公开(公告)号：US20070277231A1

公开(公告)日：2007-11-29

申请号：US11441588

申请日：2006-05-26

申请人： Gennady Medvinsky ,  Cristian Ilac ,  Costin Hagiu ,  John E. Parsons ,  Mohamed Emad El Din Fathalla ,  Paul J. Leach ,  Tarek Buhaa El-Din Mahmoud Kamel

发明人： Gennady Medvinsky ,  Cristian Ilac ,  Costin Hagiu ,  John E. Parsons ,  Mohamed Emad El Din Fathalla ,  Paul J. Leach ,  Tarek Buhaa El-Din Mahmoud Kamel

IPC分类号： H04L9/32

CPC分类号： H04L63/0815 ,  H04L9/3273 ,  H04L63/20 ,  H04L2209/80

摘要： A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

摘要翻译： 提供了一种凭证安全支持提供者（Cred SSP），使任何应用程序能够通过客户端安全支持提供商（SSP）软件将客户端的凭据安全地委派给目标服务器，通过网络计算中的服务器端SSP软件 环境。 本发明的Cred SSP提供了一种安全解决方案，该解决方案部分地基于一组策略，包括针对广泛的攻击的安全性的默认策略，其用于控制​​和限制从客户机委派用户凭证 到服务器。 这些策略可以用于任何类型的用户凭证，并且不同的策略被设计为减轻广泛的攻击，从而可以针对给定的授权情况，网络条件，信任级别等进行适当的委托。此外，只有可信的子系统，例如 ，本地安全机构（LSA）的受信任的子系统可以访问明文凭据，使得服务器端的Cred SSP API的呼叫应用程序和客户端的Cred SSP API的呼叫应用都不具有访问权 清除文本凭据。

公开(公告)号：US07913084B2

公开(公告)日：2011-03-22

申请号：US11441588

申请日：2006-05-26

申请人： Gennady Medvinsky ,  Cristian Ilac ,  Costin Hagiu ,  John E. Parsons ,  Mohamed Emad El Din Fathalla ,  Paul J. Leach ,  Tarek Bahaa El-Din Mahmoud Kamel

发明人： Gennady Medvinsky ,  Cristian Ilac ,  Costin Hagiu ,  John E. Parsons ,  Mohamed Emad El Din Fathalla ,  Paul J. Leach ,  Tarek Bahaa El-Din Mahmoud Kamel

IPC分类号： H04L9/32

CPC分类号： H04L63/0815 ,  H04L9/3273 ,  H04L63/20 ,  H04L2209/80

摘要： A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

摘要翻译： 提供了一种凭证安全支持提供者（Cred SSP），使任何应用程序能够通过客户端安全支持提供商（SSP）软件将客户端的凭据安全地委派给目标服务器，通过网络计算中的服务器端SSP软件 环境。 本发明的Cred SSP提供了一种安全解决方案，该解决方案部分地基于一组策略，包括针对广泛的攻击的安全性的默认策略，其用于控制​​和限制从客户机委派用户凭证 到服务器。 这些策略可以用于任何类型的用户凭证，并且不同的策略被设计为减轻广泛的攻击，从而可以针对给定的授权情况，网络条件，信任级别等进行适当的委托。此外，只有可信的子系统，例如 ，本地安全机构（LSA）的受信任的子系统可以访问明文凭据，使得服务器端的Cred SSP API的呼叫应用程序和客户端的Cred SSP API的呼叫应用都不具有访问权 清除文本凭据。

公开(公告)号：US09038162B2

公开(公告)日：2015-05-19

申请号：US13532593

申请日：2012-06-25

申请人： Costin Hagiu ,  Elton Saul ,  Rajneesh Mahajan ,  Sergey A. Kuzin ,  Joy Chik ,  John E. Parsons ,  Ashwin Palekar ,  Ara Bernardi

发明人： Costin Hagiu ,  Elton Saul ,  Rajneesh Mahajan ,  Sergey A. Kuzin ,  Joy Chik ,  John E. Parsons ,  Ashwin Palekar ,  Ara Bernardi

IPC分类号： G06F21/00 ,  H04L29/06 ,  G06F21/42 ,  G06F21/60 ,  H04L29/08

CPC分类号： H04L63/0823 ,  G06F21/42 ,  G06F21/606 ,  G06F2221/2107 ,  H04L67/14 ,  H04L67/141

摘要： Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.

