US20070291789A1 - Secure transmission system and method - Google Patents
Secure transmission system and method Download PDFInfo
- Publication number
- US20070291789A1 US20070291789A1 US11/799,452 US79945207A US2007291789A1 US 20070291789 A1 US20070291789 A1 US 20070291789A1 US 79945207 A US79945207 A US 79945207A US 2007291789 A1 US2007291789 A1 US 2007291789A1
- Authority
- US
- United States
- Prior art keywords
- message
- network entity
- network
- client
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 230000005540 biological transmission Effects 0.000 title description 8
- 238000004891 communication Methods 0.000 claims abstract description 64
- 238000012546 transfer Methods 0.000 claims description 12
- 238000004590 computer program Methods 0.000 claims description 2
- 239000003550 marker Substances 0.000 description 9
- 230000008569 process Effects 0.000 description 8
- 230000004044 response Effects 0.000 description 6
- 238000001514 detection method Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000000903 blocking effect Effects 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0471—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/60—Network streaming of media packets
- H04L65/75—Media network packet handling
- H04L65/762—Media network packet handling at the source
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
Definitions
- This invention relates to a secure transmission system and method, particularly but not exclusively for use in a peer-to-peer telecommunications system.
- Peer-to-peer telecommunications systems allow the user of a device, such as a personal computer, to make telephone calls across a computer network such as the Internet. These systems are beneficial to the user as they are often of significantly lower cost than traditional telephony networks, such as fixed line or mobile networks. This may particularly be the case for long distance calls. These systems may utilise voice over internet protocol (“VoIP”) over an existing network (e.g. the Internet) to provide these services, although alternative protocols can also be used.
- VoIP voice over internet protocol
- the user must install and execute client software on their device. The client software provides the VoIP connections as well as other functions such as registration and authentication.
- Some calls in a peer-to-peer telephony network may be free to the user, such as calls to other user of the same peer-to-peer system.
- other calls such as to fixed line telephones or mobiles, may require the user to pay for the service. This therefore requires the user to provide sensitive information to the system, and hence requires a high level of security for transmissions of such data.
- Many peer-to-peer telephone systems operate a pre-paid account system. In these systems, the user must securely transfer sensitive information to a payment service provider in order to credit their account, and this credit is then used during the calls made. Once the credit runs out, the user must again securely transfer sensitive information to the payment service provider to credit more money into their account in order to continue using the service.
- the user may be invoiced for the amount of calls they have made over a period of time, or may be required to make a fixed payment regardless of the number of calls made.
- the user can securely transfer sensitive data to a payment service provider by opening a web browser program and navigating to the site of the telephony system operator. From this web page the user can select links to make a payment to their account. The user can then enter credit card or other payment information into the web page.
- the web browser can use known secure protocols for sending the sensitive information to a payment service provider.
- the disadvantage of this method is that it requires the user to open a separate program on their terminal (i.e. a web browser) in order to make a payment. The user may also be required to proceed through several clicks of the webpages before reaching the correct page. Furthermore, the user must have access to the World Wide Web in order to make such a payment. However, in some circumstances the user may be blocked from accessing the web for security reasons, but would otherwise still be able to use the peer-to-peer telephony service.
- the user of the telephony system would be desirable for the user of the telephony system to be able to make secure payments for services directly from the client software running on the user's terminal. This is because the user directly associates the client program with the telephony service. Furthermore, by allowing secure payment from within the client program, this avoids the need for the user to open other programs in order to securely transmit sensitive information for the service. For example, as discussed hereinbefore, if the user needs to transmit the sensitive information over the Internet, the user may be required to open a browser on his or her terminal and then enter the correct address of the web site through which they should pay before they can enter any payment details. This process can be prone to user error, and hence frustration on the part of the user.
- some users may also be suspicious of entering sensitive information on web site pages, and may have a greater level of trust in the client software provided by the operator of the telephony service.
- the client already knows the identity of user, and this information can therefore be passed to the payment provider without having to prompt the user for an additional username and password, thereby making the payment process more straightforward for the user.
- HTTP hypertext transfer protocol
- SSL secure socket layer
- TLS transport layer security
- the telephony service provider does not pose a security risk as its content would be obtained from trusted sources.
- some companies or third parties may wish to block the peer-to-peer telephony service itself. Whilst the actual telephony traffic may be difficult to detect, the client may make specific HTTP requests to perform its tasks. These requests can therefore be detected and allow the terminal running the client to be determined, and the requests blocked.
- a method of transmitting information from a user to a first network entity over a communications network comprising the steps of: the user entering information into a browser executed at a user terminal; the browser generating a first message comprising the information using a first communication protocol for dispatch over the network via a network port, the first message including an identifier of the first network entity; receiving the first message at a client executed at the user terminal before the first message reaches the network port; wrapping the first message in a second message of a second communication protocol used for transmitting messages between the client and a second network entity; transmitting the second message to the second network entity over the communications network; and unwrapping the first message from the second message at the second network entity, translating the identifier of the first network entity to a network address of the first network entity and transmitting the first message to the first network entity over the communications network.
- the method further comprises the step of encrypting the information in the first message after receiving the first message at the client. In another embodiment the method further comprises the step of receiving the first message transmitted by the second network entity at the first network entity. In another embodiment the method further comprises the step of decrypting the information in the first message, after it is received at the first network entity. In another embodiment the step of encrypting is performed using an encryption key provided by the first network entity. In another embodiment the method further comprises the step of the first network entity periodically transmitting the encryption key to the second network entity.
- the method further comprises the steps of: transmitting a third message to the second network entity from the first network entity, responsive to receiving the first message; receiving the third message at the second network entity and, responsive thereto, fetching a webpage from a server; wrapping the webpage in a fourth message of the second communication protocol; transmitting the fourth message to the client over the communications network; unwrapping the webpage from the fourth message at the client and passing the webpage to the browser; and displaying the webpage to the user in the browser.
- the third message is a redirect message.
- the step of wrapping the first message in a second message of a second communication protocol comprises the step of adding a header and a footer to the first message.
- the first communication protocol is a hypertext transfer protocol.
- the first network entity is a payment service provider.
- the communications network is the Internet.
- the second network entity is a Skype backend server.
- the information is payment information.
- a system for transmitting information from a user to a first network entity over a communications network comprising: a browser executed at a user terminal, the browser comprising means for receiving information entered by the user, and means for generating a first message comprising the information using a first communication protocol for dispatch over the network via a network port, the first message including an identifier of the first network entity; a client executed at the user terminal comprising means for receiving the first message at the client before the first message reaches the network port, means for wrapping the first message in a second message of a second communication protocol used for transmitting messages between the client and a second network entity, and means for transmitting the second message to the second network entity over the communications network; and the second network entity comprising means for unwrapping the first message from the second message at the second network entity, means for translating the identifier of the first network entity to a network address of the first network entity, and means for transmitting the first message to the first network entity over the communications network.
- the client further comprises means for encrypting the information in the first message after receiving the first message at the client.
- the first network entity further comprises means for receiving the first message transmitted by the second network entity.
- the first network entity further comprises means for decrypting the information in the first message, after it is received at the first network entity.
- the encryption is performed using an encryption key provided by the first network entity.
- the first network entity further comprises means for periodically transmitting the encryption key to the second network entity.
- the first network entity further comprises means for transmitting a third message to the second network entity, responsive to receiving the first message.
- the second network entity further comprises means for receiving the third message and, responsive thereto, fetching a webpage from a server, means for wrapping the webpage in a fourth message of the second communication protocol, and means for transmitting the fourth message to the client over the communications network.
- the client further comprises means for unwrapping the webpage from the fourth message and passing the webpage to the browser.
- the browser further comprises means for displaying the webpage to the user.
- the third message is a redirect message.
- the means for wrapping the first message in a second message of a second communication protocol comprises means for adding a header and a footer to the first message.
- the first communication protocol is a hypertext transfer protocol.
- the first network entity is a payment service provider.
- the communications network is the Internet.
- the second network entity is a Skype backend server.
- the information is payment information.
- a user terminal comprising: a browser executed at the user terminal, the browser comprising means for receiving information entered by a user, and means for generating a first message comprising the information using a first communication protocol for dispatch over a communications network via a network port, the first message including an identifier of a first network entity; and a client executed at the user terminal comprising means for receiving the first message at the client before the first message reaches the network port, means for wrapping the first message in a second message of a second communication protocol used for transmitting messages between the client and a second network entity, and means for transmitting the second message to the second network entity over the communications network.
- a network entity comprising: means for unwrapping a first message of a first communication protocol from a second message of a second communication protocol transmitted by a client executed at a user terminal to the network entity over a communications network, the first message including an identifier of a further network entity; means for translating the identifier of the further network entity to a network address of the further network entity; and means for transmitting the first message to the further network entity over the communications network.
- a computer program product comprising program code means which when loaded into a computer controls the computer to carry out the method above.
- FIG. 1 shows a peer-to-peer telephony system with the secure transfer of information to a payment service provider
- FIG. 2A shows the messages exchanged in the system of FIG. 1 for the maintenance of key information
- FIG. 2B shows the messages exchanged in the system of FIG. 1 for the initiation of a payment
- FIG. 2C shows the messages exchanged in the system of FIG. 1 for the secure transfer of payment information
- FIG. 2D shows the messages exchanged in the system of FIG. 1 for the transmission of a completed payment result
- FIG. 2E shows the messages exchanged in the system of FIG. 1 for the transmission of a uncompleted payment result
- FIG. 3 shows the structure of the messages sent in the secure transfer of payment information
- FIG. 4 shows a flowchart outlining the operations performed at the user terminal.
- FIG. 5 shows the page flow for the operations performed in FIG. 2B-2D .
- FIG. 1 in which is shown a peer-to-peer telephony system 100 with the secure transfer of information to a payment service provider.
- a user terminal 102 is shown connected to a network 104 .
- the user terminal may be, for example, a personal computer, personal digital assistant, a suitably enabled mobile phone or other device able to connect to the network 104 .
- the user terminal 102 is connected to the network 104 via a network port 105 , and may be via a cable (wired) connection or a wireless connection.
- the network 104 may be a network such as the Internet.
- a user 106 of user terminal 102 can make a telephone call to second user 108 of a second user terminal 110 across the network 104 .
- the user terminal is running a client 112 , provided by the operator of the peer-to-peer telephony system.
- the client 112 is a software program executed on a local processor in the user terminal 102 .
