-
公开(公告)号:US08904511B1
公开(公告)日:2014-12-02
申请号:US12861692
申请日:2010-08-23
申请人: Kevin Ross O'Neill , Mark Joseph Cavage , Nathan R. Fitch , Anders Samuelsson , Brian Irl Pratt , Yunong Jeff Xiao , Bradley Jeffery Behm , James E. Scharf, Jr.
发明人: Kevin Ross O'Neill , Mark Joseph Cavage , Nathan R. Fitch , Anders Samuelsson , Brian Irl Pratt , Yunong Jeff Xiao , Bradley Jeffery Behm , James E. Scharf, Jr.
CPC分类号: H04L63/0263 , H04L29/08081 , H04L41/28 , H04L63/08 , H04L63/102 , H04L63/20
摘要: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
摘要翻译: 可以建立虚拟防火墙,执行关于由多租户分布式服务维护的计算资源的策略集。 计算资源的特定子集可以与多租户分布式服务的特定租户相关联。 租户可以建立由虚拟防火墙为相关联的计算资源子集强制执行的防火墙策略集,而不会影响多租户分布式服务的其他租户。 实施多个防火墙策略集的虚拟防火墙可以由多租户分布式服务的通用防火墙组件维护。 防火墙策略集可以分布在多租户分布式服务的多个位置。 对于针对特定计算资源的请求,常用防火墙组件可以标识相关联的虚拟防火墙,并根据相应的防火墙策略集将请求提交给虚拟防火墙进行评估。
-
公开(公告)号:US08739308B1
公开(公告)日:2014-05-27
申请号:US13431898
申请日:2012-03-27
申请人: Gregory B. Roth , Marc R. Barbour , Bradley Jeffery Behm , Cristian M. Ilac , Eric Jason Brandwine
发明人: Gregory B. Roth , Marc R. Barbour , Bradley Jeffery Behm , Cristian M. Ilac , Eric Jason Brandwine
IPC分类号: G06F21/00
CPC分类号: H04N21/44055 , G06F21/60 , G06F21/602 , G06F21/6218 , G06F21/64 , H04L9/0819 , H04L9/088 , H04L9/3242 , H04L2209/24 , H04L2209/38 , H04N21/4627
摘要: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
摘要翻译: 用于认证的系统和方法从认证方和认证者之间共享的秘密凭证生成密钥。 密钥的生成可以涉及利用用于专门化密钥的参数形式的专门信息。 可以使用由多个机构保存的密钥导出的密钥和/或信息来生成其他密钥,使得可以在不访问密钥的情况下验证需要这样的密钥和/或信息的签名。 还可以导出密钥以形成分布的密钥的层次结构,使得密钥持有者解密数据的能力取决于密钥在层级中相对于用于加密数据的密钥的位置的位置。 密钥层次也可以用于将密钥集分配给内容处理设备,以使得设备能够解密内容,使得未经授权的内容的源或潜在来源可以从解密的内容中识别。
-
公开(公告)号:US08892865B1
公开(公告)日:2014-11-18
申请号:US13431760
申请日:2012-03-27
申请人: Gregory B. Roth , Marc R. Barbour , Bradley Jeffery Behm , Cristian M. Ilac , Eric Jason Brandwine
发明人: Gregory B. Roth , Marc R. Barbour , Bradley Jeffery Behm , Cristian M. Ilac , Eric Jason Brandwine
CPC分类号: H04L9/0822 , G06F21/602 , H04L9/0836 , H04L9/14 , H04L63/064 , H04L2209/24
摘要: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
摘要翻译: 用于认证的系统和方法从认证方和认证者之间共享的秘密凭证生成密钥。 密钥的生成可以涉及利用用于专门化密钥的参数形式的专门信息。 可以使用由多个机构保存的密钥导出的密钥和/或信息来生成其他密钥,使得可以在不访问密钥的情况下验证需要这样的密钥和/或信息的签名。 还可以导出密钥以形成分布的密钥的层次结构,使得密钥持有者解密数据的能力取决于密钥在层级中相对于用于加密数据的密钥的位置的位置。 密钥层次也可以用于将密钥集分配给内容处理设备,以使得设备能够解密内容,使得未经授权的内容的源或潜在来源可以从解密的内容中识别。
-
公开(公告)号:US08769642B1
公开(公告)日:2014-07-01
申请号:US13149718
申请日:2011-05-31
申请人: Kevin Ross O'Neill , Gregory B. Roth , Eric Jason Brandwine , Brian Irl Pratt , Bradley Jeffery Behm , Nathan R. Fitch
发明人: Kevin Ross O'Neill , Gregory B. Roth , Eric Jason Brandwine , Brian Irl Pratt , Bradley Jeffery Behm , Nathan R. Fitch
IPC分类号: H04L29/06
CPC分类号: H04L63/10 , H04L63/0815 , H04L63/102 , H04L63/108
摘要: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
摘要翻译: 用于控制对一个或多个计算资源的访问的系统和方法涉及生成可用于访问所述一个或多个计算资源的会话凭证。 对计算资源的访问可以由一组策略来管理,并且可以根据它们是否被该策略集合允许而使用会话凭证进行访问的请求来实现。 会话凭证本身可以包括可用于确定是否实现访问一个或多个计算资源的请求的元数据。 元数据可以包括会话证书的用户的权限,与一个或多个用户相关的声明以及其他信息。
-
公开(公告)号:US09237155B1
公开(公告)日:2016-01-12
申请号:US12961104
申请日:2010-12-06
申请人: Mark Cavage , Yunong Xiao , Bradley Jeffery Behm
发明人: Mark Cavage , Yunong Xiao , Bradley Jeffery Behm
IPC分类号: H04L29/06
