WO2013038418A1 - System and method to authorize the access of the service to an end user - Google Patents


Info

Publication number
WO2013038418A1
Authority
WO
WIPO (PCT)
Prior art keywords
enterprise application
user
service
access
server
Application number
PCT/IN2011/000633
Other languages
French (fr)
Inventor
Puneet Gupta
Venkat Kumar SIVARAMAMURTHY
Prashant Dhananka
Original Assignee
Infosys Limited
Application filed by Infosys Limited
Priority to PCT/IN2011/000633
Priority to AP2014007551A
Publication of WO2013038418A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • G06F 21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets

Definitions

  • the sequence of instructions as explained in the method steps may include program code adapted for receiving, by an enterprise application gateway server, an encrypted user request for access to the service through an encrypted communication channel.
  • the sequence of instructions may also include program code adapted for associating the encrypted user request with user identification credentials.
  • the sequence of instructions may also comprise program code adapted for determining the eligibility of the user to access the service, and program code adapted for authorizing the user to use the service based on the eligibility.
  • the sequence of instructions may also comprise program code adapted for enabling the user to register on an electronic device. Furthermore, the sequence of instructions may comprise program code adapted for gathering the user identification credentials, wherein the user identification credentials comprise a device identifier, device information and device configuration information.
  • the sequence of instructions may also include program code adapted for storing the user identification credentials on an enterprise application management server.
  • the sequence of instructions may also include program code adapted for decrypting the encrypted user request by the enterprise application gateway server using the symmetric decryption key.
  • the sequence of instructions may comprise program code adapted for enabling the user to navigate an enterprise application server, wherein the enterprise application server comprises the service.


Abstract

The present disclosure describes a method for authorizing access to a service for an end user, the method comprising receiving, by an enterprise application gateway server, an encrypted user request for access to the service through an encrypted communication channel. The method further comprises associating the encrypted user request with user identification credentials. Furthermore, the method also comprises determining the eligibility of the end user to access the service and authorizing the end user to use the service based on the eligibility.

Description

SYSTEM AND METHOD TO AUTHORIZE THE ACCESS OF THE SERVICE TO AN END USER
Technical Field
[0001] The present disclosure relates to application layer security mechanism, and particularly, to a system and a method for authorizing the access of service based on the end user and the environmental context where the service is accessed.
Background
[0002] Several device management techniques exist. In one technique, a complete solution is built into the software stack of the device's underlying operating system and the device is controlled through a central server. Such techniques have the limitation that they are platform or operating system specific. In another, individual applications acting as agents are built for each platform, and the agent receives instructions from a centralized server to control the device. This approach can handle multiple platforms. Both of the above approaches work fine as long as the enterprise owns the device and the employee uses the device only to access enterprise information. But the recent trend is that employees bring in their own devices and use them to access the information. In this situation employees do not want the enterprise controlling or monitoring the device. Hence neither of the models described above is suitable for addressing the employee's privacy concern.
[0003] Accordingly, there is a need for a technique that lets the enterprise focus on securing the application and providing access to the service requested by the employees.
Summary of the invention
[0004] Aspects of the disclosure relate to a method and system that authorize access to a service for an end user based on the environment of access.
[0005] According to one aspect of the present disclosure, a method for authorizing access to a service for an end user comprises receiving, by an enterprise application gateway server, an encrypted user request for access to the service through an encrypted communication channel. The encryption of the user request can be performed by invoking a one-time password generator using a personal identification number of the end user. The metadata is accessed by the one-time password generator and a value is retrieved from the metadata to generate a dynamic key. The generated dynamic key can be converted to a symmetric encryption key or a symmetric decryption key, which can be used to encrypt the user request. The user credentials are gathered by the enterprise application management server and can be exchanged between the enterprise application management server and the enterprise application gateway server. After receiving the encrypted user request, the enterprise application gateway server checks with the enterprise application management server whether the end user has the credentials to access the requested service. If the end user is authorized, the end user is enabled to navigate the enterprise application server, which comprises the requested service.
[0006] In an embodiment of the present disclosure, the end user can register from an electronic device.
Drawings
[0007] These and other features, aspects, and advantages of the present disclosure will be better understood when the following detailed description is read with reference to the accompanying drawings, in which like characters represent like parts throughout the drawings, wherein:
[0008] Fig. 1 is a flow chart illustrating a method 100 for authorizing access to a service for an end user, in accordance with an embodiment of the present disclosure;
[0009] Fig. 2 is a block diagram illustrating a system 200 for authorizing access to a service for an end user, in accordance with an embodiment of the present disclosure; and
[0010] Fig. 3 is a system illustrating a generalized computer network arrangement, in accordance with an embodiment of the present disclosure.
Detailed Description
[0011] Fig. 1 is a flow chart illustrating a method 100 for authorizing access to a service for an end user, in accordance with an embodiment of the present disclosure. Method 100 comprises a step 110 of receiving, by an enterprise application gateway server, an encrypted user request for access to the service through an encrypted communication channel. The end user may request the enterprise application gateway server to authorize access to a particular service. The end user request can be encrypted using the symmetric encryption key generated by the one-time password generator. The end user may provide a personal identification number (PIN) as an input while registering through an electronic device. The PIN may be an alphanumeric value, which may also include special characters. A one-time password generator is invoked using the PIN. It should be noted that only the correct PIN invokes the one-time password generator. The one-time password generator may be any one-time password generator known in the art. On entry of the correct PIN by the user, the metadata is accessed and the value present in the metadata is unlocked. The metadata may be a seed file that contains a value; a dynamic key is generated by referring to the value, or to the value along with the personal identification number stored in the metadata file. In accordance with an embodiment, a new dynamic key is generated for every session during a transaction. A new dynamic key can be generated for every request. Further, every dynamic key generated may be stored and referred to at a later point in time. The dynamic key is converted to a symmetric encryption key. Further, the symmetric encryption key may be of 32-bit, 64-bit, 128-bit, 256-bit or any other size. It should be noted that the symmetric encryption key by itself is not sent to the server; instead, the symmetric key is used to encrypt the user request, and the encrypted user request is sent to the enterprise application gateway server. Furthermore, the encrypted messaging channel can be, but is not restricted to, an https session.
[0012] Continuing with reference to Fig. 1, the method 100 also comprises a step 120, which includes associating the encrypted user request with a corresponding end user by the enterprise application gateway server. The encrypted user request may be associated with the client id, service id, message id and optional information, carried as part of the message header of the created message, which can be used to identify the key size and encryption algorithm used, or which part of the message is present if the message is truncated. Prior to associating the encrypted message with the user credentials, the user identification credentials and the details of the environment from which the service is being accessed are gathered by the enterprise application management gateway when the end user registers using the electronic device. The user identification credentials may comprise one or more of, but are not restricted to, user information, a device identifier, client identification, access details, application information, user service access details, device information and device configuration information. The device configuration information can be, but is not restricted to, device, user or application configuration. The configuration on the device can be, but is not restricted to, Bluetooth on/off, location on/off, Wi-Fi on/off, and application configuration such as periodic scheduling, notifications etc. Application information may comprise a client identification number which may be used to identify a client.
[0013] Furthermore, the access details may comprise one or more of, but are not restricted to, user service access details, which can be based on the role of the user and on what the enterprise decides the user can access. In another embodiment of the present disclosure, rules map whether a client is allowed access or not using the client identification. Also, rules map user access based on the current context: the type of device, device hardware or device software information. The access details can also be based on the channel used for access, such as GPRS or 3G data, the time, the location, peripheral devices connected to the device, or the network used in terms of 2G or 3G.
[0014] In another embodiment of the present disclosure, eligibility to grant access to the end user may be decided based on the environment and the user details. The final access level to the service can be null, partial or full.
[0015] The user information may comprise, but is not restricted to, a unique identity to identify the user within the enterprise. The device information may be, but is not restricted to, a device identification and a unique identity to identify a device. For example, the unique identity can be the IMEI number of the mobile phone. The device information can be, but is not restricted to, both hardware and software details, for example CPU, RAM, OS installed, OS version, applications installed and application versions. Furthermore, once the user identification credentials are received by the enterprise application management server, the user identification credentials may also be stored in the enterprise application management server.
[0016] Furthermore, the method 100 comprises a step 130 wherein the eligibility of the end user to access the requested service is determined. The enterprise application management server is enabled to communicate with the enterprise application gateway server. After receiving the encrypted user request message from the end user, the enterprise application gateway server communicates with the enterprise application management server to retrieve the user identification credentials, wherein the identification credentials can be, but are not restricted to, the key and the access permission. The access permission can be full, partial or none. The enterprise application gateway server provides the message header to the enterprise application management server. Based on the information available, the enterprise application management server specifies whether access to the service can be granted or not.
[0017] At step 140 of the method 100, access to the requested service is granted to the end user after the enterprise application management server authorizes the end user based on the user identification credentials. The enterprise application gateway server decrypts the message and forwards the request to the enterprise application server based on the service id for further processing. The enterprise application server processes the request and responds with the reply message to the enterprise application gateway server.
[0018] Fig. 2 is a block diagram illustrating a system 200 for authorizing access to service for an end user, in accordance with an embodiment of the present disclosure. The system comprises an end user 210, an enterprise application gateway server 220, an enterprise application management server 230, and an enterprise application server 240.
[0019] The end user 210 may register using an electronic device and send an encrypted user request to the enterprise application gateway server 220. The encrypted user request can be encrypted using the key generated by the one-time password generator based on the PIN entered. The encrypted user request from the end user 210 can be associated with the client id, service id, message id and optional information, carried as part of the message header, which can be used to identify the key size and encryption algorithm used. For example, the service id identifies which category the service falls under: a sales person can access sales-related information, a field agent can access problem-ticket-related information. In another embodiment of the present disclosure the service id can be at the request level, for example a request for video content.
[0020] The encrypted user request can be sent along with the header inside an https message to the enterprise application gateway server (EAGS) 220. The EAGS 220 retrieves the message along with the header from the https message. The EAGS 220 provides the message header to the enterprise application management server (EAMS) 230. Based on the information available, the EAMS 230 specifies whether access to the service can be granted or not. If access is granted, it provides the symmetric decryption key to decrypt the encrypted user request.
[0021] In another embodiment of the present disclosure, a check can be made on the environmental conditions under which the end user 210 has accessed the service. For example, antivirus software could have been removed, which makes the access more of a risk to the enterprise server. If the currently running processes indicate spyware etc., the access is vulnerable. Hence the access can be blocked in the above cases. Based on the environment, access can be null, partial or full. Another example of the embodiment would be that access is allowed to view the content but not to download the data. Based on the location information, access can be enabled or disabled.
[0022] The EAGS 220 decrypts the message and forwards the request to the enterprise application server (EAS) 240 based on the service id for further processing. EAS 240 processes the request and responds with the reply message to EAGS 220. The EAGS 220 encrypts the reply with the symmetric encryption key, appends the header with the header information received in the encrypted user request message, and forwards the reply to the end user 210.
[0023] In another embodiment of the present disclosure, the EAGS 220 can modify the header before appending, to reflect the change in parameters such as but not restricted to encryption algorithm or key size.
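The round trip of paragraphs [0019] to [0023], including the environment check of [0021], modelled end to end as an added example; this is not the patent's or Infosys' code. Everything concrete in it is an assumption: the PIN-to-key derivation standing in for the one-time password generator, the registration store and role-to-service mapping held by the EAMS, the environment flags the EAMS inspects, and the HMAC-based keystream cipher, which is a constructed stand-in for whatever symmetric algorithm the header names, chosen so the example runs with the Python standard library only.

```python
"""Added example, not the patent's own code: a stand-alone model of the
gateway flow in paragraphs [0019] to [0023]. Everything concrete here is an
assumption: the PIN-to-key derivation standing in for the one-time password
generator, the registration store, the role-to-service mapping, the
environment flags, and the HMAC-based keystream cipher used so the example
runs with the Python standard library only."""
import hashlib
import hmac
import json
import secrets

# Constructed registration data the EAMS holds after the user registered from
# the device (paragraph [0032]); the metadata value is a placeholder.
REGISTERED = {
    "client-7": {"pin": "4821", "metadata": b"device:IMEI-PLACEHOLDER|seed:42", "role": "sales"},
}
# Constructed entitlement by service Id, as in the sales / field agent example.
ROLE_SERVICES = {"sales": {"sales-info"}, "field": {"problem-tickets"}}

def derive_symmetric_key(pin: str, metadata: bytes, key_size: int) -> bytes:
    """Assumed OTP-generator behaviour: a dynamic key from the PIN and the
    metadata value, cut to the key size announced in the header (claim 2)."""
    pin_secret = hashlib.sha256(pin.encode()).digest()
    dynamic_key = hmac.new(pin_secret, metadata, hashlib.sha256).digest()
    return dynamic_key[: key_size // 8]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stream-cipher stand-in."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC, so a modified request fails before it is parsed."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt(key: bytes, msg: dict) -> bytes:
    nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(msg["tag"]), expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def eams_authorize(header: dict, environment: dict):
    """EAMS decision from the header and the environment of access
    (paragraphs [0020] and [0021]): returns (access_level, key) with the
    level 'full', 'partial' or 'null'; the key is only released when granted."""
    reg = REGISTERED.get(header["client_id"])
    if reg is None or header["service_id"] not in ROLE_SERVICES[reg["role"]]:
        return "null", None
    if environment["spyware_detected"] or not environment["location_allowed"]:
        return "null", None
    level = "full" if environment["antivirus_present"] else "partial"
    return level, derive_symmetric_key(reg["pin"], reg["metadata"], header["key_size"])

def eas_handle(service_id: str, request: dict, level: str) -> dict:
    """EAS: partial access may view content but not download it."""
    if request["action"] == "download" and level != "full":
        return {"status": "denied", "reason": "download requires full access"}
    return {"status": "ok", "service": service_id, "data": f"{request['action']}:{request['item']}"}

def eags_process(message: dict, environment: dict) -> dict:
    """EAGS: hand the header to the EAMS, decrypt only with a released key,
    forward to the EAS, encrypt the reply and re-append the request header."""
    header = message["header"]
    level, key = eams_authorize(header, environment)
    if key is None:
        return {"header": header, "error": "access denied"}
    request = json.loads(decrypt(key, message["body"]))
    reply = eas_handle(header["service_id"], request, level)
    return {"header": dict(header), "body": encrypt(key, json.dumps(reply).encode())}

def client_request(client_id: str, pin: str, metadata: bytes, service_id: str, request: dict):
    """End user side: build the header, derive the key from the PIN, encrypt."""
    header = {"client_id": client_id, "service_id": service_id,
              "message_id": secrets.token_hex(4), "key_size": 128, "algorithm": "hmac-ctr-demo"}
    key = derive_symmetric_key(pin, metadata, header["key_size"])
    return key, {"header": header, "body": encrypt(key, json.dumps(request).encode())}

def run(environment: dict, service_id: str = "sales-info", action: str = "view") -> dict:
    """One round trip for the registered client; returns the decrypted reply
    or the gateway's denial."""
    key, msg = client_request("client-7", "4821", REGISTERED["client-7"]["metadata"],
                              service_id, {"action": action, "item": "pipeline-report"})
    reply = eags_process(msg, environment)
    if "error" in reply:
        return reply
    return json.loads(decrypt(key, reply["body"]))
```

The point the model makes visible is the ordering: the gateway never holds a decryption key until the management server has judged the header and the environment, so a denied request is dropped while still ciphertext, and a request that was tampered with in transit fails its tag check before the gateway parses it. Calling `run(env, action="download")` with `antivirus_present` set to `False` exercises the partial-access case, where the service is reached but the download is refused.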
[0024] One or more of the above-described techniques may be implemented in or involve one or more computer systems. Fig. 3 illustrates a generalized example of a computing environment 300. The computing environment 300 is not intended to suggest any limitation as to scope of use or functionality of described embodiments.
[0025] With reference to Fig. 3, the computing environment 300 includes at least one processing unit 310 and memory 320. In Figure 3, this most basic configuration 330 is included within a dashed line. The processing unit 310 executes computer-executable instructions and may be a real or a virtual processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power. The memory 320 may be volatile memory (e.g., registers, cache, RAM), non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or some combination of the two. In some embodiments, the memory 320 stores software 380 implementing described techniques.
[0026] A computing environment may have additional features. For example, the computing environment 300 includes storage 340, one or more input devices 350, one or more output devices 360, and one or more communication connections 370. An interconnection mechanism (not shown) such as a bus, controller, or network interconnects the components of the computing environment 300. Typically, operating system software (not shown) provides an operating environment for other software executing in the computing environment 300, and coordinates activities of the components of the computing environment 300.
[0027] The storage 340 may be removable or non-removable, and includes magnetic disks, magnetic tapes or cassettes, CD-ROMs, CD-RWs, DVDs, or any other medium which may be used to store information and which may be accessed within the computing environment 300. In some embodiments, the storage 340 stores instructions for the software 380.
[0028] The input device(s) 350 may be a touch input device such as a keyboard, mouse, pen, trackball, touch screen, or game controller, a voice input device, a scanning device, a digital camera, or another device that provides input to the computing environment 300. The output device(s) 360 may be a display, a television, a handheld device, a head mounted display or a kiosk that provides output from the computing environment 300.
[0029] The communication connection(s) 370 enable communication over a communication medium to another computing entity. The communication medium conveys information such as computer-executable instructions, audio or video information, or other data in a modulated data signal. A modulated data signal is a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media include wired or wireless techniques implemented with an electrical, optical, RF, infrared, acoustic, or other carrier.
[0030] Implementations may be described in the general context of computer-readable media. Computer-readable media are any available media that may be accessed within a computing environment. By way of example, and not limitation, within the computing environment 300, computer-readable media include memory 320, storage 340, communication media, and combinations of any of the above.
[0031] The sequence of instructions as explained in the method steps may include program code adapted for receiving an encrypted user request for access of the service through an encrypted communication channel by an enterprise application gateway server. The sequence of instructions may also include program code adapted for associating the encrypted user request with user identification credentials. The sequence of instructions may also comprise program code adapted for determining eligibility of the user to access the service and program code adapted for authorizing the user to use the service based on the eligibility.
[0032] The sequence of instructions may also comprise program code adapted for enabling the user to register on an electronic device. Furthermore, the sequence of instructions may comprise program code adapted for gathering the user identification credentials, wherein the user identification credentials comprise a device identifier, device information and device configuration information.
[0033] The sequence of instructions may also include program code adapted for storing the user identification credentials on an enterprise application management server.
[0034] The sequence of instructions may also include program code adapted for decrypting the encrypted user request by the enterprise application gateway server using the symmetric decryption key.
[0035] The sequence of instructions may comprise program code adapted for enabling the user to navigate an enterprise application server, wherein the enterprise application service comprises the service.
[0036] Having described and illustrated the principles of our invention with reference to described embodiments, it will be recognized that the described embodiments may be modified in arrangement and detail without departing from such principles. It should be understood that the programs, processes, or methods described herein are not related or limited to any particular type of computing environment, unless indicated otherwise. Various types of general purpose or specialized computing environments may be used with or perform operations in accordance with the teachings described herein. Elements of the described embodiments shown in software may be implemented in hardware and vice versa.
[0037] In view of the many possible embodiments to which the principles of our invention may be applied, we claim as our invention all such embodiments as may come within the scope and spirit of the following claims and equivalents thereto.

Claims

What is claimed is:
1. A method for authorizing access to a service for an end user, the method comprising:
receiving an encrypted user request for access of the service through an encrypted communication channel by an enterprise application gateway server;
associating the encrypted user request with user identification credentials;
determining eligibility of the end user to access the service based on the end user and the environment of access; and
authorizing the end user to use the service based on the eligibility.
2. The method of claim 1, wherein encryption of the user request is performed by:
invoking a one-time password generator using a personal identification number of the end user;
accessing a metadata by the one-time password generator, wherein a value is retrieved from the metadata to generate a dynamic key; and
converting the dynamic key to a symmetric encryption key.
3. The method of claim 1, further comprising:
enabling the user to register from an electronic device.
4. The method of claim 3, further comprising:
gathering the user identification credentials and an environment of access, wherein the user identification credentials and the environment of access comprise:
a device identifier;
a user authentication;
a client identification;
a type of data channel;
a plurality of peripheral devices;
a device information; and
a device configuration information.
5. The method of claim 4, further comprising:
storing the user identification credentials on an enterprise application management server.
6. The method of claim 5, further comprising:
enabling the enterprise application management server to communicate with the enterprise application management gateway.
7. The method of claim 2, further comprising:
converting the dynamic key to a symmetric decryption key.
8. The method of claim 1, further comprising:
decrypting the encrypted user request by the enterprise application gateway server using the symmetric decryption key.
9. The method of claim 8, further comprising:
enabling the user to navigate an enterprise application server, wherein the enterprise application server comprises the service.
10. A system for authorizing access to a service for an end user, the system comprising:
an enterprise application gateway server configured to receive an encrypted user request for access of the service through an encrypted communication channel from the end user;
an enterprise application management server communicably coupled to the enterprise application gateway server, the enterprise application management server configured to authorize the end user to access the service; and
an enterprise application server communicably coupled with the enterprise application gateway server, wherein the enterprise application server comprises the services requested by the end user.
11. The system of claim 10, wherein the encrypted communication channel is an https session.
12. The system of claim 10, wherein the enterprise application gateway service is configured to receive the encrypted user request with a message header from the end user.
13. The system of claim 10, wherein the enterprise application management server is further configured to store and authenticate based on one or more of:
a device information;
a client identification;
a plurality of peripheral devices connected;
a type of data channel;
a user service access detail;
a device identifier; and
a device configuration information.
14. The system of claim 12, wherein the enterprise application gateway service is configured to send the message header to the enterprise application management server.
15. The system of claim 14, wherein the enterprise application management server is further configured to authorize permission to the end user based on the information present in the message header.
16. The system of claim 10, wherein the enterprise application gateway server further comprises a processor, wherein the processor is configured to perform the task of:
invoking a one-time password generator using a personal identification number of the end user;
accessing a metadata by the one-time password generator, wherein a value is retrieved from the metadata to generate a dynamic key; and
converting the dynamic key to a symmetric decryption key.
17. The system of claim 10, wherein the enterprise application gateway server is further configured to decrypt the encrypted user request and send the decrypted message to the enterprise application server.
18. The system of claim 10, wherein the enterprise application server is further configured to respond back with a service reply message to the enterprise application gateway server.
19. The system of claim 18, wherein the enterprise application gateway server is configured to receive the service reply message and append the message header to the service reply message.
20. The system of claim 19, wherein the enterprise application gateway server is further configured to send the service reply message with the message header to the end user.
21. The system of claim 20, wherein the enterprise application gateway server is further configured to encrypt the service reply message and send the encrypted service reply message to the end user.
22. A computer program product, comprising a machine-accessible medium having instructions encoded thereon for enabling a processor to perform the operations of:
program code adapted for receiving an encrypted user request for access of the service through an encrypted communication channel by an enterprise application gateway server;
program code adapted for associating the encrypted user request with user identification credentials;
program code adapted for determining eligibility of the user to access the service; and
program code adapted for authorizing the user to use the service based on the eligibility.
23. The computer program product of claim 22, further comprising:
program code adapted for enabling the user to register on an electronic device.
24. The computer program product of claim 22, further comprising:
program code adapted for gathering the user identification credentials and an environment of access, wherein the user identification credentials and the environment of access comprise:
a device identifier;
a user authentication;
a plurality of peripheral devices;
a client identification;
a type of data channel;
a device information; and
a device configuration information.
25. The computer program product of claim 24, further comprising:
program code adapted for storing the user identification credentials on an enterprise application management server.
26. The computer program product of claim 24, further comprising:
program code adapted for decrypting the encrypted user request by the enterprise application gateway server using the symmetric decryption key.
27. The computer program product of claim 24, further comprising:
program code adapted for enabling the user to navigate an enterprise application server, wherein the enterprise application service comprises the service.
28. The method of claim 1, further comprising:
encrypting a service reply message and sending the encrypted service reply message to the end user.
PCT/IN2011/000633 2011-09-14 2011-09-14 System and method to authorize the access of the service to an end user WO2013038418A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/IN2011/000633 WO2013038418A1 (en) 2011-09-14 2011-09-14 System and method to authorize the access of the service to an end user
AP2014007551A AP2014007551A0 (en) 2011-09-14 2011-09-14 System and method to authorize the access of the services to an end user

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IN2011/000633 WO2013038418A1 (en) 2011-09-14 2011-09-14 System and method to authorize the access of the service to an end user

Publications (1)

Publication Number Publication Date
WO2013038418A1 true WO2013038418A1 (en) 2013-03-21

Family

ID=47882709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2011/000633 WO2013038418A1 (en) 2011-09-14 2011-09-14 System and method to authorize the access of the service to an end user

Country Status (2)

Country Link
AP (1) AP2014007551A0 (en)
WO (1) WO2013038418A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6668322B1 (en) * 1999-08-05 2003-12-23 Sun Microsystems, Inc. Access management system and method employing secure credentials
US20080034216A1 (en) * 2006-08-03 2008-02-07 Eric Chun Wah Law Mutual authentication and secure channel establishment between two parties using consecutive one-time passwords
US7665127B1 (en) * 2004-06-30 2010-02-16 Jp Morgan Chase Bank System and method for providing access to protected services
US7882555B2 (en) * 2001-03-16 2011-02-01 Kavado, Inc. Application layer security method and system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111049787A (en) * 2018-10-15 2020-04-21 深圳市加推科技有限公司 Information association method, device, system and computer readable storage medium
CN110784317A (en) * 2019-10-30 2020-02-11 京东方科技集团股份有限公司 Data encryption interaction method, device and system
US11477018B2 (en) 2019-10-30 2022-10-18 Beijing Boe Technology Development Co., Ltd. Method, device and system for encrypting interactive data

Also Published As

Publication number Publication date
AP2014007551A0 (en) 2014-03-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11872285; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 12014500578; Country of ref document: PH)
WWE Wipo information: entry into national phase (Ref document number: P255/2014; Country of ref document: AE)
122 Ep: pct application non-entry in european phase (Ref document number: 11872285; Country of ref document: EP; Kind code of ref document: A1)