- the user 106 can click on the contact listed for the second user 108 displayed in the client 112 , or can alternatively type in a telephone number or username for the second user 108 .
- the client 112 then sets up the call to the second user 108 .
- the telephone call may be made using VoIP, in accordance with methods known in the art, such as disclosed in WO 2005/009019.
- the telephone call may comprise voice, video, instant messaging (“IM”), or a combination thereof.
- IM instant messaging
- the second user terminal 110 may be directly connected to the network 104 (as shown in FIG. 1 ), or may be connected to a different network such as the public switched telephone network (“PSTN”) or a mobile network (not shown in FIG. 1 ). If the second user terminal is connected to the network 104 , then it may be running a client program 114 provided by the operator of the telephony system, similar to the client 112 running on the first user terminal 102 . If connected to the PSTN, the second user terminal may be a fixed line telephone, and if connected to a mobile network, the second user terminal may be a mobile telephone.
- PSTN public switched telephone network
- mobile network not shown in FIG. 1
- the user 106 In order to be able to make telephone calls, the user 106 must be suitably registered and authenticated. Furthermore, the user 106 must also be able to pay for the telephone services. Sensitive payment information therefore needs to be transferred from the user 106 to a payment service provider (“PSP”) across the network 104 .
- PSP payment service provider
- the payment system needs to be very secure. If there is sensitive information flowing though the telephony system servers, then the system must comply with payment card industry (“PCI”) rules enforced by credit card companies. Complying with these rules is expensive and takes time.
- PCI payment card industry
- the servers of the telephony system are storing sensitive payment information, then they are likely to become a target for attack by hackers. There is therefore significant benefit in reducing the number of system entities that are exposed to sensitive information and need to be PCI compliant.
- the secure transmission of the sensitive information needs to be as simple and usable as possible from the point of view of the user.
- FIG. 1 shows the entities in the system 100 that allow the user 106 to securely pay for telephony services through the client 112 .
- the user 106 makes the payment to a payment service provider 116 .
- the PSP 116 is a private network that is connected to network 104 , and may comprise a PSP proxy 118 and a PSP web application 120 .
- the PSP proxy 118 is a software program running on a processor in a server, which is connected between the PSP web application 120 and the network 104 , and is responsible for decrypting information before it is presented to the PSP web application 120 .
- the PSP web application 120 is a software application executed on a processor in a server.
- the PSP proxy 118 and PSP web application 120 may be located on separate servers, or may be running on the same server.
- the PSP 116 may be operated by a different operator than the telephony service.
- the Skype backend server 122 and the Skype web application 124 may be located within the private network 128 of the operator of the telephony system.
- the Skype backend server 122 and the Skype web application 124 may be geographically co-located, or may be geographically separated.
- the Skype backend server 122 is located between the Skype web application 124 and the network 104 , and is responsible for exchanging messages between the Skype web application 124 and the client 112 .
- the Skype backend 122 and the client 112 communicate using a proprietary Skype protocol, and do not use HTTP. This is to avoid the detection and blocking of HTTP messages by third parties and firewalls, as discussed previously.
- the Skype backend 122 also blocks HTTP.
- the user terminal 102 has web browsing software 130 installed on it, in addition to the client 112 .
- the web browser 130 is capable of being utilised as part of the user interface of the client 112 , and can be controlled by the client 112 to display hypertext markup language (“HTML”) webpages to the user 106 .
- HTML hypertext markup language
- step S 1 the Skype web application 124 will periodically query the PSP web application 120 for a new version of its public key.
- the message in step S 1 is in the form of a HTTP Get request specifying the uniform resource locator (“URL”) of the key located at the PSP web application.
- the PSP web application 120 will return the public key to the Skype web application 124 in step S 2 .
- the above two steps are performed periodically and independently of any other operations to ensure that the Skype web application 124 always has an up-to-date copy of the public key.
- the client 112 periodically polls the Skype backend 122 using the Skype protocol for a new version of the public key in step S 3 .
- the Skype backend server 122 forwards the request to the Skype web application 124 in the form of an HTTP Get request specifying the URL of the key stored in the Skype web application in step S 4 .
- the Skype web application 124 returns the key to the Skype backend server 122 in step S 5 , and this is passed to the client 112 in step S 6 using the Skype protocol.
- the above four steps are performed periodically, without the user being aware of its operation, in order to ensure that the key information is always up to date in the client 112 .
- the client 112 has a recent copy of the public key of the PSP web application 120 for use in the payment process, as described in more detail hereinbelow.
- FIG. 2B shows the user 106 initiating the payment process.
- the user 106 clicks a button which may be labeled “Buy Skype Credit” (although other labeling is possible) displayed in the client 112 , indicating to the client 112 that the payment process should be started.
- the client 112 initiates web browser 130 control, in which the client opens the web browser within the client user interface, and when complete a signal is returned to the client 112 in step S 9 .
- a URL which may, for example, be of the form “nonsecure://skype/buycredit.html”. This is a request to retrieve the page “buycredit.html” from the server “skype”, so that the page “buycredit.html” may be displayed to the user 106 in the web browser 130 .
- This request does not begin with the standard “http://”, but uses a marker string “nonsecure”.
- a request such as “nonsecure://skype/buycredit.html” has the same functionality as a standard HTTP request, but the string “nonsecure” allows the client 112 to intercept the request and determine what action to take. In other words, “nonsecure” acts as a marker for the client 112 to use when intercepting requests.
- the client 112 When the client 112 sees an attempt to make a request using “nonsecure”, the client 112 knows that the request does not contain sensitive information, and that the request can be sent to the Skype backend server 122 (a further marker is also used, “secure”, as will be described hereinafter).
- the client 112 wraps the “nonsecure” request message into a Skype proprietary communication protocol message and this is sent to the Skype backend server 122 .
- the Skype backend server 122 unwraps the “nonsecure” request from the Skype proprietary communication protocol.
- the requests only contain references to arbitrary services, not actual server addresses and ports.
- the request “nonsecure://skype/buycredit.html” only contains a reference to a server “skype”, and not an actual server address.
- the Skype backend server 122 therefore needs to resolve an arbitrary reference to a service name into a web server address. This is achieved by maintaining a table of correspondence between services and server addresses.
- the Skype backend server 122 resolves the message from the client 112 to obtain the web server address. For example, the reference to “skype” in “nonsecure://skype/buycredit.html” may be resolved to “http://webstore.skype.com”. The Skype backend server 122 then constructs a new HTTP request using the resolved address and the rest of the “nonsecure” request, resulting in, for example, “http://webstore.skype.com/buycredit.html”.
- This HTTP request is forwarded to the resolved location of the Skype web application 124 in the form of the above HTTP Get request at step S 11 , and the requested page is returned by the Skype web application 124 in step S 12 in the form of HTML.
- the Skype backend 122 wraps the HTML response from the Skype web application in the Skype protocol and forwards the page to the client 112 in step S 13 , and this is then unwrapped from the Skype protocol and sent to the web browser 130 in step S 14 , and subsequently displayed to the user 106 in step S 15 .
- step S 16 the user 106 views the page in the web browser 130 window and clicks on a link which may be labeled “Get Started”.
- This link may be, for example, a link to the URL “nonsecure://skype/getstarted.html”.
- the client 112 intercepts the web browser's attempt to make a “nonsecure” request (a type of HTTP Get request) to navigate to the linked webpage at step S 17 .
- the client 112 wraps the “nonsecure” request message into a Skype proprietary communication protocol message and this is sent to the Skype backend 122 in step S 18 .
- the Skype backend 122 unwraps the message and resolves the message from the client 112 to obtain the web server address in a similar manner to that described above with reference to step S 10 .
- the Skype backend 122 then creates a HTTP request from the resolved web server address and the unwrapped “nonsecure” request, for example “http://webstore.skype.com/getstarted.html”.
- the HTTP request is forwarded to the resolved address of the Skype web application 124 in step S 119 .
- the Skype web application 124 returns the webpage “getstarted.html” to the Skype backend 122 in step S 20 , which wraps the response in the Skype protocol and forwards it to the client 112 in step S 21 , and this is unwrapped and passed to the web browser 130 window in step S 22 and displayed to the user 106 in step S 23 .
- the page displayed to the user 106 comprises a form to enter initial payment information.
- the user 106 views the page and fills in the initial payment information, such as a billing address, email address and payment method and clicks “next”.
- the “next” button is associated with a URL, which may be, for example, “nonsecure://skype/initialform.html”.
- the HTTP Post request from the web browser 130 is received by the client 112 (which detects the use of the “nonsecure” marker) before it can reach the network port 105 .
- the client wraps the HTTP Post request in a Skype protocol message and this message is forwarded to the Skype backend server 122 in step S 26 .
- the client 112 may include other information in the message when it is wrapped in the Skype protocol, as discussed in more detail hereinafter with reference to FIG. 3 .
- the Skype backend server 122 then sends the resolved request to the Skype web application 124 in step S 27 to initiate the payment.
- the Skype web application 124 sends a message containing the initial payment information to the PSP web application 120 in step S 28 to initiate the payment at the PSP.
- step S 29 the PSP web application 120 processes the information and returns the URL of a webpage containing the appropriate form for the payment method, such as a credit card information form.
- the Skype web application 124 receives the URL and creates a redirect header.
- the redirect header is sent to the Skype backend 122 in step S 30 .
- the Skype backend server 122 resolves the address from the redirect header and sends a request to the PSP web application 120 to obtain the required webpage in step S 31 .
- the PSP web application 120 then returns the webpage containing the form for the payment details (such as credit card information) in step S 32 .
- This webpage is subsequently forwarded to the client 112 using the Skype protocol in step S 33 , unwrapped and passed to the web browser 130 in step S 34 , and displayed to the user 106 in step S 35 .
- step S 36 the user 106 enters the payment information (for example credit card number, expiry date or other information) into the HTML form presented in the web browser window and clicks a “Submit” button.
- the “Submit” button is associated with a URL, which may be, for example, “secure://somepsp/creditcardform.html”.
- the web browser 130 then generates a type of HTTP Post request using a marker “secure” containing the payment information (in the form of postData) and the URL above in step S 37 .
- the HTTP Post request from the web browser 130 is intercepted by the client 112 , and prevented from being sent into the network 104 . In particular, the client detects the marker “secure”. This not only indicates to the client that it should intercept the message (as with “nonsecure”), but also that the information in the message should be encrypted.
- step S 38 the payment information, in the form of postData from the HTTP Post request, is encrypted using the public key of the PSP (provided to the client as outlined above with regards to FIG. 2A ).
