公开(公告)号：US07302569B2

公开(公告)日：2007-11-27

申请号：US10643798

申请日：2003-08-19

申请人： Linda Betz ,  John C. Dayka ,  Walter B. Farrell ,  Richard H. Guski ,  Guenter Karjoth ,  Mark A. Nelson ,  Birgit M. Pfitzmann ,  Matthias Schunter ,  Michael P. Waidner

发明人： Linda Betz ,  John C. Dayka ,  Walter B. Farrell ,  Richard H. Guski ,  Guenter Karjoth ,  Mark A. Nelson ,  Birgit M. Pfitzmann ,  Matthias Schunter ,  Michael P. Waidner

IPC分类号： H04L29/00

CPC分类号： G06F21/629 ,  G06F21/6245 ,  G06F2221/2101 ,  G06F2221/2113 ,  G06F2221/2141 ,  G06F2221/2149

摘要： A data access control facility is implemented by assigning personally identifying information (PII) classification labels to PII data objects, with each PII data object having one PII classification label assigned thereto. The control facility further includes at least one PII purpose serving function set (PSFS) comprising a list of application functions that read or write PII data objects. Each PII PSFS is also assigned a PII classification label. A PII data object is accessible via an application function of a PII PSFS having a PII classification label that is identical to or dominant of the PII classification label of the PII object. A user of the control facility is assigned a PII clearance set which contains a list of at least one PII classification label, which is employed in determining whether the user is entitled to access a particular function.

摘要翻译： 通过将个人识别信息（PII）分类标签分配给PII数据对象来实现数据访问控制设施，每个PII数据对象分配有一个PII分类标签。 控制设备还包括至少一个PII目的服务功能集（PSFS），其包括读或写PII数据对象的应用功能列表。 每个PII PSFS也被分配了一个PII分类标签。 PII数据对象可通过具有与PII对象的PII分类标签相同或占优势的PII分类标签的PII PSFS的应用功能来访问。 控制设备的用户被分配有PII间隙组，其包含至少一个PII分类标签的列表，该列表用于确定用户是否有权访问特定功能。

公开(公告)号：US07617393B2

公开(公告)日：2009-11-10

申请号：US11764487

申请日：2007-06-18

申请人： Linda Betz ,  John C. Dayka ,  Walter B. Farrell ,  Richard H. Guski ,  Guenter Karjoth ,  Mark A. Nelson ,  Birgit M. Pfitzmann ,  Michael P. Waidner ,  Matthias Schunter

发明人： Linda Betz ,  John C. Dayka ,  Walter B. Farrell ,  Richard H. Guski ,  Guenter Karjoth ,  Mark A. Nelson ,  Birgit M. Pfitzmann ,  Michael P. Waidner ,  Matthias Schunter

IPC分类号： H04L29/00

CPC分类号： G06F21/629 ,  G06F21/6245 ,  G06F2221/2101 ,  G06F2221/2113 ,  G06F2221/2141 ,  G06F2221/2149

摘要： A data access control facility is implemented by assigning personally identifying information (PII) classification labels to PII data objects, with each PII data object having one PII classification label assigned thereto. The control facility further includes at least one PII purpose serving function set (PSFS) comprising a list of application functions that read or write PII data objects. Each PII PSFS is also assigned a PII classification label. A PII data object is accessible via an application function of a PII PSFS having a PII classification label that is identical to or dominant of the PII classification label of the PII object. A user of the control facility is assigned a PII clearance set which contains a list of at least one PII classification label, which is employed in determining whether the user is entitled to access a particular function.

摘要翻译： 通过将个人识别信息（PII）分类标签分配给PII数据对象来实现数据访问控制设施，每个PII数据对象分配有一个PII分类标签。 控制设备还包括至少一个PII目的服务功能集（PSFS），其包括读或写PII数据对象的应用功能列表。 每个PII PSFS也被分配了一个PII分类标签。 PII数据对象可通过具有与PII对象的PII分类标签相同或占优势的PII分类标签的PII PSFS的应用功能来访问。 控制设备的用户被分配有PII间隙组，其包含至少一个PII分类标签的列表，该列表用于确定用户是否有权访问特定功能。

公开(公告)号：US20070250913A1

公开(公告)日：2007-10-25

申请号：US11764487

申请日：2007-06-18

申请人： Linda Betz ,  John Dayka ,  Walter Farrell ,  Richard Guski ,  Guenter Karjoth ,  Mark Nelson ,  Birgit Pfitzmann ,  Matthias Schunter ,  Michael Waidner

