`a2) Patent Application Publication co) Pub. No.: US 2002/0112167 A1
`(43) Pub. Date: Aug.15, 2002
`
`Bonehetal.
`
`US 20020112167A1
`
`(54) METHOD AND APPARATUS FOR
`TRANSPARENT ENCRYPTION
`
`(76)
`
`Inventors: Dan Boneh, Palo Alto, CA (US);
`Rajeev Chawla, Union City, CA (US);
`Alan Frindell, Mountain View, CA
`(US); Eu-Jin Goh, San Carlos, CA
`(US); Nagendra Modadugu, Menlo
`Park, CA (US); Panagiotis Tsirigotis,
`Mountain View, CA (US)
`
`Correspondence Address:
`PERKINS COIE LLP
`P.O. BOX 2168
`MENLO PARK, CA 94026 (US)
`
`(21) Appl. No.:
`
`10/038,169
`
`(22)
`
`Filed:
`
`Jan. 2, 2002
`
`Related U.S. Application Data
`
`(60) Provisional application No. 60/259,754, filed on Jan.
`4, 2001. Provisional application No. 60/259,786, filed
`on Jan. 4, 2001.
`
`Publication Classification
`
`Tint. C07 aesseesesessseneeseccseceseneneneene H04K 1/00
`(SL)
`(52) US. Ch ceecesccssssssssssnesseeesstsensssstsnesennseeeennsee 713/182
`
`(57)
`
`ABSTRACT
`
`A method and apparatus are provided for protecting sensi-
`tive information within server or other computing environ-
`ments. Numerouselectronic requests addressed to a server
`system are received over network couplings and evaluated.
`The evaluation scans for sensitive information including
`credit card information and private user information. Upon
`detecting sensitive data, cryptographic operations
`are
`applied to the sensitive data. When the sensitive data is being
`transferred to the server system, the cryptographic opera-
`tions encrypt the sensitive data prior to transfer among
`components of the server system. Whensensitive data is
`being transferred from the server system, the cryptographic
`operations decrypt the sensitive data prior to transfer among
`the network couplings. ‘The cryptographic operations also
`include hash, and keyed hash operations.
`
`BACKEND
`SITE
`
`404
`
`NETWORK
`406
`
`404
`
`BACK-END
`SITE
`
`400
`
`106
`
`CLIENT
`
`BROWSER
`
`
`
`
`NETWORK
`108
`
`
`<——>| APPLIANCE
`|<——>
`
`
`KEYS 402
`
`SERVER
`APPLIANCE [<--> SYSTEM
`104
`
`
`
`
`
`
`KEYS 402
`
`CLIENT
`BROWSER
`
`106
`
`1
`
`GOOGLE 1014
`
`GOOGLE 1014
`
`1
`
`
`
`Patent Application Publication Aug. 15,2002 Sheet 1 of 6
`
`US 2002/0112167 A1
`
`901INIIT)
`
`aSMOdd
`
`LN3ITO
`
`dISMONA
`
`801
`
`701LN3110
`
`auasmowa
`
`ouiIOMLAN
`agAgas 001
`
`201
`
`INJaVdSNVaL
`
`NOLLdAYON
`
`JONVdd
`
`oll
`
`
`
`JOVIAFLNIA3SN
`
`vol
`
`WALSAS
`
`Il
`
`2
`
`
`
`
`
`Patent Application Publication Aug. 15,2002 Sheet 2 of 6
`
`US 2002/0112167 A1
`
`$4055300%d
`
`JONddJL
`
`AYOMLIN
`
`gor
`
`202
`
`b0z
`
`JONVITdd¥AL
`
`012
`
`SaSVaVLV
`
`vor
`
`
`
`WILSASB5ANIS
`
`002
`
`cOld
`
`3
`
`
`
`
`
`
`
`
`
`Patent Application Publication Aug. 15,2002 Sheet 3 of 6
`
`US 2002/0112167 Al
`
`RECEIVE REQUEST INCLUDING SENSITIVE DATA
`
`302
`
`EVALUATE REQUEST
`
`34
`
`ENCRYPT DETECTED SENSITIVE DATA
`
`306
`
`TRANSFER ENCRYPTED SENSITIVE DATA
`TO SERVER ENVIRONMENT
`
`RECEIVE REQUEST FOR SENSITIVE DATA
`
`308
`
`310
`
`DECRYPT SENSITIVE DATA
`
`312
`
`‘
`
`PROVIDE DECRYPTED SENSITIVE DATA
`TO REQUESTING THIRD-PARTY
