key in the smart card.
  • PKCS#11 Mozilla Firefox
  • CSP Microsoft Internet Explorer
  • a certificate-digest or hash value is calculated from the partial X.509 format proxy certificate, and the CGI application embedded the proxy certificate digest in the hypertext markup language (HTML).
  • the signed proxy certificate is then sent back to the web browser through the web portal and completes the proxy certificate issuance process.
  • the private key in the smart card or in any other storage medium signs the certificate digest.
  • the signed proxy certificate digest is returned to the browser extension program.
  • the signed proxy certificate digest is then sent to the CGI application through the PKCS#11 or CSP (depending on the web browser application of either the Explorer or Mozilla Firefox), the browser extension program, the web browser and the web portal.
  • the web browser extension program initiates the web browser to send a POST command to deliver the signed proxy cert digest to web portal via secure Hypertext Transfer Protocol (HTTPS).
  • HTTPS secure Hypertext Transfer Protocol
  • This POST command and its payload of signed proxy certificate digest are g received by the CGI program running at web portal.
  • the CGI application now constructs a signed proxy certificate.
  • the CGI application can read the user certificate from TLS/SSL digital certificate mutual authentication process, and then extract the necessary information from the user certificate which will become the issuance proxy certificate or an 5 End Entity Certificate (EEC).
  • EEC 5 End Entity Certificate
  • the partial X.509 proxy certificate is constructed based on the information above and also inclusive of the user validation period (in hour) and new generated pubic key. Below is the algorithm used to illustrate an example of the embedded tags for Microsoft Internet Explore and Mozila Firefox.
  • the concluding phase is when the CGI application combined with the partial X.509 format proxy certificate to form a 10 complete proxy certificate.
  • VALUE https : //webportal .mimos .my/cgi-bin/cgisignedcert . cgi">
  • parameter mDIGEST included in the embedded 30 tag in both browsers is values of proxy certificate digest calculate from partial X.509 format proxy certificate.
  • Other parameter mURL is a target uniform resource locator (URL) where the browser extension program activated and do the POST command request to the web portal to execute the CGI application.
  • mTARGET is the target HTML frame name to display the result. ,35
  • Maintaining proxy certificate authentication is possible on entire communication channels to all computing nodes. Maintaining proxy certificate also requires no user ID or paraphrase (password) to maintain connection and reduces maintenance cost for utility computing service.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This invention method for generating proxy certificate on web portal is a means of secure and reliable access to a web portal. This system will prevent identity fraud over the web and is a secure means of accessing personal information online.