- the client 112 then wraps the HTTP Post request including the encrypted payment information in the Skype protocol format.
- the client 112 includes further information in the Skype protocol message.
- the further information may include user information, such as the user's Skypename and the version of the client 112 they are running, and context information containing fraud-related information about the request context, such as the identity of the terminal and the user.
- the Skype protocol message is forwarded to the Skype backend server 122 from the client 112 in step S 39 .
- Providing user information and context information in the Skype protocol message gives the advantage of additional security. This is because, in the case of ordinary Web access, it is easy to conceal the identity of the actual terminal that a request originates from, and this often happens unintentionally on the part of the user (due to the use of proxies). However, the information in the Skype protocol message ties the request to a specific terminal, which can allow for the use of greater fraud detection mechanisms. Furthermore, the client 112 already knows the identity of user, and this information can therefore be passed to the PSP web application without having to prompt the user for an additional username and password.
- the Skype backend 122 receives the Skype protocol message containing the encrypted payment information.
- the Skype backend 122 unwraps the Skype protocol message to leave the HTTP Post request comprising the encrypted payment information.
- the Skype backend 122 resolves the reference contained in the request to the server address of the PSP proxy 118 , for example resolving the reference to “somepsp” to “http://www.psp.com”.
- This HTTP Post request is sent from the Skype backend 122 to the PSP Proxy 118 in step S 40 .
- the Skype backend 122 is not aware at any point of the actual contents of the request message. It does not decrypt the information, but merely “repackages” it into a new message. The Skype backend 122 therefore does not require PCI compliance. Furthermore, the Skype backend 122 does not store the payment information, and is therefore not a target for hackers.
- steps S 37 , S 39 and S 40 can be seen further illustrated in FIG. 3 , which shows an example of the structure of the messages received and sent in these steps.
- This shows the HTTP Post request 302 using the “secure” marker from the web browser 130 , comprising the reference to the PSP 304 and the unencrypted postData 306 , as received at the client 112 .
- the postData (the payment information) is encrypted to produce the encrypted payment information 308 .
- the encrypted payment information 308 , the reference to the PSP 304 , user information 310 , and context 312 are wrapped between a Skype protocol header 314 and Skype protocol footer 316 to form the Skype protocol message 318 .
- the Skype protocol message 318 is sent to the Skype backend 122 , where it is unwrapped and the PSP reference 304 resolved to form an HTTP Post request 320 comprising the server address of the PSP 322 and the encrypted payment information 308 .
- step S 41 the encrypted payment information in the HTTP Post request is decrypted by the PSP proxy 118 to obtain the original payment information entered by the user 106 .
- the decrypted payment information is then sent to the PSP web application 120 in step S 42 in the form of a HTTP Post request containing the decrypted payment information as postData and the URL of the PSP web application.
- the PSP web application 120 processes the payment information from the user 106 . If, following the processing of the payment information, the payment is completed, then the operation shown in FIG. 2D is performed. If, on the other hand, the payment is not yet completed, then the operation shown in FIG. 2E is performed.
- step S 43 the PSP web application 120 issues a redirect header in response to the completed payment.
- the redirect header is received at the PSP proxy 118 and forwarded without any changes to the Skype backend 122 in step S 44 .
- the Skype backend 122 processes the redirect header, and, in step S 45 , sends an HTTP Get request to the URL of the Skype web application 124 referred to in the redirect header.
- the Skype web application 124 returns a HTML webpage to the Skype backend 122 in response in step S 46 .
- the HTML webpage is then forwarded to the client 112 in step S 46 , and onto the web browser 130 in step S 48 .
- the user 106 is displayed the results of the transaction in the web browser window in step S 49 .
- FIG. 2E shows the case in which the payment has not yet been completed. This may occur if the user has entered their credit card details incorrectly, or in the case that the PSP requests additional information for fraud control purposes.
- the PSP web application 120 generates a HTML webpage to be displayed to the user 106 .
- the HTML page is sent to the PSP proxy 118 in step S 50 , and forwarded unaltered to the Skype backend 122 in step S 51 .
- the Skype backend 122 forwards the HTML webpage to the client 112 in step S 52 , and onto the web browser 130 in step S 53 .
- the user 106 is displayed the HTML page from the PSP web application 120 in the web browser window in step S 54 .
- FIG. 4 shows a flowchart summarising the operations performed at the user terminal 102 .
- the user 106 chooses to make a payment from within the client program 112 .
- the client 112 opens a web browser 130 within the client user interface at step S 404 .
- a payment details form is fetched from the PSP 116 , and is presented to the user in step S 406 in the web browser 130 .
- the user 106 enters the payment information into the form in the web browser 130 .
- the web browser 130 creates a HTTP Post request with the “secure” marker including the payment information ( 302 as shown in FIG. 3 ) and attempts to send this into the network 104 via the network port 105 in step S 410 .
- the client 112 detects the “secure” marker and intercepts the HTTP Post request from the web browser 130 in step S 412 , thereby preventing it from being sent into the network 104 .
- the client 112 encrypts the payment information from the HTTP Post request.
- the client wraps the HTTP Post request with the encrypted payload in a Skype proprietary protocol message ( 318 in FIG. 3 ).
- the client transmits the Skype protocol message containing the encrypted payment information to the Skype backend server 122 .
- FIG. 5 shows the page flow for the operations shown in FIGS. 2B-2D .
- the step numbers shown in FIG. 5 correspond to those as shown in FIGS. 2B-2D .
- “IE” refers to “Internet Explorer”, which is an example of a type of web browser 130 .
Abstract
Description
- This application claims priority under 35 U.S.C. § 119 or 365 to Great Britain Application No. GB 0608752.2, filed May 3, 2006. The entire teachings of the above application are incorporated herein by reference.
- This invention relates to a secure transmission system and method, particularly but not exclusively for use in a peer-to-peer telecommunications system.
- Peer-to-peer telecommunications systems allow the user of a device, such as a personal computer, to make telephone calls across a computer network such as the Internet. These systems are beneficial to the user as they are often of significantly lower cost than traditional telephony networks, such as fixed line or mobile networks. This may particularly be the case for long distance calls. These systems may utilise voice over internet protocol (“VoIP”) over an existing network (e.g. the Internet) to provide these services, although alternative protocols can also be used. To use a peer-to-peer telephony service, the user must install and execute client software on their device. The client software provides the VoIP connections as well as other functions such as registration and authentication.
- Some calls in a peer-to-peer telephony network may be free to the user, such as calls to other user of the same peer-to-peer system. However, other calls, such as to fixed line telephones or mobiles, may require the user to pay for the service. This therefore requires the user to provide sensitive information to the system, and hence requires a high level of security for transmissions of such data. Many peer-to-peer telephone systems operate a pre-paid account system. In these systems, the user must securely transfer sensitive information to a payment service provider in order to credit their account, and this credit is then used during the calls made. Once the credit runs out, the user must again securely transfer sensitive information to the payment service provider to credit more money into their account in order to continue using the service. In alternative systems, the user may be invoiced for the amount of calls they have made over a period of time, or may be required to make a fixed payment regardless of the number of calls made.
- In existing peer-to-peer telephony systems, the user can securely transfer sensitive data to a payment service provider by opening a web browser program and navigating to the site of the telephony system operator. From this web page the user can select links to make a payment to their account. The user can then enter credit card or other payment information into the web page. The web browser can use known secure protocols for sending the sensitive information to a payment service provider. The disadvantage of this method is that it requires the user to open a separate program on their terminal (i.e. a web browser) in order to make a payment. The user may also be required to proceed through several clicks of the webpages before reaching the correct page. Furthermore, the user must have access to the World Wide Web in order to make such a payment. However, in some circumstances the user may be blocked from accessing the web for security reasons, but would otherwise still be able to use the peer-to-peer telephony service.
- From a usability perspective, it would be desirable for the user of the telephony system to be able to make secure payments for services directly from the client software running on the user's terminal. This is because the user directly associates the client program with the telephony service. Furthermore, by allowing secure payment from within the client program, this avoids the need for the user to open other programs in order to securely transmit sensitive information for the service. For example, as discussed hereinbefore, if the user needs to transmit the sensitive information over the Internet, the user may be required to open a browser on his or her terminal and then enter the correct address of the web site through which they should pay before they can enter any payment details. This process can be prone to user error, and hence frustration on the part of the user. In addition, some users may also be suspicious of entering sensitive information on web site pages, and may have a greater level of trust in the client software provided by the operator of the telephony service. The client, however, already knows the identity of user, and this information can therefore be passed to the payment provider without having to prompt the user for an additional username and password, thereby making the payment process more straightforward for the user.
- However, any information transmitted over the network related to sensitive information must be secure. In particular, sensitive information should not be sent unencrypted. A conventional way of sending sensitive information is using a hypertext transfer protocol (“HTTP”) message format, such as HTTP secure (“HTTPS”), which encrypts data using a version of the secure socket layer (“SSL”) or transport layer security (“TLS”) protocols. However, any HTTP messages sent from the client software are easy to detect and block resulting in a failure to deliver the HTTP message and thus the encrypted data. The detection and blocking of HTTP messages may be done by third parties or firewalls. For example, some companies see the ability to access arbitrary webpages as a security risk and may therefore block HTTP. However, the telephony service provider does not pose a security risk as its content would be obtained from trusted sources. Furthermore, some companies or third parties may wish to block the peer-to-peer telephony service itself. Whilst the actual telephony traffic may be difficult to detect, the client may make specific HTTP requests to perform its tasks. These requests can therefore be detected and allow the terminal running the client to be determined, and the requests blocked.
- There is therefore a need for a secure transmission system and method in a network, such as the Internet, that enables the transmission of sensitive information from a local client to a web-based service provider.
- According to one aspect of the present invention there is provided a method of transmitting information from a user to a first network entity over a communications network, comprising the steps of: the user entering information into a browser executed at a user terminal; the browser generating a first message comprising the information using a first communication protocol for dispatch over the network via a network port, the first message including an identifier of the first network entity; receiving the first message at a client executed at the user terminal before the first message reaches the network port; wrapping the first message in a second message of a second communication protocol used for transmitting messages between the client and a second network entity; transmitting the second message to the second network entity over the communications network; and unwrapping the first message from the second message at the second network entity, translating the identifier of the first network entity to a network address of the first network entity and transmitting the first message to the first network entity over the communications network.