发明人： Linda Betz ,  John Dayka ,  Walter Farrell ,  Richard Guski ,  Guenter Karjoth ,  Mark Nelson ,  Birgit Pfitzmann ,  Matthias Schunter ,  Michael Waidner

IPC分类号： G06F15/16

CPC分类号： G06F21/629 ,  G06F21/6245 ,  G06F2221/2101 ,  G06F2221/2113 ,  G06F2221/2141 ,  G06F2221/2149

摘要： A data access control facility is implemented by assigning personally identifying information (PII) classification labels to PII data objects, with each PII data object having one PII classification label assigned thereto. The control facility further includes at least one PII purpose serving function set (PSFS) comprising a list of application functions that read or write PII data objects. Each PII PSFS is also assigned a PII classification label. A PII data object is accessible via an application function of a PII PSFS having a PII classification label that is identical to or dominant of the PII classification label of the PII object. A user of the control facility is assigned a PII clearance set which contains a list of at least one PII classification label, which is employed in determining whether the user is entitled to access a particular function.

摘要翻译： 通过将个人识别信息（PII）分类标签分配给PII数据对象来实现数据访问控制设施，每个PII数据对象分配有一个PII分类标签。 控制设备还包括至少一个PII目的服务功能集（PSFS），其包括读或写PII数据对象的应用功能列表。 每个PII PSFS也被分配了一个PII分类标签。 PII数据对象可通过具有与PII对象的PII分类标签相同或占优势的PII分类标签的PII PSFS的应用功能来访问。 控制设备的用户被分配有PII间隙组，其包含至少一个PII分类标签的列表，该列表用于确定用户是否有权访问特定功能。

公开(公告)号：US20050044409A1

公开(公告)日：2005-02-24

申请号：US10643798

申请日：2003-08-19

申请人： Linda Betz ,  John Dayka ,  Walter Farrell ,  Richard Guski ,  Guenter Karjoth ,  Mark Nelson ,  Birgit Pfitzmann ,  Matthias Schunter ,  Michael Waidner

发明人： Linda Betz ,  John Dayka ,  Walter Farrell ,  Richard Guski ,  Guenter Karjoth ,  Mark Nelson ,  Birgit Pfitzmann ,  Matthias Schunter ,  Michael Waidner

IPC分类号： G06F21/00 ,  G06F15/16

CPC分类号： G06F21/629 ,  G06F21/6245 ,  G06F2221/2101 ,  G06F2221/2113 ,  G06F2221/2141 ,  G06F2221/2149

摘要： A data access control facility is implemented by assigning personally identifying information (PII) classification labels to PII data objects, with each PII data object having one PII classification label assigned thereto. The control facility further includes at least one PII purpose serving function set (PSFS) comprising a list of application functions that read or write PII data objects. Each PII PSFS is also assigned a PII classification label. A PII data object is accessible via an application function of a PII PSFS having a PII classification label that is identical to or dominant of the PII classification label of the PII object. A user of the control facility is assigned a PII clearance set which contains a list of at least one PII classification label, which is employed in determining whether the user is entitled to access a particular function.

摘要翻译： 通过将个人识别信息（PII）分类标签分配给PII数据对象来实现数据访问控制设施，每个PII数据对象分配有一个PII分类标签。 控制设备还包括至少一个PII目的服务功能集（PSFS），其包括读或写PII数据对象的应用功能列表。 每个PII PSFS也被分配了一个PII分类标签。 PII数据对象可通过具有与PII对象的PII分类标签相同或占优势的PII分类标签的PII PSFS的应用功能来访问。 控制设备的用户被分配有PII间隙组，其包含至少一个PII分类标签的列表，该列表用于确定用户是否有权访问特定功能。

公开(公告)号：US20050080720A1

公开(公告)日：2005-04-14

申请号：US10683022

申请日：2003-10-10

申请人： Linda Betz ,  George Blakley ,  Donald Cronin ,  David Hemsath ,  Paul Landsberg ,  Christopher O'Connor ,  Ronald Perez ,  James Ward ,  Richard Wood

发明人： Linda Betz ,  George Blakley ,  Donald Cronin ,  David Hemsath ,  Paul Landsberg ,  Christopher O'Connor ,  Ronald Perez ,  James Ward ,  Richard Wood

IPC分类号： G06Q40/00 ,  G06F17/60

CPC分类号： G06Q40/08 ,  G06Q40/025

摘要： Techniques are disclosed for systematically assessing an enterprise's security risks in view of a set of security patterns. Each pattern that is applicable to the enterprise's operation is then considered against the backdrop of a set of common attributes that are used, in turn, to further distinguish each pattern from a risk and security solution perspective. Using the disclosed techniques, specific security risks can be identified and appropriate security products can be selected to address those risks in a systematic manner, thereby assisting information technology decision makers across a wide variety of enterprises in deriving security solutions. These security solutions will typically be more effective and efficient from a functional perspective, as well as being more cost-effective, than security solutions created using prior art ad hoc approaches. The disclosed techniques may also be leveraged to create a requirements list for function to be included in a security product.

摘要翻译： 公开了一种系统地评估企业的安全风险的技术，以鉴于一套安全模式。 那么适用于企业运营的每个模式都是在一组常用属性的背景下进行考虑的，而这些属性又被用于进一步区分每种模式与风险和安全解决方案的角度。 使用公开的技术，可以确定具体的安全风险，并且可以选择适当的安全产品来系统地解决这些风险，从而帮助各种企业的信息技术决策者获得安全解决方案。 与使用现有技术的临时方法创建的安全解决方案相比，这些安全解决方案通常从功能角度更有效和高效，并且更具成本效益。 还可以利用所公开的技术来创建要包括在安全产品中的功能需求列表。

公开(公告)号：US20050246552A1

公开(公告)日：2005-11-03

申请号：US10835330

申请日：2004-04-29

申请人： Steven Bade ,  Linda Betz ,  Andrew Kegel ,  Michael Kelly ,  William Terrell

发明人： Steven Bade ,  Linda Betz ,  Andrew Kegel ,  Michael Kelly ,  William Terrell

IPC分类号： G06F11/30 ,  G06F12/14 ,  G06F21/00 ,  H04L9/32

CPC分类号： G06F21/57 ,  G06F21/53 ,  H04L9/0897

摘要： A method, an apparatus, a system, and a computer program product is presented for virtualizing trusted platform modules within a data processing system. A virtual trusted platform module along with a virtual endorsement key is created within a physical trusted platform module within the data processing system using a platform signing key of the physical trusted platform module, thereby providing a transitive trust relationship between the virtual trusted platform module and the core root of trust for the trusted platform. The virtual trusted platform module can be uniquely associated with a partition in a partitionable runtime environment within the data processing system.

摘要翻译： 提出了一种方法，装置，系统和计算机程序产品，用于虚拟化数据处理系统内的可信平台模块。 使用物理可信平台模块的平台签名密钥在数据处理系统内的物理可信平台模块内创建虚拟可信平台模块以及虚拟认证密钥，从而在虚拟可信平台模块和虚拟可信平台模块之间提供传递信任关系 信任平台的核心信任根源。 虚拟可信平台模块可以与数据处理系统内的可分区运行时环境中的分区唯一关联。

公开(公告)号：US20050257073A1

公开(公告)日：2005-11-17

申请号：US10835498

申请日：2004-04-29

申请人： Steven Bade ,  Linda Betz ,  Andrew Kegel ,  David Safford ,  Leendert Doorn

发明人： Steven Bade ,  Linda Betz ,  Andrew Kegel ,  David Safford ,  Leendert Doorn

IPC分类号： G06F21/24 ,  G06F1/00 ,  G06F3/06 ,  G06F12/14 ,  G06F12/16 ,  G06F21/00 ,  H04L9/32

CPC分类号： G06F21/575

摘要： Multiple trusted platform modules within a data processing system are used in a redundant manner that provides a reliable mechanism for securely storing secret data at rest that is used to bootstrap a system trusted platform module. A hypervisor requests each trusted platform module to encrypt a copy of the secret data, thereby generating multiple versions of encrypted secret data values, which are then stored within a non-volatile memory within the trusted platform. At some later point in time, the encrypted secret data values are retrieved, decrypted by the trusted platform module that performed the previous encryption, and then compared to each other. If any of the decrypted values do not match a quorum of values from the comparison operation, then a corresponding trusted platform module for a non-matching decrypted value is designated as defective because it has not been able to correctly decrypt a value that it previously encrypted.

摘要翻译： 以冗余的方式使用数据处理系统内的多个可信任的平台模块，其提供用于安全地存储用于引导系统可信平台模块的休息处的秘密数据的可靠机制。 管理程序请求每个可信平台模块加密秘密数据的副本，从而生成加密的秘密数据值的多个版本，然后存储在可信平台内的非易失性存储器中。 在稍后的时间点，加密的秘密数据值由执行先前加密的可信任平台模块进行解密，然后进行比较。 如果解密值中的任何一个与比较操作中的值的数量不匹配，则用于非匹配解密值的相应的可信平台模块被指定为有缺陷的，因为它不能正确解密其先前加密的值 。