Architecture and Design for Central Authentication and Authorization in an On-Demand Utility Environment Using a Secured Global Hashtable
    11.
    Invention application
    Status: In force

    Publication number: US20090037731A1

    Publication date: 2009-02-05

    Application number: US12147716

    Filing date: 2008-06-27

    IPC classification: H04L9/32

    Abstract: A Centralized Authentication & Authorization (CAA) system that prevents unauthorized access to client data using a secure global hashtable residing in the application server in a web services environment. CAA comprises a Service Request Filter (SRF) and Security Program (SP). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. The client identifier is secured by the SP using a key unique to the client identifier. When the web services manager requests the client identifier, the web services manager must present the key to the SP in order to access the client identifier. Thus, the present invention prevents a malicious user from obtaining sensitive data within the application server once the malicious user has gained access past the firewall.

    Mutual internet authentication between a client and server utilizing a dummy IOP request
    12.
    Invention grant
    Status: Lapsed

    Publication number: US06895510B1

    Publication date: 2005-05-17

    Application number: US08976778

    Filing date: 1997-11-24

    IPC classification: G06F13/00 G06F21/00 H04L29/06

    CPC classification: H04L63/0869 G06F21/31

    Abstract: Mutual authentication between a client and server over the Internet utilizing the IOP protocol in its current state is enabled by first engaging in a “dummy” request when a client initiates a request to a new target server for the first time. This provides the means for creating a two-way authentication mechanism. Rather than creating an object reference for the dummy request, the object reference at hand in the client, which the client is about to utilize for a request, is reused by extracting a proxy object from the request. The request is intercepted in the client and the proxy object passed to the interception method. The client next issues a two-way remote method already defined for the proxy object, such as the “non_existent()” method defined on the CORBA object. The client then computes a security token, and sends the dummy request to the server. The server intercepts the dummy request, validates the security token received in the dummy request, and acquires a new authentication token to be returned to the client. Upon interception of the outgoing message, the new security token is marshalled in the security service context and sent to the client on the response message. The client intercepts the reply message and demarshals the security service context to recover the security token and complete mutual authentication.

    Lattice scheme for establishing a secure multi-identity authentication context
    13.
    Invention application
    Status: Lapsed

    Publication number: US20130007453A1

    Publication date: 2013-01-03

    Application number: US13172387

    Filing date: 2011-06-29

    Applicant: Messaoud Benantar

    Inventor: Messaoud Benantar

    IPC classification: H04L9/32

    Abstract: This disclosure describes a secure and computationally efficient method to establish a single authentication context for multiple identities. The method is implemented in an authentication system using a key exchange protocol, namely the Diffie-Hellman key exchange. One or more entities that desire to authenticate (either individually or jointly) register with the authentication system and receive private Diffie-Hellman keys (the PINs). Later, during an authentication operation, each entity provides the PIN to the authentication system, preferably over a secure transport. The authentication system, using Diffie-Hellman key exchange artifacts, generates a Diffie-Hellman cryptographic value for each PIN, although the value need not be maintained private. The authentication system orders the Diffie-Hellman values as a “partially ordered set” to form a lattice. An authentication context is derived from the Diffie-Hellman values in the lattice. Thus, for example, during authentication of multiple entities, a shared key is computed incrementally as the Diffie-Hellman keys arrive from the entities for which a multi-identity authentication is required. The shared key represents a proof of group authentication.

    Architecture and Design for Central Authentication and Authorization in an On-Demand Utility Environment
    14.
    Invention application
    Status: Lapsed

    Publication number: US20090204810A1

    Publication date: 2009-08-13

    Application number: US12410933

    Filing date: 2009-03-25

    IPC classification: H04L29/06 H04L9/00

    CPC classification: H04L63/0823

    Abstract: A Centralized Authentication & Authorization (CAA) system that facilitates secure communication between service clients and service providers. CAA comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), and an Authorization Database (ADB). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. In the preferred embodiment, the SRF forwards the service request to a web service manager. The web service manager invokes SCAP. SCAP matches the identifier with a record stored in ADB. SAP queries ADB to determine if the service request is valid for the service client. If the service request is valid, SAP authorizes the service request and the appropriate service provider processes the service request.

