21. Distributed file system web server user authentication with cookies
    Granted patent (status: expired)

    Publication (Announcement) No.: US5875296A

    Publication (Announcement) Date: 1999-02-23

    Application No.: US790041

    Filing Date: 1997-01-28

    Abstract: A method of authenticating a Web client to a Web server connectable to a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. In response to receipt by the Web server of a user id and password from the Web client, a login protocol is executed with the security service. If the user can be authenticated, a credential is stored in a database of credentials associated with authenticated users. The Web server then returns to the Web client a persistent client state object having a unique identifier therein. This object, sometimes referred to as a cookie, is then used to enable the Web client to browse Web documents in the distributed file system. In particular, when the Web client desires to make a subsequent request to the distributed file system, the persistent client state object including the identifier is used in lieu of the user's id and password, which makes the session much more secure. In this operation, the cookie identifier is used as a pointer into the credential storage table, and the credential is then retrieved and used to facilitate multiple file accesses from the distributed file system. At the same time, the Web client may obtain access to Web server (as opposed to distributed file system) documents via conventional user id and password in an HTTP request.


22. Method and system for certification path processing
    Granted patent (status: expired)

    Publication (Announcement) No.: US07444509B2

    Publication (Announcement) Date: 2008-10-28

    Application No.: US10855728

    Filing Date: 2004-05-27

    IPC Classification: H04L9/00

    Abstract: A method, an apparatus, a system, and a computer program product are presented for validating certificates. A certificate validation service receives a certificate validation request for a target certificate from a client, thereby allowing the client to offload certificate validation tasks to an online certificate validation service that is accessible and sharable by multiple components within a data processing system. In response to a determination that the target certificate is valid or invalid, the certificate validation service sends a certificate validation response with a status value indicating that the target certificate is valid or invalid. The certificate validation service is able to cache information about previously validated certificates and the associated certificate chains, thereby enhancing the efficiency of the service. Different certificate validation policies may be applied against target certificates based upon information associated with the target certificates.


23. Method and apparatus for time synchronization in a network data processing system
    Granted patent (status: in force)

    Publication (Announcement) No.: US07818562B2

    Publication (Announcement) Date: 2010-10-19

    Application No.: US12129490

    Filing Date: 2008-05-29

    IPC Classification: H04L29/06 H04L9/32

    Abstract: A method, apparatus, and computer implemented instructions for synchronizing time in a network data processing system. A request for time synchronization is received at a target data processing system. A current target time at the target data processing system is placed in a reply. The reply is sent to the source data processing system. A current source time from when the reply is received at the source data processing system is compared to the current target time to generate a comparison. A synchronization factor is generated using the comparison.


24. Extending credential type to group Key Management Interoperability Protocol (KMIP) clients
    Granted patent (status: in force)

    Publication (Announcement) No.: US08798273B2

    Publication (Announcement) Date: 2014-08-05

    Application No.: US13213161

    Filing Date: 2011-08-19

    Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.


25. Type independent permission based access control
    Granted patent (status: expired)

    Publication (Announcement) No.: US08387111B2

    Publication (Announcement) Date: 2013-02-26

    Application No.: US10002439

    Filing Date: 2001-11-01

    IPC Classification: G06F12/14

    CPC Classification: G06F21/53 G06F2221/2145

    Abstract: A method and apparatus for type independent permission based access control are provided. The method and apparatus utilize object inheritance to provide a mechanism by which a large group of permissions may be assigned to a codesource without having to explicitly assign each individual permission to the codesource. A base permission, or superclass permission, is defined along with inherited, or subclass, permissions that fall below the base permission in a hierarchy of permissions. Having defined the permissions in such a hierarchy, a developer may assign a base permission to an installed class and thereby assign all of the inherited permissions of the base permission to the installed class. In this way, security providers need not know all the permission types defined in an application. In addition, security providers can seamlessly integrate with many applications without changing their access control and policy store semantics. Moreover, application providers' security enforcement is not dependent on the security provider defined permissions. The method and apparatus do not require any changes to the Java security manager and do not require changes to application code.


