
A Method for Securing Host Access via Telnet Gateways using Protected, HTTPS-Delivered SSL Client Certificates with Imminent Expiration Dates

IP.com Disclosure Number: IPCOM000129036D
Original Publication Date: 2005-Sep-27
Included in the Prior Art Database: 2005-Sep-27
Document File: 3 page(s) / 123K

Publishing Venue

IBM

Abstract

This invention provides Telnet authentication and encryption using PKI capabilities in a novel, less burdensome way, leveraging existing Web authentication systems. The pattern created uses industry-standard SSL client certificates as "tokens" used for authenticating with a host Telnet gateway. These SSL client certificates are stored in a secured, user-accessible server, such as an HTTPS or SFTP server. At any one moment in time the user-accessible server contains only one SSL client certificate. However, this client certificate has an imminent expiration date, for example, within 24 hours.

This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 3


Host systems include mainframes, mid-range servers, UNIX-based systems and other servers which provide terminal-based (also known as "green screen") applications to large numbers of users. Frequently, these applications are critical to business and government functions and handle confidential information.

Many organizations with such applications wish to extend host access to clients via public networks such as the Internet yet still need security, including strong authentication and data encryption. Conventional Web technology delivered through HTTP and HTTPS protocols includes authentication systems. These organizations usually consider such systems well-managed and secure. Such systems typically require, at a minimum, each individual's sign-on with unique user IDs and passwords.

Recent products facilitating host access, such as network gateways and redirectors, use Telnet TCP/IP protocols (TN3270, TN3270E, TN5250, VT Telnet, etc.) and incorporate PKI (Public Key Infrastructure) technologies for security. While some organizations successfully implement PKI architectures to large user communities, there are drawbacks. Such architectures are costly, require issuing SSL client certificates to each user, must be carefully managed, require user retraining and otherwise impose significant burdens.

The proposed system provides Telnet authentication and encryption using PKI capabilities in a novel, less burdensome way, leveraging existing Web authentication systems. Industry-standard SSL client certificates are employed as tokens for authenticating with a host Telnet gateway. The SSL client certificates are stored in a secured, user-accessible server such as an HTTPS or SFTP server. At any particular time the user-accessible server contains only one SSL client certificate. However, this client certificate has an imminent expiration date.

System administrators substitute new client certificates with subsequent expiration dates into the user-accessible server as time advances. Typically, this certificate substitution or rotation will be automated using a scripted process to move an updated SSL client certificate into the user-accessible server from another secure location, i.e., a certificate repository. This process allows creation of a batch of SSL client certificates with staggered, e.g. daily, expiration dates that are then, one-by-one, moved from the repository into the user-accessible server as each certificate's expiration date approaches. For example:

SSL Certificate #1 Expiration September 1, 2002, 12:00 p.m. Moved into Vault: August 3...
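The rotation described above (a batch of staggered certificates moved one at a time from a repository into the user-accessible vault, with exactly one certificate present at any moment) can be modelled in a few dozen lines. The following Python is an added illustration, not part of the disclosure and not IBM's implementation: certificates are represented as plain records with a serial and an expiry rather than real X.509 files, and the serials, dates, one-day stagger and one-hour lead time are constructed sample values. It also adds a defender-side audit of the vault's invariants, which the disclosure implies but does not spell out.

```python
"""
Model of short-lived client-certificate rotation between a certificate
repository and a user-accessible vault (e.g. an HTTPS server), plus an
audit of the invariants the scheme relies on.  All serials and dates are
constructed sample values; this is illustrative code, not a real PKI.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ROTATION_STEP = timedelta(days=1)          # stagger between expiration dates
LEAD_TIME = timedelta(hours=1)             # swap in the next cert this early
MIN_REMAINING = timedelta(hours=2)         # never vault a cert with less life
MAX_VAULT_VALIDITY = ROTATION_STEP + LEAD_TIME   # longest a vault cert may live


@dataclass(frozen=True)
class ClientCert:
    serial: str           # hypothetical identifier (stands in for a real cert)
    not_after: datetime   # expiration date/time


@dataclass
class Vault:
    """The user-accessible server; holds at most one certificate at a time."""
    current: Optional[ClientCert] = None


def build_staggered_batch(first_expiry: datetime, count: int,
                          step: timedelta = ROTATION_STEP) -> List[ClientCert]:
    """Create a batch whose expirations are spaced `step` apart (constructed)."""
    return [ClientCert(f"cert-{i + 1:03d}", first_expiry + i * step)
            for i in range(count)]


def next_certificate(repository: List[ClientCert], now: datetime,
                     min_remaining: timedelta = MIN_REMAINING) -> Optional[ClientCert]:
    """Soonest-expiring repository cert that still has `min_remaining` left."""
    candidates = [c for c in repository if c.not_after - now >= min_remaining]
    return min(candidates, key=lambda c: c.not_after) if candidates else None


def rotate(vault: Vault, repository: List[ClientCert], now: datetime,
           lead_time: timedelta = LEAD_TIME) -> bool:
    """Replace the vault cert once it is within `lead_time` of expiring.
    Returns True when a rotation happened."""
    if vault.current is not None and vault.current.not_after - now > lead_time:
        return False                      # still comfortably valid, nothing to do
    replacement = next_certificate(repository, now)
    if replacement is None:
        return False                      # repository exhausted: operator alert
    repository.remove(replacement)        # leaves the repository ...
    vault.current = replacement           # ... and becomes the single vault cert
    return True


def audit_vault(vault: Vault, now: datetime,
                max_window: timedelta = MAX_VAULT_VALIDITY) -> List[str]:
    """Check the invariants the scheme depends on; empty list means healthy."""
    cert = vault.current
    if cert is None:
        return ["vault is empty: users cannot authenticate"]
    if cert.not_after <= now:
        return [f"{cert.serial} in vault has already expired"]
    if cert.not_after - now > max_window:
        # A long-lived cert left in the vault turns the short-lived token
        # back into a persistent credential; this is the failure to catch.
        return [f"{cert.serial} in vault is valid for longer than {max_window}"]
    return []


def simulate(days: int = 3) -> List[tuple]:
    """Run the rotation hourly over `days` days; return (time, serial) swaps."""
    start = datetime(2000, 1, 1, 12, 0)                      # constructed date
    repo = build_staggered_batch(start + ROTATION_STEP, days + 1)
    vault, log, now = Vault(), [], start
    while now <= start + timedelta(days=days):
        if rotate(vault, repo, now):
            log.append((now, vault.current.serial))
        assert audit_vault(vault, now) == [], "invariant broken during rotation"
        now += timedelta(hours=1)
    return log


def audit_examples() -> Dict[str, List[str]]:
    """Three vault states run through audit_vault: healthy, expired, over-long."""
    now = datetime(2000, 1, 1, 12, 0)
    states = {
        "healthy": Vault(ClientCert("cert-ok", now + timedelta(hours=20))),
        "expired": Vault(ClientCert("cert-old", now - timedelta(minutes=5))),
        "too_long": Vault(ClientCert("cert-long", now + timedelta(days=365))),
    }
    return {name: audit_vault(v, now) for name, v in states.items()}


if __name__ == "__main__":
    for when, serial in simulate():
        print(f"{when:%Y-%m-%d %H:%M}  vault now holds {serial}")
    for name, findings in audit_examples().items():
        print(f"{name}: {findings or 'ok'}")
```

Two design points are worth noting. The rotation removes the outgoing certificate from the repository rather than copying it, so the repository never holds a certificate that is also in the vault and the "one certificate at a time" property holds by construction. The audit is the check an operator would actually schedule: a vault that is empty (users locked out), that holds an expired certificate (the scripted rotation has stalled) or that holds a certificate valid far beyond the staggering window (someone placed a long-lived credential where only a short-lived token belongs) are the three conditions that defeat the scheme.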