Description

METHOD OF GENERATING A PROXY CERTIFICATE
FIELD OF INVENTION
The present invention relates to a method for generating a proxy certificate to a web portal from a user certificate residing in computer with a web browser.
BACKGROUND OF INVENTION
A personal computer (PC) is widely used in a company or by a person. In some cases, confidential data is stored in the PC. To prevent such secret data from being accessed by an unauthorized user, techniques of preventing information stored in a PC from being leaked have been developed. One known technique for this function is to identify a user on the basis of a password input by the user or on the basis of biotic information of the user. A public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. The binding is established through a registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, a user identity, the public key, their binding, validity conditions and other attributes in public key certificates issued by the CA is unable to be duplicated.
PKI applications and services remotely and automatically send public key information to other sources on the behalf of the users. For example, a job running on some remote web portal is required to be able to communicate with other web portals to transfer information pr files, and therefore the proof of user identity is required. The method is not secure for the system may send users information to other sources without user's notification. SUMMARY OF INVENTION
Accordingly, there is provided a method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate, wherein the method comprises the steps of inserting a smart card into a card reader, establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP, generating a proxy certificate, displaying a web browser request for a validation period in hour(s), inputting user validation period required for the proxy certificate, sending the user validation period in hour(s) to the web portal, generating a new public and private key pair, storing the key pair in the web portal, retrieving the user certificate from Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) session, extracting user information from the user certificate, combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate, calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate, generating a hypertext markup language (HTML) page and associate the proxy certificate digest value embedded in a browser extension program, activating the browser extension program to send the proxy certificate digest to the smart card via PKCS#11 or CSP interface to be digitally signed using the user private key in the smart card, returning the signed proxy certificate to browser extension program, performing a HTTP POST to the web portal by the browser extension, receiving a Common Gateway Interface (CGI) application user signed proxy certificate digest and combining sighed proxy certificate digest with the unsigned partial proxy certificate to form a final complete signed proxy certificate.
The present invention consists of several novel features and a combination of parts hereinafter fully described and illustrated in the accompanying description and drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention. BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be fully understood from the detailed description given herein below and the accompanying drawings which are given by way of illustration only, and thus are not limitative of the present invention, wherein:
Figure 1 is a diagram to show a chain of trust to proxy certificates;
Figure 2 is a diagram to show a chain of trust to numbers of proxy certificates; and
Figure 3 is a diagram to show a complete sequence diagram of issuing a proxy certificate.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to method for generating a proxy certificate. Hereinafter, this specification will describe the present invention according to the preferred embodiments of the present invention. However, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications and equivalents without departing from the scope of the appended claims.
The following detailed description of the preferred embodiments will now be described in accordance with the attached drawings, either individually or in combination.
The present invention consists of several hardware components that include a server equipped with one or more processors to process data, one or more network cards for networking a system, a plurality of port interfaces to connect external devices and one or more hard drives to store operating system and data. A user will have a separate system to act as access terminal and is equipped with a card reader.
The present invention further consists of several components that include a web portal, a web server, a web application, a browser extension program, a module library and an electronic card.
The web portal centralized web application running on the web server, which has access to various applications within the same enterprise to share information across applications. The web portal enables various users with different roles accessing application and prefers to have a single access point to all of them over the internet. The web browser is software that runs on the user's computer. Users interact with the web browser to display the web information such as display text, video, audio and other web activity. Most web browsers are compatible with the present invention (e.g. Microsoft Internet Explorer and Mozilla Firefox).
The Web Application is a Common Gateway Interface (CGI) activated by a web server or other server running on an operating system. Its function is to extract user certificate information, create proxy certificate, construct HTML file that contains embedded tag to activate the browser extension program that is executed on the user computer, and generate private as well as public key pair.
The browser extension program is software programmed to activate the browser to carry out proxy certificate creation based on the parameters in the browser embedded tag and interface to the module library that obtains user private key from user electronic card. It is appreciated by a person skilled in the art that the present invention also can be applied to situation where user's private key is stored in web browser or the smart card and any other storage medium.
The module library is a cryptographic token interface known as PKCS#11 and CSP1 module library that can be loaded into Microsoft Internet Explorer while PKCS#11 module library serves the same purpose for Mozilla Firefox browser. These cryptographic token interface libraries allow the web browsers and browser extension software program to interact with cryptographic tokens to perform RSA private key related operations that involved the use of the smart card or virtual memory storage. The electronic card is a cryptographic smart card that is capable of performing RSA private key operations using stored private key. The smart card can also be replaced by virtual memory storage to perform a similar private key operation.
Generating a proxy certificate, the web portal will create a temporary new public-private key pairs, and the created public key will be digitally signed by users own private key.
