1. Electronic authority server
    Granted invention patent (expired)

    Publication number: US6073242A

    Publication date: 2000-06-06

    Application number: US44607

    Filing date: 1998-03-19

    Abstract: An electronic communication authority server that provides centralized key management, implementation of role-based enterprise policies and workflow, and projection of corporate authorities over trusted networks. The authority server includes a key database that associates keys, signatures and indicators of corporate authority (such as letterhead) with particular corporate roles. There can be multiple roles or a single role (e.g., employee) for each authority server. Users associated with one or more roles are permitted by the authority server to exercise authority or include the indicators of authority in their communications. The authority server also encrypts/decrypts and signs/verifies communications from/to a user using the keys and signatures associated with the role being exercised by the user for that communication. The authority server permits roles to be delegated or transferred, which facilitates the execution by the authority server of role-dependent workflow procedures. In another embodiment, keys are not associated with individual roles but with servers and/or groups of users. In this embodiment a server processes a request from one of its users in accordance with the role-based policies it embodies and then, if necessary, indicates the identity of the requesting user in the end product of the request, which it then signs using its own key and encrypts with appropriate destination keys.


2. Distributed garbage collection system and method
    Granted invention patent (expired)

    Publication number: US5960087A

    Publication date: 1999-09-28

    Application number: US674114

    Filing date: 1996-07-01

    Abstract: A distributed garbage collection system and method is disclosed that is compatible with local ref-count or full garbage collection and that ensures that no local object's storage is deleted by the local garbage collector unless it is certain that there are no actual or potential remote references to that local object. The disclosed system and method are implemented in the context of a transparent distributed object system in which communications between objects in different processes are enabled by dedicated proxy objects that are linked to corresponding remote objects via a pair of transport objects. Additional proxy holder objects and proxy holder proxies ensure that objects for which third-party object references are passed (i.e., where one object in a first process passes a remote object in a second process a reference to a third object in a third process) are not collected until a direct link is established between the remote object in the second process and the third object in the third object space. As appropriate, secret number table pointers maintained by a local registrar for each object that has been accessed via a third-party message are deleted, allowing the objects to be collected when there are no other actual or pending remote references to that object. The transport managers encrypt all inter-process messages so as to provide full capability security within the distributed system. This enables the disclosed garbage collection system and methods to operate under attack from misbehaving participants.


3. Capability security for transparent distributed object systems
    Granted invention patent (expired)

    Publication number: US5781633A

    Publication date: 1998-07-14

    Application number: US671307

    Filing date: 1996-07-01

    IPC classification: G06F9/46 H04L9/32 G06F13/14

    CPC classification: G06F9/468

    Abstract: A system providing capability security for distributed object systems is disclosed. The basic tenet of capability security is that the right to do something to an object (e.g., invoke a particular object's methods) is represented solely by the holding of a reference to that object. In each of the preferred embodiments described herein, an object is presumed to hold legitimately a reference to a particular object only if the object knows some unpublicized (except under the conditions required by capability security) key associated with the particular object. That is, an object's key is required along with the object's reference. So that capability security is preserved when object references are passed between objects in different processes, the object references being passed are encrypted upon transmission and then decrypted upon arrival at their intended destination. This cryptography can be performed by objects or processes using a variety of techniques, including Diffie-Hellman or public/private key cryptography. The cryptography performed in the various embodiments ensures that only the intended recipient of the message can decode the object reference and that a misbehaving object cannot convince another object that it possesses a capability it does not have. Some of the disclosed embodiments provide capability security for transparent distributed object systems, wherein a pair of matched transports handle and encrypt inter-process communications between objects in their respective processes.


4. Persistent distributed capabilities
    Granted invention patent (expired)

    Publication number: US6049838A

    Publication date: 2000-04-11

    Application number: US673058

    Filing date: 1996-07-01

    IPC classification: G06F9/46 G06F15/163 G06F9/00

    CPC classification: G06F9/465

    Abstract: A system and method are disclosed that provide persistent capabilities for distributed, object-oriented applications running on generally available hardware. The disclosed system and method operate in a transparent distributed object system where inter-process messaging between the program objects is effected by paired transport managers, proxies and matched in-table and out-table slots. Each object needing to communicate with an object in another address space does so by transparently issuing messages to that object's local proxy. Each process provides a registrar that includes a secret code table wherein an object is registered with a unique, practically unguessable secret code. Anticipating the need to re-establish object-proxy links following an inter-process communications fault, proxies are made revivable, meaning that their links with corresponding remote objects can be revived following a communications interruption. This is accomplished by a makeRevivable method that stores a revivable proxy's expiration date (the date beyond which the proxy is not revivable) and its corresponding remote object's secret code into the proxy's out-table slot. Upon the occurrence of a communications fault, all transport managers and tables are nulled out and then, when the communications fault is corrected, rebuilt by the transport managers. Sometime after the restoration of communications, a revived method is invoked that restores the links between registered objects and proxies. The objects and proxies are brought back in a consistent state based on limited checkpointed data stored by the distributed program for the registered objects.


5. Lightweight non-repudiation system and method
    Granted invention patent (expired)

    Publication number: US5790669A

    Publication date: 1998-08-04

    Application number: US675258

    Filing date: 1996-07-01

    IPC classification: H04L9/32

    Abstract: A system and method are disclosed that provide lightweight non-repudiability for networked computer systems. Each party to a two-party communication maintains hashes on its incoming and outgoing messages. At its discretion, either party can request that the other party commit to the conversation. The second party (if it agrees) then sends signed hashes that third parties can use to verify the content of the conversation. The party requesting the commitment stores its corresponding hashes when it sends the request. If the hashes from both parties are the same for the same positions in their conversation, the two parties can verify that their conversation is error-free. If the sending party also maintains logs of both sides (incoming and outgoing) of the conversation and stores hashes corresponding to the beginning of the logs, the sending party is also able to verify to a third party that the logged portion of the conversation was between the first party and the second party. Non-repudiability for entire conversations consisting of millions of messages can therefore be provided using a single pair of commit message and commitment/signature messages.


6. System and method for generating unique secure values for digitally signing documents
    Granted invention patent (expired)

    Publication number: US6079018A

    Publication date: 2000-06-20

    Application number: US947375

    Filing date: 1997-10-08

    IPC classification: H04L9/32 H04L9/20

    CPC classification: H04L9/0891 H04L9/3247

    Abstract: A document is digitally signed with a digital signature that is unique to the signer/document pair. A document digest is generated by applying a predefined one-way hash function to the document. A pseudo-random key is generated by combining the document digest with at least one other value in accordance with a predefined computational procedure. The digital signature is then generated as a predefined function of the private key, the document digest, and the pseudo-random key k. A distinct pseudo-random key is generated for each distinct specified document, and for a given value of the private key, a distinct digital signature is generated for each distinct specified document. In a preferred embodiment the pseudo-random key generating step includes combining the document digest with a value corresponding to the private key to generate an intermediate value, and hashing the intermediate value with the predefined one-way hash function to generate the pseudo-random key k. In another preferred embodiment the pseudo-random key generating step includes hashing the private key with the predefined one-way hash function to generate a first intermediate value, combining the document digest with a value corresponding to the first intermediate value and an ancillary secret value to generate a second intermediate value, and hashing the second intermediate value with the predefined one-way hash function to generate the pseudo-random key k.


7. Capability security for distributed object systems
    Granted invention patent (expired)

    Publication number: US5852666A

    Publication date: 1998-12-22

    Application number: US674128

    Filing date: 1996-07-01

    Abstract: A system providing capability security for distributed object systems is disclosed. The basic tenet of capability security is that the right to do something to an object (e.g., invoke a particular object's methods) is represented solely by the holding of a reference to that object. In each of the preferred embodiments described herein, an object is presumed to hold legitimately a reference to a particular object only if the object knows some unpublicized (except under the conditions required by capability security) key associated with the particular object. That is, an object's key is required along with the object's reference. So that capability security is preserved when object references are passed between objects in different processes, the object references being passed are encrypted upon transmission and then decrypted upon arrival at their intended destination. This cryptography can be performed by objects or processes using a variety of techniques, including Diffie-Hellman or public/private key cryptography. The cryptography performed in the various embodiments ensures that only the intended recipient of the message can decode the object reference and that a misbehaving object cannot convince another object that it possesses a capability it does not have. Some of the disclosed embodiments provide capability security for distributed object systems wherein the objects and processes directly handle inter-object and inter-process communications and message encryption and decryption.


8. Generic transfer of exclusive rights
    Granted invention patent (expired)

    Publication number: US6161121A

    Publication date: 2000-12-12

    Application number: US673039

    Filing date: 1996-07-01

    IPC classification: G06F21/00 G06F9/00

    CPC classification: G06F21/6218 G06F2221/2141

    Abstract: A system and method are disclosed that enable exclusive rights in generic goods to be transferred from one party to another. A party holds an exclusive right to a good through a rescindable capability. When two parties agree on a transfer of the exclusive right to the good, a goods description memorializing the agreement is created which is in synergy with the rescindable capability. The goods description includes an acquire method that is the only method that can extract rights from the rescindable capability with which it is in synergy. The object from which the generic right is being transferred sends a message to the recipient with a reference to the rescindable capability. Upon receiving the message, the recipient invokes the acquire method of the referenced goods description, which returns a new rescindable capability that encompasses the generic right just transferred. Once the recipient holds a reference to the new rescindable capability, the sender has had its rights rescinded. Because the details of a transfer are implemented between a rescindable capability and a goods description, rights to goods of any type can be transferred. This is useful in escrow transactions, where a trusted third party with no knowledge of the goods being exchanged can effect exchanges of exclusive rights to generic goods by two mutually suspicious parties.


9. Diverse goods arbitration system and method for allocating resources in a distributed computer system
    Granted invention patent (expired)

    Publication number: US5640569A

    Publication date: 1997-06-17

    Application number: US431021

    Filing date: 1995-04-28

    CPC classification: G06F9/50 G06F13/362 G06Q40/04

    Abstract: A diverse goods arbitration system and method allocates computer resources among bidding requesters. Bid slates are transmitted to an arbiter by users (requesters) requesting use of specified portions of the available computer resources. Each bid slate may contain a plurality of bids, each bid representing a requested set of resources and a bid price. The arbiter selects combinations of bids from the bid slates, where each bid combination consists of no more than one bid from each of the received bid slates. The arbiter rejects all bid combinations whose constituent bids exceed an established maximum allocation level for any computer resource. It then selects as the winning bid combination the bid combination having the highest total bid price. Computer resources are then allocated for the next time period based on the winning bid. Costs are allocated to each successful requester in accordance with a predefined opportunity cost function. In particular, for each successful requester, the arbitration process is repeated while excluding that successful requester's bid slate from the set of bid slates considered, resulting in the selection of a second winning bid that excludes the successful requester. The successful requester is then assessed a cost corresponding to the difference between the winning bid's total bid prices, excluding the price in the successful requester's granted bid, and the total bid prices associated with the second winning bid.


10. Computer security system
    Granted invention patent (expired)

    Publication number: US4584639A

    Publication date: 1986-04-22

    Application number: US565194

    Filing date: 1983-12-23

    Applicant: Norman Hardy

    Inventor: Norman Hardy

    IPC classification: G06F9/46 G06F1/00

    CPC classification: G06F9/52

    Abstract: A capability-based computer system includes means, called a factory, for allowing two domains to share resources in a secure manner. Factories are special domains which, in combination with corresponding kernel functions, allow a first domain (called a builder domain) to install a program and other components in a factory for use by other domains, and then to seal the factory, thereby leaving the builder domain with no keys to the factory except a special type of entry key called a requestor key. The holders of requestor keys can use the program in the factory by invoking the requestor key. This causes the factory to set up a new special domain for the requestor which allows the requestor to use the program in the factory to process data without being able to inspect the program. Further, the factory mechanism includes means for the requestor to confirm that the factory includes no keys which could compromise the confidentiality of the requestor's data. A second aspect of the present invention is the ability to provide different memory fault resolution mechanisms (called segment keeper domains) for different memory segments.
