US20160241545A1

Movatterモバイル変換

Info

Publication number: US20160241545A1
Application number: US15/141,311
Authority: US
Inventors: Richard L. Gregg; Sandeep Giri; Timothy C. Goeke
Original assignee: Prism Technologies LLC
Current assignee: Prism Technologies LLC
Priority date: 1997-06-11
Filing date: 2016-04-28
Publication date: 2016-08-18
Anticipated expiration: 2017-06-11
Also published as: US7290288B2; US8387155B2; US20160277398A1; US9369469B2; US8898746B2; US20030046589A1; US20110061097A1; US20150082392A1; US9544314B2; US9413768B1; US20130167204A1; US20080066168A1; US8127345B2

Abstract

A system for securing and tracking usage of transaction services or computer resources by a client computer from a first server computer, which includes clearinghouse means for storing identity data of the first server computer and the client computer(s); server software means and client software means adapted to forward its identity data and identity data of the client computer(s) to the clearinghouse means at the beginning of an operating session; and a hardware key connected to the client computer, the key being adapted to generate a digital identification as part of the identity data; wherein the hardware key is implemented using a hardware token access system, a magnetic card access system, a smart card access system, a biometric identification access system or a central processing unit with a unique embedded digital identification.

Description

The present application is a continuation of application Ser. No. 14/549,943, filed Nov. 21, 2014; which is a continuation of application Ser. No. 13/752,036, filed Jan. 28, 2013, now U.S. Pat. No. 8,898,746; which is a continuation of application Ser. No. 12/944,473, filed Nov. 11, 2010, now U.S. Pat. No. 8,387,155; which is a continuation of application Ser. No. 11/978,919, filed Oct. 30, 2007, now U.S. Pat. No. 8,127,345; which is a continuation of application Ser. No. 10/230,638, filed Aug. 29, 2002, now U.S. Pat. No. 7,290,288; which are incorporated herein by reference; and which is a continuation-in-part of application Ser. No. 08/872,710, filed Jun. 11, 1997, now U.S. Pat. No. 6,516,416.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention generally relates to security systems for use with computer networks. More particularly, the present invention relates to a secure transaction system that is particularly adapted for use with untrusted networks, such as the Internet.

2. Description of the Prior Art

There are many businesses that are connected to the Internet or some other untrusted network. Such businesses may provide transaction services without charge for certain transactions that can be accessed by any account holder having access to the network. However, the same business may want to generate revenue from other transaction services and also to protect its business assets. In order to generate revenue, there must be control over account holder access, transaction tracking, account data, and billing. For a business to offer transaction services on an untrusted network, such as the web, it must have access to a web server that connects to the Internet. Any account holder with a web browser can then access the web site.

To implement a secure transaction system for use over the web, businesses need to implement authentication, authorization and transaction tracking. Authentication involves providing restricted access to transaction services that are made available, and this is typically implemented through traditional account holder name-password schemes. Such schemes are vulnerable to password fraud because account holders can share their usernames and password by word of mouth or through Internet news groups, which obviously is conducive to fraudulent access and loss of revenue. Authorization, on the other hand, enables authenticated account holders to access transaction services based on the permission level they are granted. Transaction tracking involves collecting information on how account holders are using a particular web site, which traditionally involved the data mining of web server logs. This information is often inadequate to link web site transaction and a particular account holder who used the web site. There is also no generic transaction model that defines a web transaction, which contributes to the difficulty in implementing an account holder model based upon transactions. Thus, there is a need for an improved secure transaction system and method for securing and tracking usage by a client computer.

SUMMARY OF THE INVENTION

The present invention discloses a system for securing and tracking usage of transaction services or computer resources by a client computer from a first server computer, which includes clearinghouse means for storing identity data of the first server computer and the client computer(s); server software means installed on the first server computer and client software means installed on the client computer(s) adapted to forward its identity data and identity data of the client computer(s) to the clearinghouse means at the beginning of an operating session; and a hardware key connected to the client computer, the key being adapted to generate a digital identification as part of the identity data; the server software means being adapted to selectively request the client computer to forward the identification to the first server computer for confirmation of the hardware key being connected; the clearinghouse means being adapted to authenticate the identity of the client computer responsive to a request for selected services or resources of the first server computer; the clearinghouse means being adapted to authenticate the identity of the first server computer responsive to the client computer making the request; and the clearinghouse means being adapted to permit access to the selected request responsive to successful initial authentication of the first server computer and the client computer making the request; wherein the hardware key is implemented using a hardware token access system, a magnetic card access system, a smart card access system, a biometric identification access system or a central processing unit with a unique embedded digital identification.

These and other objects of the present invention will be apparent from review of the following specification and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the secure transaction system embodying the present invention, wherein a secure transaction server is part of a local area network, with the server being connected to the Internet and to the local area network via a firewall;

FIG. 2 is a functional block diagram of the secure transaction system embodying the present invention and illustrating the functional interaction of components of the system and a account holder;

FIG. 3 is a more detailed block diagram of the schema of the present invention;

FIG. 4 is a software block diagram illustrating the system architecture of the preferred embodiment in the web environment, also known as the secure transaction system;

FIG. 5 is a functional block diagram illustrating the structure and operation of the transaction clearinghouse database server process of the preferred embodiment;

FIG. 6 is a functional block illustrating the structure and operation of the transaction clearinghouse account holder authentication daemon of the preferred embodiment;

FIG. 7 is a block diagram illustrating the structure and operation of the transaction daemon of the preferred embodiment;

FIG. 8 is a functional block diagram illustrating the structure and operation of the transaction clearinghouse administration software of the preferred embodiment;

FIG. 9 is a functional block diagram illustrating the structure and operation of the server shared object of the preferred embodiment;

FIG. 10 is a functional block diagram illustrating the structure and operation of the server session manager of the preferred embodiment;

FIG. 11 is a functional block diagram illustrating the structure and operation of the server login common gateway interface (CGI) program of the preferred embodiment;

FIG. 12 is a functional block diagram illustrating the structure and operation of the server re-authentication common gateway interface (CGI) program of the preferred embodiment;

FIG. 13 is a functional block diagram illustrating the structure and operation of the server online application and activation common gateway interface (CGI) program of the preferred embodiment;

FIG. 14 is a functional block diagram illustrating the structure and operation of the server site administration common gateway interface program of the preferred embodiment;

FIG. 15 is a flow chart of the operation of the system at the start of a session where a account holder requests access to a secure transaction;

FIG. 16 is a flow chart of the system illustrating the steps that are taken during the login, account holder authentication and session initiation;

FIG. 17 is a flow chart of the sequence of steps that occur during transaction service and login;

FIG. 18 is a flow chart of the sequence of steps taken during a re-authentication operation;

FIG. 19 is a flow chart of the sequence of steps that occur during a session renewal;

FIG. 20 is a flow chart of the sequence of steps that occur during a session termination;

FIG. 21 is a block diagram of the hardware token access device that is part of the preferred embodiment of the present invention;

FIG. 22 is a block diagram of the magnetic card reader access device and access media that is part of the preferred embodiment of the present invention;

FIG. 23 is a block diagram of the smart card reader access device and access media that is part of the preferred embodiment of the present invention;

FIG. 24 is a block diagram of the biometric identification reader access device and access media that is part of the preferred embodiment of the present invention;

FIG. 25 is a block diagram of the secure central processing unit (CPU) access device and access media that is part of the preferred embodiment of the present invention;

FIG. 26 is a functional block diagram which illustrates multiple system servers with a single system transaction clearinghouse; and

FIG. 27 is a functional block diagram illustrating a system having multiple system servers and multiple system transaction clearinghouses.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Broadly stated, the present invention is directed to a secure transaction system that is particularly adapted for use with an untrusted network, such as the Internet worldwide web. As used herein, an untrusted network is defined as a public network with no controlling organization, with the path to access the network being undefined and the user being anonymous. A client-server application running over such a network has no control over the transmitted information during all the phases of transmission. The present invention provides a platform for securing transactions between consumers and suppliers on an untrusted network. Because of its superior design and operation, it is capable of operating servers and transaction clearinghouses in a geographically distributed fashion. The present invention implements its platform by restricting transaction services to only authenticated and authorized account holders and by tracking their transaction in a generic transaction model that can be easily integrated to any billing model.

The system has four major components as shown inFIG. 1, which are a transaction clearinghouse, indicated generally at30; account holder administration software, shown generally at32; a secure transaction server, indicated generally at34; and a number of account holder software, one of which is shown generally at36. The account holders are connected to theInternet38 via a modem connection or a similar means, and theInternet38 has a connection to the server. Theserver34 is connected to a local area network (LAN)40 through a firewall computer42. A firewall is used to separate a local area network from the outside world. In general, a local area network is connected to the outside world by a “gateway” computer. This gateway machine can be converted into a firewall by installing special software that does not let unauthorized TCP/IP packets passed from inside to outside and vice versa. TheLAN40 also provides a connection to the accountholder administration software32 and to thetransaction clearinghouse30. While the configuration shown inFIG. 1 has a singlesecure transaction server34 and a singletransaction clearinghouse server30, the secure transaction system of the present invention is adapted to be used in other configurations, which may include multiple secure transaction servers being controlled by asingle transaction clearinghouse30 or multiple secure transaction servers that interact withmultiple transaction clearinghouses30. Such flexibility in configurations is an extremely desirable aspect of the present invention.

With respect to the transactionclearinghouse administration software32, it preferably resides on a desktop PC with a browser and is connected to theLAN40 so that it can communicate with the transactionclearinghouse database server30. This software will typically be on theLAN40 of the organization so that database access through theadministration software32 is restricted within the organization. Using this administration software, an administrator can define the configuration for the account holder services, administer accounts, demographic data and transaction data. In the present invention, it is contemplated that the demographic data can be personal profile information, which may include at least two of the following items of information including: e-mail address, username, password, personal identification number, billing name, billing address, billing city, billing state, billing zip code, billing country, shipping name, shipping address, shipping city, shipping state, shipping zip code, shipping country, shipping method, home phone number, work phone number, cellular phone number, facsimile phone number, credit card number, credit card expiration date, credit card type, debit card number, debit card expiration date, debit card type, card-holders name, date of birth, and social security number.

