-
Publication (Announcement) No.: AT367025T
Publication (Announcement) Date: 2007-08-15
Application No.: AT05701444
Filing Date: 2005-01-05
Applicant: IBM
Inventor: ASHLEY PAUL, FYFE ROBERT, THOMAS MICHAEL
Abstract: A method for establishing a secure context for communicating messages between a client and a server is presented that is compliant with the Generic Security Service application programming interface (GSS-API). The client sends to the server a first message containing a first symmetric secret key generated by the client and an authentication token; the first message is secured with the public key from the server's public key certificate. After the server authenticates the client based on the authentication token, the client then receives from the server a second message that has been secured with the first symmetric secret key and that contains a second symmetric secret key. The client and the server employ the second symmetric secret key to secure subsequent messages sent between the client and the server. The authentication token may be a public key certificate associated with the client, a username-password pair, or a secure ticket.
-
Publication (Announcement) No.: AT446638T
Publication (Announcement) Date: 2009-11-15
Application No.: AT04766174
Filing Date: 2004-07-09
Applicant: IBM
Inventor: ASHLEY PAUL, MUPPIDI SRIDHAR, VANDENWAUVER MARK
Abstract: A method is presented for performing authentication operations. When a client requests a resource from a server, a non-certificate-based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client. When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SSL session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate-based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.
-