CPC分类号: H04L47/822 , G06F9/5077 , G06F17/30312 , H04L63/0815 , H04L63/10 , H04L63/102 , H04L63/108
摘要: User-specified policies may be efficiently implemented and enforced with a distributed set of policy enforcement components. User-specified policies may be transformed into a normal form. Sets of normal form policies may be optimized. The optimized policies may be indexed and/or divided and provided to the distributed set of policy enforcement components. The distributed policy enforcement may have a sandbox mode and/or verification mode enabling policy configuration verification. With appropriate authorization, substitute data may be used in verification mode to evaluate requests with respect to policies. Evaluation results, relevant policies, and decision data utilized during request evaluation may be collected, filtered and reported at a variety of levels of detail. Originating user-specified policies may be tracked during the policy normalization process to enable reference to user-specified policies in verification mode reports.
摘要翻译: 可以通过一组分布式策略实施组件有效地实施和实施用户指定的策略。 用户指定的策略可能会转换为正常格式。 可以优化正常格式策略的集合。 优化的策略可以被索引和/或划分并提供给分布式的策略实施组件集合。 分布式策略实施可以具有启用策略配置验证的沙箱模式和/或验证模式。 通过适当的授权,可以在验证模式下使用替代数据来评估有关策略的请求。 在请求评估期间使用的评估结果,相关政策和决策数据可以以各种细节级别收集,过滤和报告。 在策略规范化过程中可能会跟踪起始用户指定的策略,以便在验证模式报告中引用用户指定的策略。
-
公开(公告)号:US09225744B1
公开(公告)日:2015-12-29
申请号:US13461562
申请日:2012-05-01
申请人: Bradley Jeffery Behm , Gregory B. Roth , Matthew A. Estes , Eric Jason Brandwine , Patrick J. Ward
发明人: Bradley Jeffery Behm , Gregory B. Roth , Matthew A. Estes , Eric Jason Brandwine , Patrick J. Ward
CPC分类号: H04L63/20 , H04L63/102 , H04L67/02
摘要: Client impersonation is recognized by an access control service using servicer credentials to allow a servicer to impersonate a user's context while requesting actions be performed on a computing resource. A servicer may be requested to perform an action through impersonation, granting access to the context of a user related to the computing resource. The computing resource receives servicer credentials and impersonation information from the servicer. After verifying the servicer's authorization to perform actions under the context of the user, the servicer may attempt to perform the requested action. The action may be logged as performed by the servicer impersonating the user. The user may also be billed for any costs incurred.
摘要翻译: 使用服务器凭据的访问控制服务识别客户端模拟,以允许服务器模拟用户的上下文,同时请求在计算资源上执行操作。 可能请求服务器通过模拟来执行操作,授予访问与计算资源相关的用户的上下文的权限。 计算资源从服务器接收服务器凭据和模拟信息。 在验证服务器在用户上下文中执行操作的授权之后,服务器可能会尝试执行请求的操作。 该操作可能会记录在服务器模拟用户的情况下。 用户也可能会收取任何费用。
-
公开(公告)号:US09197409B2
公开(公告)日:2015-11-24
申请号:US13248973
申请日:2011-09-29
申请人: Gregory B. Roth , Bradley Jeffery Behm , Eric D. Crahen , Cristian M. Ilac , Nathan R. Fitch , Eric Jason Brandwine , Kevin Ross O'Neill
发明人: Gregory B. Roth , Bradley Jeffery Behm , Eric D. Crahen , Cristian M. Ilac , Nathan R. Fitch , Eric Jason Brandwine , Kevin Ross O'Neill
CPC分类号: H04L9/083 , G06F21/31 , G06F2221/2115 , H04L9/0861 , H04L9/088 , H04L9/3242 , H04L9/3247 , H04L63/0884 , H04L63/126 , H04L2209/38
摘要: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.