With respect to thesecure transaction server34, the software for it is preferably located on the same machine that hosts the web server. It is preferably a Sun Solaris machine or comparable computer. Thesecure transaction server34 operates in conjunction with the transaction clearinghouse to authenticate and authorize account holders and to collect their transaction data. Thesecure transaction server34 also interacts with the account holder software at theaccount holder computer36 to provide transaction capture. Thesecure transaction server34 consists of a shared object that is incorporated as a part of the web server software. It also has a collection of common gateway interface programs (CGI's) that implement authentication tasks, such as login and access device polling. A session manager is provided for building sessions for every valid account holder so that a transaction list that contains all of the tasks performed during a account holder's session can be kept. The server also includes a thin client site administration software program that provides a web based visual interface to administer the session manager and maintain account holder profiles. The server sends transaction data to the transaction clearinghouse at the end of every account holder's session and includes added functionality for processing and activating online account applications.

Theaccount holder computer36 includes software that enables an account holder's web browser to access the untrusted network. The account holder desktop PC contains a browser to access the untrusted network and also includes account holder software for enabling the account holder to access secure transaction services. The account holder software, in addition to enabling the access to a web site providing secure transaction services, also allows for enforcement of the login process, re-authentication process and transaction tracking. All of these features are controlled by thesecure transaction server34, which sends specific commands to theaccount holder software36 to perform the tasks as needed. The account holder software is a plug-in or control that adds secure transaction functionality to standard browser software. The account holder also includes a hardware key for providing two or three factor authentication.FIGS. 21-25 illustrate the hardware key, which include a hardware token, magnetic card reader, smart card reader, or biometric identification reader connected to each account holder's client computer or alternatively a secure central processing unit as part of the account holder's client computer capable of reading access media that generates a unique digital ID.

The account holder access components preferably use the transmission control protocol/internet protocol (TCP/IP) and transaction datagram protocol/internet protocol (UDP/IP) to communication with each other. Any communication that needs to go through the web server or the web browser will follow the hyper text transfer protocol (HTTP) which is based on TCP/IP. These protocols are well known to those skilled in the art. The account holder's PC accesses web sites using HTTP. The web server andsecure transaction server34 communicate with each other using UDP/IP. Thesecure transaction server34 and thetransaction clearinghouse30 preferably communicate with each other using TCP/IP and the transaction clearinghouse servers communicate with a database using open database connectivity (ODBC) drivers most commonly over a TCP/IP network. The transactionclearinghouse administration software32 communicates with the database using an ODBC driver, most commonly over a TCP/IP or IPX network.

The four main components of the preferred embodiment of the system as described with respect toFIG. 1 interact with one another using a distributed architecture which establishes a many-to-many relationship between thesecure transaction servers34 and thetransaction clearinghouse30. Onetransaction clearinghouse30 can be monitoring multiplesecure transaction servers34 while each secure transaction server is interacting withmultiple account holders36. Similarly, asecure transaction server34 can be configured to interact withmultiple transaction clearinghouses30.

The manner in which the preferred embodiment of the system operates in the web environment can be broadly seen by the functional block diagram ofFIG. 2, which shows thetransaction clearinghouse server30,secure transaction server34, andaccount holder36 with steps that are taken during a session. The first step is for theaccount holder software36 to request transaction services and that request is communicated to thesecure transaction server34 that then commands the account holder to login. Theaccount holder software36 inputs the login parameters that thesecure transaction server34 then forwards to the transaction clearinghouse. If the parameters are valid, thetransaction clearinghouse30 provides a response to thesecure transaction server34 that then enables theaccount holder software36 to access the transaction services. The session transaction data is eventually forwarded for storage by thetransaction clearinghouse30.

While the steps that have been described with respect toFIG. 2 are a very broad overview of the preferred embodiment, the functional block diagram ofFIG. 3 provides a more detailed general schema of the present invention. The system includes a server application44, an account holder orclient application46, both of which are connected to an untrusted network via a traditional communication path indicated by the dotted

lines

48 and50. The system includes asession manager52 for interacting with thetransaction clearinghouse30 and thesecure transaction server34 and ahardware key54 which is connected to theaccount holder software36. The solid lines connecting the blocks of the numbered components ofFIG. 3 represent secure communications whereas the dotted lines are conventional communication paths that may not be secure.

Rather than describe the functions of the blocks ofFIG. 3, the manner in which these components function will be described in connection withFIGS. 17-23, which provide more detailed flowcharts that relate to specific operations of the system.

The manner in which the system translates into the preferred embodiment in the web environment will be described in connection with the functional block diagram illustrated inFIG. 4. Thetransaction clearinghouse30 contains the account and transaction database storage capability. Thetransaction clearinghouse30 controls the authentication and authorization of account holders for individually enabled secure transaction web servers. Thetransaction clearinghouse30 includes a number of subcomponents, including a transactionclearinghouse database server56 that provides an open database connectivity (ODBC) interface to a structured query language (SQL) database that contains the account holder database and transaction data warehouse.

Thetransaction clearinghouse30 also has an accountholder authentication daemon58 that processes the requests for account holder authentication by thesecure transaction servers34. Adaemon58 is a program that is not invoked explicitly, but lays dormant waiting for one or more necessary conditions to occur such as an incoming request from one of its client programs. For every account holder authentication request, the accountholder authentication daemon58 first insures it is communicating with an authenticsecure transaction server34, and then it queries the transactionclearinghouse database server56 to find the account holder's information. Based on this information, it sends an authentication response back to thesecure transaction server34. The accountholder authentication daemon58 also processes the secure transaction server's request for an online account holder application and an online account holder activation.

Thetransaction clearinghouse30 also includes atransaction daemon60 that is an independent server process that processes transaction data update requests made bysecure transaction servers34. Similar to the accountholder authentication daemon58, thetransaction daemon60 authenticates secure transaction servers before processing their requests. Upon successful authentication, it will accept all of the transaction data sent by a server and update thetransaction clearinghouse database56 with it. Thetransaction daemon60 also authenticatessecure transaction servers34 before processing their request. Thetransaction clearinghouse30 hasadministration software64 that provides a visual interface on a computer with a web browser to administer thetransaction clearinghouse database56.

With respect to thesecure transaction server34, it runs in conjunction with a web server and is able to provide secure transaction services using the system of the present invention. Thesecure transaction server34 authorizes each web transaction that involves account holder access of transaction services and does so by communicating with theaccount holder software36 to make the account holders login. If the login is successful, thesecure transaction server34 initiates a session and collects all transaction data so that at the end of a session it can send the transaction data to the transaction clearinghouse. The secure transaction server also provides the functionality of session re-authentication. The secure transaction server includes a number of subcomponents including thesession manager52 which is a server process that processes messages sent by an account holder access sharedobject66, an account holder access common gateway interface programs (CGI's)68 and thetransaction clearinghouse30.

When anaccount holder36 tries to log into a secure transaction system enabled web site, thesession manager52 communicates with thetransaction clearinghouse30 to authenticate the account holder. If successful, the session manager will start a new session for the account holder and from that point on, the account holder can access transaction services. Each web transaction during the session is reported to the session manager by the sharedobject66 so that thesession manager52 can build a list of transactions for the account holder. At the end of the session, the session manager will send all of the session data and transaction data to thetransaction clearinghouse30 to update the database. If the system is utilizing two or three factor authentication (e.g., the username, password, PIN plus the digital ID generated by the access media read by the hardware key attached to the account holder's computer), thesession manager52 periodically communicates with the sharedobject66 to perform re-authentication which involves polling of theaccount holder software36 to insure that thehardware key54 continues to be attached to the account holder computer.

The server sharedobject66 is a binary module which provides function pointers to aweb server69 to performsecure transaction server34 specific operations. To enable this, the server configuration files need to be changed so that theweb server69 knows which transaction services are provided by the secure transaction system. In this way, whenever an account holder attempts to access a transaction service, the server will call upon the account holder access functions that are defined in the sharedobject66 and theweb server69 will not process the request for transaction services until it receives permission to do so from these functions. The functions in the sharedobject66 insure that the account holder is operating as a valid session. If it is not a valid session, the functions redirect the account holder to the login process so that a new session can be created for the account holder. Once there is an active session, the sharedobject66 will grant permission to theweb server69 to process requests for transaction services and once the request has been processed, the shared object sends a message to thesession manager52 about a particular transaction so that the session manager can update its lists of transactions for the active session.

There are a number of account holder access common gateway interface programs (CGI'S) that are a part of thesecure transaction server34, including alogin CGI68. Any time an account holder is redirected by the system sharedobject66 to login and start a new session, the login CGI gets executed. These CGI's communicate with the account holder software to authenticate the secure transaction server and send a command to force the account holder to login. When the CGI's get the login parameters sent by theaccount holder software36, they send a request to thesession manager52 to authenticate the account holder and start a new session. There is also are-authentication CGI70 that is provided. Once a session has been initiated, periodically the sharedobject66 will redirect the account holder to get re-authenticated. There-authentication CGI70 communicates with theaccount holder software36 to poll the account holder's machine for thehardware key54, and based upon the response, the re-authentication CGI's communicates with thesession manager52 to validate re-authentication and renew the account holder session.

Thesecure transaction server34 also includes an online account holder application and activation CGI's74 which allow a person to apply online for transaction services. The CGI's collect the application data and send it to thetransaction clearinghouse30 that updates the account holder access database. Also, for an existing account holder who is trying to apply for another account, the CGI's will communicate with the transaction clearinghouse to get the account data on the account holder in order to fill out as much of the application automatically as it can. The activation feature is for users who have been approved and are trying to access secure transaction services for the first time. The CGI's for activation insure that the account holder has properly installed the account holder software and then these CGI's will send a message to the transaction clearinghouse to activate the account holder so that these approved users can access the new service. Asite administration CGI76 is another component included for providing an HTML visual interface to define the account holder profile and administer thesession manager52 for that particular account holder profile.