- In one embodiment the method further comprises the step of encrypting the information in the first message after receiving the first message at the client. In another embodiment the method further comprises the step of receiving the first message transmitted by the second network entity at the first network entity. In another embodiment the method further comprises the step of decrypting the information in the first message, after it is received at the first network entity. In another embodiment the step of encrypting is performed using an encryption key provided by the first network entity. In another embodiment the method further comprises the step of the first network entity periodically transmitting the encryption key to the second network entity.
- In another embodiment the method further comprises the steps of: transmitting a third message to the second network entity from the first network entity, responsive to receiving the first message; receiving the third message at the second network entity and, responsive thereto, fetching a webpage from a server; wrapping the webpage in a fourth message of the second communication protocol; transmitting the fourth message to the client over the communications network; unwrapping the webpage from the fourth message at the client and passing the webpage to the browser; and displaying the webpage to the user in the browser. Preferably, the third message is a redirect message.
- In another embodiment the step of wrapping the first message in a second message of a second communication protocol comprises the step of adding a header and a footer to the first message.
- Preferably, the first communication protocol is a hypertext transfer protocol. Preferably, the first network entity is a payment service provider. Preferably, the communications network is the Internet. Preferably, the second network entity is a Skype backend server. Preferably, the information is payment information.
- According to another aspect of the present invention there is provided a system for transmitting information from a user to a first network entity over a communications network, comprising: a browser executed at a user terminal, the browser comprising means for receiving information entered by the user, and means for generating a first message comprising the information using a first communication protocol for dispatch over the network via a network port, the first message including an identifier of the first network entity; a client executed at the user terminal comprising means for receiving the first message at the client before the first message reaches the network port, means for wrapping the first message in a second message of a second communication protocol used for transmitting messages between the client and a second network entity, and means for transmitting the second message to the second network entity over the communications network; and the second network entity comprising means for unwrapping the first message from the second message at the second network entity, means for translating the identifier of the first network entity to a network address of the first network entity, and means for transmitting the first message to the first network entity over the communications network.
- In one embodiment the client further comprises means for encrypting the information in the first message after receiving the first message at the client. In another embodiment the first network entity further comprises means for receiving the first message transmitted by the second network entity. In another embodiment the first network entity further comprises means for decrypting the information in the first message, after it is received at the first network entity. In another embodiment the encryption is performed using an encryption key provided by the first network entity. In another embodiment the first network entity further comprises means for periodically transmitting the encryption key to the second network entity.
- In another embodiment the first network entity further comprises means for transmitting a third message to the second network entity, responsive to receiving the first message. In another embodiment the second network entity further comprises means for receiving the third message and, responsive thereto, fetching a webpage from a server, means for wrapping the webpage in a fourth message of the second communication protocol, and means for transmitting the fourth message to the client over the communications network. In another embodiment the client further comprises means for unwrapping the webpage from the fourth message and passing the webpage to the browser. In another embodiment the browser further comprises means for displaying the webpage to the user. Preferably, the third message is a redirect message.
- In another embodiment the means for wrapping the first message in a second message of a second communication protocol comprises means for adding a header and a footer to the first message.
- Preferably, the first communication protocol is a hypertext transfer protocol. Preferably, the first network entity is a payment service provider. Preferably, the communications network is the Internet. Preferably, the second network entity is a Skype backend server. Preferably, the information is payment information.
- According to another aspect of the present invention there is provided a user terminal comprising: a browser executed at the user terminal, the browser comprising means for receiving information entered by a user, and means for generating a first message comprising the information using a first communication protocol for dispatch over a communications network via a network port, the first message including an identifier of a first network entity; and a client executed at the user terminal comprising means for receiving the first message at the client before the first message reaches the network port, means for wrapping the first message in a second message of a second communication protocol used for transmitting messages between the client and a second network entity, and means for transmitting the second message to the second network entity over the communications network.
- According to another aspect of the present invention there is provided a network entity comprising: means for unwrapping a first message of a first communication protocol from a second message of a second communication protocol transmitted by a client executed at a user terminal to the network entity over a communications network, the first message including an identifier of a further network entity; means for translating the identifier of the further network entity to a network address of the further network entity; and means for transmitting the first message to the further network entity over the communications network.
- According to another aspect of the present invention there is provided a computer program product comprising program code means which when loaded into a computer controls the computer to carry out the method above.
- For a better understanding of the present invention and to show how the same may be put into effect, reference will now be made, by way of example, to the following drawings in which:
-
FIG. 1 shows a peer-to-peer telephony system with the secure transfer of information to a payment service provider; -
FIG. 2A shows the messages exchanged in the system ofFIG. 1 for the maintenance of key information; -
FIG. 2B shows the messages exchanged in the system ofFIG. 1 for the initiation of a payment; -
FIG. 2C shows the messages exchanged in the system ofFIG. 1 for the secure transfer of payment information; -
FIG. 2D shows the messages exchanged in the system ofFIG. 1 for the transmission of a completed payment result; -
FIG. 2E shows the messages exchanged in the system ofFIG. 1 for the transmission of a uncompleted payment result; -
FIG. 3 shows the structure of the messages sent in the secure transfer of payment information; -
FIG. 4 shows a flowchart outlining the operations performed at the user terminal; and -
FIG. 5 shows the page flow for the operations performed inFIG. 2B-2D . - Reference will first be made to
FIG. 1 , in which is shown a peer-to-peer telephony system 100 with the secure transfer of information to a payment service provider. - A user terminal 102 is shown connected to a
network 104. The user terminal may be, for example, a personal computer, personal digital assistant, a suitably enabled mobile phone or other device able to connect to thenetwork 104. The user terminal 102 is connected to thenetwork 104 via anetwork port 105, and may be via a cable (wired) connection or a wireless connection. Thenetwork 104 may be a network such as the Internet. - A
user 106 of user terminal 102 can make a telephone call tosecond user 108 of asecond user terminal 110 across thenetwork 104. The user terminal is running aclient 112, provided by the operator of the peer-to-peer telephony system. Theclient 112 is a software program executed on a local processor in the user terminal 102. To initiate the call, theuser 106 can click on the contact listed for thesecond user 108 displayed in theclient 112, or can alternatively type in a telephone number or username for thesecond user 108. Theclient 112 then sets up the call to thesecond user 108. The telephone call may be made using VoIP, in accordance with methods known in the art, such as disclosed in WO 2005/009019. The telephone call may comprise voice, video, instant messaging (“IM”), or a combination thereof. - The
second user terminal 110 may be directly connected to the network 104 (as shown inFIG. 1 ), or may be connected to a different network such as the public switched telephone network (“PSTN”) or a mobile network (not shown inFIG. 1 ). If the second user terminal is connected to thenetwork 104, then it may be running aclient program 114 provided by the operator of the telephony system, similar to theclient 112 running on the first user terminal 102. If connected to the PSTN, the second user terminal may be a fixed line telephone, and if connected to a mobile network, the second user terminal may be a mobile telephone. - In order to be able to make telephone calls, the
user 106 must be suitably registered and authenticated. Furthermore, theuser 106 must also be able to pay for the telephone services. Sensitive payment information therefore needs to be transferred from theuser 106 to a payment service provider (“PSP”) across thenetwork 104. As the payment information is of a sensitive nature, the payment system needs to be very secure. If there is sensitive information flowing though the telephony system servers, then the system must comply with payment card industry (“PCI”) rules enforced by credit card companies. Complying with these rules is expensive and takes time. In addition, if the servers of the telephony system are storing sensitive payment information, then they are likely to become a target for attack by hackers. There is therefore significant benefit in reducing the number of system entities that are exposed to sensitive information and need to be PCI compliant. Furthermore, the secure transmission of the sensitive information needs to be as simple and usable as possible from the point of view of the user. - As stated previously, it is significantly simpler for the user of the telephony system to be able to securely pay for services directly using the