`
` 31
`
`FIG. 2
`
`4
`
`
`
`Patent Application Publication Aug. 15,2002 Sheet 4 of 6
`
`US 2002/0112167 A1
`
`901
`
`IN3IT9
`
`dzSMOag
`
`901
`
`LNAI)
`
`YaSMOad
`
`
`
`Z0bSAIX
`
`AAOMLIN
`
`gol
`
`
`
`JONVINddY |}<—_>
`
`bor
`
`agAaas
`
`W3LSAS
`
`Oe
`
`IL
`
`JONVITdd¥
`
`AAOMLIN
`
`90b
`
`00+
`
`GNFAOVE
`
`Vol
`
`aNFHOVS
`
`5
`
`
`
`
`
`
`
`
`
`
`Patent Application Publication Aug. 15,2002 Sheet 5 of 6
`
`US 2002/0112167 Al
`
`Cstarr
`
`502
`
`
`
`
`
`
`
`
`
`508
`
`506
`
`510
`
`
`
`
`
`
`
`FIG. 5
`
`6
`
`
`
`Patent Application Publication Aug. 15,2002 Sheet 6 of 6
`
`US 2002/0112167 Al
`
`RECEIVE REQUEST INCLUDING PASSWORD
`
`DETECT USER PASSWORDFIELD
`
`
`REPLACE PASSWORD WITH KEYED HASH FUNCTION
`
`
`
`
`
`
`
`602
`
`
`
`604
`
`606
`
`
`
`
`
`STORE KEYED HASH FUNCTION
`
`608
`
`
`
`FIG.6
`
`7
`
`
`
`US 2002/0112167 Al
`
`Aug. 15, 2002
`
`METHOD AND APPARATUS FOR TRANSPARENT
`ENCRYPTION
`
`FIG.3 is a flow diagram oftransparent encryption
`[0010]
`used in the embodiments.
`
`RELATED APPLICATIONS
`FIG.4 is a block diagram of a system architecture
`[0011]
`400 including one TE Appliance 102 onasite front-end, and
`one TE Appliance on the site back-end, under an alternate
`[0001] This application claims the benefit of U.S. Patent
`embodiment.
`Application Nos. 60/259,754 and 60/259,786 filed Jan. 4,
`2001, Ser. Nos. 09/877,302 and 09/877,655 filed Jun. 8,
`[0012] FIG.5is a flow diagram oftransparent encryption
`2001, and Ser. No. 09/901.350 filed Jul. 9, 2001, all of which
`under an alternative embodiment using a public key.
`are currently pending.
`
`TECHNICAL FIELD
`
`[0002] The claimed invention relates to the field of data
`security. In particular, the claimed inventionrelates to secur-
`ing sensitive user data in a server system.
`
`BACKGROUND
`
`[0003] World Wide Websites, or web sites, dealing with
`secure content use various mechanismsto protect this con-
`tent. For example, electronic commerce, or e-commerce,
`web sites use a variety of mechanismsto protect user credit
`card numbers and user passwords. Most often, these sites
`usc the Secure Socket Layer (SSL) protocol to protect all
`sensitive data while it is in transit on the Internet among
`customer computers and browsers and the website.
`
`[0004] The SSLis a typical security protocol used on the
`web. The SSL protects data while it is in the network by
`encrypting it using a session-key known only to the web
`server and the client computer. The data is decrypted as soon
`as it reaches the web server. The web server processes the
`data (e.g., validating the credit card number) and then often
`stores it in a server database.
`
`[0005] Unfortunately, however, many web servers store
`sensitive data in the clear, or in an unencrypted state, in an
`associated server database. As a result, this database is a
`prime target for hackers. Hackers have broken into web
`server databases, thereby compromising many credit card
`numbers andprivate uscr/customer information. These com-
`promises are expensive for both electronic retailers and their
`customers.