Theaccount holder software36 is installed on the account holder's personal computer. This software enables aweb browser77 to access thetransaction services78 provided by the secure transaction server. The account holder software is a plug-in or control that adds secure transaction functionality79 to standard browser software. The account holder software accepts messages from theweb server69 and takes actions as commanded by the secure transaction server such as making the account holder login, polling for the optional hardware key, encrypting the login parameters and sending it to the secure transaction server. The account holder software also authenticates theserver34 before accepting any commands from it so that only authenticate servers can command the account holder software.

Referring toFIG. 5, the main function of the transactionclearinghouse database server56 is to provide the database interface to the rest of the account holder access components. The transactionclearinghouse database server56 contains the enterprise-wide account holder and transaction data warehouse. This database server is a SQL server that has an ODBC interface so that the clients can interact with it using ODBC. The processes and application that interact directly with the transactionclearinghouse database server56 are the accountholder authentication daemon58, thetransaction daemon60, and the thin client transactionclearinghouse administration software64.

Referring toFIG. 6, the accountholder authentication daemon58 interacts with the transactionclearinghouse database server56, thesession manager52, the account holder application and activation CGI's74, and any CGI's that use the API's provided by the secure transaction system, such as the credit card processing CGI's80. In order to start a new session for a account holder, thesession manager52 sends an authenticate login (AL) message to the accountholder authentication daemon58, which queries the transactionclearinghouse database server56 to find the appropriate account holder records in order to do the login validation. The result of this validation is sent back to thesession manager52 as an authentication response (AR) message.

The online application CGI's74 interact with the accountholder authentication daemon58 to process an online account holder application. Normally, users fill out an online application form and submit it to one of the online application CGI's which will send all the application data in the form of an application (AP) message to the account holder authentication daemon. The daemon will verify and update the database with the application information and send back an application response (PR) message to the application CGI's indicating the status of the database update.

In cases where an existing account holder is applying for another account, the application CGI's74 communicate with the accountholder authentication daemon58 to get the account holder information on the current account holder so that the application form can be filled automatically. In order to do this, one of the application CGI's74 sends a verify application (VA) message to the accountholder authentication daemon58. The daemon will query the transactionclearinghouse database server64 to verify the applicant and get the account holder information. Based on the query results, it will send a verification response (VR) back to theapplication CGI74 which will contain the account holder information. Theapplication CGI74 will fill out the account holder part of the application form with this information. The account holder fills out the rest and submits the form that gets processed through the AP/PR message mentioned previously.

Once a user has been approved, the user needs to activate the account in order to access transaction services. This can be done online through the online activation CGI's74. Typically, an approved user (i.e., an account holder) will have to login in order to access theonline activation CGI74, which in turn sends an AA (Activate Applicant) message to the accountholder authentication daemon58 with the approved user's login parameters. Thedaemon58 will query the transactionclearinghouse database server64 to validate this information, and based on the validation results, it will send back an activation response (AR) message to the online activation CGI.

For web applications that need credit card information on account holders, the accountholder authentication daemon58 provides an API to do so. This also assumes that the account holder has logged in successfully and has an active session, which means these web applications need to be secured. In order to obtain the credit card information, these web applications can send a CC (credit card) message to the accountholder authentication daemon58. The daemon will first validate the account holder and if the validation is successful, it will send back a credit response (CR) to the credit cardprocessing web application78 that includes the account holder's credit card information.

Referring toFIG. 7, the main task of thetransaction daemon60 is to update the transactionclearinghouse database server56 with transaction data sent by the secure transactionserver session manager52. Thetransaction daemon60 is an independent process listening for TCP requests on a specific, well-known TCP port. When a account holder session terminates, thesession manager52 will send a transaction session (US) message to thetransaction daemon60 that provides some generic information about the account holder's session and also the number of transactions in the session. This message is followed by a series of session transaction (ST) messages, where each transaction in that session is represented by a ST message. Thetransaction daemon60 reads the US message and the following ST message(s), formulates SQL queries that will update all that data into thetransaction clearinghouse database56. Thetransaction daemon60 will then send back a message confirmation (MC) back to thesession manager52 that indicates the status of the database update.

As shown inFIG. 8, the transactionclearinghouse administration software64 is a thin client GUI web-based application for transaction clearinghouse database administration. This software runs on a computer with a web browser and communicates with the transactionclearinghouse database server56. This application will typically be on the private network of an organization so that database access through theadministration software64 is restricted within the organization. Theadministration software64 allows an administrator to define the particular transaction services that can be accessed by an account holder. It allows entering users as an account holder, approving and activating the account holder, and maintaining account holder profiles. It also provides inquiry screens to peruse transaction data. Also provided are table maintenance screens for the code tables in the database. The transaction clearinghouse servers preferably communicate with a database using open database connectivity (ODBC)drivers81 most commonly over a TCP/IP network, and the transactionclearinghouse administration software32 communicates with the database using anODBC driver81, most commonly over a TCP/IP or IPX network. As shown inFIG. 9, the account holder access sharedobject66 is a binary module that combines with theweb server69 to provide system-specific function pointers to the web server. Thus, when theweb server69 is configured to protect transaction services using the system, it will call upon these system specific functions. These functions provide a variety of features ranging from redirecting an account holder to the login CGI's68 to communicating with thesession manager52 to authenticate every request for transaction services. Whenever there is an incoming request from aweb browser77 including theaccount holder software36 that attempts to access a transaction service, theweb server69 invokes the sharedobject66. The sharedobject66 calls a secure transaction system function that first looks for an active session ID in the HTTP headers. If it does not find the session ID, it will redirect the account holder to the login CGI's68 in order to initiate the login process. If it finds a session ID, it sends a check session (CS) message to thesession manager52 to validate the session ID. Thesession manager52 will send the results of its validation in a session response (SR) message.

If the SR message has a SUCCESS status, the sharedobject66 grants permission to theweb server69 to process the request for the account holder to access transaction services. At the end of processing this request, the sharedobject66 calls another secure transaction system function that sends an end transaction (ET) message to the session manager so that thesession manager52 can log the end time for the specific web transaction. Periodically, the SR message will ask the sharedobject66 to perform session re-authentication. At such times, the sharedobject66 redirects the account holder to re-authentication CGI's70.

With the system architecture, transactions are protected on a directory level. A web master or a system administrator needs to determine which transactions are to be protected and make sure that all these transactions are organized in separate directories from unprotected transaction services. In this way, the web server configuration can be changed to protect these particular directories using the secure transaction system. Among other things, the configuration parameters also need to state where thesession manager52 is running and the port where it is listening for UDP requests. If there are multiple account holders being hosted from thesame web servers69, it is very important to have their transaction services contained in separate directories, and also very important is to have separate copies ofsession managers52 running for each account holder. This ensures that account holder authentication, authorization, and transaction tracking is done separately for separate account holders.

The secure transaction server session manager shown inFIG. 10 is an independent server process. It starts by reading configuration parameters from its configuration file, sessiond.conf. It listens for requests on two different ports—one UDP, and one TCP. The UDP port communicates with the account holder access sharedobject66 and the account holder access CGI's that reside on the same machine where thesession manager52 is running. The TCP port is for communication with the account holder access transaction clearinghouse daemons.

Thesession manager52 maintains a binary tree list of all the active account holder sessions. For every session, it maintains a linked list of all the transactions for that session. As stated in the description of the sharedobject66, every time a web request comes in for a transaction service, theweb server69 will invoke the sharedobject66. The sharedobject66 looks at the web server configuration files to determine which session manager52 (hostname and UDP port number) to send its check session (CS) message. In processing a CS message, thesession manager52 will traverse its list of active sessions looking for the particular session ID, and sends the result of this search back in a session response (SR) message.

During login, the login CGI's68 send an initiate session (IS) message to thesession manager52, which will read the login parameters, and send an authenticate login (AL) message to the transaction clearinghouse accountholder authentication daemon58. Thesession manager52 will read the account holder authentication daemon's58 authentication response (AR) and determine whether or not to create a new session entry, and sends a session response (SR) back to the login CGI's68 indicating the result of the session initiation process.

While processing a CS message sent by the sharedobject66, periodically thesession manager52 will find that a particular session needs to be re-authenticated. In such instances, thesession manger52 will respond back to the sharedobject66 with a session response (SR) message that tells the sharedobject66 to initiate the re-authentication process. The sharedobject66 in turn invokes the re-authentication CGI's70. The re-authentication CGI's70 perform the re-authentication task with theaccount holder software36, and sends the results in a renew session (RS) message to thesession manager52. The RS message contains the newly encrypted digital ID optionally stored on the access media which is read by thehardware key54 attached to the account holder's machine. Thesession manger52 authenticates the digital ID by comparing it to the information it has in the session entry for the particular account holder. The results of this authentication are sent back to there-authentication CGI70 in a session response (SR) message.

During specific time intervals as set in thesession manger52 configuration, the session manager goes through its list of sessions and times out any idle sessions, flagging them as inactive. These are sessions that have not had an activity in the last n seconds, where n is a session manager configuration (REFRESH_TIME) value. For each one of these inactive sessions, thesession manager52 initiates a process that will send all the transaction data collected for that session to the transaction clearinghouse'stransaction daemon60. The process first reads the session-entry and sends a transaction session (US) message that will tell thetransaction daemon60 how many transaction entries will be sent for that session. The US message is followed by a series of session transaction (ST) messages where each ST message represents a transaction for that session. The process terminates after sending all the US and ST messages. Thetransaction daemon60 will update the transaction clearinghouse database with all the transaction data, and sends a message confirmation (MC) message back to thesession manager52. Thesession manager52 determines which specific session the MC message is for, and deletes that session and its transactions from its list. If the MC message status is not successful, thesession manager52 tries to resend the transaction data. The number of retries is set in thesession manager52 configuration. If it is still unsuccessful, then thesession manger52 sends an e-mail to the system administrator indicating the error in transaction data update.