client 112 running on the user terminal 102. In addition, this allows the client to be the only part of the telephony system that needs to be PCI compliant. As will be described hereinafter, the rest of the system just sees encrypted information, and has no knowledge of the information content. Therefore, the rest of the system is not directly dealing with sensitive information and does not need to be PCI compliant. The expense of making the client PCI compliant is an order of magnitude cheaper than maintaining a secure server environment.FIG. 1 shows the entities in thesystem 100 that allow theuser 106 to securely pay for telephony services through theclient 112. Theuser 106 makes the payment to apayment service provider 116. ThePSP 116 is a private network that is connected to network 104, and may comprise aPSP proxy 118 and aPSP web application 120. ThePSP proxy 118 is a software program running on a processor in a server, which is connected between thePSP web application 120 and thenetwork 104, and is responsible for decrypting information before it is presented to thePSP web application 120. ThePSP web application 120 is a software application executed on a processor in a server. ThePSP proxy 118 andPSP web application 120 may be located on separate servers, or may be running on the same server. ThePSP 116 may be operated by a different operator than the telephony service. - Also connected to the
network 104 are aSkype backend server 122 and aSkype web application 124. TheSkype backend server 122 and theSkype web application 124 may be located within theprivate network 128 of the operator of the telephony system. TheSkype backend server 122 and theSkype web application 124 may be geographically co-located, or may be geographically separated. TheSkype backend server 122 is located between theSkype web application 124 and thenetwork 104, and is responsible for exchanging messages between theSkype web application 124 and theclient 112. TheSkype backend 122 and theclient 112 communicate using a proprietary Skype protocol, and do not use HTTP. This is to avoid the detection and blocking of HTTP messages by third parties and firewalls, as discussed previously. Furthermore, theSkype backend 122 also blocks HTTP. - The user terminal 102 has
web browsing software 130 installed on it, in addition to theclient 112. Theweb browser 130 is capable of being utilised as part of the user interface of theclient 112, and can be controlled by theclient 112 to display hypertext markup language (“HTML”) webpages to theuser 106. - The operation of the
system 100 shown inFIG. 1 will now be described with reference toFIGS. 2A-2E . Referring first toFIG. 2A , this figure shows the maintenance of cryptography key information at theclient 112. In step S1, theSkype web application 124 will periodically query thePSP web application 120 for a new version of its public key. The message in step S1 is in the form of a HTTP Get request specifying the uniform resource locator (“URL”) of the key located at the PSP web application. In response to this request, thePSP web application 120 will return the public key to theSkype web application 124 in step S2. The above two steps are performed periodically and independently of any other operations to ensure that theSkype web application 124 always has an up-to-date copy of the public key. - The
client 112 periodically polls theSkype backend 122 using the Skype protocol for a new version of the public key in step S3. TheSkype backend server 122 forwards the request to theSkype web application 124 in the form of an HTTP Get request specifying the URL of the key stored in the Skype web application in step S4. TheSkype web application 124 returns the key to theSkype backend server 122 in step S5, and this is passed to theclient 112 in step S6 using the Skype protocol. The above four steps are performed periodically, without the user being aware of its operation, in order to ensure that the key information is always up to date in theclient 112. - Therefore, as a result of the steps performed in
FIG. 2A , theclient 112 has a recent copy of the public key of thePSP web application 120 for use in the payment process, as described in more detail hereinbelow. -
FIG. 2B shows theuser 106 initiating the payment process. In step S7, theuser 106 clicks a button which may be labeled “Buy Skype Credit” (although other labeling is possible) displayed in theclient 112, indicating to theclient 112 that the payment process should be started. In step S8, theclient 112 initiatesweb browser 130 control, in which the client opens the web browser within the client user interface, and when complete a signal is returned to theclient 112 in step S9. - Associated with the button “Buy Skype Credit” is a URL, which may, for example, be of the form “nonsecure://skype/buycredit.html”. This is a request to retrieve the page “buycredit.html” from the server “skype”, so that the page “buycredit.html” may be displayed to the
user 106 in theweb browser 130. This request does not begin with the standard “http://”, but uses a marker string “nonsecure”. A request such as “nonsecure://skype/buycredit.html” has the same functionality as a standard HTTP request, but the string “nonsecure” allows theclient 112 to intercept the request and determine what action to take. In other words, “nonsecure” acts as a marker for theclient 112 to use when intercepting requests. When theclient 112 sees an attempt to make a request using “nonsecure”, theclient 112 knows that the request does not contain sensitive information, and that the request can be sent to the Skype backend server 122 (a further marker is also used, “secure”, as will be described hereinafter). - At step S110, the
client 112 wraps the “nonsecure” request message into a Skype proprietary communication protocol message and this is sent to theSkype backend server 122. On receipt of the message, theSkype backend server 122 unwraps the “nonsecure” request from the Skype proprietary communication protocol. For security and maintainability reasons, the requests only contain references to arbitrary services, not actual server addresses and ports. For example, the request “nonsecure://skype/buycredit.html” only contains a reference to a server “skype”, and not an actual server address. TheSkype backend server 122 therefore needs to resolve an arbitrary reference to a service name into a web server address. This is achieved by maintaining a table of correspondence between services and server addresses. Only theSkype backend server 122 maintains the mapping table between references and server addresses. TheSkype backend 122 resolves the message from theclient 112 to obtain the web server address. For example, the reference to “skype” in “nonsecure://skype/buycredit.html” may be resolved to “http://webstore.skype.com”. TheSkype backend server 122 then constructs a new HTTP request using the resolved address and the rest of the “nonsecure” request, resulting in, for example, “http://webstore.skype.com/buycredit.html”. - This HTTP request is forwarded to the resolved location of the
Skype web application 124 in the form of the above HTTP Get request at step S11, and the requested page is returned by theSkype web application 124 in step S12 in the form of HTML. TheSkype backend 122 wraps the HTML response from the Skype web application in the Skype protocol and forwards the page to theclient 112 in step S13, and this is then unwrapped from the Skype protocol and sent to theweb browser 130 in step S14, and subsequently displayed to theuser 106 in step S15. - In step S16, the
user 106 views the page in theweb browser 130 window and clicks on a link which may be labeled “Get Started”. This link may be, for example, a link to the URL “nonsecure://skype/getstarted.html”. Theclient 112 intercepts the web browser's attempt to make a “nonsecure” request (a type of HTTP Get request) to navigate to the linked webpage at step S17. Theclient 112 wraps the “nonsecure” request message into a Skype proprietary communication protocol message and this is sent to theSkype backend 122 in step S18. TheSkype backend 122 unwraps the message and resolves the message from theclient 112 to obtain the web server address in a similar manner to that described above with reference to step S10. TheSkype backend 122 then creates a HTTP request from the resolved web server address and the unwrapped “nonsecure” request, for example “http://webstore.skype.com/getstarted.html”. The HTTP request is forwarded to the resolved address of theSkype web application 124 in step S119. TheSkype web application 124 returns the webpage “getstarted.html” to theSkype backend 122 in step S20, which wraps the response in the Skype protocol and forwards it to theclient 112 in step S21, and this is unwrapped and passed to theweb browser 130 window in step S22 and displayed to theuser 106 in step S23. - The page displayed to the
user 106 comprises a form to enter initial payment information. In step S24, theuser 106 views the page and fills in the initial payment information, such as a billing address, email address and payment method and clicks “next”. The “next” button is associated with a URL, which may be, for example, “nonsecure://skype/initialform.html”. The web browser generates a type of HTTP Post request including the information entered into the form, such as “nonsecure://skype/initialform.html?address=x&method=y” (where “address=x” and “method=y” represents exemplary information entered by the user in the form), and transmits this message to thenetwork 104 via thenetwork port 105 in step S25. The HTTP Post request from theweb browser 130 is received by the client 112 (which detects the use of the “nonsecure” marker) before it can reach thenetwork port 105. The client wraps the HTTP Post request in a Skype protocol message and this message is forwarded to theSkype backend server 122 in step S26. Note that theclient 112 may include other information in the message when it is wrapped in the Skype protocol, as discussed in more detail hereinafter with reference toFIG. 3 . - The
Skype backend server 122 unwraps and resolves the HTTP Post request message. For example, “nonsecure://skype/initialform.html?address=x&method=y” may be resolved to a HTTP message of the form “http://webstore.skype.com/initialform.html?address=x&method=y”. TheSkype backend server 122 then sends the resolved request to theSkype web application 124 in step S27 to initiate the payment. TheSkype web application 124 sends a message containing the initial payment information to thePSP web application 120 in step S28 to initiate the payment at the PSP. In step S29 thePSP web application 120 processes the information and returns the URL of a webpage containing the appropriate form for the payment method, such as a credit card information form. TheSkype web application 124 receives the URL and creates a redirect header. The redirect header is sent to theSkype backend 122 in step S30. - The
Skype backend server 122 resolves the address from the redirect header and sends a request to thePSP web application 120 to obtain the required webpage in step S31. ThePSP web application 120 then returns the webpage containing the form for the payment details (such as credit card information) in step S32. This webpage is subsequently forwarded to theclient 112 using the Skype protocol in step S33, unwrapped and passed to theweb browser 130 in step S34, and displayed to theuser 106 in step S35. - As a result of the procedure outlined in
FIG. 2B , theuser 106 has been presented with a form in theweb browser 130, into which the user can enter credit card payment information. This payment information is sensitive, and therefore must be handled in a secure manner. The method in which this is performed can be seen with reference toFIG. 2C . - In step S36, the
