Title of invention: Secure access to applications behind firewall
Abstract: A user having a remote device wants to access an application executing on an application server computer that is behind a firewall. During set-up, another firewall and a gateway computer are configured in front of the original firewall. During registration, users' remote devices are configured with security data. The security data includes user authentication cryptographic credentials, for establishing secure channels, and may include user application cryptographic credentials as needed by individual applications executing on the application server. During operation, the user provides a password to an application program executing on his/her remote device to use the security data stored on the remote device to establish a secure channel to the application, and then conducts a data session with the application. If the application needs to verify the identity of the user, the user's remote device performs a cryptographic operation using the user application cryptographic credentials, and sends the result to the application.
Publication number: US9059962(B2) Publication date: 2015.06.16
Application number: US201313802573 Filing date: 2013.03.13
Applicant: Route1 Inc. Inventors: Iwanski Jerry S.; Quintero Cantero Yamian
Classification: H04L29/06 Main classification: H04L29/06
Agent: Pomerance Brenda
Main claim: 1. A method of enabling use of an application program, comprising: receiving, at a controller computer, a request from a user of a remote device for application entitlement; automatically sending, from the controller computer to the remote device, a list of application programs that the user of the remote device is entitled to use, and network addresses of gateway computers respectively associated with the application programs; sending, from the controller computer to the remote device, security data for one of: (i) establishing a secure communication channel with the controller computer, (ii) establishing a secure communication channel with one of the gateway computers, (iii) encrypting data stored at the remote device, and (iv) using with the application program; receiving, at one of the gateway computers, an application request from the user of the remote device for use of a selected application program, the application request being received after the security data has been sent; automatically creating, by the gateway computer, a request for verification that the user of the remote device is entitled to use the selected application program; automatically sending, from the gateway computer to the controller computer via a public communication network, the request for verification; receiving via the public communication network, at the gateway computer, a response from the controller computer indicating that the user of the remote device is entitled to use the selected application program; establishing, from the gateway computer to the selected application program executing on a computer other than the gateway computer or the controller computer, a secure channel; receiving, at the gateway computer, first data from the selected application program; automatically sending, from the gateway computer to the remote device, the first data from the selected application program; receiving, at the gateway computer, second data from the remote device; and automatically sending, from the gateway computer to the application program using the secure channel, the second data from the remote device, wherein the remote device always lacks a network address of the selected application program, and wherein the controller computer does not receive each of the application request, the first data and the second data.
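The following is an added illustration, not code from the patent or from Route1: an in-process model of the claimed controller / gateway / application split, written to make the two "wherein" constraints checkable (the remote device never receives the application's internal address, and the controller answers entitlement checks but never carries session data). All names, addresses and the "payroll" application are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Controller:
    """Entitlement authority: answers registration and verification requests,
    but never receives the application request or the relayed session data."""
    entitlements: dict          # user -> set of application names (constructed)
    gateway_of: dict            # application name -> public gateway address
    verifications: list = field(default_factory=list)

    def register(self, user):
        # Registration reply: entitled applications plus the gateway address for each.
        # Only gateway addresses are disclosed; application addresses stay inside.
        return [(app, self.gateway_of[app]) for app in sorted(self.entitlements.get(user, ()))]

    def verify(self, user, app):
        # Verification request sent by the gateway over the public network.
        self.verifications.append((user, app))
        return app in self.entitlements.get(user, ())

@dataclass
class Gateway:
    controller: Controller
    internal_address_of: dict   # application name -> address behind the inner firewall
    app_handlers: dict          # internal address -> callable standing in for the secure channel
    relayed: list = field(default_factory=list)

    def session(self, user, app, second_data):
        # The application request is only honoured after the controller confirms entitlement.
        if not self.controller.verify(user, app):
            return None
        target = self.internal_address_of[app]              # known only to the gateway
        first_data = self.app_handlers[target](second_data)  # relay over the secure channel
        self.relayed.append((user, app, second_data, first_data))
        return first_data

def run_scenario():
    """Constructed walk-through: alice is entitled to 'payroll', bob is not."""
    ctrl = Controller({"alice": {"payroll"}}, {"payroll": "gw.example.com:443"})
    gw = Gateway(ctrl, {"payroll": "10.0.5.7:8443"},
                 {"10.0.5.7:8443": lambda req: f"payroll-reply({req})"})
    alice_view = ctrl.register("alice")          # everything the remote device learns
    ok = gw.session("alice", "payroll", "GET /balance")
    denied = gw.session("bob", "payroll", "GET /balance")
    return {"alice_view": alice_view, "ok": ok, "denied": denied,
            "controller_checks": ctrl.verifications,
            "device_saw_internal_addr": any("10.0.5.7" in str(v) for v in alice_view)}
```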
Address: Toronto, Ontario CA