The proxy private key is used for certificate based authentication with another server. The proxy private key and proxy certificate (containing proxy public key) is at the web portal. The proxy certificate and private key is used to perform certificate based authentication to other servers from the web portal. This is because for some situations or by design, the user is unable to connect to the server; but rather the connection is routed via the web portal. So you have a web portal sitting in between the user computer and another server. The server asks for certificate based authentication from the web portal but the web portal does not have the user's private key. The solution is to create a proxy certificate and proxy private key at the web portal. The proxy private key and the proxy certificate are used to authenticate the other server on behalf of the user certificate and user's private key.
To illustrate an example of the present invention, the proxy certificate subject information contains as shown. C=MY, CN= JOHN DOE / serialNumber= 1234567890, CN=ABCProxyCert, issuer information contains C=MY, CN=JOHN DOE /serialNumber=1234567890. As depicted in Figure 1 the new proxy certificate signed by user's private key, rather than a Certification Authority (CA). This establishes a chain of trust from the CA to proxy certificate through the user.
As depicted in Figure 2 a chain of trust certificate is used to prove the trust of the proxy certificate.
The proxy certificate has a short activation lifespan, typically 12 hours. In the event security term of a proxy certificate is compromised, the proxy private key must be treated with care. Anyone who steals the proxy private key can perform any activity pretending to be authorized user. There is no mechanism for revoking the proxy certificate. The action taken must be immediate by discontinuing the use of the stolen proxy certificate. The proxy certificate has a lifetime of only few hours (depending on the policy the maximum validity period of time allowed), so the potential damage is limited. Hereinafter is complete proxy certificate issuing process explains the methods and descriptions of the present invention by way of an example.
A user inserts a smart card to a smart card reader. The user initiates the web browser and activates CSP for Microsoft Internet explorer or PKCS#11 for Mozilla Firefox to perform a HTTPS SSL mutual authentication with web portal running Apache web server or other servers. Verifying the user certificate will be carried out by the web server to ensue only authorized user can login to the web portal. Successful authenticated user can presume on to the next phase beginning the issuing proxy certificate process.
The first web page displayed is requesting user to enter the proxy certificate validation period (in hour). The validation period will submit HTTPS POST command to the web server and activate a relevant CGI application. The CGI application initiates the public- private key pair generation, extracts user certificate info and constructs an unsigned proxy certificate. Upon successful key pair generation, the CGI application than stores the key pair in a storage device. After the immediate completion of the public-private key pair generation by the CGI application is to construct a partial X.509 format proxy certificate that complies with the requirement of IETF RFC 3820 for proxy certificate format.
The web browser receives the HTML page with the embedded tag containing the proxy certificate digest. The browser extension program that has been configured to associate with the browser is activated. The browser extension program receives the proxy certificate digest, this digest is sent to the smart card via PKCS#11 (Mozilla Firefox) or CSP (Microsoft Internet Explorer) interface to be signed using the user private key in the smart card.
A certificate-digest or hash value is calculated from the partial X.509 format proxy certificate, and the CGI application embedded the proxy certificate digest in the hypertext markup language (HTML). The signed proxy certificate is then sent back to the web browser through the web portal and completes the proxy certificate issuance process.
The private key in the smart card or in any other storage medium, signs the certificate digest. The signed proxy certificate digest is returned to the browser extension program. The signed proxy certificate digest is then sent to the CGI application through the PKCS#11 or CSP (depending on the web browser application of either the Explorer or Mozilla Firefox), the browser extension program, the web browser and the web portal.
The web browser extension program initiates the web browser to send a POST command to deliver the signed proxy cert digest to web portal via secure Hypertext Transfer Protocol (HTTPS). This POST command and its payload of signed proxy certificate digest are g received by the CGI program running at web portal. The CGI application now constructs a signed proxy certificate. The CGI application can read the user certificate from TLS/SSL digital certificate mutual authentication process, and then extract the necessary information from the user certificate which will become the issuance proxy certificate or an 5 End Entity Certificate (EEC). The partial X.509 proxy certificate is constructed based on the information above and also inclusive of the user validation period (in hour) and new generated pubic key. Below is the algorithm used to illustrate an example of the embedded tags for Microsoft Internet Explore and Mozila Firefox. The concluding phase is when the CGI application combined with the partial X.509 format proxy certificate to form a 10 complete proxy certificate.
Example of embedded tag for Microsoft Internet Explorer
<OBJECT I D=" IEProxyCert" 15 CLASSI D ="CLSID : 7D40EB7A-OA97-4OC7-9669-CD70BA776ES8 ">
<PARAM NAME="mDIGEST" VALUE="EOlSDB6A8ADA998S660BlE837AA8B 078 ">
< PARAM NAME= "mURL"
VALUE="https : //webportal .mimos .my/cgi-bin/cgisignedcert . cgi">
<PARAM NAME="mTARGET" VALUE=" self"> 20 </0BJECT>
Example of embedded tag for Mozilla Firefox
<embed type="application/pc-plugin" width=100 height=5O 25 itiDIGEST ="EOlSDB6A8ADA9985660BlE837AASB078 " mURL="https : / /webportal .mimos .my/cgi-bin/cgisignedcert . cgi " mTARGET="_sel f ">
Referring to embedded tags above the parameter mDIGEST included in the embedded 30 tag in both browsers is values of proxy certificate digest calculate from partial X.509 format proxy certificate. Other parameter mURL is a target uniform resource locator (URL) where the browser extension program activated and do the POST command request to the web portal to execute the CGI application. mTARGET is the target HTML frame name to display the result. ,35 The elimination of the proxy client and server means there is no need for secondary paths and reduces the number of cascading proxy certificate required. Maintaining proxy certificate authentication is possible on entire communication channels to all computing nodes. Maintaining proxy certificate also requires no user ID or paraphrase (password) to maintain connection and reduces maintenance cost for utility computing service.

