Skip to main content

Full text of "USPTO Patents Application 10088784"

See other formats


WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification: 

H04L 9/00 


A1 


(11) International Publication Number: WO 00/11832 
(43) International Publication Date: 02 March 2000 (02.03.2000) 


(21) International Application Number: PCT/US98/17410 

(22) International Filing Date: 21 August 1 998 (21 .08.1 998) 

(60) Parent Application or Grant 

VISTO CORPORATION \f]; (). RIGOINS, Mark, D. [/]; 
()- SOCKOL,Marc,A.; (). 


Published 



(54) Title: SYSTEM AND METHOD FOR ENABLING SECURE ACCESS TO SERVICES IN A COMPUTER NETWORK 
(54) Titre: SYSTEME ET PROCEDE PERMETTANT L'ACCES SECURISE A DES SERVICES DANS UN RESEAU 
IN FORMATIQU E 



(57) Abstract 

A global server (106) includes a communications engine for establishing a communications link with a client (114a); security 
means coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means 
for providing to the client (114a), based on the client privileges, an applet which enables I/O with a secured service (110a); 
and a keysafe for storing a key which enables access to the secured service (110a). The global server may be coupled to multiple 
sites, wherein each site provides multiple services. Each site may be protected by a firewall (116). Accordingly, the global 
server stores the keys for enabling communication via the firewalls (116) with the services (1 10a). 

(57) Abrege 

Un serveur global (106) comprend un moteur de communications permettant d'etablir une liaison de communications avec un 
client (114a), des moyens de securisation accouples au moteur de communications, charges d'evaluer les privileges des clients, un 
moteur hote mini-serveur accouple aux moyens de securisation pour fournir au client (114a), sur la base des privileges accordes 
au client, une mini-application autorisant I/O avec un service securise, et une securite de cle pour la memorisation d'une cle 
autorisant I'acces au service securise. Le serveur global peut etre couple a des sites multiples, chaque site fournissant des 
services multiples. Chaque site peut etre protege par un coupe-feu (116). En consequence, le serveur global memorise les cles 
pour autoriser ia communication, via les coupe-feu (116), avec les services (1 10a). 



WORLD INTELLECTUAL PROPERTY ORGANIZATION 
Internal iona! Bureau 




PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification 6 : 
H04L 9/00 



Al 



(11) International Publication Number: WO 00/11832 

(43) International Publication Date: 2 March 2000 (02.03.00) 



(21) International Application Number: PCT/US98/ 17410 

(22) International Filing Date: 21 August 1998 (21.08.98) 



(71) Applicant: VISTO CORPORATION [US/US]; 1937 Landings 

Drive, Mountain View, CA 94043 (US). 

(72) Inventor: RIGGINS, Mark, D.; 5818 Moraga Avenue, San 

Jose, CA 95 123 (US). 

(74) Agents: SOCKOL, Marc, A. et al.; Graham & James LLP, 600 
Hansen Way, Palo Alto, CA 94304 (US). 



(81) Designated States: CA, CN, IL, JP, SG. Eurasian patent (AM, 
AZ, BY, KG. KZ. MD. RU, TJ, TM), European patent (AT, 
BE, CH, CY. DE, DK, ES, Fl, FR, GB, GR. IE, IT, LU, 
MC, NL, PT, SE). 



Published 

With international search report. 



(54) Title: SYSTEM AND METHOD FOR ENABLING SECURE ACCESS TO SERVICES IN A COMPUTER NETWORK 




A global server (106) includes a communications engine for establishing a communications link with a client ( 1 1 4n); security meons 
coupled to the communications engine for determining client privileges; a servlet host engine coupled to the security means for providing to 
the client (1 14a), based on the client privileges, an applet which enables I/O with a secured service (1 10a); and a keysafe for storing a key 
which enables access to the secured service (1 10a). The global server may be coupled to multiple sites, wherein each site provides multiple 
services. Each site may be protected by a firewall (116). Accordingly, the global server stores the keys for enabling communication via 
the firewalls (116) with the services (1 10a). 



FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT. 



AL 


Albania 


ES 


Spain 


LS 


Lesotho 


SI 


Slovenia 


AM 


Arrocnio 


Fl 


Finland 


LT 


Lithuania 


SK 


Slovakia 


AT 


Austria 


FR 


Prince 


LU 


Luxembourg 


SN 


Senegal 


AU 


Australia 


CA 


Gabon 


LV 


Latvia 


S7. 