`
`[0006] While SSL protects transitory data in the network,
`it does not protect data once it reaches a web site and while
`it resides on the associated web servers. A different archi-
`
`tecture is needed to protect data at the server site. Indeed,
`web sites should ensure that sensitive data stored in their
`
`database is always encrypted. However, any such system
`must permit efficient communication and not create bottle-
`necks that will annoy or discourage users of the network.If
`a security system does create bottlenecks, it could discour-
`age or divert customers from the website.
`
`BRIEF DESCRIPTION OF THE FIGURES
`
`FIG.6 is a flow diagram oftransparent encryption
`[0013]
`under an alternative embodiment that protects user pass-
`words against dictionary attacks.
`
`Inthe drawings, the same reference numbersiden-
`[0014]
`tify identical or substantially similar elements or acts. To
`casily identify the discussion of any particular clement or
`act, the most significant digit or digits in a reference number
`refer to the Figure number in which that element is first
`introduced (e.g., element 108 is first introduced and dis-
`cussed with respect to FIG. 1).
`
`[0015] Any headings used herein are for convenience only
`and do not affect
`the scope or meaning of the claimed
`invention.
`
`DETAILED DESCRIPTION OF THE
`ILLUSTRATED EMBODIMENTS
`
`[0016] A method and apparatus are provided for transpar-
`ently protecting sensitive data within a server system or
`environment. Data entering and leaving a server site are
`evaluated for sensitive data. The sensitive data includes,e.g.,
`credit card numbers and information, account numbers and
`information, and any other personal information of a cus-
`tomer or user that is of a sensitive nature, including birth
`date, social security number, and information related to user
`passwords. Upon detection of sensitive data, cryptographic
`operations are applied to the data. Cryptographic operations
`include encrypting sensitive data transferred to the server
`system. Cryptographic operations also include decrypting
`encrypted sensitive data transferred from the server system
`en-route to a third party system. Further, cryptographic
`operations include hashing and keyed hashing of password
`data received at the server system. Moreover, cryptographic
`operations provide integrity for cookies.
`
`[0017] The transparent protection is provided in an appli-
`ance of an embodiment that is scparate from the server
`equipment. This appliance is coupled to the server systems
`and the data networks so that the server systems require no
`modification. In this manner, web site operators can install
`the appliances between their servers and the associated
`network connections without installing new hardware or
`software or modifying existing hardware or software on
`their servers.
`
`[0007] The accompanying figures illustrate embodiments
`of the claimed invention. In the figures:
`
`[0008] FIG. 1 is a block diagram of a system architecture
`including a Transparent Encryption Appliance, under one
`embodiment.
`
`FIG.2 is a block diagram of a system architecture
`[0009]
`including Transparent Encryption Appliances, under an
`alternate embodiment.
`
`In the description herein, numerousspecific details
`[0018]
`are included to provide a thorough understanding of, and
`enabling description for, embodiments of the invention. One
`skilled in the relevant art, however, will recognize that the
`invention can be practiced without one or more of the
`specific details, or with other ficlds, expressions, methods,
`etc. In other instances, well-knownstructures or operations
`are not shown, or are not described in detail,
`to avoid
`obscuring aspects of the invention.
`
`8
`
`
`
`US 2002/0112167 Al
`
`Aug. 15, 2002
`
`[0019] Unless described otherwise below, the construction
`and operation of the various blocks shown in FIGS. 1 and
`2 are of conventional design. As a result, such blocks need
`not be described in further detail herein, because they will be
`understood by those skilled in the relevant art. Such further
`detail is omitted for brevity and so as not to obscure the
`detailed description of the invention. Any modifications
`necessary to these blocks, or other embodiments, can be
`readily made by one skilled in the relevant art based on the
`detailed description provided herein.
`
`[0020] Each of the blocks depicted in the flowchart herein
`is of a type well known in the art, and can itself include a
`sequence of operations that need not be described herein.
