JP2003518820A - Method and apparatus for a circular encryption and decryption process - Google Patents

Abstract

(57) SUMMARY A scheme for encrypting and decrypting data between two computer stations operating in an Internet environment uses a cookie sent from server 67 for encryption and decryption. The key 75 is transmitted. Key 75 may be a cookie value, that is, the cookie value may include or include some form of key 75 known to both machines. The server 67 can use the key 75 to encrypt data for the client 79, and the key 75 is also sent to the client 79 in a cookie, which then retrieves the key 75 and stores the retrieved key. The data used and transmitted can be decrypted. The server 67 can also use different schemes to encrypt the data on the client machine 79. A similar scheme can be used for two servers.

Description

Detailed Description of the Invention

FIELD OF THE INVENTION The present invention is in the field of Internet navigation and secure login and transaction methods, and more particularly is routinely sent from one computer to another over a data packet network. A method and apparatus for data encryption and decryption.

BACKGROUND OF THE INVENTION The information network, known as the world-wide-web (WWW), which is a well-known subset of the Internet, is perhaps the most complete publicly accessible source of information available. is there. Anyone with a suitable internet device, such as a personal computer with a standard internet connection, can access the information pages (
You can access (online) and navigate to a web (called a web page) to get information and to initiate transactions with the host of such servers and pages.

Many companies offer various subscription registration services accessible via the Internet. For example, many people now have access to the Internet for banking, stock trading, shopping, etc. from their own comfortable homes. Generally, users subscribe to get access to personalized, secure WEB pages for such features. By entering a username and password or personal identification code, a user can obtain information, initiate a transaction, buy a stock, or accomplish a myriad of other tasks.

There are many methods known in the art for providing a secure strategy for online service users. A secure connection is protected by a firewall, an authenticated certificate that authenticates the origin of the information, an encryption method, and so on. In one or another aspect, many of these methods are insufficient to provide complete security to the end user. For example, some encryption programs store both the program and the key on an end-user station where unauthorized users can compromise both. Many secure connections and servers are not entirely immune to attacks by computer hackers attempting to intercept or steal private data. Some encryption and decryption programs can be gradually compromised by hacker addicts trying to break the encryption scheme.

The inventor has also experienced that there was a potential for compromise of confidential information even when encrypted and sent to a user station for login. Unauthorized users are
It is possible to find the decryption key on the user station under certain circumstances.
Once found, the key can be used to decrypt and steal all kinds of encrypted sensitive information. Furthermore, a higher level of security must be protected against secure auto-login as well as other confidential transactions between servers and from server to user station.

Clearly, there is a need for more secure methods for encrypted and decrypted data transferred between computers.

SUMMARY OF THE INVENTION A preferred embodiment of the present invention provides a method for encrypting and transmitting data from a server to a client and allowing the client to decrypt the data in a client-server system. And (a) when the server receives the login and data request from the client, the steps of (b) sending a cookie containing the key value used to decrypt the data to the client and (b) the data sent to the client It includes the steps of: encrypting using an encryption / decryption engine and a key value; and (c) sending the encrypted data to the client. There may be other steps for the client to retrieve the key value from the cookie, perform a copy of the decryption engine, and decrypt the data. In some cases, the server sends a copy of the encryption / decryption engine to the client, which copy may be discarded after use. Further new keys may be sent for each session.

In another aspect of the invention, a protected client / server system is provided,
It includes an encryption / decryption engine, access to data, and a server with code to send cookies to a user who logs into the server, as well as a client. Upon receiving the data request from the client, the server sends a cookie to the client, the value of the cookie contains the encryption / decryption key, and the server sends the data requested by the client to the key before transmitting to the client. Use and encrypt.

In a preferred embodiment, the client, after receiving the encrypted data from the server, retrieves the key from the cookie value and uses the key and the encryption / decryption engine to decrypt the data. In some cases, the server sends a copy of the encryption / decryption engine to the client, which copy may be discarded after use.
Further, in some cases, a new key is sent every time the client logs in to the server.

According to another aspect of the present invention, there is provided a method for encrypting data existing in a client from a server in a client server system, the method comprising: (a) encrypting the data when the server receives the login of the client. A cookie containing a key value used for encryption is sent to the client, an indication of the data to be encrypted is sent, and (b) the client accesses the sent cookie key value. (C) including an encryption / decryption engine and the step of encrypting the data at the client using the value of the key retrieved from the cookie value. In some cases, the server sends a copy of the encryption / decryption engine to the client, which copy may be discarded after use. In addition, a new key may be sent for each session.