    Record relationship processing
    15.
    Invention application
    Status: Pending (published)

    Publication number: US20080071824A1

    Publication date: 2008-03-20

    Application number: US11983923

    Filing date: 2007-11-13

    IPC classification: G06F17/30

    Abstract: A method and implementing computer system are provided in which a unique primary key is generated to identify an original message which is received for processing. The record for the original message is stored at the primary key. As the message is propagated to the services that are to be performed on the original message, the primary key is also passed to the service. Derivative messages which are produced as a result of the services applied to the original message are identified with the primary key code along with additional derivative key codes related to the services applied to the original message. The resulting derivative message storing and tracking process provides a means by which derivative messages are readily identified and associated with an original message as well as with the services performed upon the original message in generating the derivative message.

    Method, system, and storage medium for eliminating password exposure when requesting third-party attribute certificates
    17.
    Invention application
    Status: Lapsed

    Publication number: US20060095760A1

    Publication date: 2006-05-04

    Application number: US10975955

    Filing date: 2004-10-28

    IPC classification: H04L9/00

    Abstract: A method for creating a proof of possession confirmation for inclusion by an attribute certificate authority into an attribute certificate, the attribute certificate for use by an end user. The method includes receiving from the attribute certificate authority, in response to a request by the end user, a plurality of data fields corresponding to a target system, the identity of the end user, and a proof of identity possession by the end user. The method further includes preparing a data structure corresponding to an authorization attribute of the attribute certificate, the data structure including a target system name, the identity of the end user, and the key identifier of the end user. Using a private key associated with the target system, the method includes signing the data structure, resulting in a proof of possession confirmation, and sending the proof of possession confirmation to the attribute certificate authority for inclusion into the attribute certificate.

    Method and system for coupling an X.509 digital certificate with a host identity
    18.
    Invention grant
    Status: In force

    Publication number: US06854056B1

    Publication date: 2005-02-08

    Application number: US09667090

    Filing date: 2000-09-21

    IPC classification: H04L9/32 H04L9/00 G06F11/30

    Abstract: A method or system is presented for coupling identities through the use of digital certificates, thereby allowing a client to be authenticated for a variety of services without those services having to modify their existing methods of authentication. The client generates a request for a digital certificate containing its host identity for a targeted host and secret data associated with its host identity. The secret data has been encrypted using the public key of the certifying authority that receives the request for the digital certificate. The certifying authority decrypts the secret data using its private key and encrypts the secret data using the public key of the targeted host. The digital certificate is then generated and returned to the client. At some point in time, a host receives the certificate from the client and obtains the client's host identity from the certificate, i.e. the host identity uniquely identifies the client or the user of the client to the host. Encrypted secret data associated with the host identity, such as a password, is also retrieved from the digital certificate. The host decrypts the secret data with its private key, and the host then authenticates the client using the host identity and the decrypted secret data for various services. The digital certificate may be formatted according to the X.509 standard, and the host identity and secret information may be stored in an X.509 extension within the digital certificate.

    Authentication and authorization methods for cloud computing security platform
    19.
    Invention application
    Status: In force

    Publication number: US20130007845A1

    Publication date: 2013-01-03

    Application number: US13173563

    Filing date: 2011-06-30

    IPC classification: G06F17/30

    Abstract: An authentication and authorization plug-in model for a cloud computing environment enables cloud customers to retain control over their enterprise information when their applications are deployed in the cloud. The cloud service provider provides a pluggable interface for customer security modules. When a customer deploys an application, the cloud environment administrator allocates a resource group (e.g., processors, storage, and memory) for the customer's application and data. The customer registers its own authentication and authorization security module with the cloud security service, and that security module is then used to control what persons or entities can access information associated with the deployed application. The cloud environment administrator, however, typically is not registered (as a permitted user) within the customer's security module; thus, the cloud environment administrator is not able to access (or release to others, or to the cloud's general resource pool) the resources assigned to the cloud customer (even though the administrator itself assigned those resources) or the associated business information. To further balance the rights of the various parties, a third-party notary service protects the privacy and the access rights of the customer when its application and information are deployed in the cloud.

    ASSOCIATING MULTIPLE SECURITY DOMAINS TO APPLICATION SERVERS
    20.
    Invention application
    Status: Lapsed

    Publication number: US20110083164A1

    Publication date: 2011-04-07

    Application number: US12574825

    Filing date: 2009-10-07

    IPC classification: H04L29/06

    CPC classification: H04L63/104 H04L63/105

    Abstract: Multiple security domains can be created and associated with various scopes within the cell, allowing the security configurations of each scope to be managed collectively. Examples of scopes include the entire cell, one or more application servers, one or more applications, one or more clusters, one or more service integration buses, one or more nodes, etc. Security configurations associated with the security domains can be applied to the scopes based on a hierarchy of the security domains. In addition, new security domains may be created automatically based on the security requirements of newly installed applications.
