TRANSFORMATION OF SEQUENTIAL ACCESS CONTROL LISTS UTILIZING CERTIFICATES
    1.
    Patent application
    TRANSFORMATION OF SEQUENTIAL ACCESS CONTROL LISTS UTILIZING CERTIFICATES (status: in force)

    Publication number: US20080313712A1

    Publication date: 2008-12-18

    Application number: US11764034

    Filing date: 2007-06-15

    IPC classification: H04L9/32

    CPC classification: H04L63/101 H04L63/0823

    Abstract: The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.


    Protocol-Independent remote attestation and sealing
    2.
    Granted patent
    Protocol-Independent remote attestation and sealing (status: in force)

    Publication number: US08161285B2

    Publication date: 2012-04-17

    Application number: US12239710

    Filing date: 2008-09-26

    IPC classification: G06F21/02 H04L29/06 H04L9/28

    Abstract: Messages, including messages in conformance with various protocols, can be hashed and the hash values added to an event log and provided to a Trusted Platform Module (TPM), which can extend one or more Platform Configuration Registers (PCRs) with the hash value, much as it would with the hash of a component that was installed or executed on the computing device with the TPM. Subsequently, the TPM can sign one or more of the PCRs and the signed PCRs can be transmitted, together with the event log and a copy of the messages. The recipient can verify the sender based on the signed PCRs, can confirm that the signed PCRs match the event log, and can verify the hash of the message in the event log by independently hashing it. In another embodiment, an intermediate hashing of the message can avoid transmission of potentially malicious executable instructions within a message.


    Software enhanced trusted platform module
    3.
    Granted patent
    Software enhanced trusted platform module (status: in force)

    Publication number: US08122514B2

    Publication date: 2012-02-21

    Application number: US12183057

    Filing date: 2008-07-30

    IPC classification: G06F21/02

    CPC classification: G06F21/575 G06F21/57

    Abstract: Computer-executable instructions can implement a software-based Trusted Platform Module (TPM) that can have more computational power than the hardware TPM. The software TPM can be protected from modification, or other unauthorized access, via a memory partitioning scheme that enables other computer-executable instructions to access the software TPM in a predefined manner, but yet prohibits other access. A tri-partied partitioning scheme can be used wherein the computer executable instructions of the software TPM reside in a first region, a jump table to appropriate ones of those instructions resides in a second region, and everything else resides in the third region. The storage key of the software TPM can be sealed by the hardware TPM to be released only if the software TPM, and the computing device, are in a known good state, as determined by the Platform Configuration Registers of the hardware TPM, thereby further protecting the software TPM from tampering.


    ACCESS CONTROL NEGATION USING NEGATIVE GROUPS
    5.
    Patent application
    ACCESS CONTROL NEGATION USING NEGATIVE GROUPS (status: in force)

    Publication number: US20080301780A1

    Publication date: 2008-12-04

    Application number: US11756393

    Filing date: 2007-05-31

    IPC classification: G06F17/00

    CPC classification: G06F21/6218

    Abstract: The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.


    File system active symbolic link
    6.
    Granted patent
    File system active symbolic link (status: in force)

    Publication number: US09037620B2

    Publication date: 2015-05-19

    Application number: US12639950

    Filing date: 2009-12-16

    IPC classification: G06F17/30

    CPC classification: G06F17/30126 G06F17/30091

    Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.


    FILE SYSTEM ACTIVE SYMBOLIC LINK
    7.
    Patent application
    FILE SYSTEM ACTIVE SYMBOLIC LINK (status: in force)

    Publication number: US20110145296A1

    Publication date: 2011-06-16

    Application number: US12639950

    Filing date: 2009-12-16

    IPC classification: G06F17/30

    CPC classification: G06F17/30126 G06F17/30091

    Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.


    Access control negation using negative groups
    8.
    Granted patent
    Access control negation using negative groups (status: in force)

    Publication number: US07900248B2

    Publication date: 2011-03-01

    Application number: US11756393

    Filing date: 2007-05-31

    IPC classification: G06F17/30

    CPC classification: G06F21/6218

    Abstract: The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.


    Transformation of sequential access control lists utilizing certificates
    9.
    Granted patent
    Transformation of sequential access control lists utilizing certificates (status: in force)

    Publication number: US08468579B2

    Publication date: 2013-06-18

    Application number: US11764034

    Filing date: 2007-06-15

    IPC classification: G06F21/00

    CPC classification: H04L63/101 H04L63/0823

    Abstract: The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.


    Protocol-Independent Remote Attestation And Sealing
    10.
    Patent application
    Protocol-Independent Remote Attestation And Sealing (status: in force)

    Publication number: US20100082984A1

    Publication date: 2010-04-01

    Application number: US12239710

    Filing date: 2008-09-26

    IPC classification: H04L9/32

    Abstract: Messages, including messages in conformance with various protocols, can be hashed and the hash values added to an event log and provided to a Trusted Platform Module (TPM), which can extend one or more Platform Configuration Registers (PCRs) with the hash value, much as it would with the hash of a component that was installed or executed on the computing device with the TPM. Subsequently, the TPM can sign one or more of the PCRs and the signed PCRs can be transmitted, together with the event log and a copy of the messages. The recipient can verify the sender based on the signed PCRs, can confirm that the signed PCRs match the event log, and can verify the hash of the message in the event log by independently hashing it. In another embodiment, an intermediate hashing of the message can avoid transmission of potentially malicious executable instructions within a message.