In yet another aspect, a protected client / server system is provided that includes an encryption / decryption engine, access to data, and a server having code for sending a cookie to a user who logs into the server. , As well as the client. In this system, when the login from the client is received,
The server sends the cookie to the client, the cookie value contains the encryption / decryption key, the server sends an indication of the data to be encrypted, and the client retrieves the key value from the cookie and uses the key. The data instructed by the server is encrypted. Again, in some cases the server sends a copy of the encryption / decryption engine to the client, which copy may be discarded after use. In addition, a new key may be sent for each session.

In yet another aspect of the invention, there is provided a method for transferring protected data between a first and a second server, the method comprising: (a) a first server requesting the data; Two
(B) the second server sends a cookie to the first server, the value of the cookie including a key value for encryption / decryption, and (c) It includes the steps of encrypting the data using the key value prior to transmission from the second server, and (d) sending the encrypted data to the second server. The second server sends a copy of the encryption / decryption engine to the first server, and the first server uses the copy and the retrieved key to perform the decryption.

Various embodiments of the present invention, which are taught in as much detail as possible in the following sections, first provide a secure means of data transfer, in which the key for encryption / decryption is a cookie. It is transferred as a part of.

DESCRIPTION OF THE PREFERRED EMBODIMENTS A preferred embodiment of the present invention provides a unique method for encrypting, decrypting, and transmitting protected data over a data packet network, Can be automatically encrypted or decrypted under the control of the sending node. Such methods are described in as much detail as possible in the following sections.

FIG. 1 illustrates a WE for a client station according to an embodiment of the present invention.
FIG. 6 is a block diagram illustrating a circular encryption / decryption process initiated from a B server. A WEB server 67 is provided and configured to function as an internet file server as is known in the art. The server 67 can be configured to provide portal services, message services, HTTP services, proxy services, or any other WEB service known to clients or ordinary users subscribing to such services.

The client station 79 is provided as an internet-compatible device,
It is configured. Station 79 then has sufficient memory, processing power, and software suitable for navigating the Internet and interacting with server 67. The client station 79 is configured to access the server 67 by any known internet connection means.
Here, the means used to connect to the server 67 is a standard modem / ISP type Internet access connection, which is the most prevalent in general access.

The server 67 has a software login interface 71, which is provided and configured so that the user can access all the services provided. The login from the station 79 to the server 67 is illustrated by the arrow indicating the direction indicated as "login" in this specification. To access, the user must enter the username and password as is conventional in the art. Once logged in, the user can interact with the server 67 according to the services offered, as is commonly known in the art.

The server 67 is provided with a data encryption / decryption software engine 73 and is configured to encrypt and decrypt any data stored in or controlled by the server 67. In this example, user data block 69 represents data requested by the user and designated for transmission to the user. In a preferred embodiment, the engine 73 is a Java-based encryption / decryption program, many of which are known in the art and are commonly used to encrypt and decrypt data. There is. Engine 73 generates and uses encryption / decryption key 75 for the purpose of encrypting or decrypting data, as indicated by the double-headed arrow located between components 73 and 69. Key 75 is typically a line code generated for and used in connection with engine 73 for each encryption and decryption process. For example, the data must be encrypted according to the key and decrypted according to the same key.

The server 67 is provided with a “cookie” generation software engine,
It is configured to generate "cookies". A "cookie" is a text file commonly used to track user navigation on the Internet and known in the art. Generally, WEB sites generate a cookie and send the cookie to a user who logs in or accesses a particular WEB page stored by the server or hosted by the server. Once the WEB cookie is sent to the user, the WEB cookie is stored in the cache memory of the user's machine and returned to the server the next time the user logs in, as is known in the art. Only the web site that acts as a host controls the generation of cookies for that web site.

Cookies in the art generally have both a name and a value, and this value may change again under the control of the server each time the cookie is sent. According to a preferred embodiment of the present invention, the decryption key 75 becomes a cookie value, is added to the cookie value, is otherwise combined or added and becomes part of the cookie value. , Encrypts or decrypts the data transmitted to the user and stored in the user's machine or the data transmitted from the server 67 to the user.

In this example, the client station 79 has the illustrated data block 81, which represents the data block 69 after it has been received by the client station 79. In one embodiment, encryption / decryption program 83 represents a temporary copy of program 73 after it has been sent from server 67 to station 79. After successfully logging in, the data block 81 and the engine 83 are downloaded to the user's WEB browser displayed by the component number 82. This is illustrated herein by the directional arrow labeled "Send Data / Program". The data block 81 can be any type of data requested by the user from the server 67. In other embodiments, encryption / decryption engine 83 may reside at station 79, possibly associated with WEB browser 82 as a plug-in.

