公开(公告)号：US20080313712A1

公开(公告)日：2008-12-18

申请号：US11764034

申请日：2007-06-15

申请人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

发明人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

IPC分类号： H04L9/32

CPC分类号： H04L63/101 ,  H04L63/0823

摘要： The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.

摘要翻译： 本发明涉及利用证书来管理访问控制的系统和方法。 本文描述的系统和方法旨在将访问控制列表中表示的访问策略映射到一组证书。 该证书集可用于以ACL所描述的方式授予对资源的访问权限。 证书可以分发给实体以用于获取资源访问。 实体可以向资源提供证书，作为获取资源的权利的证据。 顺序ACL的访问逻辑可以转换或映射到一组与订单无关的证书。 特别地，可以分析每个条目，列表中的条目的位置和任何前面的条目。 该分析可用于生成根据ACL中传达的访问策略提供访问权限的独立凭证。

公开(公告)号：US20080301780A1

公开(公告)日：2008-12-04

申请号：US11756393

申请日：2007-05-31

申请人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

发明人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

IPC分类号： G06F17/00

CPC分类号： G06F21/6218

摘要： The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.

摘要翻译： 本发明涉及便于管理组实体以进行访问控制的系统和方法。 使用基组定义负组，其中与基组关联的负组包括未包括在基组中的任何实体。 负组可以使用证书而不是负组成员的显式列表来实现。 证书可以提供负组织成员的证据，并可以提供评估以获得资源。 减法组也可用于管理对资源的访问。 减法组可以定义为第一组的成员，不包括第二组的任何成员。

公开(公告)号：US20080307486A1

公开(公告)日：2008-12-11

申请号：US11761170

申请日：2007-06-11

申请人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

发明人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

IPC分类号： G06F17/00 ,  H04L9/32

CPC分类号： H04L9/3231 ,  H04L9/3263 ,  H04L63/0823 ,  H04L63/102 ,  H04L2209/56

摘要： The subject disclosure pertains to systems and methods that facilitate entity-based for access management. Typically, access to one or more resources is managed based upon identifiers assigned to entities. Groups of identifiers can be assigned to access rights. An authority component can manage an exclusion group that excludes an entity, regardless of the identifier utilized by the entity. Access control components can utilize exclusion groups in access policies to define access rights to a resource.

摘要翻译： 本发明涉及促进基于实体的访问管理的系统和方法。 通常，基于分配给实体的标识符来管理对一个或多个资源的访问。 标识符组可以分配给访问权限。 权限组件可以管理排除实体的排除组，而不管实体使用的标识符。 访问控制组件可以利用访问策略中的排除组来定义资源的访问权限。

公开(公告)号：US08468579B2

公开(公告)日：2013-06-18

申请号：US11764034

申请日：2007-06-15

申请人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

发明人： Carl Melvin Ellison ,  Paul J. Leach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

IPC分类号： G06F21/00

CPC分类号： H04L63/101 ,  H04L63/0823

摘要： The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.

摘要翻译： 本发明涉及利用证书来管理访问控制的系统和方法。 本文描述的系统和方法旨在将访问控制列表中表示的访问策略映射到一组证书。 该证书集可用于以ACL所描述的方式授予对资源的访问权限。 证书可以分发给实体以用于获取资源访问。 实体可以向资源提供证书，作为获取资源的权利的证据。 顺序ACL的访问逻辑可以转换或映射到一组与订单无关的证书。 特别地，可以分析每个条目，列表中的条目的位置和任何前面的条目。 该分析可用于生成根据ACL中传达的访问策略提供访问权限的独立凭证。

公开(公告)号：US07900248B2

公开(公告)日：2011-03-01

申请号：US11756393

申请日：2007-05-31

申请人： Carl Melvin Ellison ,  Paul J. Lach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

发明人： Carl Melvin Ellison ,  Paul J. Lach ,  Butler Wright Lampson ,  Melissa W. Dunn ,  Ravindra Nath Pandya ,  Charles William Kaufman

IPC分类号： G06F17/30

CPC分类号： G06F21/6218

摘要： The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.

摘要翻译： 本发明涉及便于管理组实体以进行访问控制的系统和方法。 使用基组定义负组，其中与基组关联的负组包括未包括在基组中的任何实体。 负组可以使用证书而不是负组成员的显式列表来实现。 证书可以提供负组织成员的证据，并可以提供评估以获得资源。 减法组也可用于管理对资源的访问。 减法组可以定义为第一组的成员，不包括第二组的任何成员。

公开(公告)号：US20080244736A1

公开(公告)日：2008-10-02

申请号：US11694014

申请日：2007-03-30

申请人： Butler Lampson ,  Ravindra Nath Pandya ,  Paul J. Leach ,  Muthukrishnan Paramasivam ,  Carl M. Ellison ,  Charles William Kaufman

发明人： Butler Lampson ,  Ravindra Nath Pandya ,  Paul J. Leach ,  Muthukrishnan Paramasivam ,  Carl M. Ellison ,  Charles William Kaufman

IPC分类号： G06F12/14

CPC分类号： G06F21/604 ,  G06F21/6218

摘要： Access control as it relates to policies or permissions is provided based on a created model. A security policy is abstracted and can be independent of a mechanism used to protect resources. An asbstract model of a potential user, user role and/or resource is created without associating a specific individual and/or resource with a model. These abstract user models and abstract resource models can be used across applications or within disparate applications. The abstracted security policies can be selectively applied to the model. Specific users and/or resources can be associated with one or more abstract user model or abstract resource model. The models can be nested to provide configurations for larger systems.