26. Method and system for a PKI-based delegation process
    Granted patent (status: expired)

    Publication (Announcement) No.: US08340283B2

    Publication (Announcement) Date: 2012-12-25

    Application No.: US10881978

    Filing Date: 2004-06-30

    IPC Classification: H04L29/06

    Abstract: A client generates a session key and a delegation ticket containing information for a requested delegation operation. The client generates a first copy of the session key and encrypts it using a public key of a proxy. The client generates a second copy of the session key and encrypts it using a public key of a server. The client then puts the encrypted session keys and delegation ticket into a first message that is sent to the proxy. The proxy extracts and decrypts its copy of the session key from the first message. The proxy then encrypts a proof-of-delegation data item with the session key and places it and the delegation ticket along with the encrypted copy of the session key for the server into a second message, which is sent to the server. The server extracts and decrypts its copy of the session key from the second message and uses the session key to obtain the proof-of-delegation data. Authority is successfully delegated to the proxy only if the server can verify the proof-of-delegation data.


27. Method and Apparatus for Time Synchronization in a Network Data Processing System
    Patent application (status: in force)

    Publication (Announcement) No.: US20080244094A1

    Publication (Announcement) Date: 2008-10-02

    Application No.: US12129490

    Filing Date: 2008-05-29

    IPC Classification: G06F15/177

    Abstract: A method, apparatus, and computer implemented instructions for synchronizing time in a network data processing system. A request for time synchronization is received at a target data processing system. A current target time at the target data processing system is placed in a reply. The reply is sent to the source data processing system. A current source time from when the reply is received at the source data processing system is compared to the current target time to generate a comparison. A synchronization factor is generated using the comparison.


28. Enhancing provisioning for keygroups using key management interoperability protocol (KMIP)
    Patent application (status: pending, published)

    Publication (Announcement) No.: US20130044882A1

    Publication (Announcement) Date: 2013-02-21

    Application No.: US13213191

    Filing Date: 2011-08-19

    IPC Classification: H04L9/08

    CPC Classification: H04L9/0833 H04L9/088

    Abstract: A key management protocol (such as Key Management Interoperability Protocol (KMIP)) is extended via a set of one or more custom attributes to provide a mechanism by which clients pass additional metadata to facilitate enhanced key provisioning operations by a key management server. The protocol comprises objects, operations, and attributes. Objects are the cryptographic material (e.g., symmetric keys, asymmetric keys, digital certificates and so on) upon which operations are performed. Operations are the actions taken with respect to the objects, such as getting an object from a key management server, modifying attributes of an object and the like. Attributes are the properties of the object, such as the kind of object it is, the unique identifier for the object, and the like. According to this disclosure, a first custom server attribute has a value that specifies a keygroup name that can be used by the key management server to locate (e.g., during a Locate operation) key material associated with a named keygroup. A second custom server attribute has a value that specifies a keygroup name into which key material should be registered (e.g., during a Register operation) by the server. A third custom server attribute has a value that specifies a default keygroup that the server should use for the device passing a request that includes the attribute. Using these one or more custom server attributes, the client taps into and consumes/contributes to the key management server's provisioning machinery.


29. Extending credential type to group key management interoperability protocol (KMIP) clients
    Patent application (status: in force)

    Publication (Announcement) No.: US20130044878A1

    Publication (Announcement) Date: 2013-02-21

    Application No.: US13213161

    Filing Date: 2011-08-19

    IPC Classification: H04L9/00 H04L9/32

    Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.


30. Method and apparatus to mutually authentication software modules
    Granted patent (status: in force)

    Publication (Announcement) No.: US07073062B2

    Publication (Announcement) Date: 2006-07-04

    Application No.: US09740600

    Filing Date: 2000-12-19

    IPC Classification: G06F11/30 G60F12/14

    Abstract: In response to initiating a call from a first class to a second class, an instantiation of the second class is initiated. While performing the instantiation of the second class, a class constructor for the second class is called, which determines a codebase for the first class and attempts to verify a digital signature on it. In response to a successful verification, the instantiation of the second class is successfully completed. In response to successfully completing the instantiation of the second class, a codebase for the second class is determined by the first class, and an attempt is made by the first class to verify a digital signature on the codebase for the second class. In response to a successful verification of the digital signature on the codebase for the second class, the call from the instance of the first class to the instance of the second class is performed.
