Abstract:
A cryptographic-enabled messaging system providing a “Policy Management Agent” is described. The Policy Management Agent works in conjunction with a standard mail server, such as an SMTP (Simple Mail Transport Protocol) mail server, to ensure that incoming and outgoing e-mail adheres to the policies that are specified for a given site. Specifically, the Agent intercepts e-mail normally bound for the mail server and checks to make sure that it conforms with policies configured for one's site (e.g., corporate site). If the e-mail adheres to the policies for the site, it is forwarded to the mail server where it is routed to the intended recipient. If the e-mail does not adhere to the policies specified for the site, a message of one's choosing is sent to the client indicating that the e-mail was rejected. In an exemplary embodiment (e.g., for SMTP), the Policy Management Agent may be employed to make sure that e-mail has been encrypted using certain designated recovery keys; ensure that all e-mail messages are encrypted before allowing them to be delivered; specify whether e-mail must be signed or not before it is allowed to pass the policy requirement; specify whether conventional encryption is allowed; and maintain a log file listing all of the attempts to route e-mail along with a description of the outcome.
Abstract:
System and methodology providing automated or “proactive” network security (“active” firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components, thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., “event orchestrator”) component, so that the sensor may report the event to the arbiter or “brain.” Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an “actor” component (e.g., “firewall”). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may now undertake appropriate action, such as dynamically creating or modifying rules for appropriately handling the event, or it may choose to simply ignore the information.
Abstract:
A cryptosystem having a Certificate (Key) Server for storing and maintaining certificate or key information in a certificate database is described. The Certificate Server allows clients to submit and retrieve keys from a database based on a set of policy constraints which are set for one's particular site (e.g., company). Access to the Certificate Server is maintained by a Certificate Policy Agent, which makes sure that the policy is enforced for a given site based on the information supplied during the configuration. During operation, the Certificate Server responds to client requests to add, search for, and retrieve certificates. The server accepts or rejects certificates based on configurable parameters enforced by a Certificate Policy Agent. When a certificate is submitted to the server, the Certificate Policy Agent checks to see if it meets the criteria for a given site based on the settings specified during the configuration. Exemplary types of checks that the Certificate Policy Agent can enforce include checking to see if the key has been signed by the appropriate entities and checking to see if the signatures or User IDs associated with a key are approved for submission. If the submission criteria established during the configuration are met, the key is accepted by the server. If the key being submitted does not pass the policy requirements, it is rejected and (optionally) a copy is placed in a “pending bucket” where the key can subsequently be examined by the system administrator to determine if the key should be allowed on the server.