`Indeed, unless described otherwise herein,
`the blocks
`depicted in the Figures are well knownordescribedin detail
`in the above-noted and cross-referenced patent applications.
`Indeed, much of the detailed description provided herein is
`explicitly disclosed in the provisional patent applications;
`most or all of the additional material of aspects of the
`invention will be recognized by those skilled in the relevant
`art as being inherent in the detailed description provided in
`such provisional patent applications, or well knownto those
`skilled in the relevant art. Those skilled in the relevant art
`
`can implement aspects of the invention based on the flow-
`chart of FIG. 3 and the detailed description provided in the
`patent applications. For example, those skilled in the rel-
`evant art can create source code, microcode, program logic
`arrays or otherwise implement aspects of the invention
`based on these flowchart and the detailed description pro-
`vided herein. Any routines may be stored in non-volatile
`memory (not shown) that forms part of an associated pro-
`cessor, or can be stored in removable media, such as disks,
`or hardwired or preprogrammed in chips, such as EEPROM
`or flash semiconductor memory chips.
`
`[0021] Those skilled in the relevant art will appreciate that
`the routines and other functions and methods described
`
`herein can be performed by or distributed among anyofthe
`components described herein. While many of the embodi-
`ments are shown and described as being implemented in
`hardware (e.g., one or more integrated circuits designed
`specifically for a task), such embodiments could equally be
`implemented in software and be performed by one or more
`processors. Such software can be stored on any suitable
`computer-readable medium, such as microcode stored in a
`semiconductor chip, on a computer-readable disk, or down-
`loaded from a server and stored locally at a client.
`
`[0022] The Secure Socket Layer (“SSL”)is a protocol that
`uses a significant amount of host server computing power.
`Many web sites use a security appliance or specially
`designed hardware device to manage the SSLtraffic in order
`to offload some SSL work from the web servers. The
`
`security appliance is used coupled between the web server
`and the network connections, and handles the computations
`that support SSL connections.
`
`[0023] A Transparent Encryption Appliance (“TE Appli-
`ance”) is provided that provides backend database security
`at a web site, thereby protecting sensitive customer data
`stored and managed by the host web site systems and
`servers. The TE Appliance provides enhanced functionality
`in the form of transparent encryption to a security appliance.
`
`[0024] FIG. 1 is a block diagram of a system architecture
`100 including a TE Appliance 102, under one embodiment.
`
`‘The ‘TE Appliance 102 is coupled to a host web site or server
`system 104, and to numerous client computers and browsers
`106 via at least one network 108. The network 108 includes
`
`the Internet as well as other wired, wireless, and hybrid
`network types, and may include independent networks,
`proprietary networks, or back plane networks, but is not so
`limited. Data transferred between the client computers 106
`and the server system 104 passes through the TE Appliance
`102. This includes both cleartext transactions, or Hypertext
`Transfer Protocol (“HTTP”) transactions, and encrypted
`(SSL)transactions, as explained below. The TE Appliance
`may include a user interface 110. Also, the TE Appliance
`may include keys 120 of differing types.
`[0025] FIG. 2 is a block diagram of a system architecture
`200 including Transparent Encryption Appliances 202 and
`204, under an alternate embodiment. A first TE Appliance
`202 is coupled to receive data transferred from numerous
`client computers and browsers (not shown) via the network
`108. The received data is encrypted or hashed bythe first TE
`Appliance 202, as appropriate to the type of data received,
`and the encrypted or hashed data is provided to the server
`system 104. As such, only encrypted or hashed data is
`available within the server system, in particular, in server
`system databases 210.
`[0026] Asecond TE Appliance 204 is coupled to receive
`data transferred from the server system 104 to third party or
`other electronic systems (not shown) via the network 108.
`The data requested by the third party system is decrypted by
`the second TE Appliance 204,
`[0027] The functionality provided by the TE Appliances of
`both embodiments can be hosted on dedicated network
`appliances as shown in FIGS. 1 and 2, butis not so limited.
`The transparent encryption functions can also be performed
`by, or distributed among any combination of, the host web
`site server systems 104 and 208, numerousclient processing
`devices and browsers 106 coupled to the network, and any
`of the associated network componcnts.
