Policy driven, credential delegation for single sign on and secure access to network resources
    1.
    发明授权
    Policy driven, credential delegation for single sign on and secure access to network resources 有权
    政策驱动,凭据授权单点登录和安全访问网络资源

    公开(公告)号:US07913084B2

    公开(公告)日:2011-03-22

    申请号:US11441588

    申请日:2006-05-26

    IPC分类号: H04L9/32

    摘要: A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

    摘要翻译: 提供了一种凭证安全支持提供者(Cred SSP),使任何应用程序能够通过客户端安全支持提供商(SSP)软件将客户端的凭据安全地委派给目标服务器,通过网络计算中的服务器端SSP软件 环境。 本发明的Cred SSP提供了一种安全解决方案,该解决方案部分地基于一组策略,包括针对广泛的攻击的安全性的默认策略,其用于控制​​和限制从客户机委派用户凭证 到服务器。 这些策略可以用于任何类型的用户凭证,并且不同的策略被设计为减轻广泛的攻击,从而可以针对给定的授权情况,网络条件,信任级别等进行适当的委托。此外,只有可信的子系统,例如 ,本地安全机构(LSA)的受信任的子系统可以访问明文凭据,使得服务器端的Cred SSP API的呼叫应用程序和客户端的Cred SSP API的呼叫应用都不具有访问权 清除文本凭据。

    Policy driven, credential delegation for single sign on and secure access to network resources
    2.
    发明申请
    Policy driven, credential delegation for single sign on and secure access to network resources 有权
    政策驱动,凭据授权单点登录和安全访问网络资源

    公开(公告)号:US20070277231A1

    公开(公告)日:2007-11-29

    申请号:US11441588

    申请日:2006-05-26

    IPC分类号: H04L9/32

    摘要: A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

    摘要翻译: 提供了一种凭证安全支持提供者(Cred SSP),使任何应用程序能够通过客户端安全支持提供商(SSP)软件将客户端的凭据安全地委派给目标服务器,通过网络计算中的服务器端SSP软件 环境。 本发明的Cred SSP提供了一种安全解决方案,该解决方案部分地基于一组策略,包括针对广泛的攻击的安全性的默认策略,其用于控制​​和限制从客户机委派用户凭证 到服务器。 这些策略可以用于任何类型的用户凭证,并且不同的策略被设计为减轻广泛的攻击,从而可以针对给定的授权情况,网络条件,信任级别等进行适当的委托。此外,只有可信的子系统,例如 ,本地安全机构(LSA)的受信任的子系统可以访问明文凭据,使得服务器端的Cred SSP API的呼叫应用程序和客户端的Cred SSP API的呼叫应用都不具有访问权 清除文本凭据。

    Native use of web service protocols and claims in server authentication
    3.
    发明授权
    Native use of web service protocols and claims in server authentication 有权
    在服务器认证中本机使用Web服务协议和声明

    公开(公告)号:US08528058B2

    公开(公告)日:2013-09-03

    申请号:US11755968

    申请日:2007-05-31

    IPC分类号: H04L29/06

    摘要: Architecture for natively authenticating a client application to a web server via HTTP authentication. The Web Services Architecture, and more specifically, Web Services Security, is leveraged to enable legacy applications to access web services transparently to the existing legacy applications. A security support provider (SSP) is created that employs WS-* protocol to at least emulate ws-trust and ws-mex thereby enabling policy exchange via an HTTP protocol stack. Policy can be exchanged via a WWW-Authenticate header enabling legacy applications to use the WS-* family of protocols without modifying the client application. The WS-* protocols are abstracted into a generic programming interface for native client application use.

    摘要翻译: 通过HTTP认证将客户端应用程序本地验证到Web服务器的体系结构。 Web服务体系结构,更具体地说,Web服务安全性是有利于使传统应用程序能够透明地访问现有的遗留应用程序的Web服务。 创建了一个安全支持提供程序(SSP),它使用WS- *协议来至少模拟ws-trust和ws-mex,从而通过HTTP协议栈实现策略交换。 可以通过WWW-Authenticate标头来交换策略,使得遗留应用程序能够使用WS- *系列协议,而无需修改客户端应用程序。 将WS- *协议抽象为通用编程接口,用于本机客户机应用程序的使用。

    Native Use Of Web Service Protocols And Claims In Server Authentication
    5.
    发明申请
    Native Use Of Web Service Protocols And Claims In Server Authentication 有权
    在服务器认证中本地使用Web服务协议和声明

    公开(公告)号:US20080301784A1

    公开(公告)日:2008-12-04

    申请号:US11755968

    申请日:2007-05-31

    IPC分类号: G06F7/04

    摘要: Architecture for natively authenticating a client application to a web server via HTTP authentication. The Web Services Architecture, and more specifically, Web Services Security, is leveraged to enable legacy applications to access web services transparently to the existing legacy applications. A security support provider (SSP) is created that employs WS-* protocol to at least emulate ws-trust and ws-mex thereby enabling policy exchange via an HTTP protocol stack. Policy can be exchanged via a WWW-Authenticate header enabling legacy applications to use the WS-* family of protocols without modifying the client application. The WS-* protocols are abstracted into a generic programming interface for native client application use.