摘要翻译： 本发明的实施方式至少部分地通过在连接建立阶段早期认证客户端和服务器来有效地建立客户端和服务器之间的安全连接。 发起与服务器的连接的客户端识别在客户端启用的安全通信协议，并在发送到服务器的连接请求中识别这些协议。 服务器处理消息并使用其认为适合连接的通信协议进行响应。 然后，客户端和服务器交换适当的认证信息，然后建立实现所选通信协议的连接会话，并使用协商的通信协议加密消息。 其他实现涉及在虚拟因特网协议地址之后重新建立丢弃的连接，而不必重新承担大量的连接资源开销。

公开(公告)号：US08220042B2

公开(公告)日：2012-07-10

申请号：US11354456

申请日：2006-02-15

申请人： Costin Hagiu ,  Elton Saul ,  Rajneesh Mahajan ,  Sergey A. Kuzin ,  Joy Chik ,  John E. Parsons ,  Ashwin Palekar ,  Ara Bernardi

发明人： Costin Hagiu ,  Elton Saul ,  Rajneesh Mahajan ,  Sergey A. Kuzin ,  Joy Chik ,  John E. Parsons ,  Ashwin Palekar ,  Ara Bernardi

IPC分类号： G06F9/00

CPC分类号： H04L63/0823 ,  G06F21/42 ,  G06F21/606 ,  G06F2221/2107 ,  H04L67/14 ,  H04L67/141

摘要： Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.

摘要翻译： 本发明的实施方式至少部分地通过在连接建立阶段早期认证客户端和服务器来有效地建立客户端和服务器之间的安全连接。 发起与服务器的连接的客户端识别在客户端启用的安全通信协议，并在发送到服务器的连接请求中识别这些协议。 服务器处理消息并使用其认为适合连接的通信协议进行响应。 然后，客户端和服务器交换适当的认证信息，然后建立实现所选通信协议的连接会话，并使用协商的通信协议加密消息。 其他实现涉及在虚拟因特网协议地址之后重新建立丢弃的连接，而不必重新承担大量的连接资源开销。

公开(公告)号：US20120266214A1

公开(公告)日：2012-10-18

申请号：US13532593

申请日：2012-06-25

申请人： Costin Hagiu ,  Elton Saul ,  Rajneesh Mahajan ,  Sergey A. Kuzin ,  Joy Chik ,  John E. Parsons ,  Ashwin Palekar ,  Ara Bernardi

发明人： Costin Hagiu ,  Elton Saul ,  Rajneesh Mahajan ,  Sergey A. Kuzin ,  Joy Chik ,  John E. Parsons ,  Ashwin Palekar ,  Ara Bernardi

IPC分类号： G06F21/00

CPC分类号： H04L63/0823 ,  G06F21/42 ,  G06F21/606 ,  G06F2221/2107 ,  H04L67/14 ,  H04L67/141

摘要： Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.

摘要翻译： 本发明的实施方式至少部分地通过在连接建立阶段早期认证客户端和服务器来有效地建立客户端和服务器之间的安全连接。 发起与服务器的连接的客户端识别在客户端启用的安全通信协议，并在发送到服务器的连接请求中识别这些协议。 服务器处理消息并使用其认为适合连接的通信协议进行响应。 然后，客户端和服务器交换适当的认证信息，然后建立实现所选通信协议的连接会话，并使用协商的通信协议加密消息。 其他实现涉及在虚拟因特网协议地址之后重新建立丢弃的连接，而不必重新承担大量的连接资源开销。