Another entity that thesession manager52 performs processing for is the site administration CGI's76. The specific operations provided are data recovery, data dump, and data restore features. During data recovery, the site administration CGI's76 send a DR (data recovery) message to thesession manager52. Thesession manager52 will retry sending the transaction data for the session(s) specified in the DR message to the transaction clearinghouse'stransaction daemon60.

During a data dump, thesite administration CGI76 sends a data dump (DD) message to thesession manager52 who makes a copy of all the active session data into a flat text file under the filename specified in the DD message. During a restore dump, thesite administration CGI76 sends a restore dump (RD) message to thesession manager52 who reads the dump file as named in the RD message and builds its list of sessions and transactions from the dump file data. To all these messages (DR, DD, RD), thesession manager52 sends a SR message back to the site administration CGI's76 indicating the results of the particular operations whether they were successful or not.

Referring toFIG. 11, the login CGI's68 is initiated when the sharedobject66 redirects a account holder to login. It first sends a start login message to theaccount holder software36 combined with theweb browser77 through theweb server69. Theaccount holder software36 then creates a random challenge and sends it to the login CGI's68 for secure transaction server authentication purposes. The login CGI's68 encrypts the secure transaction server's password using the challenge sent by theaccount holder software36 and sends it back to the account holder software along with a login command and a new random challenge created by thelogin CGI68. Theaccount holder software36 then authenticates the secure transaction server's password, and if it authenticates successfully, it will force the account holder to login. The login parameters obtained from the account holder and thehardware key54 are encrypted using the challenge sent by thelogin CGI68, and sent back to the login CGI.

The login CGI's68 take the encrypted login parameters sent by theaccount holder software36 and send an initiate session (IS) message to thesession manager52. Thesession manager52 conducts the account holder verification with the aid of thetransaction clearinghouse30 and sends back a session response (SR) indicating if a new session entry was created. If SR status is successful, thelogin CGI68 will put the session ID in the HTTP headers for re-authentication purposes.

As shown inFIG. 12, the re-authentication CGI's70 are invoked by the account holder access sharedobject66. Theweb server69 sends a check login message to theaccount holder software36 combined with theweb browser77 with a newly created challenge. In response to this message, theaccount holder software36 polls thehardware key54, reads the digital ID from the access media, and encrypts it using the challenge sent by the re-authentication CGI's70, which is sent back to there-authentication CGI70 who will validate the information by sending a renew session (RS) message to thesession manager52. Thesession manager52 validates the encrypted digital ID and sends back a session response (SR) message indicating the status of the re-authentication. If SR status is successful, there-authentication CGI70 redirects the account holder to the protected transaction services, otherwise they are directed to the login process.

Referring toFIG. 13, the online application process is initiated by a new user filling out an HTML application form and submitting it to theapplication CGI74. If the user is an existing account holder, a separate link can be activated by the user that will automatically fill out the demographic part of the application form. When an existing account holder goes through this link, the account holder must login. Theparticular application CGI74 will then send a verify application (VA) message to the accountholder authentication daemon58. Thedaemon58 will first authenticate the account holder, and if the authentication is successful, it will send back the demographic information on the account holder in its verification response (VR) message. Theapplication CGI74 will fill out the HTML application form with the information in the VR message. For a user who is not an existing account holder, the user is required to go to the application form directly to manually fill out all the fields, and submit the form back to theweb server69.

When the application form is submitted to theweb server69, the application data is sent to anotherapplication CGI74 who will send an application (AP) message to the accountholder authentication daemon58. Thedaemon58 will verify all the application data and update the transaction clearinghouse database. The result of the database update is sent back to theapplication CGI74 in an application response (PR) message. Theapplication CGI74 will then display the result of this process to the user on theweb browser77.

The application approval process can be conducted in a variety of ways. For account holders offering one-factor authentication only, where ahardware key54 is not used, a user can be instantly approved during the time of application, in which case the PR message contains the username, password, PIN assigned to the user. This information is immediately displayed back to the user so that the user can quickly proceed with the account holder activation process. Alternatively, another method is not approving the application immediately. Instead, a system administrator will perform additional processing of the application data to ensure that the user meets all the prerequisites of being an account holder. This could involve things like collecting payment, credit checks, etc. Once the requirements are met, the system administrator can approve the user using the transaction clearinghouse administration application software.

The result of the application approval process is that the user will now be assigned a unique account username and a password. If the account holder uses two-factor authentication, the approval process also involves assigning a unique digital ID to the user, and microcoding that digital ID into the access media read by thehardware key54. All this information (username, password, PIN, digital ID), the user's hardware key andaccess media54, and theaccount holder software36 need to be made available to the approved user so that the user can successfully install the hardware key andaccount holder software36 on the desktop, and proceed with the activation process.

The activation process is complete when the user becomes an account holder for a particular set of transaction services. Similar to the application process, this can be done through either online or through the accountholder administration software32. Online activation requires an approved user to install the account holder software on their desktop and visit the activation URL using theweb browser77. When the user clicks on the activation URL, the user must login. At this point, the approved user will use the username, password, PIN and the hardware key when using a two-factor authentication login. Theactivation CGI74 takes all this information and sends an approve user (AU) message to the transaction clearinghouse's accountholder authentication daemon58. Thisdaemon58 will accept the AU message, and verify all the information with the approved user's information in the transaction clearinghouse database. If the verification is successful, the accountholder authentication daemon58 will create a new account holder record for the user if there is not already one, and also create a new account holder record for the particular account holder(s) for which the user was approved for. The result of this process is sent back to the activation CGI in an activation response (RA) message. If RA message status is successful, theactivation CGI74 will display a successful activation message to the account holder, and give the account holder an option to change their password if desired. Otherwise, theactivation CGI74 will display the error message explaining why application activation could not be conducted successfully.

A feature of the online application and activation process is the password change feature that can be made available as a separate link in a secured web site. This link must be protected by the system so that only valid account holders can use this feature. When this link is accessed, a password/PIN change form is displayed to the account holder where they type in the old and new passwords/PINs. Once this form is submitted, a password/PIN change CGI82 will send a change password/PIN (CP) message to the accountholder authentication daemon58 in the transaction clearinghouse that will verify the account holder and the old password/PIN. If the verification is successful, the accountholder authentication daemon58 will make the password/PIN change in the transaction clearinghouse database. The status of this process is sent back to thepassword change CGI82 in a password/PIN response (RP) response. Based on the RP message status, the password/PIN change CGI will display a message to the account holder indicating whether the password/PIN change was carried out successfully.

As shown inFIG. 14, the site administration CGI's76 allows for the session manager configuration entries to be defined and maintained through an HTML interface. It also allows for the starting, stopping, and restarting of the session manager(s)52. The specific operations provided by the site administration CGI's76 that involve message interaction with thesession manager52 are the data recovery, data dump, and the data restore features. During a data recovery, the site administration CGI's76 send a DR (data recovery) message to thesession manager52. The session manager will retry sending the transaction data for the session(s) specified in the DR message to the transaction clearinghouse'stransaction daemon60.

During data dump, thesite administration CGI76 sends a data dump (DD) message to thesession manager52 that makes a copy of all the active session data into a flat text file under a specified filename in the DD message. During restore dump, thesite administration CGI76 sends a restore dump (RD) message to thesession manager52, which reads the named dump files(s) from the RD message and builds a list of sessions and transactions from the dump file data. For any of these messages (DR, DD, RD), thesession manager52 sends a SR message back to the site administration CGI's76 for indicating the results of success or failure for these particular operations.

FIGS. 4-14 described the software components of the preferred embodiment. The specific operations of the system will now be described in connection with the flow charts ofFIGS. 15-20. In order to distinguish the present invention from the preferred embodiment in the web environment, the flowcharts use different terminology for the system components. The following table provides a cross reference between the flowchart components and the preferred embodiment.


FLOWCHART	REFERRED EMBODIMENT ONTO WEB
COMPONENTS	ENVIRONMENT

Client Application	Web browser
Client Messenger	a module of account holder software
Server Authenticator	a module of account holder software
Log-in interface	a module of account holder software
Access device interface	a module of account holder software
Client Cryptographer	a module of account holder software
Content Controller	a module of account holder software
Network transaction	a module of account holder software
tracker
Server Application	Web Server
Communication Headers	HTTP headers
Client Authenticator	a module of Shared Object for Web Server
Transaction Monitor	a module of Shared object for Web Server
Log-in Enforcer	Log-in CGI's
Access device Validator	Re-authentication CGI's
Session Validator	a module of Session Manager
Session Initiator	a module of Session Manager
Session Terminator	a module of Session Manager
Authentication Server	Transaction clearinghouse Account holder
	authentication daemon
Transaction Data Server	Transaction clearinghouse Transaction daemon

Referring toFIG. 15, the flow chart illustrating the sequence of steps that occur during the start of a session is illustrated and begins with the account holder requesting access to a transaction service (block100). The server application forwards the request to the client authenticator (block102). If the session ID is in the communication headers (block104), the client authenticator sends a check session message to the session validator (block106), and the session validator searches for a session entry in its list of active sessions (block108). If the session ID in not in the communication headers (block104), the client authenticator denies permission to the server application for servicing the account holder's request (block110). Also, if the active session entry is not found (block112), the session validator sends an unsuccessful session response to the client authenticator (block114). However, if there was an active session entry found, a subroutine of transaction service and logging is initiated (block116), which will be described later in conjunction withFIG. 17. If the client authenticator, on the other hand, denies permission to the server application (block110) when the session ID is in the communication header (block104) or after the session validator sends an unsuccessful session response (block114), the server application invokes the login enforcer to make the account holder login (block117). This results in a start login message being sent to the client messenger through the client application (block118). The client messenger then sends a random challenge to the login enforcer through the server application (block120), and the login enforcer encrypts the server application password with a client messenger challenger (block122). The login enforcer then sends a login command in its encrypted password to the client messenger with a new random challenge of its own (block124), and the client messenger then invokes server authenticator to authenticate server applications password (block126). If the server authentication is successful (block128), another subroutine of a login, account holder authentication and session initiation process is initiated (block130), which will be described in conjunction withFIG. 16. If not, the client messenger displays a server authentication error message to the account holder (block132), and the process is completed.