    摘要翻译: 通过HTTP认证将客户端应用程序本地验证到Web服务器的体系结构。 Web服务体系结构,更具体地说,Web服务安全性是有利于使传统应用程序能够透明地访问现有的遗留应用程序的Web服务。 创建了一个安全支持提供程序(SSP),它使用WS- *协议来至少模拟ws-trust和ws-mex,从而通过HTTP协议栈实现策略交换。 可以通过WWW-Authenticate标头来交换策略,使得遗留应用程序能够使用WS- *系列协议,而无需修改客户端应用程序。 将WS- *协议抽象为通用编程接口,用于本机客户机应用程序的使用。

    Kerberos ticket virtualization for network load balancers
    7.
    发明授权
    Kerberos ticket virtualization for network load balancers 有权
    网络负载均衡器的Kerberos票证虚拟化

    公开(公告)号:US08132246B2

    公开(公告)日:2012-03-06

    申请号:US12038736

    申请日:2008-02-27

    摘要: An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs where each pair includes a name associated with a member of a group and an encrypted the dynamic group key for decryption by a key possessed by the member of the group where decryption of an encrypted dynamic group key allows for decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.

    摘要翻译: 用于Kerberos协议的示例性组票包括用动态组密钥和多个包络对加密的服务票据,其中每对包括与组的成员相关联的名称,以及加密的动态组密钥,用于通过所拥有的密钥进行解密 由加密的动态组密钥的解密允许解密服务票据的组的成员。 还公开了其它示例性方法,系统等。

    KERBEROS TICKET VIRTUALIZATION FOR NETWORK LOAD BALANCERS
    8.
    发明申请
    KERBEROS TICKET VIRTUALIZATION FOR NETWORK LOAD BALANCERS 有权
    KERBEROS网络虚拟化网络负载均衡器

    公开(公告)号:US20090217029A1

    公开(公告)日:2009-08-27

    申请号:US12038736

    申请日:2008-02-27

    IPC分类号: H04L9/06

    摘要: An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs where each pair includes a name associated with a member of a group and an encrypted the dynamic group key for decryption by a key possessed by the member of the group where decryption of an encrypted dynamic group key allows for decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.

    摘要翻译: 用于Kerberos协议的示例性组票包括用动态组密钥和多个包络对加密的服务票据,其中每对包括与组的成员相关联的名称,以及加密的动态组密钥,用于通过所拥有的密钥进行解密 由加密的动态组密钥的解密允许解密服务票据的组的成员。 还公开了其它示例性方法,系统等。

    ADVANCED SECURITY NEGOTIATION PROTOCOL
    9.
    发明申请
    ADVANCED SECURITY NEGOTIATION PROTOCOL 有权
    高级安全谈判协议

    公开(公告)号:US20090328140A1

    公开(公告)日:2009-12-31

    申请号:US12147054

    申请日:2008-06-26

    IPC分类号: G06F21/00

    摘要: This disclosure describes methods, systems and application programming interfaces for creating an advanced security negotiation package. This disclosure describes creating an advanced security negotiation protocol under a Simple and Protected Negotiation Mechanism (SPNEGO) protocol to negotiate an authentication scheme. The protocol describes defining a Windows Security Type (WST) Library message to protect negotiation data during the advanced security negotiation protocol. The protocol sends an initial message that carries multiple authentication messages to reduce redundant roundtrips and implements key exchanges by a mini Security Support Provider (SSP).

    摘要翻译: 本公开描述了用于创建高级安全协商包的方法,系统和应用程序编程接口。 本公开描述了在简单和受保护的协商机制(SPNEGO)协议下创建高级安全协商协议以协商认证方案。 该协议描述了在高级安全协商协议期间定义Windows安全类型(WST)库消息以保护协商数据。 该协议发送一个携带多个认证消息的初始消息,以减少冗余往返,并通过小型安全支持提供商(SSP)实现密钥交换。

    Interoperable credential gathering and access modularity
    10.
    发明授权
    Interoperable credential gathering and access modularity 有权
    可互操作的凭证采集和访问模块化

    公开(公告)号:US07577659B2

    公开(公告)日:2009-08-18

    申请号:US10693585

    申请日:2003-10-24

    IPC分类号: G06F7/00 G06F17/30

    摘要: A credential is translated with one of different credential provider modules each translating a corresponding different type of credential into a common protocol. The translated credential is communicated through an API to a logon UI module to an operating system (OS) of a local machine. An OS logon module is called by the logon UI module to authenticate the translated credential against a credential database. A user identified by the translated credential is logged on to access the local machine when the authentication is successful. The credential can also be used with a selection received from the logon UI module via a corresponding one of different pre-log access provider (PLAP) modules that each communicate with the API. The API establishes a network session with an access service specified by the selected PLAP module when the credential is authenticated with the credential database.

    摘要翻译: 用不同凭证提供者模块之一翻译凭证,每个凭证提供者模块将相应的不同类型的凭证翻译成公共协议。 翻译的凭证通过API传送到登录UI模块到本地机器的操作系统(OS)。 登录UI模块调用操作系统登录模块,以根据凭据数据库验证转换的凭据。 当认证成功时,由登录的凭证登录的用户访问本地计算机。 证书还可以与从登录UI模块通过每个与API进行通信的不同预登录访问提供程序(PLAP)模块中的相应一个模块接收到的选择一起使用。 当凭证凭证凭证数据库进行身份验证时,API与所选择的PLAP模块指定的访问服务建立网络会话。