摘要翻译: 用于认证的系统和方法从认证方和认证者之间共享的秘密凭证生成密钥。 密钥的生成可以涉及利用专用信息,作为用于生成密钥的结果,使生成的密钥可用于比秘密凭证更小的使用范围。 此外,密钥生成可以涉及函数的多次调用,其中函数的调用的至少一个子集中的每一个导致具有比从先前调用函数产生的密钥更小的允许使用范围的密钥。 生成的密钥可以用作签名密钥来签名消息。 取决于消息和/或提交消息的方式是否符合密钥使用的限制,可以采取一个或多个动作。
-
公开(公告)号:US09098675B1
公开(公告)日:2015-08-04
申请号:US13614867
申请日:2012-09-13
CPC分类号: H04L63/102 , G06F21/00 , G06F2221/2115 , G06Q50/01 , H04L9/3263 , H04L63/08 , H04L63/0884 , H04L67/20
摘要: Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
摘要翻译: 描述的系统和方法用于委派权限来启用帐户访问与帐户无直接关联的实体。 系统确定与至少一个客户的安全帐户相关联的授权简档。 授权简介包括一个名称,一个确认策略,指定可能在该帐户外部以及被允许承担该授权简档的主体,以及一个授权策略,指示该帐户内允许的行为在这些主体内的主体 委托简介。 创建授权配置文件后,可以将其提供给外部主体或服务。 这些外部主体或服务可以使用委托简档来获取使用委托简档的凭据在帐户中执行各种操作的凭据。
-
公开(公告)号:US08776190B1
公开(公告)日:2014-07-08
申请号:US12955519
申请日:2010-11-29
IPC分类号: G06F7/04
CPC分类号: H04L63/0838 , G06F21/33 , G06F21/62 , H04L63/108 , H04L2463/082
摘要: Systems and methods provide logic that validates a code generated by a user, and that executes a function of a programmatic interface after the user code is validated. In one implementation, a computer-implemented method performs a multifactor authentication of a user prior to executing a function of a programmatic interface. The method includes receiving, at a server, a user code through a programmatic interface. The server computes a server code in response to the user code, and compares the user code to the server code to determine that the user code corresponds to the server code. The server validates the user code and executes a function of the programmatic interface, after the user code is validated.
摘要翻译: 系统和方法提供验证用户生成的代码的逻辑,并且在验证用户代码之后执行编程接口的功能。 在一个实现中,计算机实现的方法在执行编程接口的功能之前执行用户的多因素认证。 该方法包括通过编程接口在服务器处接收用户代码。 服务器根据用户代码计算服务器代码,并将用户代码与服务器代码进行比较,以确定用户代码对应于服务器代码。 在验证用户代码后,服务器验证用户代码并执行编程接口的功能。
-
公开(公告)号:US20130086662A1
公开(公告)日:2013-04-04
申请号:US13248962
申请日:2011-09-29
申请人: Gregory B. Roth , Bradley Jeffery Behm , Eric D. Crahen , Cristian M. Ilac , Nathan R. Fitch , Eric Jason Brandwine , Kevin Ross O'Neill
发明人: Gregory B. Roth , Bradley Jeffery Behm , Eric D. Crahen , Cristian M. Ilac , Nathan R. Fitch , Eric Jason Brandwine , Kevin Ross O'Neill
IPC分类号: G06F21/00
CPC分类号: H04L9/0891 , G06F21/31 , G06F2221/2115 , H04L9/083 , H04L9/088 , H04L9/3247 , H04L63/08 , H04L2209/38 , H04L2463/061
摘要: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.
摘要翻译: 用于认证的系统和方法从认证方和认证者之间共享的秘密凭证生成密钥。 密钥的生成可以涉及利用专用信息,作为用于生成密钥的结果,使生成的密钥可用于比秘密凭证更小的使用范围。 此外,密钥生成可以涉及函数的多次调用,其中函数的调用的至少一个子集中的每一个导致具有比从先前调用函数产生的密钥更小的允许使用范围的密钥。 生成的密钥可以用作签名密钥来签名消息。 取决于消息和/或提交消息的方式是否符合密钥使用的限制,可以采取一个或多个动作。
-
-
-
-
-
-
-
-
-
搜索结果
20 条记录 (耗时 0.022 秒)