A flow chart of the login, account holder authentication, and session initiation subroutine is shown inFIG. 16, and indicated generally at103. The client messenger first invokes a login interface to prompt account holder for a username, a password, and/or a PIN (block140). The account holder then enters the username, the password, and/or the PIN (block142), followed by the login interface requesting the hardware key interface to poll for the hardware key (block144). If using two or three factor authentication, the hardware key interface reads the digital ID from the access media and sends it to the login interface (block146). In the case of one factor authentication, the login interface assigns a blank digital ID for the login parameters. The login interface then sends the login parameters, including the username, password and digital ID to the client cryptographer (block148). The client cryptographer encrypts the password and the digital ID using the challenge sent by the login enforcer and sends them to the login enforcer (block150). The login enforcer then sends an initiate session message to the session initiator with the encrypted login parameters (block152). The session initiator accordingly sends an authenticate login message to the transaction clearinghouse account holder authentication server (block154), and the account holder authentication server accesses the account holder's information from its database and authenticates the login parameters (block156). If using two or three factor authentication, this authentication involves the comparison of the digital ID, otherwise only username, password, and PIN are considered as login parameters. If the authentication was successful (block158), the account holder authentication server sends a successful authentication response message to the session initiator (block160). The session initiator enters a new session entry for the account holder in its list of active session with a unique session ID (block162). The session initiator also sends a successful session response to the login enforcer (block164), followed by the login enforcer entering the account holder's new session ID in the communication headers for re-authentication purposes (block166). The login enforcer also grants permission to service the account holder's request for secure transaction services (block168), and proceeds to initiate the subroutine of transaction service and logging (block116) shown inFIG. 17. However, if authentication is unsuccessful (block158), the account holder authentication server sends an unsuccessful authentication response to the session initiator (block172). The session initiator then sends an unsuccessful session response to the login enforcer (block174). The login enforcer accordingly denies permission to the server application to service the account holder's request for transaction services (block176), and the server application sends back an error response to the account holder (block178).

The subroutine of the transaction service and logging process (block16) is shown inFIG. 17. The session validator first enters a new transaction entry for the account holder's current session (block180). The session validator then sends a successful session response to the client authenticator (block182), and the client authenticator grants permission to the server application to service the account holder's request (block184). The server application invokes the appropriate service function to enable the account holder to access the requested transaction services (block186) and the transaction monitor sends an end transaction message to the session validator (block188). The session validator updates the transaction entry with the transaction-specific information in the end transaction message (block190).

In accordance with an important aspect of the present invention, the system is preferably adapted to periodically re-authenticate an active session to prevent unauthorized use by someone who no longer has thehardware key54 connected to his computer. With respect to the re-authentication process, and referring toFIG. 18, the process begins with an account holder in an active session requesting a transaction service (block200). The server application forwards the request to the client authenticator (block202), and communication headers are screened to see if they have a session ID (block204). If there is no session ID (block204), the client authenticator denies permission to the server application to service the request (block206) and the server application directs the account holder to the login enforcer to start a new session (block208). If, however, the session ID is in the communication header (block204), the client authenticator sends a check session CS message to the session validator (block210).

From the CS message, the session validator searches for a session entry in its list of active sessions (block212) and determines whether an activate session entry was found (block214). If not, the session validator sends an unsuccessful session response to the client authenticator (block216) and the client authenticator denies permission to service the request (block206). The server application would again direct the account holder to the login enforced to start a new session (block208). If an active session is found (block214), then the session validator checks for the time of the last polling of the account holder's machine to determine whether thehardware key54 is present (block218). The time duration is checked to determine if the preset time limit has been exceeded (block220), and if it has not, then the system goes to the subroutine of the transaction service and logging step (block170) (seeFIG. 17). If the time duration has exceeded the preset time limit, the session validator sends a session response to the client authenticator asking to poll for the account holder's hardware key attached to the account holder's computer (block222). The client authenticator invokes the access device validator (block224), and the access device validator then sends the check login message to client messenger with a new randomly generated challenge (block226). The client messenger invokes the login interface (block228), which in turn invokes the access device key interface (block230). The access device interface polls the account holder's machine for the hardware key54 (block232) and reads the digital ID from the access media. If the digital ID is successfully read (block234), the program implements a session renewal (block236), which is shown inFIG. 19. If the digital ID is not successfully read (block234), the access device interface sends an error message to the login interface (block238) and the login interface generates an error message to the client messenger (block240). The client messenger then sends an unsuccessful polling message to the access device validator, which redirects the account holder to the login enforcer (block242).

With respect to the session renewal and referring toFIG. 19, the access device interface reads the digital ID of the access media and submits it to the login interface (block250), which in turn submits the digital ID to the client cryptographer (block252). The client cryptographer encrypts the digital ID using the challenge sent by the access device validator and sends the encrypted digital10 to the access device validator (block254), which then sends a renew session message to the session validator with the encrypted digital ID (block256). The session validator finds account holder session entry and validates the encrypted digital ID (block258) and determines whether the validation was successful (block260). If not (block260), the session validator sends an unsuccessful session response to the access device validator (block262), and the access device validator redirects the account holder to the login enforcer to start a new session (block264). If validation was successful (block260), the session validator updates the session entry's time of last re-authentication (block266) and sends a successful session response to the access device validator (block268). The access device validator grants permission to the server application to process the account holder's request for transaction services (block270), and then proceeds to the transaction service and logging step (block116) (seeFIG. 17).

With respect to session termination and referring toFIG. 20, the first step is to begin with the first session entry of a session list (block280) and the session terminator checks the difference between the current time and the time of the last request (block282). If the time difference did not exceed the idle time limit (block284), the program determines whether the first session entry is the last session entry in the session list (block286). If so, the session is terminated (block288). If it is not the last session entry in the list (block286), the program fetches a next session entry in the list (block288) and return to block282. If the time difference did exceed the idle time limit (block284), the session terminator tags the session entry as inactive (block290) and sends all session transaction data to the transaction clearinghouse's transaction data server (block292). The transaction data server updates the transaction clearinghouse database with the session transaction data (block294), and the program determines whether the update was successful (block296). If not, the transaction data server sends an unsuccessful message confirmation to the session terminator (block298), which prompts the session terminator to send an error message to the system administrator (block300). If the update was successful (block296), the transaction data server sends a successful message confirmation to the session terminator (block302) and the session terminator then removes the session entry from the session list (block304).

In accordance with another important aspect of the present invention, and referring toFIG. 21, a hardwaretoken access device450 for use as thehardware key54 is shown in the illustrated functional block diagram. Theaccess device450 is an external hardware device, such as the iKey 1000 USB Smart Token device manufactured by Rainbow Technologies of Irvine, Calif. The hardwaretoken access device450 preferably connects to the USB port of the account holder's personal computer. The major function of the hardwaretoken access device450 is to uniquely identify a account holder that desires to access the transaction services and computer resources of an untrusted network, such as the Internet. It is used in conjunction with the username, password, and/or PIN to provide two factor authentication. Generally, two factor authentication provides that something is known (e.g., the username and password) and something is held (e.g., the physical hardware token that is attached to the computer or built into the computer). While the Rainbow iKey 1000 USB Smart Token is the preferred embodiment for the hardwaretoken access device450, it should be understood that the two factor authentication could be provided by some other physical device, such as a credit card, a key, an ATM card, or the like which is known to have been assigned and given to a specific person.

InFIG. 21, the hardwaretoken access device450 includes aport interface480, which provides an interface to support the personal computer of theaccount holder36. Such may include, for example, USB, parallel, serial and/or keyboard ports. Theaccess device450 is transparent to the personal computer interface being utilized and does not prohibit the personal computer interface from being used in a normal fashion. In the Rainbow iKey 1000 Smart Token, it is preferred that the hardware token be connected to the USB port. The hardware token also includes adata bus buffer482, which provides a minimum internal data bus of eight bits regardless of the port interface configuration. A read/writecontrol logic block484 manages all the internal and external transfer of data controlled status, while acontrol register486 initializes the functional configuration of theaccess device450. Astatus register488 contains the result of the last operation performed using the control register486 on the read/write control logic484. A message digestencryption490 is used to encrypt both a nonvolatilegeneral purpose memory492 during memory read and password read operations. The message digestencryption engine490 accepts a seed value from theport interface480 that can be used to uniquely encrypt the data being read. Thememory492 contains a minimum of 1024 bytes of data that can be used for storage of information for personally identifying the account holder. This information can include, but is not limited to a digital certificate. A password register494 accepts a minimum of a 64 bit password from theport interface480, and apassword comparator496 performs a logical XOR on the contents of the password register in the contents of thenonvolatile password memory492. When the contents of the password register494 are equal to the contents of thenonvolatile password memory498, several operations can be performed, such as reading the nonvolatile general purpose memory, read the encrypted nonvolatile password memory, writing the nonvolatile general purpose memory, writing the nonvolatile password memory and writing a seed value to the message digest encryption engine. The nonvolatile password memory contains a minimum of a 64 bit password. The password is set to a known default value at the time of manufacture but can be reprogrammed at any time.

In accordance with another important aspect of the present invention, and referring toFIG. 22, a magnetic card reader access device in use with anaccess media54 is implemented as thehardware key54 is shown in the illustrated functional block diagram, and indicated generally at499. A magnetic card is a plastic card with a strip of magnetic recording tape adhered to the back of the card. The magnetic recording strip has three tracks that can be used for storing and retrieving data. In the context of the preferred embodiment, themagnetic card500 is the preferred access media containing a digital ID. Magnetic stripe cards, which typically only store about 1 kilobyte of data (compared with 8, 16, or 32 KB in smart cards), do not have a CPU and rely on the card reader, the PC to which it's attached, or a remote computer accessed via modem to perform transaction processing. Magnetic card technology is widely utilized in Point of Sale (POS) terminals, Automated Teller Machines (ATM), ticketing, card issuing, transportation, and access control.