`[0028] The TE Appliance of an embodimentcan reside at
`the same physical location as the server systems that it
`supports or at different physical locations. Further, a TE
`Appliance may be configured to provide support to multiple
`server systems.It is also possible that the functions provided
`by the TE Appliance of an embodiment are distributed
`among numerousprocessing devices at numerous physical
`locations.
`
`FIG.3 is a flow diagram of transparent encryption
`[0029]
`of both embodiments.
`In operation,
`the TE Appliance
`receives electronic transaction queries from client browsers
`and other electronic systems in block 302. The TE Appli-
`ance, in block 304, evaluates the requests entering thesite.
`The evaluating or scanning functionality works with typical
`web encodings
`including Uniform Resource Identifier
`(‘URI’)
`encoding and Extensible Markup Language
`(“XML”) encoding, but is not so limited. When the TE
`Appliance identifies tags indicating that the associated data
`is sensitive, it applies an appropriate cryptographic opera-
`tion to the data within these tags, in block 306. For example,
`incoming sensitive data is encrypted using known encryp-
`tion algorithms such as know public key infrastructure
`(“PKI”) encryption algorithms or thc Data Encryption Stan-
`dard (“DES”). The resulting data is then, in block 308,
`routed to the appropriate component of the backend system
`or network.
`
`9
`
`
`
`US 2002/0112167 Al
`
`Aug. 15, 2002
`
`‘The server environment, and the corresponding ‘TE
`[0030]
`Appliances, also receive electronic information requests for
`sensitive data from third-party systems, in block 310, via
`network couplings with the
`third-party systems. For
`example,
`in the case of a purchase transaction, sensitive
`information including credit card information would have to
`be cleared with a financial institution before approving the
`purchase transaction. Uponreceiving the request, encrypted
`sensitive data is retrieved and decrypted, in block 312. Once
`decrypted,
`the sensitive information is provided to the
`requesting third party in block 314, generally over a secure
`connection.
`
`In an embodiment of the transparent encryption
`[0031]
`architecture, regular expressions are used to identify fields
`containing sensitive user information. For example,
`the
`regular expression “*___.*”is used to match anystring that
`begins with “___”, such as___password. Other forms of
`identifying sensitive fields, however, are also possible.
`
`[0032] Transparent encryption can be applied to various
`messages in the HTTP protocol including,but not limited to,
`POST messages, GET messages, and HTMLresponses. The
`examples described herein illustrate the application of trans-
`parent encryption to HTML-encoded data. The same mecha-
`nism can be applied to other encodings, such as XML-
`encoded data, or data encoded in other formats, such as in
`other mark-up language formats.
`
`[0033] An example application of transparent encryption
`includes POST ENCRYPT operations, wherein a POST
`body is received from a client of the form
`
`“&password=mysecretpassword&___
`[0034]
`password_op=ENCRYPT&___password_key=
`bank_key&___password_rewrite=pwd”,
`
`but is not so limited. The “password” field
`[0035]
`portion supplies the user password.
`‘The “_” portion
`indicates that
`this field is to be processed by the TE
`Appliance. The field portion including “___password_op=
`ENCRYPT”indicates that the data in the “__password”
`fields is to be encrypted. The field portion including
`“_password_key=bank_kcy” provides the key name for
`use in encrypting the password. The field portion including
`“_password_rewrite=pwd”indicates that after transparent
`encryption processing,
`the
`field name changes
`from
`“password”to “pwd”. Following transparent encryption
`processing the POST request body of an embodimenthas the
`form “pwd=AI24FFC9B306BI234AE”.
`
`[0036] An example application of transparent encryption
`further includes POST DECRYPT operations, wherein a
`POST bodyis received from a client of the form
`
`“& password=
`[0037]
`A124FFC9B306B1234AE&___password_op=DE-
`CRYPT&___password_rewrite=pwd”,
`
`but is not so limited. The “password” field
`[0038]
`portion supplies the user password. The “_” portion
`indicates that
`this field is to be processed by the TE
`Appliance. The field portion including “___password_op=
`DECRYPT”indicates that the data in the“password”
`ficlds is to be decrypted. The ficld portion including
`“_password_rewrite=pwd”indicates that after transparent
`encryption processing,
`the
`field name changes
`from
`“password”to “pwd”. Following transparent encryption
`
`processing the POSTbody of an embodimentis of the form
`“owd=mysecretpassword”. It is noted that there is no need
`for a “___password_key”field since the cyphertext gener-
`ated during the POST ENCRYPT operation identifies the
`key used to create the cyphertext.
