1. Authentication and authorization methods for cloud computing security
    Granted invention; status: in force

    Publication number: US08769622B2

    Publication date: 2014-07-01

    Application number: US13173563

    Filing date: 2011-06-30

    IPC classification: H04L9/08

    Abstract: An authentication and authorization plug-in model for a cloud computing environment lets cloud customers retain control over their enterprise information when their applications are deployed in the cloud. The cloud service provider exposes a pluggable interface for customer security modules. When a customer deploys an application, the cloud environment administrator allocates a resource group (e.g., processors, storage, and memory) for the customer's application and data. The customer registers its own authentication and authorization security module with the cloud security service, and that security module is then used to control which persons or entities can access information associated with the deployed application. The cloud environment administrator, however, typically is not registered (as a permitted user) within the customer's security module; thus, the cloud environment administrator is not able to access (or release to others, or to the cloud's general resource pool) the resources assigned to the cloud customer (even though the administrator itself assigned those resources) or the associated business information. To further balance the rights of the various parties, a third-party notary service protects the privacy and the access rights of the customer when its application and information are deployed in the cloud.
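
    Worked example, added to this listing and not taken from the patent or its assignee: a Go sketch of the plug-in model described in the abstract. The SecurityModule interface, the in-memory CustomerModule, the resource-group bookkeeping and the deny-by-default rule for a group that has no module registered yet are assumptions of the example; the third-party notary service is not modelled.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// SecurityModule is the pluggable interface the provider exposes. The
// customer supplies the implementation and owns the list of permitted users.
type SecurityModule interface {
	Authenticate(principal, secret string) bool
	Authorize(principal, action, app string) bool
}

// CustomerModule is a constructed implementation backed by an in-memory
// user table and a per-principal action allow-list. The cloud administrator
// is simply not a row in it.
type CustomerModule struct {
	Secrets map[string]string          // principal -> secret (demo only)
	Grants  map[string]map[string]bool // principal -> action -> allowed
}

func (m *CustomerModule) Authenticate(principal, secret string) bool {
	want, ok := m.Secrets[principal]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(secret)) == 1
}

func (m *CustomerModule) Authorize(principal, action, _ string) bool {
	return m.Grants[principal][action]
}

// ResourceGroup is what the cloud administrator allocates for one deployed
// application: some resources plus a slot for the customer's module.
type ResourceGroup struct {
	Customer string
	CPUs     int
	Module   SecurityModule // nil until the customer registers one
}

type CloudService struct {
	Groups map[string]*ResourceGroup // application name -> group
}

func NewCloudService() *CloudService {
	return &CloudService{Groups: map[string]*ResourceGroup{}}
}

// Allocate is the administrator's action: it assigns resources but confers
// no right to use them.
func (c *CloudService) Allocate(app, customer string, cpus int) {
	c.Groups[app] = &ResourceGroup{Customer: customer, CPUs: cpus}
}

// RegisterModule lets the customer plug its own module into its group.
func (c *CloudService) RegisterModule(app string, m SecurityModule) error {
	g, ok := c.Groups[app]
	if !ok {
		return fmt.Errorf("no resource group for %q", app)
	}
	g.Module = m
	return nil
}

// Access routes every operation on the group, whoever requests it, through
// the customer's module. With no module registered the answer is deny, so
// the window between allocation and registration grants nothing.
func (c *CloudService) Access(app, principal, secret, action string) error {
	g, ok := c.Groups[app]
	if !ok {
		return fmt.Errorf("no resource group for %q", app)
	}
	if g.Module == nil {
		return errors.New("no security module registered: deny by default")
	}
	if !g.Module.Authenticate(principal, secret) {
		return fmt.Errorf("%q is not a user known to %s's module", principal, g.Customer)
	}
	if !g.Module.Authorize(principal, action, app) {
		return fmt.Errorf("%q may not %s %q", principal, action, app)
	}
	return nil
}

// Release returns the group to the general pool. It is just another action,
// so the administrator who allocated the group cannot release it unless the
// customer's module says so.
func (c *CloudService) Release(app, principal, secret string) error {
	if err := c.Access(app, principal, secret, "release"); err != nil {
		return err
	}
	delete(c.Groups, app)
	return nil
}

func main() {
	cloud := NewCloudService()
	cloud.Allocate("payroll", "acme", 4)
	fmt.Println("admin before registration:", cloud.Release("payroll", "cloud-admin", "x"))
	mod := &CustomerModule{
		Secrets: map[string]string{"alice": "s3cret"},
		Grants:  map[string]map[string]bool{"alice": {"read": true, "release": true}},
	}
	_ = cloud.RegisterModule("payroll", mod)
	fmt.Println("admin after registration:", cloud.Release("payroll", "cloud-admin", "x"))
	fmt.Println("alice release:", cloud.Release("payroll", "alice", "s3cret"))
}
```

    The point the abstract makes is visible in Release: the same check gates every operation, so the party that allocated the resources has no standing to reclaim them unless the customer's module lists it.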

2. Associating multiple security domains to application servers
    Granted invention; status: expired

    Publication number: US08468607B2

    Publication date: 2013-06-18

    Application number: US12574825

    Filing date: 2009-10-07

    IPC classification: G06F21/00

    CPC classification: H04L63/104 H04L63/105

    Abstract: Multiple security domains can be created and associated with various scopes within the cell, allowing the security configuration of each scope to be managed collectively. Examples of scopes include the entire cell, one or more application servers, one or more applications, one or more clusters, one or more service integration buses, one or more nodes, etc. Security configurations associated with the security domains are applied to the scopes based on a hierarchy of the security domains. In addition, new security domains may be created automatically based on the security requirements of newly installed applications.
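
    Worked example, added here and not from the patent: a Go model of scopes, security domains and automatic domain creation. The scope kinds, the nearest-scope-wins resolution rule, and the rule that a new domain is created only when an inherited attribute conflicts with the application's requirement are assumptions of this example; the abstract says only that the hierarchy of domains decides.

```go
package main

import "fmt"

// SecurityDomain is a named bundle of security configuration attributes
// (user registry, SSL requirement, ...) attachable to any scope of the cell.
type SecurityDomain struct {
	Name   string
	Config map[string]string
}

// Scope is one node of the cell hierarchy: cell > cluster > node > server >
// application. Domain is nil when the scope inherits from its parent.
type Scope struct {
	Name   string
	Kind   string
	Parent *Scope
	Domain *SecurityDomain
}

type Cell struct {
	Scopes  map[string]*Scope
	Domains map[string]*SecurityDomain
}

// NewCell creates the root scope with the cell-wide domain attached, so
// every lookup has a fallback.
func NewCell(cellDomain *SecurityDomain) *Cell {
	c := &Cell{Scopes: map[string]*Scope{}, Domains: map[string]*SecurityDomain{}}
	c.Domains[cellDomain.Name] = cellDomain
	c.Scopes["cell"] = &Scope{Name: "cell", Kind: "cell", Domain: cellDomain}
	return c
}

func (c *Cell) AddScope(name, kind, parent string) error {
	p, ok := c.Scopes[parent]
	if !ok {
		return fmt.Errorf("unknown parent scope %q", parent)
	}
	if _, dup := c.Scopes[name]; dup {
		return fmt.Errorf("scope %q already exists", name)
	}
	c.Scopes[name] = &Scope{Name: name, Kind: kind, Parent: p}
	return nil
}

// Associate attaches a domain to a scope, registering the domain if new.
func (c *Cell) Associate(scope string, d *SecurityDomain) error {
	s, ok := c.Scopes[scope]
	if !ok {
		return fmt.Errorf("unknown scope %q", scope)
	}
	c.Domains[d.Name] = d
	s.Domain = d
	return nil
}

// EffectiveDomain walks from the scope up to the cell and returns the first
// domain it meets. Nearest wins and nothing is merged across levels; that
// resolution rule is this example's assumption.
func (c *Cell) EffectiveDomain(scope string) (*SecurityDomain, error) {
	s, ok := c.Scopes[scope]
	if !ok {
		return nil, fmt.Errorf("unknown scope %q", scope)
	}
	for cur := s; cur != nil; cur = cur.Parent {
		if cur.Domain != nil {
			return cur.Domain, nil
		}
	}
	return nil, fmt.Errorf("no domain above %q", scope)
}

// InstallApplication adds an application scope under a server. If the
// inherited configuration already meets the requirements the application
// inherits; otherwise a new domain (inherited config overridden by the
// requirements) is created and attached automatically.
func (c *Cell) InstallApplication(app, server string, req map[string]string) (*SecurityDomain, error) {
	if err := c.AddScope(app, "application", server); err != nil {
		return nil, err
	}
	inherited, err := c.EffectiveDomain(app)
	if err != nil {
		return nil, err
	}
	unmet := false
	merged := map[string]string{}
	for k, v := range inherited.Config {
		merged[k] = v
	}
	for k, v := range req {
		if inherited.Config[k] != v {
			unmet = true
		}
		merged[k] = v
	}
	if !unmet {
		return inherited, nil
	}
	d := &SecurityDomain{Name: app + "-domain", Config: merged}
	return d, c.Associate(app, d)
}

func main() {
	cell := NewCell(&SecurityDomain{Name: "cell-domain", Config: map[string]string{"registry": "ldap", "ssl": "required"}})
	_ = cell.AddScope("cluster1", "cluster", "cell")
	_ = cell.AddScope("server1", "server", "cluster1")
	_ = cell.Associate("cluster1", &SecurityDomain{Name: "cluster1-domain", Config: map[string]string{"registry": "local", "ssl": "required"}})
	d, _ := cell.InstallApplication("payroll", "server1", map[string]string{"registry": "ldap"})
	fmt.Println("payroll resolved to", d.Name, d.Config)
}
```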

3. Method and system for network single-sign-on using a public key certificate and an associated attribute certificate
    Granted invention; status: in force

    Publication number: US08185938B2

    Publication date: 2012-05-22

    Application number: US09821064

    Filing date: 2001-03-29

    Applicant: Messaoud Benantar

    Inventor: Messaoud Benantar

    IPC classification: G06F7/04

    Abstract: A methodology is presented for a network single sign-on (SSO) authentication process using digital certificates. A user has access to protected resources, such as legacy applications, that require verification of the user's authentication data before granting access. The user's authentication data is encrypted using the public key of the user, and an attribute certificate containing the encrypted authentication data is generated by an attribute-certificate-issuing authority. When the user requires access to a protected resource, an SSO agent performs an initial authentication process against the user. The SSO agent then retrieves the user's attribute certificate, and for subsequent authentication requests for other protected resources, the SSO agent uses the authentication data from the attribute certificate that corresponds to the targeted protected resource. The SSO agent forwards the required authentication data to the protected resource, and the protected resource then authenticates the user based on the provided authentication data.
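
    Worked example, added here and not from the patent: issuance and use of the attribute certificate in Go with the standard library's RSA-OAEP and RSA-PSS. The JSON body layout, the use of the resource name as the OAEP label, and the assumption that the SSO agent holds the user's private key for the session once the initial authentication has passed are this example's choices, not the patent's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// AttrCert is a constructed attribute certificate (not an X.509 AC): one
// entry per protected resource holding that resource's authentication data
// encrypted under the holder's public key, plus the issuer's signature.
type AttrCert struct {
	Holder    string
	Encrypted map[string][]byte // resource name -> RSA-OAEP ciphertext
	Signature []byte            // RSA-PSS by the attribute authority
}

// bodyHash is the signed digest; json.Marshal sorts map keys, so the
// encoding is deterministic.
func bodyHash(holder string, enc map[string][]byte) ([]byte, error) {
	body, err := json.Marshal(struct {
		Holder    string
		Encrypted map[string][]byte
	}{holder, enc})
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(body)
	return sum[:], nil
}

// IssueAttrCert is the attribute-certificate-issuing authority. The OAEP
// label is the resource name, so a ciphertext moved into another resource's
// slot does not decrypt.
func IssueAttrCert(aaKey *rsa.PrivateKey, holder string, userPub *rsa.PublicKey, creds map[string]string) (*AttrCert, error) {
	enc := make(map[string][]byte, len(creds))
	for res, secret := range creds {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, []byte(secret), []byte(res))
		if err != nil {
			return nil, err
		}
		enc[res] = ct
	}
	h, err := bodyHash(holder, enc)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, aaKey, crypto.SHA256, h, nil)
	if err != nil {
		return nil, err
	}
	return &AttrCert{Holder: holder, Encrypted: enc, Signature: sig}, nil
}

// SSOAgent verifies attribute certificates against the authority's public
// key and, after the user's initial authentication, uses the user's private
// key (assumed available to the agent for the session) to unwrap the
// per-resource credential on demand.
type SSOAgent struct {
	aaPub   *rsa.PublicKey
	userKey *rsa.PrivateKey
	cert    *AttrCert
}

func NewSSOAgent(aaPub *rsa.PublicKey, userKey *rsa.PrivateKey) *SSOAgent {
	return &SSOAgent{aaPub: aaPub, userKey: userKey}
}

// Load accepts a certificate only if the authority's signature verifies.
func (a *SSOAgent) Load(cert *AttrCert) error {
	h, err := bodyHash(cert.Holder, cert.Encrypted)
	if err != nil {
		return err
	}
	if err := rsa.VerifyPSS(a.aaPub, crypto.SHA256, h, cert.Signature, nil); err != nil {
		return fmt.Errorf("attribute certificate rejected: %w", err)
	}
	a.cert = cert
	return nil
}

// CredentialFor recovers the authentication data the agent forwards to one
// protected resource on a subsequent request.
func (a *SSOAgent) CredentialFor(resource string) (string, error) {
	if a.cert == nil {
		return "", errors.New("no attribute certificate loaded")
	}
	ct, ok := a.cert.Encrypted[resource]
	if !ok {
		return "", fmt.Errorf("no authentication data for %q", resource)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.userKey, ct, []byte(resource))
	if err != nil {
		return "", fmt.Errorf("cannot unwrap credential for %q: %w", resource, err)
	}
	return string(pt), nil
}

func main() {
	aaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, _ := IssueAttrCert(aaKey, "alice", &userKey.PublicKey, map[string]string{"payroll": "pw-1", "hr": "pw-2"})
	agent := NewSSOAgent(&aaKey.PublicKey, userKey)
	if err := agent.Load(cert); err != nil {
		panic(err)
	}
	pw, _ := agent.CredentialFor("payroll")
	fmt.Println("forward to payroll:", pw)
}
```

    The legacy resource never sees the certificate; it still receives the plain credential it has always expected, which is the whole point of the scheme and also why the agent's custody of the user's private key deserves the same protection as the credentials themselves.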

4. Method and system for maintaining client server security associations in a distributed computing system
    Granted invention; status: expired

    Publication number: US6141758A

    Publication date: 2000-10-31

    Application number: US892222

    Filing date: 1997-07-14

    IPC classification: G06F21/00 H04L9/00

    CPC classification: G06F21/335

    Abstract: A method and system for maintaining a secure association between a client and a server in a distributed computing system by computing a session identifier as a function of a Kerberos-based authentication ticket. The session identifier is independently derived or verified by the client and the server upon the first request from the client to the server, and each subsequent request from the client to the server is tagged with this session identifier to provide a reliable security association.
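
    Worked example, added here and not from the patent: one way to derive the session identifier in Go. The patent states only that the identifier is a function of the Kerberos ticket; this example keys an HMAC-SHA256 with the ticket's session key over the ticket's identifying fields (an assumption), and the Ticket type is a constructed stand-in for the real ASN.1 ticket.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Ticket is a constructed stand-in for the fields of a Kerberos service
// ticket that both sides hold once the AP exchange has completed.
type Ticket struct {
	Client     string
	Server     string
	SessionKey []byte // issued by the KDC, known to client and server only
	AuthTime   time.Time
	EndTime    time.Time
}

// SessionID derives the identifier from the ticket: HMAC-SHA256 keyed with
// the session key over the identifying fields. An observer who sees the
// identifier on the wire but lacks the ticket cannot compute another valid
// one, and both sides reach the same value without exchanging it.
func SessionID(t Ticket) string {
	mac := hmac.New(sha256.New, t.SessionKey)
	fmt.Fprintf(mac, "%s|%s|%d|%d", t.Client, t.Server, t.AuthTime.Unix(), t.EndTime.Unix())
	return hex.EncodeToString(mac.Sum(nil))
}

// Request is what the client sends after the first exchange: the tag and
// the payload, no ticket.
type Request struct {
	SessionID string
	Body      string
}

// Server keeps the associations it has accepted; now is injectable so
// expiry can be exercised without waiting.
type Server struct {
	now      func() time.Time
	sessions map[string]Ticket
}

func NewServer(now func() time.Time) *Server {
	return &Server{now: now, sessions: map[string]Ticket{}}
}

// Establish handles the first request, which still carries the ticket: the
// server derives the identifier independently from the ticket it decrypted
// and accepts the association only if the client's tag agrees.
func (s *Server) Establish(t Ticket, r Request) error {
	if s.now().After(t.EndTime) {
		return errors.New("ticket already expired")
	}
	want := SessionID(t)
	if !hmac.Equal([]byte(want), []byte(r.SessionID)) {
		return errors.New("client tag does not match ticket")
	}
	s.sessions[want] = t
	return nil
}

// Handle serves every later request by tag alone. An expired ticket drops
// the association so the client has to re-run the Kerberos exchange.
func (s *Server) Handle(r Request) (string, error) {
	t, ok := s.sessions[r.SessionID]
	if !ok {
		return "", errors.New("unknown session identifier")
	}
	if s.now().After(t.EndTime) {
		delete(s.sessions, r.SessionID)
		return "", errors.New("association expired; re-authenticate")
	}
	return fmt.Sprintf("%s for %s", r.Body, t.Client), nil
}

func main() {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	tkt := Ticket{Client: "alice@EXAMPLE.COM", Server: "fileserver/host@EXAMPLE.COM", SessionKey: []byte("kdc-issued-session-key"), AuthTime: t0, EndTime: t0.Add(8 * time.Hour)}
	srv := NewServer(func() time.Time { return t0.Add(time.Minute) })
	sid := SessionID(tkt) // computed on the client side from the same ticket
	fmt.Println("establish:", srv.Establish(tkt, Request{SessionID: sid, Body: "open"}))
	fmt.Println(srv.Handle(Request{SessionID: sid, Body: "read"}))
}
```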

5. Information handling system, method, and article of manufacture including a vault object for encapsulation of object security credentials
    Granted invention; status: expired

    Publication number: US5802276A

    Publication date: 1998-09-01

    Application number: US582551

    Filing date: 1996-01-03

    Abstract: A system, method and article of manufacture for improving object security in distributed object systems, in an information handling system employing object oriented technology, includes one or more workstations, each workstation having one or more processors, a memory system, an input/output subsystem which may include one or more input/output controllers, each controlling one or more input/output devices, such as communications devices, cursor control devices, keyboards, and display devices, an operating system program such as the OS/2 multi-tasking operating system (OS/2 is a registered trademark of International Business Machines Corporation), and an object oriented control program such as the Distributed System Object Method (DSOM) program available from International Business Machines Corporation, wherein the object oriented control program includes a vault object containing the security credentials for objects in the distributed system.

6. Information handling system, method, and article of manufacture for efficient object security processing by grouping objects sharing common control access policies
    Granted invention; status: expired

    Publication number: US5787427A

    Publication date: 1998-07-28

    Application number: US582270

    Filing date: 1996-01-03

    IPC classification: G06F1/00 G06F21/00 G06F12/14

    CPC classification: G06F21/6281 Y10S707/99939

    Abstract: A system, method and article of manufacture for improving object security in an object oriented system includes one or more processors, a memory system, one or more I/O controllers, each controlling one or more I/O devices, a bus connecting the processors, the memory system and the I/O controllers, an operating system controlling operation of the processors, the memory system and the I/O controllers, and an object oriented control means which includes means for grouping objects that share common access control policies, where an access control list becomes associated with each object group and the policy applicable to the members of the group. An object may be part of multiple groups, and based upon the environment's policy, access to the object may be granted on the basis of a single default object group or on the basis of the union of the access granted by all of its object groups.
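
    Worked example, added here and not from the patent: object groups with one ACL each, evaluated under either of the two policies named in the abstract, in Go. The bit-set rights, the convention that the first listed group is the object's default group, and the Store type are assumptions of this example.

```go
package main

import "fmt"

// Right is a bit set of access rights.
type Right uint8

const (
	Read Right = 1 << iota
	Write
	Delete
)

// ACL grants rights per principal; one ACL serves every member of a group.
type ACL map[string]Right

type ObjectGroup struct {
	Name string
	ACL  ACL
}

// Object belongs to one default group and possibly several others.
type Object struct {
	ID           string
	DefaultGroup string
	Groups       []string
}

// Policy is the environment's rule for objects that sit in several groups.
type Policy int

const (
	DefaultGroupOnly Policy = iota // consult only the object's default group
	UnionOfGroups                  // rights are the union over all its groups
)

type Store struct {
	Policy  Policy
	groups  map[string]*ObjectGroup
	objects map[string]*Object
}

func NewStore(p Policy) *Store {
	return &Store{Policy: p, groups: map[string]*ObjectGroup{}, objects: map[string]*Object{}}
}

func (s *Store) AddGroup(name string, acl ACL) {
	s.groups[name] = &ObjectGroup{Name: name, ACL: acl}
}

// Grant changes one ACL entry and thereby the rights on every member
// object; no per-object update is needed, which is the efficiency gain.
func (s *Store) Grant(group, principal string, r Right) error {
	g, ok := s.groups[group]
	if !ok {
		return fmt.Errorf("unknown group %q", group)
	}
	g.ACL[principal] |= r
	return nil
}

// AddObject registers an object; the first group listed is the default.
func (s *Store) AddObject(id string, groups ...string) error {
	if len(groups) == 0 {
		return fmt.Errorf("object %q needs at least one group", id)
	}
	for _, g := range groups {
		if _, ok := s.groups[g]; !ok {
			return fmt.Errorf("unknown group %q", g)
		}
	}
	s.objects[id] = &Object{ID: id, DefaultGroup: groups[0], Groups: groups}
	return nil
}

// Rights evaluates the principal's rights on the object under the store's
// policy. Unknown objects and unlisted principals get nothing.
func (s *Store) Rights(principal, objectID string) Right {
	obj, ok := s.objects[objectID]
	if !ok {
		return 0
	}
	if s.Policy == DefaultGroupOnly {
		return s.groups[obj.DefaultGroup].ACL[principal]
	}
	var r Right
	for _, g := range obj.Groups {
		r |= s.groups[g].ACL[principal]
	}
	return r
}

// Allowed is the check a caller makes before an operation.
func (s *Store) Allowed(principal, objectID string, want Right) bool {
	return s.Rights(principal, objectID)&want == want
}

func main() {
	s := NewStore(UnionOfGroups)
	s.AddGroup("finance-docs", ACL{"alice": Read | Write, "bob": Read})
	s.AddGroup("archive", ACL{"bob": Read | Delete})
	_ = s.AddObject("q3-report", "finance-docs", "archive")
	fmt.Println("bob may delete q3-report under union policy:", s.Allowed("bob", "q3-report", Delete))
}
```

    Note the difference the policy makes: under the union rule membership in any permissive group widens access, so adding an object to a group for convenience (an archive, a search index) can silently grant rights its default group never did.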

7. Lattice scheme for establishing a secure multi-identity authentication context
    Granted invention; status: expired

    Publication number: US08755519B2

    Publication date: 2014-06-17

    Application number: US13172387

    Filing date: 2011-06-29

    Applicant: Messaoud Benantar

    Inventor: Messaoud Benantar

    IPC classification: H04L9/00

    Abstract: This disclosure describes a secure and computationally efficient method to establish a single authentication context for multiple identities. The method is implemented in an authentication system using a key exchange protocol, namely the Diffie-Hellman key exchange. One or more entities that wish to authenticate (either individually or jointly) register with the authentication system and receive private Diffie-Hellman keys (the PINs). Later, during an authentication operation, each entity provides its PIN to the authentication system, preferably over a secure transport. The authentication system, using Diffie-Hellman key exchange artifacts, generates a Diffie-Hellman cryptographic value for each PIN; that value need not be kept private. The authentication system orders the Diffie-Hellman values as a partially ordered set to form a lattice. An authentication context is derived from the Diffie-Hellman values in the lattice. Thus, for example, during authentication of multiple entities, a shared key is computed incrementally as the Diffie-Hellman keys arrive from the entities for which a multi-identity authentication is required. The shared key represents a proof of group authentication.
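
    Worked example, added here and not from the patent: the incremental Diffie-Hellman construction in Go with math/big. The abstract does not fix how the per-PIN values are combined; this example raises the running context to each verified PIN, which yields g^(x1*...*xn) mod p irrespective of arrival order. The demo group (a random 512-bit prime with generator 2) is an assumption made so the block runs self-contained; it is not a vetted parameter set.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Group holds the Diffie-Hellman parameters. For a self-contained demo p is
// a random 512-bit prime made at start-up and g = 2 (an assumption for
// runnability). Use a standard safe-prime group in practice.
type Group struct{ P, G *big.Int }

func NewDemoGroup() (*Group, error) {
	p, err := rand.Prime(rand.Reader, 512)
	if err != nil {
		return nil, err
	}
	return &Group{P: p, G: big.NewInt(2)}, nil
}

// AuthSystem keeps, per registered identity, only the public value
// g^pin mod p; the PIN itself goes to the entity and is not stored.
type AuthSystem struct {
	grp  *Group
	pubs map[string]*big.Int
}

func NewAuthSystem(g *Group) *AuthSystem {
	return &AuthSystem{grp: g, pubs: map[string]*big.Int{}}
}

// Register issues a private Diffie-Hellman key (the PIN) in [2, p-2].
func (a *AuthSystem) Register(name string) (*big.Int, error) {
	pin, err := rand.Int(rand.Reader, new(big.Int).Sub(a.grp.P, big.NewInt(3)))
	if err != nil {
		return nil, err
	}
	pin.Add(pin, big.NewInt(2))
	a.pubs[name] = new(big.Int).Exp(a.grp.G, pin, a.grp.P)
	return pin, nil
}

// Context is the multi-identity authentication context under construction.
// Value starts at g and is raised to each verified PIN as it arrives, so
// after PINs x1..xn it equals g^(x1*...*xn) mod p whatever the arrival
// order: the join of the lattice nodes for those identities.
type Context struct {
	Value *big.Int
	Seen  map[string]bool
}

func (a *AuthSystem) NewContext() *Context {
	return &Context{Value: new(big.Int).Set(a.grp.G), Seen: map[string]bool{}}
}

// Join checks the presented PIN against the registered public value before
// folding it in, so a wrong PIN never contaminates the context.
func (a *AuthSystem) Join(ctx *Context, name string, pin *big.Int) error {
	pub, ok := a.pubs[name]
	if !ok {
		return fmt.Errorf("%q is not registered", name)
	}
	if new(big.Int).Exp(a.grp.G, pin, a.grp.P).Cmp(pub) != 0 {
		return fmt.Errorf("PIN for %q does not match its registered value", name)
	}
	if ctx.Seen[name] {
		return fmt.Errorf("%q already joined this context", name)
	}
	ctx.Value.Exp(ctx.Value, pin, a.grp.P)
	ctx.Seen[name] = true
	return nil
}

// SharedKey is the proof of group authentication: available only once every
// required identity has contributed, and identical for every arrival order.
func (ctx *Context) SharedKey(required ...string) ([]byte, error) {
	for _, n := range required {
		if !ctx.Seen[n] {
			return nil, fmt.Errorf("%q has not authenticated", n)
		}
	}
	sum := sha256.Sum256(ctx.Value.Bytes())
	return sum[:], nil
}

func main() {
	grp, _ := NewDemoGroup()
	sys := NewAuthSystem(grp)
	pa, _ := sys.Register("alice")
	pb, _ := sys.Register("bob")
	ctx := sys.NewContext()
	_ = sys.Join(ctx, "alice", pa)
	_ = sys.Join(ctx, "bob", pb)
	k, _ := ctx.SharedKey("alice", "bob")
	fmt.Printf("group key: %x\n", k)
}
```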

8. Method and system for computing digital certificate trust paths using transitive closures
    Granted invention; status: in force

    Publication number: US08195933B2

    Publication date: 2012-06-05

    Application number: US10045112

    Filing date: 2002-01-10

    Applicant: Messaoud Benantar

    Inventor: Messaoud Benantar

    IPC classification: H04L29/06 H04L9/00 H04L9/08

    Abstract: A method, system, apparatus, and computer program product are presented for managing digital certificates. When entities need to engage in a secure transaction or open a secure communication link, they may exchange digital certificates in order to provide the other party with a public key, or a reference to one, which requires the received certificate to be validated. Rather than constructing a trust path for each validation event, the hierarchical certifications and peer-to-peer cross-certifications among a set of certificate authorities are represented by a set of trust relations, and trust path information is generated using a transitive closure computation and an "all pairs shortest paths" computation over the set of trust relations, then incrementally updated as the set of trust relations changes. Computations related to trust paths can be delegated to a central agent in a trust web.
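
    Worked example, added here and not from the patent: a Go TrustWeb that keeps the closure and shortest-path tables (Floyd-Warshall style, unit-weight relations) and repairs them incrementally when a relation is added. The CA names and relations are constructed; removing a relation (a revoked cross-certificate) is not handled here and would need a rebuild.

```go
package main

import (
	"fmt"
	"strings"
)

const inf = 1 << 30

// TrustWeb holds the directed trust relations among certificate
// authorities: an edge A -> B means A has certified B, hierarchically or by
// a peer cross-certificate. dist is the all-pairs shortest-path table and
// next the first hop of each shortest path; reachability (the transitive
// closure) is simply dist < inf.
type TrustWeb struct {
	names []string
	idx   map[string]int
	dist  [][]int
	next  [][]int
}

func NewTrustWeb(cas ...string) *TrustWeb {
	n := len(cas)
	w := &TrustWeb{names: cas, idx: map[string]int{}, dist: make([][]int, n), next: make([][]int, n)}
	for i, c := range cas {
		w.idx[c] = i
		w.dist[i] = make([]int, n)
		w.next[i] = make([]int, n)
		for j := range cas {
			w.dist[i][j], w.next[i][j] = inf, -1
		}
		w.dist[i][i], w.next[i][i] = 0, i
	}
	return w
}

// AddTrust inserts one relation and incrementally repairs the tables: a
// pair (a, b) improves only if its best path now runs through the new edge,
// so one insertion costs O(n^2) rather than a full O(n^3) recomputation.
func (w *TrustWeb) AddTrust(from, to string) error {
	i, ok1 := w.idx[from]
	j, ok2 := w.idx[to]
	if !ok1 || !ok2 {
		return fmt.Errorf("unknown CA in relation %s -> %s", from, to)
	}
	if w.dist[i][j] <= 1 {
		return nil // already direct (or the same CA)
	}
	w.dist[i][j], w.next[i][j] = 1, j
	for a := range w.names {
		if w.dist[a][i] == inf {
			continue
		}
		for b := range w.names {
			if w.dist[j][b] == inf {
				continue
			}
			if d := w.dist[a][i] + 1 + w.dist[j][b]; d < w.dist[a][b] {
				w.dist[a][b] = d
				if a == i {
					w.next[a][b] = j
				} else {
					w.next[a][b] = w.next[a][i]
				}
			}
		}
	}
	return nil
}

// Trusted answers the closure query: does any certification chain lead from
// the relying party's anchor to the issuer of the received certificate?
func (w *TrustWeb) Trusted(anchor, issuer string) bool {
	i, ok1 := w.idx[anchor]
	j, ok2 := w.idx[issuer]
	return ok1 && ok2 && w.dist[i][j] < inf
}

// TrustPath returns the shortest chain of CAs from anchor to issuer, or nil.
func (w *TrustWeb) TrustPath(anchor, issuer string) []string {
	if !w.Trusted(anchor, issuer) {
		return nil
	}
	i, j := w.idx[anchor], w.idx[issuer]
	path := []string{anchor}
	for i != j {
		i = w.next[i][j]
		path = append(path, w.names[i])
	}
	return path
}

func main() {
	w := NewTrustWeb("Root", "CorpCA", "PartnerCA", "DeptCA")
	_ = w.AddTrust("Root", "CorpCA")
	_ = w.AddTrust("CorpCA", "DeptCA")
	_ = w.AddTrust("PartnerCA", "CorpCA") // peer cross-certification
	fmt.Println(strings.Join(w.TrustPath("PartnerCA", "DeptCA"), " -> "))
	fmt.Println("DeptCA trusts Root?", w.Trusted("DeptCA", "Root"))
}
```

    Finding a path is not the same as validating the chain: each certificate on the returned path still has to be checked for validity period, revocation and constraints before the end-entity certificate is accepted.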

9. Architecture and design for central authentication and authorization in an on-demand utility environment
    Granted invention; status: expired

    Publication number: US07991996B2

    Publication date: 2011-08-02

    Application number: US12410933

    Filing date: 2009-03-25

    IPC classification: H04L29/06

    CPC classification: H04L63/0823

    Abstract: A Centralized Authentication & Authorization (CAA) system that facilitates secure communication between service clients and service providers. CAA comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), and an Authorization Database (ADB). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. In the preferred embodiment, the SRF forwards the service request to a web service manager. The web service manager invokes SCAP. SCAP matches the identifier with a record stored in ADB. SAP queries ADB to determine whether the service request is valid for the service client. If the service request is valid, SAP authorizes the service request and the appropriate service provider processes it.

10. Architecture and design for central authentication and authorization in an on-demand utility environment
    Granted invention; status: in force

    Publication number: US07519812B2

    Publication date: 2009-04-14

    Application number: US10782443

    Filing date: 2004-02-19

    IPC classification: H04L9/00

    CPC classification: H04L63/0823

    Abstract: A Centralized Authentication & Authorization (CAA) system that facilitates secure communication between service clients and service providers. CAA comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), and an Authorization Database (ADB). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. In the preferred embodiment, the SRF forwards the service request to a web service manager. The web service manager invokes SCAP. SCAP matches the identifier with a record stored in ADB. SAP queries ADB to determine whether the service request is valid for the service client. If the service request is valid, SAP authorizes the service request and the appropriate service provider processes it.
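
    Worked example, added here and not from either patent (items 9 and 10 share this abstract): the SRF, SCAP, SAP and ADB stages as Go functions, with a self-signed client certificate as a constructed fixture. Two assumptions: the client identifier is the certificate's subject CN, and the SRF verifies the certificate against a trust store before trusting that identifier, which the abstract does not mention but which matters because an unverified attached certificate is a claim anyone can make.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServiceRequest: a constructed stand-in for a web-service request carrying
// the client's certificate (DER bytes).
type ServiceRequest struct {
	Service string
	CertDER []byte
}

// RequestContext is the memory the SRF fills and the later stages read.
type RequestContext struct {
	ClientID string
	Service  string
}

// ADB maps a client identifier to the services it may invoke.
type ADB map[string]map[string]bool

// SRF, the service request filter: parse the attached certificate, verify
// it against the trust store (this example's addition), and record the
// subject common name as the client identifier.
func SRF(roots *x509.CertPool, req ServiceRequest) (*RequestContext, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return nil, fmt.Errorf("SRF: malformed certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("SRF: untrusted certificate: %w", err)
	}
	if cert.Subject.CommonName == "" {
		return nil, errors.New("SRF: certificate has no subject CN")
	}
	return &RequestContext{ClientID: cert.Subject.CommonName, Service: req.Service}, nil
}

// SCAP, the service client authentication program: the identifier must
// match a record in the ADB.
func SCAP(db ADB, ctx *RequestContext) error {
	if _, ok := db[ctx.ClientID]; !ok {
		return fmt.Errorf("SCAP: no record for client %q", ctx.ClientID)
	}
	return nil
}

// SAP, the service authorization program: the ADB must grant this client
// this service.
func SAP(db ADB, ctx *RequestContext) error {
	if !db[ctx.ClientID][ctx.Service] {
		return fmt.Errorf("SAP: client %q not authorized for %q", ctx.ClientID, ctx.Service)
	}
	return nil
}

// WebServiceManager runs the stages in order; the provider is reached only
// after SAP has authorized the request.
func WebServiceManager(roots *x509.CertPool, db ADB, providers map[string]func(string) string, req ServiceRequest) (string, error) {
	ctx, err := SRF(roots, req)
	if err != nil {
		return "", err
	}
	if err := SCAP(db, ctx); err != nil {
		return "", err
	}
	if err := SAP(db, ctx); err != nil {
		return "", err
	}
	p, ok := providers[ctx.Service]
	if !ok {
		return "", fmt.Errorf("no provider for %q", ctx.Service)
	}
	return p(ctx.ClientID), nil
}

// SelfSignedClientCert is a test fixture: its DER serves as the attached
// certificate and, once added to the root pool, as the trust anchor.
func SelfSignedClientCert(cn string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := SelfSignedClientCert("billing-client")
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	db := ADB{"billing-client": {"invoice": true}}
	providers := map[string]func(string) string{"invoice": func(c string) string { return "invoice issued for " + c }}
	fmt.Println(WebServiceManager(roots, db, providers, ServiceRequest{Service: "invoice", CertDER: der}))
	fmt.Println(WebServiceManager(roots, db, providers, ServiceRequest{Service: "refund", CertDER: der}))
}
```

    In a real deployment the certificate would come from the TLS client-authentication handshake, which also proves possession of the private key; a certificate merely attached to a message body proves nothing about who sent the message.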