Abstract:
Described is using a client-side account selector in a passive authentication protocol environment (such as OpenID) in which a relying party website trusts the authentication response from an identity provider website. The account selector may access and maintain historical information so as to provide user-specific identity provider selection options (rather than only general identity provider selection options). The account selector is invoked based upon an object tag in the page, e.g., as invoked by a browser extension associated with that particular object tag. The account selector may communicate with a reputation service to obtain reputation information corresponding to the identity providers, and vary its operation based upon the reputation information.
Abstract:
A system and method for authenticating a request for a resource. A requester sends the request for a resource to a server in a first protocol. The server may send a challenge message to the requester. In response, the requester employs a challenge handler that performs an interactive challenge with a challenge server in a second protocol. Upon successful conclusion of the interactive challenge, the challenge handler synchronizes with a request handler, which sends a challenge response message to the server. The server may then enable access to the requested resource.
Abstract:
An application programming interface (API) may receive high level file commands and implement those commands using the storage mechanism on a smart card. The smart card may have a processor and storage mechanism and may communicate to a host device using a packet based communication protocol, such as APDU. The API may translate the high level file commands into one or more APDU commands, communicate with the smart card, receive APDU responses, and translate the responses into high level file command results. A high level file command may allow access to a file using long file names and a hierarchical directory structure, and may allow creating, writing, reading, and deleting a file. Some embodiments may have more complex functions for navigating and manipulating a hierarchical directory structure, as well as defining metadata, including access privileges and file types, for individual files.
Abstract:
A cryptographic session key is utilized to maintain security of a digital identity. The session key is valid only for a limited period of time. Additional security is provided via a bimodal credential allowing different levels of access to the digital identity. An identity token contains pertinent information associated with the digital identity. The identity token is encrypted utilizing public-key cryptography. An identifier utilized to verify the validity of the digital identity is encrypted with the cryptographic session key. The encrypted identity token and the encrypted identifier are provided, for example, to a service. The service decrypts the encrypted identity token utilizing public-key cryptography, and decrypts, with the cryptographic session key obtained from the identity token, the encrypted identifier. If the identifier is determined to be valid, the transaction proceeds normally. If the identifier is determined to be invalid, the transaction is halted.
Abstract:
A federated identity provisioning system includes relying parties, identity providers, and clients that obtain tokens from identity providers for access to a relying party's services. When a client contacts a new relying party, the relying party provides information that the client can independently resolve and evaluate for trustworthiness. For example, the relying party provides a generic domain name address. The client can then resolve the domain name address over various authenticated steps to identify an endpoint for a digital identity provisioning service. The client can further interact with and authenticate the provisioning service (e.g., requiring digital signatures) to establish a trust relationship. Once it is determined that the client/user trusts the provisioning service, the client/user can then provide information to obtain a digital identity representation. The client can then use the digital identity representation with the corresponding identity provider to obtain one or more tokens that the relying party can validate.
Abstract:
A server provisions a client with digital identity representations such as information cards. A provisioning request to the server includes filtering parameters. The server assembles a provisioning response containing cards that satisfy the filtering parameters, and transmits the response to a client, possibly by way of a proxy. The provisioning response may include provisioning state information to help a server determine in subsequent exchanges which cards are already present on the client. A client may keep track of the source of information cards and discard cards which a server has discarded. A proxy may make the provisioning request on behalf of a client, providing the server with the proxy's own authentication and with a copy of the request from the client to the proxy.
Abstract:
Obtaining tokens with alternate personally identifying information. A method may be practiced, for example, in a networked computing environment including a client and a token issuer. The token issuer provides security tokens to the client that the client can use for accessing functionality of services in the networked computing environment. The method includes sending a security token request to a token issuer. The security token request specifies alternate personally identifying information for an entity. The method further includes receiving a security token from the security token issuer. The security token includes the alternate personally identifying information.
Abstract:
A system and method for managing the creation of objects in a distributed directory service system assigns quotas to entities (such as users, computers, groups) to limit the number of objects each entity is allowed to create and own. For purposes of enforcing the quotas, tombstones generated for deleted objects are taken into account in the calculation of a weighted total number of objects owned by an entity, with each tombstone counted as a configurable fraction of a regular object. When an entity requests a directory operation that will increase the number of objects owned by that entity, the number of system objects owned by that entity is added to the number of tombstones multiplied by the fractional tombstone factor to generate the weighted total, which is compared to the quota of that entity to determine when the requested operation should be performed.
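The weighted-quota rule above is simple enough to show end to end. The following Python is an added example and not code from the patent or any directory product; it assumes a tombstone factor of 0.25 and treats the quota check as "the weighted total after the requested operation must not exceed the quota" (both are assumptions; the abstract only says the factor is configurable and the total is compared to the quota). The entity names and quota values are constructed for the demonstration.

```python
from dataclasses import dataclass

# Assumed configurable tombstone factor: each tombstone counts as a quarter of a live object.
TOMBSTONE_FACTOR = 0.25


@dataclass
class Entity:
    """Per-principal bookkeeping the directory would keep for quota enforcement."""
    name: str
    quota: int           # maximum weighted number of owned objects
    live_objects: int = 0
    tombstones: int = 0


def weighted_total(live_objects: int, tombstones: int,
                   factor: float = TOMBSTONE_FACTOR) -> float:
    """Live objects plus tombstones scaled by the fractional tombstone factor."""
    return live_objects + tombstones * factor


def may_create(entity: Entity, new_objects: int = 1,
               factor: float = TOMBSTONE_FACTOR) -> bool:
    """Quota check for an operation that would add new_objects owned objects.

    Assumption: the projected weighted total (including the new objects) must
    stay within the entity's quota for the operation to be allowed.
    """
    projected = weighted_total(entity.live_objects + new_objects,
                               entity.tombstones, factor)
    return projected <= entity.quota


def create_objects(entity: Entity, count: int = 1) -> bool:
    """Perform the create if the quota permits it; return whether it happened."""
    if not may_create(entity, count):
        return False
    entity.live_objects += count
    return True


def delete_object(entity: Entity) -> None:
    """Deleting an object leaves a tombstone that still counts fractionally."""
    if entity.live_objects == 0:
        raise ValueError("nothing to delete")
    entity.live_objects -= 1
    entity.tombstones += 1


def scenario() -> dict:
    """Constructed walk-through: fill the quota, delete some objects, refill."""
    user = Entity(name="alice", quota=10)
    filled = create_objects(user, 10)          # 10 live, weighted 10.0: allowed
    over = create_objects(user)                # weighted would be 11.0: denied
    for _ in range(4):
        delete_object(user)                    # 6 live + 4 tombstones -> 7.0
    after_delete = weighted_total(user.live_objects, user.tombstones)
    refill = create_objects(user, 3)           # 9 live + 4 tombstones -> 10.0: allowed
    refill_over = create_objects(user)         # would be 11.0: denied
    return {
        "filled": filled,
        "over": over,
        "after_delete": after_delete,
        "refill": refill,
        "refill_over": refill_over,
        "live": user.live_objects,
        "tombstones": user.tombstones,
    }


if __name__ == "__main__":
    print(scenario())
```

The point the example makes is the one the abstract relies on: without the tombstone term, a principal could churn through create/delete cycles indefinitely and each tombstone would cost the directory storage for free; with the fractional term, 4 tombstones reserve one object's worth of quota until they expire.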
Abstract:
Methods of manufacturing a semiconductor device. One method includes the steps of: (1) providing a substrate over which is to be deposited a metal silicide layer having a stoichiometric ratio within a desired range, (2) providing a target composed of a metal silicide, the target being subject to degradation by reason of use, (3) sputtering atoms from the target to form the metal silicide layer over the substrate, the stoichiometric ratio being subject to falling outside the desired range by reason of the degradation of the target, and (4) depositing a predetermined amount of silicon on the metal silicide layer to return the stoichiometric ratio to within the desired range, the useful life of the target thereby being increased.
Abstract:
A policy that governs access to a resource may be tested against real-world access requests before being used to control access to the resource. In one example, access to a resource is governed by a policy, referred to as an effective policy. When the policy is to be modified or replaced, the modification or replacement may become a test policy. When a request is made to access the resource, the request may be evaluated under both the effective policy and the test policy. Whether access is granted is determined under the effective policy, but the decision that would be made under the test policy is noted, and may be logged. If the test policy is determined to behave acceptably when confronted with real-world access requests, then the current effective policy may be replaced with the test policy.