`
`[0039] An example application of transparent encryption
`also includes GET operations, wherein an original requestis
`of the form
`
`“GET/foo.html?__password=mysecretpass-
`[0040]
`word&___password_op=ENCRYPT&___pass-
`word_key=bankkey&____password_rewrite=pass-
`word”,
`‘The “password” field
`but is not so limited.
`[0041]
`portion supplies the user password. The “_” portion
`indicates that
`this field is to be processed by the TL
`Appliance. The field portion including “___password_op=
`ENCRYPT”indicates that the data in the “password”
`fields
`is to be encrypted. The field portion including
`“_password_key=bank_key” provides the key name for
`use in encrypting the password. The field portion including
`“_password_rewrite=pwd”indicates that after transparent
`encryption processing,
`the
`field name changes
`from
`“password”to “pwd”. Following transparent encryption
`processing the GET request body of an embodimenthasthe
`form
`“GET/foo.html?password=
`AI24FFC9B306B1234AE”.
`
`[0042] An example application of transparent encryption
`includes HTMLresponses, wherein a string similar to the
`POSTrequest body is inserted inside an IITML comment.
`The original response from a web serveris of the form “<b>
`credit
`card:
`</b>
`<!--&__creditcard=
`A1CDF986FBC15456&___creditcard_op=DE-
`CRYPT&__creditcard_key=bank_key-->”. It is noted that
`specification of an encryption key in this original response
`example is not required as the cyphertext of an embodiment
`may include encoded key identifiers. Following transparent
`encryption processing, the HTMLresponse is of the form
`“<b>credit card:</b> 1234 4567 1234 4567”, but is not so
`limited.
`
`[0043] The HTMLfilcs can be rather large files, so pro-
`cessing of these files may slow the TE Appliance. As such,
`the TE Appliance allows the administrator to restrict the
`URLsto which HTMLresponsefiltering is applied. There-
`fore, the administrator providesa list of regular expressions,
`and any URL matchingany of these regular expressionsthat
`will be processed by the TE Appliance, such as the “__”
`expressions noted above.
`[0044]
`[urthermore,
`the administrator can specify that
`transparent encryption processing should only be applied to
`a particular number, X, of bytes of the HTMTI. file. The
`number X is generally on the order of 128 bytes indicating
`that all fields to which TE processing should be applied
`reside in the first 128 bytes of the HTMLfile, but
`the
`embodimentis not so limited. This value can beset at a large
`number indicating the entire HTMLfile is to be searched.
`[0045] With reference to FIG. 1, the TE Appliance 102 of
`an embodimentincludes a user interface 110, but is not so
`limited. The user interface 110 enables the loading of
`symmetric cneryption/decryption keys 120 onto the TE
`Appliance 102. It also enables the loading of public keys 120
`onto the TE Appliance 102. Each key 120is identified by a
`key-name.
`
`10
`
`10
`
`
`
`US 2002/0112167 Al
`
`Aug. 15, 2002
`
`‘Ihe user interface also displays a fingerprint (hash)
`[0046]
`of all transparent encryption keys currently installed on the
`TE appliance. This enables a third party to apply the same
`hash function to the keys installed on the TE appliance,
`compare the hash result to previously computed and stored
`hash values for the stored key and verify that the correct
`keys are installed.
`the user interface enables a user or
`[0047] Moreover,
`administrator to specify the list of fields to be processed by
`the TE Appliance. This is a list of regular expressions that
`identify Transparent Encryption fields. For example, setting
`““_.*” as a delimiter implies that any field matching the
`regular expression
`““_*” is a Transparent Encryption
`
`password”and “____creditcard” will
`ficld. For example, “
`be processed.
