WO2000041535A2 - Secure data transfer - Google Patents

Info

Publication number
WO2000041535A2
Authority
WO
WIPO (PCT)
Prior art keywords
client
resource
web
data
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2000/000701
Other languages
French (fr)
Other versions
WO2000041535A3 (en)
Inventor
Steven M. Orrin
James P. Russell
Brian D. Goldberg
Zbigniew T. Olik
Mordechai Ovits
Paul Benenson
Daniel H. Marcellus
Bruce Schneier
Niels Ferguson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LOCKSTAR Inc
Original Assignee
LOCKSTAR Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by LOCKSTAR Inc
Priority to AU29641/00A
Publication of WO2000041535A2
Publication of WO2000041535A3
Anticipated expiration
Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/14 Multichannel or multilink protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Communication Control (AREA)

Abstract

Data can be securely passed between a client and a back-end resource by sending resource locators instead of the actual data. Using the protocol described here, the transfer of data is seamless, and prevents interception by any intermediate resource.

Description

SECURE DATA TRANSFER BETWEEN A CLIENT AND A BACK-END RESOURCE
Technical Field and Background Art
This application claims the benefit of U.S. Provisional Application no. 60/115,835 filed January 14, 1999.
In an on-line system, when data is retrieved from a remote resource, each intermediate point through which it travels may conceivably access the data. Even if such data is retrieved through a secure connection with a web server, the web server itself will be privy to the data. While the web server is beneficial in that it acts as intermediary between a client and a remote resource, it would be advantageous to utilize the services of the web server without having to compromise the data.
Brief Description of the Drawings
Figure 1 is a block diagram of a system affording secure data transfer, and
Figures 2 and 3 are flow charts of the operation of the system of Figure 1.
Modes for Carrying Out the Invention
Secure transfer of data between a client and back-end resources over the Internet can be achieved in part by establishing a secure path between the two points. Formatting and protocol issues not requiring access to secure data can be delegated to conventional elements in the path.
In one configuration, illustrated in the block diagram of Figure 1, a client 10, using an Internet browser 12 equipped with the means necessary to create a secure session, accesses a back-end system 20 on which a back-end resource 22 resides, through a client-accessible system 30. The back-end resource 22 may be a database or some other source of data or device that the client wishes to access. The interconnection 14 between the client 10 and the client-accessible system 30 can be over a network such as the Internet or through some other medium. Similarly, the interconnection 16 between the client-accessible system 30 and the back-end system 20 can be over a network such as the Internet or through some other data link. The data transfer process can be described in two parts: a download procedure (Figure 2), where data is transferred from the back-end resource to the client, and an upload procedure (Figure 3), where data travels from the client to the back-end resource. Either can be used alone, in concert with each other, or with other processes as appropriate.
Download Procedure
As shown in Figure 2, the client 10 can initiate a download of information by sending a request to the web server 32, which passes the request on to the enabler 24. In response to the request, the enabler 24 issues one or more resource locators and passes them to the web server 32. Typically, these resource locators are addresses that point to data resources on the back end system 20. The web server 32 treats the resource locators it receives from the enabler 24 as data.
The web server 32 assembles a web page placing the resource locators in the web page where it would otherwise insert data. It then sends the formatted web page to the browser 12 at the client 10.
As the web page loads in the browser 12, the resource locators cause the browser 12 to access the back-end system through a router 34 on the client-accessible system 30. After optionally authenticating the client 10, the enabler 24 will send the browser 12 the appropriate data in response to the resource locator, and the browser 12 will simply insert each datum in the formatted page at the location dictated by the physical location of each resource locator on the page. The path between the browser 12 and the enabler 24 through the router 34 is secure, having invoked a secure protocol such as SSL ("secure socket layer").
The data has thus been sent from the back-end resource 20 to the browser 12 via a path secure with respect to the elements of the client-accessible system 30 and interconnections 14 and 16, i.e., bypassing the web server 32.
Upload Procedure
In an upload, as shown in Figure 3, the client 10 desires to send data to the back-end resource 22, but in a manner in which the data is not accessible or readable by the client-accessible system 30 or interconnections 14 and 16. To do so, the client 10 establishes a secure session with the enabler 24 through the router 34, optionally ensuring authentication of the back-end system 20 and/or the client 10. The client 10 then sends the data to the enabler 24 over the secure path. The enabler 24 does not have a service request and as such cannot utilize the data at this point. Therefore, the data is stored on the back-end system 20 for later retrieval and, in response to the original message, the enabler 24 issues a redirect command and a resource locator and passes them back to the client 10 through the router 34. This may occur through a secure path. For example, the redirect can assume the form: https://ws:443/arg:xyz, where ws:443 designates the secure port 443 on the web server 32 and "xyz" is the resource locator that the web server 32 will use when referring to the data earlier passed to the enabler 24.
The client 10 now executes the redirect command, establishing a session with the web server 32. As part of executing the redirect command, the client 10 sends the resource locator to the web server 32. Again, this can be done over a secure path. The web server 32 in turn generates a service request for the back-end system 20, using the resource locator in lieu of the actual data, and passes this to the enabler 24 on the back-end system 20. When the enabler 24 receives the resource locator, the enabler 24 will fetch the data corresponding to the resource locator and associate it with the service request.
As required previously, authentication can be performed using any method including the method described in provisional patent application No. 60/106,290, titled "Secure Authentication for Access to Back-End Resources," and filed October 30, 1998, incorporated by reference herein.
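The download and upload procedures above, as an added in-process simulation (not code from the patent): the web server records everything it handles, so the exchange shows that only resource locators pass through it. The class and method names, the `client_id` binding, and the random, single-use, expiring locators are assumptions of this example; the patent does not specify a locator format, and plain method calls stand in for the SSL paths through the router 34.

```python
import secrets
import time


class Enabler:
    """Back-end enabler 24. Only this party ever holds the sensitive values."""

    def __init__(self, resource, ttl=60.0):
        self.resource = resource      # stands in for back-end resource 22
        self._pending = {}            # locator -> (value, client_id, expiry)
        self._ttl = ttl

    def _issue(self, value, client_id):
        # Assumption: locators are random, single-use and short-lived.
        locator = secrets.token_urlsafe(16)
        expiry = time.monotonic() + self._ttl
        self._pending[locator] = (value, client_id, expiry)
        return locator

    def _redeem(self, locator, client_id):
        entry = self._pending.get(locator)
        if entry is None or entry[1] != client_id or time.monotonic() > entry[2]:
            raise PermissionError("locator unknown, expired or not yours")
        del self._pending[locator]    # a locator dereferences exactly once
        return entry[0]

    # Download: the web server asks on the client's behalf, gets locators only.
    def locators_for(self, fields, client_id):
        return {f: self._issue(self.resource[f], client_id) for f in fields}

    # Download: the browser dereferences a locator over the direct secure path.
    def fetch(self, locator, client_id):
        return self._redeem(locator, client_id)

    # Upload: data arrives directly; the reply is a redirect carrying a locator.
    def store(self, data, client_id):
        return "https://ws:443/arg:" + self._issue(data, client_id)

    # Upload: the web server's service request names the locator, not the data.
    def service_request(self, field, locator, client_id):
        self.resource[field] = self._redeem(locator, client_id)


class WebServer:
    """Web server 32. Logs all it sees so the result can be inspected."""

    def __init__(self, enabler):
        self.enabler = enabler
        self.seen = []

    def build_page(self, fields, client_id):
        locators = self.enabler.locators_for(fields, client_id)
        page = [(name, locators[name]) for name in fields]
        self.seen.append(repr(page))  # the page carries locators, not values
        return page

    def handle_redirect(self, url, field, client_id):
        self.seen.append(url)
        locator = url.split("/arg:", 1)[1]
        self.enabler.service_request(field, locator, client_id)


def download(web, enabler, fields, client_id):
    """Browser 12: load the page, then fill each slot from the enabler."""
    page = web.build_page(fields, client_id)
    rendered = {name: enabler.fetch(loc, client_id) for name, loc in page}
    return rendered, page


def upload(web, enabler, field, data, client_id):
    """Client 10: send data to the enabler first, then follow the redirect."""
    redirect = enabler.store(data, client_id)
    web.handle_redirect(redirect, field, client_id)
    return redirect
```

A locator here works as a bearer capability: whoever presents it first gets the data, which is why the example binds it to a client and retires it on first use rather than treating it as a plain address.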

Claims

What is claimed is:
1. A method for downloading data from a back-end resource to a client via network-based client-accessible systems containing web servers, comprising the steps of: sending a client-originated request from the client to the back-end resource via a client-accessible system; issuing at least one back-end resource locator and passing it to a web server; formatting a web page with the resource locators and passing it to the client; and reading the web page and retrieving the data over secure connections according to the resource locators.
2. A method as set forth in claim 1, where the step of retrieving the data over secure connections according to the resource locators comprises the step of bypassing the web server.
3. A method as set forth in claim 1, where the step of requesting retrieval of the data comprises the step of authenticating the client.
4. A method for uploading data from a client to a back-end resource via network-based client-accessible systems containing web servers, comprising the steps of: establishing a secure session between the client and the back-end resource via a client-accessible system; sending data from the client to the back-end resource via the secure path; issuing a redirect command and a resource locator, and passing them from the back-end resource to the client; executing the redirect command and establishing a session between the client and the web-server; sending the resource locator from the client to the web-server; sending the resource locator from the web-server to the back-end resource; and locating the data at the back-end resource using the resource locator.
5. A method as set forth in claim 4, where the step of sending data from the client to the back-end resource via the secure path comprises the step of bypassing the web server.
6. A method as set forth in claim 4, where the step of establishing a secure session between the client and the back-end resource via a client-accessible system comprises the step of authenticating the back-end resource and/or the client.
7. A system for downloading data from a back-end resource to a client via network-based client-accessible systems containing web servers, comprising: a back-end system comprising a back-end resource; and an enabler, the enabler comprising means for generating at least one resource locator, the resource locator comprising a redirect command corresponding to the back-end resource; and at least one network-based client-accessible system comprising at least one web-server, the web-server comprising means for assembling a web page; and means for incorporating a resource locator in the web page; and a router comprising at least one port corresponding to a redirect command in a resource locator; means for establishing a secure path with the client; and means for communicating with the back-end resource.
8. A system as set forth in claim 7, where the enabler further comprises means for authenticating the client.
9. A system for uploading data from a client to a back-end resource via network-based client-accessible systems containing web servers, comprising: a back-end system comprising a back-end resource; and an enabler, the enabler comprising means for generating at least one resource locator, the resource locator comprising a redirect command corresponding to the back-end resource; and at least one network-based client-accessible system comprising at least one web-server, the web-server comprising means for communicating with the client and the back-end system; and a router comprising means for providing a secure connection between the client and the back-end system.
10. A system as set forth in claim 9, further comprising means for authenticating the client.
PCT/US2000/000701 1999-01-14 2000-01-12 Secure data transfer Ceased WO2000041535A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU29641/00A AU2964100A (en) 1999-01-14 2000-01-12 Secure data transfer between a client and a back-end resource

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11583599P 1999-01-14 1999-01-14
US60/115,835 1999-01-14

Publications (2)

Publication Number Publication Date
WO2000041535A2 true WO2000041535A2 (en) 2000-07-20
WO2000041535A3 WO2000041535A3 (en) 2000-11-02

Family

ID=22363682

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/000701 Ceased WO2000041535A2 (en) 1999-01-14 2000-01-12 Secure data transfer

Country Status (2)

Country Link
AU (1) AU2964100A (en)
WO (1) WO2000041535A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1265144A1 (en) * 2001-06-08 2002-12-11 Hewlett-Packard Company Method and apparatus for providing remote support to a computer user
EP1976181A4 (en) * 2006-01-13 2010-02-24 Huawei Tech Co Ltd A method, apparatus and data download system for controlling the validity of the download transaction
US8078670B2 (en) 2003-06-02 2011-12-13 Hewlett-Packard Development Company, L.P. Method and apparatus for providing support for an electronic device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6058250A (en) * 1996-06-19 2000-05-02 At&T Corp Bifurcated transaction system in which nonsensitive information is exchanged using a public network connection and sensitive information is exchanged after automatically configuring a private network connection
AU8050298A (en) * 1997-06-17 1999-01-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for accessing and retrieving messages

Also Published As

Publication number Publication date
WO2000041535A3 (en) 2000-11-02
AU2964100A (en) 2000-08-01

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase