US20130097656A1 - Methods and systems for providing trusted signaling of domain-specific security policies - Google Patents
Methods and systems for providing trusted signaling of domain-specific security policies Download PDFInfo
- Publication number
- US20130097656A1 US20130097656A1 US13/274,756 US201113274756A US2013097656A1 US 20130097656 A1 US20130097656 A1 US 20130097656A1 US 201113274756 A US201113274756 A US 201113274756A US 2013097656 A1 US2013097656 A1 US 2013097656A1
- Authority
- US
- United States
- Prior art keywords
- network
- server
- certificate
- proxy server
- based application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
Definitions
- the disclosure relates generally to providing trusted signaling of domain-specific security policies. More specifically, the disclosure relates to providing domain-specific security policies to application clients using SSL server certificates.
- local IT security staff block all programs which may compromise or otherwise disclose information on a local domain to sources outside the domain.
- local IT security staff block remote collaboration applications which may give users outside the local domain various rights to the screen or desktop of a computer on the domain.
- a remote collaboration tool may give a remote user external to a local domain the ability to control the desktop of a computer on the local domain.
- Healthcare, pharmaceutical, financial, defense, Federal Government, and other regulated, risk-averse IT environments are typical examples of environments where such programs are blocked.
- provisioning of on-line resources must permit local IT security staff to communicate policies to protect the interests of a specific domain.
- security gateways and the need for them to create replacement SSL server certificates provides the opportunity to control the functionality of a network-based application client in a domain-specific and trusted fashion. For example, if the security gateway includes additional, application-specific extensions in an X.509v3 digital certificate profile when creating the replacement certificate, then the client has an opportunity to receive, validate and act on this digitally-signed information.
- local IT staff may modify a certificate profile to regulate and communicate policies for any functionality of network-based applications made available at target server located outside the local domain.
- trusted signaling of domain-specific policies is provided by storing a replacement certificate at a proxy server on a local domain; intercepting by the proxy server a first outbound connection request received from a local application executing on a client computer on the local domain, wherein the request is to connect to a network-based application server outside the local domain; initiating a second outbound connection request to the network-based application server; facilitating the establishment of a first connection between the proxy server and the network-based application server in response to the second outbound connection request and using a target certificate for verifying the identity of the network-based application server; facilitating the establishment of a second connection between the proxy server and the client; and transmitting the replacement certificate to the client by the proxy server in response to the first outbound connection request; wherein the replacement certificate stores a policy for regulating the use of one or more applications being accessed at the network-based application server.
- the proxy server is an SSL-inspecting proxy server and the first and second connections are SSL connections.
- the replacement certificate is an X.509v3 digital certificate.
- the policy is stored as an extension in the X.509v3 digital certificate.
- the local application is an on-line presentation participant software.
- the network-based application server is an on-line presentation server.
- the policy prohibits transmitting a desktop or screen image, files, or other information from the client computer outside of the local domain. In some embodiments, the policy prohibits giving remote control of the client computer to an entity outside the local domain.
- trusted signaling of domain-specific policies is provided using a proxy server on a local domain for providing trusted signaling of domain-specific policies that includes a computer storage medium for storing a replacement certificate, which stores a policy for regulating the use of one or more applications being accessed at a network-based application server; and a network interface for intercepting by the proxy server a first outbound connection request received from a local application executing on a client computer on the local domain, wherein the request is to connect to a network-based application server outside the local domain, initiating a second outbound connection request to the network-based application server, facilitating the establishment of a first connection between the proxy server and the network-based application server in response to the second outbound connection request and using a target certificate for verifying the identity of the network-based application server, facilitating the establishment of a second connection between the proxy server and the client, and transmitting the replacement certificate to the client by the proxy server in response to the first outbound connection request.
- FIG. 1 shows an embodiment of distributed computing environment
- FIG. 2 shows an embodiment of a security certificate including policy information for regulating a network-based application.
- FIG. 1 An embodiment of a distributed computing environment 10 is depicted in FIG. 1 .
- the environment 10 comprises a local network or domain 12 of users 14 .
- an SSL proxy server 16 On the local network 12 is an SSL proxy server 16 .
- the local network 12 is connected to an unsecure network, such as the Internet 18 .
- a network-based application service 19 is also connected to the Internet 18 .
- Web security gateways or proxy servers such as SSL proxy servers 16
- SSL proxy servers 16 are employed by a growing number of enterprises to mitigate risks associated with malware, sensitive data threat/leakage, and unauthorized access to objectionable Internet content or applications.
- Some of these gateways 16 intercept outbound connection requests and serve as a middle man between a client 14 and target 19 . In doing so, the gateways 16 return a security certificate signed by a trusted, internal certificate authority.
- an SSL proxy server 16 intercepts outbound SSL connection requests, generates “spoofed,” replacement SSL server certificates which it returns to the requester 14 , and then establishes a second SSL connection to the target server 19 identified in the request.
- the spoofed certificate is signed by an internal certificate authority that the enterprise controls.
- the security gateway 16 can act as a so-called “man in the middle” and inspect the plaintext traffic between the client 14 and target server 19 .
- security certificates may be used to communicate local-IT administrators' policies for a particular network-based application available at a network-based application service 19 to clients 14 seeking access to the network-based application.
- network-based application broadly refers to any application that uses information received from a network to operate.
- Digital security certificates are not limited to distributing only cryptographic information.
- an X.509v3 digital certificate 20 may optionally include one or more extensions 22 in its structure. These extensions 22 may be used to transmit data with the certificate 20 . Ordinarily, in prior art systems, extensions 22 are used to distribute information about the certificate 20 itself, not for regulating policies regarding applications that may use the certificate 20 .
- the security gateway 16 adds application-specific extensions 22 in an X.509v3 digital certificate 20 profile when creating a replacement certificate to send to a client 14 , then the client 14 has an opportunity to receive, validate, and act on this digitally-signed information.
- the information provided in these application-specific extensions 22 may be policy information that a browser or proprietary software application can interpret. More information on security certificates and extensions may be found in the Internet Engineering Task Force's (IETF) Request For Comments (RFC) 5280, entitled “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” from May 2008, which is incorporated in its entirety by reference herein.
- IETF Internet Engineering Task Force's
- RRC Request For Comments
- CTL Certificate Revocation List
- the network-based application's client-side software is configured to detect and parse information included in a security certificate.
- the code is also adapted to communicate the policy conveyed in the certificate 20 to the application security layer in the client 14 for interpretation and enforcement.
- the client-side software is also able to accept and trust local certificate authorities either by accessing a local certificate store on the client computer or through additional logic and GUI elements to confirm acceptance of non-standard certificate authority root certificates by the user, e.g., such as exists within standard Internet browsers.
- a user 14 directs its browser towards an on-line presentation application's server 19 .
- the user 14 then downloads from the server 19 client software to run the on-line presentation.
- the user 14 next attempts to establish an SSL connection to an on-line presentation server.
- the client software When initiating its outbound SSL communications with the on-line presentation server, the client software expects to receive a valid security certificate in response.
- a local SSL proxy server 16 intercepts the SSL connection request and establishes a connection with the on-line presentation server.
- the SSL proxy server 16 also returns a replacement certificate 20 in response to the outbound connection request. Because the certificate 20 is signed by a local certificate authority, the client 14 trusts the contents of the certificate 20 .
- the certificate 20 includes policy information, stored in an extension 22 of the certificate, for identifying the rights and capabilities of the on-line presentation software running on the client computer 14 .
- policy information stored in an extension 22 of the certificate, for identifying the rights and capabilities of the on-line presentation software running on the client computer 14 .
- the certificate 20 includes appropriately encoded policy information along the lines of “On-Line Presentation Software—No Share Desktop” or “On-Line Presentation Software—No Remote Control,” then the local IT security staff could allow employees to use the on-line presentation software with the desired functionality restrictions needed to comply with local policy. Accordingly, the on-line presentation software operates according to the restrictions and permissions identified in the security certificate.
- this method provides an advantage over, say, using Windows registry settings to signal policy to the application client. It also does not require IT staff to contact each network-based application vendor to request manually blocking or hobbling client functionality based on the requesting IP address.
- this systems and methods disclosed herein provide a way to enhance the value of products to customers and better accommodate the needs of mutual customers.
- a local computer will operate according to the policies identified in the trusted security certificate received from its local security certificate authority.
- a digital security certificate may include a policy that prohibits the execution of various multimedia platforms, including Adobe Systems Inc.'s ADOBE FLASH PLAYER.
- Various embodiments of this disclosure may be used to distribute domain-specific policies for downloading content or programs from servers outside of the domain by way of security certificates.
- security certificates may be used to distribute domain-specific policies to regulate viewing and listening of streaming video or audio websites.
- the systems and methods disclosed herein are not limited to the examples disclosed, but are applicable to regulating domain-specific policies in instances where a security certificate is distributed.
- the previously described embodiments may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof.
- article of manufacture as used herein is intended to encompass code or logic accessible from and embedded in one or more computer-readable devices, firmware, programmable logic, memory devices (e.g., EEPROMs, ROMs, PROMs, RAMs, SRAMs, etc.), hardware (e.g., integrated circuit chip, Field Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), etc.), electronic devices, a computer readable non-volatile storage unit (e.g., CD-ROM, floppy disk, hard disk drive, etc.), a file server providing access to the programs via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc.
- the article of manufacture includes hardware logic as well as software or programmable code embedded in a computer readable medium that is executed by a processor. Of course, those skilled in the art
Abstract
Description
- The disclosure relates generally to providing trusted signaling of domain-specific security policies. More specifically, the disclosure relates to providing domain-specific security policies to application clients using SSL server certificates.
- In some on-line environments, local IT security staff block all programs which may compromise or otherwise disclose information on a local domain to sources outside the domain. For example, local IT security staff block remote collaboration applications which may give users outside the local domain various rights to the screen or desktop of a computer on the domain. In a specific example, a remote collaboration tool may give a remote user external to a local domain the ability to control the desktop of a computer on the local domain. Healthcare, pharmaceutical, financial, defense, Federal Government, and other regulated, risk-averse IT environments are typical examples of environments where such programs are blocked. Thus, to be compatible with these types of secure environments, provisioning of on-line resources must permit local IT security staff to communicate policies to protect the interests of a specific domain.
- One option for compatibility is to modify the registry on each computer. When using a computer's registry, a software client will always refer to the registry when executing. A problem with this solution is that it is difficult to deploy the registry settings to every computer on a network, which could be in the thousands. Another option would be to direct software toward an active directory. A problem with this solution, however, requires pre-programming of the software client.
- The deployment of security gateways and the need for them to create replacement SSL server certificates provides the opportunity to control the functionality of a network-based application client in a domain-specific and trusted fashion. For example, if the security gateway includes additional, application-specific extensions in an X.509v3 digital certificate profile when creating the replacement certificate, then the client has an opportunity to receive, validate and act on this digitally-signed information. Thus, local IT staff may modify a certificate profile to regulate and communicate policies for any functionality of network-based applications made available at target server located outside the local domain.
- In one embodiment of the systems and methods disclosed herein, trusted signaling of domain-specific policies is provided by storing a replacement certificate at a proxy server on a local domain; intercepting by the proxy server a first outbound connection request received from a local application executing on a client computer on the local domain, wherein the request is to connect to a network-based application server outside the local domain; initiating a second outbound connection request to the network-based application server; facilitating the establishment of a first connection between the proxy server and the network-based application server in response to the second outbound connection request and using a target certificate for verifying the identity of the network-based application server; facilitating the establishment of a second connection between the proxy server and the client; and transmitting the replacement certificate to the client by the proxy server in response to the first outbound connection request; wherein the replacement certificate stores a policy for regulating the use of one or more applications being accessed at the network-based application server.
- In various embodiments, the proxy server is an SSL-inspecting proxy server and the first and second connections are SSL connections. In some embodiments, the replacement certificate is an X.509v3 digital certificate. In some embodiments, the policy is stored as an extension in the X.509v3 digital certificate. In some embodiments, the local application is an on-line presentation participant software. In some embodiments, the network-based application server is an on-line presentation server. In some embodiments, the policy prohibits transmitting a desktop or screen image, files, or other information from the client computer outside of the local domain. In some embodiments, the policy prohibits giving remote control of the client computer to an entity outside the local domain.
- In one embodiment of the systems and methods disclosed herein, trusted signaling of domain-specific policies is provided using a proxy server on a local domain for providing trusted signaling of domain-specific policies that includes a computer storage medium for storing a replacement certificate, which stores a policy for regulating the use of one or more applications being accessed at a network-based application server; and a network interface for intercepting by the proxy server a first outbound connection request received from a local application executing on a client computer on the local domain, wherein the request is to connect to a network-based application server outside the local domain, initiating a second outbound connection request to the network-based application server, facilitating the establishment of a first connection between the proxy server and the network-based application server in response to the second outbound connection request and using a target certificate for verifying the identity of the network-based application server, facilitating the establishment of a second connection between the proxy server and the client, and transmitting the replacement certificate to the client by the proxy server in response to the first outbound connection request.
- The foregoing discussion will be understood more readily from the following detailed description of the disclosure, when taken in conjunction with the accompanying drawings, in which:
-
FIG. 1 shows an embodiment of distributed computing environment; -
FIG. 2 shows an embodiment of a security certificate including policy information for regulating a network-based application. - An embodiment of a
distributed computing environment 10 is depicted inFIG. 1 . Theenvironment 10 comprises a local network ordomain 12 ofusers 14. On thelocal network 12 is anSSL proxy server 16. Thelocal network 12 is connected to an unsecure network, such as the Internet 18. A network-basedapplication service 19 is also connected to the Internet 18. - Web security gateways or proxy servers, such as
SSL proxy servers 16, are employed by a growing number of enterprises to mitigate risks associated with malware, sensitive data threat/leakage, and unauthorized access to objectionable Internet content or applications. Some of thesegateways 16 intercept outbound connection requests and serve as a middle man between aclient 14 andtarget 19. In doing so, thegateways 16 return a security certificate signed by a trusted, internal certificate authority. For example, anSSL proxy server 16 intercepts outbound SSL connection requests, generates “spoofed,” replacement SSL server certificates which it returns to therequester 14, and then establishes a second SSL connection to thetarget server 19 identified in the request. The spoofed certificate is signed by an internal certificate authority that the enterprise controls. As long as theclient 14 trusts the internal certificate authority, thesecurity gateway 16 can act as a so-called “man in the middle” and inspect the plaintext traffic between theclient 14 andtarget server 19. - These security certificates may be used to communicate local-IT administrators' policies for a particular network-based application available at a network-based
application service 19 toclients 14 seeking access to the network-based application. As used herein, “network-based application” broadly refers to any application that uses information received from a network to operate. Digital security certificates are not limited to distributing only cryptographic information. For example, as illustrated inFIG. 2 , an X.509v3digital certificate 20 may optionally include one ormore extensions 22 in its structure. Theseextensions 22 may be used to transmit data with thecertificate 20. Ordinarily, in prior art systems,extensions 22 are used to distribute information about thecertificate 20 itself, not for regulating policies regarding applications that may use thecertificate 20. If thesecurity gateway 16 adds application-specific extensions 22 in an X.509v3digital certificate 20 profile when creating a replacement certificate to send to aclient 14, then theclient 14 has an opportunity to receive, validate, and act on this digitally-signed information. The information provided in these application-specific extensions 22 may be policy information that a browser or proprietary software application can interpret. More information on security certificates and extensions may be found in the Internet Engineering Task Force's (IETF) Request For Comments (RFC) 5280, entitled “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” from May 2008, which is incorporated in its entirety by reference herein. Thus, a trusted security certificate returned from an internal certificate authority can double as a distributor for policies regulating permissions granted to a network-based application for which the certificate was issued. In other words, functionality of a network-based application may be restricted through the SSL proxy process. - In various embodiments, the network-based application's client-side software is configured to detect and parse information included in a security certificate. The code is also adapted to communicate the policy conveyed in the
certificate 20 to the application security layer in theclient 14 for interpretation and enforcement. The client-side software is also able to accept and trust local certificate authorities either by accessing a local certificate store on the client computer or through additional logic and GUI elements to confirm acceptance of non-standard certificate authority root certificates by the user, e.g., such as exists within standard Internet browsers. - The following is a work flow example of an embodiment of the present disclosure. A
user 14 directs its browser towards an on-line presentation application'sserver 19. Theuser 14 then downloads from theserver 19 client software to run the on-line presentation. Theuser 14 next attempts to establish an SSL connection to an on-line presentation server. When initiating its outbound SSL communications with the on-line presentation server, the client software expects to receive a valid security certificate in response. A localSSL proxy server 16 intercepts the SSL connection request and establishes a connection with the on-line presentation server. TheSSL proxy server 16 also returns areplacement certificate 20 in response to the outbound connection request. Because thecertificate 20 is signed by a local certificate authority, theclient 14 trusts the contents of thecertificate 20. Thecertificate 20 includes policy information, stored in anextension 22 of the certificate, for identifying the rights and capabilities of the on-line presentation software running on theclient computer 14. For example, in environments that prohibit presenting or giving remote control to a local computer's desktop to outside computers, if thecertificate 20 includes appropriately encoded policy information along the lines of “On-Line Presentation Software—No Share Desktop” or “On-Line Presentation Software—No Remote Control,” then the local IT security staff could allow employees to use the on-line presentation software with the desired functionality restrictions needed to comply with local policy. Accordingly, the on-line presentation software operates according to the restrictions and permissions identified in the security certificate. - Use of security certificates is beneficial because an internal certificate authority is a central place for IT to distribute updated policies to any machine on a domain that is seeking access to a particular network-based application. Because these systems already have a gateway for intercepting SSL requests and transmitting replacement certificates, it is beneficial to take advantage of these replacement certificates to simultaneously distribute policies to regulate the use of network-based applications with entities outside of a local, trusted domain.
- For IT staff that are inclined to implement many web security controls at these security gateways, this method provides an advantage over, say, using Windows registry settings to signal policy to the application client. It also does not require IT staff to contact each network-based application vendor to request manually blocking or hobbling client functionality based on the requesting IP address. For vendors of security gateways and SSL-inspecting proxies in particular, this systems and methods disclosed herein provide a way to enhance the value of products to customers and better accommodate the needs of mutual customers.
- Aspects of this disclosure are compatible with any browser or software client that has functionality distributed outside a local domain. A local computer will operate according to the policies identified in the trusted security certificate received from its local security certificate authority. For example, a digital security certificate may include a policy that prohibits the execution of various multimedia platforms, including Adobe Systems Inc.'s ADOBE FLASH PLAYER.
- Various embodiments of this disclosure may be used to distribute domain-specific policies for downloading content or programs from servers outside of the domain by way of security certificates. In yet other embodiments, security certificates may be used to distribute domain-specific policies to regulate viewing and listening of streaming video or audio websites. The systems and methods disclosed herein are not limited to the examples disclosed, but are applicable to regulating domain-specific policies in instances where a security certificate is distributed.
- The previously described embodiments may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof. The term “article of manufacture” as used herein is intended to encompass code or logic accessible from and embedded in one or more computer-readable devices, firmware, programmable logic, memory devices (e.g., EEPROMs, ROMs, PROMs, RAMs, SRAMs, etc.), hardware (e.g., integrated circuit chip, Field Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), etc.), electronic devices, a computer readable non-volatile storage unit (e.g., CD-ROM, floppy disk, hard disk drive, etc.), a file server providing access to the programs via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc. The article of manufacture includes hardware logic as well as software or programmable code embedded in a computer readable medium that is executed by a processor. Of course, those skilled in the art will recognize that many modifications may be made to this configuration without departing from the scope of the present disclosure.
- Although the present disclosure has been described with reference to specific details, it is not intended that such details should be regarded as limitations upon the scope of the disclosure, except as and to the extent that they are included in the accompanying claims.
Claims (16)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/274,756 US20130097656A1 (en) | 2011-10-17 | 2011-10-17 | Methods and systems for providing trusted signaling of domain-specific security policies |
US14/582,633 US9231983B2 (en) | 2011-10-17 | 2014-12-24 | Methods and systems for providing trusted signaling of domain-specific security policies |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/274,756 US20130097656A1 (en) | 2011-10-17 | 2011-10-17 | Methods and systems for providing trusted signaling of domain-specific security policies |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/582,633 Continuation US9231983B2 (en) | 2011-10-17 | 2014-12-24 | Methods and systems for providing trusted signaling of domain-specific security policies |
Publications (1)
Publication Number | Publication Date |
---|---|
US20130097656A1 true US20130097656A1 (en) | 2013-04-18 |
Family
ID=48086898
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/274,756 Abandoned US20130097656A1 (en) | 2011-10-17 | 2011-10-17 | Methods and systems for providing trusted signaling of domain-specific security policies |
US14/582,633 Active US9231983B2 (en) | 2011-10-17 | 2014-12-24 | Methods and systems for providing trusted signaling of domain-specific security policies |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/582,633 Active US9231983B2 (en) | 2011-10-17 | 2014-12-24 | Methods and systems for providing trusted signaling of domain-specific security policies |
Country Status (1)
Country | Link |
---|---|
US (2) | US20130097656A1 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170063557A1 (en) * | 2015-08-28 | 2017-03-02 | Fortinet, Inc. | Detection of fraudulent certificate authority certificates |
US20170163429A1 (en) * | 2014-06-23 | 2017-06-08 | Vmware, Inc. | Cryptographic Proxy Service |
WO2018026290A1 (en) * | 2016-08-05 | 2018-02-08 | Auckland Uniservices Limited | Certificate revocation system |
US10114939B1 (en) * | 2014-09-22 | 2018-10-30 | Symantec Corporation | Systems and methods for secure communications between devices |
US20190005211A1 (en) * | 2015-08-05 | 2019-01-03 | Sony Corporation | Control apparatus, authentication apparatus, control system, and control method |
US10389528B2 (en) * | 2017-03-02 | 2019-08-20 | Microsoft Technology Licensing, Llc. | On-demand generation and distribution of cryptographic certificates |
US11546358B1 (en) * | 2021-10-01 | 2023-01-03 | Netskope, Inc. | Authorization token confidence system |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9503527B1 (en) * | 2013-03-15 | 2016-11-22 | Cisco Technology, Inc. | Personalized phone registration based on virtual desktop infrastructure |
US10708256B1 (en) * | 2015-10-13 | 2020-07-07 | Amazon Technologies, Inc. | Identification of trusted certificates |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6671804B1 (en) * | 1999-12-01 | 2003-12-30 | Bbnt Solutions Llc | Method and apparatus for supporting authorities in a public key infrastructure |
US20050050362A1 (en) * | 2003-08-13 | 2005-03-03 | Amir Peles | Content inspection in secure networks |
US20070294623A1 (en) * | 2006-06-15 | 2007-12-20 | Saavedra Rafael H | Methods and Systems For Receiving Feedback From a Scalable Number of Participants of an On-Line Presentation |
US7475250B2 (en) * | 2001-12-19 | 2009-01-06 | Northrop Grumman Corporation | Assignment of user certificates/private keys in token enabled public key infrastructure system |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5553083B1 (en) | 1995-01-19 | 2000-05-16 | Starburst Comm Corp | Method for quickly and reliably transmitting frames of data over communications links |
US5845265A (en) | 1995-04-26 | 1998-12-01 | Mercexchange, L.L.C. | Consignment nodes |
US5826025A (en) | 1995-09-08 | 1998-10-20 | Sun Microsystems, Inc. | System for annotation overlay proxy configured to retrieve associated overlays associated with a document request from annotation directory created from list of overlay groups |
US6249291B1 (en) | 1995-09-22 | 2001-06-19 | Next Software, Inc. | Method and apparatus for managing internet transactions |
CA2239826A1 (en) | 1995-12-11 | 1997-06-19 | Hewlett-Packard Company | Method of providing telecommunication services |
WO1997022201A2 (en) | 1995-12-12 | 1997-06-19 | The Board Of Trustees Of The University Of Illinois | Method and system for transmitting real-time video |
US5956027A (en) | 1995-12-12 | 1999-09-21 | At&T Corp | Method and apparatus for sharing a web page |
US6081829A (en) | 1996-01-31 | 2000-06-27 | Silicon Graphics, Inc. | General purpose web annotations without modifying browser |
US7013327B1 (en) | 1996-02-16 | 2006-03-14 | G&H Nevada -Tek | Method and apparatus for computing within a wide area network |
US6167432A (en) | 1996-02-29 | 2000-12-26 | Webex Communications, Inc., | Method for creating peer-to-peer connections over an interconnected network to facilitate conferencing among users |
US5764235A (en) | 1996-03-25 | 1998-06-09 | Insight Development Corporation | Computer implemented method and system for transmitting graphical images from server to client at user selectable resolution |
US6343313B1 (en) | 1996-03-26 | 2002-01-29 | Pixion, Inc. | Computer conferencing system with real-time multipoint, multi-speed, multi-stream scalability |
AU6097000A (en) * | 1999-07-15 | 2001-02-05 | Frank W Sudia | Certificate revocation notification systems |
US6854056B1 (en) * | 2000-09-21 | 2005-02-08 | International Business Machines Corporation | Method and system for coupling an X.509 digital certificate with a host identity |
-
2011
- 2011-10-17 US US13/274,756 patent/US20130097656A1/en not_active Abandoned
-
2014
- 2014-12-24 US US14/582,633 patent/US9231983B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6671804B1 (en) * | 1999-12-01 | 2003-12-30 | Bbnt Solutions Llc | Method and apparatus for supporting authorities in a public key infrastructure |
US7475250B2 (en) * | 2001-12-19 | 2009-01-06 | Northrop Grumman Corporation | Assignment of user certificates/private keys in token enabled public key infrastructure system |
US20050050362A1 (en) * | 2003-08-13 | 2005-03-03 | Amir Peles | Content inspection in secure networks |
US20070294623A1 (en) * | 2006-06-15 | 2007-12-20 | Saavedra Rafael H | Methods and Systems For Receiving Feedback From a Scalable Number of Participants of an On-Line Presentation |
Non-Patent Citations (1)
Title |
---|
Rexha, B., "Increasing user privacy in online transactions with X.509 v3 certificate private extensions and smartcards," E-Commerce Technology, 2005. CEC 2005. Seventh IEEE International Conference on , vol., no., pp.293,300, 19-22 July 2005 * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170163429A1 (en) * | 2014-06-23 | 2017-06-08 | Vmware, Inc. | Cryptographic Proxy Service |
US10469465B2 (en) * | 2014-06-23 | 2019-11-05 | Vmware, Inc. | Cryptographic proxy service |
US11075893B2 (en) | 2014-06-23 | 2021-07-27 | Vmware, Inc. | Cryptographic proxy service |
US10114939B1 (en) * | 2014-09-22 | 2018-10-30 | Symantec Corporation | Systems and methods for secure communications between devices |
US20190005211A1 (en) * | 2015-08-05 | 2019-01-03 | Sony Corporation | Control apparatus, authentication apparatus, control system, and control method |
US10733272B2 (en) * | 2015-08-05 | 2020-08-04 | Sony Corporation | Control apparatus, authentication apparatus, control system, and control method |
US20170063557A1 (en) * | 2015-08-28 | 2017-03-02 | Fortinet, Inc. | Detection of fraudulent certificate authority certificates |
WO2018026290A1 (en) * | 2016-08-05 | 2018-02-08 | Auckland Uniservices Limited | Certificate revocation system |
US10389528B2 (en) * | 2017-03-02 | 2019-08-20 | Microsoft Technology Licensing, Llc. | On-demand generation and distribution of cryptographic certificates |
US11546358B1 (en) * | 2021-10-01 | 2023-01-03 | Netskope, Inc. | Authorization token confidence system |
US20230132478A1 (en) * | 2021-10-01 | 2023-05-04 | Netskope, Inc. | Policy-controlled token authorization |
US11870791B2 (en) * | 2021-10-01 | 2024-01-09 | Netskope, Inc. | Policy-controlled token authorization |
Also Published As
Publication number | Publication date |
---|---|
US20150180904A1 (en) | 2015-06-25 |
US9231983B2 (en) | 2016-01-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9231983B2 (en) | Methods and systems for providing trusted signaling of domain-specific security policies | |
JP5539335B2 (en) | Authentication for distributed secure content management systems | |
US11838299B2 (en) | Cloud-based web content processing system providing client threat isolation and data integrity | |
US11750709B2 (en) | Secure in-band service detection | |
US8312064B1 (en) | Method and apparatus for securing documents using a position dependent file system | |
EP2989769B1 (en) | Selectively performing man in the middle decryption | |
US9723007B2 (en) | Techniques for secure debugging and monitoring | |
EP2625643B1 (en) | Methods and systems for providing and controlling cryptographically secure communications across unsecured networks between a secure virtual terminal and a remote system | |
US10776489B2 (en) | Methods and systems for providing and controlling cryptographic secure communications terminal operable to provide a plurality of desktop environments | |
US11115211B2 (en) | Secure container platform for resource access and placement on unmanaged and unsecured devices | |
US10848489B2 (en) | Timestamp-based authentication with redirection | |
US8272043B2 (en) | Firewall control system | |
WO2020122977A1 (en) | Timestamp-based authentication with redirection | |
US10116634B2 (en) | Intercepting secure session upon receipt of untrusted certificate | |
US11611558B2 (en) | Integration of third-party encryption key managers with cloud services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CITRIX ONLINE LLC, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KENNEDY, JOHN;REEL/FRAME:027126/0723 Effective date: 20111018 |
|
AS | Assignment |
Owner name: CITRIX SYSTEMS, INC., FLORIDA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CITRIX ONLINE, LLC;REEL/FRAME:032339/0447 Effective date: 20140226 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: CITRIX ONLINE LLC, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KENNEDY, JOHN;REEL/FRAME:035455/0210 Effective date: 20111018 |