user 106 enters the payment information (for example credit card number, expiry date or other information) into the HTML form presented in the web browser window and clicks a “Submit” button. The “Submit” button is associated with a URL, which may be, for example, “secure://somepsp/creditcardform.html”. Theweb browser 130 then generates a type of HTTP Post request using a marker “secure” containing the payment information (in the form of postData) and the URL above in step S37. This HTTP Post request may be, for example, “secure://somepsp/creditcardform.html?cardno=1234&expirydate=01012010” (where “cardno=1234” and “expirydate=01012010” represents exemplary credit card information entered in the form. Note also that this is a POST request represented in GET notation for ease of reading). The HTTP Post request from theweb browser 130 is intercepted by theclient 112, and prevented from being sent into thenetwork 104. In particular, the client detects the marker “secure”. This not only indicates to the client that it should intercept the message (as with “nonsecure”), but also that the information in the message should be encrypted. - In step S38, the payment information, in the form of postData from the HTTP Post request, is encrypted using the public key of the PSP (provided to the client as outlined above with regards to
FIG. 2A ). The encryption is performed using a standard encryption algorithm as are known in the art. For example, if the postData were to comprise information such as “cardno=1234” and “expirydate=01012010”, this is encrypted to form a new HTTP Post request with, e.g., “payload=34214123ddasdas”. The client then creates a new HTTP Post request with the encrypted payload, for example “secure://somepsp/creditcardform.html?payload=34214123ddasdas”. - The
client 112 then wraps the HTTP Post request including the encrypted payment information in the Skype protocol format. In addition, theclient 112 includes further information in the Skype protocol message. The further information may include user information, such as the user's Skypename and the version of theclient 112 they are running, and context information containing fraud-related information about the request context, such as the identity of the terminal and the user. The Skype protocol message is forwarded to theSkype backend server 122 from theclient 112 in step S39. - Providing user information and context information in the Skype protocol message gives the advantage of additional security. This is because, in the case of ordinary Web access, it is easy to conceal the identity of the actual terminal that a request originates from, and this often happens unintentionally on the part of the user (due to the use of proxies). However, the information in the Skype protocol message ties the request to a specific terminal, which can allow for the use of greater fraud detection mechanisms. Furthermore, the
client 112 already knows the identity of user, and this information can therefore be passed to the PSP web application without having to prompt the user for an additional username and password. - The
Skype backend 122 receives the Skype protocol message containing the encrypted payment information. TheSkype backend 122 unwraps the Skype protocol message to leave the HTTP Post request comprising the encrypted payment information. TheSkype backend 122 resolves the reference contained in the request to the server address of thePSP proxy 118, for example resolving the reference to “somepsp” to “http://www.psp.com”. TheSkype backend 122 then creates a new HTTP Post request message by combining the resolved server address of thePSP proxy 118 with the encrypted payload from the “secure” message. For example, this may create a HTTP Post request such as http://www.psp.com/creditcardform.html?payload=34214123ddasdas. This HTTP Post request is sent from theSkype backend 122 to thePSP Proxy 118 in step S40. It should be noted that theSkype backend 122 is not aware at any point of the actual contents of the request message. It does not decrypt the information, but merely “repackages” it into a new message. TheSkype backend 122 therefore does not require PCI compliance. Furthermore, theSkype backend 122 does not store the payment information, and is therefore not a target for hackers. - The operation performed in steps S37, S39 and S40 can be seen further illustrated in
FIG. 3 , which shows an example of the structure of the messages received and sent in these steps. This shows theHTTP Post request 302 using the “secure” marker from theweb browser 130, comprising the reference to thePSP 304 and theunencrypted postData 306, as received at theclient 112. The postData (the payment information) is encrypted to produce theencrypted payment information 308. Theencrypted payment information 308, the reference to thePSP 304,user information 310, andcontext 312 are wrapped between aSkype protocol header 314 andSkype protocol footer 316 to form theSkype protocol message 318. TheSkype protocol message 318 is sent to theSkype backend 122, where it is unwrapped and thePSP reference 304 resolved to form anHTTP Post request 320 comprising the server address of thePSP 322 and theencrypted payment information 308. - Referring again to
FIG. 2C , in step S41 the encrypted payment information in the HTTP Post request is decrypted by thePSP proxy 118 to obtain the original payment information entered by theuser 106. The decrypted payment information is then sent to thePSP web application 120 in step S42 in the form of a HTTP Post request containing the decrypted payment information as postData and the URL of the PSP web application. - The
PSP web application 120 processes the payment information from theuser 106. If, following the processing of the payment information, the payment is completed, then the operation shown inFIG. 2D is performed. If, on the other hand, the payment is not yet completed, then the operation shown inFIG. 2E is performed. - Reference is first made to
FIG. 2D , which, as mentioned above, shows the case in which the payment has been completed. In step S43, thePSP web application 120 issues a redirect header in response to the completed payment. The redirect header is received at thePSP proxy 118 and forwarded without any changes to theSkype backend 122 in step S44. The Skype backend 122 processes the redirect header, and, in step S45, sends an HTTP Get request to the URL of theSkype web application 124 referred to in the redirect header. TheSkype web application 124 returns a HTML webpage to theSkype backend 122 in response in step S46. The HTML webpage is then forwarded to theclient 112 in step S46, and onto theweb browser 130 in step S48. Finally, theuser 106 is displayed the results of the transaction in the web browser window in step S49. - Reference is now made to
FIG. 2E , which, as mentioned above, shows the case in which the payment has not yet been completed. This may occur if the user has entered their credit card details incorrectly, or in the case that the PSP requests additional information for fraud control purposes. In this instance thePSP web application 120 generates a HTML webpage to be displayed to theuser 106. The HTML page is sent to thePSP proxy 118 in step S50, and forwarded unaltered to theSkype backend 122 in step S51. The Skype backend 122 forwards the HTML webpage to theclient 112 in step S52, and onto theweb browser 130 in step S53. Finally, theuser 106 is displayed the HTML page from thePSP web application 120 in the web browser window in step S54. -
FIG. 4 shows a flowchart summarising the operations performed at the user terminal 102. In step S402, theuser 106 chooses to make a payment from within theclient program 112. In response to this, theclient 112 opens aweb browser 130 within the client user interface at step S404. A payment details form is fetched from thePSP 116, and is presented to the user in step S406 in theweb browser 130. In step S408 theuser 106 enters the payment information into the form in theweb browser 130. Theweb browser 130 creates a HTTP Post request with the “secure” marker including the payment information (302 as shown inFIG. 3 ) and attempts to send this into thenetwork 104 via thenetwork port 105 in step S410. Theclient 112 detects the “secure” marker and intercepts the HTTP Post request from theweb browser 130 in step S412, thereby preventing it from being sent into thenetwork 104. In step S414, theclient 112 encrypts the payment information from the HTTP Post request. Then, in step S416, the client wraps the HTTP Post request with the encrypted payload in a Skype proprietary protocol message (318 inFIG. 3 ). Finally, in step S418, the client transmits the Skype protocol message containing the encrypted payment information to theSkype backend server 122. -
FIG. 5 shows the page flow for the operations shown inFIGS. 2B-2D . The step numbers shown inFIG. 5 correspond to those as shown inFIGS. 2B-2D . InFIG. 5 , “IE” refers to “Internet Explorer”, which is an example of a type ofweb browser 130. - While this invention has been particularly shown and described with reference to preferred embodiments, it will be understood to those skilled in the art that various changes in form and detail may be made without departing from the scope of the invention as defined by the appendant claims.
Claims (34)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/832,672 US8705565B2 (en) | 2006-05-03 | 2010-07-08 | Secure transmission system and method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0608752A GB2437791A (en) | 2006-05-03 | 2006-05-03 | Secure communication using protocol encapsulation |
GBGB0608752.2 | 2006-05-03 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/832,672 Continuation US8705565B2 (en) | 2006-05-03 | 2010-07-08 | Secure transmission system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
US20070291789A1 true US20070291789A1 (en) | 2007-12-20 |
Family
ID=36603854
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/799,452 Abandoned US20070291789A1 (en) | 2006-05-03 | 2007-05-01 | Secure transmission system and method |
US12/832,672 Active 2028-01-06 US8705565B2 (en) | 2006-05-03 | 2010-07-08 | Secure transmission system and method |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/832,672 Active 2028-01-06 US8705565B2 (en) | 2006-05-03 | 2010-07-08 | Secure transmission system and method |
Country Status (8)
Country | Link |
---|---|
US (2) | US20070291789A1 (en) |
EP (1) | EP2022235B1 (en) |
JP (1) | JP5208920B2 (en) |
CN (1) | CN101485166B (en) |
AU (1) | AU2007245389B2 (en) |
BR (1) | BRPI0711279A2 (en) |
GB (1) | GB2437791A (en) |
WO (1) | WO2007125412A2 (en) |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100275007A1 (en) * | 2006-05-03 | 2010-10-28 | Skype Limited | Secure Transmission System and Method |
US20110161654A1 (en) * | 2009-12-31 | 2011-06-30 | Stas Margolis | Peer-to-peer telephony recording |
US20150019650A1 (en) * | 2013-06-25 | 2015-01-15 | Nest Labs, Inc. | Fabric network |
WO2015199737A1 (en) * | 2014-06-27 | 2015-12-30 | Hewlett-Packard Development Company, L.P. | Message receipt through firewall |
US9686243B1 (en) * | 2010-09-24 | 2017-06-20 | Symantec Corporation | Encrypted universal resource identifier (URI) based messaging |
US9818133B1 (en) | 2014-10-20 | 2017-11-14 | Sprint Communications Company L.P. | Method for consumer profile consolidation using mobile network identification |
US9836771B1 (en) | 2014-01-21 | 2017-12-05 | Sprint Communications Company L.P. | Client mediation and integration to advertisement gateway |
US20180123955A1 (en) * | 2013-03-12 | 2018-05-03 | Centripetal Networks, Inc. | Filtering network data transfers |
US9984395B1 (en) | 2014-01-21 | 2018-05-29 | Sprint Communications Company L.P. | Advertisement mediation of supply-demand communications |
