-
Publication No.: US07757275B2
Publication date: 2010-07-13
Application No.: US11153631
Filing date: 2005-06-15
CPC classification: H04L9/3247, H04L9/083, H04L9/0863, H04L9/3213, H04L63/0807, H04L63/0838
Abstract: A domain controller (DC) side plugin supports one-time passwords natively in Kerberos. Part of the key material is static and the other part is dynamic, thereby leveraging properties unique to each to securely support one-time passwords in an operating system. The user is permitted to type the one-time passcode into a logon user interface. Rather than calling the SAM APIs to get the static passwords, vendors may register callbacks on the DC to plug in their algorithm. These callback functions return the dynamically calculated passcodes for the user at a specific point in time. This passcode is then treated as a normal password by the DC.
-
Publication No.: US07434253B2
Publication date: 2008-10-07
Application No.: US11181525
Filing date: 2005-07-14
Applicant: Christopher J. Crall, Gennady Medvinsky, Joshua Ball, Karthik Jaganathan, Paul J. Leach, Liqiang Zhu, David B. Cross
Inventors: Christopher J. Crall, Gennady Medvinsky, Joshua Ball, Karthik Jaganathan, Paul J. Leach, Liqiang Zhu, David B. Cross
CPC classification: H04L9/3263, H04L9/3273, H04L63/0807, H04L63/0823, H04L63/0876, H04L63/10, H04L63/166
Abstract: A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the domain/user name information of a client to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user when he logs in. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding. Existing protocols may be extended to communicate the additional mapping information (the hint) to perform the binding. A vendor-specific extension to Kerberos is defined to obtain the authorization data based on an X.509 certificate and the mapping user name hint.
-
Publication No.: US09118672B2
Publication date: 2015-08-25
Application No.: US12965445
Filing date: 2010-12-10
Applicant: Mark Fishel Novak, Paul J. Leach, Liqiang Zhu, Paul J. Miller, Alexandru Hanganu, Yi Zeng, Jeremy Dominic Viegas, K. Michiko Short
Inventors: Mark Fishel Novak, Paul J. Leach, Liqiang Zhu, Paul J. Miller, Alexandru Hanganu, Yi Zeng, Jeremy Dominic Viegas, K. Michiko Short
CPC classification: H04L63/0884, H04L9/3213, H04L63/0807
Abstract: A client can communicate with a middle tier, which can then, in turn, communicate with a back-end tier to access information and resources on behalf of the client within the context of a system that can scale well. Each individual back end can establish a policy that defines which computing device can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy or, if the domain controller is in a different domain than the targeted back end, direct the middle tier to a domain controller in that other domain and sign relevant information that the middle tier can utilize when communicating with that other domain controller.
-
Publication No.: US08555069B2
Publication date: 2013-10-08
Application No.: US12399615
Filing date: 2009-03-06
IPC classification: H04L29/06
CPC classification: H04L9/3271, H04L9/3234, H04L63/0428, H04W12/06
Abstract: Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a version of it cryptographically signed with the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a predetermined or random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered authenticated on the basis of the prior authentication. If any aspect of the fast re-authentication fails, recourse can be had to the original full authentication process.
-
Publication No.: US20120131661A1
Publication date: 2012-05-24
Application No.: US12965445
Filing date: 2010-12-10
Applicant: Mark Fishel Novak, Paul J. Leach, Liqiang Zhu, Paul J. Miller, Alexandru Hanganu, Yi Zeng, Jeremy Dominic Viegas, K. Michiko Short
Inventors: Mark Fishel Novak, Paul J. Leach, Liqiang Zhu, Paul J. Miller, Alexandru Hanganu, Yi Zeng, Jeremy Dominic Viegas, K. Michiko Short
IPC classification: G06F15/16
CPC classification: H04L63/0884, H04L9/3213, H04L63/0807
Abstract: A client can communicate with a middle tier, which can then, in turn, communicate with a back-end tier to access information and resources on behalf of the client within the context of a system that can scale well. Each individual back end can establish a policy that defines which computing device can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy or, if the domain controller is in a different domain than the targeted back end, direct the middle tier to a domain controller in that other domain and sign relevant information that the middle tier can utilize when communicating with that other domain controller.
