Selective Cross-Realm Authentication
    2.
    发明申请
    Selective Cross-Realm Authentication 有权
    选择性跨域认证

    公开(公告)号:US20090228969A1

    公开(公告)日:2009-09-10

    申请号:US12469245

    申请日:2009-05-20

    IPC分类号: H04L29/06 G06F15/173

    摘要: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.

    摘要翻译: 选择性跨域认证器将标识符与来自在一个领域中认证的实体的请求相关联,以访问与第二领域相关联的资源。 该标识符表示该实体在与所请求的资源相关联的领域以外的领域中被认证。 与资源相关联的域控制器执行访问检查,以验证经过身份验证的用户是否被授权对请求的资源进行身份验证。 与该资源相关联的权限可用于指定授予由与另一领域相关联的域控制器认证的实体的访问级别。

    Selective cross-realm authentication
    3.
    发明授权
    Selective cross-realm authentication 有权
    选择性跨域认证

    公开(公告)号:US07568218B2

    公开(公告)日:2009-07-28

    申请号:US10285175

    申请日:2002-10-31

    IPC分类号: H04L9/32

    摘要: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.

    摘要翻译: 选择性跨域认证器将标识符与来自在一个领域中认证的实体的请求相关联,以访问与第二领域相关联的资源。 该标识符表示该实体在与所请求的资源相关联的领域以外的领域中被认证。 与资源相关联的域控制器执行访问检查,以验证经过身份验证的用户是否被授权对请求的资源进行身份验证。 与该资源相关联的权限可用于指定授予由与另一领域相关联的域控制器认证的实体的访问级别。

    Scheme for sub-realms within an authentication protocol
    4.
    发明授权
    Scheme for sub-realms within an authentication protocol 有权
    认证协议内子域的方案

    公开(公告)号:US07571311B2

    公开(公告)日:2009-08-04

    申请号:US11096829

    申请日:2005-04-01

    IPC分类号: H04L9/32

    CPC分类号: H04L9/3213 H04L9/0833

    摘要: Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_ where is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.

    摘要翻译: 分支域控制器(DC)包含正常域DC中数据的只读副本。 这包括有关用户所属组的信息,因此可用于确定授权信息。 然而,密码信息仅适用于指定用于该特定分支的用户和服务(包括机器)的分支DC。 而且,所有的写入操作都希望由集线器DC,主域控制器(PDC)或公司办公室信任的其他DC来处理。 使用Kerberos子域支持分支机构的快速身份验证和授权,每个分支机构都将其作为虚拟领域运行。 Kerberos协议使用不同的密钥版本号来区分头部和分支密钥分发中心(KDC)的虚拟领域。 账户可以被命名为krbtgt_ ,其中被携带在票据授予票据(TGT)的kvno字段中,以向集线器KDC指示哪个krbtgt'密钥用于加密TGT。

    Dynamic negotiation of encryption protocols
    5.
    发明授权
    Dynamic negotiation of encryption protocols 有权
    加密协议的动态协商

    公开(公告)号:US07591012B2

    公开(公告)日:2009-09-15

    申请号:US10791035

    申请日:2004-03-02

    IPC分类号: H04L9/18 H04L29/00

    摘要: Systems and methods for negotiating an encryption algorithm may be implemented in the context of encryption-based authentication protocols. The invention has the added benefit of providing a system an method that need not interfere with the standard operation of authentication protocols. A first computer, or client computer, can send a negotiation request to a second computer, or server computer. The negotiation request can specify that the client computer supports a selected encryption algorithm. In response, the server computer can return a subsession key for encryption using the selected encryption algorithm. Both client and server may then switch to encryption in the selected encryption algorithm, using the subsession key to encrypt future communications.

    摘要翻译: 用于协商加密算法的系统和方法可以在基于加密的认证协议的上下文中实现。 本发明还提供了一种不需要干扰认证协议的标准操作的方法。 第一计算机或客户端计算机可以向第二计算机或服务器计算机发送协商请求。 协商请求可以指定客户端计算机支持选定的加密算法。 作为响应,服务器计算机可以使用所选择的加密算法返回用于加密的子会话密钥。 客户端和服务器都可以在所选择的加密算法中切换到加密,使用子会话密钥加密未来的通信。

    Dynamic negotiation of encryption protocols
    6.
    发明申请
    Dynamic negotiation of encryption protocols 有权
    加密协议的动态协商

    公开(公告)号:US20050198490A1

    公开(公告)日:2005-09-08

    申请号:US10791035

    申请日:2004-03-02

    IPC分类号: H04L9/00

    摘要: Systems and methods for negotiating an encryption algorithm may be implemented in the context of encryption-based authentication protocols. The invention has the added benefit of providing a system an method that need not interfere with the standard operation of authentication protocols. A first computer, or client computer, can send a negotiation request to a second computer, or server computer. The negotiation request can specify that the client computer supports a selected encryption algorithm. In response, the server computer can return a subsession key for encryption using the selected encryption algorithm. Both client and server may then switch to encryption in the selected encryption algorithm, using the subsession key to encrypt future communications.