The cookie 84 illustrated as residing in the WEB cache 85 provided in the station 79 represents a cookie containing the value of the key 75. Key 75
Are incorporated into the cookie 84 when the cookie is generated. In this case, key 75 is an encryption key used to encrypt data block 81 at station 79 using engine 83.

In practicing the present invention, the user operating the client station 79 logs in to the server 67, as illustrated by the arrow indicating the direction “logged in” going from the station 79 to the login interface 71. . The login interface 71 is configured to prompt the user for a user name and password in order to confirm that the user is who he / she is and to access all services provided by the server 67.

In one embodiment, once the user authentication is successful and the data request is confirmed, the server 67 activates the engine 73, as illustrated by the double-headed arrow labeled “Encrypted”. According to the key 75 used, all the data requested by the user, represented by the data block 69, is encrypted. After the encryption is completed, the server 67
Illustrates a temporary copy of the encrypted data block 69 and the encryption / decryption program 73 (if not already possessed by the user) by means of the directional arrow labeled "Send encryption program". To send to users over the internet. The received versions of block 69 and engine 73 are downloaded to browser 82 and displayed as component 81 (user data) and component 83 (encryption / decryption engine), respectively.

The key 75 used to encrypt and decrypt the user data 69 at the server 67 is software 77, as illustrated by the arrow going from the engine 73 to the key 75 and then to the generator 77. The value is added to the text cookie created by. The cookie (cookie 84) is then sent to the client station 79, where it resides in the WEB cache 85 as cookie 84, as illustrated by the directional arrow labeled "Send Cookie." As used herein, in one embodiment, any data stored on the server 67 and intended for transmission to the user is stored by the user on the server 67.
Note that each time you log in to and access the service, you can encrypt with the new key 75. In other embodiments, encryption is probably 1
The frequency base can be reduced to about 0 sessions. It can be applied as often as you like.

After successfully logging in to the server 67 and transferring the data, the user who operates the station 79 next receives all the data requested by himself in the encrypted form,
There is a program to decrypt the data, a key that the program uses to automatically decrypt the data. The engine 83 retrieves the cookie 84 from the cache 85, accesses the cookie value key, and uses that key for decryption, as illustrated by the double-headed arrow labeled "Search Key". The data 81 received by the client station 79 is automatically decrypted. In this example, the server 67 first encrypts the requested data and (if needed) it
Send to client with temporary encryption / decryption program and key (in cookie). The method described above ensures that the user can be assured that no one can intercept or decrypt the data received from the server. Furthermore, only the sending server can change the cookie value and key combination.

In another embodiment, the server 67 sends back to the server 67 via the Internet, or if the server 67 is a proxy, the proxy transmits information necessary for the transaction to another server, etc. For that purpose, the data residing on the client station 79 can be encrypted. The transaction data block 86 is displayed within the browser 82 at station 79 and represents any data that the user needs to send to the server. A transaction dialog box, represented herein by component 87, is displayed in browser window 82 during the transaction process with the server, as is generally known in the WEB navigation art. Box 87 can be a form required for credit cards or other sensitive information used to purchase goods or provide services.

In this example, the server 67 is a proxy server and uses the clear text data in block 86 of the client station 79 first using the engine 83 (downloaded from the server 67) and the cookie 84 (including the key 75). Shall be encrypted. This process is illustrated by the bidirectional arrow labeled "Search Key" and the arrow indicating the direction from component 83 to component 86. The server 67
The encryption / decryption program and the cookie containing the key 75 should also be sent to any WEB server that transacts with the station 79 operated by the user. This process is represented by the arrow indicating the direction displayed as “WEB service” in the server 67. The target server (WEB service) receives the encrypted data from the station 79, as illustrated by the station 79, as indicated by the directional arrow labeled "WEB service". The WEB service also has a key 75 from the server 67 and a program 73. Therefore, the target server automatically decrypts the data from station 79 and allows the form fields to be filled. The method and apparatus of the present invention can be used with any dialog or transaction interface provided by any WEB service.

In yet another embodiment, the server 67 may encrypt the data at station 79 for return to the server 67 via the Internet. In this embodiment, the server 67 holds the key 75 for later decryption process. The security of all the described embodiments is enhanced because the value of the cookie containing the key 75 can only be modified by the originating server and not by a third party. Furthermore, the key 75 is received by the cache memory and cannot be manually tampered with because it is used by the program 83 to encrypt or decrypt information. The server 67 may encrypt the data differently and send a new cookie / key combination each time the user logs on to receive the data, which overwrites the previous cookie / key between caches, This further increases the security of the data in transit. The new encryption / decryption program can be sent with each new key so that the new encryption / decryption program is not retained when the user logs off.

