
Method Of Secure Credential Assertion In An External Or Delegated Authentication System

Abstract: The invention discloses a method of setting up a secure communication channel between a client computing device and a resource server by logically segregating the communication into three segments: the user channel, the safe zone and the resource channel. The safe zone performs an internal mapping of proprietary, restricted and policy-controlled credentials to well-known, powerful and unrestricted Security Assertions, which ensures that the insecurity of the user channel is not carried forward to the resource channel and so cannot compromise the security of the resource channel. The safe zone is implemented by introducing a security enhancing gateway (SEG) between the client computing device and the resource server.


Patent Information

Filing Date: 29 July 2013
Publication Number: 33/2015
Publication Type: INA
Invention Field: COMPUTER SCIENCE

Applicants

CIPHERGRAPH NETWORKS PRIVATE LIMITED
ELAGAAN BIZTECH LABS, 1ST FLOOR, 19 KNGOVINDA REDDY LAYOUT, AREKERE MICO LAYOUT BANNERGHATTA ROAD, BANGALORE - 560076

Inventors

1. RAGURAMAN, ARUN
1ST FLOOR, 519, 3RD BLOCK, BEHIND BDA COMPLEX, KORAMANGALA, BANGALORE - 560 034
2. SHARAN, JITENDER
D4, SRADDHA GREEN MEADOWS, RUSTM BAGH, OLD AIRPORT ROAD, BANGALORE - 560017
3. SHRIVASTAVA, ABHISHEK KUMAR
SA-806, PURVA SUNSHINE, SARJAPUR ROAD, BANGALORE - 56003

Specification

METHOD OF SECURE CREDENTIAL ASSERTION IN AN EXTERNAL OR DELEGATED AUTHENTICATION SYSTEM

FIELD OF INVENTION

[0001] The present invention generally relates to a method and system for connecting a user with a network resource through a secure communication network, and more particularly to a method and system for authenticating, controlling and monitoring the user's access to resources hosted on a resource server.

BACKGROUND

[0002] In organizations today, users are able to connect to and access the company's resources remotely through the Internet or any other communication network. However, the communication links between users' computing devices and the company's resource servers are prone to external attacks, which can take the form of a virus attack on the computing device, eavesdropping, impersonation and so on. Hence the communication links between the user's computing device and the resource server are not completely secure.

[0003] To make access to diverse and distributed information resources of a company more secure as well as easier for users, distributed authentication systems are now a part of most major companies' information technology infrastructure. Distributed systems make use of delegated authentication to allow different users to access the company resources.

[0004] In a distributed system environment, three entities are involved: first, a client computing device that is trying to access a resource such as email, a website, an application, etc.; second, a server or servers hosting one or more of these resources; and third, an Authentication Provider.

[0005] In this authentication method, the authentication provider is responsible for validating a user's credentials using the selected mechanism or mechanisms, such as username/password validation, certificates, two-factor authentication, etc. It then generates and provides a Security Assertion to the user, asserting that the user is now authorized to access a set of resources in the system for a fixed amount of time. Security Assertions are stored on the client computing device in volatile or non-volatile memory. When the user needs to access a resource on a server, the client presents the relevant Assertion to the server, and the user is then allowed access to the resource. Assertions thus provide a powerful mechanism for authentication and Single Sign-On: the user needs to procure the Assertions only once and gains access to multiple resources. These assertions can be reused any number of times as long as their period of validity has not expired and they have not been invalidated for any other reason.

[0006] In the open and insecure environment of a distributed system, the client computing device, the server and the authentication provider are the three potential points of failure. Of these three, the latter two, the server and the authentication provider, can be operated within controlled and secured environments with severe restrictions on their functionality, as they are under the control of the company. This allows them to maintain a very limited attack surface. However, to allow for mobility and a greater range of functionality, the client computing device is not limited by these restrictions and is thus vulnerable to various client attacks which can lead to the compromise of stored assertions. These attacks can be targeted at the client computing device itself or at the network connection used by the client computing device; such attacks include but are not limited to DNS hijacking, ARP spoofing, other impersonation attacks, malware such as viruses, rootkits and worms, cross-site scripting, eavesdropping, packet capture, etc. Hence the client computing device and the communication network between the client computing device and the server are both prone to different types of attacks. To secure both the client computing device and the communication network from these different types of attacks, different mechanisms have to be implemented at various levels of the communication network. These types of attacks can compromise the security assertions that authenticate the client computing device to the server.

[0007] Hence, due to the non-granular and unrestricted nature of security assertions which is required to give them the versatility of operation that they offer, an attacker who gains access to an assertion can access any resource that the user has access to. A system employing delegated authentication is not designed to limit the damage caused by compromise of the security assertion. Hence the company's resource servers are vulnerable to leakage of information, damage and data loss if the attacker gains access to a security assertion.

[0008] Hence, in light of the drawbacks of the existing system, what is needed is a system and method that can stop the misuse of a security assertion that has been compromised by a cyber attack. Further, there is a need for a system and method that can shield the resource servers from unauthorized access. Additionally, there is a need for a system and method that can continuously monitor the communication channel between the client computing device and the resource server and report and react to any malicious behavior from the client computing device.

SUMMARY

[0009] The present invention provides a method and system for establishing a secure communication channel between a remote client computing device and a resource server where the client computing device is accessing the resource server to gain access to the resources hosted on the resource server.

[0010] In one embodiment of the invention, the user who wishes to access the resources hosted on a resource server sends a request to the resource server from the user's client computing device. The said request between the client computing device and the resource server goes through a communication channel formed by the data flow between the client computing device and the resource server. In one embodiment of the invention, the communication channel is logically segregated into three segments namely user channel, security enhancement zone and resource channel. The logical segregation completely isolates the segment in which security assertions are produced and consumed from the segment in which the user consumes the resources they require. This isolation is performed, enforced and managed by the security enhancement zone which performs a seamless synchronization between the user channel and the resource channel.

[0011] In one embodiment of the invention, the user who wishes to access the resources hosted on a resource server sends a request to the resource server from the user's client computing device. The resource server directs the request coming from the client computing device to pass through a secure zone, where the secure zone authenticates the client computing device and monitors the data flow between the client computing device and the resource server. Further, the secure zone consists of a security enhancement gateway and the security assertion provider. The secure zone stores a security assertion associated with the client computing device, where the security assertion authenticates the client computing device to the resource server. Further, the security enhancement gateway generates an access token for accessing the said resource hosted on the resource server. Further, the security enhancement gateway sends the access token to the client computing device and establishes a communication between the secure zone and the client computing device. The said request to access the resource hosted on the resource server is forwarded to the secure zone with the access token attached to it. Based on the access token, the security enhancement gateway identifies the relevant security assertion and the client computing device and removes the access token from the said request. Further, the security enhancement gateway adds the relevant security assertion of the client computing device to the said request and forwards the said request with the security assertion to the resource server. In this way, a second communication channel is established between the resource server and the secure zone.

[0012] In one of the implementations of the invention, articles of manufacture are provided as computer program products. One implementation of a computer program product provides a computer program storage medium encoding a computer program that can be read and executed by a computer system. In another implementation of the invention, a computer program product may be provided in a computer data signal embodied in a carrier wave by a computing system and encoding the computer program.

[0013] One implementation of the computer program product encodes a computer program to logically segregate the communication channel between a client computing device and a resource server into three segments namely user channel, security enhancement zone and resource channel. The logical segregation completely isolates the segment in which security assertions are produced and consumed from the segment in which the user consumes the resources they require. This isolation is performed, enforced and managed by the security enhancement zone which performs a seamless synchronization between the user channel and the resource channel.

[0014] The summary is provided to give a brief idea of the invention and is not intended to be used as a means for limiting the scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015] FIG. 1 is a diagram depicting an environment where the delegated authentication works according to one embodiment of the invention.

[0016] FIG. 2 illustrates communication flow between the client computing device and the resource server through a security enhancement gateway.

[0017]

DETAILED DESCRIPTION

[0018] The exemplary embodiments, described in this section with details, are provided merely to illustrate the principles of the invention. Various details are set forth for the purpose of explanation rather than limitation. However, it will be apparent to a person skilled in the art that the invention can be practiced without these details and the given exemplary embodiments should not be construed as limiting the scope of the invention. Some of the terms as used in the patent application have been described below without limiting the scope of the invention.

[0019] Definitions:

[0020] Server: A server is a physical computer (a computer hardware system) or a virtual machine (software implementation of a machine that executes programs like a physical machine) dedicated to running one or more services (as a host) to serve the needs of users of the other computers on the network. Depending on the computing service that it offers it could be a database server, file server, mail server, print server, web server, or any other computing server.

[0021] Computing Node: A device or system capable of processing / executing computing operations, with a layer of software or firmware to implement the computing logic that governs its functioning. A computing node may have auxiliary features like storage.

[0022] Security Assertions Consumer: A computing node which provides resources to an end-user, and accepts credentials or security assertions as proof that the end-user is authorized to access the resource in question.

[0023] Client Computing Device: Computing node as a device used by an end-user of the system - could be either a mobile node or a static node. The device could be a computer, laptop, mobile phone or any other device that has capabilities to run and execute software codes.

[0024] Delegated Authentication: Delegation is the act of allowing a computing node to impersonate a user account or computer account in order to access resources throughout the network.

[0025] Security Assertions: A block of binary (possibly) or textual information which confers permission on the possessor to access resources located on one or more Servers.

[0026] Authentication Service Provider: Computing node which accepts credentials (username/password etc.) from an end-user and verifies them. When operated as a Security Assertions Provider, it also provides a Security Assertion (or multiple of them) to the end-user, thus providing Single Sign-On functionality.

[0027] Single Sign on: A method whereby an end-user who wishes to consume resources on multiple servers which require authentication presents their credentials (username/password etc) to a central server. The central server then provides them with some credential/token (possibly a Security Assertion) allowing the end-user to access resources on multiple servers simply by presenting this token without having to present their credentials again.

[0028] Distributed System: A system consisting of multiple computing nodes connected by networks.

[0029] Tunneling: A method by which data may be transmitted from one computing node to another computing node over a network. This method involves some form of encapsulation of the data.

[0030] Malware: Software programs which illegitimately take over some or all parts of the functionality of a computing node.

[0031] Spoofing: A class of cyber attacks on a computing node where an (attacker) computing node impersonates another known computing node, to gain illegitimate access to data or even take over the attacked computing node.

[0032] Eavesdropping: A class of cyber attacks on a network which is used to intercept data flowing through the network, and thus gain illegitimate access to privileged information.

[0033] Security Enhancing Gateway (SEG): A computing node inserted into a system using delegated authentication. This node separates the insecure User Channel (Client Computing Device + client network) from the secure Resource Channel (Servers + server network[s]) by ensuring that Security Assertions only travel on the Resource Channel, while the User Channel only gets security tokens which can be heavily protected from misuse by an attacker who compromises them. This node polices all traffic from the Client Computing Device by applying centralized policy to every flow of traffic, not just the authentication step.

[0034] Safe Zone: A zone created by inserting the SEG into a distributed system using delegated authentication. This zone has just a single node - the SEG. This is a safe zone as it is relatively isolated from attackers, and maintains a sanitizing environment (i.e. safe zone) where Security Assertions are mapped to security tokens, the mappings being stored in the SEG.

[0035] User Channel: A communication channel connecting a Client Computing Device and client network to the distributed system.

[0036] Resource Channel: A communication channel connecting Servers and their networks to the distributed system.

[0037] The embodiments are described below in order to explain the invention by referring to the figures.

[0038] FIG. 1 is a diagram depicting an environment where the invention may be practiced, according to one embodiment of the invention. Illustratively, the environment comprises a client computing device 102 through which a user can connect to a resource server 106 via a communication network 104. The client computing device 102 is a device that enables a user to access a network resource of an organization over a communication network. Examples of the client computing device 102 include but are not limited to laptops, personal desktop computers, mobile phones, Personal Digital Assistants (PDAs), iPads™, tablets, Internet kiosk devices or any other communication and processing device. Thus, the user can connect with the resource server 106 remotely or while travelling. The destination resource server 106 as referred to in this specification is a server or cluster of servers hosting a website or a network resource of an organization that the user wishes to access. The destination resource server 106 may thus span one or more networks, such as several branch offices, other deployments or departments of the organization, including but not limited to a cloud-hosted or virtual deployment of the organization. The resource server 106 can be accessed through a communication network 104, where the communication network can be the Internet, a mobile communication network, 2G, 3G, CDMA, GPRS, WLAN, LAN or any other form of communication network that makes data transmission feasible between any two computing nodes.

[0039] FIG. 1 shows the functioning of the invention with respect to a delegated authentication system. As shown in FIG. 1, the delegated authentication system primarily consists of three main components: a client computing device 102, a resource server 106 and an authentication provider 108. The client computing device 102 sends a request to access the resource server 106 through a communication network 104. The client computing device 102 sends the request through a web browser, through email, through GPRS signals or through any other means of accessing the resource server 106. The resource server 106 is a computing node hosting resources such as a web server, email server, data server, document server or any other server within an organization that can store data and provide it to users on request. The resource server is able to interpret the user's credentials for access to the various resources hosted on the server 106. Further, the resource server is able to decipher the security assertion, security token, security certificate, security ticket or any other means that authenticates the user's credentials for access to the resources. In one embodiment of the invention, the user's credentials can be a user name and password. In another embodiment of the invention, the user's credentials can be cookies or certificates stored in the client computing device 102. Hence the resource server 106 can verify different types of user credentials and allow the user to access the resources hosted on the resource server 106.

[0040] In a delegated authentication system, apart from a client computing device 102 and a resource server 106, there is an authentication provider 108. The authentication provider 108 is the entity responsible for authenticating the users and the client computing device 102. Based on the inputs from the authentication provider 108, the resource server 106 allows the client computing device 102 access to different resources. In one embodiment of the invention, the authentication provider 108 can be a security assertion generator. Based on the inputs from the client computing device 102, the authentication provider 108 generates the security assertions for the client computing device 102. These security assertions authenticate the client computing device's access to different resources. The resource server 106 understands the security assertion generated through the authentication provider 108. In another embodiment of the invention, the authentication provider can be a system that generates security tickets, security certificates or security tokens to authenticate the user to the resource server 106. Hence, it is clear to a person skilled in the art that the authentication provider can be implemented with any technology that can authenticate the user's credentials for the resource server 106.

[0041] In an embodiment of the invention, FIG. 1 shows the working of the delegated authentication system as a four-step method. First, the client computing device 102 sends a request to the resource server 106 to access one of the resources hosted on the resource server 106. The resource server 106 checks whether the client computing device 102 is authenticated to access the said resource hosted on the resource server 106. To check the authentication of the client computing device 102, in an embodiment of the invention, the resource server 106 checks whether the said request to access the said resource is accompanied by a security assertion allowing access to the said resource. If the said request is not accompanied by such a security assertion, the resource server 106 asks the client computing device 102 to obtain a security assertion allowing access to the said resource. In the next step of the method, the client computing device 102 sends the said request to the authentication provider 108 and requests the authentication provider 108 to issue a security certificate for access to the said resource on the resource server 106. Based on the received request, the authentication provider 108 generates a security certificate for the client computing device 102. In one embodiment of the invention, the security certificate is a security assertion associated with the client computing device 102. The authentication provider 108 then sends the security assertion to the client computing device 102. After receiving the security assertion, the client computing device 102 resends the said request with the received security assertion to the resource server 106. The resource server 106 checks the security assertion and allows the client computing device 102 access to the said resource. If the security assertion is compromised through a cyber attack, the security of the delegated authentication system is compromised. Therefore, the transfer of the security assertion from the authentication provider 108 to the client computing device 102 is a major source of security breaches in the delegated authentication system. The invention therefore proposes a secured mechanism of delegated authentication in which the security of the system does not depend on the movement of the security assertion from the authentication provider 108 to the client computing device 102.

[0042] FIG. 2 illustrates the communication flow between the client computing device 102 and the resource server 106 through a security enhancement gateway 202, where the security enhancement gateway 202 logically segregates the communication flow between the client computing device 102 and the resource server 106 into three segments. FIG. 2 illustrates the three logical segments of the communication flow, namely the user channel, the safe zone and the resource channel. The three-way logical segregation of the communication flow completely isolates the segment in which Security Assertions are produced and consumed from the segment in which the client computing device 102 consumes the resources to which it has requested access. The user channel carries all the communication that originates from the client computing device 102 and that the client computing device 102 receives from the safe zone. The safe zone, or security enhancement safe zone, carries the communication flow between the security enhancement gateway 202 and the authentication provider 108. Further, the security enhancement safe zone monitors and directs the communication flow between the client computing device 102 and the resource server 106. The resource channel carries all the communication generated by the resource server 106 and the communication flow that takes place between the safe zone and the resource server 106. The three-way logical segmentation of the communication flow is performed, enforced and managed by the security enhancement safe zone, which performs a seamless synchronization between the user channel and the resource channel.

[0043] The security enhancement safe zone is operated by a software system and/or computing node called Security Enhancing Gateway (SEG) 202. The security enhancing gateway 202 is the broker system that performs the authentication process on behalf of the client computing device 102 and stores the mapping between a Security Assertion and the authentication token. The security enhancing gateway 202 forwards authentication requests to the authentication provider 108, and retrieves Security Assertions generated by the authentication provider 108 on successful authentication. Further, the security enhancing gateway 202 stores the User's Security Assertions in a secure store locally. The SEG 202 provides the user with policy-controlled and restricted access tokens, and maintains an internal mapping between access tokens and Security Assertions. This allows enforcement of separation of system segments, where access tokens are only communicated over the user channel, while Security Assertions are only communicated over the resource channel, with the SEG providing the two-way mapping required to seamlessly integrate the two segregated segments of the communication flow between the client computing device 102 and the resource server 106.

[0044] Hence all the communication between the client computing device 102 and the resource server 106 is diverted to ensure that it passes through the SEG 202. The said diversion is performed using interception techniques applied at the client computing device 102 or the network 104, including but not limited to DNS redirection, browser plugins, ActiveX controls, proxy auto-configuration, tunneling interfaces, etc. It is apparent to a person skilled in the art that the above-mentioned technologies are only examples of how diversion of the communication flow through the SEG 202 may be implemented; the said diversion can be implemented with other technologies too. These technologies ensure that all communication from the client computing device 102 must pass through the security enhancement safe zone (i.e. via the SEG 202), thus ensuring isolation of the resource channel from the user channel. This ensures that the client computing device 102 cannot bypass the SEG 202 and consume resources directly.

[0045] FIG. 2 illustrates the working of the security enhancing gateway 202 with respect to the communication flow between the client computing device 102 and the resource server 106. In an embodiment of the invention, at step 1 the client computing device 102 sends a request to the resource server 106 to access the resources hosted on the resource server 106. The said request is a first-time request from the client computing device 102 to the resource server 106 and therefore does not have a security assertion attached to it. Hence at step 2 the resource server 106 redirects the client computing device 102 to acquire an appropriate security assertion from the authentication provider 108. Further, at step 3, the client computing device 102 sends a request to the authentication provider 108 for a security assertion allowing access to the resources hosted on the resource server 106. At step 4 the authentication provider 108 sends a protocol redirect to the client computing device 102, instructing it to send the request via the SEG 202. Hence all the communication needs to pass through the security enhancing gateway 202.

[0046] Further, at step 5, the client computing device sends the same request to the SEG 202. The SEG 202 stores the information regarding the client computing device 102 in local storage. At step 6, the SEG 202 sends a request to the authentication provider 108 to authenticate the client computing device 102 and acquire the security assertion on behalf of the client computing device 102. The authentication provider 108 sends the security assertion to the SEG 202 at step 7. Further, the SEG creates a new access token for the client computing device 102 and creates an entry in its local secure storage containing a mapping between the access token and the Security Assertion received. Further, at step 8, the SEG 202 sends the access token to the client computing device 102. It also configures the client computing device 102 to divert all the communication between the client computing device 102 and the resource server 106 via the SEG 202. This forms a new communication channel between the client computing device 102 and the resource server 106 via the SEG 202. This is achieved via a combination of one or more of the following mechanisms: DNS redirection, browser plug-ins, ActiveX controls, proxy auto-configuration files, or a tunnel between the client computing device 102 and the SEG 202. It is apparent to a person skilled in the art that the new communication channel can be implemented with any of the mentioned technologies based on the capabilities of the client computing device 102. Further, the above-mentioned technologies are given for exemplary purposes only; it is apparent to a person skilled in the art that the new communication channel can be implemented by any other technology too. After successful establishment of the new communication channel, the communication flow between the client computing device 102 and the resource server 106 is logically divided into three segments: the user channel, the safe zone and the resource channel.

[0047] At step 8, after receiving a security assertion from the authentication provider 108, the SEG 202 creates a restricted, policy-controlled access token, which is an opaque identifier, and internally stores one or more Security Assertions obtained for the client computing device 102 with an internal mapping to one or more such access tokens. The client computing device 102 uses the access token instead of the actual Security Assertion. When the client computing device 102 asks to connect to any entity that requires the Security Assertion, it presents the relevant access token(s) to the broker, with all communication occurring over the user channel. The broker then retrieves the Security Assertion(s) mapped to the access token(s) and sends them to the resource server 106 over the resource channel. The many-to-many mapping between access token(s) and security assertions allows the new and unique functionality of mapping a user to multiple SSO/authentication mechanisms, where one access token can be associated with security assertions from multiple authentication mechanisms. The Security Assertion never travels over the user channel and is not transmitted to the client computing device 102. Thus, attacks aimed at the user channel or the client computing device 102 can only compromise the access token, which is policy-restricted and subject to security verification and controls that tie the use of the access token to the specific computing device to which it was allocated by the SEG 202. The policy restrictions are applied to all the communication between the client computing device 102 and the resources hosted on the resource server 106. This ensures that if the client computing device 102 becomes compromised at any point after initial authentication, it is denied access according to the policy restrictions.

[0048] Further, the authentication provider 108 can be configured to allow communication only with the SEG 202, and all communication between the SEG 202 and the authentication provider 108 can be subject to strict security restrictions, including encryption of the traffic as well as additional policy-based access restrictions. Hence communication inside the safe zone is isolated from the attacks to which the user channel is exposed. By establishing the new communication channel at step 8, the SEG 202 thus creates an environment of secure communication between the client computing device 102 and the resource server 106.

[0049] Further at step 9, the client computing device 102 sends the said request to access the said resource hosted on the resource server 106, with the access token attached, to the SEG 202. The SEG 202 enforces policy and security restrictions on the communication from the client computing device 102 and checks whether the communication is allowed to go further or not. If allowed, the SEG 202 detaches the access token from the said request. After removing the access token from the said request, the SEG 202 at step 10 retrieves the security assertion(s) mapped to the access token from its secure store and attaches the security assertion(s) to the said request. All information in the request pertaining to the client computing device 102 or the Users Network 104 is translated into equivalent resource channel information by the SEG 202. The said request with the attached security assertion is then sent to the resource server 106 on the resource channel. Steps 9 and 10 effectively form the security enhancement safe zone in one direction.

[0050] After receiving the said request, the resource server 106 checks the attached security assertion and determines whether access to the said resource is allowed for the client computing device 102 or not. Based on the determination, an appropriate response is sent from the resource server 106 to the SEG 202. The said response may also have the security assertion attached to it. The SEG 202 receives the response from the resource server 106. The security assertion, if attached to the response, is removed, and the access token for the client computing device 102 may be attached to the response. The response to the said request is sent to the client computing device 102 at step 12.
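The token-for-assertion exchange of paragraphs [0046] to [0050] (steps 6 to 12) is shown below as an added illustration; it is not code from the patent or the applicant. The header names, the prefix-based policy format, the device binding by a plain device identifier and the in-memory resource server are all assumptions made for this example. The point it demonstrates is the one the specification makes: the assertion never appears on the user channel, a lifted access token is useless on the resource channel and is rejected from any other device, and revocation takes effect at the SEG without involving the resource server.

```python
"""Toy model of the security enhancement gateway (SEG) flow in [0046]-[0050].
Header names, the policy format and the in-memory resource server are
assumptions made for this illustration, not the patent's own implementation."""
import secrets
from dataclasses import dataclass

TOKEN_HDR = "X-SEG-Access-Token"        # travels on the user channel only (assumed name)
ASSERTION_HDR = "X-Security-Assertion"  # travels on the resource channel only (assumed name)


@dataclass
class TokenRecord:
    device_id: str        # device the token is bound to (the step 8 verification control)
    assertions: dict      # mechanism -> assertion, e.g. {"saml": ..., "kerberos": ...}
    allowed_paths: tuple  # policy restriction applied to every request on the user channel
    revoked: bool = False


class SecurityEnhancementGateway:
    def __init__(self, resource_server, resource_host):
        self.resource_server = resource_server   # callable(request) -> response (resource channel)
        self.resource_host = resource_host
        self.secure_store = {}                   # opaque token -> TokenRecord

    def enroll(self, device_id, assertions, allowed_paths):
        """Steps 6-8: assertions obtained on the device's behalf are mapped to a
        freshly minted opaque token; the assertions themselves never leave the SEG."""
        token = secrets.token_urlsafe(32)
        self.secure_store[token] = TokenRecord(device_id, dict(assertions), tuple(allowed_paths))
        return token

    def revoke(self, token):
        """Policy change after a device compromise: the token stops working at once."""
        if token in self.secure_store:
            self.secure_store[token].revoked = True

    def _authorize(self, token, device_id, path):
        rec = self.secure_store.get(token)
        if rec is None or rec.revoked or rec.device_id != device_id:
            return None
        if not any(path.startswith(p) for p in rec.allowed_paths):
            return None
        return rec

    def handle(self, request):
        """Steps 9-12: policy check, token -> assertion swap, forward, reverse swap."""
        headers = dict(request["headers"])
        token = headers.pop(TOKEN_HDR, None)   # detach the access token
        rec = self._authorize(token, request["device_id"], request["path"]) if token else None
        if rec is None:
            return {"status": 403, "headers": {}, "body": "denied by SEG policy"}
        assertion = rec.assertions.get(request.get("mechanism", "saml"))
        if assertion is None:
            return {"status": 403, "headers": {}, "body": "no assertion for requested mechanism"}
        # Translate user-channel information into resource-channel information.
        headers["Host"] = self.resource_host
        headers.pop("X-Forwarded-For", None)
        headers[ASSERTION_HDR] = assertion
        upstream = self.resource_server({"path": request["path"], "headers": headers})
        resp_headers = dict(upstream["headers"])
        resp_headers.pop(ASSERTION_HDR, None)   # the assertion never reaches the user channel
        resp_headers[TOKEN_HDR] = token
        return {"status": upstream["status"], "headers": resp_headers, "body": upstream["body"]}


# Constructed sample data standing in for what the authentication provider issued.
VALID_ASSERTIONS = {"saml-assertion-for-alice", "krb-ticket-for-alice"}
SEEN_BY_RESOURCE = []   # every request that reached the resource channel


def demo_resource_server(request):
    """Stand-in resource server: it trusts assertions, not SEG access tokens."""
    SEEN_BY_RESOURCE.append(request)
    a = request["headers"].get(ASSERTION_HDR)
    if a not in VALID_ASSERTIONS:
        return {"status": 401, "headers": {}, "body": "no valid assertion"}
    return {"status": 200, "headers": {ASSERTION_HDR: a}, "body": "contents of " + request["path"]}


def demo():
    seg = SecurityEnhancementGateway(demo_resource_server, "resource.example")
    token = seg.enroll("device-102",
                       {"saml": "saml-assertion-for-alice", "kerberos": "krb-ticket-for-alice"},
                       ["/reports/"])
    req = {"device_id": "device-102", "path": "/reports/q1", "mechanism": "kerberos",
           "headers": {TOKEN_HDR: token, "Host": "users-net.local", "X-Forwarded-For": "10.0.0.7"}}
    results = {"token": token, "ok": seg.handle(req)}
    # A token lifted from the user channel is useless from another device or sent direct.
    results["stolen"] = seg.handle({**req, "device_id": "attacker-box"})
    results["direct"] = demo_resource_server({"path": "/reports/q1", "headers": {TOKEN_HDR: token}})
    results["out_of_policy"] = seg.handle({**req, "path": "/admin"})
    seg.revoke(token)
    results["after_revoke"] = seg.handle(req)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r if name == "token" else r["status"])
```

Running the module prints the outcome of each case: the legitimate request succeeds, while the same token replayed from another device, presented directly to the resource server, used outside the allowed path prefix, or used after revocation is refused. A production SEG would bind the token to something stronger than a self-reported device identifier (a mutual-TLS client certificate or a tunnel endpoint, as claim 7 and the tunnel option in [0046] suggest) and would select the assertion by the resource server's required mechanism rather than by a client-supplied field.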

[0051] The embodiments of the invention described above are intended for the purpose of illustration only. Numerous modifications, changes, variations, substitutions and equivalents will be apparent to those skilled in the art without departing from the spirit and scope of the invention as described in the claims.

We Claim:

1. A method of establishing a secure communication channel between a client computing device and a resource server comprising:

a) receiving a request to access the resource server by the client computing device;

b) directing the client computing device to access the resource server through a secure zone, wherein the secure zone consists of a security assertion provider and a security enhancement gateway;

c) storing a security assertion for the client computing device at the secure zone wherein the security assertion authenticates the credentials of the client computing device;

d) generating an access token for the client computing device by the security enhancement gateway, wherein the access token is a resource-specific authentication for accessing the resource server;

e) sending the access token to the client computing device to establish a first part of the secure communication channel between the secure zone and the client computing device;

f) forwarding the request with the access token from the client computing device to the security enhancement gateway;

g) modifying the request by removing the access token and attaching the security assertion;

h) forwarding the modified request from the security enhancement gateway to the resource server; and

i) establishing a second part of the secure communication between the client computing device and the resource server wherein the second part of the secure communication exchanges information between the secure zone and the resource server.


2. The method as recited in claim 1, wherein the client computing device can be a computer, laptop, mobile phone or any other communication device that has capabilities of computing.

3. The method as recited in claim 1, wherein the security assertion provider issues security assertions in an XML based open standard data format for exchanging authentication and authorization data between the client computing device and the resource server.

4. The method as recited in claim 1, wherein the security assertion provider is a Kerberos ticket generator.

5. The method as recited in claim 1, wherein the method further comprises configuring the client computing device to divert all information between the client computing device and the resource server to go through the secure zone.

6. The method as recited in claim 1, wherein the first part of the secure communication channel can be implemented with DNS redirection, ActiveX control, browser plug-in, proxy auto-configuration files or a tunnel between the client computing device and the secure zone.

7. The method as recited in claim 1, wherein the access token can be a certificate-based authentication.

8. The method as recited in claim 1, wherein the method further comprises storing a mapping between the security assertion and the access token at the security enhancement gateway.

9. A method to access a resource from a list of plurality of resources hosted at a content server comprising:

a) receiving a request to access the resource from a client computing device;

b) directing the client computing device to access the content server through a secure zone wherein the secure zone works as a conduit between the client computing device and the content server;

c) storing an identifier for the client computing device in a local electronic register wherein the local electronic register is within the secure zone and wherein the identifier authenticates the credentials of the client computing device to access the content server;

d) sending an access permission code to the client computing device, wherein the access permission code has been generated by the secure zone and the generated access permission code allows the client computing device to access the requested resource;

e) configuring the client computing device to communicate with the content server through the secure zone;

f) receiving the request along with the access permission code at the secure zone;

g) modifying the received request at the secure zone, wherein the modification step consists of removing the access permission code from the received request and attaching the identifier to the received request;

h) forwarding the modified request to the content server;

i) processing the forwarded request by the content server, wherein the processing step consists of allowing access to the requested resource and sending a response to the secure zone, wherein the response has the identifier attached to the response; and

j) forwarding the response of the content server to the client computing device, wherein the forwarded response has the access permission code attached.

10. The method as recited in claim 9, wherein the secure zone generates the identifier for the client computing device.

11. The method as recited in claim 9, wherein the identifier can be implemented with Security Assertion Markup Language.

12. The method as recited in claim 9, wherein the step of configuring the client computing device to communicate with the content server through the secure zone can be implemented with DNS redirection, ActiveX control, browser plug-in, proxy auto-configuration files or a tunnel between the client computing device and the secure zone.

13. The method as recited in claim 9, wherein the access permission code is an access token.

14. The method as recited in claim 9, wherein the access permission code is an authentication certificate generated at the secure zone.

15. A security enhancement system to control access to a resource server by a client computing device, wherein the client computing device requests access to a resource from a list of plurality of resources hosted at the resource server, the security enhancement system comprising:

a) a security assertion provider; and

b) a security enhancement gateway,

wherein the security assertion provider performs the step of:

i) directing the client computing device to access the resource server through a secure zone; and

wherein the security enhancement gateway performs the steps of:

ii) generating an access token for the client computing device, wherein the access token is a resource-specific authentication for accessing the resource server;

iii) sending the access token to the client computing device to establish a first part of the secure communication channel between the secure zone and the client computing device;

iv) modifying the request by removing the access token and attaching the security assertion;

v) forwarding the modified request from the security enhancement gateway to the resource server; and

vi) establishing a second part of the secure communication between the client computing device and the resource server, wherein the second part of the secure communication exchanges information between the secure zone and the resource server.

Documents

Application Documents

# Name Date
1 3360-CHE-2013 FORM-5 29-07-2013.pdf 2013-07-29
2 3360-CHE-2013 FORM-2 29-07-2013.pdf 2013-07-29
3 3360-CHE-2013 FORM-1 29-07-2013.pdf 2013-07-29
4 3360-CHE-2013 DRAWINGS 29-07-2013.pdf 2013-07-29
5 3360-CHE-2013 ABSTRACT 29-07-2013.pdf 2013-07-29
6 3360-CHE-2013 CLAIMS 29-07-2013.pdf 2013-07-29
7 3360-CHE-2013 DESCRIPTION (COMPLETE) 29-07-2013.pdf 2013-07-29
8 3360-CHE-2013 CORRESPONDENCE OTHERS 29-07-2013.pdf 2013-07-29
9 3360-CHE-2013 FORM-1 16-08-2013.pdf 2013-08-16
10 3360-CHE-2013 POWER OF ATTORNEY 16-08-2013.pdf 2013-08-16
11 3360-CHE-2013 CORRESPONDENCE OTHERS 16-08-2013.pdf 2013-08-16