DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0027] As illustrated in FIG. 1, at least one known network-connected device 10 is provided. Network-connected devices 10 may include a number of digital devices that provide connectivity to a network of computers. For example, network-connected device 10 may include a known WAP device, cell phone, PDA or the like.
[0028] The network-connected device 10 is connected to the Internet in a manner that is known. Specifically in relation to FIG. 1, the connection of a network-connected device 10 that is a known WAP device to the Internet is illustrated, whereby a known WAP to WEB gateway 107 is provided, in a manner that is also known.
[0029] Also connected to the Internet 12, is a web server 106 which is provided using known hardware and software utilities so as to enable provisioning of the network-connected device 10, in a manner that is known. Web server 106 is connected to a database 14 in a manner that is known, including for storing data received from network-connected devices 10. Web server 106 also includes a web application 16. The web application 16 provides a number of functions. First, the web application 16 provides a web page 18 accessible via the Internet 12. Second, the web application 16 is adapted to provision the network-connected devices 10. The provisioning contemplated by the present invention may include any manner of data transactions such as e-commerce transactions, on-line prescriptions, secure messaging, transfer of patient files, data transactions involving sensitive corporate information or sensitive government information, etc. Third, the web application 16 is adapted to execute the PKI operations referenced below.
[0030] Each of the network-connected devices 10 also includes a browser 20. The browser can be a standard Internet based browser, such as Netscape's Navigator™ or Microsoft's Internet Explorer™ or a known mini browser for wireless products such as cell phones or PDAs.
[0031] Each of the network-connected devices 10 also includes the application 22 of the present invention. In one particular embodiment of the present invention, application 22 is best understood as a browser extension or plug-in that is provided in a manner that is known. Specifically, the application 22 and the browser 20 inter-operate by means of, for example, customized HTML tags.
[0032] It should also be understood, however, that the resources of the application 22 could also be provided by integration of the features of the application 22 in a browser or mini-browser, as opposed to a standalone application.
[0033] Application 22 preferably provides necessary resources, as particularized below, to function with any third party PKI system, including for example, ENTRUST™, MICROSOFT™, BALTIMORE™, RSA™ and so forth.
[0034] Application 22 includes a cryptographic utility 24, provided in a manner that is known, that is adapted to perform at network-connected device 10 a series of cryptographic operations, including but not limited to:
[0035] Digital signature of data in form fields;
[0036] Encryption of data in form fields;
[0037] Decryption of data in form fields;
[0038] Verification of signature of data in form fields;
[0039] Digital signature and encryption of data in form fields;
[0040] Verification of Digital signature and decryption of data in form fields;
[0041] Digital signature of full pages;
[0042] Verification of digital signature of full pages; and
[0043] Encryption of full pages.
[0044] The system of the present invention is best understood as an overall system for providing PKI enabled data transactions between one or more network-connected devices 10 and a web server 106. Another aspect of the present invention is the system provided by each of the network-connected devices 10 including the application 22 of the present invention, for PKI enabled data transactions with the web server 106. Yet another aspect of the present invention is a system provided by the web server 106 including the web application 16, for PKI enabled data transactions with the network-connected devices 10.
[0045] It should be understood from the above that an important advantage of the present invention is that it permits a wide range of PKI operations, including at a wireless device, which permits flexible PKI enablement of a wide variety of data transactions.
[0046] Posting Data on a Secure Basis
[0047] FIG. 2A and FIGS. 5 and 6 illustrate the operation of the present invention in relation to PKI enabled data transactions as between a network-connected device 10, namely a WAP device or Web browser, on the one hand, and web server 106 on the other.
[0048] User, on a network-connected device 10, requests web page 18 from the web server 106 by connecting to web server application 16. Web application 16 presents a specific web page 18 responsive to the request from the network-connected device 10. The web page 18 is downloaded to the User through network-connected device 10. Specifically in relation to a network-connected device 10 that is a WAP device, web page 18 is downloaded to the WAP device's browser through the WAP to Web gateway 107 as illustrated in FIG. 1, in a manner that is known. WAP to Web gateway 107 functions as a translator in that it converts wireless device requests to web protocol (HTTP) requests. This translation enables User on the WAP device to access the web page 18 via the wireless network 108, again as illustrated in FIG. 1.
