Method and computer program product for processing signed applets
    1.
    发明授权
    Method and computer program product for processing signed applets 有权
    用于处理签名小程序的方法和计算机程序产品

    公开(公告)号:US06910128B1

    公开(公告)日:2005-06-21

    申请号:US09717524

    申请日:2000-11-21

    IPC分类号: G06F21/00 H04L9/00 H04L29/06

    摘要: A framework for processing signed applets that are distributed over the Internet. Using the framework, an applet that is packaged as a Netscape- or JDK-signed jar file, or as an Internet Explorer-signed cab file, is processed within the same Java runtime environment irrespective of the browser type (i.e. Netscape Communicator, Internet Explorer or JDK) used to execute the applet. When the applet is executed, the framework verifies one or more applet signatures using the same algorithm that was used to sign the applet, verifies the signer(s) of the applet, and stores information about the signers so that they can be honored by a security policy when permissions for the applet are determined.

    摘要翻译: 用于处理通过互联网分发的签名小程序的框架。 使用框架,打包为Netscape或JDK签名的jar文件或作为Internet Explorer签名的cab文件的小程序在同一个Java运行时环境中处理,无论浏览器类型如Netscape Communicator,Internet Explorer 或JDK)用于执行小程序。 当小程序被执行时,框架使用用于签署小程序的相同算法验证一个或多个小程序签名,验证小应用程序的签名者,并存储关于签名者的信息,以便它们可被 确定小程序的权限时的安全策略。

    Dynamic runtime and test architecture for Java applets
    2.
    发明授权
    Dynamic runtime and test architecture for Java applets 失效
    Java applet的动态运行时和测试体系结构

    公开(公告)号:US06473894B1

    公开(公告)日:2002-10-29

    申请号:US09240959

    申请日:1999-01-29

    IPC分类号: G06F944

    CPC分类号: G06F11/3672 G06F17/3089

    摘要: A test/run program receives as input a list of identifiers for source pages referencing applets to be tested or run. The test/run program creates an array of the identifiers, together with parameters for each identifier, web browser to run the test under, and a number of times the source page is to be reloaded and the applets re-run. For each source page, and for each reload of a given source page, the test/run program starts the specified web browser process, loads the designated source page, and starts a fresh runtime environment for the applet. Support for a test class within the test/run program allows the applets to write success, failure, or informational results to an output file and to exit the web browser process when complete. Where a native implementation of the test class is employed, special security permissions need not be specified and the test/run program need not necessarily be run locally. In exiting the web browser process, the applets write a marker file to indicate that the applet run is complete, which the test/run program detects. Multiple applets may be automatically and repetitively loaded, each with a fresh runtime environment in a new web browser application, for testing of the applets or repeat execution of the applets changing system properties.

    摘要翻译: 测试/运行程序作为输入接收引用要测试或运行的小程序的源页面的标识符列表。 测试/运行程序创建一个标识符数组,连同每个标识符的参数,Web浏览器运行测试,以及多次重新加载源页面,并重新运行小程序。 对于每个源页面,并且对于给定源页面的每个重新加载,测试/运行程序启动指定的Web浏览器进程,加载指定的源页面,并为该小程序启动新的运行时环境。 在测试/运行程序中支持测试类允许小程序将成功,失败或信息结果写入输出文件,并在完成时退出Web浏览器进程。 在使用测试类的本地实现的地方,不需要指定特殊的安全权限,并且测试/运行程序不一定必须在本地运行。 在退出Web浏览器进程时,小程序会写入一个标记文件,以指示小程序运行完成,测试/运行程序检测到该文件。 可以自动重复加载多个小应用程序,每个小程序在新的Web浏览器应用程序中具有新的运行时环境,用于测试小程序或重复执行小程序更改系统属性。

    Composite keystore facility apparatus and method therefor
    3.
    发明授权
    Composite keystore facility apparatus and method therefor 失效
    复合密钥仓库设备及其方法

    公开(公告)号:US06934840B2

    公开(公告)日:2005-08-23

    申请号:US09746582

    申请日:2000-12-21

    IPC分类号: H04L9/32 H04L9/00

    CPC分类号: H04L9/3263 H04L2209/56

    摘要: An apparatus and method for managing keystores is implemented. A distributed keystore is established by aggregating individual. The distributed keystore may, be organized in a multi-level structure, which may be associated with an organizational structure of an enterprise, or other predetermined partitioning. Additionally, a centralized management of certificates may be provided, whereby the expiration or revocation of the certificates may be tracked, and expired or revoked certificates may be refreshed. The keystore may be updated in response to one or more update events.

