Method for enabling a program written in untrusted code to interact with a security subsystem of a hosting operating system
    1.
    Granted invention patent
    Status: Expired

    Publication number: US07451484B1

    Publication date: 2008-11-11

    Application number: US09321788

    Filing date: 1999-05-27

    IPC classification: G06F12/14

    CPC classification: G06F21/31

    Abstract: A program written in untrusted code (e.g., JAVA) is enabled to access a native operating system resource (e.g., supported in WINDOWS NT) through a staged login protocol. In operation, a trusted login service listens, e.g., on a named pipe, for requests for login credentials. In response to a login request, the trusted login service requests a native operating system identifier. The native operating system identifier is then sent to the program. Using this identifier, a credential object is then created within an authentication framework. The credential object is then used to login to the native operating system to enable the program to access the resource. This technique enables a JAVA program to access a WINDOWS NT operating system resource under the identity of the user running the JAVA program.

    Method and computer program product for processing signed applets
    2.
    Granted invention patent
    Status: In force

    Publication number: US06910128B1

    Publication date: 2005-06-21

    Application number: US09717524

    Filing date: 2000-11-21

    IPC classification: G06F21/00 H04L9/00 H04L29/06

    Abstract: A framework for processing signed applets that are distributed over the Internet. Using the framework, an applet that is packaged as a Netscape- or JDK-signed jar file, or as an Internet Explorer-signed cab file, is processed within the same Java runtime environment irrespective of the browser type (i.e. Netscape Communicator, Internet Explorer or JDK) used to execute the applet. When the applet is executed, the framework verifies one or more applet signatures using the same algorithm that was used to sign the applet, verifies the signer(s) of the applet, and stores information about the signers so that they can be honored by a security policy when permissions for the applet are determined.

    Dynamic runtime and test architecture for Java applets
    3.
    Granted invention patent
    Status: Expired

    Publication number: US06473894B1

    Publication date: 2002-10-29

    Application number: US09240959

    Filing date: 1999-01-29

    IPC classification: G06F944

    CPC classification: G06F11/3672 G06F17/3089

    Abstract: A test/run program receives as input a list of identifiers for source pages referencing applets to be tested or run. The test/run program creates an array of the identifiers, together with parameters for each identifier, web browser to run the test under, and a number of times the source page is to be reloaded and the applets re-run. For each source page, and for each reload of a given source page, the test/run program starts the specified web browser process, loads the designated source page, and starts a fresh runtime environment for the applet. Support for a test class within the test/run program allows the applets to write success, failure, or informational results to an output file and to exit the web browser process when complete. Where a native implementation of the test class is employed, special security permissions need not be specified and the test/run program need not necessarily be run locally. In exiting the web browser process, the applets write a marker file to indicate that the applet run is complete, which the test/run program detects. Multiple applets may be automatically and repetitively loaded, each with a fresh runtime environment in a new web browser application, for testing of the applets or repeat execution of the applets changing system properties.

    Composite keystore facility apparatus and method therefor
    4.
    Granted invention patent
    Status: Expired

    Publication number: US06934840B2

    Publication date: 2005-08-23

    Application number: US09746582

    Filing date: 2000-12-21

    IPC classification: H04L9/32 H04L9/00

    CPC classification: H04L9/3263 H04L2209/56

    Abstract: An apparatus and method for managing keystores is implemented. A distributed keystore is established by aggregating individual. The distributed keystore may be organized in a multi-level structure, which may be associated with an organizational structure of an enterprise, or other predetermined partitioning. Additionally, a centralized management of certificates may be provided, whereby the expiration or revocation of the certificates may be tracked, and expired or revoked certificates may be refreshed. The keystore may be updated in response to one or more update events.

    Web client scripting test architecture for web server-based authentication
    5.
    Granted invention patent
    Status: Expired

    Publication number: US06151599A

    Publication date: 2000-11-21

    Application number: US118561

    Filing date: 1998-07-17

    IPC classification: G06F21/00 G06F15/173

    Abstract: A test page including a statement invoking an executable periodically reloading the test page is placed on a Web server having a security plug-in to be tested. The test page may include multiple frames, each containing a reference requesting access to the same test page or each performing a different testing function. The test page may be placed in a protected directory, may include an attempt to access the contents of a file within a different protected directory, and may include attempts to access protected CGI executables or other programs or modules which may be run on the Web server. A remote browser is employed to attempt to access the test page using the userid and password employed to login to the browser. Successful or unsuccessful access to the test page verifies proper operation of the security plug-in. The test page is automatically reloaded by the browser at a selected interval, and multiple frames or multiple browser instances each accessing the test page results in stress testing of the security plug-in.