[0049] It should be understood that the present invention also contemplates PKI enabled data communications with other users associated with other network-connected devices 10. One or more of these other network-connected devices 10 may be a typical personal computer having a known web browser, and connected to the Internet 12 in a manner that is known, as also illustrated in FIG. 1.
[0050] In one particular embodiment of the present invention, web page 18 includes a web form 26 in a known format preferably including a plurality of fields. The present invention contemplates a series of web forms 26, each being identified by a “SUBJECT” or equivalent, depending on the function of the web form 26, as explained below. In one particular embodiment of the web form 26 of the present invention, web form 26 comprises mark-up language representing the required input from User, and instructions for cryptographic utility 24 to conduct certain specific cryptographic operations for the particular web form 26, as described below. One aspect of a particular embodiment of the present invention is that certain of these instructions, and resultant cryptographic operations, may apply to specific fields included in the web form 26.
[0051] The web form 26 is also provided, in a manner that is known, with triggers or instructions that are received by web application 16 for executing functions using the data provided by User to the web form 26, as also particularized below. Again, these triggers or instructions may result in operations by web application 16 involving data contained in particular fields of web form 26. These operations effectively permit PKI enabled Internet provisioning in accordance with the present invention.
[0052] User provides the data requested by web form 26 and then either the application 22 or the User will determine the location of the Recipient of this data. It should be understood that in some implementations of the present invention, the Recipient will be web server 106. In other implementations of the present invention, the Recipient will be one or more remote network-connected devices 10, also including the application 22 of the present invention. Or the Recipient may be both one or more remote network-connected devices 10 and web server 106. User and Recipient may also be individuals, for example, a doctor communicating with a patient for the purposes of secure on-line approval of a prescription.
[0053] In either case, the User submits the web form 26, typically by clicking on a “SUBMIT” button or equivalent, for sending the contents thereof to the Recipient. The cryptographic utility 24 is responsive to this action to perform a number of functions which are described below. It should be understood that the steps or functions described below could be combined into a lesser number of steps or functions, or expanded to a greater number of steps or functions, without departing from the scope of the present invention.
[0054] Cryptographic utility 24 gathers from the memory 28 certain cryptographic operation parameters corresponding to the “SUBJECT” of the particular web form 26, including common name, distinguished name, email address or other information of User and/or Recipient; cryptographic mode, and the specific web form 26 fields to operate on.
[0055] Cryptographic utility 24 contacts a known Certificate Authority 103 via the communication facility (not shown) provided by network-connected device 10 to obtain information required to provide PKI enabled data to web server 106. Specifically, Certificate Authority 103 controls a Directory 105 that is also connected to the Internet that functions in a manner that is known. Cryptographic utility 24 retrieves certificates for the Recipient from Directory 105 associated with Certificate Authority 103.
[0056] Cryptographic utility 24 also interfaces with a known Certificate Revocation List 34, also associated with the Certificate Authority 103, to validate the Recipient's certificate, check for expiration, check for revocation, and also to obtain key usage data to permit use of the Recipient's certificate to conduct a PKI process.
[0057] Cryptographic utility 24 authenticates the User for PKI transaction, including for the purpose of preparing for use of the User's private key for digitally signing data included in web form 26 (as explained below).
[0058] Cryptographic utility 24 then conducts a series of cryptographic operations which generally include signing data included in web form 26 and/or encryption thereof. It should be understood that in the present invention, cryptographic utility 24 is adapted to perform specific cryptographic operations in relation to specific fields of web form 26 because they are marked for processing by the coding included in web form 26. For example, a particular web form 26 may call for each specified data element to be encoded in PKCS#7 format, or using some other custom data format involving digitally signing and/or encrypting. Data in other fields may remain unmodified.
