Abstract:
In a client/server system, a method and apparatus for handling requests for access to a host resource purportedly on behalf of a client from an untrusted application server that may be capable of operating as a “rogue” server. Upon receiving a service request from a client, an untrusted application server creates a new thread within its address space for the client and obtains from the security server a client security context, which is anchored to the task control block (TCB) for that thread. The client security context specifies the client and indicates whether the client is an authenticated client or an unauthenticated client. When the application server makes a request for access to a host resource purportedly on behalf of the client, the security server examines the security context created for the requesting thread. If the client security context indicates that the client is an authenticated client, the security server grants access to the host resource if the client specified in the client security context is authorized to make the requested access to the host resource. If the client security context indicates that the client is an unauthenticated client, the security server grants access to the host resource only if both the client specified in the client security context and the application server are authorized to make the requested access to the host resource.
Abstract:
A system for authenticating a first entity to a second entity and for simultaneously generating a session key for encrypting communications between the entities. The first entity generates an authentication value by encrypting time-dependent information using a long-lived secret key shared by the entities and transmits the authentication value to the second entity. The first entity independently encrypts other time-dependent information using the long-lived key to generate a session key that cannot be derived from the authentication value without the long-lived key. Upon receiving the transmitted authentication value, the second entity checks the transmitted authentication value using the shared long-lived key to determine whether it is valid. If the authentication value is valid, the second entity authenticates the first entity and generates an identical session key from the same shared secret information and time-dependent information. The encrypted time-dependent information is passed through a key weakening function to generate a weakened key which is used as the session key. The key weakening function includes a one-way function to protect the input value from discovery by an attacker who may have ascertained the weakened session key.
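The exchange in the second abstract, as an added Python example that is not code from the patent. HMAC-SHA256 stands in for the encryption step, and the 30-second time step, the `auth`/`session` labels, the 40-bit weakening and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 30      # seconds per time step (assumed)
WEAK_BYTES = 5   # weakened key carries 40 bits of entropy (assumed)


def _keyed(long_lived_key: bytes, label: bytes, step: int) -> bytes:
    # Stand-in for "encrypting time-dependent information" under the
    # shared long-lived key; the label keeps the two outputs independent.
    msg = label + struct.pack(">Q", step)
    return hmac.new(long_lived_key, msg, hashlib.sha256).digest()


def weaken(strong: bytes) -> bytes:
    # One-way step first: learning the weak key must not reveal `strong`.
    reduced = hashlib.sha256(b"weaken" + strong).digest()[:WEAK_BYTES]
    # Expand back to 16 bytes; the entropy stays at 40 bits.
    return hashlib.sha256(b"expand" + reduced).digest()[:16]


def initiate(long_lived_key: bytes, now: float):
    """First entity: returns (authentication value, session key)."""
    step = int(now) // WINDOW
    auth = _keyed(long_lived_key, b"auth", step)
    return auth, weaken(_keyed(long_lived_key, b"session", step))


def verify_and_derive(long_lived_key: bytes, received: bytes,
                      now: float, skew_steps: int = 1):
    """Second entity: returns the session key, or None if invalid."""
    step = int(now) // WINDOW
    for s in range(step - skew_steps, step + skew_steps + 1):
        expected = _keyed(long_lived_key, b"auth", s)
        if hmac.compare_digest(received, expected):
            return weaken(_keyed(long_lived_key, b"session", s))
    return None  # wrong key, altered value, or outside the time window


if __name__ == "__main__":
    key = b"constructed-long-lived-key"   # constructed sample secret
    auth, k1 = initiate(key, 1_000_000)
    k2 = verify_and_derive(key, auth, 1_000_020)
    print("accepted:", k2 is not None, "keys match:", k1 == k2)
```

Only the authentication value crosses the wire; the session key is computed separately on each side, and the accepted time step bounds how long a captured authentication value remains valid.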