US10013707B1 (en) | 2014-01-21 | 2018-07-03 | Sprint Communications Company L.P. | Address modification for advertisement mediation |
US10055757B1 (en) | 2014-01-21 | 2018-08-21 | Sprint Communications Company L.P. | IP address hashing in advertisement gateway |
US10127540B2 (en) * | 2011-12-19 | 2018-11-13 | Paypal, Inc. | System and method for facilitating electronic financial transactions during a phone call |
US10284526B2 (en) | 2017-07-24 | 2019-05-07 | Centripetal Networks, Inc. | Efficient SSL/TLS proxy |
US10405173B1 (en) * | 2013-06-05 | 2019-09-03 | Sprint Communications Company L.P. | Method and systems of collecting and segmenting device sensor data while in transit via a network |
US10511572B2 (en) | 2013-01-11 | 2019-12-17 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US10530903B2 (en) | 2015-02-10 | 2020-01-07 | Centripetal Networks, Inc. | Correlating packets in communications networks |
US10542028B2 (en) * | 2015-04-17 | 2020-01-21 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US10567437B2 (en) | 2012-10-22 | 2020-02-18 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10749906B2 (en) | 2014-04-16 | 2020-08-18 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10862909B2 (en) | 2013-03-15 | 2020-12-08 | Centripetal Networks, Inc. | Protecting networks from cyber attacks and overloading |
US11122014B2 (en) * | 2019-01-25 | 2021-09-14 | V440 Spółka Akcyjna | User device and method of providing notification in messaging application on user device |
US20210409457A1 (en) * | 2008-04-02 | 2021-12-30 | Twilio Inc. | System and method for processing telephony sessions |
US11233777B2 (en) | 2017-07-24 | 2022-01-25 | Centripetal Networks, Inc. | Efficient SSL/TLS proxy |
US11290424B2 (en) | 2018-07-09 | 2022-03-29 | Centripetal Networks, Inc. | Methods and systems for efficient network protection |
US11477224B2 (en) | 2015-12-23 | 2022-10-18 | Centripetal Networks, Inc. | Rule-based network-threat detection for encrypted communications |
US11539664B2 (en) | 2020-10-27 | 2022-12-27 | Centripetal Networks, Inc. | Methods and systems for efficient adaptive logging of cyber threat incidents |
US11574047B2 (en) | 2017-07-10 | 2023-02-07 | Centripetal Networks, Inc. | Cyberanalysis workflow acceleration |
US11729144B2 (en) | 2016-01-04 | 2023-08-15 | Centripetal Networks, Llc | Efficient packet capture for cyber threat analysis |
US11956338B2 (en) | 2023-05-19 | 2024-04-09 | Centripetal Networks, Llc | Correlating packets in communications networks |
Families Citing this family (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2464553B (en) | 2008-10-22 | 2012-11-21 | Skype | Controlling a connection between a user terminal and an access node connected to a communication network |
US10009305B2 (en) * | 2011-03-31 | 2018-06-26 | Loment, Inc. | Ubiquitous user control for information communicated among end user communication devices |
US9684887B2 (en) * | 2011-03-31 | 2017-06-20 | Loment, Inc. | Priority of outbound messages communicated among end user communication devices |
US9331972B2 (en) * | 2011-03-31 | 2016-05-03 | Loment, Inc. | Automatic expiration of messages communicated to an end user communication device |
GB201121585D0 (en) * | 2011-12-15 | 2012-01-25 | Skype Ltd | Communication system and method |
US10038735B2 (en) * | 2012-06-19 | 2018-07-31 | Loment, Inc. | Delivery control for HTTP communications among multiple end user communication devices |
US8625805B1 (en) | 2012-07-16 | 2014-01-07 | Wickr Inc. | Digital security bubble |
US10129260B1 (en) | 2013-06-25 | 2018-11-13 | Wickr Inc. | Mutual privacy management |
US9830089B1 (en) | 2013-06-25 | 2017-11-28 | Wickr Inc. | Digital data sanitization |
US9866591B1 (en) | 2013-06-25 | 2018-01-09 | Wickr Inc. | Enterprise messaging platform |
US10567349B2 (en) | 2013-06-25 | 2020-02-18 | Wickr Inc. | Secure time-to-live |
US9698976B1 (en) | 2014-02-24 | 2017-07-04 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
DK3790301T3 (en) * | 2014-03-19 | 2022-07-04 | Bluefin Payment Sys Llc | SYSTEMS AND METHODS FOR MANUFACTURING FINGERPRINTS FOR ENCRYPTION DEVICES |
US9584530B1 (en) | 2014-06-27 | 2017-02-28 | Wickr Inc. | In-band identity verification and man-in-the-middle defense |
US9654288B1 (en) | 2014-12-11 | 2017-05-16 | Wickr Inc. | Securing group communications |
US9584493B1 (en) | 2015-12-18 | 2017-02-28 | Wickr Inc. | Decentralized authoritative messaging |
US10291607B1 (en) | 2016-02-02 | 2019-05-14 | Wickr Inc. | Providing real-time events to applications |
US9590958B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure file transfer |
US9596079B1 (en) | 2016-04-14 | 2017-03-14 | Wickr Inc. | Secure telecommunications |
CN109565498A (en) * | 2016-06-02 | 2019-04-02 | 北京易掌云峰科技有限公司 | It is transmitted using the dynamic of the performance of header |
US20230110546A1 (en) * | 2021-09-24 | 2023-04-13 | The Toronto-Dominion Bank | Digital identity network gateway |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5931917A (en) * | 1996-09-26 | 1999-08-03 | Verifone, Inc. | System, method and article of manufacture for a gateway system architecture with system administration information accessible from a browser |
US20020010801A1 (en) * | 2000-04-21 | 2002-01-24 | Meagher Patrick S. | Server to third party serial gateway in a power control management system |
US20020042882A1 (en) * | 2000-10-10 | 2002-04-11 | Dervan R. Donald | Computer security system |
US20020174068A1 (en) * | 2001-05-07 | 2002-11-21 | Rodolphe Marsot | Method for increasing the security of payment of tradesman by a client, corresponding localization center and system |
US6611533B1 (en) * | 1999-01-13 | 2003-08-26 | Nortel Networks Limited | Public telephone network, intelligent network, and internet protocol network services interworking |
US20040034776A1 (en) * | 2002-08-14 | 2004-02-19 | Microsoft Corporation | Authenticating peer-to-peer connections |
US20040236962A1 (en) * | 2003-05-19 | 2004-11-25 | Wong Ping Wah | Method and apparatus for secure browser-based information service |
US20050195799A1 (en) * | 2004-03-04 | 2005-09-08 | Wiline Networks, Inc. | Method and device for coupling a POTS terminal to a non-PSTN communications network |
US20060271497A1 (en) * | 2005-05-24 | 2006-11-30 | Cullen Andrew J | Payment authorisation process |
US20070211651A1 (en) * | 2006-03-13 | 2007-09-13 | Ebay Inc. | Peer-to-peer trading platform with roles-based transactions |
US7308101B2 (en) * | 2004-01-22 | 2007-12-11 | Cisco Technology, Inc. | Method and apparatus for transporting encrypted media streams over a wide area network |
US20080126665A1 (en) * | 2006-09-19 | 2008-05-29 | Kent Allan Burr | Apparatus and methods to communicatively couple field devices to controllers in a process control system |
US7650500B2 (en) * | 2004-10-22 | 2010-01-19 | Fujitsu Limited | Encryption communication system |
US7810148B2 (en) * | 2005-02-25 | 2010-10-05 | Microsoft Corporation | Enabling terminal services through a firewall |
US20100275007A1 (en) * | 2006-05-03 | 2010-10-28 | Skype Limited | Secure Transmission System and Method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI102860B (en) * | 1995-11-07 | 1999-02-26 | Nokia Telecommunications Oy | Procedure and apparatus for transmitting an electronic payment |
US20030145062A1 (en) * | 2002-01-14 | 2003-07-31 | Dipanshu Sharma | Data conversion server for voice browsing system |
WO2005009019A2 (en) | 2003-07-16 | 2005-01-27 | Skype Limited | Peer-to-peer telephone system and method |
-
2006
- 2006-05-03 GB GB0608752A patent/GB2437791A/en not_active Withdrawn
-
2007
- 2007-04-30 AU AU2007245389A patent/AU2007245389B2/en active Active
- 2007-04-30 EP EP07734496.8A patent/EP2022235B1/en active Active
- 2007-04-30 BR BRPI0711279-3A patent/BRPI0711279A2/en not_active Application Discontinuation
- 2007-04-30 WO PCT/IB2007/001181 patent/WO2007125412A2/en active Application Filing
- 2007-04-30 JP JP2009508536A patent/JP5208920B2/en active Active
- 2007-04-30 CN CN200780024386.8A patent/CN101485166B/en active Active
- 2007-05-01 US US11/799,452 patent/US20070291789A1/en not_active Abandoned
-
2010
- 2010-07-08 US US12/832,672 patent/US8705565B2/en active Active
Patent Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5931917A (en) * | 1996-09-26 | 1999-08-03 | Verifone, Inc. | System, method and article of manufacture for a gateway system architecture with system administration information accessible from a browser |
US6611533B1 (en) * | 1999-01-13 | 2003-08-26 | Nortel Networks Limited | Public telephone network, intelligent network, and internet protocol network services interworking |
US20020010801A1 (en) * | 2000-04-21 | 2002-01-24 | Meagher Patrick S. | Server to third party serial gateway in a power control management system |
US20020042882A1 (en) * | 2000-10-10 | 2002-04-11 | Dervan R. Donald | Computer security system |
US20020174068A1 (en) * | 2001-05-07 | 2002-11-21 | Rodolphe Marsot | Method for increasing the security of payment of tradesman by a client, corresponding localization center and system |
US20040034776A1 (en) * | 2002-08-14 | 2004-02-19 | Microsoft Corporation | Authenticating peer-to-peer connections |
US20040236962A1 (en) * | 2003-05-19 | 2004-11-25 | Wong Ping Wah | Method and apparatus for secure browser-based information service |
US7308101B2 (en) * | 2004-01-22 | 2007-12-11 | Cisco Technology, Inc. | Method and apparatus for transporting encrypted media streams over a wide area network |
US20050195799A1 (en) * | 2004-03-04 | 2005-09-08 | Wiline Networks, Inc. | Method and device for coupling a POTS terminal to a non-PSTN communications network |
US7650500B2 (en) * | 2004-10-22 | 2010-01-19 | Fujitsu Limited | Encryption communication system |
US7810148B2 (en) * | 2005-02-25 | 2010-10-05 | Microsoft Corporation | Enabling terminal services through a firewall |
US20060271497A1 (en) * | 2005-05-24 | 2006-11-30 | Cullen Andrew J | Payment authorisation process |
US20070211651A1 (en) * | 2006-03-13 | 2007-09-13 | Ebay Inc. | Peer-to-peer trading platform with roles-based transactions |
US7958019B2 (en) * | 2006-03-13 | 2011-06-07 | Ebay Inc. | Peer-to-peer trading platform with roles-based transactions |
US20100275007A1 (en) * | 2006-05-03 | 2010-10-28 | Skype Limited | Secure Transmission System and Method |
US20080126665A1 (en) * | 2006-09-19 | 2008-05-29 | Kent Allan Burr | Apparatus and methods to communicatively couple field devices to controllers in a process control system |
Cited By (81)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8705565B2 (en) | 2006-05-03 | 2014-04-22 | Skype | Secure transmission system and method |
US20100275007A1 (en) * | 2006-05-03 | 2010-10-28 | Skype Limited | Secure Transmission System and Method |
US11843722B2 (en) | 2008-04-02 | 2023-12-12 | Twilio Inc. | System and method for processing telephony sessions |
US11611663B2 (en) | 2008-04-02 | 2023-03-21 | Twilio Inc. | System and method for processing telephony sessions |
US11575795B2 (en) * | 2008-04-02 | 2023-02-07 | Twilio Inc. | System and method for processing telephony sessions |
US11831810B2 (en) | 2008-04-02 | 2023-11-28 | Twilio Inc. | System and method for processing telephony sessions |
US20210409457A1 (en) * | 2008-04-02 | 2021-12-30 | Twilio Inc. | System and method for processing telephony sessions |
US11706349B2 (en) | 2008-04-02 | 2023-07-18 | Twilio Inc. | System and method for processing telephony sessions |
US11722602B2 (en) | 2008-04-02 | 2023-08-08 | Twilio Inc. | System and method for processing media requests during telephony sessions |
US11856150B2 (en) | 2008-04-02 | 2023-12-26 | Twilio Inc. | System and method for processing telephony sessions |