    Method and apparatus for providing persistent fault-tolerant proxy login to a web-based distributed file service
    6.
    Granted invention patent
    Status: Expired

    Publication number: US5974566A

    Publication date: 1999-10-26

    Application number: US946077

    Filing date: 1997-10-07

    IPC classification: H04L29/06 G06F13/00

    CPC classification: H04L63/08 H04L63/10

    Abstract: A method of enabling persistent access by a Web server to files stored in a distributed file system of a distributed computing environment that includes a security service. A session manager is used to perform a proxy login to the security service on behalf of the Web server. Persistent operation of the session manager is ensured by periodically spawning new instances of the session manager process. Each new instance preferably initializes itself against a binding file. A prior instance of the session manager is maintained in an active state for at least a period of time during which the new instance of the session manager initializes itself. Upon receipt of a given transaction request from a Web client to the Web server, a determination is made regarding whether a new instance of the session manager process has been spawned while the Web server was otherwise idle. If so, the Web server is re-bound to the new instance of the session manager process so that the new instance of the session manager process can respond to the transaction request.

    Notification of modifications to a trusted computing base
    7.
    Granted invention patent
    Status: In force

    Publication number: US06961855B1

    Publication date: 2005-11-01

    Application number: US09464854

    Filing date: 1999-12-16

    CPC classification: G06F21/53 G06F21/552

    Abstract: A mechanism that allows enterprise authorities to be informed when security-sensitive decisions or actions have been or are attempting to be made by users of untrusted code executing in the trusted computing base. The mechanism may be implemented as an abstract class that is part of the trusted computing base. The class provides a framework abstract enough to permit multiple possible notifications (e.g., providing an e-mail to a system operator, sending a Simple Network Management Protocol (SNMP) alert, making an entry in an online database, or the like) in the event that a given action is taken by a user of untrusted code. The abstract class may provide a default notification, or the class may be extended to enable an authority to provide its own set of customized notifications.

    Managing and extending attribute values for public key cryptography standards
    8.
    Granted invention patent
    Status: Expired

    Publication number: US06898714B1

    Publication date: 2005-05-24

    Application number: US09478307

    Filing date: 2000-01-06

    IPC classification: H04L9/00 H04L29/06

    Abstract: A method and system for processing PKCS-attributes and user-defined attributes in heterogeneous environment is provided. Attributes are registered with a PKCS9 gateway class, and the attributes include user-defined attributes and PKCS-standard defined attributes. Each of the registered attributes is associatively stored with an identifier. A method in the PKCS9 gateway class may be called with a parameter containing an object identifier for an attribute. An attribute mapping data structure is searched using the object identifier in the received parameter, and in response to finding a matching object identifier, a class identifier that has been associatively stored with the matching object identifier is retrieved from the attribute mapping data structure. A method in the class identified by the class identifier is then called. The called method may include an operation for construction, attribute conversion to and from DER-encoding, attribute differentiation, and attribute value extraction. A class hierarchy of attribute types is based on an abstract class for all attribute objects with a subclass for undefined attributes and a subclass for defined attributes. The subclass for defined attributes is further decomposed into a subclass for each PKCS-defined attribute and a subclass for each user-defined attribute.

    Method and system for presentation and manipulation of PKCS signed-data objects
    9.
    Granted invention patent
    Status: Expired

    Publication number: US06772341B1

    Publication date: 2004-08-03

    Application number: US09460838

    Filing date: 1999-12-14

    IPC classification: H04L900

    CPC classification: G06F21/64

    Abstract: A method and system for processing signed data objects in a data processing system is presented. A signed data object utility allows a user to view and edit the contents of data objects embedded within a signed data object via a graphical user interface. Graphical objects represent the data objects embedded within a signed data object. A user may drag and drop objects onto other objects within the signed data object, and the signed data object utility automatically performs the necessary signing operations. Logical associations between data objects contained within the signed data object are determined, and the logical associations are displayed using visual indicators between graphical objects representing the associated data objects. As data objects are added or deleted, the visual indicators are updated to reflect any updates to the logical associations. The user may direct other operations on the signed data object through the graphical user interface.

    Passing environment variables from an hypertext protocol server application programming interface
    10.
    Granted invention patent
    Status: Expired

    Publication number: US06549952B1

    Publication date: 2003-04-15

    Application number: US08790040

    Filing date: 1997-01-28

    IPC classification: G06F900

    CPC classification: G06F9/44505 H04L67/02

    Abstract: A method of enabling an HTTP server plug-in to pass an unmangled environment variable into a CGI process begins by configuring the HTTP server to initially override a CGI service method. When the server processes an HTTP request, the server plug-in, which is called prior to the CGI service method and is running in a process of the HTTP server, inserts a “name value” pair prepended with a marker in a request header parameter block of the HTTP server. Then, the CGI service override method executes the server's original (i.e. native) CGI service method, causing it to run an encapsulation program in the CGI process. This program scans the environment of the CGI process for any string prepended with a given HTTP code (e.g., the string “HTTP_”) and the marker. If it finds any such string, the program strips the given HTTP code and the marker from a remainder of the string and resets the environment variable into the CGI process in an “unmangled” form. The target CGI program is then executed in the CGI process.