In yet another embodiment of the present invention, the method taught above can be implemented between two WEB servers running server software. One such embodiment is described below.

FIG. 2 is a block diagram illustrating a circular encryption / decryption process used in server-to-server mode. In this example, two Internet servers are illustrated as the WEB server 89 and the WEB server 91. And in the case of this example, WEB
The server 89 is designated as the "sending" server, and the WEB server 91 is designated as the "receiving" server.

The server 89 is provided with a resident encryption / decryption engine 95, and is configured to perform encryption and decryption of data as described with reference to FIG. The data block 93 illustrated in the server 89 represents any data that is encrypted by the engine 95, as illustrated by the double-headed arrow labeled "Encrypted." Decryption key 97 is illustrated in server 89 and represents the key generated to decrypt and encrypt the data in block 93. The server 89 also has a communication interface 101, which is installed and configured for communication with other servers. A cookie generator is also provided and is configured to generate and send cookies, as is known in the art.

The data block 103 is illustrated in the server 91 and represents the encrypted data 93 received from the server 89. In this example, the server 91 is in the reception mode. The server 91 has an illustrated encryption / decryption engine 105, which is configured to encrypt and decrypt data, as illustrated by the double-headed arrow labeled "Decrypt". ing. In one embodiment, engine 105 uses data 1
03 is a temporary program received from the server 89. In this example,
The server 89 should always be the control server. In another embodiment, server 91 is configured to have all encryption / decryption and key generation functions so that neither server 89 nor 91 is a control server.

In this example, the server 91, which is the receiving server, has W (received from the server 89).
There is a WEB cache 109 containing an EB cookie 110 and a decryption key 97 retrieved from the cookie 110 for decrypting the data. Both servers have communication interfaces installed, namely interface 101 (for server 89) and interface 111 (for server 91), allowing communication over the Internet as is known in the art. It is configured like this.

Next, it is assumed that the server 91 establishes a connection data request with the server 89 from the communication interface 111 to the communication interface 101 via the Internet. After the communication connection is established between the servers 89 and 91, the data (93) is encrypted using the key 97 encryption / decryption engine, as illustrated by the double-headed arrow labeled "Encryption". It is encrypted by 95. The encrypted data 93 is transmitted to the server 91 via the open connection (interfaces 101 to 111). The value of the key 97 is embedded in the cookie generated by the cookie generator 99, transmitted to the server 91, and resides in the cache 109 as the WEB cookie 110.
This begins with the component 95 and finally with the arrow pointing to the communication interface 101 of the server 89 and the communication interface 1 of the server 91.
It is illustrated by arrows indicating directions starting from 11 and finally reaching each component.

At the server 91, the encryption / decryption engine 105 retrieves the key 97 from the WEB cookie 110 of the cache 109, as illustrated by the double-headed arrow placed between the involved components. The engine 105 then uses the key 97 to decrypt the data 103 to use. In the above example, the server 89 is the control server, and sends the temporary encryption / decryption program and the key to the server that requested the protected data. In this embodiment, the data may be encrypted differently with a new key each time there is a request from a server and the control server grants the server a connection for data transmission.

In another embodiment, the server 89 first sends the program 105 and the key 97 to encrypt the data returned by the requesting server so that the server 89 will be sent back to the other server that is returning to the server 89 itself. The stored data can be encrypted. In this case, the server 89 would keep a copy of the key 97 for decryption.

In yet another embodiment, both servers 89 and 91 may be configured as control servers, each capable of sending to the other a temporary encryption program and a key for decryption. . There are many potential uses.

The method and apparatus of the present invention may be applied to cookies, HTTP (Hyper-Text-Transfer-Protoco) without departing from the spirit and scope of the present invention.
l), and any other suitable data packet network that supports the use of the Internet Protocol (IP). For example, for commercial use, the method can be used as a process for transferring protected data using a company's local area network (LAN) or wide area network (WAN).

In yet another embodiment, the control server configured to send the encryption / decryption program and the key ensures that all recipients get the same encrypted data without the fear of compromise. , Sensitive data can be multicast to multiple receiving servers or client stations.

The method and apparatus of the present invention should cover the widest possible range in light of the embodiments described. The spirit and scope of the invention are limited only by the following claims.