    摘要翻译: 实现用于管理密钥库的设备和方法。 分布式密钥库是通过聚合个体建立的。 分布式密钥库可以被组织在可以与企业的组织结构或其他预定分区相关联的多级结构中。 此外,可以提供证书的集中管理,由此可以跟踪证书的到期或撤销,并且可以刷新过期或撤销的证书。 可以响应于一个或多个更新事件来更新密钥库。

    Notification of modifications to a trusted computing base
    4.
    发明授权
    Notification of modifications to a trusted computing base 有权
    通知可信计算基础的修改

    公开(公告)号:US06961855B1

    公开(公告)日:2005-11-01

    申请号:US09464854

    申请日:1999-12-16

    CPC分类号: G06F21/53 G06F21/552

    摘要: A mechanism that allows enterprise authorities to be informed when security-sensitive decisions or actions have been or are attempting to be made by users of untrusted code executing in the trusted computing base. The mechanism may be implemented as an abstract class that is part of the trusted computing base. The class provides a framework abstract enough to permit multiple possible notifications (e.g., providing an e-mail to a system operator, sending an Simple Network Management Protocol (SNMP) alert, making an entry in an online database, or the like) in the event that a given action is taken by a user of untrusted code. The abstract class may provide a default notification, or the class may be extended to enable an authority to provide its own set of customized notifications.

    摘要翻译: 一种机制,允许企业当局在安全敏感的决策或动作已经或正在尝试由可信计算基础中执行的不受信任的代码的用户进行通知。 该机制可以被实现为作为可信计算基础的一部分的抽象类。 该类提供足够的框架摘要,以允许多个可能的通知(例如,向系统运营商提供电子邮件,发送简单网络管理协议(SNMP)警报,在线数据库中创建条目等) 事件是由不受信任的代码的用户采取给定的动作。 抽象类可以提供默认通知,或者可以扩展该类以使权限能够提供其自己的一组定制通知。

    Determining browser type in an open Java environment
    5.
    发明授权
    Determining browser type in an open Java environment 有权
    在开放的Java环境中确定浏览器类型

    公开(公告)号:US06760912B1

    公开(公告)日:2004-07-06

    申请号:US09366463

    申请日:1999-08-03

    IPC分类号: G06F944

    CPC分类号: G06F9/44526 G06F17/30899

    摘要: A method is provided for determining an identity of a browser in an Java environment in which an intermediary program masks the browser's identity. The method begins by querying an operating system process table for information identifying the browser. Thereafter, a Java properties table including the information from the process table is set. In response to a request from a calling program (e.g., an applet class) for the browser identity, a getProperty method is then called to retrieve the browser identity from the properties table. The browser identity is then returned to the calling program.

    摘要翻译: 提供了一种用于确定Java环境中的浏览器的身份的方法,其中中间程序掩盖了浏览器的身份。 该方法开始于查询操作系统进程表以获取标识浏览器的信息。 此后,设置包括来自进程表的信息的Java属性表。 响应来自用于浏览器标识的调用程序(例如,applet类)的请求,然后调用getProperty方法以从属性表中检索浏览器标识。 然后将浏览器身份返回给调用程序。

    Architecture for denied permissions in Java
    6.
    发明授权
    Architecture for denied permissions in Java 失效
    Java中被拒绝权限的体系结构

    公开(公告)号:US06708276B1

    公开(公告)日:2004-03-16

    申请号:US09366403

    申请日:1999-08-03

    IPC分类号: G06F944

    摘要: An architecture for extending the Java security model to allow a user or administrator to explicitly deny permissions. By itself, the Java 2 security model does not allow additions to the collections of policy permissions after they have been loaded from the Java policy file. The inventive architecture allows Java applets and applications to dynamically prompt the user to deny a permission that does not exist in the Java policy file. If the user denies the permission, the present invention denies the permission for the ProtectionDomain to which the class asking for the permission belongs. Attributes for the denied permission may be set during runtime and saved across browser sessions.