Swaziland 


AZ 


Azerbaijan 


GB 


Untied Kingdom 


MC 


Monaco 


TD 


Chad 


DA 


Bosnia and Herzegovina 


GE 


Georgia 


MD 


Republic of Moldova 


TG 


Togo 


BB 


Barbados 


CH 


Ghana 


MG 


Madagascar 


TJ 


Tajikistan 


BE 


Belgium 


CN 


Guinea 


MK 


The former Yugoslav 


TM 


Turkmenistan 


BF 


Burkina Faso 


CR 


Greece 




Republic of Macedonia 


TR 


Turkey 


BC 


Bulgaria 


IIU 


Hungary 


ML 


Mali 


TT 


Trinidad and Tobago 


BJ 


Benin 


IE 


Ireland 


MN 


Mongolia 


UA 


Ukraine 


BR 


Brazil 


IL 


Israel 


MR 


Mauritania 


UG 


Uganda 


BY 


Belarus 


IS 


Iceland 


MW 


' Malawi 


US 


United States of America 


CA 




IT 


Iialy 


MX 


Mexico 


uz 


Uzbekistan 


CF 


Centra] African Republic 


JP 


Japan 


NK 


Niger 


VN 


Viet Nam 


CC 


Congo 


KE 


Kenya 


NL 


Netherlands 


YU 


Yugoslavia 


CH 


Switzerland 


KG 


Kyrgyzstan 


NO 


Norway 


ZW 


Zimbabwe 


CI 


Cote d'lvoirc 


KP 


Democratic People's 


NZ 


New Zealand 






CM 


Cameroon 




Republic of Korea 


l»L 


Poland 






CN 


China 


KR 


Republic of Korea 


PT 


Portugal 






CU 


Cuba 


KZ 


Kazakstan 


KO 


Romania 






cz 


Czech Republic 


LC 


Saint Lucia 


RU 


Russian Federation 






DE 


Germany 


LI 


Liechtenstein 


SD 


Sudan 






OK 


Denmark 


LK 


Sri Lanka 


SK 


Sweden 






EE 


Estonia 


LR 


Liberia 


SC 


Singapore 







Description 



5 



10 



15 



20 



25 



30 



35 



40 



45 



55 



WO 00/1 1832 



PCT7US98/17410 



5 SYSTEM AND METHOD FOR ENABLING SECURE ACCESS TO SERVICES IN A 

COMPUTER NETWORK 

10 BACKGROUND OF THE INVENTION 

5 1. Field of the Invention 

This invention relates generally to computer networks, and more particularly to a 
15 system and method for enabling secure access to services in a computer network.2. 

Description of the Background Art 

In its infancy, the Internet provided a research-oriented environment where users and 
2Q 10 hosts were interested in a free and open exchange of information, and where users and hosts 

mutually trusted one another. However, the Internet has grown dramatically, currently 
interconnecting about 100,000 computer networks and several million users. Because of its 
size and openness, the Internet has become a target of data theft, data alteration and other 

25 

mischief. 

15 Virtually everyone on the Internet is vulnerable. Before connecting, companies 

balance the rewards of an Internet connection against risks of a security breach. Current 

30 

security techniques help provide client and server authentication, data confidentiality, system 
integrity and system access control. 

The most popular of the current security techniques is a firewall, which includes an 

35 

20 intermediate system positioned between a trusted network and the Internet. The firewall 

represents an outer perimeter of security for preventing unauthorized communication between 
the trusted network and the Internet A firewall may include screening routers, proxy servers 

40 

and application-layer gateways. 

For users on the internet to gain access to protected services on the trusted network, 
25 they may be required to provide their identity to the firewall by some means such as entering 

45 

a password or by computing a response to a challenge using a hardware token. With proper 
authentication, the user is allowed to pass through the firewall into the local network, but is 
typically limited to a predetermined set of services such as e-mail, FTP, etc. 

50 

-1- 



55 



WO 00/11S32 



PCT/US98/I7410 



5 Some local network managers place just outside the firewall a server, often referred to 

as a "sacrificial lamb" for storing non-confidential data which is easily accessible by the 
remote user but providing little security. 

10 A De-Militarized Zone, or DMZ, sits between two firewalls protecting a trusted 

5 network. The external firewall protects servers in the DMZ from external threats while 
allowing HyperText Transfer Protocol (HTTP) requests. The internal firewall protects the 

15 trusted network in the event that one of the servers in the DMZ is compromised. Many 

companies use DMZs to maintain their web servers. 

Another security technique for protecting computer networks is the issuance and use 

2Q 10 of a public key certificates. Public key certificates are issued to a party by a certificate 

authority, which via some method validates the party's identity and issues a certificate stating 
the party's name and public key. As evidence of authenticity, the certificate authority 
digitally signs the party's certificate using the certificate authority's private key. 

25 

Thus, when a user via a client computer connects to a server, the client computer and 
15 server exchange public key certificates. Each party verifies the authenticity of the received 
certificates by using the certificate authority's public key to verify the signature of the 

30 

certificate. Then, by encrypting messages with the server's public key the user can send 
secure communications to the server, and by encrypting messages with the user's public key 
the server can send secure communications to the user. Although any party might present a 

35 

20 public key certificate, only the real user and the real host have the corresponding private key 
needed to decrypt the message. Examples of authentication and key distribution computer 
security systems include the Kerberos™ security system developed by the Massachusetts 

40 

Institute of Technology and the NetSP™ security system developed by the IBM Corporation. 
These security techniques do not solve problems associated with the roaming 
25 (traveling) user. For the roaming user, maintaining identification and authentication 

45 

information such as passwords, certificates, keys, etc. is a cumbersome process. Further, 
accessing multiple systems requires multiple keys, which often are too complex to track and 
use. Also, direct access to systems behind firewalls compromises security. Therefore, a 

50 

-2- 



55 



WO 00/1 1832 



PCT/US98/17410 



system and method are needed to enable remote access to computer services easily and 
securely. 

SUMMARY OF THE INVENTION 

The present invention provides a system and method for enabling secure access to 
services in a computer network. The network system includes a global server coupled via a 
computer network to computer services. The global server includes a communications engine 
for establishing a communications link with a client; security means coupled to the 
communications engine for determining client privileges; a servlet host engine coupled to the 
security means for providing to the client, based on the client privileges, an applet which 
enables I/O with a secured service; and a keysafe for storing keys which enable access to the 
secured services. The global server may be coupled to multiple sites, wherein each site 
provides multiple services. Each site may be protected by a firewall. Accordingly, the global 
server stores the keys for enabling communication via the firewalls with the services. 

The method includes the steps of establishing a communications link with a client; 
identifying and authenticating the client; determining client privileges; providing to the client, 
based on the client privileges, an applet which enables I/O with a secured service; and 
retrieving a key which enables access to the secured service. 

The system and method of the present invention advantageously provide a globally- 
accessible trusted third party, i.e., the global server. This trusted third party securely stores 
keys, and acts as a single identification and authentication service. Other systems may be 
accessed through the global server. The global server uses the stored keys to authenticate the 
user under an identity that is understood by the other system's existing security services, and 
establishes a secure communications channel to the desired service. Because of a global 
firewall, the global server is substantially protected from external threats. Accordingly, the 
global server provides authorized clients with secure communication through firewalls with 
services. The global server may enable multiple levels of identification and authentication 
services. Accordingly, the global server may enable multiple levels of resource access based 



WO 00/11832 



PCT7US98/17410 



on the user's status, the strengths of the identification and the authentication and on the 
privacy of the communications channel. 

Because of the global firewall and the identification and authentication services 
performed by the global server, corporations can store relatively secret information on the 
global server for use by authorized clients. Yet, the present invention also enables 
corporations to maintain only a portion of their secret information on the global server, so that 
there would be only this limited loss should the trusted third party system be compromised. 
Further, the global server advantageously may act as a client proxy for controlling access to 
services, logging use of keys and logging access of resources. 



WO 00/11832 



PCT/US98/17410 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram illustrating a roaming-user network access system, in 
accordance with the present invention; 

FIG. 2 is a block diagram illustrating details of an example client of FIG. 1; 

FIG. 3 is a block diagram illustrating details of the global server of FIG. 1 ; 

FIG. 4 is a block diagram illustrating details of an example service server of FIG. 1; 

FIG. 5 is a flowchart illustrating a method for remotely accessing a secure service; 

FIG. 6 is a flowchart illustrating details of the FIG. 5 step of creating a link between a 
client and the global server of; 

FIG. 7 illustrates an example web page; 

FIG. 8A is a flowchart illustrating details of the FIG. 5 step of accessing a service in a 
first embodiment; 

FIG. 8b is a flowchart illustrating details of the FIG. 5 step of accessing a service in a 
second embodiment; and 

FIG. 8C is a flowchart illustrating details of the FIG. 5 step of accessing a service in a 
third embodiment 



WO 00/U832 



PCT/US98/I7410 



DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
FIG. 1 is a block diagram illustrating an exemplary roaming-user network access 
system 100 in accordance with the present invention. System 100 includes an interconnected 
network of computers referred to herein as an "Internet" 102. System 100 further includes a 
first company network 1 1 2, a second company network 1 1 8, a kiosk network 1 38 and an 
Internet Service Provider (ISP) network 143, each network being coupled to the Internet 102. 

Company network 1 12 includes a firewall 116 coupled between the Internet 102 and a 
client computer 1 14a. Company network 118 includes a firewall 120 coupled between the 
Internet 102 and an internal network signal bus 126. Company network 118 further includes 
a first server 108a for providing a first service 1 10a, a second server 108b for providing a 
second service 1 1 0b, a first client computer 1 1 4b storing a program for providing a third 
service 1 10c and a second client computer 1 14c, each being coupled to signal bus 126. 
Example services 1 10a-l lOd include an e-mail service program, an address book service 
program, a calendar service program, a paging service program, and a company database 
service program. 

The kiosk network 138 includes a first client computer 1 14d and a second client 
computer 1 14e, each being coupled to the Internet 102. The ISP network 143 includes an ISP 
148 coupled via a wireless channel 146 to a first client computer 1 14f and coupled via 
modems 1 52 and 1 56 and via transmission line 1 54 to a second client computer 1 14g. 

The Internet 102 includes a global server 106 which is protected by a global firewall 
104 and includes a server 1 08c for providing a service 1 lOd. Intercommunication between 
client computers 1 14a- 1 14g and services 1 10a- 1 lOd is accomplished via the global server 
106. If, for example, a user of any one of the client computers 1 14a-l 14g wants to access a 
service 1 10a-l lOd (which is provided at a location within system 100 that is unknown to the 
user), then the user applies a known Uniform Resource Locator (URL) to access a web page 
operated by global server 106. An example web page 700 is shown in and described with 
reference to FIG. 7. The global firewall 104 protects the global server 106 from external 
threats. 



WO 00/11832 



PCT/US98/17410 



5 Before obtaining access privileges to the functionality provided by the global server 

106, the user must first obtain authorization from the global server 106. Obtaining 
authorization typically requires user identification and authentication, for example, using 
1 o public-key certificates. Once authenticated, the global server 1 06 provides the user with 

5 access to the services 1 1 0a- 1 1 Od. It will be appreciated that varying levels of access to 
services 1 10a-l lOd will be granted based on varying strengths of identification and 
15 authentication and on the privacy of the communications channel. 

To enable user access to and control of the services 1 10a-l lOd, the global server 1 06 
may use conventional applets, servlets or agents in a distributed network environment, such 
10 as the Java™ distributed environment produced by the Netscape Corporation. The global 

server 106 provides the user's client with access to and control of the service 1 10a- 1 lOd. The 
global server 1 06 may redirect the user's client to access the service 1 10a- 1 lOd itself, the 
global server 1 06 may access the service 1 10a-l lOd itself and provide I/O to the client by 
proxy, or the global server 106 may provide the service 1 10a- 1 lOd itself. These three 
15 different modes of access to the services 1 10a-l IOd are described with reference to FIGs. 8A- 
8C. 

The global server 106 maintains the network addresses of all the services 1 10a- 1 IOd, 
the user's public and private keys, the user's account numbers, firewall authentication 
information, etc. Firewall authentication information includes the necessary identification, 
20 passwords and certificates needed to pass firewalls 1 16 and 120. Accordingly, the user need 
only maintain the URL of the global server 106, and identification and authentication 
information such as a password or hardware token for obtaining access to the functionality of 
the global server 106. Thus, the roaming user can access computer services 1 10a-l lOd using 
any computer terminal which is connected to the Internet 1 02. 

25 

FIG. 2 is a block diagram illustrating details of a client computer 114, such that each 
of clients 1 14a-l 14d is an instance of the client 1 14. The client 1 14 includes a Central 
Processing Unit (CPU) 210 such as a Motorola Power PC® microprocessor or an Intel 



20 



25 



30 



35 



40 



45 



50 



-7- 



55 



10 



15 



20 



25 



30 



35 



40 



45 



50 



WO 00/1 1832 PCT/US98/1 7410 

Pentium* microprocessor. An input device 220 such as a keyboard and mouse, and an output 
device 230 such as a Cathode Ray Tube (CRT) display are coupled via a signal bus 240 to 
CPU 210. A communications interface 250, a data storage device 260 such as Read Only 
Memory (ROM) or a magnetic disk, and a Random-Access Memory (RAM) 270 are further 
5 coupled via signal bus 240 to CPU 210. The communications interface 250 of client 

computer 1 14 is coupled to the Internet 102 as shown in and described with reference to FIG. 
1. 

An operating system 280 includes a program for controlling processing by CPU 210, 
and is typically stored in data storage device 260 and loaded into RAM 270 for execution. 

10 Operating system 280 includes a communication engine 282 for generating and transferring 
message packets to and from the internet 106 via the communications interface 250. 

Operating system 280 further includes an internet engine such as a web browser 284, 
e.g., the Netscape™ web browser produced by the Netscape Corporation or the Internet 
Explorer™ web browser produced by the Microsoft Corporation. The web browser 284 

15 includes an encryption engine 285 for encrypting messages using public and private keys, and 
an applet engine 286 for executing applets 288 downloaded from the global server 106 to 
enable the access to computer services 1 10a- 1 lOd. Downloaded applets 288 may include 
security applets 290 for performing services such as user identification and authentication, 
message integrity services, and certificate verification. The browser 284 further receives web 

20 page data (39 1 , FIG. 3), configuration data 390 and information identifying a set of selectable 
services 1 1 0a-l 1 Od, and uses the information to display the web page (700, FIG. 7). The web 
browser 284 enables a user via the client 1 1 4a- 1 1 4g to select one of the services 1 10a- 1 lOd 
for execution. 

It will be appreciated that a client 1 14a-l 14g such as client 1 14b may include a 
25 service engine 490 (see FIG. 4) for providing a service 1 10a- 1 lOd such as service 1 10c. 
Thus, it is possible for a client 1 14b user to request access to service 1 10c via the global 
server 106, without knowing that the service 1 10c is provided by client 1 14b. Accordingly, 



55 



5 



WO 00/11832 PCT/US98/17410 

the global server 106 will provide client 1 14 with an applet 288 for providing user interface 
I/O of service 1 10c back to client 1 14b. 



FIG. 3 is a block diagram illustrating details of the global server 106, which includes a 

5 CPU 310 such as a Motorola Power PC* microprocessor or an Intel Pentium® 

microprocessor. An input device 320 such as a keyboard and mouse, and an output device 

330 such as a CRT display are coupled via a signal bus 340 to CPU 3 10. A communications 

interface 350, a data storage device 360 such as ROM or a magnetic disk, and a RAM 370 are 

further coupled via signal bus 340 to CPU 310. The communications interface 350 is 

10 conventionally coupled as part of the Internet 102 to the clients 1 14. Although the global 

server 106 is described as a single computer, it will be appreciated that the global server 106 

may include multiple computers networked together. 

Operating system 380 includes a program for controlling processing by CPU 3 1 0, and 

is typically stored in data storage device 260 and loaded into RAM 370 for execution. 

15 Operating system 380 includes a communication engine 382 for generating and transferring 

message packets to and from client computers 1 14 via the communications interface 350. 

Operating system 380 further includes, as part of global firewall 104, security services 

384 for opening a communications channel with users. For example, when a client attempts 

to access the global server 106, the security services 384 first determines whether the global 
35 

20 server 106 accepts in-bound communications from a particular port (not shown) and whether 
the servlet host engine 386, described below, is authorized to connect to that particular port. 
If so, the security services 384 allows the communications engine 382 to open a 

40 

communications channel via the particular port to the client 1 14a-l 14g. Otherwise, no 
channel will be opened. 

25 The operating system 380 further includes a web engine 387 which, based on user's 

45 

identification, the strength of the user's authentication and the privacy of the cornmunications 
channel, forwards web page data 391 and information identifying a set of available services 
1 10a-1 lOd to the client 1 1 4a- 1 14g. An example web page 700 is shown and described with 

50 

-9- 



25 



30 



55 



WO 00/1 1832 PCI7US98/1 741 0 

5 reference to FIG. 7. The web engine 387 enables a user to select a service 1 I0a-1 lOd from 

the web page 700. 

The web engine 387 includes a servlet host engine 286, which downloads security 
1Q applets 290 including an authentication applet (not shown) to the client computer 1 1 4 and 

5 accordingly executes an authentication servlet 397 of servlets 398 for performing 

identification and authentication services. The authentication applet 290 prompts the user for 
identification and authentication information, and then communicates the information to the 
authentication servlet 397. The authentication servlet 397 verifies that the information is 
correct. It will be noted that the user's authentication information is not necessarily sent to 
10 the authentication servlet 397, but rather its existence and correctness is proven via a secure 
means such as a secure hash. The servlet host engine 386 further includes a secure 
communications engine 396 which may use public key certificates to negotiate a secure 
communications channel with the client computer 1 14. 

Upon selection of a service 1 10a-l lOd, the servlet host engine 386 downloads a 
15 corresponding applet 388, corresponding configuration data 390 and corresponding user data 
392 and may download corresponding service address information 394 to the client computer 
1 14. Configuration data 390 includes information for configuring the user's web browser 
284, for configuring the downloaded applets 288, and for configuring the selected service 
1 1 0a-l lOd. User data 392 may include user-and-service-specific information such as stored 
20 bookmarks, calendar data, pager numbers, etc. which was specifically stored on the global 
server 106 for easy access. Service address information 394 identifies the location of the 
services 1 10a- 1 lOd provided in system 100 by the global server 106. The client computer 
1 14 executes the corresponding downloaded applet 288, which via the servlet host engine 386 
(possibly using a corresponding servlet 398) enables the user to access and to control the 
25 corresponding services 1 10a- 1 lOd. The downloadable applets 388, configuration data 390, 
user data 392 and service address information 394 may be stored on the data storage device 
360. 



15 



20 



25 



30 



35 



40 



45 



50 



-10- 



55 



WO 00/11832 



PCI7US98/17410 



5 A keysafe 395 is a data file for storing each user's identification information, each 

user's public and private keys, each firewall's password information, etc. The keysafe 395 is 
organized in a linked list format so that, based on the selected service 1 10a- 1 lOd, the global 

10 server 106 can retrieve the appropriate firewall's password information, the appropriate user's 

5 identification information and keys, etc. The keysafe 395 may be stored on the data storage 
device 360. 



15 



20 



25 



30 



35 



40 



45 



50 



FIG. 4 is a block diagram illustrating details of a service server 108, such that servers 
108a-108c and client 1 14b are instances of server 108. Server 108 includes a CPU 410 such 

10 as a Motorola Power PC® microprocessor or an Intel Pentium* microprocessor. An input 
device 420 such as a keyboard and mouse, and an output device 430 such as a CRT display 
are coupled via a signal bus 440 to CPU 410. A communications interface 450, a data storage 
device 460 such as ROM or a magnetic disk, and a RAM 470 are further coupled via signal 
bus 440 to CPU 410. The communications interface 450 is coupled to the clients 1 14 as 

15 shown in and described with reference to FIG. 1 . 

The operating system 480 includes a program for controlling processing by CPU 410, 
and is typically stored in data storage device 460 and loaded into RAM 470 for execution. 
Operating system 480 also includes a communications engine 482 for generating and 
transferring message packets via the communications interface 450 to and from clients 1 14 or 

20 to and from global server 106. Operating system 480 further includes security services 484 
for negotiating a secure channel with users, a secure communications engine 486 for opening 
the secure channel with the users, and a service engine 490 for providing a service 1 10a-l lOd 
to the users. 

The service engine 490 includes a service interface 492 for receiving and translating 
25 messages to and from downloaded applets 288 currently executing on the client 1 14, and 

includes a service processor 494 and service data 496 for processing the service requests from 
the user. The service data 496 may include previously-generated documents, database 
information, etc. It will be appreciated that the service data 496 is similar to the user data 



-11- 



55 



WO 00/11832 



PCT/US98n7410 



5 392, such that it includes the same type of information but is maintained on the service server 

108 instead of on the global server 108. 

10 FIG. 5 is a flowchart illustrating a method 500 enabling a user to access services 

5 1 10a- 1 1 Od in computer network system 100. Method 500 begins by the client 1 14 in step 

505 creating a communications link with the global server 106. Step 505 is described in 
15 greater detail with reference to FIG. 6. The global server 106 in step 510 confirms that the 

user has privileges to access the functionality of the global server 106. Corifirming user 

access privileges may include examining a user certificate, obtaining a secret password, using 
2Q 10 digital signature technology, etc. It will be appreciated that the security services 384 may 

cause the servlet host engine 386 to forward a security applet 389 via the communications 

channel to the client 1 14 for performing user authentication. 

After user access privileges are confirmed, the web page engine 387 of the global 

25 

server 106 in step 515 downloads web page data 391 and configuration data 390 to the client 
15 114. The browser 284 of the client 1 14 in step 520 uses the web page data 391 and the 
configuration data 390 to display a web page 700 (FIG. 7) on the output device 230 of the 

30 

client 1 14 and to enable access to the services 1 10a-l lOd which are offered by the global 
server 106. An example web page 700 is shown and described with reference to FIG. 7. 

From the options listed on the web page 700, the user in step 525 via input device 220 

35 

20 selects a service HOa-llOd. In response, the servlet host engine 386 of the global server 106 
in step 530 downloads the corresponding applets) 388, applet configuration data 390, user 
data 392 and possibly service address information 394 to the client 1 14. Applet configuration 

40 

data 390 preferably includes user-specific preferences, such as user-preferred fonts, for 
configuring the selected service 1 10a-l lOd. User data 392 may include user-specific and 
25 service-specific information such as stored bookmarks, calendar data, pager numbers, etc. 

45 

Service address information 394 identifies the location of the selected service 1 10a-l lOd. 
Alternatively, the corresponding applets) 388, applet configuration data 390, user data 392 

50 

-12- 



55 



WO 00/11832 



PCTAJS98/17410 



5 and service address information 394 could have been downloaded in step 515 with the web 

page data 391 and the configuration data 390. 

The applet engine 286 of the client 1 14 in step 535 executes the corresponding 

10 downloaded applet 288. The service server 108 in step 537 initiates the service engine 490. 

5 The global server 106 in step 538 selects one of the three modes of access described in FIGs. 
8A-8C for enabling the client computer 1 14 to communicate with the corresponding service 

15 engine 490. For example, if the user selects the service 1 lOd on server 108c, which is not 

protected by a separate firewall, then the global server 106 may provide the user with direct 
access. If the user selects service 1 10a provided by server 108a within company network 

2Q 10 11 8, then the global server 1 06 may access the service 1 1 0a as a proxy for the user. It will be 

appreciated that each firewall 106 and 120 may store policies establishing the proper mode of 
access the global server 106 should select. Other factors for selecting mode of access may 
include user preference, availabilitv and feasibility. The global server 106 in step 540 

25 

provides the client 1 14 user with access to the selected service 1 10a- 1 lOd. Step 540 is 
15 described in greater detail with reference to FIGs. 8A, 8B and 8C. 

30 

FIG. 6 is a flowchart illustrating details of step 505, which begins by the client 1 14 
user in step 605 using a known Uniform Resource Locator (URL) to call the global server 
1 06. The global server 106 and the client 1 14 in step 607 create a secure communications 

35 

20 channel therebetween, possibly by applying Secure Sockets Layer (SSL) technology. That is, 
the security services 384 of the global server 106 in step 610 determine if in-bound secure 
communications are permitted and, if so, creates a communications channel with the client 

40 

1 14. The browser 284 of the client 1 14 and the security services 384 of the global server 106 
in step 615 negotiate secure communications channel parameters, possibly using public key 
25 certificates. An example secure communications channel is RSA with RC4 encryption. It 

45 

will be appreciated that the global server 106 may be configured to use one of ten encryption 
protocols and the client 1 14 may be enabled to use one of five encryption protocols. Step.615 
thus may include selecting one of the encryption protocols which is common to both the 

50 

-13- 



55 



10 



15 



20 



25 



30 



35 



40 



45 



50 



WO 00/1 1832 PCT/US98yi7410 

global server 106 and the client 1 14. The encryption engine 285 of the client 1 14 and secure 
communications engine 396 of the global server 1 14 in step 620 use the secure channel 
parameters to create the secure communications channel. Method 505 then ends. 

5 FIG. 7 illustrates an example URL-addressable HyperText Markup Language 

(HTML)-based web page 700, as maintained by the servlet host engine 386. The web page 
700 includes a title 710 "Web Page," a listing of the provided services 715 and a pointer 770 
for selecting one of the provided services 715. As illustrated, the provided services 715 may 
include an e-mail service 720, a calendaring service 730, an internet access service 740, a 
10 paging service 750 and a fax sending service 760. Although not shown, other services such 
as bookmarking, QuickCard™, etc. may be included in the web page 700. 

FIG. 8 A is a flowchart illustrating details of step 540 in a first embodiment, referred 
to as step 540a, wherein the global server 106 provides the client 1 14 with a direct connection 

15 to the service 1 1 0a- 1 1 Od. Step 540a begins by the downloaded applet 288 in step 805 

retrieving the service address 394 of the selected service 1 10a-l lOd from data storage device 
360 and the authentication information for the service 1 10a-l lOd from the keysafe 395. The 
communications engine 282 in step 810 creates a direct and secure connection with the 
communications engine 482 of the service server 108 at the retrieved service address, and 

20 uses the authentication information to authenticate itself. The applet 288 in step 8 1 5 acts as 
the I/O interface with the service engine. Step 540a then ends. 

FIG. 8B is a flowchart illustrating details of step 540 in a second embodiment, 
referred to as step 540b, wherein the global server 106 acts for the client 1 14 as a proxy to the 
25 service 1 1 Oa- 1 1 Od . Step 540b begins with the applet 288 in step 840 retrieving the "service" 
address, which results in directing it to the global server 106. Thus, the applet 288 in step 
845 creates a connection with the global server 106. The servlet host engine 386 of the global 
server 106 in step 850 retrieves the service address of the selected service 1 10a- 1 lOd and the 



-14- 



55 



WO 00/1 1832 PCT/US98/17410 

5 authentication information for the selected service 1 10a-l lOd from the keysafe 395. The 

secure communications engine 396 of the global server 106 in step 855 negotiate secure 
channel parameters for creating a secure channel with the secure communications engine 486 
10 of the service server 108. 

5 Thereafter, the applet 288 in step 860 acts as the I/O interface (enables the user to 

make requests of the service engine 490) with the secure communications engine 396 of the 
15 global server 106. If the servlet host engine 386 in step 865 determines that it is unauthorized 

to perform a client 1 14 user's request, then the servlet host engine 386 in step 870 determines 
whether the method 540b ends, e.g., whether the user has quit. If so, then method 820b ends. 
10 Otherwise, method 540b returns to step 860 to obtain another request If the servlet host 
engine 386 in step 865 determines that it is authorized to perform the client 1 14 user's 
request, then the servlet host engine 386, possibly using servlets 398, acts as the proxy for the 
client 1 14 to the service engine 490. As proxy, the servlet host engine 386 forwards the 
service request to the service 1 10a- 1 lOd for the applet 288 and forwards responses to the 
15 requesting applet 288 currently executing on the client 1 14. Method 540b then returns to step 
870. 



20 



25 



30 



35 



40 



45 



50 



FIG. 8C is a flowchart illustrating details of step 540 in a third embodiment, referred 
to as step 540c, wherein the service 1 10a-l lOd being requested is located on the global server 

20 106. Step 540c begins with the applet 288 in step 880 retrieving the service address for the 
service 1 10a- 1 lOd, which results in providing the applet 288 with the service address of the 
service 1 10a-l lOd on the global server 106. Thus, the applet 288 in step 882 creates a secure 
connection with the global server 106. No additional step of identification and authentication 
is needed since the client 1 14 has already identified and authenticated itself to the global 

25 server 106 in step 5 10 of FIG. 5. 

In step 884, a determination is made whether the service 1 10a- 1 lOd is currently 
running. If so, then in step 886 a determination is made whether the service 1 10a- 1 lOd can 
handle multiple users. If not, then the global server 106 in step 890 creates an instance for the 



-15- 



55 



WO 00/11832 



PCTAJS98/17410 



user, and the applet 288 in step 892 acts as the I/O interface with the service 1 10a-l lOd on the 
global server 106. Otherwise, if the service 1 10a- 1 lOd in step 886 determines that it cannot 
handle multiple users, then method 540a proceeds to step 892. Further, if in step 884 the 
global server 106 determines that the service 1 10a-l lOd is not currently running, then the 
global server 106 in step 888 initializes the service 1 10a-l lOd and proceeds to step 886. 

The foregoing description of the preferred embodiments of the invention is by way of 
example only, and other variations of the above-described embodiments and methods are 
provided by the present invention. Components of this invention may be implemented using 
a programmed general purpose digital computer, using application specific integrated circuits, 
or using a network of interconnected conventional components and circuits. The 
embodiments described herein have been presented for purposes of illustration and are not 
intended to be exhaustive or limiting. Many variations and modifications are possible in light 
of the foregoing teaching. The invention is limited only by the following claims. 



-16- 



WO 00/11832 



PCT/US98/17410 



10 



15 



20 



WHAT IS CLAIMED IS : 

1 1. A system comprising: 

2 a communications engine for establishing a communications link with a client; 

3 security means coupled to the communications engine for determining client 

4 privileges; 

5 a servlet host engine coupled to the security means for providing to the client, 

6 based on the client privileges, an applet which enables I/O with a secured service; and 

7 a keysafe for storing a key which enables access to the secured service. 

1 2. The system of claim 1 , wherein the communications engine uses SSL technology 

2 to create a secure communications link with the client. 



25 13. The system of claim 1 , wherein communications engine negotiates an encryption 

2 protocol for transferring messages to and from the client. 

30 1 4. The system of claim 1 , wherein the communications engine uses public key 

2 certificates for transferring messages to and from the client. 

35 15. The system of claim 1 , wherein the security means uses public key certificates to 

2 authenticate the client. 

40 16. The system of claim 1 , wherein the security means examines client identity and the 

2 level of authentication to determine client privileges. 

45 17. The system of claim 1 , wherein the security means examines a global certificate to 

2 authenticate the client. 



50 



-17- 



55 



WO 00/1 1832 PCT/US98/17410 

5 18. The system of claim 1 , wherein the security means uses digital signature technology 

2 to authenticate the client. 

10 1 9. The system of claim 1 , wherein the servlet host engine forwards to the client a 

2 security applet for enabling the client to perform a security protocol recognized by the 

3 security means. 



15 



20 



25 



30 



35 



40 



1 10. The system of claim 1 , wherein the service is secured by a corporate firewall and the 

2 key is configured to enable communication through the firewall. 

1 11. The system of claim 1 . further comprising a global firewall for protecting the 

2 system. 

1 12. The system of claim 1, further comprising a service address for identifying the 

2 location of the secured service. 

1 13. The system of claim 1 . wherein the applet provides to the client a direct connection 

2 with the secured service. 

1 14. The system of claim 1 , further comprising a proxy in communication with the 

2 secured service, and wherein the applet enables I/O with the proxy. 



45 



50 



55 



-18- 

SUBST1TUTE SHEET (RULE 26) 



10 



15 



20 



25 



30 



35 



40 



45 



50 



WO 00/11832 PCT/US98/17410 

1 15. A method comprising the steps of: 

2 establishing a communications link with a client; 

3 determining client privileges; 

4 providing to the client, based on the client privileges, an applet which enables I/O 

5 with a secured service; and 

6 retrieving a key which enables access to the secured service. 

1 16. The method of claim 15, wherein establishing a communications link includes the 

2 step of using SSL technology to create a secure communications link with the client 

1 17. The method of claim 15, wherein establishing a communications link includes the 

2 step of negotiating an encryption protocol for transferring messages to and from the client. 

1 1 8. The method of claim 15, wherein establishing a communications link includes the 

2 step of using public key certificates for transferring messages to and from the client 

1 1 9. The method of claim 15, wherein determining client privileges includes the step of 

2 using public key certificates to authenticate the client 

1 20. The method of claim 1 5, wherein determining client privileges includes the step of 

2 examining client identity and the level of authentication to determine client privileges. 

1 21. The method of claim 15, wherein determining client privileges includes the step of 

2 examining a global certificate to authenticate the client 

1 22. The method of claim 1 5, wherein determining client privileges includes the step of 

2 using digital signature technology to authenticate the client. 



55 



-19- 

SUBSTITUTE SHEET (RULE 26) 



10 



15 



20 



25 



30 



35 



40 



45 



50 



WO 00/1 1832 PCT/US98/17410 

1 23. The method of claim 1 5, wherein establishing a communications link includes 

2 forwarding to the client a security applet for enabling the client to perform a recognized 

3 security protocol. 

1 24. The method of claim 1 5, further comprising the step of using the key to 

2 communicate through a firewall to the secured service. 

1 25. The method of claim 1 5, wherein the method is performed by a global server and 

2 further comprising using a global firewall to protect the global server. 

1 26. The method of claim 1 5, further comprising using a service address to identify the 

2 location of the secured service. 

1 27. The method of claim 1 5, wherein providing includes the step of providing to the 

2 client a direct connection with the secured service. 

1 28. The method of claim 1 5, further comprising using a proxy in communication with 

2 the secured service, and wherein providing includes enabling I/O with the proxy. 

1 29. A system comprising: 

2 means for establishing a communications link with a client; 

3 means for determining client privileges; 

4 means for providing to the client, based on the client privileges, an applet which 

5 enables I/O with a secured service; and 

6 means for retrieving a key which enables access to the secured service. 

1 30. A computer-based storage medium storing a program for causing a computer to 

2 perform the steps of: 



55 



-20- 

SUBSTTTUTE SHEET (RULE 26) 



WO 00/11832 PCT/US98/17410 

establishing a communications link with a client; 
determining client privileges; 

providing to the client, based on the client privileges, an applet which enables I/O 
with a secured service; and 

retrieving a key which enables access to the secured service. 



-21- 

SUBSTnUTE SHEET (RULE 26) 



WO 00/11832 



PCT/US98/17410 



1/10 





SUBSTITUTE SHEET (RULE 26) 



WO 00/11832 



2/10 



PCT/US98/17410 




SUBSTITUTE SHEET (RULE 28) 



PCT/US98/17410 



3/10 




SUBSTITUTE SHEET (RUL£ 26) 



WO 00/11832 



PCT/US98/17410 



4/10 




SUBSTITUTE SHEET (RULE 26) 



WO 00/1 1832 



PCIYUS98/17410 



5/10 



500 



c 



Start 



3 



Create link between client and global 
server 



Confirm user access privileges 



Download web page data and 
configuration data from global 
server to client 



T 



Configure client and display web 
page 



Client user selects a service 



Download corresponding applet, 
applet configuration data and user 
data from the global server to the 
client 



T 



Execute the applet 



T 



Initiate the service 



Select a mode of access 



Provide access to the service to the 
client user 



505 



510 



515 



520 



525 



530 



535 



537 



538 



540 



/ 



c 



End 



FIG. 5 



SUBSTITUTE SHEET (RULE 26) 



WO 00/11832 



PCI7US98/17410 



6/10 



505 



( 



Start 



) 



/ 



\ 


r 






Call global server using known URL 


oU5 












i 610 




Create communications channel 






615 




Negotiate secure channel ^ 
parameters 


\ 


f 






Create secure channel 








\ 





( 



End 



) 



607 



FIG. 6 



SUBSTITUTE SHEET (RULE 28) 



WO 00/11832 



PCT/US98/17410 



7/10 



FIG. 7 

(Web Page Screen Shot) 



/ 



700 



Web Page 




1. 


E-Mail 




2. 


Calendaring 




3. 


s 

Internet Access 


770 


4. 


Paging 




5. 


Sending Faxes 





710 



720 



730 



740 



750 



760 



> 



715 



SUBSTITUTE SHEET (RULE 28) 



WO 00/11832 



PCT/US9S/17410 



8/10 



c 



Start 



3 



540a 



/ 



Applet retrieves service address 
and authentication information 



Client creates direct and secure 
connection with service and 
uses the authentication 
information to authenticate itself 



805 



810 



Applet acts as I/O interface with 
the service engine 



815 



c 



End 



FIG. 8A 
(Redirect) 



SUBSTITUTE SHEET (RULE 28) 



WO 00/11832 PCT/US98/17410 



9/10 



540b 



c 



Start 



3 



/ 



Applet retrieves service 
address directing it to the 
global server 



Applet creates a secure 
connection to the global server 



Global server retrieves the 
service address and the 
authentication information 



Global server connects to the 

service and uses the 
authentication information to 
authenticate itself as the user 



840 



845 



850 



855 



Applet acts as I/O interface 
with global server 



860 



Global server 
acts as proxy 
to service 




875 



FIG. 8B (Proxy) 



SUBSTITUTE SHEET (RULE 26) 



WO 00/11832 



PCT/US98/17410 




892 




J 

( End ) 

FIG. 8C 
(Direct to data) 



SUBSTITUTE SHEET (RULE 26) 



INTERNATIONAL SEARCH REPORT 



International application No. 
PCTVUS98717410 



A. CLASSIFICATION OF SUBJECT MATTER 
IPC(6) : H04 L 9/00 
USCL : 380/49 

According to International Patent Classification (IPC) or to both national classification and IPC 



a FIELDS SEARCHED 



Minimum documentation searched (classification system followed by classification symbols) 
U.S. : 380/21.49.50 



Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 



Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 
APS. INTERNET 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* 



Citation of document, with indication, where appropriate, of the relevant passages 



Relevant to claim No. 



TANBNBAUM, ANDREW. Computer Networks, Third Edition 
Prentice-Hall, 1996, see entire document. 

KNUDSEN, JONATHAN. Java Cryptography, O'Reilly, 1998, p. 
79-91, 112, 160. 

Verisign Press Release. Verisign Enhances Digital IDS to Enable 
Universal Website Login and One-step Registration. 
<www.verisign.com/press/product/isv.html>, especially 2nd 
paragraph. 

US 5,644,354 (THOMPSON ET AL.) 01 July 1997, especially col. 
2, 11. 2-9. 

CA 2,191,505 A (JONES) 30 June 1997, especially p. 4 11. 5-20. 



1-30 
1-30 
1-30 

1-30 
1-30 



[""] Further documents arc listed in the continuation of Box C. j^J Sec patent family annex. 



•o* 
•r 



Special cite? or ie* of ckod doctaaaots: 

docure «u definine. tha general itaia of tha art which b net cooeiderad 
to be of particular relavanoa 

aartiar document publubed an or after lite istamauoMl filial data 

doauraent which may throw douba on priority cttbn(i) or which it 
akad la eatebttab tba publication data of anoUiar citation or «htf 
epeciai raaaoo (u (peeiried) 

docuraant refertinf to an oral diaeioaurc. um. exhibition or other 



doouraanl published prior to the uMrraaiional filing data but later dten 
lh a priority d au claimed 



later docuatant publtahcd after tha inurnaoonal ftUoa, 
data aod not bi conflict with tba application but citad 
tha principle or theory uadcrtyioa, tha taecalioa 

document of particular relevance; the e taint ad or«< 
considered oorel or cannot ba considered w mvohra 
t it taken alona 



data or priority 
' to undetauad 



an uavanuVa step 



document of particular ralwertoa; rha ctaunad invce 
considered to awoKra an irwerrtr»a »iap whan th 
combated with ona or mora other iuch docuaeou. eu 
beata. elwioue le • partem ikilUd in tha an 

document men bar of the fame patent family 



Dale of the actual completion of the international search 
03 NOVEMBER 1998 



Date of mailing of the international search report 

15 JUN1999 



Name and mailing address of the ISAJUS 
Commissioner of Patents and Trademarks 
Box PCT 

Washington. D.C 20231 
Facaimae No. (703) 305-3230 



Aulhorizcd officer 

CHRISTIAN AUSnN-HOLLANQsJfS - ^ 
Telephone No. (703) 3050900 



Form PCT/ISA72IO (second shcet)(July 1992)*