Claims

1. A method of enabling direct issuance and creation of a proxy certificate via the web browser to web portal using a user certificate, wherein the method comprises the steps of;
i. inserting a smart card into a card reader; ii. establishing a user certificate based mutual authentication using a web browser to a web portal via PKCS#11 or CSP;
iii. generating a proxy certificate;
iv. displaying a web browser request for a validation period in hour(s);
v. inputting user validation period required for the proxy certificate;
vi. sending the user validation period in hour(s) to the web portal;
vii. generating a new public and private key pair;
viii. storing the key pair in the web portal;
ix. retrieving the user certificate from Secure Sockets Layer (SSL)/ Transport
Layer Security (TLS) session;
x. extracting user information from the user certificate;
xi. combining the validation period and a new generated public key to create an unsigned X.509 format partial proxy certificate;
xii. calculating a proxy certificate digest based on the unsigned X.509 format partial proxy certificate; xiii. generating a hypertext markup language (HTML) page and associate the proxy certificate digest value embedded in a browser extension program;
xiv. activating the browser extension program to send the proxy certificate digest to the smart card via PKCS#11 or CSP interface to be digitally signed using the user private key in the smart card;
XV. returning the signed proxy certificate to browser extension program;
xvi. performing a HTTP POST to the web portal by the browser extension;
xvii. receiving a Common Gateway Interface (CGI) application user signed proxy certificate digest; and
xviii. combining sighed proxy certificate digest with the unsigned partial proxy certificate to form a final complete signed proxy certificate.
2. The method as claimed in claim 1 wherein, the CSP is a cryptographic token interface module library for Microsoft Internet Explorer.
3. The method as claimed in claim 1 wherein, the PKCS#11 is a module library for Mozilla Firefox.
4. A method as claimed in claim 1, wherein step (vii), (vi), (xiv), and (xv) are processed by a CGI application to generate private and public key pair, extract user certificate information, create unsigned X.509 partial proxy certificate, calculate unsigned proxy certificate digest and construct HTML file that contains embedded tag to activate the browser extension program.
5. A method as claimed in claim 1 step (x) and (xi), wherein the browser extension program contains the unsigned proxy certificate digest and present the digest to user smart card to perform digital signature via PKCS#11 or CSP interface.
6. A method as claimed in claim 2 , wherein the portal CGI application received the signed proxy certificate digest and then combine with unsigned partial proxy certificate to form a final complete signed proxy certificate.
EP10753743A 2009-03-16 2010-03-04 Method of generating a proxy certificate Withdrawn EP2409455A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20091055 MY150173A (en) 2009-03-16 2009-03-16 Method of generating a proxy certificate
PCT/MY2010/000028 WO2010107298A2 (en) 2009-03-16 2010-03-04 Method of generating a proxy certificate