    摘要翻译: 用于扩展Java安全模型以允许用户或管理员明确拒绝权限的体系结构。 自己,Java 2安全模型在从Java策略文件加载后不允许添加策略权限集合。 本发明的架构允许Java小应用程序和应用程序动态地提示用户拒绝Java策略文件中不存在的权限。 如果用户拒绝该权限,则本发明拒绝对请求该权限的类所属的ProtectionDomain的许可。 被拒绝的权限的属性可以在运行时设置并保存在浏览器会话之间。

    Architecture for dynamic permissions in java
    7.
    发明授权
    Architecture for dynamic permissions in java 有权
    java中的动态权限架构

    公开(公告)号:US06526513B1

    公开(公告)日:2003-02-25

    申请号:US09366465

    申请日:1999-08-03

    IPC分类号: G06F1330

    CPC分类号: G06F9/465 G06F21/52

    摘要: An architecture for extending the Java security model to allow a user or administrator to grant permissions dynamically. By itself, the Java 2 security model does not allow additions to the collections of policy permissions after they have been loaded from the Java policy file. The inventive architecture allows Java applets and applications to dynamically prompt the user to grant a permission that does not exist in the Java policy file. If the user grants the permission, the present invention grants the permission for the ProtectionDomain to which the class asking for the permission belongs. Attributes for the dynamic permission may be set during runtime and saved across browser sessions.

    摘要翻译: 用于扩展Java安全模型以允许用户或管理员动态授予权限的体系结构。 自己,Java 2安全模型在从Java策略文件加载后不允许添加策略权限集合。 本发明的架构允许Java小应用程序和应用程序动态地提示用户授予Java策略文件中不存在的权限。 如果用户授予权限,则本发明授予对请求该许可所属的类的ProtectionDomain的许可。 可以在运行时设置动态权限的属性,并在浏览器会话之间进行保存。

    Managing and extending attribute values for public key cryptography standards
    8.
    发明授权
    Managing and extending attribute values for public key cryptography standards 失效
    管理和扩展公钥加密标准的属性值

    公开(公告)号:US06898714B1

    公开(公告)日:2005-05-24

    申请号:US09478307

    申请日:2000-01-06

    IPC分类号: H04L9/00 H04L29/06

    摘要: A method and system for processing PKCS-attributes and user-defined attributes in heterogeneous environment is provided. Attributes are registered with a PKCS9 gateway class, and the attributes include user-defined attributes and PKCS-standard defined attributes. Each of the registered attributes is associatively stored with an identifier. A method in the PKCS9 gateway class may be called with a parameter containing an object identifier for an attribute. An attribute mapping data structure is searched using the object identifier in the received parameter, and in response to finding a matching object identifier, a class identifier that has been associatively stored with the matching object identifier is retrieved from the attribute mapping data structure. A method in the class identified by the class identifier is then called. The called method may include an operation for construction, attribute conversion to and from DER-encoding, attribute differentiation, and attribute value extraction. A class hierarchy of attribute types is based on an abstract class for all attribute objects with a subclass for undefined attributes and a subclass for defined attributes. The subclass for defined attributes is further decomposed into a subclass for each PKCS-defined attribute and a subclass for each user-defined attribute.

