Secure processing of client system credentials for accessing Web-based resources

FIELD: information technology.

SUBSTANCE: a registration page with an interface for entering user credentials is presented on the client system, and the entered credentials are sent to the server. In response to receiving the user credentials, the server generates a unique session identifier for the client system. The server also derives a digital signature for the user credentials based on the current key in a store of cyclically rotated keys (the rotating key store) and the unique session identifier. The server then encrypts the digital signature and the user credentials with an encryption key derived from the current key and the unique session identifier. When the encrypted credentials are received back from the client system, the keys in the rotating key store are used to check the validity of the credentials. If the user credentials are not validated, the user is redirected to the registration page.

EFFECT: secure processing of encrypted user credentials.

12 cl, 7 dwg


Background of the invention

References to related applications

This application claims the priority of U.S. provisional patent application No. 60/428,152, filed November 20, 2002, entitled "System and method for authentication based on cookies (a cookie stored on the client system)", and that prior application is hereby incorporated into this description by reference.

The technical field

The present invention relates to computer networks, and more particularly to the secure processing of client system credentials used to access resources on the Web.

Prior art

Computer systems and related technology affect many aspects of society. Indeed, the ability of computer systems to process information has transformed the way people live and work. Computer systems now commonly perform many tasks (e.g., word processing, scheduling, database management) that before the advent of computers had to be done manually. Later, computer systems were connected to each other to form both wired and wireless computer networks, in which computer systems can exchange electronic information to share data. As a result, many of the tasks performed on a computer system (e.g., voice communication, access to electronic mail, electronic conferencing, viewing Web pages on the Internet) include the electronic exchange of information with one or more other computer systems via wired and/or wireless computer networks.

In particular, e-mail has become an important means of communication. E-mail systems typically include an e-mail client component and an e-mail server component. These components are typically software applications configured to execute on computer systems (for example, servers, personal computers (PCs), laptop computers and personal digital assistants (PDAs)). The e-mail client component and the e-mail server component are typically designed and configured specifically to work with each other. The e-mail client component and the e-mail server component generally communicate with each other using specialized protocols, such as RPC (remote procedure call), which allow, for example, an application program on the client computer system to execute a program on a server computer system. For example, an e-mail client component can send a message with the appropriate arguments (parameters) to the e-mail server component, and the e-mail server component will return the e-mail message.

Some types of e-mail servers are configured to allow access to e-mail through a "zero-touch" client system, such as a client computer system with a Web browser, rather than a specialized e-mail client. With these types of e-mail servers, the Web browser interacts with the e-mail server, and any functions that are required to run on the client system run through the Web browser. For example, the client computer system can download instructions and scripts in hypertext markup language (HTML), dynamically generated by a technology such as active server pages, that allow the Web browser to interact with the e-mail server. Thus, a browser-based "zero-touch" client system allows a user to access their e-mail and other related mail information (such as calendars and shared folders) on any server computer system that is connected to a common network (e.g., the WWW) with the browser-based "zero-touch" client system. Accordingly, protocols such as, for example, the HTTP protocol (hypertext transfer protocol), which are used to access Web-based content on the WWW, can be used to access e-mail and other related mail information.

However, browser-based access to e-mail and other related mail information also leads to potential security problems, some of which are associated with the caching of credentials (account settings of the user, generated after successful authentication) in the memory of the Web browser. In a Web environment, content and requests for content are generally transported using the HTTP protocol. For example, an HTTP request to access content is initiated by the user in the browser-based client system and then sent from the browser-based client system over the network. The request is then received by a Web server on the server computer system, which processes the request to determine whether the user of the browser-based client system is authorized to access the requested content. If the user is authorized to access the requested content, the Web server sends the content back to the browser-based client system in an HTTP message.

Some versions of the HTTP protocol (for example, HTTP/1.0) do not use state information. That is, an HTTP transfer (for example, a request for an e-mail message) is performed without the server's knowledge of any previous transfer (for example, other previous requests for e-mail). As such, these versions of the HTTP protocol do not support the concept of a "session", in which the user must register at login ("log-in") and logout ("log-out"). Other versions of the HTTP protocol (for example, HTTP/1.1) support "keep-alive" messages that are sent between the client system and the server system to maintain the activity of the HTTP connection. However, the use of keep-alive messages is somewhat unreliable, and even when keep-alive messages are used there is no guarantee that the HTTP connection can be kept active. In addition, since requests from client systems often pass through intermediary proxy servers that share their active connections among multiple users, the server has no way to determine whether a received request was sent by a previously authenticated client system. Accordingly, regardless of whether the HTTP transfer does not use state information or uses keep-alive messages, each request for access to content that is transported via the HTTP protocol (an "HTTP request") must include the appropriate HTTP authentication information.

Accordingly, HTTP authentication information can be included in HTTP requests through a special header called the WWW-Authorization header, which has the following format: "WWW-Authorization: [Authentication Type] [Credentials]". The first time a Web browser tries to access content that requires authentication (for example, the presentation of user-entered credentials), the Web server typically fails to provide the requested content and instead returns an HTTP message with status 401 "Not authorized". The HTTP response message includes a header with the format: "WWW-Authenticate: [Authentication Method] [realm=realm value] [Supporting information]".

When the Web browser receives the HTTP response message, it presents a dialog window requesting credentials, such as a user name and a password. After the user enters the credentials, the Web browser resends the original HTTP request with a WWW-Authorization header that includes the entered credentials. If the Web server accepts the user-entered credentials as valid and returns the requested content (e.g., e-mail), the Web browser caches the user-entered credentials in the browser's memory. Thus, on subsequent requests to the same URL (uniform resource locator) or to a corresponding derived relative URL associated with the same content, the cached credentials are retrieved from the browser's memory and included in the corresponding HTTP WWW-Authorization header. Accordingly, even though the HTTP protocol does not use state information, the user is freed from having to re-enter credentials for each request to the same or a derived relative URL.

Unfortunately, Web browsers typically keep cached credentials in browser memory essentially indefinitely, until the Web browser is exited (by closing the Web browser, or by rebooting or shutting down the computer system or client device). Thus, the credentials of a user who had access to protected content may remain cached in the browser's memory after the user no longer uses the Web browser. If a privileged user leaves the computer system, another, unprivileged user can sit down at it and use the browser's back function or history tool in an attempt to access the protected content. Since the credentials of the privileged user are still cached in the browser's memory, the Web browser will retrieve the cached credentials and submit them with the unprivileged user's request for access to the protected content. Thus, an unprivileged user can access the protected content without having to enter any credentials in the Web browser.

Cached credentials can be particularly problematic in locations where there are public computers and/or computer systems that do not allow the Web browser to be closed. An example of such a computer system is an Internet kiosk (a computer connected to the Internet and shared among users). Internet kiosks are often located in places of public access, such as libraries, Internet cafes and conference centers, to provide public access to the Internet. Internet kiosks are designed to allow any user who approaches the kiosk to get fast access to the Internet without first finding and starting the Web browser. Accordingly, many Internet kiosks are configured so that the Web browser is always active and cannot be closed.

Although this provides efficient access to the Internet, it leads to cached credentials remaining in the browser's memory essentially indefinitely. For example, if a privileged user enters credentials (for example, to access protected content) at an Internet kiosk, the credentials of the privileged user are cached in the browser's memory. Because the Web browser is not closed, there is essentially no way to delete the cached credentials without removing power from the kiosk. Thus, even if the privileged user knows how to clear the cached credentials (for example, by closing the Web browser), the privileged user may not be able to do so.

The use of cached credentials to access protected content is particularly significant for browser-based e-mail applications. For example, an unprivileged user may be able to page back through the browser history to gain access to the e-mail of a privileged user, which could contain sensitive data. In addition to giving access to the privileged user's e-mail, the cached credentials also allow an unprivileged user to impersonate the privileged user. For example, an unprivileged user may be able to send e-mail from the account associated with the privileged user.

A possible solution to this problem is to force users to re-authenticate every time content is requested. However, this would require users to manually enter authentication information for each HTTP request for access to content. Since a typical interaction with a Web site may consist of tens or even hundreds of HTTP requests, the user would need to re-enter credentials tens or hundreds of times. Thus, re-entering credentials for each HTTP request for access to content would significantly increase the amount of time and data involved. This solution is too cumbersome for most users, who prefer to enter their credentials once per session. Therefore, systems, methods and computer program products for the secure processing of client credentials used to access resources on the Web would be preferable.

The invention

The above-mentioned problems inherent in the prior art are overcome by the principles underlying the present invention, which are directed to methods, systems, computer program products and data structures for the secure processing of client credentials used to access resources on the Web. A client computer system (hereinafter referred to as the "client") and a server computer system (hereinafter referred to as the "server") are connected to a public network, such as, for example, the Internet. The server is configured to provide access to resources such as, for example, e-mail and related e-mail data. The client is configured with a browser that can request access to Web-based resources and present Web-based resources to a user of the client computer system.

The client sends a first request to access a resource on the server. For example, the client may send a request to access an e-mail message stored on the server. The server receives the first request and, because the client is not authenticated, redirects the client to a registration page in response to receiving the first request. Redirecting the client may include transmitting from the server to the client a response that contains a redirect indicator (for example, an HTTP message with status code 302 "Moved Temporarily") together with a uniform resource identifier (URI) of the registration page. The registration page can be an active server page (ASP) that provides an interface for a user of the client computer system to enter the user's credentials. The client accesses the registration page and uses it to submit the user credentials to the server. The client may submit the credentials, for example, using SSL (secure socket layer) to protect the HTTP transmission.

The server receives the submitted credentials. The server sends back encrypted information that represents the user credentials and a time-dependent digital signature. The server may send the encrypted information after delegating authentication of the submitted credentials to an authority entitled to perform authentication. The server generates the encrypted information using a key from a store of cyclically rotated keys (the rotating key store). Each key in the rotating key store automatically expires after a certain time interval (for example, 10 minutes). After the time interval, the server can introduce a new key into the rotating key store and remove the expired key from the rotating key store. The number of keys kept in the rotating key store and the time interval can be configured by an administrator.

When it receives the user credentials, the server associates the user credentials with a unique identifier (for example, a globally unique identifier, GUID). The server derives a signature key, which can be used to digitally sign data, by hashing (e.g., using the SHA-1 or MD5 hashing algorithm) the combination of the most recent key in the rotating key store, the unique identifier and a first constant sequence. The server then uses the signature key to generate a digital signature (for example, a hashed message authentication code, HMAC) over the combination of the unique identifier and the user credentials.

The server also derives an encryption key, which can be used to encrypt data, by hashing the combination of the most recent key in the rotating key store, the unique identifier and a second constant sequence. The server then uses the encryption key to encrypt the combination of the digital signature and the user credentials into the encrypted information. The server transmits the unique identifier and the encrypted information to the client. The client receives the unique identifier and the encrypted information and stores them (e.g., in corresponding cookies, identification files stored on the client system).

The client sends a second request, which includes the unique identifier and the encrypted information, to access the resource on the server. The server receives the second request and tries to validate the user credentials using the most recent key in the rotating key store. The server derives a decryption key, which can be used to decrypt data, by hashing the combination of the most recent key in the rotating key store, the unique identifier and the second constant sequence. The server uses the decryption key to decrypt the encrypted information, thereby revealing the digital signature and the user credentials. The server derives a validation key, which can be used to validate data, by hashing the combination of the most recent key in the rotating key store, the unique identifier and the first constant sequence. The server uses the validation key to obtain a validation digital signature over the combination of the unique identifier and the user credentials.

The server compares the validation digital signature with the digital signature. If the validation digital signature and the digital signature match, the user credentials are validated. On the other hand, if the validation digital signature and the digital signature do not match, the user credentials are not validated. If the user credentials are not validated using the most recent key in the rotating key store, the next most recent key in the rotating key store is used in an attempt to validate the user credentials (for example, by using the penultimate key to derive the decryption key and the validation digital signature). The server may attempt to validate the user credentials using each key in the rotating key store. Validated user credentials are sent to the module (e.g., the e-mail server) that controls access to the requested resource (e.g., e-mail).

If the user credentials are validated using a key from the rotating key store that is not the most recent key, the server determines that updated encrypted information must be derived. The server uses the most recent key in the rotating key store to derive the updated encrypted information (for example, by deriving an updated digital signature and an updated encryption key from the most recent key). If the validated user credentials are accepted, the requested resource and, if required, the updated encrypted information are returned to the client. The client receives the resource and the updated encrypted information. The client stores the updated encrypted information, overwriting the previous encrypted information corresponding to the unique identifier. If the user credentials cannot be validated using any of the rotated keys in the rotating key store, the client is redirected to the registration page, where new user credentials must be entered.

In some embodiments, the registration page includes an interface for selecting communication properties (for example, support for gzip compression, whether the client computer system is a private or an untrusted client, whether the client is a rich client or would rather receive simplified content), which can change how HTTP messages are processed. Communication properties selected on the registration page are sent to a communication filter to specify how the HTTP transmissions of the client should be handled. The selected communication properties are received on the server.

The server queries the client to determine whether the selected communication properties are supported by the client system, and to identify other relevant communication properties. The server configures the communication filter to process HTTP transmissions to the client system in accordance with any selected communication properties and any other relevant communication properties identified as supported by the client system. When the client is not in a protected location, the server may use a different rotating key store, which has a shorter rotation period and keeps a reduced number of keys.

Further features and advantages of the invention are set forth in the following description, and will be partly obvious from the description or may be learned by practicing the invention. The features and advantages of the invention may be realized and obtained by means of the mechanisms and combinations particularly pointed out in the claims. These and other features of the present invention will become clear from the following description and claims, or may be learned by practicing the invention.

Brief description of drawings

In order to describe the manner in which the above-described and other advantages and features can be obtained, a more particular description of the invention briefly described above will be given with reference to specific embodiments that are illustrated in the accompanying drawings. Because these drawings depict only typical embodiments of the invention and therefore should not be construed as limiting its scope, the invention will be described and explained with additional specificity and detail using the illustrative drawings, which show the following:

Fig. 1 is a suitable operating environment for implementing the principles of the present invention.

Fig. 2A is an example of a network architecture that provides protected credentials from the client system when the client requests access to a resource on the server, in accordance with the present invention.

Fig. 2B is an example of a network architecture that uses protected credentials from the client system to access a resource on the server, in accordance with the present invention.

Fig. 3 is an example flowchart of a method of providing protected credentials from the client system when the client requests access to a resource on the server, in accordance with the principles of the present invention.

Fig. 4 is an example flowchart of a method of using protected credentials from the client system to access a resource on the server, in accordance with the present invention.

Fig. 5 is an example flowchart of a method of determining the communication properties associated with the client, in accordance with the principles of the present invention.

Fig. 6 is an example of a registration page that accepts credentials and selections of communication properties, in accordance with the principles of the present invention.

Detailed description of preferred embodiments of the invention

The principles of the present invention provide secure processing of client credentials used to access resources on the Web. The server maintains at least one store of cyclically rotated keys (the rotating key store) holding one or more keys. Each key in the rotating key store automatically expires after a specific time interval (for example, ten minutes). After the time interval, the server introduces a new key into the rotating key store and removes the expired key from the rotating key store. The number of keys kept in the rotating key store and the time interval can be configured by an administrator (for example, there are three keys and the keys are rotated every five minutes). The server protects the user credentials by generating a digital signature over the user credentials and encrypting the user credentials based on the keys in the rotating key store.

A registration page with an interface for entering user credentials is presented on the client system. The user credentials entered on the client system are sent to the server. In response to receiving the user credentials, the server generates a unique session ID for the client. The server derives a digital signature for the user credentials based on the most recent key in the rotating key store and the unique session ID. The server then encrypts the digital signature and the user credentials with an encryption key derived from the most recent key in the rotating key store and the unique session ID. When the encrypted credentials are returned by the client, the keys in the rotating key store are used in an attempt to validate the credentials. If the key from the rotating key store that was originally used to encrypt the user credentials has been removed from the rotating key store, the client is redirected to the registration page to enter new credentials.
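The issue-and-validate cycle described in the summary above (signature key and encryption key both derived from the most recent rotating key, the session ID and a constant; validation tried against each key newest to oldest; re-encryption under the newest key when an older key validated; redirect when no key works) as an added Python example that is not part of the patent. The constant sequences, the 32-byte random keys and the hash-based stand-in cipher are assumptions; the patent names SHA-1/MD5 and HMAC but does not specify the cipher.

```python
import hashlib
import hmac
import secrets
import time
import uuid
from collections import deque
from typing import List, Optional, Tuple

# The "first" and "second constant sequences" mixed into the key derivations.
# Values are assumed; the patent only requires that the two constants differ.
SIGN_CONST = b"rotating-key-store/sign"
ENC_CONST = b"rotating-key-store/encrypt"
SIG_LEN = hashlib.sha256().digest_size  # bytes occupied by the HMAC in the blob


class RotatingKeyStore:
    """Store of cyclically rotated keys: newest first, the oldest key is dropped
    when a new one is introduced (e.g. three keys rotated every five minutes)."""

    def __init__(self, num_keys: int = 3, interval_s: float = 300.0):
        self.interval_s = interval_s
        self._keys: deque = deque(maxlen=num_keys)
        self._last_rotation = time.monotonic()
        self.rotate()

    def rotate(self) -> None:
        """Introduce a fresh random key; deque(maxlen) discards the expired one."""
        self._keys.appendleft(secrets.token_bytes(32))  # key size is an assumption
        self._last_rotation = time.monotonic()

    def rotate_if_due(self) -> None:
        if time.monotonic() - self._last_rotation >= self.interval_s:
            self.rotate()

    def latest(self) -> bytes:
        return self._keys[0]

    def keys_newest_first(self) -> List[bytes]:
        return list(self._keys)


def _derive(key: bytes, session_id: bytes, const: bytes) -> bytes:
    # Signing or encryption key = hash(rotating key || session id || constant).
    return hashlib.sha256(key + session_id + const).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a hash-based counter keystream.
    Assumed for the example only; a deployment would use a real block cipher."""
    out = bytearray()
    for offset in range(0, len(data), SIG_LEN):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + SIG_LEN], pad))
    return bytes(out)


def _seal(key: bytes, session_id: bytes, credentials: bytes) -> bytes:
    """signature = HMAC(sig_key, session_id || credentials);
    blob = Enc(enc_key, signature || credentials), both keys derived from `key`."""
    sig_key = _derive(key, session_id, SIGN_CONST)
    signature = hmac.new(sig_key, session_id + credentials, hashlib.sha256).digest()
    enc_key = _derive(key, session_id, ENC_CONST)
    return _keystream_xor(enc_key, signature + credentials)


def issue(store: RotatingKeyStore, credentials: bytes) -> Tuple[bytes, bytes]:
    """Server side of the registration page: bind the credentials to a new
    session id (GUID) and seal them under the most recent key. Both values are
    returned to the client, which stores them in cookies."""
    store.rotate_if_due()
    session_id = uuid.uuid4().bytes
    return session_id, _seal(store.latest(), session_id, credentials)


def validate(store: RotatingKeyStore, session_id: bytes,
             blob: bytes) -> Optional[Tuple[bytes, Optional[bytes]]]:
    """Server side of every later request. Tries each key newest to oldest.
    Returns (credentials, refreshed_blob): refreshed_blob is None when the most
    recent key already validated the ticket, otherwise a re-seal under the most
    recent key that the client should store in place of `blob`. Returns None
    when no key validates, which is the signal to redirect to the login page."""
    store.rotate_if_due()
    if len(blob) < SIG_LEN:
        return None
    for index, key in enumerate(store.keys_newest_first()):
        plain = _keystream_xor(_derive(key, session_id, ENC_CONST), blob)
        signature, credentials = plain[:SIG_LEN], plain[SIG_LEN:]
        sig_key = _derive(key, session_id, SIGN_CONST)
        expected = hmac.new(sig_key, session_id + credentials, hashlib.sha256).digest()
        if hmac.compare_digest(signature, expected):
            refreshed = None if index == 0 else _seal(store.latest(), session_id, credentials)
            return credentials, refreshed
    return None
```

Because the session id is an input to both derived keys, a blob presented with a different session id fails validation even while its original key is still in the store.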

Embodiments within the scope of the present invention include machine-readable media for carrying or storing machine-readable instructions or data structures. Such machine-readable media can be any available media that can be accessed by a general-purpose or special-purpose computer system. By way of example, and not limitation, such machine-readable media can comprise physical storage media such as RAM, ROM, EEPROM (electrically erasable programmable read-only memory), CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other media that can be used to carry or store desired program code means in the form of executable computer instructions or data structures and that can be accessed by a general-purpose or special-purpose computer system.

In this description and in the following claims, the term "network" is defined as one or more data links that enable the transport of electronic data between computer systems and/or modules. When information is transferred or provided over a network or another communications connection (either wired, wireless, or a combination of wired and wireless) to a computer system, the connection is properly viewed as a machine-readable medium. Thus, any such connection is properly termed a machine-readable medium. Combinations of the above should also be included within the scope of machine-readable media. Machine-readable instructions comprise, for example, instructions and data which cause a general-purpose computer system or special-purpose computer system to perform a certain function or group of functions. Executable computer instructions may be, for example, binary instructions, intermediate format instructions such as assembly language, or even source code.

In this description and in the following claims, the term "computer system" is defined as one or more software modules, one or more hardware modules, or combinations thereof, which work together to perform operations on electronic data. For example, the definition of a computer system includes the hardware components of a personal computer, as well as software modules such as the operating system of the personal computer. The physical layout of the modules is not important. A computer system may include one or more computers connected through a network. Likewise, a computer system may include a single physical device (such as a mobile phone or personal digital assistant) where internal modules (such as a memory and a processor) work together to perform operations on electronic data.

Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including personal computers, laptop computers, handheld devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile phones, personal digital assistants (PDAs), pagers, and the like. The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by wired data links, wireless data links, or a combination of wired and wireless data links) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.

Fig. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention is described in the general context of executable computer instructions, such as program modules, being executed by a computer system. Generally, program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types. Executable computer instructions, associated data structures, and program modules represent examples of program code means for executing the acts of the methods disclosed herein. As shown in Fig. 1, an example system for implementing the invention includes a general-purpose computing device in the form of a computer system 120 that includes a processing unit 121, a system memory 122, and a system bus 123 that couples various system components, including the system memory 122, to the processing unit 121. Processing unit 121 can execute instructions designed to implement the features of computer system 120, including the features of the present invention. The system bus 123 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes ROM 124 and RAM 125. A basic input/output system (BIOS) 126, containing the basic routines that help to transfer information between elements within computer system 120, such as during start-up, may be stored in ROM 124.

Computer system 120 may also include a hard disk drive 127 for reading from and writing to a hard magnetic disk 139, a magnetic disk drive 128 for reading from and writing to a removable magnetic disk 129, and an optical disk drive 130 for reading from or writing to a removable optical disk 131, such as, for example, a CD-ROM or other optical media. Hard disk drive 127, magnetic disk drive 128 and optical disk drive 130 are connected to the system bus 123 by a hard disk drive interface 132, a magnetic disk drive interface 133 and an optical drive interface 134, respectively. The drives and their associated machine-readable media provide non-volatile storage of executable computer instructions, data structures, program modules and other data for computer system 120. Although the example environment described here uses a hard magnetic disk 139, a removable magnetic disk 129 and a removable optical disk 131, other types of machine-readable media for storing data can be used, such as magnetic cassettes, flash memory cards, digital versatile disks, Bernoulli cartridges, RAM, ROM, and the like.

Program code means comprising one or more program modules may be stored on the hard disk 139, magnetic disk 129, optical disk 131, ROM 124 or RAM 125, including an operating system 135, one or more application programs 136, other program modules 137, and program data 138. A user may enter commands and information into computer system 120 through a keyboard 140, a pointing device 142, or other input devices (not shown), such as, for example, a microphone, joystick, game pad, scanner, or the like. These and other input devices can be connected to the processing unit 121 through an input/output interface 146 coupled to the system bus 123. Input/output interface 146 logically represents any of a wide variety of interfaces, such as, for example, a serial port interface, a PS/2 interface, a parallel port interface, a USB (universal serial bus) interface, or an IEEE (Institute of Electrical and Electronics Engineers) 1394 interface (e.g., a FireWire interface, the standard for a high-performance serial bus under IEEE 1394), or may even logically represent a combination of different interfaces.

A monitor 147 or other display device is also connected to system bus 123 via video adapter 148. Speakers 169 or another audio output device are also connected to system bus 123 via interface 149. Other peripheral output devices (not shown), such as printers, can also be connected to computer system 120. Computer system 120 can be connected to networks such as, for example, an office-wide or enterprise-wide computer network, a home network, an intranet and/or the Internet. Through such networks computer system 120 can exchange data with external sources such as remote computer systems, remote applications and/or remote databases.

Computer system 120 includes network interface 153, through which computer system 120 receives data from external sources and/or transmits data to external sources. As shown in Fig. 1, network interface 153 facilitates the exchange of data with remote computer system 183 via communication link 151. Network interface 153 can logically represent one or more software and/or hardware modules, such as a network interface card and the corresponding Network Driver Interface Specification (NDIS) stack. Communication link 151 represents a portion of a network (e.g. an Ethernet segment), and remote computer system 183 represents a node of the network. For example, remote computer system 183 may be a server computer system that provides computer system 120 with access to Web-based resources (e.g. e-mail messages). On the other hand, remote computer system 183 may be a client computer system that accesses Web-based resources from computer system 120.

Likewise, computer system 120 includes input/output interface 146, through which computer system 120 receives data from external sources and/or transmits data to external sources. Input/output interface 146 is coupled via link 159 to modem 154 (e.g. a standard modem, a cable modem or a digital subscriber line (DSL) modem), through which computer system 120 receives data from and/or transmits data to external sources. As shown in Fig. 1, input/output interface 146 and modem 154 facilitate the exchange of data with remote computer system 193 via communication link 152. Communication link 152 represents a portion of a network, and remote computer system 193 represents a node of the network. For example, remote computer system 193 may be a server computer system that provides computer system 120 with access to Web-based resources (e.g. e-mail messages). On the other hand, remote computer system 193 may be a client computer system that accesses Web-based resources from computer system 120.

While Fig. 1 represents a suitable operating environment for the present invention, the principles of the present invention may be employed in any system that is capable, with suitable modification if necessary, of implementing the principles of the present invention. The environment illustrated in Fig. 1 is illustrative only and by no means represents even a small portion of the wide variety of environments in which the principles of the present invention may be implemented.

Modules of the present invention, as well as associated program data, may be stored on and accessed from any of the machine-readable media associated with computer system 120. For example, portions of such modules and portions of associated program data may be included in operating system 135, application programs 136, program modules 137 and/or program data 138 for storage in system memory 122. When a mass storage device, such as hard magnetic disk 139, is coupled to computer system 120, such modules and associated program data may also be stored in the mass storage device. In a networked environment, program modules depicted relative to computer system 120, or portions thereof, can be stored in remote memory storage devices, such as the system memory and/or mass storage devices associated with remote computer system 183 and/or remote computer system 193. Execution of such modules may be performed in a distributed environment as previously described.

Fig. 2 illustrates an example of a network architecture 200 that securely processes client-side credentials when a client computer system requests access to a resource at a server. Client computer system 201 and server computer system 211 can be connected to a common network, such as a local area network (LAN), a wide area network (WAN) or even the Internet. Client computer system 201 includes browser 202, which can be used to request access to Web-based resources and to present received resources at client computer system 201. Cookies 203 (data stored on the client system) can include one or more cookies, each of which retains a portion of the data previously received from a server computer system. Data in a cookie can be sent back to the appropriate server computer system to indicate personalized information or preferences to the server computer system and/or to relieve the user from having to re-enter some of the retained information manually.

Server computer system 211 includes e-mail server 212, which provides access to e-mail resources such as, for example, e-mail messages, address book information and calendar information. Before access to e-mail resources is granted, a user may be required to present credentials to e-mail server 212 so that the user can be authenticated at e-mail server 212. E-mail server 212 can compare the presented credentials with the authorized credentials in credentials database 213 to determine whether an access request for e-mail resources should be satisfied. If the user is authorized, e-mail server 212 can return the requested e-mail resources to the requesting client computer system. If the user is not authorized, e-mail server 212 can return an unauthorized message (for example, an HTTP status code 401 Unauthorized message) to the requesting client computer system.

Server computer system 211 also includes key generation module 214. Key generation module 214 can generate new keys and rotate them into rotating keys 220, and can rotate expired keys out of rotating keys 220. Key generation module 214 can be configured to maintain one or more rotating key stores. For example, in network architecture 200 key generation module 214 maintains untrusted rotating key store 221 and private rotating key store 231.

The specific time interval at which keys are rotated is configurable. That is, key generation module 214 can be configured to rotate a newly generated key into, and an expired key out of, a rotating key store at specified time intervals. For example, key generation module 214 can rotate a new key into, and an expired key out of, private rotating key store 231 every 10 minutes. The number of keys maintained in a rotating key store is also configurable. That is, key generation module 214 can also be configured to maintain a specified number of keys in a rotating key store. For example, key generation module 214 can be configured to maintain three keys in untrusted rotating key store 221.

The number of keys maintained and the rotation interval can differ between rotating key stores. For example, key generation module 214 can maintain three keys with a rotation interval of 5 minutes in untrusted rotating key store 221, and four keys with a rotation interval of 1 hour in private rotating key store 231. Depending on the properties associated with a client computer system, different rotating key stores can be used to implement the principles of the present invention. The arrows shown beneath the keys in the rotating key stores indicate that, when a new key is added, the existing keys move down one position until an expired key is removed from the rotating key store. For example, when a new key is added to private rotating key store 231, key 232 moves into the position of key 233.
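The rotating key store described above, in code. This is an added example and not code from the patent: it models the behaviour the text describes (a new key enters at position 0, existing keys shift down, the oldest key is dropped once the configured count is exceeded) with a configurable key count and rotation interval. The 20-byte random keys, the injected clock and the rotate_now method are assumptions made for the example.

```python
"""Rotating key store, as described for key generation module 214.

Added example, not code from the patent. On every rotation a new key is inserted
at position 0, the existing keys move down one position, and once more than
key_count keys are present the oldest (expired) key is dropped. The clock is
injected so that rotation can be driven deterministically; the 20-byte random
keys and the monotonic clock are assumptions made for the example.
"""
import secrets
import time
from typing import Callable, List


class RotatingKeyStore:
    """Holds up to key_count keys, most current first, rotating every interval_s seconds."""

    def __init__(self, key_count: int, interval_s: float, key_len: int = 20,
                 now: Callable[[], float] = time.monotonic) -> None:
        if key_count < 1 or interval_s <= 0:
            raise ValueError("key_count must be >= 1 and interval_s > 0")
        self.key_count = key_count
        self.interval_s = interval_s
        self.key_len = key_len
        self._now = now
        self._keys: List[bytes] = [secrets.token_bytes(key_len)]  # index 0 is the most current key
        self._last_rotation = self._now()

    def _push_new_key(self) -> None:
        # New key at the front, everything else shifts down; drop what falls off the end.
        self._keys.insert(0, secrets.token_bytes(self.key_len))
        del self._keys[self.key_count:]

    def _catch_up(self) -> None:
        # Perform every rotation that has become due since the last one. After
        # key_count rotations every key is fresh, so more than that is pointless.
        due = int((self._now() - self._last_rotation) // self.interval_s)
        if due <= 0:
            return
        for _ in range(min(due, self.key_count)):
            self._push_new_key()
        self._last_rotation += due * self.interval_s

    def rotate_now(self) -> None:
        """Force an immediate rotation (e.g. on suspected key compromise)."""
        self._push_new_key()
        self._last_rotation = self._now()

    def keys(self) -> List[bytes]:
        """All keys that are still valid, most current first."""
        self._catch_up()
        return list(self._keys)

    def current_key(self) -> bytes:
        """The key used to sign and encrypt newly issued credentials."""
        return self.keys()[0]

    def position(self, key: bytes) -> int:
        """Position of key in the store (0 = most current), or -1 once it has expired."""
        try:
            return self.keys().index(key)
        except ValueError:
            return -1


if __name__ == "__main__":
    # Two stores with different policies, as in the text: the untrusted store
    # rotates quickly and keeps few keys, the private store is more lenient.
    clock = [0.0]  # constructed fake clock, in seconds
    untrusted = RotatingKeyStore(key_count=3, interval_s=5 * 60, now=lambda: clock[0])
    private = RotatingKeyStore(key_count=4, interval_s=60 * 60, now=lambda: clock[0])
    k = untrusted.current_key()
    for minutes in (0, 5, 10, 15):
        clock[0] = minutes * 60.0
        print(f"t={minutes:2d} min: untrusted key position {untrusted.position(k)}, "
              f"private keys held {len(private.keys())}")
```

With three keys and a 5-minute interval, a key issued at t=0 is the current key until t=5, then sits at positions 1 and 2, and is gone at t=15: anything signed under it is then no longer verifiable, which is exactly the bound on credential lifetime the store is meant to enforce.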

Server computer system 211 also includes registration page 217. Registration page 217 can be a Web page (e.g. an Active Server Pages (ASP) page) that provides an interface for submitting user credentials and for selecting communication properties associated with a client computer system. In response to a client computer system accessing a uniform resource locator (URL) corresponding to registration page 217, server computer system 211 can send registration page 217 to the client computer system. A browser at the client computer system can render registration page 217 at the client computer system. User credentials and communication property selections submitted through registration page 217 can be sent to server computer system 211.

Server computer system 211 also includes communication filter 243. Communication filter 243 can intercept HTTP communications such as, for example, requests, responses and messages transferred to and from server computer system 211. Communication filter 243 can access client state information contained in an encrypted cookie (a cookie stored on the client system) to determine whether HTTP communications between server computer system 211 and a client computer system should be altered (e.g. by modifying HTTP headers). Communication filter 243 can also implement cryptographic algorithms (using keys from a rotating key store) to decrypt and validate user credentials.

Server computer system 211 also includes registration element validator 216. Registration element validator 216 can receive user credentials submitted through registration page 217 and implement cryptographic algorithms (using keys from a rotating key store) to digitally sign and encrypt the submitted user credentials. Registration element validator 216 can also generate unique session identifiers (e.g. globally unique identifiers (GUIDs)) for client computer systems that request access to Web-based resources at server computer system 211. Registration element validator 216 can send a unique session identifier together with encrypted information, which includes the user credentials and a time-dependent digital signature, to the client computer system. For example, registration element validator 216 can send a unique session identifier and encrypted information to client computer system 201 for storage in cookies 203.

Fig. 3 illustrates an example flowchart of a method 300 for securely processing client-side credentials when a client requests access to a resource at a server in accordance with the present invention. Method 300 will be described with respect to the client computer system and server computer system depicted in Fig. 2A. Method 300 includes an act of sending a first request to the server (act 301). Act 301 can include the client computer system sending a first request to access a Web-based resource (e.g. e-mail) at the server.

For example, client computer system 201 can send request 251, which includes mail server URI 267, to server computer system 211. Mail server URI 267 can be a URI corresponding to e-mail server 212. That is, users wishing to access e-mail resources supported by e-mail server 212 can attempt to access those Web-based e-mail resources by accessing mail server URI 267. Accordingly, a user at client computer system 201 may enter commands into browser 202 that cause client computer system 201 to send request 251.

Method 300 includes an act of receiving a first request from a client system (act 306). Act 306 can include the server computer system receiving a first request to access a Web-based resource (e.g. e-mail) at the server. For example, server computer system 211 can receive request 251, which includes mail server URI 267, from client computer system 201. As illustrated by the dashed line passing through communication filter 243, communication filter 243 can be configured to pass request 251 through without altering request 251. Accordingly, request 251 can be forwarded to e-mail server 212 without modification.

Method 300 includes a functional, result-oriented step for securely processing client-side credentials (step 311). Step 311 can include any corresponding acts for securely processing client-side credentials. However, in the example illustrated in Fig. 3, step 311 includes a corresponding act of redirecting the client system to the registration page in response to the first request (act 307). Act 307 can include the server computer system redirecting the client computer system to the registration page in response to the first request.

In response to request 251, e-mail server 212 can send response 252, which includes unauthorized indicator 272. Response 252 can be an HTTP status code 401 Unauthorized message, returned because request 251 did not include user credentials. Communication filter 243 can be configured to intercept messages that include unauthorized indicators. Accordingly, communication filter 243 can intercept response 252.

Communication filter 243 can alter the contents of response 252 (for example, by modifying HTTP headers) so that client computer system 201 is redirected to the registration page, which provides an interface for entering user credentials. For example, communication filter 243 can remove unauthorized indicator 272 from response 252 and insert registration page URI 263 and redirect indicator 271 into response 252, thereby producing the altered response. The altered response can be an HTTP status code 302 Found message. Registration page URI 263 can be a URI used to access registration page 217. Accordingly, the altered response can indicate to client computer system 201 that the requested resource (e.g. e-mail) is instead available at registration page URI 263.
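The interception just described, as an added example that is not the patent's code: a WSGI middleware standing in for communication filter 243 passes requests to the protected application untouched (as request 251 reaches e-mail server 212 unmodified) and rewrites a 401 response coming back into a 302 Found whose Location header points at the registration page. The registration page URI /login.asp, the WSGI framing, the cookie check in the sample mail application and the run_request driver are assumptions made for this example; validation of the cookie itself is outside its scope.

```python
"""Communication filter 243 as a WSGI middleware. Added example, not the
patent's code; /login.asp, WSGI and the sample application are assumptions."""
from typing import Callable, Iterable, List, Tuple
from wsgiref.util import setup_testing_defaults

Headers = List[Tuple[str, str]]
LOGIN_URI = "/login.asp"  # assumed URI of the registration page (URI 263)


def rewrite_unauthorized(status: str, headers: Headers,
                         login_uri: str = LOGIN_URI) -> Tuple[str, Headers, bool]:
    """Turn a 401 into a 302 to the registration page; leave anything else alone.

    WWW-Authenticate is dropped so the browser renders the login page instead of
    a credential dialog; Content-Length is dropped because the body is replaced.
    Returns (status, headers, rewritten)."""
    if not status.startswith("401"):
        return status, headers, False
    kept = [(k, v) for k, v in headers
            if k.lower() not in ("www-authenticate", "content-length", "location")]
    kept.append(("Location", login_uri))
    return "302 Found", kept, True


class CommunicationFilter:
    """WSGI middleware wrapping the protected application (e.g. the mail server).

    Assumes the wrapped application calls start_response before returning its
    body, as ordinary WSGI applications do."""

    def __init__(self, app: Callable, login_uri: str = LOGIN_URI) -> None:
        self.app = app
        self.login_uri = login_uri

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        rewritten = False

        def filtered_start_response(status, headers, exc_info=None):
            nonlocal rewritten
            status, headers, rewritten = rewrite_unauthorized(status, headers, self.login_uri)
            return start_response(status, headers, exc_info)

        body = self.app(environ, filtered_start_response)  # request passes through unchanged
        if rewritten:
            if hasattr(body, "close"):
                body.close()
            return [b""]  # a redirect needs no body; the 401 body is discarded
        return body


def mail_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for e-mail server 212: demands a credential cookie."""
    if "creds=" in environ.get("HTTP_COOKIE", ""):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"inbox contents"]
    start_response("401 Unauthorized",
                   [("WWW-Authenticate", 'Basic realm="mail"'), ("Content-Type", "text/plain")])
    return [b"not authorized"]


def run_request(app: Callable, path: str, cookie: str = "") -> Tuple[str, dict, bytes]:
    """Drive a WSGI app through one GET request; returns (status, headers, body)."""
    environ = {"PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    filtered = CommunicationFilter(mail_app)
    print(run_request(filtered, "/exchange/inbox"))                    # 302 -> /login.asp
    print(run_request(filtered, "/exchange/inbox", cookie="creds=x"))  # 200, inbox contents
```

Only the 401 is touched; a 200 from the application, including its headers and body, is returned exactly as produced, so the filter cannot accidentally expose or alter authorized content.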

Method 300 includes an act of being redirected to the registration page (act 302). Act 302 can include the client computer system being redirected to the registration page, which provides an interface for receiving user credentials. For example, client computer system 201 can be redirected to registration page 217. In response to receiving the altered response, client computer system 201 can send request 257, which includes registration page URI 263, to server computer system 211. In response to request 257, server computer system 211 can send response 258, which includes registration page 217, to client computer system 201. The registration page can be a Web page, such as an Active Server Pages (ASP) page.

Browser 202 can render registration page 217 at client computer system 201. Turning from Fig. 3 to Fig. 6, Fig. 6 illustrates an example registration page that can receive credentials and communication property selections in accordance with the principles of the present invention. Registration page 217 can be similar to registration page 600. Registration page 600 includes field 606, which can receive a user identifier, and field 607, which can receive the corresponding password.

Radio button 601 can be used to receive a communication property selection indicating that the client-side browser is a "high-level client". Radio button 602 can be used to receive a communication property selection indicating that the client-side browser is a "low-level client". A high-level client may include functionality for performing more sophisticated processing, such as executing scripts or presenting multimedia output. A low-level client, on the other hand, may lack functionality for performing such sophisticated processing. Accordingly, the richness of the content returned from the server can be adjusted appropriately depending on the capabilities of the client-side browser. When a high-level client connects to the server over a reduced-bandwidth and/or high-latency connection (for example, a dial-up telephone connection), selecting the low-level client option can reduce the amount of content returned from the server.

Radio button 603 can be used to receive a communication property selection indicating that the client computer system is an "untrusted client computer system". Radio button 604 can be used to receive a communication property selection indicating that the client computer system is a "private client computer system". A private client computer system can be a home or corporate client computer system that has limited (or no) public access. An untrusted client computer system can be a client computer system that has greater public access, such as an Internet kiosk in a hotel or airport. Accordingly, the security associated with the content returned from the server can be configured appropriately depending on the trust placed in the client computer system. Button 608 can be selected to submit the entered user credentials and the selected communication properties to the server computer system.

Turning from Fig. 6 to Fig. 5, Fig. 5 illustrates an example flowchart of a method 500 for determining communication properties associated with a client in accordance with the principles of the present invention. Method 500 will be described with respect to the client computer system and server computer system depicted in network architecture 200. Method 500 includes an act of sending a registration page to the client (act 501). Act 501 can include the server computer system sending a registration page that includes an interface for selecting one or more communication properties that can alter how HTTP messages are processed. For example, server computer system 211 can send registration page 600 (or a similar registration page) to client computer system 201.

Method 500 includes an act of receiving a registration page from the server (act 505). Act 505 can include the client computer system receiving a registration page that includes an interface for selecting one or more communication properties that can alter how the server processes HTTP messages. For example, client computer system 201 can receive registration page 600 (or a similar registration page). Method 500 includes an act of rendering the registration page at the client system (act 506). Act 506 can include a browser at the client computer system rendering the registration page at the client computer system. For example, browser 202 can render registration page 600 (or a similar registration page) at client computer system 201.

Method 500 includes an act of receiving a selection of at least one of the one or more communication properties (act 507). Act 507 can include the client computer system receiving a selection of at least one of the one or more communication properties from the registration page. For example, a user at client computer system 201 can manipulate an input device (e.g. a keyboard and/or mouse) to enter communication property selections at registration page 600. Registration page 600 can receive the user-entered selections. For example, registration page 600 can receive a user selection of either radio button 601 or radio button 602, and a user selection of either radio button 603 or radio button 604 (possibly together with user-entered credentials in fields 606 and 607).

Method 500 includes an act of sending communication property selections to a communication filter at the server (act 508). Act 508 can include the client computer system sending communication property selections to the communication filter at the server computer system. For example, client computer system 201 can send communication property selections (for example, together with user-entered credentials) to server computer system 211. Method 500 includes an act of receiving at least one communication property selection from the client system (act 502). Act 502 can include the server computer system receiving at least one of the one or more communication property selections selectable from the registration page. For example, communication filter 243 can receive one or more communication property selections (for example, selected from registration page 600) from client computer system 201.

Method 500 includes an act of querying the client system to determine whether the at least one received communication property selection is supported, and to identify other relevant communication properties supported by the client system (act 503). Act 503 can include the server computer system querying the client computer system to determine whether the received communication property selections are supported and to identify other relevant communication properties supported by the client system. For example, the server computer system can determine capabilities of the client computer system from the HTTP User-Agent header together with a priori knowledge about the client computer system. Additional capabilities of the client computer system can be determined through the registration page and through scripts (for example, JavaScript) executed within the registration page at the client computer system.

Alternatively, querying the client computer system can include sending requests to the client computer system that cause the client computer system to provide configuration information to the server computer system. For example, server computer system 211 can send requests to client computer system 201 requesting configuration information for browser 202. In response, browser 202 can indicate configuration information such as its version number and whether browser 202 supports HTTP compression, such as gzip compression. Based on the version number, server computer system 211 can determine whether the "high-level client" option selected at registration page 600 is appropriate. For example, server computer system 211 may be able to determine that the version of browser 202 does not support scripts. Thus, even if "high-level client" was selected, server computer system 211 can deliver simplified content to client computer system 201.

Simplifying content can include reducing the amount of content delivered to a client computer system. For example, in response to a request for help information from a low-level client system, the server computer system can return abbreviated (more concise) help information. On the other hand, in response to a request for help information from a high-level client system, the server computer system can return more extensive help information, for example including scripts, search and other advanced features. The server computer system can also alter delivered content based on the trust placed in the client computer system. For example, the server computer system can deliver help information describing how to access sensitive (confidential) information to a private client computer system, but withhold the same information from an untrusted client computer system.

Server computer system 211 can test browser 202 to verify that claimed capabilities are properly supported. For example, if browser 202 indicates support for gzip compression, server computer system 211 can send gzip-compressed content to client computer system 201 to determine whether browser 202 handles gzip-compressed content correctly. Client computer system 201 can set an appropriate request header indicating support for gzip compression. Client computer system 201 can include the corresponding request header in a client request that is sent to and received by server computer system 211. In response, server computer system 211 can query client computer system 201 to determine whether client computer system 201 caches gzip-compressed content, and whether it handles gzip-compressed content in a way that would adversely affect the security and integrity of the Web-based application.

Method 500 includes an act of configuring a communication filter in accordance with the selected and identified communication properties (act 504). Act 504 can include the server computer system configuring the communication filter to process HTTP communications from the client system in accordance with the selected communication properties and the other relevant identified properties supported by the client system. For example, server computer system 211 can configure communication filter 243 to process HTTP communications from client computer system 201 in accordance with the communication property selections (for example, "high-level client" and "untrusted client computer system") and the other relevant identified communication properties (e.g. the HTTP communication capabilities of browser 202).

When an HTTP message is to be sent from server computer system 211 to client computer system 201, communication filter 243 can alter the HTTP message headers and the HTTP message content so that the content conforms to the communication properties of client computer system 201. For example, if e-mail server 212 sends a message with uncompressed e-mail information to client computer system 201, communication filter 243 can intercept the message, gzip-compress the content and alter the message header to indicate that the e-mail information is gzip-compressed. Alternatively, other modules at the server computer system, such as Internet Information Services (IIS) server modules, can implement gzip compression. Accordingly, content can be presented at the client computer system in a manner that makes the best use of the client computer system's capabilities in accordance with the user's wishes.

When server computer system 211 receives a communication property selection indicating that the client-side browser corresponds to a "private client computer system", a private rotating key store, such as private rotating key store 231, can be used to protect the user credentials. On the other hand, when server computer system 211 receives a selection indicating that the client-side browser corresponds to an "untrusted client computer system", untrusted rotating key store 221 can be used to protect the user credentials.

Returning to Fig. 3, method 300 includes an act of using the registration page to submit credentials to the server (act 303). Act 303 can include the client computer system using a registration page to submit credentials to the server computer system. For example, client computer system 201 can use registration page 217 to submit credentials (possibly together with communication property selections) to server computer system 211. User credentials and communication property selections can be included as registration elements in a POST message that is sent to the registration element validator. For example, client computer system 201 can send POST message 254, which includes registration elements 273, to server computer system 211.

Method 300 includes an act of receiving user credentials submitted through the registration page (act 308). Act 308 can include the server computer system receiving user credentials submitted through the registration page. For example, server computer system 211 can receive user credentials (possibly together with communication property selections) from client computer system 201. The credentials and communication property selections can be received as registration elements in a POST message. For example, server computer system 211 can receive POST message 254, which includes registration elements 273, from client computer system 201. As illustrated by the dashed line passing through communication filter 243, communication filter 243 can be configured to pass POST message 254 through without altering POST message 254. Accordingly, POST message 254 can be forwarded to registration element validator 216 without modification. If required, a mutually authenticated connection, for example using Transport Layer Security (TLS) or Secure Sockets Layer (SSL), can be established between the client computer system and the server computer system to reduce the likelihood of packet sniffing by hostile processes or users, and to reduce the likelihood of attacks by unauthorized users.

Registration element validator 216 can also generate a unique identifier, such as a globally unique identifier (GUID), for client computer system 201. Registration element validator 216 can use digital signature and encryption algorithms to securely process the received user credentials (for example, those included in registration elements 273). For example, registration element validator 216 can generate a digital signature that is used for subsequent validation of the received user credentials. Registration element validator 216 can derive a signature key, which can be used to sign data, by hashing (e.g. with the SHA-1 or MD5 hash algorithm) a combination of the most current key in a rotating key store, the generated unique identifier and a first constant string. In some embodiments the digital signature is a hashed message authentication code (HMAC). Accordingly, the signature key can be derived in accordance with the formula

K_SIG = SHA-1(K_MOST_CURRENT_ROTATING, GUID, HMACKeyString)    (1)

In formula (1), K_MOST_CURRENT_ROTATING is the most current key in the applicable rotating key store. For example, if browser 202 corresponds to a "private client computer system" (e.g. as indicated by a communication property selection), K_MOST_CURRENT_ROTATING is the most current key in private rotating key store 231 (e.g. key 232). GUID is the unique identifier corresponding to client computer system 201. HMACKeyString is a constant text string. From K_SIG, a hashed message authentication code can be generated in accordance with the formula

Digital Signature = HMAC(K_SIG, (GUID, {username:password}, Flags))    (2)

In formula (2), HMAC is the hashed message authentication code algorithm, such as that described in Request for Comments (RFC) 2104. The portion (GUID, {username:password}, Flags) of formula (2) indicates that the GUID, the user credentials and flags representing the communication property selections are included as text input to the hashed message authentication code algorithm. If required, the user credentials can be converted to a text format (e.g. by base64-encoding the user credentials) for compatibility with the hashed message authentication code algorithm. Although the algorithm is described in terms of a hashed message authentication code, the algorithm used to generate the digital signature is not important, and essentially any digital signature, digest or authentication code algorithm can be used.

Registration element validator 216 can also derive an encryption key, which can be used to encrypt data, by hashing a combination of the most current key in the rotating key store, the unique identifier and a second constant string. Accordingly, the encryption key can be derived in accordance with the formula

K_{ENC} = \text{SHA-1}(K_{MOST\ CURRENT\ ROTATING},\ GUID,\ EncryptKeyString) \qquad (3)

In formula (3), K_{MOST CURRENT ROTATING} is the most current key in the memory of cyclically exchangeable keys that was used to generate the signature key. Thus, if key 232 was used to generate K_{SIG}, key 232 is also used to generate K_{ENC}. GUID is the unique identifier corresponding to the client computer system 201. EncryptKeyString is a constant text string that differs from HMACKeyString. Accordingly, the encrypted information can be generated in accordance with the formula

\text{Encrypted information} = K_{ENC}[\text{Digital signature},\ \{username{:}password\},\ Flags] \qquad (4)

In formula (4), Digital signature is the digital signature generated by formula (2), {username:password} represents the user credentials and Flags represents the selected communication properties.

Step 311 includes a corresponding act of sending encrypted information that represents at least part of the user credentials and a time-dependent signature (act 309). Act 309 may include the server computer system sending to the client computer system encrypted information that represents at least part of the user credentials and a time-dependent signature. For example, the credential validation module 216 can send message 255, which includes GUID 274 and encrypted credentials 275, to the client computer system 201. As shown by the dashed line through the communication filter 243, the communication filter 243 can be configured to pass message 255 without modifying it. Accordingly, message 255 can be sent to the client computer system 201 unchanged.

Method 300 includes an act of receiving encrypted information that represents at least part of the user credentials and a time-dependent signature (act 304). Act 304 may include the client computer system receiving from the server computer system encrypted information that represents at least part of the user credentials and a time-dependent signature. For example, the client computer system 201 may receive message 255, which includes GUID 274 and encrypted credentials 275, from the server computer system 211. Message 255 may be configured to cause the client computer system 201 to store GUID 274 and encrypted credentials 275 in cookies 203. For example, message 255 may be configured as follows:

Set-Cookie:sessionid={GUID};path=/

Set-Cookie:creddata={Encrypted Information};path=/

Method 300 includes an act of sending a second request that includes the encrypted information (act 305). Act 305 may include the client computer system sending a second request to access the Web-based resource (for example, the e-mail message requested in the first request). For example, the client computer system 201 may send request 256, which includes URI 267, GUID 274 and encrypted credentials 275, to the server computer system 211. Method 300 includes an act of receiving the second request that includes the encrypted information (act 310). Act 310 may include the server computer system receiving a second request to access the Web-based resource (for example, the e-mail message requested in the first request). For example, the server computer system 211 may receive request 256, which includes the mail server URI 267, GUID 274 and encrypted credentials 275, from the client computer system 201.

In some embodiments the client computer system already stores the corresponding cookies with the GUID and the encrypted information in the browser's memory. The stored GUID and encrypted information can be used to request access to a Web-based resource (for example, e-mail data) on the server. Fig. 2B illustrates an example network architecture that uses secure client-side credentials to access a resource on a server in accordance with the present invention. Fig. 4 illustrates an example flowchart of a method 400 for using secure client-side credentials to access a resource on a server in accordance with the present invention. Method 400 is described with respect to the client computer system and server computer system depicted in Fig. 2B.

Method 400 includes an act of sending a request that includes a session identifier and encrypted user credentials in order to access a Web-based resource on the server (act 401). Act 401 may include the client computer system sending a request to access a Web-based resource to the server computer system. For example, the client computer system 201 may send request 291, which includes the mail server URI 267, GUID 274 and encrypted credentials 275, to the server computer system 211. Mail server URI 267 is a URI that provides access to e-mail resources managed by the e-mail server 212. GUID 274 represents a unique session identifier that was previously sent from the server computer system 211 to the client computer system 201. Encrypted credentials 275 are encrypted user credentials and a time-dependent signature that were previously sent from the server computer system 211 to the client computer system 201. Encrypted credentials 275 can have been generated from a key in the corresponding memory of cyclically exchangeable keys.

Method 400 includes an act of receiving a request that includes the session identifier and the encrypted user credentials in order to access a Web-based resource on the server (act 404). Act 404 may include the server computer system receiving a request to access a Web-based resource on the server computer system. For example, the server computer system 211 may receive request 291, which includes the mail server URI 267, GUID 274 and encrypted credentials 275, from the client computer system 201.

Method 400 includes an act of attempting to verify the authenticity of the encrypted user credentials using the most current key in the memory of cyclically exchangeable keys (act 405). Act 405 may include the server computer system attempting to verify the authenticity of at least part of the user credentials using the most current key in the memory of cyclically exchangeable keys. For example, if it is indicated that the browser 202 is on a private client computer system, the server computer system may attempt to verify the authenticity of the encrypted credentials 275 using key 232. On the other hand, if it is indicated that the browser 202 is on an untrusted client computer system, the server computer system may attempt to verify the authenticity of the encrypted credentials 275 using key 222. The credential validation module 237 can derive a decryption key, usable for decrypting data, by hashing a combination of the most current key from the corresponding memory of cyclically exchangeable keys, the unique session identifier and the second constant sequence (the one used when deriving the encryption key). Accordingly, the decryption key can be obtained in accordance with the formula

K_{DCR} = \text{SHA-1}(K_{MOST\ CURRENT\ ROTATING},\ GUID,\ EncryptKeyString) \qquad (5)

In formula (5), K_{MOST CURRENT ROTATING} is the most current key in the corresponding memory of cyclically exchangeable keys (such as key 232 or key 222). GUID is the unique identifier corresponding to the client computer system 201. EncryptKeyString is the constant text string used when deriving K_{ENC}. Accordingly, the credential validation module 237 can decrypt the encrypted information to obtain the digital signature, the user credentials and the flags representing the selected communication properties, in accordance with the formula

\text{Digital signature},\ \{username{:}password\},\ Flags = K_{DCR}[\text{Encrypted information}] \qquad (6)

The credential validation module 237 can derive a validation key, usable for generating a verifying digital signature, by hashing a combination of the most current key in the memory of cyclically exchangeable keys, the unique identifier and the first constant sequence. In some embodiments the verifying digital signature is a hashed message authentication code. Accordingly, the validation key can be obtained in accordance with the formula

K_{VAL} = \text{SHA-1}(K_{MOST\ CURRENT\ ROTATING},\ GUID,\ HMACKeyString) \qquad (7)

In formula (7), K_{MOST CURRENT ROTATING} is the most current key in the corresponding memory of cyclically exchangeable keys. GUID is the unique identifier corresponding to the client computer system 201. HMACKeyString is the constant text string used when deriving the signature key. From K_{VAL} and the user credentials and flags obtained by formula (6), a hashed message authentication code can be generated in accordance with the formula

\text{Verifying digital signature} = HMAC(K_{VAL},\ (GUID,\ \{username{:}password\},\ Flags)) \qquad (8)

In formula (8), HMAC is the hashed message authentication code algorithm. The part (GUID, {username:password}, Flags) of formula (8) indicates that the GUID, the user credentials and the flags representing the selected communication properties are included as text input to the hashed message authentication code algorithm. Although the algorithm is described in terms of a hashed message authentication code, the algorithm used to generate the verifying digital signature is not essential, and essentially any digital signature, digest or authentication code algorithm can be used.

If the verifying digital signature equals the digital signature, the user credentials presented in the encrypted credentials 275 are validated. Accordingly, the communication filter 243 forms an authorization header (for example, an HTTP authorization header) that includes the validated user credentials. The communication filter 243 can insert the authorization header into the request to access the Web-based resource. For example, the communication filter 243 can remove the encrypted credentials 275 from request 291 and insert credentials 289 into request 291 to obtain request A.

If the verifying digital signature does not equal the digital signature, the user credentials are not validated. Accordingly, the credential validation module 237 repeats the operations defined by formulas (5)-(8) using the previous key in the memory of cyclically exchangeable keys. For example, for a browser on a private client computer system, the credential validation module 237 can use key 233. On the other hand, for a browser on an untrusted client computer system, the credential validation module 237 can use key 223. The credential validation module may attempt to verify the authenticity of the user credentials with each key in the corresponding memory of cyclically exchangeable keys. Validated user credentials can be included in the authorization header.

In some embodiments, an index indicating the cyclically exchangeable key that should be used when attempting to verify the authenticity of the encrypted credentials (for example, the cyclically exchangeable key that was previously used to encrypt the credentials) is included together with the encrypted credentials. For example, the client computer system 201 may include in request 291 an index that identifies a cyclically exchangeable key in the untrusted memory 221 of cyclically exchangeable keys or in the private memory 231 of cyclically exchangeable keys. The index can have a numeric value (for example, 0, 1, 2, and so on) that identifies the generation cycle of the cyclically exchangeable key that should be used. For example, if the client computer system 201 is a private client computer system, index 0 can identify key 232. Similarly, if the client computer system 201 is an untrusted client computer system, index 2 can identify key 224. Accordingly, using an index can improve the efficiency of the validation process. If the credentials are not validated by the cyclically exchangeable key identified by the index, a different key in the corresponding memory of cyclically exchangeable keys may be used when attempting to verify the validity of the credentials.

Method 400 includes an act of sending the request to a module that controls access to the requested Web-based resource (act 406). Act 406 may include the server computer system sending the request to the module that controls access to the Web-based resource. For example, the communication filter 243 can send request A, which includes the mail server URI 267 and credentials 289 (as recovered from the encrypted credentials 275), to the e-mail server 212. The e-mail server 212 can be a module that controls access to Web-based e-mail resources. The e-mail server 212 can compare credentials 289 with the credential database 213 to determine whether access to the requested Web-based e-mail resource is authorized.

Method 400 includes an act of determining whether updated user credentials should be derived from the most current key in the memory of cyclically exchangeable keys (act 407). Act 407 may include the server computer system determining whether updated encrypted information representing the user credentials and a time-dependent signature should be derived from the most current key in the memory of cyclically exchangeable keys. If the user credentials were validated using a key from the memory of cyclically exchangeable keys other than the most current key, the server determines that updated information should be derived. For example, if the credential validation module 237 validates the encrypted credentials using key 224, the communication filter 243 can determine that updated encrypted credentials should be obtained for the user credentials presented in the encrypted credentials.

Accordingly, as represented by the second dashed line, the communication filter 243 can optionally send a cookie update request 294 to the credential validation module 216. The credential validation module 216 can use the most current cyclically exchangeable key in the corresponding memory of cyclically exchangeable keys to obtain updated encrypted information (for example, by deriving an updated digital signature and an updated encryption key from the most current key). The credential validation module 216 can return an updated GUID and updated encrypted credentials to the communication filter 243. For example, as shown by the dotted arrow, the credential validation module 216 returns message 295, which includes updated GUID 296 and updated encrypted credentials 297, to the communication filter 243.
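The issuing steps (formulas (1)-(4)) and the verification, key fallback and refresh steps (formulas (5)-(8), acts 405-407) as one added Python example; this is not code from the patent. The constant strings, SHA-256 in place of the SHA-1 named in the formulas, the HMAC-based counter-mode stand-in for the cipher the patent leaves unnamed, and the JSON text encoding of the credentials are all assumptions made here.

```python
import base64
import hashlib
import hmac
import json
import os

# Constant sequences of formulas (1)/(7) and (3)/(5); the literal strings are assumptions.
HMAC_KEY_STRING = b"HMACKeyString"
ENCRYPT_KEY_STRING = b"EncryptKeyString"
NONCE_LEN = 16
# Assumption: SHA-256 instead of the SHA-1 named in the formulas; the derivation structure is unchanged.
DERIVE_HASH = hashlib.sha256


class RotatingKeyStore:
    """Memory of cyclically exchangeable keys (claim 12): index 0 is the most current key."""

    def __init__(self, size=3):
        self.size = size
        self.keys = [os.urandom(32)]

    def rotate(self):
        """Key generation module: the new key becomes index 0 and the oldest key drops out."""
        self.keys.insert(0, os.urandom(32))
        del self.keys[self.size:]

    def current(self):
        return self.keys[0]


def derive_key(rotating_key, guid, constant):
    """Formulas (1), (3), (5), (7): hash(rotating key, GUID, constant sequence)."""
    return DERIVE_HASH(rotating_key + guid.encode() + constant).digest()


def digital_signature(k_sig, guid, creds, flags):
    """Formulas (2)/(8): HMAC over the GUID, credentials and flags rendered as text."""
    message = json.dumps([guid, creds, flags], sort_keys=True).encode()
    return hmac.new(k_sig, message, hashlib.sha256).digest()


def keystream_xor(k_enc, nonce, data):
    """Stand-in cipher for formulas (4)/(6): HMAC-SHA256 keystream in counter mode.
    The patent names no cipher; this keeps the example standard-library only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(k_enc, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def issue_credentials(store, creds, flags, guid=None):
    """Credential validation module 216: returns (GUID, key index, encrypted information).
    The signature under K_SIG is encrypted together with the credentials and flags under K_ENC."""
    guid = guid or os.urandom(16).hex()
    key = store.current()
    k_sig = derive_key(key, guid, HMAC_KEY_STRING)
    k_enc = derive_key(key, guid, ENCRYPT_KEY_STRING)
    sig = digital_signature(k_sig, guid, creds, flags)
    plaintext = json.dumps([base64.b64encode(sig).decode(), creds, flags], sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    blob = base64.b64encode(nonce + keystream_xor(k_enc, nonce, plaintext)).decode()
    return guid, 0, blob


def verify_credentials(store, guid, index, blob):
    """Credential validation module 237, acts 405/407: try the indexed key first, then every
    other key in the store. Returns (creds, flags, needs_refresh) or None if no key validates."""
    raw = base64.b64decode(blob)
    nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
    order = [index] + [i for i in range(len(store.keys)) if i != index]
    for i in order:
        if not 0 <= i < len(store.keys):
            continue
        key = store.keys[i]
        k_dcr = derive_key(key, guid, ENCRYPT_KEY_STRING)  # formula (5)
        try:
            sig_b64, creds, flags = json.loads(keystream_xor(k_dcr, nonce, ciphertext))  # formula (6)
            sig = base64.b64decode(sig_b64)
        except (ValueError, TypeError):
            continue  # a wrong key yields bytes that do not parse
        k_val = derive_key(key, guid, HMAC_KEY_STRING)  # formula (7)
        if hmac.compare_digest(sig, digital_signature(k_val, guid, creds, flags)):  # formula (8)
            return creds, flags, i != 0  # validated by an older key: re-issue under the current one
    return None


def handle_request(store, guid, index, blob):
    """Communication filter 243 logic: None means redirect to the registration page; otherwise
    (creds, flags, refreshed), where refreshed is a new (GUID, index, blob) or None."""
    result = verify_credentials(store, guid, index, blob)
    if result is None:
        return None
    creds, flags, needs_refresh = result
    refreshed = issue_credentials(store, creds, flags, guid) if needs_refresh else None
    return creds, flags, refreshed
```

The returned GUID and blob are what the page's Set-Cookie lines (sessionid and creddata) would carry; a refreshed tuple corresponds to updated GUID 296 and updated encrypted credentials 297.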

If credentials 289 are appropriate for accessing the Web-based e-mail resource of the e-mail server 212, the e-mail server 212 may return the e-mail resource in response to request A. For example, the e-mail server 212 may return response 292, which includes resource 293 (e.g., e-mail), to the communication filter 243. On the other hand, if credentials 289 are not appropriate for accessing the Web-based e-mail resource of the e-mail server 212, the e-mail server 212 may return an indication of lack of authorization in response to request A. For example, as shown by the dotted arrow, the e-mail server 212 can return response 294, which includes a "not authorized" indicator 272, to the communication filter 243. When the communication filter 243 receives a "not authorized" indicator, the communication filter 243 can redirect the client computer system to the registration page 217.

If the validated user credentials are appropriate, the communication filter 243 can send the requested resource to the client computer system 201. For example, if the encrypted credentials were validated using the most current key from the corresponding memory of cyclically exchangeable keys, response 292, which includes resource 293, is received by the communication filter 243. The communication filter 243 can send response 293 to the client computer system 201. Accordingly, resource 293 can be presented in the browser.

If the validated user credentials are appropriate, the communication filter 243 can also send updated encrypted credentials and an updated GUID together with the resource to the client computer system 201. For example, if the encrypted credentials 275 were validated using a key from the memory of cyclically exchangeable keys that is not the most current key, resource 293, updated GUID 296 and updated encrypted credentials 297 may be received by the communication filter 243. As shown by the dotted arrow, the communication filter 243 can then send response 276, which includes resource 293, updated GUID 296 and the updated encrypted credentials, to the client computer system 201.

Method 400 includes an act of receiving the resource together with an updated session identifier and updated encrypted user credentials at the client-side browser (act 402). Act 402 may include the client computer system receiving the requested resource together with the updated session identifier and updated encrypted information representing at least part of the user credentials and an updated time-dependent signature. For example, the client computer system 201 may receive from the server computer system 201 response 276, which includes resource 293, updated GUID 296 and updated encrypted user credentials 297. Method 400 includes an act of storing the updated session identifier and the updated encrypted credentials in the corresponding cookies (act 403). Act 403 may include the client computer system storing the updated session identifier and the updated encrypted information in the corresponding cookies on the client computer system. For example, updated GUID 296 and updated encrypted user credentials 297 can be stored in the corresponding cookies 203 by overwriting GUID 274 and encrypted credentials 275. Resource 293 can be presented in the browser 202.

The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is therefore indicated by the claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.

1. A method of maintaining, at a client computer system, user credentials used to access a Web-based resource on a server computer system, comprising steps in which: the client computer system sends a request to access the Web-based resource, the request including a unique session identifier and encrypted information representing at least part of the user credentials and a time-dependent digital signature, the time-dependent signature being derived from at least part of the user credentials and a time-dependent signature key, the encrypted information being encrypted using a time-dependent encryption key, and the time-dependent signature key and the time-dependent encryption key being derived from a key in a memory of cyclically exchangeable keys; the client computer system receives the requested resource together with an updated unique session identifier and updated encrypted information at the client browser side, the updated encrypted information representing at least part of the user credentials and an updated time-dependent signature, the updated time-dependent signature being derived from at least part of the user credentials and an updated time-dependent signature key, the updated encrypted information being encrypted using an updated time-dependent encryption key, and the updated time-dependent signature key and the updated time-dependent encryption key being derived from the most current key in the memory of cyclically exchangeable keys; and the client computer system stores the updated session identifier and the updated encrypted information in the corresponding cookies on the client computer system.

2. The method according to claim 1, characterized in that the client computer system sending a request to access the Web-based resource includes sending an HTTP protocol message requesting access to a Web-based e-mail resource of an e-mail server.

3. The method according to claim 1, characterized in that the client computer system receiving the requested resource together with the updated unique session identifier and the updated encrypted information at the client browser side includes receiving the updated session identifier and the updated encrypted information as a result of a key that is not the most current key in the memory of cyclically exchangeable keys having been used to generate the encrypted information.

4. The method according to claim 1, characterized in that the client computer system storing the updated unique session identifier and the updated encrypted information in the corresponding cookies on the client computer system includes overwriting the unique session identifier and the encrypted information in the browser's memory with the updated unique session identifier and the updated encrypted information.

5. A method of determining, at a server computer system, the authenticity of user credentials used to access a Web-based resource on the server computer system, comprising steps in which: the server computer system receives from a client computer system a request to access the Web-based resource on the server, the request including a unique session identifier, which is unique to a particular session between the server computer system and the client computer system, and encrypted information representing at least part of the user credentials and a time-dependent signature, the time-dependent signature being derived from at least part of the user credentials and a time-dependent signature key, the encrypted information being received from the client computer system and encrypted using at least one key derived from the memory of cyclically exchangeable keys of the server computer system and a time-dependent encryption key, the time-dependent signature key being derived from a key in the memory of cyclically exchangeable keys on the server, the time-dependent encryption key being derived from a key in the memory of cyclically exchangeable keys on the server and the unique session identifier, and a key generation module of the server generating the keys of the memory of cyclically exchangeable keys, which is transmitted to the client computer system; the server computer system attempts to verify the authenticity of at least part of the user credentials using the most current key in the memory of cyclically exchangeable keys and determines that at least part of the user credentials cannot be validated using the most current key in the memory of cyclically exchangeable keys; the server computer system attempts to verify the authenticity of at least part of the user credentials with other keys in the memory of cyclically exchangeable keys; the server computer system validates the user credentials using a key in the memory of cyclically exchangeable keys other than the most current key in the memory of cyclically exchangeable keys; the server computer system sends the request to a module that controls access to the requested Web-based resource; and in response to the server computer system validating the user credentials using a key other than the most current key in the memory of cyclically exchangeable keys, the server computer system determines that updated encrypted information representing at least part of the user credentials and a time-dependent signature should be obtained using the most current key in the memory of cyclically exchangeable keys.

6. The method according to claim 5, characterized in that the server computer system validating the user credentials using a key in the memory of keys other than the most current key in the memory of cyclically exchangeable keys further includes a step in which the server computer system determines, on the basis of a previously generated key in the memory of cyclically exchangeable keys, that at least part of the user credentials is authentic, the previously generated key having been stored in the memory of cyclically exchangeable keys before the most current key.

7. The method according to claim 5, characterized in that the step of the server computer system determining that updated encrypted information representing at least part of the user credentials and a time-dependent signature should be obtained using the most current key in the memory of cyclically exchangeable keys includes determining that the updated encrypted information representing at least part of the user credentials and a time-dependent signature must be obtained using the most current key in the memory of cyclically exchangeable keys.

8. The method according to claim 7, characterized in that the step of determining that the updated encrypted information representing at least part of the user credentials and a time-dependent signature must be obtained using the most current key in the memory of cyclically exchangeable keys includes determining that the server computer system validated at least part of the user credentials on the basis of a previously generated key in the memory of cyclically exchangeable keys, the previously generated key having been stored in the memory of cyclically exchangeable keys before the most current key.

9. The method according to claim 5, characterized in that it further includes a step in which the server computer system redirects the client computer system to a registration page that provides an interface for collecting user credentials.

10. The method according to claim 5, characterized in that the step of the server computer system determining that updated encrypted information representing at least part of the user credentials and a time-dependent signature must be obtained using the most current key in the memory of cyclically exchangeable keys includes obtaining updated encrypted information and an updated time-dependent signature using the most current key in the memory of cyclically exchangeable keys.

11. The method according to claim 10, characterized in that it further includes a step in which the server computer system sends the requested resource, the updated unique session identifier and the updated encrypted information to the client computer system.

12. The method according to claim 5, characterized in that the memory of cyclically exchangeable keys holds several keys at the same time, and when a new key is generated by the key generation module, the newly generated key is included in the memory of cyclically exchangeable keys and the oldest key is removed from the memory of cyclically exchangeable keys.



 

Same patents:

FIELD: information technology.

SUBSTANCE: publishing user is provided with the publication certificate from the DRM server, creates the content, ciphers it with the content key (CK), creates a rights mark for this content with open key of the DRM-server (PU-DRM), for generation (PU-DRM(CK)), restores (PU-ENTITY(PR-OLP)) from the publication certificate, applies secret key (PR-ENTITY) of the corresponding (PU-ENTITY) to the (PU-ENTITY(PR-OLP)) for obtaining (PR-OLP), sign the created rights mark using (PR-OLP), connects SRL and the publication certificate with encrypted content for creation a content package distributed to another user, that must connect with the DRM-server for obtaining a license with CK for playback of the content, creates the license data corresponding with the content package, with (CK), encrypted (PU-ENTITY) for generation of (PU-ENTITY(CK)), signs the license data using (PR-OLP) and attaches the publication certificate to the publication license.

EFFECT: possibility of the content publishing without initial receipt of permission from the server and license issuing for playback of the published content without permission from the server.

20 cl, 17 dwg

FIELD: technological processes.

SUBSTANCE: invention is related to the sphere of cryptographic devices and methods of checking electronic digital signature (EDS). In the method the secret key (SK) is formed, which includes three prime many-digit binary numbers ρ, q and γ. The open key (OK) is formed, which contains three many-digit binary numbers n, α and β, where n=Eρq+l, E - even number, α - number, which is related to index q by module n, and β - number, which is related to index γ by module q. Electronic document (ED) is accepted in the form of many-digit binary number H, electronic digital signature (EDS) Q is formed depending on values of SK, OK and many-digit binary number H, the first checking many-digit binary number A is formed depending on Q, intermediate many-digit binary number W is formed depending on OK and many-digit binary number H, the second checking many-digit binary number B is formed depending on W, and numbers A and B are compared. In case parameters of numbers A and B match, conclusion is drawn about authenticity of electronic digital signature.

EFFECT: reduces size of electronic digital signature without reduction of its resistance level.

8 cl

FIELD: technological processes.

SUBSTANCE: invention is related to the sphere of electrical communication, namely to the sphere of cryptographic devices and methods of electronic digital signature (EDS) check. In the method the secret key (SK) is formed, which includes three many-digit binary numbers (MDN) p, q and γ, where p, q are prime numbers and γ is composite number. The open key (OK) is formed in the form of two many-digit binary numbers n and α, where n = pq and α - number, which is related to index q by module n. Electronic document (ED) is accepted in the form of many-digit binary number H. Electronic digital signature (EDS) Q is formed depending on values of SK, OK and many-digit binary number H. The first checking many-digit binary number A is formed depending on Q. The intermediate many-digit binary number W is generated depending on OK and many-digit binary number H. The second checking many-digit binary number B is formed depending on W, and numbers A and B are compares. In case parameters of A and B numbers match, conclusion is drawn about authenticity of electronic digital signature.

EFFECT: reduces size of electronic digital signature without reduction of its resistance level.

10 cl, 6 ex

FIELD: digital rights control system.

SUBSTANCE: system contains first user device designed for query message setup and transfer, indicating transaction to be run in relation to digital content of at least one object of digital rights (OR), rights issuer aimed to receive query message from first user device, to identify transaction and to process this transaction and to provide access rights to digital content conjointly with server for second user device designed to receive information on stated access right concession. Receive of mentioned information by second user device on digital content access right concession is confirmation of execution of this right to second user device. Method describes operation of mentioned system.

EFFECT: ability of authorized user to transfer partially used or unused object of right to another user and return of OR.

49 cl, 15 dwg, 2 tbl

FIELD: portable electronic devices.

SUBSTANCE: portable electronic device includes memory to store a secret code in the form of pre-defined character sequence; rotating device with touch surface providing for user tactile impact and installed in such a manner as to provide for rotation around its axis; feedback tools separated from the rotating device to provide for feedback to user when turning the rotating device; conversion tool to convert each turn in sequence of turns of the rotating device to a character of corresponding ordered test character sequence, and verification tool to verify the test character sequence by comparing it with pre-defined character sequence.

EFFECT: user convenience during input of test character sequence along with provision of security and restriction of access to the device or to its individual functions.

33 cl, 7 dwg

FIELD: cryptography.

SUBSTANCE: in accordance to the method, cryptographic module is provided with two types of data, which may be received even from a communication partner who is not cryptographically reliable, and which either remain in cryptographic module, or are connected to the document. The information, which remains in cryptographic module, is used to protect the information in the document by generation of a check value, and information which is transferred to document, is used to confirm the fact that the document is protected by a cryptographic module, during the check of document authenticity in a control device.

EFFECT: the contact between the cryptographically trustworthy contact device and the document creator is established directly.

2 cl, 3 dwg

FIELD: infrastructure of public keys (PKI), namely, registration and activation of PKI functions in infrastructures of public keys in SIM-cards.

SUBSTANCE: according to the method, a reference code and the corresponding activation code are recorded in a table at a protection server integrated in the PKI or connected to it. The user enters the reference code or number into a registration form together with his personal data, after which the form is sent to the PKI and to the protection server. After the registration is confirmed by the PKI, the confirmation information is transmitted to the user together with a request to enter the activation code at the user terminal. At the same time, the activation code associated with the reference code in the table and the identification data of the user's smart card are transmitted to an activation module in the PKI. The activation code together with the smart card identification data is then transmitted from the terminal to the activation module, and on receipt the activation module determines whether the data coincide with the activation code and identification data provided in advance by the protection server; if they do, the module executes the command activating the PKI component of the smart card.

EFFECT: reduced processing time.

13 cl

FIELD: methods and system for processing visualized digital information.

SUBSTANCE: the system for protecting visualized digital data contains a set of computing devices, at least one of which is the main device and at least another of which is a remote computing device. Each of these devices contains one or more processing components configured for use in a data processing chain consisting of components that process protected information subject to visualization for the user. Individual processing components support one or more interfaces, such as an authentication interface and an intermediary authentication interface, where the intermediary authentication interface provides for reading and recording of authentication identifiers. An authentication identifier is used for each of one or more lists to check each component in each of these lists, in order to determine the authorized components, where an authorized component may receive non-encrypted data. The methods describe the operation of the system.

EFFECT: protection against unauthorized access to, or duplication of, unprotected information as soon as that information reaches a visualization device such as a user computer.

20 cl, 8 dwg

FIELD: online transactions.

SUBSTANCE: the method for conducting an online transaction includes providing a transaction manager. A single-use transaction request identification is generated, and the transaction manager associates the transaction request identification with the banking information of a registered user. The registered user is provided with the transaction request identification and requests the purchase of a product or service from a merchant, the purchase request including the transaction request identification provided to the merchant. The merchant dispatches a request to the transaction manager for payment by money transfer from the user to the merchant, the payment request including the transaction request identification and the cost; the transaction manager checks the trustworthiness of the transaction request identification; and, if the transaction request information is trustworthy, a request for electronic transfer of money is dispatched to a financial institution to transfer a sum of money from the user's account to another account. It is checked whether a sufficient sum of money is available in the user's bank account and, if so, the financial institution conducts the transfer according to the banking information; the transaction manager then receives confirmation of the transaction from the financial institution and dispatches a confirmation to the merchant.

EFFECT: increased efficiency.

5 cl, 16 dwg

FIELD: protocols for interaction of peer entities of network structure and, in particular, concerns protective infrastructures for protocols of interaction of peer entities.

SUBSTANCE: methods are provided that limit the ability of a malicious node to disrupt the normal operation of a peer-to-peer network. The claimed methods allow nodes to use both protected and unprotected identity data while ensuring that such data is self-verifying. When necessary or convenient, the ID association is checked by "enclosing" a trustworthiness checking procedure in the appropriate messages. The probability of connecting to a malicious node is initially reduced by random selection of the node with which a connection is established. In addition, information from malicious nodes is identified and may be discarded by recording information about previous connections, which will require a response in the future.

EFFECT: creation of a protection infrastructure for a system with a peer-to-peer network structure.

4 cl, 6 dwg

FIELD: physics; communication.

SUBSTANCE: the invention relates to a digital signal protocol and a process for transmitting or transferring signals between a host device and a client device at high data rates. The technical result is an increase in the channel capacity of the communication between the host and client devices. A mobile display digital interface (MDDI) is proposed for high-speed transmission of digital data between the host device and the client device over a communication channel, using packet structures linked together to form a connection protocol for transferring a previously specified collection of digital management and presentation data. The signal protocol is used by channel controllers intended for generating, transmitting and receiving the packets that form the communication protocol, which in turn forms the connection protocol, and for forming digital data into one or more types of data packets; at least one such controller is located on the host device and is connected to the client by means of the communication channel. The interface provides an economical, low-power, bidirectional, high-speed data transmission mechanism over a short-range serial communication line.

EFFECT: providing an economical, low-power, bidirectional, high-speed data transmission mechanism over a short-range serial communication line.

18 cl, 116 dwg

FIELD: information technology.

SUBSTANCE: the function is provided by a server farm with one or more farm elements, each of which can support one or more services; the performance, reliability and availability of the server function are enhanced compared to existing methods by sending the operational status information of at least one of the farm elements from the name server to the farm user.

EFFECT: enhanced reliability and functionality of the server.

17 cl, 4 dwg

FIELD: data transmission networks.

SUBSTANCE: a terminal device (TD) and a data source (DS) use a first network protocol (FNP), in which FNP addresses in a first format (FF) are associated with the TD and DS. In addition, a data transmission network (DTN) uses a second network protocol (SNP), according to which SNP addresses in a second format (SF) are associated with devices in the DTN. The TD belongs to an initial network and receives an initial FNP address in the initial network, represented in FF. The TD also receives a secondary SNP address, represented in SF. A data burst that includes the initial address in FF as the source address and the DS address in FF as the recipient address is adapted so that the adapted data burst contains the secondary address in SF as the source address, the address of the initial computer as the recipient address, and the DS address represented in SF as an additional address.

EFFECT: enables the use of different network protocols.

19 cl, 2 dwg

FIELD: data transfer.

SUBSTANCE: the data source control system is designed to provide centralised control of data collection sources and distribution of multimedia data acquired online from different sources via various two-way and one-way communication channels, including cellular multimedia messaging service (MMS) and the Internet. The server can thus control the availability of data collection sources with a minimum of installation and configuration. For this purpose, the server distributes a list of available data sources among users in such a way that users can query online the data collected by the sources and to be sent to the user. The server thereby contributes to optimal use of the frequency band.

EFFECT: the server can register multimedia data sources as data sources regardless of their method of connection to the Internet or to a network using Internet protocols.

18 cl, 6 dwg

FIELD: data protection.

SUBSTANCE: the invention relates to methods for protecting data traffic. A first terminal communicates with a first network by means of one or more first session keys. A second terminal communicates with a second network by means of one or more second session keys. The first terminal communicates with the second terminal via a local interface; one or more first session keys are defined in the first terminal and one or more second session keys are derived from the first session keys; the one or more second session keys are transmitted to the second terminal via the local interface using a protection protocol; and the second terminal is authenticated in the second network via an authentication protocol by means of the one or more second session keys and/or keys derived from them.

EFFECT: advanced protection of traffic.

14 cl, 1 dwg

FIELD: network.

SUBSTANCE: a method is proposed for user authentication and protection of data traffic between a mobile network and an IMS network. When a mobile user authenticates himself in the mobile network and in the IMS network, it is checked whether the identity of the authenticated mobile user in the IMS network corresponds to the identity of the user in the mobile network. If the identities correspond, the mobile user receives a confirmation message from the IMS network. Data exchange between the mobile user and the IMS network is then carried out through a protection protocol secured with a shared key, where the key for the protection protocol is derived from the confirmation message.

EFFECT: ensures that identical key material is provided to the mobile user and the IMS network.

9 cl, 4 dwg

FIELD: information technologies.

SUBSTANCE: the invention relates to communication systems. A system and method are proposed for exchanging system messages via the SIP protocol, introducing into the existing SIP structure new information content in the form of MIME and a new indicator descriptor for particular service information, and for receiving the user's reply. System messages can contain a list of possible choice options and require a reply from the user.

EFFECT: improved user serviceability.

12 cl, 5 dwg, 10 tbl

FIELD: information technologies.

SUBSTANCE: a data block processing entity has a decision-making part that sets the broadcast address FA based on the identification address in a received data block, with reference to decision-making data stored in a decision-making data memory. An administration side is provided that implements a network control function for access to the decision-making data in the decision-making data memory, for the purpose of changing the decision-making data, separately from any access granted to mobile nodes.

EFFECT: improved capabilities of a system that uses identification addresses and broadcast addresses.

16 cl, 8 dwg

FIELD: physics.

SUBSTANCE: a method of generating a password for use by an end user device to obtain access to a remote server, comprising the stages at which an access request is sent from the end user device to the remote server, and the access request details and the remote server identification code are sent to an authentication node in the end user device's home network. An HTTP Digest challenge is generated in the authentication node or the remote server using an algorithm capable of generating end user passwords. The challenge includes the remote server identification code details and the end user device identification code details. Based on the HTTP Digest AKA challenge, a password is generated and stored in the end user device; the password is bound to the remote server identification code and the end user device identification code.

EFFECT: increased communication security.

17 cl, 3 dwg

FIELD: information management systems.

SUBSTANCE: the method for controlling import of content into a domain comprising a number of devices consists in checking for the presence of a domain watermark in the content; if the domain watermark is found in the content, import of the content into the domain is refused, and if the domain watermark is not found, import of the content into the domain is allowed and the domain watermark is embedded into the content. Optionally, re-importing into the "original" domain may be allowed: the method then refuses import of the content into the domain if the domain watermark is found in the content, unless the identifier it carries matches the identifier of the domain. Other payloads in the domain watermark can be used, for example, to implement location- or time-based restrictions on import.

EFFECT: provides a method for distinguishing the import of legitimate unencrypted content from illegally copied unencrypted content.

14 cl, 3 dwg

FIELD: information technology.

SUBSTANCE: one or more confidential documents are placed in a container; the container is given an identification, and the identification data referring to this container is stored in an electronic data system; the identity of one or more containers is determined and compared with the electronic data system and, if the container identity corresponds to the identification data of the container in the electronic data system, the container is destroyed.

EFFECT: creation of an efficient device and method for destroying confidential documents.

26 cl