Publications (1)

Publication Number Publication Date
EP2409455A2 true EP2409455A2 (en) 2012-01-25

Family

ID=42740157

Family Applications (1)

Application Number Title Priority Date Filing Date
EP10753743A Withdrawn EP2409455A2 (en) 2009-03-16 2010-03-04 Method of generating a proxy certificate

Country Status (3)

Country Link
EP (1) EP2409455A2 (en)
MY (1) MY150173A (en)
WO (1) WO2010107298A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11538063B2 (en) 2018-09-12 2022-12-27 Samsung Electronics Co., Ltd. Online fraud prevention and detection based on distributed system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9055056B2 (en) 2013-08-14 2015-06-09 Red Hat, Inc. Managing digital content entitlements
US10033720B2 (en) 2014-05-28 2018-07-24 Futurewei Technologies, Inc. Method and system for creating a certificate to authenticate a user identity

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7496755B2 (en) * 2003-07-01 2009-02-24 International Business Machines Corporation Method and system for a single-sign-on operation providing grid access and network access
US7467303B2 (en) * 2004-03-25 2008-12-16 International Business Machines Corporation Grid mutual authorization through proxy certificate generation
US8214635B2 (en) * 2006-11-28 2012-07-03 Cisco Technology, Inc. Transparent proxy of encrypted sessions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2010107298A3 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11538063B2 (en) 2018-09-12 2022-12-27 Samsung Electronics Co., Ltd. Online fraud prevention and detection based on distributed system

Also Published As

Publication number Publication date
WO2010107298A2 (en) 2010-09-23
MY150173A (en) 2013-12-13
WO2010107298A3 (en) 2010-12-02

Similar Documents

Publication Publication Date Title
EP3424176B1 (en) Systems and methods for distributed data sharing with asynchronous third-party attestation
JP7083892B2 (en) Mobile authentication interoperability of digital certificates
US8924714B2 (en) Authentication with an untrusted root
US8438383B2 (en) User authentication system
US10362019B2 (en) Managing security credentials
US20170171183A1 (en) Authentication of access request of a device and protecting confidential information
US9767262B1 (en) Managing security credentials
CN101479987A (en) Biometric credential verification framework
EP2251810A1 (en) Authentication information generation system, authentication information generation method, and authentication information generation program utilizing a client device and said method
CN114666168B (en) Decentralized identity certificate verification method and device, and electronic equipment
JP6465426B1 (en) Electronic signature system, certificate issuing system, key management system, and electronic certificate issuing method
CN109981287A (en) A kind of code signature method and its storage medium
JP7351873B2 (en) Information processing device, information processing method, and information processing program
CN116112242B (en) Unified safety authentication method and system for power regulation and control system
CN115134144B (en) Enterprise-level business system authentication method, device and system
Diebold et al. Self-sovereign identity using smart contracts on the ethereum blockchain
EP2530868A1 (en) Method for generating an anonymous routable unlinkable identification token
EP2409455A2 (en) Method of generating a proxy certificate
Alsaid et al. Preventing phishing attacks using trusted computing technology
CN112235276A (en) Master-slave device interaction method, apparatus, system, electronic device and computer medium
KR20170130963A (en) Apparatus for authenticating user in association with user-identification-registration and local-authentication and method for using the same
TWI698113B (en) Identification method and systerm of electronic device
Sánchez García et al. University authentication system based on java card and digital X. 509 certificate
JP2005157845A (en) Server system, client server system, and login method to client server system
CN102739398A (en) Online bank identity authentication method and apparatus thereof

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20111014

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20161001