公开(公告)号：US08180905B2

公开(公告)日：2012-05-15

申请号：US12331298

申请日：2008-12-09

申请人： Wilhelm R. Schmieder ,  Nelamangal Krishnaswamy Srinivas ,  Costin Hagiu ,  Nadim Y. Abdo ,  Vladimir K. Stoyanov ,  Ahmed M. Tolba ,  Gautam Swaminathan ,  Srinivasa Reddy Neerudu

发明人： Wilhelm R. Schmieder ,  Nelamangal Krishnaswamy Srinivas ,  Costin Hagiu ,  Nadim Y. Abdo ,  Vladimir K. Stoyanov ,  Ahmed M. Tolba ,  Gautam Swaminathan ,  Srinivasa Reddy Neerudu

IPC分类号： G06F15/16 ,  G06F15/173

CPC分类号： G06F9/545

摘要： Techniques are disclosed for a user-mode based remote desktop protocol (RDP) encoding architecture. A user mode desktop application and user mode virtual channel application run in user-mode session space. Virtual channel data from the virtual channel application is marshaled and sent to a RDP encoder process in user-mode system space. There it is converted to RDP protocol data units (PDU) and sent to a remote client across a communications network. Graphics data from the desktop application is sent to a display driver in kernel-mode session space and then to a graphics reflector that marshals the graphics data and sends it to the RDP encoder for a similar transformation.

摘要翻译： 公开了基于用户模式的远程桌面协议（RDP）编码架构的技术。 用户模式桌面应用程序和用户模式虚拟通道应用程序在用户模式会话空间中运行。 来自虚拟通道应用的虚拟通道数据被封送并发送到用户模式系统空间中的RDP编码器进程。 它被转换成RDP协议数据单元（PDU），并通过通信网络发送到远程客户端。 来自桌面应用程序的图形数据被发送到内核模式会话空间中的显示驱动程序，然后发送到图形反射器，该图形反射器用于编排图形数据并将其发送到RDP编码器进行类似的转换。

公开(公告)号：US07548547B2

公开(公告)日：2009-06-16

申请号：US11394887

申请日：2006-03-31

申请人： Makarand V. Patwardhan ,  Nadim Abdo ,  Mahesh S. Lotlikar ,  Hammad Butt ,  Costin Hagiu

发明人： Makarand V. Patwardhan ,  Nadim Abdo ,  Mahesh S. Lotlikar ,  Hammad Butt ,  Costin Hagiu

IPC分类号： H04L1/00

CPC分类号： H04L47/10 ,  H04L47/19 ,  H04L47/2433 ,  H04L47/30

摘要： The present invention extends to methods, systems, and computer program products for controlling the transfer of terminal server data. In some embodiments, contending request to send terminal server data are resolved by a flow control module situated between a terminal server protocol and a transport/network protocol. The flow control module utilizes channel priorities along with amounts of previously sent data per channel to determine how to distribute bandwidth in a relatively controlled manner between contending channels. The flow control module can be configured to intercept communication between terminal server protocol and a transport/network protocol to facilitate bandwidth distribution. In other embodiments, data is simultaneously sent over multiple channels of terminal server connection. A first write operation obtains a lock on a corresponding channel but the channel lock does not prevent write operations on other channels.

摘要翻译： 本发明涉及用于控制终端服务器数据传输的方法，系统和计算机程序产品。 在一些实施例中，发送终端服务器数据的竞争请求由位于终端服务器协议和传输/网络协议之间的流控制模块解决。 流量控制模块利用信道优先级以及每个信道先前发送的数据量来确定如何在竞争信道之间以相对受控的方式分配带宽。 流控制模块可以被配置为拦截终端服务器协议和传输/网络协议之间的通信，以便于带宽分配。 在其他实施例中，数据同时通过多个通道的终端服务器连接发送。 第一次写入操作获得相应通道上的锁定，但是通道锁定不会阻止对其他通道的写入操作。

公开(公告)号：US07290039B1

公开(公告)日：2007-10-30

申请号：US09794799

申请日：2001-02-27

申请人： Rafael S Lisitsa ,  Dale A Sather ,  Costin Hagiu

发明人： Rafael S Lisitsa ,  Dale A Sather ,  Costin Hagiu

IPC分类号： G06F15/16

CPC分类号： G06F3/038 ,  G06F3/023

摘要： Presented is a system and method for determining a user's intent. Specifically, constituents and a topology are derived from the user's expression of intent, which can be stated broadly or stated in specific detail. The intent is expressed verbally, written, or in an XML format. The constituents and topology are resolved into a configuration based upon contexts. The contexts, which include a resource context, a user context, and an application context, includes information about the user's preferences, location, restrictions, device and network availability, and content availability. The configuration is then implemented.