Two types of devices, a reader and a terminal can read magnetic cards. A reader is interfaced to a personal computer for the majority of its processing requirements, while a terminal is a self-contained processing device. Magnetic card readers are available that interface to RS232 serial ports, USB ports, PCMCIA slots, parallel ports, infrared IRDA ports and keyboards. Terminals have their own operating systems and in addition to reading a magnetic card typically support other functions such as network connectivity, transaction printing, and keypad entry. Both terminals and readers are consideredaccess devices501 in the context of the preferred embodiment.

For example, a magnetic card reader can be attached to a personal computer (PC) and serves the role of an access device. The magnetic card reader connects in-line between a PC and its keyboard. The magnetic card reader is intended to remain virtually invisible to both the PC and the keyboard until a magnetic card is read. When a magnetic card is read, the magnetic card reader takes over the interface to the PC and sends card data using the same scan codes used by the keyboard. These scan codes are routed to theaccount holder software36. Magnetic card readers also support the operation of a keypad that can be used to enter one or any combination of username, password or PIN codes in addition to the digital ID read from the access media by the access device.

In accordance with another important aspect of the present invention, and referring toFIG. 23, a smart card reader access device in use with an access media is implemented as thehardware key54 is shown in the illustrated functional block diagram, and indicated generally at502. A smart card is a type of plastic card embedded with a computer chip that stores and transacts data between users. This data can contain several digital IDs that are stored and processed within the card's chip, either a memory or a microprocessor. The card data is transacted via a reader that is part of a computing system. Smart cards greatly improve the convenience and security of any transaction. They provide tamper-proof storage of user and account identity. Smart cards protect against a full range of security threats, from careless storage of user passwords to sophisticated system hacks. Within the context of the preferred embodiment, asmart card503 is considered access media.

Two types of devices, a reader and a terminal can read smart cards. A reader is interfaced to a personal computer for the majority of its processing requirements, while a terminal is a self-contained processing device. Both are considered access devices in the context of the preferred embodiment. Both the terminals and the readers read and write to smart cards. Readers come in many forms and in a wide variety of capabilities. Smart card readers that interface to RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA ports and keyboards are presently available. Smart card terminals have their own operating systems and typically support other functions such as reading a magnetic card, network connectivity, transaction printing, and keypad entry. Both the terminals and the readers are consideredaccess devices504 in the context of the preferred embodiment.

Smart cards have the tremendous advantage, over their magnetic stripe ancestors, of being able to execute cryptographic algorithms locally in their internal circuitry. This means that the user's secrets (be these PIN codes or keys) never have to leave the boundaries of the tamper-resistant silicon chip, thus bringing maximum security to the overall system where the cards are used. Smart-cards contain special-purpose microcontrollers with built-in self-programmable memory and tamper-resistant features intended to make the cost of a malevolent attack more than any benefits gained from the attack. Smart Card readers can also support the operation of a keypad that can be used to enter one or any combination of username, password or PIN codes in addition to the digital ID read from the access media by the access device.

In accordance with another important aspect of the present invention, and referring toFIG. 24, a biometric identification reader access device in use with an access media is implemented as thehardware key54 is shown in the illustrated functional block diagram, and generally indicated505. As organizations search for more secure authentication methods for user access, e-commerce, and other security applications, biometrics is increasingly gaining attention in the marketplace. A biometric is one of the most secure and convenient authentication tool. It cannot be borrowed, stolen, or forgotten and is practically impossible to forge. Biometrics measure an individuals' unique physical or behavioral characteristics as a way to recognize or authenticate their identity. Common physical biometrics include fingerprints; hand or palm geometry; and retina, iris, or facial characteristics. Behavioral characters include signature, voice (which also has a physical component), keystroke pattern, and gait.

A biometric system works by capturing the chosen biometric with a biometric reader. The reader converts the biometric into a digital identification that is stored in a local repository for comparison during authentication. In the case of the preferred embodiment, thebiometric reader506 is equivalent to the access device; thebiometric identification data507 is equivalent to the digital ID created when the access device reads thefingerprint508 access media; and the local repository that stores the biometric identification data can be the transaction clearinghouse. When logging into the secure transaction system, the account holder would have the chosen biometric (e.g., access media—fingerprint, palm, etc.) scanned by thebiometric reader506, forwarded to the clearinghouse using the previously described log-in process (FIGS. 15-20). The digital ID created by the biometric data would be compared to the digital ID already stored in the transaction clearinghouse for authenticity. It is also possible in the preferred embodiment to combine the digital ID created by the biometric scan to be supplemented with one or any combination of username, password, or PIN in addition to the digital ID read from the access media by the access device. Biometric identification can be also combined with smart cards or magnetic cards in the preferred embodiment.

In accordance with another important aspect of the present invention, and referring toFIG. 25, a secure central processing unit (CPU) in use with an access media is implemented as thehardware key54 is shown in the illustrated functional block diagram, and indicated generally at509. In order to secure the CPU, a trusted subsystem must be inserted into the standard personal computer platform. The trusted subsystem is then able to extend its trust to other parts of the whole platform by building a ‘chain of trust’ where each link extends its trust to the next one. In this way, the secure CPU subsystem provides the foundation for a fully trusted platform and a basis for extending trusted computing across system and network boundaries.

The root of trust is a small hardware device called a Trusted Platform Module (TPM)510. TheTPM510 is basically a secure controller that provides features like secure memory, cryptographic sign/verify, and an immutable key pair used to generate anonymous identities. In the preferred embodiment, the CPU and its associatedplatform511 is the access device and the secure memory of theTPM510 preferably acts as the access media and holds several types of unique digital IDs. Together they provide secure CPU functionality and provide all the functions of the account holder's PC. Another important feature of theTPM510 is the possibility of producing random numbers. TheTPM510 can create digital signatures using the random number generator as the source of randomness required by the digital ID generation process. In order to generate a unique digital ID, eachsingle TPM510 has a unique key that identifies the TPM.

With these capabilities, theTPM510 is able to produce a statistically unique digital fingerprint of the PC's basic input/output system (BIOS) firmware at boot time. This fingerprint is also called an integrity metric or cryptographic digest. Once this metric is available, it is saved in the TPM's secure memory location. During the PC boot process, other integrity metrics are collected from the PC platform, for instance, fingerprints of the boot loader and the operating system itself. Device drivers may be hashed; even hardware like PCI cards can be detected and identified. Every metric of theTPM510 is concatenated to the already available metrics. This generates a final metric, which provides a unique digital ID for the PC.

The digital ID can also be used to encrypt other unique digital identification including account numbers, digital certificates, etc., and store the results in the protected storage of the TPM. The protected storage of the TPM is essentially non-volatile storage that has a means of access control. This access control determines which entities (e.g., user, programs, etc.) have permission to read, write, modify, and update the secure memory of the TPM. It is assumed that protected storage has some form of access control protocol that is used to protect against certain kinds of attack.

A distributed architecture of the system software enablingmultiple web servers69, each of which may host their own copy of aserver34 to communicate and interact with one ormore transaction clearinghouses30 is shown inFIG. 26. As shown inFIG. 26, there aremultiple servers69 residing in a geographically distributed manner on the Internet, each one of them with their own copy of a secure transaction server. Thetransaction clearinghouse30 contains the enterprise wide account holder database, the transaction and demographics data warehouse, and controls the authentication and authorization of account holders on all theweb servers69.

When an account holder attempts to access a transaction service from any secure transaction enabled web sites, therespective server69 for that web site will need to authenticate the account holder. In order to perform account holder authentication, the secure transaction server will need to interact with thesystem transaction clearinghouse30 by establishing and maintaining a communication line between itself and the transaction clearinghouse. The information transmitted on this communication line is encrypted using a public/private key mechanism so that only authentic servers and an authentic transaction clearinghouse can communicate with each other. Theserver69 also implements the same mechanism in sending transaction data to the transaction clearinghouse's data warehouse.

The other secure transaction servers interact with thetransaction clearinghouse30 in the same manner. Thus a transaction service can host several geographically distributed secure transaction enabled web sites. Once an account holder is authenticated at one of the system enabled web sites, that account holder can access other likewise enabled web sites transparently using the same username, password, PIN combination, and the optional digital ID read from the access media by thehardware key54, without having to again provide their username, password, PIN, and optional digital ID thus creating a single sign-on scenario where transaction services and computer resources can be accessed from a multitude of sources. All the transaction data generated by the account holder on all these different enabled web sites will be reported back to the transaction clearinghouse, regardless of how the account holder accesses the different enabledweb servers69. In the configuration ofFIG. 26, thesame transaction clearinghouse30 was controlling all the secure transaction servers. However, the distributed architecture can be further extended to allow multiple secure transaction servers to interact withmultiple transaction clearinghouses30, which is shown inFIG. 27.

This also presents the possibility of transaction clearinghouses forming alliances with one another. For instance, in our example above, let's suppose transaction clearinghouse A and transaction clearinghouse B form a joint agreement that they will let each other's account holders access each other's account holder services, and each transaction clearinghouse will pay a share of the dividend to the other based on transaction volumes. In order to do this, system servers will need to be configured to perform authentication from both transaction clearinghouses. As a result, an account holder who is registered with transaction clearinghouse A can access account holder services that fall under transaction clearinghouse B.

With regard to the case ofserver1 hosting account holders A and B, since now an account holder registered with transaction clearinghouse A can also access account holder services that fall under transaction clearinghouse B, account holder “a” should be able to access account holder B throughserver1. In order to do this, theserver1 will need to change its configuration so that it is able to separate transaction clearinghouse A account holders from transaction clearinghouse B account holders. When account holder “a” tries to access transaction services,secure transaction server1 will interact with transaction clearinghouse A to do authentication, and if it is account holder “b”,secure transaction server1 will interact with transaction clearinghouse B.

