Title of invention: Filtering communications
Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device can use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.
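Application publication number: US9053297(B1)
Application publication date: 2015.06.09
Application number: US201113312788
Filing date: 2011.12.06
Applicant: Amazon Technologies, Inc.
Inventors: Fitch Nathan R.; Roth Gregory B.; Baer Graeme D.
Classification numbers: G06F21/00; G06F21/10
Main classification number: G06F21/00
Agency: Hogan Lovells US LLP
Agent: Hogan Lovells US LLP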
Principal claim: 1. A computer-implemented method of cryptographic secret use, comprising: under control of one or more computer systems configured with executable instructions, receiving a set of security credentials to a client device, the set of security credentials including at least a key; causing at least the key to be stored in a security module associated with a browser on the client device, at least one processor on the client device executing instructions to provide the security module; enabling active content executing in the browser to generate a request to be delivered to a target destination, the request including an indication of the key to be used to sign the request, the active content not having access to the key; enabling the security module to intercept the request after the request is generated by the active content before the request is sent from the client device to the target destination; enabling the security module to extract the indication from the request and sign the request using the stored key; enabling the signed request to be sent to the target destination, the target destination able to receive the signed request for the active content without the active content executing in the browser on the client device having access to the signed request; receiving a response to the client device to be directed to the active content; enabling the security module to intercept the response before the response is received by the active content; and enabling the security module to remove one or more security credentials corresponding to the stored key from the response, wherein enabling the security module to remove one or more security credentials corresponding to the stored key from the response occurs before the response is received by the active content.
Address: Reno NV US