摘要翻译： 提出了一种用于确定用户意图的系统和方法。 具体来说，构成要素和拓扑是从用户的意图表达中得出的，可以广泛地陈述或具体说明。 意图用口头，书面或XML格式表达。 组成部分和拓扑结构基于上下文解析成一个配置。 包括资源上下文，用户上下文和应用程序上下文的上下文包括有关用户偏好，位置，限制，设备和网络可用性以及内容可用性的信息。 然后执行配置。

公开(公告)号：US07010465B2

公开(公告)日：2006-03-07

申请号：US10811629

申请日：2004-03-29

申请人： Hammad Butt ,  Costin Hagiu

发明人： Hammad Butt ,  Costin Hagiu

IPC分类号： G06F15/00

CPC分类号： G06F11/3419 ,  G06F11/3414 ,  G06F11/3447 ,  G06F11/3457 ,  G06F11/3476 ,  G06F2201/88

摘要： Apparatuses and methods to test whether a multi-user system will provide satisfactory performance are described. Response times are logged for each individual user, and the measurements are aggregated together in a single file at the end of the test. For each action type, a graph is built that correlates the distribution of the response times as a function of the user load. A break point is determined for each action type at which a response time exceeds a predetermined threshold. By analyzing the different break points, the number of users that can be supported by the multi-user computer system is determined. Additionally, an optimal amount of memory may be determined to support a user load. The amount of memory required per user is computed based on the user load at the projected point where a line that is determined from page output peaks intersects the page input line.

公开(公告)号：US06526523B1

公开(公告)日：2003-02-25

申请号：US09179647

申请日：1998-10-27

申请人： Yue Chen ,  Costin Hagiu

发明人： Yue Chen ,  Costin Hagiu

IPC分类号： H02H305

CPC分类号： G06F11/3672

摘要： A method and system for testing software filters used in a multimedia environment to support kernel streaming. In a computer, a source module generates a data stream in order to emulate a multimedia input device, such as a microphone or video camera. A plurality of software filters are communicatively coupled to form a software filter chain. The chain of software filters receives the data stream from the source module and propagates the data stream through each software filter for processing. An analysis module receives the processed data stream from the chain of software, filters and produces performance information as a function of the received data stream. The source module, the analysis module and each software filter operate in a kernel-mode and are configured by a test tool operating in non-kernel mode. Via the test tool, a user can select appropriate source and analysis modules as well as construct the chain of software filters to include a large number of software filters. In order to assess the functionality of a large number software filters under real-world conditions using a single computer, the invention couples the software filters by one or more virtual circuits that route the data stream to and from a network.

摘要翻译： 用于测试多媒体环境中使用的软件过滤器以支持内核流的方法和系统。 在计算机中，源模块生成数据流以便模拟诸如麦克风或摄像机的多媒体输入设备。 多个软件过滤器通信地耦合以形成软件过滤器链。 软件过滤器链从源模块接收数据流，并通过每个软件过滤器传播数据流进行处理。 分析模块从软件链接收经处理的数据流，根据接收到的数据流过滤并产生性能信息。 源模块，分析模块和每个软件过滤器都以内核模式运行，并由在非内核模式下运行的测试工具进行配置。 通过测试工具，用户可以选择适当的源和分析模块，并构建软件过滤器链，以包含大量的软件过滤器。 为了使用单个计算机在真实世界条件下评估大量软件滤波器的功能，本发明通过将数据流与网络路由的一个或多个虚拟电路耦合软件滤波器。