[Brief description of drawings]

FIG. 1 is a block diagram illustrating a circular encryption / decryption process initiated by a protected server on behalf of a client station, according to one embodiment of the invention.

FIG. 2 is a block diagram illustrating a circular encryption / decryption process used in server-to-server mode.

[Figure 3]   3 is a flow chart illustrating a method of practicing the present invention.

─────────────────────────────────────────────────── ─── Continued front page    (81) Designated countries EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, I T, LU, MC, NL, PT, SE, TR), OA (BF , BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, G M, KE, LS, MW, MZ, SD, SL, SZ, TZ , UG, ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, B Z, CA, CH, CN, CR, CU, CZ, DE, DK , DM, DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, J P, KE, KG, KP, KR, KZ, LC, LK, LR , LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, R O, RU, SD, SE, SG, SI, SK, SL, TJ , TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW (72) Inventor Shakha, Day Marker             California, 95051, USA,             Santa Clara, Poinciana Dry             Bu 3707, Apartment 154 (72) Inventor Rajyan, Threelanga Pee             California, 95051, USA,             Santa Clara, Granada Avenue             3475, number 320 F term (reference) 5B085 AE02 AE23 AE29 BE03 BG07                 5J104 AA12 AA16 AA34 EA04 EA09                       EA16 JA03 NA02 PA07

Claims (20)

[Claims] 1. A method for encrypting data in a client-server system, transmitting the data from the server to the client, and enabling the decryption by the client, wherein the server comprises: Sending a cookie containing a key value used to decrypt the data to the client upon receiving a login and a data request; (b) using an encryption / decryption engine and the key value A method comprising: encrypting the data sent to the client; and (c) sending the encrypted data to the client. 2. The client retrieves the key value from the cookie,
The method of claim 1, further comprising the step of performing a copy of the decryption engine to decrypt the data. 3. The method of claim 1 including the step of the server sending a copy of the encryption / decryption engine to the client. 4. The method of claim 3, wherein the copy of the encryption / decryption engine is discarded after use. 5. The method of claim 1, wherein a new key is sent each time a client logs in to the server. 6. A server comprising a encryption / decryption engine, access to data, and code for sending a cookie to a user logging in to the server, and a client, when a data request by the client is received. , The server sends a cookie to the client, the value of the cookie includes an encryption / decryption key, and the server sends the data requested by the client to the client before transmitting the data to the client. A protected client / server system characterized by being used and encrypted. 7. The client retrieves the encrypted data from the server, retrieves the key from the cookie value, and decrypts the data using the key and the encryption / decryption engine. The system according to claim 6, which is realized. 8. The system of claim 6, wherein the server sends a copy of the encryption / decryption engine to the client. 9. The system of claim 8, wherein the copy of the encryption / decryption engine is discarded after use. 10. The system of claim 6, wherein a new key is sent each time a client logs in to the server. 11. A method for encrypting data on a client from a server in a client server system, comprising: (a) for encrypting the data when the server receives the login of the client. A cookie containing a key value to be used is sent to the client, an indication of the data to be sent is sent, and (b) the client accessing the key value of the sent cookie. , (C) using the encryption / decryption engine and the key value retrieved from the cookie value to encrypt the data at the client. 12. The method of claim 11, wherein the server includes the step of sending a copy of the encryption / decryption engine to the client. 13. The method of claim 12, wherein the copy of the encryption / decryption engine is discarded after use. 14. The method of claim 11, wherein a new key is sent each time a client logs in to the server. 15. A server, comprising a server having an encryption / decryption engine, access rights to data, and code for sending a cookie to a user who logs in to the server, and a client, when the login by the client is received, The server sends a cookie to the client, the value of the cookie includes an encryption / decryption key, the server sends an indication of the data to be encrypted, and the client retrieves the key value from the cookie. A protected client / server system, characterized in that it retrieves and encrypts the data indicated by the server using the key. 16. The system of claim 15, wherein the server sends a copy of the encryption / decryption engine to the client. 17. The system of claim 16, wherein a copy of the encryption / decryption engine is discarded after use. 18. The system of claim 15, wherein a new key is sent each time a client logs in to the server. 19. A method for transferring protected data between a first and a second server, the method comprising the steps of: (a) contacting the second server for requesting the data by the first server. (B) the second server sending a cookie to the first server, the value of the cookie including a key value for encryption / decryption; (c) the second A method comprising: encrypting data using the key value prior to transmission from a server; and (d) sending the encrypted data to the second server. 20. The second server sends a copy of the encryption / decryption engine to the first server, and the first server uses the copy and the retrieved key to perform decryption. The method according to claim 19.