`[0048] The user interface also allows an administrator to
`specify access controls to various keys installed on the
`module. For example, with reference to FIG. 2, the admin-
`istrator is able to specify that on TE Appliance 202 the key
`bank-key can only be used for encryption, while on ‘TE
`Appliance 204 the bank-key can only be used for decryption.
`Thus,sites using two TE Appliances can specify that one TL
`Appliance is used for encryption, while the other is used for
`decryption.
`
`[0049] Transparent encryption on a TE Appliance or web
`security appliance has many important applications. These
`applications include, but are not limited to, protecting credit
`card numbers/information, protecting sensitive user infor-
`mation, protecting passwords, providing integrity for cook-
`ies, and functioning as a key server.
`information, such as
`[0050] Protecting sensitive user
`credit card numbers/information and bank account numbers/
`information,
`is a most natural application for transparent
`encryption. FIG.4 is a block diagram of a system architec-
`ture 400 including one TE Appliance 102 on a site front-end,
`and one ‘TE Appliance on the site back-end, under an
`alternate embodiment.
`
`{0051] The front-end TE Appliance 102 of an embodiment
`is configured to inspect all requests entering the site via the
`network 108 and the client browsers 106. When a user
`request contains sensitive user data, the TE Appliance 102 is
`configured to encrypt the data using one of the installed keys
`402. The server system 104 receives only the encrypted data.
`This encrypted data is stored in at
`least one database
`associated with the host web site 104.
`
`[0052] The backend systems 404 connected to the server
`system 104 often need access to the sensitive user data. For
`example, with credit card numbers,the server system 104, or
`web site, often has to send the numbers to a financial
`clearing house 404 during the course of a transaction.
`Therefore, the server system 104 uses another TE Appliance
`204 at the back-end. The back-end TE Appliance 204 of an
`embodiment is configured to use the installed keys 402 to
`decrypt all scnsitive data passing through it cnroute to the
`network 406 and back-end systems 404. This way,the credit
`card numberis decrypted immediately before it is sent to the
`clearing house 404. Again, none of the host website internal
`systems 104 see the unencrypted credit card number. The
`network 406 can be a proprietary network, or can be the
`same type as network 108.
`[0053] FIG. 5 is a flow diagram of transparent encryption
`of an alternative embodiment using a public key. The TE
`
`Appliance of the alternative embodiment receives a request
`including a credit card number, at block 502. The TE
`Appliance identifies the sensitive information tags associ-
`ated with the credit card number, at block 504, and encrypts
`the credit card number using an issuer’s, or acquirer’s,
`public key, under block 506. The web site sends the
`encrypted credit card numberto the issuer, at block 508, and
`the issuer decrypts the number, at block 510. The issuer
`clears the transaction using the decrypted number. In this
`transaction, the web site never sees credit card numbers in
`the clear. This eliminates the risk of hackers breaking into
`the site and exposing customer credit card numbers.
`
`FIG.6 is a flow diagram oftransparent encryption
`[0054]
`of an alternative embodimentthat protects user passwords
`against dictionary attacks. This function is realized when a
`front-end TE Applianceis configured to receive, under block
`602, and inspect all user requests. When the TE Appliance
`detects a user password field, at block 604, it replaces the
`actual password “pwd” with a keyed hash function of the
`password H,(pwd), under block 606. Any of a number of
`standard keyed hash functions (also known as message
`authentication code (“MAC”) functions) can be used, for
`example HMAC-SHAL1. The keyed hash function is stored
`in the server system, under block 608.
`
`[0055] Referring to FIG. 1, the hashing key 120 is pre-
`installed on the TE Appliance 102, but is not so limited. The
`hashed passwordis stored in the host web site 104 database.
`Whena user logs in, the user provides the password as part
`of the user’s request. The TE Appliance 102 detects the
`password and again applies the keyed hash function to the
`received password. The web site 104 then compares the
`hashed password to the value stored in the database, and
`authorizes the login if the two hashes match.
