Patent 2950955 Summary

(12) Patent: (11) CA 2950955
(54) English Title: SYSTEM AND METHOD FOR SECURE REMOTE ACCESS
(54) French Title: SYSTEME ET PROCEDE POUR ACCES A DISTANCE SECURISE
Status: Granted and Issued
Bibliographic Data
(51) International Patent Classification (IPC):
  • H04L 12/12 (2006.01)
  • H04L 09/14 (2006.01)
  • H04L 09/32 (2006.01)
(72) Inventors :
  • KUANG, RANDY (Canada)
  • ZHU, HE (Canada)
  • STEKLASA, ROBERT FRANK (Canada)
  • WILSON, STEPHEN GEORGE (Canada)
  • XAVIER, STANISLUS KISITO (Canada)
(73) Owners :
  • INBAY TECHNOLOGIES INC.
(71) Applicants :
  • INBAY TECHNOLOGIES INC. (Canada)
(74) Agent: DONNELLY, VICTORIA
(74) Associate agent:
(45) Issued: 2018-07-10
(22) Filed Date: 2013-02-12
(41) Open to Public Inspection: 2013-08-16
Examination requested: 2016-12-08
Availability of licence: N/A
Dedicated to the Public: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): No

(30) Application Priority Data:
Application No. Country/Territory Date
61/599,556 (United States of America) 2012-02-16

Abstracts

English Abstract

System, method, and apparatus for providing access to remote computing services are described. The method includes authenticating a user and a client device; establishing a connection to a server computer including: a server program executing on the server computer detecting the connection; the server program creating a blocking process on the server computer to block access of the user to a service on the connection, authorizing, using a client program executing on the client device and the server program, the user to use the service on the server computer including: terminating the blocking process, the user using the service; and the user closing the connection to the server computer. Embodiments of the present invention provide secure remote access to computing services.


French Abstract

A system, a method and an apparatus for providing access to remote computing services are described. The method comprises authenticating a user and a client device; establishing a connection to a server computer comprising a server program executing on the server computer detecting the connection; the server program creating a blocking process on the server computer to block access of the user to a service on the connection; authorizing, by means of a client program executing on the client device and the server program, the user to use the server computer, comprising terminating the blocking process, the user using the service and the user closing the connection to the server computer. Embodiments of the present invention provide secure remote access to computing services.

Claims

Note: Claims are shown in the official language in which they were submitted.


What is claimed is:
1. A method for remote secure connection to a service on a server computer,
the method comprising:
authenticating a user and a client device, comprising:
establishing a secure connection from the client device to the server
computer;
sending an invitation over the secure connection including a URL (Uniform
Resource Locator)
from a server program to the client device;
downloading a client program to the client device from a location provided by
the URL;
initiating execution of the client program on the client device;
entering a predetermined user PIN (personal identification number) to the
client program;
sending a client device ID (identification number) and the predetermined user
PIN from the
client program to the server program over the secure connection;
the server program generating a secret key and encrypting the secret key using
the user PIN
and the client device ID;
the server program sending the encrypted secret key to the client program over
the secure
connection;
the client program decrypting the encrypted secret key using the user PIN and
the client device
ID, and retrieving user account credentials; and the client program closing
the secure
connection;
establishing a connection to the server computer comprising:
a server program, comprising computer readable instructions, executing on the
server computer
detecting the connection;
the server program creating a blocking process on the server computer to block
access of the
user to the service on the connection; and
authorizing the user to access the service on the server computer, using the
client program
executing on the client device and the server program, comprising terminating
the blocking process
on the server computer.
2. The method as claimed in claim 1 further comprising:
using the service; and closing the connection to the server computer.
3. The method as claimed in claim 1 wherein establishing the connection
further comprises:
establishing a remote desktop connection from the client device to the server
computer.
4. The method as claimed in claim 1 wherein establishing the connection
further comprises:
establishing a remote desktop connection from a client terminal to the server
computer.
5. The method as claimed in claim 1 wherein the server program creating the
blocking process
further comprises computer readable instructions stored in a memory, creating
a blocking window
on a desktop of the server computer.
6. The method as claimed in claim 5 wherein the server program creating the
blocking window
further comprises the server program creating a modal dialog window.
7. The method as claimed in claim 1 wherein the server program creating the
blocking process
further comprises the server program creating a blocking window on a desktop
of the server
computer.
8. The method as claimed in claim 7 wherein the server program creating the
blocking window
comprises the server program creating a modal dialog window.
9. The method as claimed in claim 1 wherein the authorizing the user further
comprises:
the client program creating a client OTA (One Time Authorization) code;
the server program creating a server OTA code;
the client program sending the client OTA code to the server program; and
the server program comparing the server OTA code with the client OTA code.
10. The method as claimed in claim 9 wherein the client program creating the
client OTA code
comprises the client program combining the secret key with dynamic connection
information using a
one-way function.
11. The method as claimed in claim 10 wherein the server program creating the
server OTA code
comprises the server program combining the secret key with the dynamic
connection information
using the one-way function.
12. The method as claimed in claim 9 further comprising:
the server program providing a quick response (QR) code including dynamic
connection
information in a blocking window on a desktop of the server computer; and
the client program receiving the dynamic connection information from the QR
code.
13. The method as claimed in claim 9 wherein the client program sending the
client OTA to the
server program further comprises:
the client program copying the client OTA code to a shared clipboard; and
the server program detecting the client OTA code on the shared clipboard.
14. The method as claimed in claim 9 wherein the client program sending the
client OTA code to
the server program comprises sending the client OTA code on a secure channel.
15. The method as claimed in claim 9 wherein the client program sending the
client OTA code to
the server program further comprises:
the client program copying the client OTA code to a clipboard;
pasting the client OTA code into a secure shell executing a blocking program.
16. The method as claimed in claim 1 wherein the using the service further
comprises:
the client program automatically signing into the service in a remote desktop
window on the
client device using user account credentials; and
signing out of the service in the remote desktop window on the client device.
17. The method as claimed in claim 1 wherein the using the service further
comprises:
the user signing into the service in a remote desktop window on the client
device using user
account credentials; and

the user signing out of the service in the remote desktop window on the client
device.
18. A system for remote secure connection to a service on a server computer,
comprising:
a client device configured to execute a client program having computer
readable instructions
stored in a memory of the client device; and
a server computer having a processor configured to execute a server program,
having computer
readable instructions stored in a memory of the server computer;
the client program and server program are configured to:
authenticate a user and the client device, comprising:
establishing a secure connection from the client device to the server
computer;
sending an invitation over the secure connection including a URL (Uniform
Resource
Locator) from a server program to the client device;
downloading the client program to the client device from a location provided
by the URL;
initiating execution of the client program on the client device;
entering a predetermined user PIN (personal identification number) to the
client program;
sending a client device ID (identification number) and the predetermined user
PIN from the
client program to the server program over the secure connection;
the server program generating a secret key and encrypting the secret key using
the user PIN and
the client device ID;
the server program sending the encrypted secret key to the client program over
the secure
connection;
the client program decrypting the encrypted secret key using the user PIN and
the client device
ID, and retrieving user account credentials; and
the client program closing the secure connection;
establish a connection to the server computer including:
the server program detecting the connection; and
the server program creating a blocking process on the server computer to block
access of the user
to the service on the connection, and authorize the user to access the service
on the server
computer, including terminating the blocking process on the server computer.
19. The system as claimed in claim 18 further comprising a client terminal
configured to establish
the connection to the server computer.
20. An apparatus comprising:
a server computer having a processor configured to execute a server program
stored in a computer
memory, the server program being configured to:
authenticate a user and a client device, comprising:
establishing a secure connection between the client device and the server
computer;
sending an invitation over the secure connection including a URL (Uniform
Resource
Locator) to the client device;
downloading the client program to the client device from a location provided
by the URL;
upon execution of the client program on the client device, obtaining a
predetermined user
PIN (personal identification number) to the client program, and sending a
client device ID
(identification number) and the predetermined user PIN from the client program
to the server
program over the secure connection, the server program;
generating a secret key and encrypting the secret key using the user PIN and
the client
device ID;
sending the encrypted secret key to the client program over the secure
connection; and
upon the client program decrypting the encrypted secret key using the user PIN
and the
client device ID, and retrieving user account credentials, closing the secure
connection;
detect a connection established by the client device to the server computer;
create a blocking process on the server computer to block access to a service
on the connection;
and
authorize the client device to access the service on the server computer,
comprising
terminating the blocking process on the server computer.

Description

Note: Descriptions are shown in the official language in which they were submitted.


IN-003-CA-DIV
SYSTEM AND METHOD FOR SECURE REMOTE ACCESS
FIELD OF THE INVENTION
The invention relates to the field of computer authentication and
authorization. More
particularly, the invention relates to a system and method for secure remote
connection to
computing services.
BACKGROUND OF THE INVENTION
Authentication is the mechanism for securely identifying users, typically
through user ID
and password. These credentials are vulnerable to malware attacks, such as key
logging. In order
to access local resources on a computer, conventional authentication methods
employing user ID
(Identity Document) and password are adequate. When a remote service is
activated, it is
unprotected and open to hacking.
Accordingly, it would be beneficial to provide an improved approach for
providing a
secure access to remote computing services, which would avoid or mitigate the
shortcomings of
the existing prior art.
SUMMARY OF THE INVENTION
There is an object of the present invention to provide a system, method and
apparatus for
secure remote connection to computing services.
According to one aspect of the invention, there is provided a method for
remote secure
connection to a service on a server computer, the method comprising:
authenticating a user and a client device, comprising:
establishing a secure connection from the client device to the server
computer;
sending an invitation over the secure connection including a URL (Uniform
Resource Locator) from a server program to the client device;
downloading a client program to the client device from a location provided by
the URL;
CA 2950955 2017-12-21
initiating execution of the client program on the client device;
entering a predetermined user PIN (personal identification number) to the
client
program;
sending a client device ID (identification number) and the predetermined user
PIN
from the client program to the server program over the secure connection;
the server program generating a secret key and encrypting the secret key using
the
user PIN and the client device ID;
the server program sending the encrypted secret key to the client program over
the
secure connection;
the client program decrypting the encrypted secret key using the user PIN and
the
client device ID, and retrieving user account credentials; and the client
program
closing the secure connection;
establishing a connection to the server computer comprising:
a server program, comprising computer readable instructions, executing on the
server computer detecting the connection; and
the server program creating a blocking process on the server computer to block
access of the user to the service on the connection;
authorizing the user to access the service on the server computer, using the
client
program executing on the client device and the server program, comprising
terminating the blocking process on the server computer.
The method described above comprises:
using the service; and
closing the connection to the server computer.
In the method described above, establishing the connection further comprises:
establishing a remote desktop connection from the client device to the server
computer.
In the method described above, establishing the connection further comprises:
establishing a remote desktop connection from a client terminal to the server
computer.
In the method described above, the server program creating the blocking process
further comprises computer readable instructions stored in a memory, creating a
blocking window on a desktop of the server computer.
In the method described above, the server program creating the blocking window
further comprises the server program creating a modal dialog window.
In the method described above, the server program creating the blocking process
further comprises the server program creating a blocking window on a desktop of the
server computer.
In the method described above, the server program creating the blocking window
comprises the server program creating a modal dialog window.
In the method described above, the authorizing the user further comprises:
the client program creating a client OTA (One Time Authorization) code;
the server program creating a server OTA code;
the client program sending the client OTA code to the server program; and
the server program comparing the server OTA code with the client OTA code.
In the method described above, the client program creating the client OTA code
comprises the client program combining the secret key with dynamic connection
information using a one-way function.
In the method described above, the server program creating the server OTA code
comprises the server program combining the secret key with the dynamic connection
information using the one-way function.
The method described above further comprises:
the server program providing a quick response (QR) code including dynamic
connection
information in a blocking window on a desktop of the server computer; and
the client program receiving the dynamic connection information from the QR
code.
In the method described above, the client program sending the client OTA to the
server
program further comprises:
the client program copying the client OTA code to a shared clipboard; and
the server program detecting the client OTA code on the shared clipboard.
In the method described above, the client program sending the client OTA code
to the server
program comprises sending the client OTA code on a secure channel.
In the method described above, the client program sending the client OTA code
to the server
program further comprises:
the client program copying the client OTA code to a clipboard;
pasting the client OTA code into a secure shell executing a blocking program.
In the method described above, the using the service further comprises:
the client program automatically signing into the service in a remote desktop
window on the
client device using user account credentials; and
signing out of the service in the remote desktop window on the client device.
In the method described above, the using the service further comprises:
the user signing into the service in a remote desktop window on the client
device using user
account credentials; and
the user signing out of the service in the remote desktop window on the client
device.
According to another aspect of the invention, there is provided a system for
remote secure
connection to a service on a server computer, comprising:
a client device configured to execute a client program having computer
readable
instructions stored in a memory of the client device; and
a server computer having a processor configured to execute a server program,
having
computer readable instructions stored in a memory of the server computer;
the client program and server program are configured to:
authenticate a user and the client device, comprising:
establishing a secure connection from the client device to the server
computer;
sending an invitation over the secure connection including a URL (Uniform
Resource Locator) from a server program to the client device;
downloading the client program to the client device from a location provided
by the
URL;
initiating execution of the client program on the client device;
entering a predetermined user PIN (personal identification number) to the
client
program;
sending a client device ID (identification number) and the predetermined user
PIN
from the client program to the server program over the secure connection;
the server program generating a secret key and encrypting the secret key using
the user PIN and
the client device ID;
the server program sending the encrypted secret key to the client program over
the secure
connection;
the client program decrypting the encrypted secret key using the user PIN and
the client
device ID, and retrieving user account credentials; and
the client program closing the secure connection;
establish a connection to the server computer including:
the server program detecting the connection; and
the server program creating a blocking process on the server computer to block
access of
the user to the service on the connection, and authorize the user to access
the service on
the server computer, including terminating the blocking process on the server
computer.
The system described above further comprises a client terminal configured to
establish the connection to the server computer.
According to yet one more aspect of the invention, there is provided an
apparatus comprising:
a server computer having a processor configured to execute a server program
stored in
a computer memory, the server program being configured to:
authenticate a user and a client device, comprising:
establishing a secure connection between the client device and the server
computer;
sending an invitation over the secure connection including a URL (Uniform
Resource
Locator) to the client device;
downloading the client program to the client device from a location provided
by the
URL;
upon execution of the client program on the client device, obtaining a
predetermined user
PIN (personal identification number) to the client program, and sending a
client device
ID (identification number) and the predetermined user PIN from the client
program to the
server program over the secure connection, the server program;
generating a secret key and encrypting the secret key using the user PIN and
the client
device ID;
sending the encrypted secret key to the client program over the secure
connection; and
upon the client program decrypting the encrypted secret key, using the user
PIN and the
client device ID, and retrieving user account credentials, closing the secure
connection;
detect a connection established by the client device to the server computer;
create a blocking process on the server computer to block access to a service
on the connection;
and
authorize the client device to access the service on the server computer,
comprising terminating
the blocking process on the server computer.
Thus, an improved system, method and apparatus for secure remote connection to
computing services have been provided.
BRIEF DESCRIPTION OF THE DRAWINGS
Further features and advantages of the invention will be apparent from the
following
description of the embodiment, which is described by way of example only and
with reference to
the accompanying drawings, in which:
Fig. 1 shows a top level flowchart of a method in accordance with a first
embodiment of the
present invention;
Fig. 2 shows an overview block diagram of a system in accordance with the
first embodiment of
the present invention with elements referenced in the flowchart of Fig. 1;
Figs. 3A and 3B show a flowchart of a method of an authentication process in
the flowchart
shown in Fig. 1;
Figs. 4A and 4B show detailed block diagrams of the system shown in Fig. 2
with elements
referenced in the flowcharts of Figs. 3A and 3B;
Fig. 5 shows a flowchart of a method of a connection process in the flowchart
shown in Fig. 1;
Fig. 6 shows a detailed block diagram of the system shown in Fig. 2 with
elements referenced in the flowchart of Fig. 5;
Fig. 7 shows a flowchart of a method of an authorization process in the
flowchart shown in Fig. 1;
Fig. 8 shows a detailed block diagram of the system shown in Fig. 2 with
elements referenced in the flowchart of Fig. 7;
Fig. 9 shows a flowchart of a method of a Using Services process in the
flowchart shown in Fig. 1;
Fig. 10 shows a detailed block diagram of the system shown in Fig. 2 with
elements referenced in the flowchart of Fig. 9;
Fig. 11 shows a top level flowchart of a method in accordance with a second
embodiment of the
present invention;
Fig. 12 shows an overview block diagram of a system in accordance with the
second
embodiment of the present invention with elements referenced in the flowchart
of Fig.
11;
Fig. 13 shows a flowchart of a method of a connection process in the
flowchart shown in Fig. 11;
Fig. 14 shows a detailed block diagram of the system shown in Fig. 2 with
elements referenced in the flowchart of Fig. 13;
Fig. 15 shows a flowchart of a method of an authorization process in the
flowchart shown in Fig. 11;
Fig. 16 shows a detailed block diagram of the system shown in Fig. 12 with
elements referenced in the flowchart of Fig. 15;
Fig. 17 shows a flowchart of a method of a Using Services process in the
flowchart shown in Fig. 11;
Fig. 18 shows a detailed block diagram of the system shown in Fig. 12 with
elements referenced in the flowchart of Fig. 17;
Fig. 19 shows a top level flowchart of a method in accordance with a third
embodiment of the present invention;
Fig. 20 shows an overview block diagram of a system in accordance with the
third embodiment of the present invention with elements referenced in the
flowchart of Fig. 19;
Fig. 21 shows a flowchart of a method of a connection process in the
flowchart shown in Fig. 19;
Fig. 22 shows a detailed block diagram of the system shown in Fig. 2 with
elements referenced in the flowchart of Fig. 21;
Fig. 23 shows a flowchart of a method of an authorization process in the
flowchart shown in Fig. 19;
Fig. 24 shows a detailed block diagram of the system shown in Fig. 12 with
elements referenced in the flowchart of Fig. 23;
Fig. 25 shows a flowchart of a method of a Using Services process in the
flowchart shown in Fig. 19; and
Fig. 26 shows a detailed block diagram of the system shown in Fig. 12 with
elements referenced in the flowchart of Fig. 25.
The accompanying drawings are included to provide a further understanding of
the
present invention and are incorporated in and constitute a part of this
specification. The drawings
illustrate some embodiments of the present invention and together with the
description serve to
explain the principles of the invention. Other embodiments of the present
invention and many of
the intended advantages of the present invention will be readily appreciated
as they become
better understood by reference to the following detailed description. The
elements of the
drawings are not necessarily to scale relative to each other. Like reference
numerals designate
corresponding similar parts.
DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION
Embodiments of the present invention address deficiencies in conventional
authentication
and authorization processes when remote connections are used to access
computing services. The
process of authorization is distinct from that of authentication. Whereas
authentication is the
process of verifying that "you are who you say you are", authorization is the
process of verifying
that "you are permitted to do what you are trying to do". Authorization thus
presupposes
authentication.
Various embodiments of the present invention will be described in general
using
summary flowcharts and block diagrams with each general description followed
by detailed
flowcharts and block diagrams.
Referring to Fig. 1 there is shown a summary flowchart of a method 100 of a
first
embodiment of the present invention; and in Fig. 2 there is shown a block
diagram 200 of a
system including elements referred to in the flowchart 100 in Fig. 1.
Firstly, a user 202 and a user device 204, or a client device 204, the two
terms to be used
interchangeably in this application, are authenticated 102. The user device
204 may be, for
example, a personal computer, tablet computer, a smart phone, or any other
device suitable for
the user 202 to remotely access desired services.
Next, a remote desktop connection 206 is established 104 from the client
device 204 to a
server computer 210. The remote desktop connection 206 may be made through a
network such
as, for example, the Internet 208, a LAN (local area network), WAN (wide area
network), or the
like. The remote desktop connection 206 may be based on conventional protocols
such as RDP
(Remote Desktop Protocol) or VNC (Virtual Network Computing) protocols or the
like. The
server computer 210 may be, for example, a computing system within a bank,
on-line retailer
or any other like institution offering one or more predetermined on-line
service(s) 214. In
general, the server computer 210 may be, for example, a computer having a
processor configured
to execute instructions stored in a memory (not shown). For clarity, the
predetermined services
214 comprise computer readable instructions stored in the memory of the server
computer 210.
As well, the server program comprises computer readable instructions stored in
the memory of
the server computer 210.
All modules or blocks shown inside the client device 204 and the server
computer 210
comprise computer readable instructions stored in a non-transitory computer
readable storage
medium, such as computer memory, CD-ROM, DVD or similar, for retrieval and/or
execution by
a processor.
Next, a server program 212 executing on the server computer 210 authorizes 106
the user
202 to access and use the predetermined services 214 on the server computer
210 that are
available to the authenticated user 202 and authenticated client device 204.
Next, the user 202 uses 108 the predetermined services 214 in a conventional
manner.
When the user 202 is finished using the predetermined services 214, the user
202 closes
110 the RDP connection 206. Optionally, the user 202 may repeat 112 the
connection 104 to
closing 110 processes as many times as desired without repeating the
authentication 102 process.
The authentication 102 process will now be described in more detail with
reference to the
flowchart shown in Figs. 3A and 3B; and the block diagrams shown in Figs. 4A
and 4B. For
clarity, a layout guide 302 shows an arrangement of Figs. 3A and 3B.
First, the client device 204 establishes 304 a secure connection 402 with the
server
computer 210. The secure connection 402 may be based on any secure protocol
known in the art
such as SSL (Secure Sockets Layer), TLS (Transport Layer Security), or the
like.
Then the server program 212 sends 306 an invitation including a URL (Uniform
Resource
Locator) for downloading 312 a client program 408 from, for example, a
download site on the
Internet 208. The invitation may optionally include a registration code (not
shown). The
invitation 404 may be sent via email or any other conventional message system.
The client
program 408, after downloading 312, comprises computer readable instructions
stored in a
memory (not shown) of the client device 204.
Having received the invitation 404 the user decides 308 to accept the
invitation 404 or
not. If the user 202 does not accept the invitation 404 the authentication
process 102 fails and the
authentication process stops 310.
If the user 202 accepts the invitation, the user 202 downloads 312 the client
program 408
using the provided URL 406 to the client device 204 and initiates execution of
the client program
408 on the client device 204.
The user 202 enters 314 a predetermined user PIN (Personal Identification
Number) 410
to the client program 408. The predetermined PIN 410 may be, for example, a
secret number
known only to the user 202, or biometric information entered using
conventional hardware (not
shown) included in the client device 204.
The client program 408 sends 316 the user PIN 410, a client device ID 413,
and,
optionally, the registration code 404 to the server program 212. The client
device ID 413 is a
copy made by the client program 408 when the client program 408 is initially
executed 312 of a
static device ID 412 unique to the client device 404 that is determined at time
of manufacture.
Beneficially, at any time after the authentication process 102, the client
program 408 may
compare the copy of the client device ID 413 with the static device ID 412 for
increased security.
The server program 212 generates a random number for providing 318 a secret
key 414.
The random number may be generated by any process known in the art.
The server program 212 encrypts 320 the secret key 414 using the user PIN 410
and the
client device ID 413 as keys to provide an encrypted secret key 416. The
secret key 414 may be
encrypted, for example, using any suitable algorithm known in the art such as
AES (Advanced
Encryption Standard) or the like.
The server program 212 sends 322 the encrypted secret key 416 to the client
program 408
over the secure connection 402.
The client program 408 decrypts 324 the encrypted secret key 416 using the
user PIN 410
and the client device ID 413 as keys.
The user 202 enters 326 user account credentials 418 into the client program
408.
Optionally, the server program 212 encrypts 328 the user account credentials
418 with the
secret key 414. The server program 212 sends 330 the encrypted user account
credentials (not
shown) to the client program 408. The client program 408 decrypts 332 the
encrypted user
account credentials.
The client program 408 closes 324 the secure connection 402.
Fig. 4B shows the system 200 after completion of the authentication process
102. The user
202 and the client device 204 are now authenticated since the user 202 and the
client device
share the predetermined user PIN; and the client program 408 and server
program 212 share the
secret key 414. After the authentication process 102 the client device 204 is
what is known in the
art as a trusted device.
Fig. 5 shows a flowchart of a method of the connection process 104 in the
flowchart
shown in Fig. 1; and Fig. 6 shows a detailed block diagram of the system 200
shown in Fig. 2
with elements referenced in the flowchart of Fig. 5.
The user 202 enters 502 a PIN 602 into the client program 408. The entered
user PIN 602
is compared 504 with the predetermined user PIN 410. If the entered user PIN
602 and the
predetermined user PIN 410 do not match, the connection process 104 is stopped
506. If the
entered user PIN 602 and the predetermined user PIN 410 do match then the
connection process
104 continues.
The client program 408 establishes 508 a remote desktop connection 206 from
the client
device 204 to the server computer 210. The remote desktop connection may be an
RDP (Remote
Desktop Protocol) or VNC (Virtual Network Computing) connection or the like.
The server
program 212 detects 510 the remote desktop connection 206 and creates a
blocking window 606
on a server desktop 608. The blocking window may be for example a modal dialog
box. Such a
dialog box, as understood in the art, blocks all other user access until
certain inputs or actions are
provided. In this case the action is the authorization of the user 202 as
describe herein below. In
general, any type of process or program that blocks the user 202 from
accessing any services on
the server computer 210 until the user 204 is authorized is within the scope
of the invention.
Fig. 7 shows a flowchart of a method of the authorization process 106 in the
flowchart
shown in Fig. 1; and Fig. 8 shows a detailed block diagram of the system 200
shown in Fig. 2
with elements referenced in the flowchart of Fig. 7.
First, the client program 408 creates 702 a client OTA code 802 by combining
dynamic
connection information 804 with the secret key 414. The dynamic connection
information 804
may be, for example, an IP (Internet Protocol) address, port number, time
stamp or any
combination thereof. The dynamic connection information 804, secret key 414,
and dynamic
connection information 804 are combined using a one-way function such as
exclusive OR, or
any other one-way function known in the art.
Next, the client program 408 copies 704 the client OTA code 802 to a shared
clipboard
806.
Next, the server program 212 detects 706 the client OTA code on the shared
clipboard
806. The server program 212 creates 708 a server OTA code 810 by combining the
dynamic
connection information 808 with the secret key 414. The dynamic connection
information 808
may be, for example, an IP (Internet Protocol) address, port number, time
stamp or any
combination thereof. The dynamic connection information 804 is the same as the
dynamic
connection information 808 on the server computer 210. The dynamic connection
information
808 and secret key 414 are combined using the same one-way function as in
creating the client
OTA code 802 described herein above.
Next, the server program 212 compares 710 the server OTA code 810 with the
client OTA
code 802. If the server OTA code 810 does not match the client OTA code 802,
then the blocking
window 606 remains 714 and the authorization process 106 is stopped.
If the server OTA code 810 does match the client OTA code 802, then the server
program
212 removes 716 blocking window 606 from the server desktop 608.
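The client and server sides of steps 702 to 716, as an added Python sketch that is not code from the patent. It assumes HMAC-SHA256 as the one-way function (the text names exclusive OR only as an example; XOR is invertible, which the last function demonstrates), and the `ConnectionInfo` encoding, the 30-second freshness window and the replay set are hypothetical details the patent does not specify.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

FRESHNESS_SECONDS = 30  # assumed acceptance window; the patent gives no value


@dataclass(frozen=True)
class ConnectionInfo:
    """Dynamic connection information (804/808): IP address, port, time stamp."""
    ip: str
    port: int
    timestamp: int  # seconds since the epoch, as recorded for this connection

    def encode(self) -> bytes:
        # Length-prefixed, fixed-width fields so two different tuples can
        # never serialise to the same byte string.
        packed_ip = ipaddress.ip_address(self.ip).packed
        return (struct.pack("!B", len(packed_ip)) + packed_ip
                + struct.pack("!HQ", self.port, self.timestamp))


def make_ota_code(secret_key: bytes, info: ConnectionInfo) -> str:
    """OTA code (802/810): keyed one-way function over the connection info."""
    return hmac.new(secret_key, info.encode(), hashlib.sha256).hexdigest()


class ServerVerifier:
    """Server side of steps 706-716: recompute, compare, then unblock or not."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._used = set()  # codes already accepted, to keep them one-time

    def verify(self, client_code: str, server_info: ConnectionInfo, now: int) -> bool:
        if abs(now - server_info.timestamp) > FRESHNESS_SECONDS:
            return False  # connection info too old: blocking window remains
        server_code = make_ota_code(self._key, server_info)
        if not hmac.compare_digest(server_code.encode(), client_code.encode()):
            return False  # mismatch: blocking window remains
        if server_code in self._used:
            return False  # replay of an already accepted code
        self._used.add(server_code)
        return True  # match: the blocking window may be removed


def xor_combine(secret_key: bytes, info: ConnectionInfo) -> bytes:
    """XOR combination for comparison; the info is zero-padded to key length."""
    padded = info.encode().ljust(len(secret_key), b"\0")[:len(secret_key)]
    return bytes(k ^ i for k, i in zip(secret_key, padded))


def xor_reveals_key(secret_key: bytes, info: ConnectionInfo) -> bool:
    """True if XOR-ing the code with the known info gives back the key."""
    code = xor_combine(secret_key, info)
    return xor_combine(code, info) == secret_key


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, not a real secret
    conn = ConnectionInfo("203.0.113.10", 50211, 1_700_000_000)  # constructed
    server = ServerVerifier(key)
    code = make_ota_code(key, conn)  # the value the client puts on the clipboard
    print("first use :", server.verify(code, conn, now=1_700_000_005))
    print("replay    :", server.verify(code, conn, now=1_700_000_006))
    other = ConnectionInfo("203.0.113.10", 50212, 1_700_000_000)
    print("other conn:", ServerVerifier(key).verify(code, other, now=1_700_000_005))
    print("XOR leaks key:", xor_reveals_key(key, conn))
```

Because the code is keyed on the connection tuple, a value copied from one session does not unblock a session with a different port, and an accepted value is refused a second time.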
Fig. 9 shows a flowchart of a method of the Using Services 108 process in the
flowchart
shown in Fig. 1; and Fig. 10 shows a detailed block diagram of the system 200
shown in Fig. 2
with elements referenced in the flowchart of Fig. 9.
First, preferably the client program 408 automatically signs into 902 the
service 214
using the user account credentials 418, or alternatively the user 202 manually
signs into the
service 214. Then the user 202 uses 904 the service 214 in a conventional
manner from the client
device 204 such as bank accounts or online retail services. After the user 202
is finished, the user
202 signs out 906 of service 214.
Lastly, the user closes 110 the RDP connection 206 in a conventional manner.
Referring now to Fig. 11, there is shown a summary flowchart of a method 1110
in
accordance with a second embodiment of the present invention; and Fig. 12
shows an overview
block diagram of a system 1200 in accordance with the second embodiment of the
present
invention with elements referenced in the flowchart of Fig. 11.
Firstly, a user 202 and a user device 204 are authenticated 102. The
authentication
process 102 of the second embodiment is identical to the authentication
process of the first
embodiment 102 as described herein above. The user device 204 is preferably a
mobile device
such as a smart phone, PDA (Personal Digital Assistant) or the like having a
camera with QR
(Quick Response) code reading capability as is common in the art.
Next, a remote desktop connection 206 is established 104 from a client
terminal 1202 to
the server computer 210.
Next, a server program 212 authorizes 1106 the user 202 from the client
terminal 1202 to
access and use the predetermined services 214 on the server computer 210 that
are available to
the authenticated user 202 and authenticated client device 204. The client
terminal may be, for
example, a public shared computer in a cafe or library not previously
authenticated.
Next, the user 202 uses 108 the predetermined services 214 in a conventional
manner.
When the user 202 is finished using the predetermined services 214, the user
202 closes
110 the RDP connection 206. Optionally, the user 202 may repeat 1112 the
connection 104 to
closing 110 processes as many times as desired without repeating the
authentication 102 process.
Fig. 13 shows a flowchart of a method of the connection process 1100 in the
flowchart
shown in Fig. 11; and Fig. 14 shows a detailed block diagram of the system
shown in Fig. 2
with elements referenced in the flowchart of Fig. 13.
First, the user 202 establishes 1302 a remote desktop connection 206 from the
client
terminal 1202 to the server computer 210.
Next, the server program 212 detects 1304 the remote desktop connection 206
and creates
a blocking window 606 on the server desktop 608.
Next, the server program 212 provides 1306 a QR code 1402 including the
dynamic
connection information 808 in the blocking window 606.
Next, the user 202 enters 1308 a user PIN 602 into the client program 408. The
entered
PIN 602 is compared 1310 with the predetermined user PIN 410. If the entered
user PIN 602 and
the predetermined user PIN 410 do not match, the connection process 1104 is
stopped 1312. If the
entered user PIN 602 and the predetermined user PIN 410 do match then the
connection process
1104 continues.
Next, the user 202 holds the client device 204 in a position for the client
program 408 to
read 1314 the QR code 1402 and provide the dynamic connection information 808
to the client
program 408.
Fig. 15 shows a flowchart of a method of the authorization process 1104 in
the flowchart
shown in Fig. 11; and Fig. 16 shows a detailed block diagram of the system
1200 shown in Fig.
12 with elements referenced in the flowchart of Fig. 15.
First, the client program 408 creates 1502 a client OTA code 802 by combining
the
dynamic connection information 806 with the secret key 414.
Then the client program 408 sends 1506 the client OTA code 802 to the server
program
212 on an authorization channel 1602. The authorization channel 1602 may be
based on any
secure protocol known in the art such as SSL (Secure Sockets Layer), TLS
(Transport Layer
Security), or the like.
Then the server program 212 creates 1508 a server OTA code by combining the
dynamic
connection information 808 with the secret key 414.
Then the server program 212 compares 1510 the server OTA code 810 with the
client
OTA code 802. If the server OTA code 810 does not match the client OTA code
802, then the
blocking window 606 remains 1514 and the authorization process 106 is stopped.
If the server OTA code 810 does match the client OTA code 802, then the server
program
212 removes 1516 blocking window 606 from the server desktop 608.
Fig. 17 shows a flowchart of a method of a Using Services process in the
flowchart
shown in Fig. 11; and Fig. 18 shows a detailed block diagram of the system
shown in Fig. 12
with elements referenced in the flowchart of Fig. 17.
The user 202 signs 1702 into the service 214 with the user account credentials
418 in the
remote desktop 610 on the client terminal 1202. The user 202 uses 704 the
service 214 in a
conventional manner from the client terminal 1202. The user 202 signs out 1706
of service 214.
Lastly, the user 202 closes 1110 the RDP connection 206 in a conventional
manner.
Fig. 19 shows a summary flowchart of a method 1900 in accordance with a third
embodiment of the present invention; and Fig. 20 shows an overview block
diagram of a system
2000 in accordance with the third embodiment of the present invention with
elements referenced
in the flowchart of Fig. 19.
Firstly, a user 202 and a user device 204 are authenticated 102 using a
process identical to
the process 102 described in the first embodiment.
Next, an SSH (secure shell) connection 2002 is established 1904 from the client
device
204 to the server computer 210.
Next, a server program 212 authorizes 1906 the user 202 to access and use the
predetermined services 214 on the server computer 210 that are available to
the authenticated
user 202 and authenticated client device 204.
Next, the user 202 uses 1908 the predetermined services 214 in a conventional
manner.
When the user 202 is finished using the predetermined services 214, the user
202 closes
110 the SSH connection 2002. Optionally, the user 202 may repeat 1912 the
connection 1904 to
closing 1910 processes as many times as desired without repeating the
authentication 102
process.
Fig. 21 shows a flowchart of a method of the connection process 1904 in the
flowchart
shown in Fig. 19; and Fig. 22 shows a detailed block diagram of the system
shown in Fig. 20
with elements referenced in the flowchart of Fig. 21.
First, the user 202 enters 2102 a PIN 602 into the client program 408. The
entered user
PIN 602 is compared 2104 with the predetermined user PIN 410. If the entered
user PIN 602 and
the predetermined user PIN 410 do not match, the connection process 1904 is
stopped 2106. If the
entered user PIN 602 and the predetermined user PIN 410 do match then the
connection process
1904 continues.
Next, the client program 408 establishes 2108 a secure shell connection 2002
from the
client device 204 to the server computer 210. The server program 212 detects
2110 the secure
shell connection 2002 and creates a blocking program 2204 in the secure shell 2202.
Fig. 23 shows a flowchart of a method of an authorization process in the
flowchart
shown in Fig. 19; and Fig. 24 shows a detailed block diagram of the system
shown in Fig. 20
with elements referenced in the flowchart of Fig. 23.
The authorization process for the third embodiment 1906 is substantially the
same as the
first embodiment 106 except that the server program 212 removes 2118 the
blocking program
2204 from the secure shell 2202.
Fig. 25 shows a flowchart of a method of the Using Services process in the
flowchart
shown in Fig. 19; and Fig. 26 shows a detailed block diagram of the system
shown in Fig. 20
with elements referenced in the flowchart of Fig. 25.
First, the user 202 signs into 2502 service 214 in the remote shell 2206. The
user 202
uses 2504 the service 214. The user 202 signs out 2506 of service 214.
Therefore embodiments of the present invention expand a shared environment
between
the client and the server elements, which require the following:
Separating the authentication process from the authorization process;
Reversing a conventional sequence of access and connection processes by
establishing a
connection first, so that dynamic connection link information can be used as
an input for
generating stronger, more secure OTA codes that are uniquely associated with
the connection.
This authorization process authorizes the user for a specific run-time
connection that has been
established, since the dynamic connection information forms part of the OTA
code.
Embodiments of the present invention provide an improved authorization process
for
securely accessing remote computing services, such as data centers and various
services based on
cloud computing models, for example. Furthermore, embodiments of the present
invention
provide a real-time method for generating and verifying a One-Time
Authorization (OTA) code.
This method is based on the client program and server program sharing the
static and dynamic
information for generating and verifying OTA codes:
Accordingly, it is to be understood that the embodiments of the invention
herein
described are merely illustrative of the application of the principles of the
invention. Reference
herein to details of the illustrated embodiments is not intended to limit the
scope of the claims,
which themselves recite those features regarded as essential to the invention.
TABLE OF ELEMENTS
100 Flowchart of a first embodiment
102 to 112 Processes of flowchart 100
200 System block diagram of the first embodiment
202 User
204 Client Device
206 RDP Connection
208 Internet
210 Server Computer
212 Server Program
214 Service(s)
302 Layout guide to Figs. 3A and 3B
304 to 324 Processes of Authentication 102 shown in Fig. 1
402 Secure Connection
404 Invitation
406 Download URL
408 Client Program
410 Predetermined User PIN
412 Static Client Device ID
413 Client device ID (copy)
414 Secret Key
416 Encrypted Secret Key
418 User Account Credentials
502 to 510 Processes of Connection 104 shown in Fig. 1
602 Entered User PIN
604 Static Connection Information
606 Blocking Window
608 Server Desktop
610 Remote Desktop
702 to 718 Processes of Authorization 106 shown in Fig. 1
802 Client OTA Code
804 Client Dynamic Connection Information
806 Shared Clipboard
808 Server Dynamic Connection Information
810 Server OTA Code
902 to 906 Processes of Using Services 108 shown in Fig. 1
1100 Flowchart of a second embodiment
102, 1104 to 1112 Processes of flowchart 1100
1200 System block diagram of the second embodiment
1202 Client terminal
1302 to 1314 Processes of connection 1104 shown in Fig. 11
1402 QR code
1502 to 1516 Processes of authorization 1106 shown in Fig. 11
1602 Authorization channel
1702 to 1706 Processes of Using Services 1108 shown in Fig. 11
1900 Flowchart of a third embodiment
102, 1904 to 1912 Processes of flowchart 1900
2000 System block diagram of the third embodiment
2002 Secure shell connection
2102 to 2110 Processes of connection 1904 shown in Fig. 19
2202 Shell
2204 Blocking program
2206 Remote shell
2302 to 2318 Processes of authorization 1906 shown in Fig. 19
2502 to 2506 Processes of using 1908 shown in Fig. 19
Thus, an improved system, method and apparatus for secure remote connection to
computing services have been provided.
Although the embodiments of the invention have been described in detail, it
will be
apparent to one skilled in the art that variations and modifications to the
embodiment may be
made within the scope of the following claims.
Administrative Status

2024-08-01: As part of the Next Generation Patents (NGP) transition, the Canadian Patents Database (CPD) now contains a more detailed Event History, which replicates the Event Log of our new back-office solution.

Please note that "Inactive:" events refer to events no longer in use in our new back-office solution.

For a clearer understanding of the status of the application/patent presented on this page, the site Disclaimer, as well as the definitions for Patent, Event History, Maintenance Fee and Payment History should be consulted.

Event History

Description Date
Inactive: Late MF processed 2022-08-10
Maintenance Fee Payment Determined Compliant 2022-08-10
Letter Sent 2022-02-14
Inactive: IPC expired 2022-01-01
Maintenance Fee Payment Determined Compliant 2021-07-20
Inactive: Late MF processed 2021-07-20
Letter Sent 2021-02-12
Common Representative Appointed 2019-10-30
Common Representative Appointed 2019-10-30
Grant by Issuance 2018-07-10
Inactive: Cover page published 2018-07-09
Pre-grant 2018-05-24
Inactive: Final fee received 2018-05-24
Notice of Allowance is Issued 2018-01-18
Letter Sent 2018-01-18
Notice of Allowance is Issued 2018-01-18
Inactive: QS passed 2018-01-12
Inactive: Approved for allowance (AFA) 2018-01-12
Amendment Received - Voluntary Amendment 2017-12-21
Inactive: S.30(2) Rules - Examiner requisition 2017-10-30
Inactive: Report - No QC 2017-10-30
Letter sent 2016-12-19
Inactive: Office letter 2016-12-16
Advanced Examination Refused - PPH 2016-12-16
Inactive: Cover page published 2016-12-15
Inactive: IPC assigned 2016-12-14
Inactive: IPC assigned 2016-12-14
Inactive: First IPC assigned 2016-12-14
Inactive: IPC assigned 2016-12-14
Inactive: IPC assigned 2016-12-14
Divisional Requirements Determined Compliant 2016-12-13
Letter Sent 2016-12-13
Letter Sent 2016-12-13
Application Received - Regular National 2016-12-12
Application Received - Divisional 2016-12-08
Request for Examination Requirements Determined Compliant 2016-12-08
Amendment Received - Voluntary Amendment 2016-12-08
Advanced Examination Requested - PPH 2016-12-08
All Requirements for Examination Determined Compliant 2016-12-08
Application Published (Open to Public Inspection) 2013-08-16

Abandonment History

There is no abandonment history.

Maintenance Fee

The last payment was received on 2018-01-30

Note: If the full payment has not been received on or before the date indicated, a further fee may be required, which may be one of the following:

  • the reinstatement fee;
  • the late payment fee; or
  • additional fee to reverse deemed expiry.

Patent fees are adjusted on the 1st of January every year. The amounts above are the current amounts if received by December 31 of the current year.
Please refer to the CIPO Patent Fees web page to see all current fee amounts.

Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
INBAY TECHNOLOGIES INC.
Past Owners on Record
HE ZHU
RANDY KUANG
ROBERT FRANK STEKLASA
STANISLUS KISITO XAVIER
STEPHEN GEORGE WILSON
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents

List of published and non-published patent-specific documents on the CPD.



Document Description   Date (yyyy-mm-dd)   Number of pages   Size of Image (KB)
Description 2016-12-07 22 780
Drawings 2016-12-07 28 420
Claims 2016-12-07 5 179
Abstract 2016-12-07 1 17
Claims 2016-12-08 5 179
Representative drawing 2016-12-14 1 6
Description 2017-12-20 22 727
Abstract 2017-12-20 1 16
Claims 2017-12-20 5 168
Maintenance fee payment 2024-01-21 1 30
Acknowledgement of Request for Examination 2016-12-12 1 174
Courtesy - Certificate of registration (related document(s)) 2016-12-12 1 103
Commissioner's Notice - Application Found Allowable 2018-01-17 1 163
Commissioner's Notice - Maintenance Fee for a Patent Not Paid 2021-04-05 1 535
Courtesy - Acknowledgement of Payment of Maintenance Fee and Late Fee (Patent) 2021-07-19 1 432
Commissioner's Notice - Maintenance Fee for a Patent Not Paid 2022-03-27 1 552
Courtesy - Acknowledgement of Payment of Maintenance Fee and Late Fee (Patent) 2022-08-09 1 421
New application 2016-12-07 9 245
Correspondence 2016-12-18 1 146
Examiner Requisition 2017-10-29 3 178
Amendment 2017-12-20 35 1,207
Maintenance fee payment 2018-01-29 1 24
Final fee 2018-05-23 1 35
Maintenance fee payment 2021-07-19 1 28
Maintenance fee payment 2022-08-09 1 28