In accordance with another aspect of the present invention, the manner in which messages are sent among the various components will now be described in connection with the preferred embodiments of the programs that are utilized by the system. In this regard, the following is a listing of the software products that are part of the preferred embodiment of the present invention. The documents identified are specifically incorporated by reference.

Account Holder Database

Product: Sybase SQL Server XI

Installing Sybase SQL Server for Microsoft Windows NT

Sybase SQL Server Release 11.0.x

Document ID: 34714-1101-02

Last Revised: Mar. 6, 1996

Introducing Sybase SQL Server for Microsoft Windows NT

Sybase SQL Server Release 11.0.x

Document ID: 31965-1101-02

Last Revised: Feb. 10, 1996

Configuring and Administering Sybase SQL Server for Microsoft Windows NT

Sybase SQL Server Release 11.0.x

Document ID: 36446-1101-02

Last Revised: Feb. 22, 1996

Installing Sybase Products on Sun Solaris 2.x (SPARC)

Open Client/Server Release 11.1.x

Document ID: 35075-1100-03

Last Revised: Sep. 10, 1996

Open Client/Server Configuration Guide for UNIX

Open Client/Server Release 11.1.x

Document ID: 35831-1100.quadrature.02

Last Revised: Aug. 21, 1996

Open Client/Server Programmer's Supplement for UNIX

Open Client/Server Release 11.1.x

Document ID: 35456-1100-04

Last Revised: Aug. 23, 1996

Sybase SQL Server Utility Programs for UNIX

Sybase SQL Server Release 10.0

Document ID: 30475-01-1000-04

Change Level: 1

Last Revised: Feb. 1, 1994

Sybase SQL Server System Administration Guide

Sybase SQL Server Release 10.0

Document ID: 32500-01-1000-03

Change Level: 3

Last Revised: Jun. 17, 1994

Sybase SQL Server Reference Manual:Volume 1 Commands, Functions, and Topics

Sybase SQL Server Release 10.0

Document ID: 32401-01-1000-03

Change Level: 2

Last Revised: Jun. 17, 1994

Sybase SQL Server Reference Manual:Volume 1 System Procedures and Catalog Stored Procedures

Sybase SQL Server Release 10.0

Document ID: 32402-01-1000-03

Change Level: 2

Last Revised: Jun. 17, 1994

Sybase SQL Server 11 Unleashed

by Ray Rankins, Jeffrey R Garbus, David Solomon, and Bennett W McEwan

ISBN #0-672-30909-2

Library of Congress Catalog Card #95-72919

Sams Publishing, 201 West 103rd Street, Indianapolis, Ind. 46290

Sybase Developer's Guide

by Daniel J Worden

ISBN #0-672-30467-8

Library of Congress Catalog Card #93-87172

Sams Publishing, 201 West 103rd Street, Indianapolis, Ind. 46290

ODBC Driver

Intersolv DataDirect ODBC Drivers

Intersolv DataDirect ODBC Drivers Installation Guide

Microsoft Windows, Microsoft Windows 95, Microsoft Windows NT, and OS/2

Intersolv ServiceDirect Handbook

Fourth Edition November 1995

Inside ODBC by Kyle Geiger

ISBN #1-55615-815-7

Library of Congress Catalog Card #95-18867

Microsoft Press

Server Application (Web Server)

Product: Netscape Enterprise Server
Netscape Enterprise Server Version 2.0 Administrator's Guide

Netscape Communications Corporation

501 East Middlefield Road

Mountain View, Calif. 94043

802-7610-10

Netscape Enterprise Server Version 2.0 Programmer's Guide

Netscape Communications Corporation

501 East Middlefield Road

Mountain View, Calif. 94043

802-7611-10

Client Application (Web browser)

Product: Netscape Navigator

Netscape Navigator Gold Authoring Guide

Netscape Communications Corporation

501 East Middlefield Road

Mountain View, Calif. 94043

802-7612-10

Using Netscape

ISBN #0-7897-0211-8

Library of Congress Catalog #95-67809

Que Corporation

201 W. 103rd Street

Indianapolis, Ind. 46290

Hardware Key

Product: iKey 1000 Smart Token (Hardware Token)

Rainbow Technologies, Inc.

50 Technology Drive

Irvine, Calif. 92618

Product: Mag-Wedge Reader (Magnetic Card Reader)

Magtek

20725 South Annalee Avenue

Carson, Calif. 90746

Product: GemPC430 (Smart-Card Reader)

Gemplus Corporation

3 Lagoon Drive

Redwood City, Calif. 94065-1566

Product: FIU/SS2K (Fingerprint Biometric Reader)

Sony Electronics, Inc.

1 Sony Drive

Park Ridge, N.J. 07656-8002

Product: TPM (Trusted Platform Module—Secure CPU)

Infineon Technologies North America Corporation

1730 North First Street

San Jose, Calif. 95112

The secure transaction system (STS) is the preferred embodiment of the present invention in the web environment. The following table lists the STS software components as they relate to the present invention:


Preferred Embodiment Component	STS software component

Transaction clearinghouse user authentication	userauthd
daemon
Transaction clearinghouse transaction daemon	transactiond
Transaction clearinghouse administration	ch_admin.exe
software
STS Server Session Manager	sessiond
STS shard object for Web server	sts.so
STS log-in CGI's	start_login.cgi
	login.cgi
	vrfypswd.cgi
STS re-authentication CGI's	check_key.cgi
	verify_key.cgi
STS online application CGI's and HTML	application.html
	application.cgi
	account holder.cgi
	verify_applicant.cgi
STS online activation CGI's	activate.cgi
	check_activate.cgi
STS password change CGI's	pswd_chg_form.cgi
	chg_pswd.cgi
STS Site Administration CGI's	add_profile.cgi
	del_subs.cgi
	srvconf.cgi
	admin_subs.cgi
	profile.cgi
	stadmin.cgi
	chng_srvconf.cgi
	data_dumprestore.cgi
	smgr_restart.cgi
	upd_profile.cgi
	data_recovery.cgi
	smgr_start.cgi
	upd_subs.cgi
	del_profile.cgi
	smgr_stop.cgi
STS Account holder software	STS Client Plug-in
	STS ActiveX component

Following is a description how these STS components can be configured, initialized, and how their day-to-day operation can be monitored. It should be understood that the component names used in these descriptions are specific to STS, and the procedures described to perform the day-to-day operation are specific to STS components, more so as an example of the preferred embodiment of the present invention in the web environment.

With respect to the configuration files that are necessary for operating the various software components of the system, each component has its own configuration file as shown below:


	Daemon/Server	Configuration Filename

	User Authentication	userauthd.conf
	Transaction	transactiond.conf
	Session Manager	sessiond.conf
	Web Server	magnus.conf
		obj.conf
		mime.types

Each daemon accepts the name of its configuration file as a command line argument when starting the daemon. The format of the command line is:

- <daemon name><configuration file>.

The transaction clearinghouse daemons can be started by using standard shell scripts.

For the account holder authentication daemon userauthd.conf), the following configuration files apply:


PARAM-
ETER	DESCRIPTION

logdir	Absolute pathname specification of the directory which this
	daemon is to create its log files in. Two instances of the
	same daemon type (e.g., userauthd) cannot log to the same
	directory. The daemon will not start up if it is un-able to write
	to the directory.
service	Specifies the TCP port number which the daemon is to use
	to listen for requests. This can be a numeric or alphanumeric
	entry. If the entry is alphanumeric, there should be a
	corresponding entry in the/etc/services/file.
dbserver	The name of the database server to connect to. This entry
	should correspond to an entry in the database server
	interface file.
dname	The name of the database to use. A database server can
	control many databases.
dbuser	The name of the database user to use when connecting to
	the database. Database users can be used to control what
	processes (or daemons) can connect to the database and
	also what permissions they have when they connect.
	Typically all transaction clearinghouse components will use
	the same database server name, database name, database
	username and hence database user password entries in
	their configuration files.
dbpswd	The password to use for the above database user. The file
	permissions for this configuration should be set according
	knowing that it contains a database username and
	password.

For the transaction daemon (transactiond.conf), the following configuration files apply:


PARAM-
ETER	DESCRIPTION

logdir	Absolute pathname specification of the directory which this
	daemon is to create its log files in. Two instances of the
	same daemon type (e.g., transactiond) cannot log to the
	same directory. The daemon will not start up if it is unable to
	write to the directory.
service	Specifies the TCP port number which the daemon is to use
	to listen for requests. This can be a numeric or alphanumeric
	entry. If the entry is alphanumeric, there should be a
	corresponding entry in the/etc/services/file.
dbserver	The name of the database server to connect to. This entry
	should correspond to an entry in the database server
	interface file.
dname	The name of the database to use. A database server can
	control many databases.
dbuser	The name of the database user to use when connecting to
	the database. Database users can be used to control what
	processes (or daemons) can connect to the database and
	also what permissions they have when they connect.
	Typically all transaction clearinghouse components will use
	the same database server name, database name, database
	username and hence database account holder password
	entries in their configuration files.
dbpswd	The password to use for the above database user. The file
	permissions for this configuration should be set according
	knowing that it contains a database username and
	password.