`
`[0056] As a result of using this scheme, hackers that
`successtully break into the database only recover hashed
`passwords. Hashed passwords do not assist the hacker in
`logging into the site. I'urthermore, the hacker is not able to
`mount an offline dictionary attack on the hashed passwords
`because the hacker does not have the key or keys used bythe
`TE Appliance to hash the passwords. Hence, the TE Appli-
`ance prevents dictionary attacks on user passwords.
`
`‘The ‘TE Appliance of an embodimentalso provides
`[0057]
`integrity for HTTP cookies. Typically, the HTTP cookies are
`usedto store state on a user’s web browser. The website can
`send a cookie to the user and then retrieve the cookie from
`the user at a later time. Unfortunately, there is no mechanism
`for ensuring that users do not maliciously modify cookies
`while they reside on the user’s machine. The TE Appliance
`can be used to overcome this problem.
`
`[0058] When a website sends a cookie to the user the TE
`Appliance appends a checksum or MACto the cookie.
`When the user sends the cookie back to the site the TE
`Appliance can verify the checksum/MAC. If the checksum/
`MACis not verified, the TE Appliance rejects the user’s
`request. Otherwise, it forwards the user’s request into the
`website.
`
`[0059] Web site administrators frequently place all secret
`keys on a single server called a key server. When a pro-
`cessing componentofthe site needs to apply cryptographic
`operations to data (e.g., encrypt, decrypt, or MAC),
`the
`processing component contacts the key server and requests
`
`11
`
`11
`
`
`
`US 2002/0112167 Al
`
`Aug. 15, 2002
`
`that the key server perform this task. Currently there are no
`standard protocols for communicating with a key server.
`Lach site implements a site-specific mechanism.
`[0060] The TE Appliance of an embodiment functions as
`a key server. This is accomplished byinstalling the site’s
`secret keys on the TE Appliance. The site’s processing
`components or processors
`then issue standard HTTP
`requests to the TE Appliance in order to encrypt, decrypt, or
`MACspecified data. The response from the TE Appliance
`also uses the standard HTTP protocol. Hence,
`the TE
`Appliance is a convenient way for implementing a key
`server using standard web protocols.
`[0061] FIGS. 1 and 2 and the discussion herein provide a
`brief, general description of a suitable computing environ-
`ment in which aspects of the invention can be implemented.
`Although oot required, embodiments of the invention are
`described in the general context of computer-executable
`instructions, such as routines executed by a general purpose
`computer (¢.g., a server or personal computer). Those skilled
`in the relevant art will appreciate that aspects of the inven-
`tion can be practiced with other computer system configu-
`rations, including Internet appliances, hand-held devices,
`wearable computers, cellular or mobile phones, multi-pro-
`cessor systems, microprocessor-based or programmable
`consumer electronics, set-top boxes, network PCs, mini-
`computers, mainframe computers and the like. Aspects of
`the invention can be embodied in a special purpose com-
`puter or data processor that
`is specifically programmed,
`configured or constructed to perform one or more of the
`computer-executable instructions explained in detail below.
`Indeed, the term “computer,” as used generally herein,refers
`to any of the above devices, as well as any data processor.
`Further, the term “processor” as generally used herein refers
`to any logic processing unit, such as one or more central
`processing units (CPUs), digital signal processors (DSPs),
`application-specific integrated circuits (ASIC), etc.
`[0062] Aspects of the invention can also be practiced in
`distributed computing environments where certain tasks or
`modules are performed by remote processing devices and
`which are linked through a communications network, such
`as a Local Area Network (“LAN”), Metropolitan Area
`Network (“MAN”), Wide Area Network (“WAN”), or the
`Internet. In a distributed computing environment, program
`modules or sub-routines may be located in both local and
`remote memory storage devices. Aspects of the invention
`described herein may be stored or distributed on computer-
`readable media, including magnetic and optically readable
`and removable computer disks, hard-wired or prepro-
`grammedin chips (e.g., EEPROM semiconductorchips), as
`well as distributed electronically over the Internet or over
`other networks (including wireless networks). Those skilled
`in the relevant art will recognize that portions of the inven-
`tion reside on a server computer, while corresponding por-
`tions reside on a client computer. Data structures and trans-
`mission of data particular to aspects of the invention are also
`encompassed wi