[0059] This permits fields with sensitive data, for example, to be processed on an encrypted and/or digitally signed basis, while other fields with less sensitive data may remain unencrypted and unsigned. This conserves bandwidth, as well as memory resources wherever the data included in the web form 26 may be received. This also allows flexibility in terms of data management in that less sensitive data can be “mined” while protecting sensitive data.
[0060] Cryptographic utility 24 then builds a Web compliant “POST” data structure in a manner that is known (HTTP 1.1 for example), comprising for example field name and clear or cipher text value pairs. This “POST” data structure is then sent to the web server 106. Web application 16 is then adapted to process the data in web form 26 in a manner that is known, in accordance with the particular processes associated with a particular “SUBJECT” defined web form 26. This may involve confirming digital signatures associated with particular fields, and decrypting and processing data in particular fields. One important aspect of a particular embodiment of the present invention is that the web application 16 in accordance with the present invention is adapted to store data in particular fields in an encrypted format to database 14. This improves the security that the present invention provides overall in that third parties cannot obtain data sent in accordance with the present invention, even by hacking into web server 106 or database 14.
[0061] Retrieving Data on a Secure Basis
[0062] In another aspect of the present invention, retrieval of data stored in database 14 at one or more network-connected devices 10 is provided on a PKI enabled basis.
[0063] It should be understood that the steps or functions described below could be combined into a lesser number of steps or functions, or expanded to a greater number of steps or functions, without departing from the scope of the present invention.
[0064] Generally the retrieval of data on a secure basis in accordance with the present invention will involve a Recipient of the data, but also a Sender of the data.
[0065] Recipient, on a network-connected device 10, requests web page 18 from the web server 106 by connecting to web server application 16. Web application 16 presents a specific web page 18 responsive to the request from the network-connected device 10. The web page 18 is downloaded to the user through network-connected device 10. As stated earlier, specifically in relation to a network-connected device 10 that is a WAP device, web page 18 is downloaded to the WAP device's browser through the WAP to Web gateway 107 as illustrated in FIG. 1, in a manner that is known. WAP to Web gateway 107 functions as a translator in that it converts wireless device requests to web protocol (HTTP) requests. This translation enables user on the WAP device to access the web page 18 via the wireless network 108, again as illustrated in FIG. 1.
[0066] It should be understood that the present invention also contemplates PKI enabled data communications with other users associated with other network-connected devices 10. One or more of these other network-connected devices 10 may be a typical personal computer having a known web browser, and connected to the Internet 12 in a manner that is known, as also illustrated in FIG. 1.
[0067] The present invention contemplates that secure data from web server 106 will come in numerous different forms, depending on the precise nature of the implementation of the present invention. Each such particular form will also generally be identified by a “SUBJECT” or equivalent, depending on the use of the data received at the particular network-connected device 10.
[0068] In one particular embodiment of the web page 18 containing secure data, the web page 18 also comprises mark-up language representing the output, and instructions for cryptographic utility 24 to conduct certain specific cryptographic operations in relation to the web page 18, as described below. One aspect of a particular embodiment of the present invention is that certain of these instructions, and resultant cryptographic operations, may apply to specific data included in web page 18.
[0069] Once the web page 18 is loaded to browser 20, the cryptographic utility 24 is engaged such that cryptographic functions described below are processed.
[0070] Cryptographic utility 24 gathers from the memory 28 certain cryptographic operation parameters corresponding to the “SUBJECT” of the particular web page 18, including common name, distinguished name, email address or other information of User and/or Recipient; cryptographic mode, and the specific web mark up tags to operate on, thereby identifying specific data in the web page 18 for cryptographic processing.
[0071] Cryptographic utility 24 contacts Certificate Authority 103 via the communication facility (not shown) provided by network-connected device 10 to obtain the PKI enabled data included in web page 18.
[0072] As mentioned earlier, Certificate Authority 103 operates a Directory 105 that is connected to the Internet. Cryptographic utility 24 retrieves certificates for the Sender and the Recipient from the Directory 105 in a manner that is known.
[0073] Cryptographic utility 24 also interfaces with a known Certificate Revocation List 34, also associated with the Certificate Authority 103, to retrieve the Certificate Revocation List 34.
[0074] Cryptographic utility 24 then authenticates the Recipient for PKI transaction, and in preparation for use of the Recipient's private key for decryption.
[0075] The cryptographic utility 24 then validates the Recipient's certificate, checks for expiration, checks for revocation, and also obtains key usage data to permit use of the Recipient's certificate to conduct a PKI process. The cryptographic utility 24 also validates the certificate of the Sender, and the integrity of the Sender's public key and appropriate usage of such public key to permit the PKI operations referenced below. All of this is provided in a manner that is known.
[0076] Cryptographic utility 24 then conducts a series of cryptographic operations which generally include decryption of data, and digital signature verification. It should be understood that in the present invention, cryptographic utility 24 is adapted to perform specific cryptographic operations in relation to specific batches of data included in the web page 18 marked for processing in the mark-up language included in the web page 18. In this manner, each specified data element could be decoded in PKCS#7 format, or using some other custom data format involving decryption and/or signature verification. Also, cryptographic utility 24 permits cipher-text in the web page 18 to be selectively decoded and displayed in clear text.
[0077] It should be understood that the data in relation to which the cryptographic operations referenced above are conducted may include all forms of data, including for example images such as gifs or jpgs. Therefore, another aspect of the present invention is a system, computer product and method for decrypting and displaying images, including at a wireless device.
[0078] This permits fields with sensitive data, for example, to be retrieved on an encrypted and/or digitally signed basis, while other fields with less sensitive data may remain unencrypted and unsigned. This conserves bandwidth, as well as memory resources wherever the data included in the web form 26 may be received. This also encourages flexibility in data management procedures such that less sensitive data can be mined, while sensitive data is stored on a secure basis.
[0079] When considered together, FIGS. 3 to 6 illustrate that the basic architecture of the system of the present invention is designed to promote interoperability between wireless and web based wired devices. Therefore the present invention permits PKI enabled data to be transmitted and received from one wireless device to another, from a wireless device to a wired web device, and conversely from a wired web device to a wireless device.
[0080] Another aspect of the present invention is therefore a method for allocating data resources as between the web server and a wireless device such that PKI is provided on the wireless device. More specifically, the present invention permits user keys and certificates to be easily processed on a wireless device by means of a cryptographic utility that is loaded on the wireless device. The application of the present invention permits a wide range of cryptographic operations to be supported at wireless devices by means of a relatively small computer program. This permits rapid and inexpensive deployment of technology solutions that involve the use of PKI enabled data, including in relation to both wired and wireless networks.
[0081] The present invention also provides for persistent field level encryption on a selective basis throughout an Internet-based data process. This promotes efficient utilization of resources by invoking PKI operations in relation to specific elements of an Internet-based data process where security/authentication is most needed.
[0082] The present invention also provides a set of tools whereby PKI capability is added to a browser in an efficient manner.
[0083] The present invention also permits expansion of the use of web enabled applications, including at wireless devices, by providing means for client-side user authentication and cryptography. The present invention therefore provides means for PKI enablement of web applications.
[0084] The present invention should also be understood as a set of tools for complying with legal digital signature requirements, including in association with a wireless device. Specifically, the present invention allows a user to review and sign messages and transactions in a mini browser such that such messages or transactions will be legally binding.
[0085] The present invention also permits the design and implementation of Internet-based data processes whereby specific data can be sent to a remote database on an encrypted basis, and stored on an encrypted basis, including at field level.
[0086] A further aspect of the present invention is a solution to the “man in the middle” security hole of proxy based gateways between Internet and wireless networks.
[0087] Still another aspect of the present invention is a method for permitting applications to inter-operate between wireless and Internet based or other networks.
[0088] In addition to the preferred embodiment, other variations of the invention are possible, provided that data security and authentication are present.
[0089] In addition, a system, computer product and method for decrypting and displaying encrypted images in a browser is provided.