For the session manager (sessiond.conf), the following configuration files apply:


Parameter	Description

SESSIOND_UDP_PORT	Specifies the UDP port which the session manager
	will use to list for requests from CGI programs.
SESSIOND_TCP_PORT	Specifies the TCP port which the session manager
	will use to listen for replies from the transaction
	clearinghouse.
TRANSACTION_CLEARINGHOUSE_HOST	The UNIX host name that the transaction
	clearinghouse server is running on. When the session
	manager communicates with the transaction
	clearinghouse, this entry forms part of the address.
TRANSACTION_CLEARINGHOUSE_PORT	This entry specifies the TCP port which the session
	manager should use when communicating with the
	transaction clearinghouse transaction daemon. The
	session manager uses this entry and the
	TRANSACTION CLEARINGHOUSE_HOST entry to
	build the complete address for the transaction
	daemon. This port number should match the port
	number defined in the service entry of the transaction
	daemons configuration file.
TRANSACTION_CLEARINGHOUSE_URL_PORT	This entry specifies the TCP port which the
	session manager should use when communicating
	with the transaction clearinghouse URL tracking
	daemon. The session manager uses this entry and
	the TRANSACTION CLEARINGHOUSE_HOST entry
	to build the complete address for the URL tracking
	daemon. This port number should match the port
	number defined in the service entry of the URL
	tracking daemons configuration file.
TRANSACTION_CLEARINGHOUSE_AUTH_PORT	This entry specifies the TCP port that the
	session manager should use when communicating
	with the transaction clearinghouse account holder
	authentication daemon. The session manager uses
	this entry and the TRANSACTION
	CLEARINGHOUSE_HOST entry to build the
	complete address for the account holder
	authentication daemon. This port number should
	match the port number defined in the service entry of
	the account holder authentication daemons
	configuration file.
COMPANY_NO	Unique ID assigned to each company defined with the
	secure transaction server system.
ACCOUNT HOLDER_ID	Unique ID assigned to each account holder defined
	for a company in the secure transaction server
	system.
KEYCHECK_INTERVAL	The number of seconds that will elapse before the
	secure transaction server asks the browser to check
	for the existence of the access device.
REFRESH_TIME	The amount of time (in seconds) that must expire
	without any session activity before a session is
	considered inactive and terminated.
SESSION_REFRESH_INTERVAL	The amount of time (in seconds) that must
	elapse with no new connection requests to the secure
	transaction server, which will cause the secure
	transaction server to stop listening for incoming
	connections and go examine the its internal session
	table to see if any sessions have become idle (refresh
	time has expired for the session). It will clean up idle
	sessions and resume listening for incoming
	connection requests.
LOCAL_TRANSACTION_TRACK	Indicates if the transaction tracking data is
	stored locally as well as being sent to the transaction
	clearinghouse for storage. Valid entries are YES or
	NO.
MAX_RESEND_NO	If the secure transaction server does not get a
	confirmation message back from the transaction
	clearinghouse for information it sent to the secure
	access transaction clearinghouse, the secure
	transaction server will resend the data until we get a
	confirmation message or until the maximum times to
	resend transaction data has been exceeded.
ADMIN_EMAIL_ADDR	When an event occurs that requires intervention from
	an administrator, notification is sent to this email
	address.
MAIL_BIN	Absolute filename specification of the program to use
	to send email notification to the person defined in
	ADMIN_EMAIL_ADDR.
TRANSACTION	This defines the granularity of the transaction data
	that the session manager records about a session.
	There are two valid entries: SESSION or TRAN.
	TRAN indicates that the session manager should
	record information about every transaction that
	occurred in a session. SESSION indicates that only
	information regarding the session should be stored,
	i.e., session start and end times, account holder ID,
	number of transactions that occurred in session
	manager.
LOCAL_AUTHENTICATION	Indicates if account holder authentication should be
	performed against a local database as opposed to the
	transaction clearinghouse database. Valid entries are
	YES or NO. YES indicates that authentication should
	be performed locally, while NO indicates the opposite.
RUNTIME_DIR	This is the default directory for the secure transaction
	server. Here is where the secure transaction server
	will create log files and other dynamic run time files
	required for successful operation.

For the web server (magnus.conf), in order that the system sharedobject66 component works correctly with the web server, the following changes need to be made to the magnus.conf file:


#
# load the account holderaccount holder access specific NSAPI functions
#
Init fn=load-modules shlib=/usr/ns-home/bin/load_modules/sts.so
funcs=init-sts,restrict-by-sts,log-end,restrict-by-rpa
#
#call init-sts to initialize sts server specific NSAPI
#variables
#
Init fn=init-sts
Sm_host=localhost
login_url=http://10.199.199.7/cgi-bin/gatekpr/login.cgi
keycheck_url=http://10.199.199.7/cgi-bin/gatekpr/check_key.cgi
smerr_url=http://10.199.199.7/gatekpr/session_err.html

It should be noted that all the <variable>=<value> pairs listed above should appear on the line beginning Init if and should be separated with spaces. Each variable/pair value was listed on a separate line to aid clarity.

The following describes the meaning of each of NSAPI variables:

Sm_host: hostname or the IP address of the machine hosting session manager daemon(s)

login_url: URL for the account holderaccount holder access login CGI

keycheck_url: URL for account holderaccount holder access re-authentication CGI

smerr_url: URL for error HTML for session manager errors (configurable)

For the web server (obj.conf), for each directory protected by the secure transaction system, the following entries need to be inserted in obj.conf:


	<Object ppath=“/usr/ns-home/htdocs_unsecure/demosite/*”>
	PathCheck fn=“restrict-by-sts”
	log_head=“prism_login.txt”
	session_port=“50420”
	trailer=“prism_tail.txt”
	err_head=“prism_err.txt”
	digest=“5”
	AddLog fn=“log-end”
	</Object>

Once again, each entry was placed on a separate line for clarity but when adding them to the configuration file all the entries should be on the same line, separated by spaces.

The variable meaning is as follows:

log_head: text file containing the HTML header tags for the login page

session_port: session manager's port number

trailer: text file containing the HTML trailer tags for login page and error pages

err_head: text file containing the HTML header tags for error pages

digest: message digest type to use for one-time-password encryption (4-MD4; 5-MD5)

For the web server configuration file (mime.types), one line needs to be added to the mime.types configuration file. The line is:

- type=application/x-protect exts=pro

The positioning of the new line within the configuration file is not important. Adding this line enables any file with the extension pro to automatically invoke the client side software to process the file.

With respect to routine operating procedures, there are general guidelines for the orderly start up and shutdown of the system of the present invention. To start up the system, there are a sequence of activities that are involved. First, each server should be configured through its configuration files. Each of the transaction clearinghouse servers is started by a series of shell strips, which in a typical installation, will be in the directory named/usr/local/sts/transaction clearinghouse. The/usr/local part of the previous pathname was the directory specified at installation time. The scripts are named start_userauthd.sh, start_transactiond.sh and start_urltrackd.sh. After the scripts are executed, the PS-EF command is used to check if the following processes exist: userauthd, transactiond and urltrackd. The next step is to start up the database server which requires login as the account holder sybase. This login will have an environment variable called SYBASE which defines what directory SYBASE was installed to. It is necessary to move to the directory $SYBASE/bin. For each database server to be started, there is a filed called RUN_<SERVER_NAME>. If two database servers called STS and STS_backup were created during the installation, the start up files would be called RUN_STS and RUN_STS_BACKUP. This start up file should be used in conjunction with the startserver program. The exact syntax is: startserver {-f<startup files>}. To continue the example from above, the command would be: startserver -f RUN_STS -f RUN_STS_BACKUP.

With respect to the session manager, it can be started by a shell script and there will be one instance of the session manager per account holder per company. If the installation directory was specified to be/usr/local then the session manager start up scripts will be found at/usr/local/STS/sessionmgr. The naming convention for the start up scripts is: start_<account holder name>.sh. Each account holder will have its own directory off of/usr/local/STS/sessionmgr.

With respect to the web server, once its configuration files have been modified as indicated above, the account holder access component will automatically be used once the web server is started. As web servers from different vendors require different start up procedures, it is assumed that this information is already known.

With respect to shutdown, of the system and particularly the web server, it is best to start with the secure transaction server as this is the first point of contact for the account holder's browser. Like the start up procedure for the web server, the shutdown procedure will differ for each different web server.

With respect to the session manager, it is recommended that shutdown of it be done from within the server side administration program. The browser should be pointed at the URL where the server site administration program is located and the administer button for the session manager that is wanted to be stopped should be clicked. A data dump on the session manager should be performed before stopping it to avoid loss of data contained within the manager to be stopped. This is executed by entering the complete passname of the data dump file and clicking the data dump button. With respect to the transaction clearinghouse, the transaction clearinghouse daemons are shutdown using the kill command. The process identification numbers for each of the servers should be found by getting a list of all processes and searching for the process names of the start up procedures. Once the process identification numbers have been established, the command kill -9<pid>{<pid>} should be used.

With respect to the database server, it can be shutdown using the following steps:


login into isql as the system administrator
type “shutdown <backup database server name>”
type “go”
type “shutdown”
type “go”
hadji:>isql -Usa -P -SSTS
1>shutdown SYB_BACKUP
2> go
Backup Server: 3.48.1.1: The Backup Server will go down immediately.
Terminating sessions.
1>shutdown
2> go
Server SHUTDOWN by request.
The SQL Server is terminating this process.
00:97/05/14 14:52:40.23 server SQL Server shutdown by request.
00:97/05/14 14:52:40.24 kernel usshutdown: exiting DB-LIBRARY error:
Unexpected EOF from SQL Server.
hadji:>

It should be understood from the foregoing that a secure transaction system has been shown and described which enables a business to have total control over account holder access, transaction tracking and billing over an untrusted network such as the Internet world wide web. The system has many desirable attributes and features that enable it to provide such functionality. Moreover, it is extremely flexible in that it can operate to function with multiple servers and multiple transaction clearinghouses if desired. Moreover, two-factor authentication enables the system to frequently determine if a account holder is authentic and the system also functions to authenticate servers as well. A secure platform for businesses to securely provide transaction services to the world wide web in a way that assures revenue generation if that is a goal is a prominent feature of the system of the present invention.

While various embodiments of the present invention have been shown and described, it should be understood that other modifications, substitutions and alternatives are apparent to one of ordinary skill in the art. Such modifications, substitutions and alternatives can be made without departing from the spirit and scope of the invention, which should be determined from the appended claims.

Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.