Policy driven, credential delegation for single sign on and secure access to network resources
    91.
    Invention application
    Status: In force

    Publication number: US20070277231A1

    Publication date: 2007-11-29

    Application number: US11441588

    Filing date: 2006-05-26

    IPC classification: H04L9/32

    Abstract: A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials, such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side has access to clear text credentials.


    System and methods providing enhanced security model
    92.
    Granted invention
    Status: In force

    Publication number: US07251822B2

    Publication date: 2007-07-31

    Application number: US10691999

    Filing date: 2003-10-23

    IPC classification: G06F17/30 G06F7/00

    Abstract: The present invention relates to a system and methodology to facilitate security for data items residing within (or associated with) a hierarchical database or storage structure. A database security system is provided having a hierarchical data structure associated with one or more data items. The system includes a security component that applies a security policy to the data items from a global location or region associated with a database. Various components and processes are employed to enable explicit and/or inherited security properties to be received by and propagated to the data items, depending on the type of data structure encountered or processed.


    Authentication and authorization across autonomous network systems
    93.
    Granted invention
    Status: In force

    Publication number: US07185359B2

    Publication date: 2007-02-27

    Application number: US10029426

    Filing date: 2001-12-21

    IPC classification: G06F7/04 G06F17/30 H04L9/32

    CPC classification: H04L63/0815 H04L63/083

    Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system, and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.


    Deriving a symmetric key from an asymmetric key for file encryption or decryption
    94.
    Granted invention
    Status: In force

    Publication number: US07181016B2

    Publication date: 2007-02-20

    Application number: US10351683

    Filing date: 2003-01-27

    IPC classification: H04L9/00

    Abstract: One aspect relates to a process and associated device that provides a private key of an asymmetric key pair in a key device. A symmetric master key is derived from the private key of the asymmetric key pair. The symmetric master key is stored in a computer memory location. The symmetric master key is used to encrypt or decrypt a file encryption key. The file encryption key can encrypt or decrypt files. In another aspect, even if a user deactivates the key device, the user can still access the files by encrypting or decrypting the file encryption key directly with the symmetric master key.


    Method and system for resource management with independent real-time applications on a common set of machines
    97.
    Granted invention
    Status: Expired

    Publication number: US06282561B1

    Publication date: 2001-08-28

    Application number: US08568578

    Filing date: 1995-12-07

    IPC classification: G06F900

    CPC classification: G06F9/5011 G06F2209/5014

    Abstract: A resource management mechanism is provided to ensure that real-time application programs running on a single machine or set of machines exhibit predictable behavior. The resource management mechanism employs the abstraction of an activity, which serves as the basis for granting resource reservations and for accounting. An activity submits a request for resources in specified amounts to a resource planner. The activity is resource self-aware, so that it is aware of its resource requirements. The activity may query resource providers to obtain resource requirements for particular operations. The resource planner determines whether the activity should be granted the requested reservation by employing an internal policy. Policy is separated by mechanism so that the resource planner may implement any of a number of policies. The resource planner may choose to grant the reservation to an activity or deny the request by an activity. When denying a request, the resource planner may inform the activity of what quantity of the requested resources is currently available, so that the activity may submit a modified request. The resource management mechanism includes a dynamic feedback mechanism for initiating renegotiation of resource reservations when appropriate.


    Heterogenous software configuration management apparatus
    98.
    Granted invention
    Status: Expired

    Publication number: US5339435A

    Publication date: 1994-08-16

    Application number: US158180

    Filing date: 1993-11-24

    CPC classification: G06F8/71

    Abstract: A heterogeneous configuration management tool enables building of a software system in a heterogeneous network of computers. In building a desired software system, the tool enables at least one component of the system to be translated by a foreign computer of the network and other components of the system to be translated by other computers of the network. A reference to a version indicator is passed to the foreign computer to provide the foreign computer an indication of the user-specified version of the component being translated by the foreign computer. The reference is expanded during processing on the foreign computer. Pathname transformation files are employed to provide transformation of a pathname in one computer of the network to a corresponding pathname in another computer of the network. Binaries resulting from component translations are stored in split pools. In turn, split releases of the built software system are enabled.
