1. Kerberos ticket virtualization for network load balancers
    Granted patent (legal status: in force)

    Publication number: US08132246B2

    Publication date: 2012-03-06

    Application number: US12038736

    Filing date: 2008-02-27

    Abstract: An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs, where each pair includes a name associated with a member of a group and an encrypted copy of the dynamic group key for decryption by a key possessed by that member; decryption of an encrypted dynamic group key allows decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.


2. KERBEROS TICKET VIRTUALIZATION FOR NETWORK LOAD BALANCERS
    Patent application (legal status: in force)

    Publication number: US20090217029A1

    Publication date: 2009-08-27

    Application number: US12038736

    Filing date: 2008-02-27

    IPC class: H04L9/06

    Abstract: An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs, where each pair includes a name associated with a member of a group and an encrypted copy of the dynamic group key for decryption by a key possessed by that member; decryption of an encrypted dynamic group key allows decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.


3. ADVANCED SECURITY NEGOTIATION PROTOCOL
    Patent application (legal status: in force)

    Publication number: US20090328140A1

    Publication date: 2009-12-31

    Application number: US12147054

    Filing date: 2008-06-26

    IPC class: G06F21/00

    Abstract: This disclosure describes methods, systems and application programming interfaces for creating an advanced security negotiation package. It describes creating an advanced security negotiation protocol under the Simple and Protected Negotiation Mechanism (SPNEGO) protocol to negotiate an authentication scheme. The protocol defines a Windows Security Type (WST) Library message to protect negotiation data during the advanced security negotiation. It sends an initial message that carries multiple authentication messages to reduce redundant round trips, and implements key exchanges by a mini Security Support Provider (SSP).


4. Native Use Of Web Service Protocols And Claims In Server Authentication
    Patent application (legal status: in force)

    Publication number: US20080301784A1

    Publication date: 2008-12-04

    Application number: US11755968

    Filing date: 2007-05-31

    IPC class: G06F7/04

    Abstract: Architecture for natively authenticating a client application to a web server via HTTP authentication. The Web Services Architecture, and more specifically Web Services Security, is leveraged to let legacy applications access web services transparently, without changes to those applications. A security support provider (SSP) is created that employs WS-* protocols to at least emulate WS-Trust and WS-MEX, thereby enabling policy exchange via an HTTP protocol stack. Policy can be exchanged via a WWW-Authenticate header, enabling legacy applications to use the WS-* family of protocols without modifying the client application. The WS-* protocols are abstracted into a generic programming interface for native client application use.


5. Native use of web service protocols and claims in server authentication
    Granted patent (legal status: in force)

    Publication number: US08528058B2

    Publication date: 2013-09-03

    Application number: US11755968

    Filing date: 2007-05-31

    IPC class: H04L29/06

    Abstract: Architecture for natively authenticating a client application to a web server via HTTP authentication. The Web Services Architecture, and more specifically Web Services Security, is leveraged to let legacy applications access web services transparently, without changes to those applications. A security support provider (SSP) is created that employs WS-* protocols to at least emulate WS-Trust and WS-MEX, thereby enabling policy exchange via an HTTP protocol stack. Policy can be exchanged via a WWW-Authenticate header, enabling legacy applications to use the WS-* family of protocols without modifying the client application. The WS-* protocols are abstracted into a generic programming interface for native client application use.


6. Advanced security negotiation protocol
    Granted patent (legal status: in force)

    Publication number: US08799630B2

    Publication date: 2014-08-05

    Application number: US12147054

    Filing date: 2008-06-26

    IPC class: G06F21/00

    Abstract: This disclosure describes methods, systems and application programming interfaces for creating an advanced security negotiation package. It describes creating an advanced security negotiation protocol under the Simple and Protected Negotiation Mechanism (SPNEGO) protocol to negotiate an authentication scheme. The protocol defines a Windows Security Type (WST) Library message to protect negotiation data during the advanced security negotiation. It sends an initial message that carries multiple authentication messages to reduce redundant round trips, and implements key exchanges by a mini Security Support Provider (SSP).


7. Privilege restriction enforcement in a distributed system
    Granted patent (legal status: in force)

    Publication number: US07757281B2

    Publication date: 2010-07-13

    Application number: US11450597

    Filing date: 2006-06-09

    IPC class: G06F7/04

    CPC class: H04L63/102

    Abstract: Remote administrative privileges in a distributed system are disabled by default. To administer a remote system, express action is taken to elevate a user's status to obtain remote administrative privileges. When local and remote systems communicate, information about the status of the logged-on user is included in the communications. If the user wishes to legitimately administer a remote system, the user provides an explicit request, which is processed. If the user is configured as an administrator of the remote system and the request indicates that the user's administrative status has been elevated, an authorization token is generated. The remote system uses the authorization token to allow the user to administer it.


8. User mapping information extension for protocols
    Granted patent (legal status: in force)

    Publication number: US07434253B2

    Publication date: 2008-10-07

    Application number: US11181525

    Filing date: 2005-07-14

    IPC classes: H04L9/32, H04L9/00

    Abstract: A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the client's domain/user name information to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user at login. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding. Existing protocols may be extended to communicate the additional mapping information (the hint) to perform the binding. A vendor-specific extension to Kerberos is defined to obtain the authorization data based on an X.509 certificate and the mapping user name hint.


9. FAST-RECONNECTION OF NEGOTIABLE AUTHENTICATION NETWORK CLIENTS
    Patent application (legal status: in force)

    Publication number: US20100228982A1

    Publication date: 2010-09-09

    Application number: US12399615

    Filing date: 2009-03-06

    IPC class: H04L9/32

    Abstract: Modern network communications often require a client application requesting data to authenticate itself to the application providing the data. Such authentication requests can be redundant, especially with stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a version of it cryptographically signed with the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a predetermined or random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered authenticated on the basis of the prior authentication. If any aspect of the fast re-authentication fails, recourse can be had to the original full authentication process.


10. Back-end constrained delegation model
    Granted patent (legal status: in force)

    Publication number: US09118672B2

    Publication date: 2015-08-25

    Application number: US12965445

    Filing date: 2010-12-10

    IPC classes: G06F7/04, H04L29/06, H04L9/32

    Abstract: A client can communicate with a middle tier, which in turn communicates with a back-end tier to access information and resources on behalf of the client, within a system that scales well. Each individual back end can establish a policy that defines which computing devices can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy or, if it is in a different domain than the targeted back end, direct the middle tier to a domain controller in that other domain and sign relevant information that the middle tier can use when communicating with it.