-
Publication No.: US20080022368A1
Publication date: 2008-01-24
Application No.: US11450597
Filing date: 2006-06-09
Applicant: Scott A. Field, Liqiang Zhu, Peter T. Brundrett, Paul J. Leach
Inventors: Scott A. Field, Liqiang Zhu, Peter T. Brundrett, Paul J. Leach
IPC classification: H04L9/32
CPC classification: H04L63/102
Abstract: Remote administrative privileges in a distributed system are disabled by default. To administer a remote system, express action is taken to elevate a user's status to obtain remote administrative privileges. When local and remote systems communicate, information pertaining to the status of the logged-on user is included in the communications. If the user wishes to legitimately administer a remote system, the user provides an explicit request, which is then processed. If the user is configured as an administrator of the remote system and the request contains an indication that the user's administrative status has been elevated, an authorization token is generated. The authorization token is utilized by the remote system to allow the user to administer the remote system.
-
Publication No.: US07757281B2
Publication date: 2010-07-13
Application No.: US11450597
Filing date: 2006-06-09
Applicant: Scott A. Field, Liqiang Zhu, Peter T. Brundrett, Paul J. Leach
Inventors: Scott A. Field, Liqiang Zhu, Peter T. Brundrett, Paul J. Leach
IPC classification: G06F7/04
CPC classification: H04L63/102
Abstract: Remote administrative privileges in a distributed system are disabled by default. To administer a remote system, express action is taken to elevate a user's status to obtain remote administrative privileges. When local and remote systems communicate, information pertaining to the status of the logged-on user is included in the communications. If the user wishes to legitimately administer a remote system, the user provides an explicit request, which is then processed. If the user is configured as an administrator of the remote system and the request contains an indication that the user's administrative status has been elevated, an authorization token is generated. The authorization token is utilized by the remote system to allow the user to administer the remote system.
-
Publication No.: US08132246B2
Publication date: 2012-03-06
Application No.: US12038736
Filing date: 2008-02-27
Applicant: Cristian Ilac, Paul J. Leach, Tarek B. Kamel, Liqiang Zhu
Inventors: Cristian Ilac, Paul J. Leach, Tarek B. Kamel, Liqiang Zhu
CPC classification: H04L9/3213, H04L9/0822, H04L9/0833
Abstract: An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs, where each pair includes a name associated with a member of a group and a copy of the dynamic group key encrypted for decryption by a key possessed by that member of the group; decryption of an encrypted dynamic group key allows decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.
-
Publication No.: US20100228982A1
Publication date: 2010-09-09
Application No.: US12399615
Filing date: 2009-03-06
IPC classification: H04L9/32
CPC classification: H04L9/3271, H04L9/3234, H04L63/0428, H04W12/06
Abstract: Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a version of it cryptographically signed with the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a predetermined or random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered authenticated on the basis of the prior authentication. If any aspect of the fast re-authentication fails, recourse can be had to the original full authentication process.
-
Publication No.: US20090217029A1
Publication date: 2009-08-27
Application No.: US12038736
Filing date: 2008-02-27
Applicant: Cristian Ilac, Paul J. Leach, Tarek B. Kamel, Liqiang Zhu
Inventors: Cristian Ilac, Paul J. Leach, Tarek B. Kamel, Liqiang Zhu
IPC classification: H04L9/06
CPC classification: H04L9/3213, H04L9/0822, H04L9/0833
Abstract: An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs, where each pair includes a name associated with a member of a group and a copy of the dynamic group key encrypted for decryption by a key possessed by that member of the group; decryption of an encrypted dynamic group key allows decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.
-