    摘要翻译: 提供了一种在异构环境中处理PKCS属性和用户定义属性的方法和系统。 属性注册到PKCS9网关类,属性包括用户定义的属性和PKCS标准定义的属性。 每个注册的属性都与一个标识符相关联地存储。 可以使用包含属性的对象标识符的参数调用PKCS9网关类中的方法。 使用接收到的参数中的对象标识符来搜索属性映射数据结构,并且响应于找到匹配对象标识符,从属性映射数据结构中检索已经与匹配对象标识符相关联地存储的类标识符。 然后调用由类标识符标识的类中的方法。 所谓的方法可以包括用于构造的操作,从DER编码到属性转换,属性分化和属性值提取的属性转换。 属性类型的类层次是基于所有属性对象的抽象类,具有未定义属性的子类和定义属性的子类。 用于定义属性的子类进一步分解为每个PKCS定义属性的子类和每个用户定义属性的子类。

    Method and system for presentation and manipulation of PKCS signed-data objects
    9.
    发明授权
    Method and system for presentation and manipulation of PKCS signed-data objects 失效
    用于呈现和操纵PKCS签名数据对象的方法和系统

    公开(公告)号:US06772341B1

    公开(公告)日:2004-08-03

    申请号:US09460838

    申请日:1999-12-14

    IPC分类号: H04L900

    CPC分类号: G06F21/64

    摘要: A method and system for processing signed data objects in a data processing system is presented. A signed data object utility allows a user to view and edit the contents of data objects embedded within a signed data object via a graphical user interface. Graphical objects represent the data objects embedded within a signed data object. A user may drag and drop objects onto other objects within the signed data object, and the signed data object utility automatically performs the necessary signing operations. Logical associations between data objects contained within the signed data object are determined, and the logical associations are displayed using visual indicators between graphical objects representing the associated data objects. As data objects are added or deleted, the visual indicators are updated to reflect any updates to the logical associations. The user may direct other operations on the signed data object through the graphical user interface.

    摘要翻译: 提出了一种在数据处理系统中处理签名数据对象的方法和系统。 签名的数据对象实用程序允许用户通过图形用户界面查看和编辑嵌入在签名数据对象内的数据对象的内容。 图形对象表示嵌入有符号数据对象中的数据对象。 用户可以将对象拖放到签名数据对象中的其他对象上,并且签名数据对象实用程序自动执行必要的签名操作。 确定包含在有符号数据对象内的数据对象之间的逻辑关联,并且使用表示关联数据对象的图形对象之间的可视指示符来显示逻辑关联。 随着数据对象被添加或删除,视觉指示器被更新以反映逻辑关联的任何更新。 用户可以通过图形用户界面对签名的数据对象引导其他操作。

    Method and system for presentation and manipulation of PKCS enveloped-data objects
    10.
    发明授权
    Method and system for presentation and manipulation of PKCS enveloped-data objects 有权
    用于演示和操纵PKCS包络数据对象的方法和系统

    公开(公告)号:US06914985B1

    公开(公告)日:2005-07-05

    申请号:US09460839

    申请日:1999-12-14

    摘要: A method and system for processing enveloped data objects in a data processing system. The enveloped data object may be formatted as defined by PKCS (Public Key Cryptography Standard) standards. An enveloped data object utility allows a user to view and edit the contents of data objects embedded within an enveloped data object via a graphical user interface. Graphical objects represent the data objects embedded within an enveloped data object. A user may drag and drop objects onto other objects within the enveloped data object, and the enveloped data object utility automatically performs the necessary encrypting operations. Logical associations between data objects contained within the enveloped data object are determined or created, and the logical associations are displayed using visual indicators. As data objects are added or deleted through user actions on the graphical objects, the visual indicators are updated.

    摘要翻译: 一种在数据处理系统中处理包络数据对象的方法和系统。 被包围的数据对象可以按照PKCS(公共密钥加密标准)标准定义。 被包围的数据对象实用程序允许用户通过图形用户界面来查看和编辑嵌入在被包围的数据对象内的数据对象的内容。 图形对象表示嵌入在包络数据对象中的数据对象。 用户可以将对象拖放到被包围的数据对象中的其他对象上,并且被包围的数据对象实用程序自动执行必要的加密操作。 包含在包络数据对象内的数据对象之间的逻辑关联被确定或创建,并且使用可视指示器显示逻辑关联。 当通过图形对象上的用户操作添加或删除数据对象时,可更新视觉指示符。