摘要翻译： 基于创建的模型提供与策略或权限相关的访问控制。 安全策略被抽象出来，可以独立于用于保护资源的机制。 创建潜在用户，用户角色和/或资源的抽象模型，而不将特定个人和/或资源与模型相关联。 这些抽象用户模型和抽象资源模型可以跨应用程序或不同的应用程序使用。 抽象的安全策略可以选择性地应用于模型。 特定用户和/或资源可以与一个或多个抽象用户模型或抽象资源模型相关联。 这些型号可以嵌套，以提供更大系统的配置。

公开(公告)号：US20070283411A1

公开(公告)日：2007-12-06

申请号：US11445778

申请日：2006-06-02

申请人： Muthukrishnan Paramasivam ,  Charles F. Rose ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

发明人： Muthukrishnan Paramasivam ,  Charles F. Rose ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

IPC分类号： H04L9/00

CPC分类号： H04L63/102 ,  G06F21/604 ,  H04L63/20

摘要： Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what is permitted by the access check mechanisms. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query are provided, such as who has access to what resource, built from the policy statements themselves, independent of the access check mechanism that provide access. Access is audited and policy-based reasons for access are provided based on the access control policy.

摘要翻译： 来自访问检查机制的抽象访问控制策略允许使用具有语义的声明性模型，而不是访问检查机制允许的策略的更丰富的表达。 此外，抽象访问控制策略允许在多个访问检查机制之间统一表达策略。 提供任何访问查询的类似原因，例如谁可以访问从策略语句本身构建的什么资源，独立于提供访问的访问检查机制。 访问被审计，基于访问控制策略提供基于策略的访问原因。

公开(公告)号：US07882539B2

公开(公告)日：2011-02-01

申请号：US11445778

申请日：2006-06-02

申请人： Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

发明人： Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

IPC分类号： G06F17/00 ,  H04L29/06

CPC分类号： H04L63/102 ,  G06F21/604 ,  H04L63/20

摘要： Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what is permitted by the access check mechanisms. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query are provided, such as who has access to what resource, built from the policy statements themselves, independent of the access check mechanism that provide access. Access is audited and policy-based reasons for access are provided based on the access control policy.

摘要翻译： 来自访问检查机制的抽象访问控制策略允许使用具有语义的声明性模型，而不是访问检查机制允许的策略的更丰富的表达。 此外，抽象访问控制策略允许在多个访问检查机制之间统一表达策略。 提供任何访问查询的类似原因，例如谁可以访问从策略语句本身构建的什么资源，独立于提供访问的访问检查机制。 访问被审计，基于访问控制策略提供基于策略的访问原因。

公开(公告)号：US07770206B2

公开(公告)日：2010-08-03

申请号：US11077574

申请日：2005-03-11

申请人： Blair Brewster Dillaway ,  Brian LaMacchia ,  Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Ravindra Nath Pandya

发明人： Blair Brewster Dillaway ,  Brian LaMacchia ,  Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Ravindra Nath Pandya

IPC分类号： G06F7/04

CPC分类号： G06F21/62 ,  G06F21/33 ,  G06F2221/2145

摘要： A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requester, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requester. The resource thus knows that the request is based on rights delegated from the first administrator to the requester by way of the second administrator.

摘要翻译： 第一组织的资源提供对第二组织的请求者的访问。 第一个组织的第一个管理员向第二个组织的第二个管理员颁发第一个凭据，包括第二个管理员可以代表第一个管理员向请求者发出第二个凭证的策略。 第二个管理员向请求者发出第二个凭证，包括发出的第一个凭证。 请求者请求从资源的访问，并且包括发出的第一和第二凭证。 该资源验证所发出的第一个凭证将第一个管理员与第二个管理员相关联，并且发出的第二个凭证将第二个管理员与请求者联系起来。 因此，该资源知道该请求基于通过第二管理员从第一管理员委派给请求者的权限。

公开(公告)号：US08619971B2

公开(公告)日：2013-12-31

申请号：US11097697

申请日：2005-04-01

申请人： Thekkthalackal Varugis Kurien ,  Paul England ,  Ravindra Nath Pandya ,  Niels Ferguson

发明人： Thekkthalackal Varugis Kurien ,  Paul England ,  Ravindra Nath Pandya ,  Niels Ferguson

IPC分类号： H04K1/04 ,  H04K1/06

CPC分类号： G06F21/57 ,  G06F9/5077 ,  G06F2221/2149

摘要： Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.

摘要翻译： 系统和方法提供了诸如管理程序之类的隔离技术上托管的多个分区，其中至少一个分区本地安全服务分区（LSSP）为其他分区提供安全服务。 服务分区（LSSP）承载需要严格安全隔离的高保证服务，即使在用户未连接到网络时，也可以跨分区共享服务并进行访问。 LSSP还可以使用由TPM认证身份密钥（AIK）签名的密钥或由管理程序或服务分区安全地保存的其他密钥来证明任何计算的结果。 可以将LSSP配置为提供可信的审核日志，可信的安全扫描，可信密码服务，可信的编译和测试，可信登录服务等。