    摘要翻译: 用于协商加密算法的系统和方法可以在基于加密的认证协议的上下文中实现。 本发明还提供了一种不需要干扰认证协议的标准操作的方法。 第一计算机或客户端计算机可以向第二计算机或服务器计算机发送协商请求。 协商请求可以指定客户端计算机支持选定的加密算法。 作为响应,服务器计算机可以使用所选择的加密算法返回用于加密的子会话密钥。 客户端和服务器都可以在所选择的加密算法中切换到加密,使用子会话密钥加密未来的通信。

    User mapping information extension for protocols
    7.
    发明申请
    User mapping information extension for protocols 有权
    协议的用户映射信息扩展

    公开(公告)号:US20070016782A1

    公开(公告)日:2007-01-18

    申请号:US11181525

    申请日:2005-07-14

    IPC分类号: H04L9/00

    摘要: A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the domain/user name information of a client to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user when he logs in. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding. Existing protocols may be extended to communicate the additional mapping information (the hint) to perform the binding. A vendor specific extension to Kerberos is defined to obtain the authorization data based on an X.509 certificate and the mapping user name hint.

    摘要翻译: 在认证握手期间可以交换的消息中提供了包含用户映射信息的提示。 例如,客户端可以在认证期间向服务器提供用户映射信息。 提示(例如,以TLS扩展机制的形式)可以用于发送客户端的域/用户名信息,以帮助服务器将用户的证书映射到帐户。 扩展机制提供客户端发送的映射数据的完整性和真实性。 用户提供关于在哪里找到正确的帐户或域控制器(指向或以其他方式维护正确的帐户)的提示。 根据证书中的提示和其他信息,用户被映射到一个帐户。 提示可以由用户在登录时提供。因此,证书被映射到身份以验证用户。 发送提示与证书信息一起执行绑定。 可以扩展现有协议以传达额外的映射信息(提示)来执行绑定。 定义了针对Kerberos的供应商特定扩展,以根据X.509证书和映射用户名提示获取授权数据。

    One time password integration with Kerberos
    8.
    发明申请
    One time password integration with Kerberos 有权
    与Kerberos一次性密码集成

    公开(公告)号:US20060288230A1

    公开(公告)日:2006-12-21

    申请号:US11153631

    申请日:2005-06-15

    IPC分类号: H04L9/00

    摘要: A domain controller (DC) side plugin supports one time passwords natively in Kerberos, Part of the key material is static and the other part is dynamic, thereby leveraging properties unique to each to securely support one time passwords in an operating system. The user is permitted to type in the one time passcode into a logon user interface. Rather than calling the SAM APIs to get the static passwords, vendors may register callbacks on the DC to plugin their algorithm. These callback functions will return the dynamically calculated passcodes for the user at a specific point in time. This passcode will then be treated as a normal password by the DC.

    摘要翻译: 域控制器(DC)侧插件在Kerberos中本地支持一次密码,部分密钥材料是静态的,另一部分是动态的,从而利用每个密钥的属性来安全地支持操作系统中的一次密码。 允许用户将一次性密码输入登录用户界面。 供应商可以在DC上注册回调来插入其算法,而不是调用SAM API来获取静态密码。 这些回调函数将在特定时间点返回动态计算的用户密码。 然后,该密码将被DC视为正常密码。

    One time password integration with Kerberos
    9.
    发明授权
    One time password integration with Kerberos 有权
    与Kerberos一次性密码集成

    公开(公告)号:US07757275B2

    公开(公告)日:2010-07-13

    申请号:US11153631

    申请日:2005-06-15

    IPC分类号: G06F21/00 H04L29/06

    摘要: A domain controller (DC) side plugin supports one time passwords natively in Kerberos, Part of the key material is static and the other part is dynamic, thereby leveraging properties unique to each to securely support one time passwords in an operating system. The user is permitted to type in the one time passcode into a logon user interface. Rather than calling the SAM APIs to get the static passwords, vendors may register callbacks on the DC to plugin their algorithm. These callback functions will return the dynamically calculated passcodes for the user at a specific point in time. This passcode will then be treated as a normal password by the DC.

    摘要翻译: 域控制器(DC)侧插件在Kerberos中本地支持一次密码,部分密钥材料是静态的,另一部分是动态的,从而利用每个密钥的属性来安全地支持操作系统中的一次密码。 允许用户将一次性密码输入登录用户界面。 供应商可以在DC上注册回调来插入其算法,而不是调用SAM API来获取静态密码。 这些回调函数将在特定时间点返回动态计算的用户密码。 然后,该密码将被DC视为正常密码。

    Scheme for sub-realms within an authentication protocol

    公开(公告)号:US20060224891A1

    公开(公告)日:2006-10-05

    申请号:US11096829

    申请日:2005-04-01

    IPC分类号: H04L9/00

    CPC分类号: H04L9/3213 H04L9/0833

    摘要: Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_ where is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.