US11765275B2 (en) | 2008-04-02 | 2023-09-19 | Twilio Inc. | System and method for processing telephony sessions |
US8909811B2 (en) | 2009-12-31 | 2014-12-09 | Nice-Systems Ltd. | Peer-to-peer telephony recording |
US8380872B2 (en) | 2009-12-31 | 2013-02-19 | Nice Systems Ltd. | Peer-to-peer telephony recording |
US20110161654A1 (en) * | 2009-12-31 | 2011-06-30 | Stas Margolis | Peer-to-peer telephony recording |
US9686243B1 (en) * | 2010-09-24 | 2017-06-20 | Symantec Corporation | Encrypted universal resource identifier (URI) based messaging |
US11030607B2 (en) | 2011-12-19 | 2021-06-08 | Paypal, Inc. | System and method for facilitating electronic financial transactions during a phone call |
US10127540B2 (en) * | 2011-12-19 | 2018-11-13 | Paypal, Inc. | System and method for facilitating electronic financial transactions during a phone call |
US11687908B2 (en) | 2011-12-19 | 2023-06-27 | Paypal, Inc. | System and method for facilitating electronic financial transactions during a phone call |
US11012474B2 (en) | 2012-10-22 | 2021-05-18 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10567437B2 (en) | 2012-10-22 | 2020-02-18 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10785266B2 (en) | 2012-10-22 | 2020-09-22 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10681009B2 (en) | 2013-01-11 | 2020-06-09 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US11539665B2 (en) | 2013-01-11 | 2022-12-27 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US11502996B2 (en) | 2013-01-11 | 2022-11-15 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US10511572B2 (en) | 2013-01-11 | 2019-12-17 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US10541972B2 (en) | 2013-01-11 | 2020-01-21 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US10505898B2 (en) | 2013-03-12 | 2019-12-10 | Centripetal Networks, Inc. | Filtering network data transfers |
US10567343B2 (en) * | 2013-03-12 | 2020-02-18 | Centripetal Networks, Inc. | Filtering network data transfers |
US11012415B2 (en) * | 2013-03-12 | 2021-05-18 | Centripetal Networks, Inc. | Filtering network data transfers |
US11418487B2 (en) | 2013-03-12 | 2022-08-16 | Centripetal Networks, Inc. | Filtering network data transfers |
US20180123955A1 (en) * | 2013-03-12 | 2018-05-03 | Centripetal Networks, Inc. | Filtering network data transfers |
US10735380B2 (en) | 2013-03-12 | 2020-08-04 | Centripetal Networks, Inc. | Filtering network data transfers |
US11496497B2 (en) | 2013-03-15 | 2022-11-08 | Centripetal Networks, Inc. | Protecting networks from cyber attacks and overloading |
US10862909B2 (en) | 2013-03-15 | 2020-12-08 | Centripetal Networks, Inc. | Protecting networks from cyber attacks and overloading |
US10405173B1 (en) * | 2013-06-05 | 2019-09-03 | Sprint Communications Company L.P. | Method and systems of collecting and segmenting device sensor data while in transit via a network |
US9923801B2 (en) | 2013-06-25 | 2018-03-20 | Google Llc | Fabric network |
US9172759B2 (en) * | 2013-06-25 | 2015-10-27 | Google Inc. | Fabric network |
US10693760B2 (en) | 2013-06-25 | 2020-06-23 | Google Llc | Fabric network |
US9015266B2 (en) * | 2013-06-25 | 2015-04-21 | Google Inc. | Fabric network |
US20150019669A1 (en) * | 2013-06-25 | 2015-01-15 | Nest Labs, Inc. | Fabric network |
US20150019650A1 (en) * | 2013-06-25 | 2015-01-15 | Nest Labs, Inc. | Fabric network |
US9836771B1 (en) | 2014-01-21 | 2017-12-05 | Sprint Communications Company L.P. | Client mediation and integration to advertisement gateway |
US9984395B1 (en) | 2014-01-21 | 2018-05-29 | Sprint Communications Company L.P. | Advertisement mediation of supply-demand communications |
US10013707B1 (en) | 2014-01-21 | 2018-07-03 | Sprint Communications Company L.P. | Address modification for advertisement mediation |
US10055757B1 (en) | 2014-01-21 | 2018-08-21 | Sprint Communications Company L.P. | IP address hashing in advertisement gateway |
US10951660B2 (en) | 2014-04-16 | 2021-03-16 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10749906B2 (en) | 2014-04-16 | 2020-08-18 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US10944792B2 (en) | 2014-04-16 | 2021-03-09 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US11477237B2 (en) | 2014-04-16 | 2022-10-18 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
WO2015199737A1 (en) * | 2014-06-27 | 2015-12-30 | Hewlett-Packard Development Company, L.P. | Message receipt through firewall |
US10069795B2 (en) | 2014-06-27 | 2018-09-04 | Hewlett-Packard Development Company, L.P. | Message receipt through firewall |
US9818133B1 (en) | 2014-10-20 | 2017-11-14 | Sprint Communications Company L.P. | Method for consumer profile consolidation using mobile network identification |
US10530903B2 (en) | 2015-02-10 | 2020-01-07 | Centripetal Networks, Inc. | Correlating packets in communications networks |
US10931797B2 (en) | 2015-02-10 | 2021-02-23 | Centripetal Networks, Inc. | Correlating packets in communications networks |
US11683401B2 (en) | 2015-02-10 | 2023-06-20 | Centripetal Networks, Llc | Correlating packets in communications networks |
US10659573B2 (en) | 2015-02-10 | 2020-05-19 | Centripetal Networks, Inc. | Correlating packets in communications networks |
US10609062B1 (en) | 2015-04-17 | 2020-03-31 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11700273B2 (en) | 2015-04-17 | 2023-07-11 | Centripetal Networks, Llc | Rule-based network-threat detection |
US11012459B2 (en) | 2015-04-17 | 2021-05-18 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11516241B2 (en) | 2015-04-17 | 2022-11-29 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US10757126B2 (en) | 2015-04-17 | 2020-08-25 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11792220B2 (en) | 2015-04-17 | 2023-10-17 | Centripetal Networks, Llc | Rule-based network-threat detection |
US10542028B2 (en) * | 2015-04-17 | 2020-01-21 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11496500B2 (en) | 2015-04-17 | 2022-11-08 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US10567413B2 (en) | 2015-04-17 | 2020-02-18 | Centripetal Networks, Inc. | Rule-based network-threat detection |
US11811808B2 (en) | 2015-12-23 | 2023-11-07 | Centripetal Networks, Llc | Rule-based network-threat detection for encrypted communications |
US11811809B2 (en) | 2015-12-23 | 2023-11-07 | Centripetal Networks, Llc | Rule-based network-threat detection for encrypted communications |
US11477224B2 (en) | 2015-12-23 | 2022-10-18 | Centripetal Networks, Inc. | Rule-based network-threat detection for encrypted communications |
US11824879B2 (en) | 2015-12-23 | 2023-11-21 | Centripetal Networks, Llc | Rule-based network-threat detection for encrypted communications |
US11563758B2 (en) | 2015-12-23 | 2023-01-24 | Centripetal Networks, Inc. | Rule-based network-threat detection for encrypted communications |
US11811810B2 (en) | 2015-12-23 | 2023-11-07 | Centripetal Networks, Llc | Rule-based network threat detection for encrypted communications |
US11729144B2 (en) | 2016-01-04 | 2023-08-15 | Centripetal Networks, Llc | Efficient packet capture for cyber threat analysis |
US11797671B2 (en) | 2017-07-10 | 2023-10-24 | Centripetal Networks, Llc | Cyberanalysis workflow acceleration |
US11574047B2 (en) | 2017-07-10 | 2023-02-07 | Centripetal Networks, Inc. | Cyberanalysis workflow acceleration |
US10284526B2 (en) | 2017-07-24 | 2019-05-07 | Centripetal Networks, Inc. | Efficient SSL/TLS proxy |
US11233777B2 (en) | 2017-07-24 | 2022-01-25 | Centripetal Networks, Inc. | Efficient SSL/TLS proxy |
US11290424B2 (en) | 2018-07-09 | 2022-03-29 | Centripetal Networks, Inc. | Methods and systems for efficient network protection |
US11122014B2 (en) * | 2019-01-25 | 2021-09-14 | V440 Spółka Akcyjna | User device and method of providing notification in messaging application on user device |
US11736440B2 (en) | 2020-10-27 | 2023-08-22 | Centripetal Networks, Llc | Methods and systems for efficient adaptive logging of cyber threat incidents |
US11539664B2 (en) | 2020-10-27 | 2022-12-27 | Centripetal Networks, Inc. | Methods and systems for efficient adaptive logging of cyber threat incidents |
US11956338B2 (en) | 2023-05-19 | 2024-04-09 | Centripetal Networks, Llc | Correlating packets in communications networks |
Also Published As
Publication number | Publication date |
---|---|
JP5208920B2 (en) | 2013-06-12 |
GB2437791A (en) | 2007-11-07 |
EP2022235A2 (en) | 2009-02-11 |
AU2007245389A1 (en) | 2007-11-08 |
BRPI0711279A2 (en) | 2011-10-04 |
JP2009535955A (en) | 2009-10-01 |
GB0608752D0 (en) | 2006-06-14 |
CN101485166B (en) | 2012-08-29 |
AU2007245389B2 (en) | 2011-09-01 |
EP2022235B1 (en) | 2019-03-20 |
WO2007125412A3 (en) | 2008-01-17 |
US20100275007A1 (en) | 2010-10-28 |
WO2007125412A2 (en) | 2007-11-08 |
CN101485166A (en) | 2009-07-15 |
US8705565B2 (en) | 2014-04-22 |
WO2007125412B1 (en) | 2008-05-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8705565B2 (en) | Secure transmission system and method | |
EP1854243B1 (en) | Mapping an encrypted https network packet to a specific url name and other data without decryption outside of a secure web server | |
TWI251418B (en) | Method and system for selecting a security format conversion | |
US8930548B2 (en) | Mobile link system, method and apparatus | |
US7992212B2 (en) | Mobile terminal and gateway for remotely controlling data transfer from secure network | |
US7984157B2 (en) | Persistent and reliable session securely traversing network components using an encapsulating protocol | |
US20090285118A1 (en) | Proxy terminal, service device, proxy terminal communication path setting method, and server device communication path setting method | |
US6823452B1 (en) | Providing end-to-end user authentication for host access using digital certificates | |
US20050277434A1 (en) | Access controller | |
JP2002535884A (en) | Distribution of web-based secure email messages | |
CN101345752B (en) | Method, apparatus and system for guarantee safety of mobile terminal access to WEB resource | |
US11658951B2 (en) | Carrier encryption system | |
US20070115927A1 (en) | Click to initiate secure network service | |
JP2018519562A (en) | Method and system for transaction security | |
CN113949566A (en) | Resource access method, device, electronic equipment and medium | |
EP2887608B1 (en) | A computer implemented method and system for an anonymous communication and computer program thereof | |
CN113765933B (en) | Traffic encryption and decryption method and computer readable storage medium | |
EP1211860A1 (en) | Provision of secure access for telecommunications system | |
CN115242519A (en) | Login password substitution method based on reverse proxy | |
KR20090034170A (en) | Method and apparatus for authenticating service by using web embedded application | |
WO2001035569A1 (en) | Method and system for data encryption and filtering |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: SKYPE LIMITED, IRELAND Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KUTT, ANDRES;HIIR, TANEL;REEL/FRAME:019777/0436 Effective date: 20070806 |
|
AS | Assignment |
Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNOR:SKYPE LIMITED;REEL/FRAME:023854/0805 Effective date: 20091125 Owner name: JPMORGAN CHASE BANK, N.A.,NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNOR:SKYPE LIMITED;REEL/FRAME:023854/0805 Effective date: 20091125 |
|
AS | Assignment |
Owner name: SKYPE LIMITED, CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:027289/0923 Effective date: 20111013 |
|
AS | Assignment |
Owner name: SKYPE, IRELAND Free format text: CHANGE OF NAME;ASSIGNOR:SKYPE LIMITED;REEL/FRAME:028691/0596 Effective date: 20111115 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |