1. Field of the Invention
The present invention concerns the field of secure client-server communications in a computer system, and more specifically a method and a device for communicating to a server machine a certificate sent by a client machine, via a security module.
2. Description of the Related Art
HTTP (HyperText Transfer Protocol) is an application level communication protocol. The HTTP protocol is used between a client and a server to transmit and receive data in requests without state management; each request is executed independently of the others, without knowledge of the previous requests. The HTTP protocol does not provide for any encryption. Moreover, the mutual authentication methods offered by the HTTP protocol do not provide any guarantees. Authentication is a procedure that makes it possible to obtain and verify the identity of a party sending HTTP requests.
In order to solve the problem of the lack of encryption and authentication in the HTTP protocol, current systems use security protocols such as the SSL (Secure Sockets Layer) protocol. The SSL protocol makes it possible to transmit documents securely over the Web. There are other security protocols, such as the TLS (Transport Layer Security) protocol, which is an extension of the SSL protocol. Security protocols like SSL or TLS make it possible to encrypt the exchanges and authenticate the parties, in this case the client and the server; they offer services for authentication, integrity and confidentiality.
Security protocols like SSL and TLS use strong authentication methods based on public key cryptography. Each party owns a pair of asymmetric keys, called public/private keys; the key used to encrypt the information is different from the one used to decrypt it.
Public key cryptography methods use a certificate that makes it possible to verify that a given public key is actually associated with the legitimate owner and that it is in fact the owner who is using it. A certificate is a digital document that attests to the ownership of a public key by a person. Such a certificate must be issued by a recognized institution outside the secure system, called a certification authority (CA). The certificate makes it possible to prove the authenticity of a user's public key and hence to authenticate the user without ambiguity. When a person signs and sends a document, the recipient obtains the sending person's certificate. The recipient can verify the veracity of the certificate with the certificate of the certification authority; he can then verify the sender's signature.
The management module of the SSL protocol at the server level is integrated into the server or into an intermediate machine called a security box or front-end box. The security box is a splitting machine upstream from the server. The security box handles the SSL protocol. The SSL protocol is not implemented between the security box and the server. The encryption and the authentication are performed between the client and the security box. Optionally, the security box authenticates the client, particularly by means of a certificate.
The problem addressed by the present invention is the lack of means in the HTTP protocol for returning said certificate from the security box to the server.
The certificate contains information that can be very useful for the server, such as the real identity of the client.
One object of the present invention is to solve the problem of the lack of means for communicating a certificate between the security box and the server.