专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US07058798B1 Method ans system for pro-active credential refreshing 有权
标题翻译：方法ans系统为主动凭证刷新
公开(公告)号：US07058798B1
公开(公告)日：2006-06-06
申请号：US09547183
申请日：2000-04-11
申请人： Yassir K. Elley , Anne H. Anderson , Stephen R. Hanna , Sean J. Mullan , Radia Joy Perlman
发明人： Yassir K. Elley , Anne H. Anderson , Stephen R. Hanna , Sean J. Mullan , Radia Joy Perlman
IPC分类号： G06F7/04
CPC分类号： G06F21/6218
摘要： The basic concept is that before a resource is accessed, the entity that has the burden of gathering the credentials, pro-actively refreshes the credentials and keeps them current. In one instance, a presenter of credentials, for example, a client, pro-actively refreshes the credentials such that at the time of presentation, the credentials meet the resource-specific constraints of a recipient of credentials, for example, a resource server. For each resource that it protects, a resource server typically establishes various constraints such as a recency requirement, which specifies how recently a credential has to have been issued to be accepted as an adequate credential. Other constraints may include maximum certificate chain length, trust level and so forth. In another instance, a recipient of credentials pro-actively gathers and refreshes credentials to prevent un-authorized access to the various resources it is protecting.
摘要翻译：基本概念是，在访问资源之前，负责收集凭据的实体主动刷新凭据并保持最新状态。在一个实例中，凭证的呈现者（例如，客户端）主动地刷新证书，使得在呈现时，证书满足凭证的接收方的资源特定约束，例如资源服务器。对于其保护的每个资源，资源服务器通常建立各种约束，例如新近要求，其指定证书必须最近被发布以被接受为足够证书。其他约束可能包括最大证书链长度，信任级别等。在另一个实例中，凭据的接收方主动收集和刷新凭据，以防止对其保护的各种资源的未授权访问。

2. 发明授权

US06801998B1 Method and apparatus for presenting anonymous group names 有权
标题翻译：用于呈现匿名组名的方法和装置
公开(公告)号：US06801998B1
公开(公告)日：2004-10-05
申请号：US09439246
申请日：1999-11-12
申请人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan
发明人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan
IPC分类号： H04L900
CPC分类号： H04L63/045 , H04L63/065 , H04L63/105
摘要： A method and system for granting an applicant associated with a client computer in a client-server system access to a requested service without providing the applicant with intelligible information regarding group membership. The applicant transmits a request for service to an application server over a computer network. In response, the application server prepares an encrypted message which includes the identification of the group or groups having access privileges and transmits the encrypted message to the client along with a request that the client prove membership in at least one of the groups. The message is encrypted with an encryption key which can be decrypted by a group membership server.
摘要翻译：一种方法和系统，用于在客户机 - 服务器系统中授予与客户端计算机相关联的申请人访问所请求的服务，而不向申请人提供关于组成员身份的可理解信息。申请人通过计算机网络向应用服务器发送服务请求。作为响应，应用服务器准备加密的消息，其包括具有访问权限的组或组的标识，并且将客户端证明成员资格的请求与客户端一起发送给客户端。消息使用加密密钥进行加密，加密密钥可以由组成员服务器进行解密。

3. 发明授权

US06263434B1 Signed group criteria 有权
标题翻译：签名组标准
公开(公告)号：US06263434B1
公开(公告)日：2001-07-17
申请号：US09399899
申请日：1999-09-21
申请人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan
发明人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan
IPC分类号： A61F238
CPC分类号： H04L9/3247 , G06Q20/3821 , H04L2209/60
摘要： A method and apparatus for identifying an applicant as a member of a group without explicitly listing all possible applicants. A test is defined which specifies the criteria for group membership. The test definition and an optional group identifier code are supplied to a criterion generator. The criterion generator generates an authenticated message based, at least in part, upon said test definition. The authenticated message is delivered to one or more criterion evaluators that verify the authenticated message. In one embodiment, once the authenticated message has been verified, the applicant for access to a resource presents a credential to the criterion evaluator. If the credential satisfies the test definition, the applicant is granted access to the specified resource and denied access if the credential does not satisfy the test definition. In another embodiment, upon presentation of a suitable credential to the criterion evaluator, the criterion evaluator produces a group membership credential that may be presented to an actuator that is not in communication with the criterion evaluator. If the actuator determines that the group membership credential is authentic, the applicant is granted access to the resource.
摘要翻译：用于将申请人识别为组的成员而不明确列出所有可能的申请人的方法和装置。定义了一个测试，该测试指定了组成员资格的标准。测试定义和可选组标识符代码被提供给标准生成器。标准生成器至少部分地基于所述测试定义生成认证消息。已验证的消息被传递给验证已验证消息的一个或多个标准评估器。在一个实施例中，一旦经过认证的消息已被验证，对资源的访问的申请人向标准评估者呈现凭证。如果凭证满足测试定义，则授予申请人访问指定的资源，如果凭证不符合测试定义，则拒绝访问。在另一个实施例中，在向标准评估器呈现合适的凭证之后，标准评估器产生可以呈现给不与标准评估器通信的致动器的组成员凭证。如果执行器确定组成员凭证是真实的，则授予申请人对该资源的访问权限。

4. 发明授权

US07213262B1 Method and system for proving membership in a nested group using chains of credentials 有权
标题翻译：使用凭证链验证嵌套组成员资格的方法和系统
公开(公告)号：US07213262B1
公开(公告)日：2007-05-01
申请号：US09310165
申请日：1999-05-10
申请人： Yassir K. Elley , Anne H. Anderson , Stephen R. Hanna , Sean J. Mullan , Radia J. Perlman
发明人： Yassir K. Elley , Anne H. Anderson , Stephen R. Hanna , Sean J. Mullan , Radia J. Perlman
IPC分类号： H04L9/32 , G06F15/16 , G06F17/30
CPC分类号： G06F21/6218 , G06F2221/2115
摘要： In accordance with the invention, a presenter of credentials presents to a recipient of credentials one or more chains of group credentials to prove entity membership or non-membership in a nested group in a computer network. The ability to present a chain of credentials is particularly important when a client is attempting the prove membership or non-membership in a nested group and one or more of the group servers in the family tree are off-line. A chain of group credentials includes two or more proofs of group membership and/or proofs of group non-membership Furthermore, the proofs of group membership may include one or more group membership certificates and/or one or more group membership lists; and proofs of group non-membership may include one or more group non-membership certificates and/or one or more group membership lists.
摘要翻译：根据本发明，凭证的呈现者向凭证的接收者呈现一个或多个组凭证链以证明计算机网络中的嵌套组的实体成员资格或非成员资格。当客户端尝试证明成员身份或嵌套组中的非成员身份并且家庭树中的一个或多个组服务器离线时，呈现证书链的能力尤其重要。一组组凭证包括两个或多个组成员资格证明和/或组非会员证明。此外，组成员资格的证明可以包括一个或多个组成员证书和/或一个或多个组成员资格表; 并且组非隶属的证明可以包括一个或多个组非会员证书和/或一个或多个组成员资格列表。

5. 发明授权

US07085925B2 Trust ratings in group credentials 有权
公开(公告)号：US07085925B2
公开(公告)日：2006-08-01
申请号：US09825100
申请日：2001-04-03
申请人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan
发明人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan
IPC分类号： H04L9/00 , H04L9/32
CPC分类号： H04L9/3263
摘要： A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings. Upon a determination that a user requesting access to a resource has an acceptable set of credentials and a satisfactory trust rating, access to the requested resource or service is granted to the user.

6. 发明授权

US07054905B1 Replacing an email attachment with an address specifying where the attachment is stored 有权
标题翻译：用指定附件存储位置的地址替换电子邮件附件
公开(公告)号：US07054905B1
公开(公告)日：2006-05-30
申请号：US09539269
申请日：2000-03-30
申请人： Stephen R. Hanna , David C. Douglas , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan , Anne H. Anderson
发明人： Stephen R. Hanna , David C. Douglas , Yassir K. Elley , Radia J. Perlman , Sean J. Mullan , Anne H. Anderson
IPC分类号： G06F15/16 , H04L9/00
CPC分类号： H04L51/08 , G06Q10/107 , H04L51/30
摘要： One embodiment of the present invention provides a system that replaces an attachment to an email message with a reference to a location where the attachment is stored. Upon receiving the email message, the system examines the email message to determine if the email message includes an attachment. If the email message includes the attachment, the system stores the attachment at a location on a communication network from which the attachment can be retrieved. The system also modifies the email message by replacing the attachment with a reference specifying the location of the attachment, and sends the modified email message to a recipient of the email message. In one embodiment of the present invention, the recipient receives the modified email message and uses the reference specifying the location of the attachment to retrieve the attachment across the communication network.
摘要翻译：本发明的一个实施例提供一种系统，该系统用参考存储附件的位置来替代电子邮件消息的附件。在接收到电子邮件消息时，系统检查电子邮件消息以确定电子邮件消息是否包括附件。如果电子邮件消息包含附件，则系统将附件存储在通信网络上可从中检索附件的位置。该系统还通过使用指定附件的位置的引用替换附件来修改电子邮件消息，并将修改的电子邮件消息发送给电子邮件的接收者。在本发明的一个实施例中，接收者接收经修改的电子邮件消息，并使用指定附件的位置的引用来检索跨越通信网络的附件。

7. 发明授权

US06883100B1 Method and system for dynamic issuance of group certificates 有权
标题翻译：动态发放集体证书的方法和制度
公开(公告)号：US06883100B1
公开(公告)日：2005-04-19
申请号：US09309045
申请日：1999-05-10
申请人： Yassir K. Elley , Anne H. Anderson , Stephen R. Hanna , Sean J. Mullan , Radia J. Perlman
发明人： Yassir K. Elley , Anne H. Anderson , Stephen R. Hanna , Sean J. Mullan , Radia J. Perlman
IPC分类号： G06F1/00 , G06F21/00 , G06F9/00
CPC分类号： G06F21/6218 , G06F21/629
摘要： In accordance with the invention, on-line group servers issue group membership or group non-membership certificates upon request. Furthermore, when a requester requests a group certificate for a particular entity, the associated group server makes a dynamic decision regarding the entity's membership in the group rather than simply referring to a membership list. These capabilities provide for, among other things, the implementation of “nested” groups, wherein an entity may indirectly prove membership in a first, or nested, group by proving membership in a second group which is a member of the first group. In the nested group situation, the dynamic decision may involve the group server of the nested group obtaining proof of the entity's membership or non-membership in the second group. Proof of membership or non-membership may include a group certificate and/or a group membership list.
摘要翻译：根据本发明，在线组服务器根据请求发布组成员或组非会员证书。此外，当请求者请求特定实体的组证书时，相关联的组服务器就组织中的实体成员进行动态决定，而不是简单地参考会员列表。这些功能尤其规定了“嵌套”组的实现，其中实体可以通过证明作为第一组的成员的第二组中的成员身份间接地证明第一组或嵌套组中的成员资格。在嵌套组的情况下，动态决策可能涉及嵌套组的组服务器获得实体成员资格的证明或第二组中的非成员资格。会籍或非会员证明可能包括团体证明和/或团体会员名单。

8. 发明授权

US07010690B1 Extensible system for building and evaluating credentials 有权
标题翻译：用于构建和评估凭证的可扩展系统
公开(公告)号：US07010690B1
公开(公告)日：2006-03-07
申请号：US09612057
申请日：2000-07-07
申请人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley
发明人： Stephen R. Hanna , Anne H. Anderson , Yassir K. Elley
IPC分类号： H04L9/00
CPC分类号： G06F21/31
摘要： A method and apparatus for authenticating and authorizing a user of a device connected to a network. In one embodiment, a set of credential descriptors is generated that describes credentials that must be built for authenticating the user. The set of credential descriptors is provided to a first device, which includes a first master credential builder for building credentials corresponding to at least one of the credential descriptors. In the event that the first master credential builder does not build all of the credentials corresponding to the set of credential descriptors, another set of credential descriptors is provided to a second device, which includes a second master credential builder for building at least one credential remaining to be built. This process continues until all credentials have been built or a determination is made that they cannot be built. After all credentials have been built, the credentials are provided to a master credential evaluator, which may be included in the first device, the second device, or another device. If the master credential evaluator successfully evaluates the built credentials, then user authentication is completed. Advantageously, credential builders and credential evaluators can be added to or removed from the master credential builders and the master credential evaluator, respectively, to allow dynamic modification of the master credential builders and the master credential evaluator to suit specific and changing requirements for user authentication/authorization.
摘要翻译：一种用于认证和授权连接到网络的设备的用户的方法和装置。在一个实施例中，生成一组凭证描述符，其描述必须构建用于认证用户的凭证。证书描述符集合被提供给第一设备，该第一设备包括用于构建与至少一个凭证描述符相对应的证书的第一主凭证构建器。如果第一主凭证构建器不构建与该组凭证描述符对应的所有凭证，则将另一组凭证描述符提供给第二设备，该第二设备包括用于构建至少一个凭证剩余的第二主凭证构建器待建这个过程一直持续到所有的凭证被建立或确定它们是不能被建立的。在所有凭证已经构建之后，凭证被提供给主凭证评估器，其可以包括在第一设备，第二设备或另一设备中。如果主凭证评估器成功评估内置凭证，则完成用户验证。有利地，可以分别将凭证构建器和凭证评估器添加到主凭证建立者和主凭证评估器中或从主凭证建立者和主凭证评估器移除，以允许动态修改主凭证建立者和主凭证评估器，以适应用户认证/ 授权

9. 发明授权

US06560705B1 Content screening with end-to-end encryption prior to reaching a destination 有权
标题翻译：在到达目的地之前进行端到端加密的内容筛选
公开(公告)号：US06560705B1
公开(公告)日：2003-05-06
申请号：US09511541
申请日：2000-02-23
申请人： Radia J. Perlman , Stephen R. Hanna , Yassir K. Elley
发明人： Radia J. Perlman , Stephen R. Hanna , Yassir K. Elley
IPC分类号： H04L936
CPC分类号： H04L63/0209 , H04L63/0442 , H04L63/1408
摘要： One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having previously received the encrypted message and the encrypted message key from a source outside the firewall. The content screener decrypts the encrypted message key to restore the message key, and decrypts the encrypted message with the message key to restore the message. Next, the content screener screens the message to determine whether the message satisfies a screening criterion. If so, the system forwards the message to a destination within the firewall in a secure manner. In one embodiment of the present invention, the system decrypts the encrypted message key by sending the encrypted message key to the destination. Upon receiving the encrypted message key, the destination decrypts the encrypted message key and returns the message key to the content screener in a secure manner.
摘要翻译：本发明的一个实施例提供一种对通过端到端加密保护的消息执行内容筛选的系统。该系统通过从防火墙在内容筛选器处接收加密消息和加密消息密钥来操作，防火墙先前从防火墙外部的源接收到加密消息和加密消息密钥。内容筛选器解密加密的消息密钥以恢复消息密钥，并用消息密钥解密加密的消息以恢复消息。接下来，内容筛选器筛选消息以确定消息是否满足筛选标准。如果是这样，系统会以安全的方式将消息转发到防火墙内的目的地。在本发明的一个实施例中，系统通过将加密的消息密钥发送到目的地来解密加密的消息密钥。在接收到加密的消息密钥时，目的地解密加密的消息密钥，并以安全的方式将消息密钥返回给内容筛选器。

10. 发明授权

US06546486B1 Content screening with end-to-end encryption within a firewall 有权
标题翻译：在防火墙内进行端到端加密的内容筛选
公开(公告)号：US06546486B1
公开(公告)日：2003-04-08
申请号：US09510912
申请日：2000-02-23
申请人： Radia J. Perlman , Stephen R. Hanna , Yassir K. Elley
发明人： Radia J. Perlman , Stephen R. Hanna , Yassir K. Elley
IPC分类号： H04L936
CPC分类号： H04L63/0209 , H04L63/0442 , H04L63/1408
摘要： One embodiment of the present invention provides a system that performs, content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message at a firewall from a source outside of the firewall, the encrypted message having been formed by encrypting the message with a message key. In order to restore the message, the system procures the message key and decrypts the encrypted message with the message key. Next, the system screens the message within the firewall to determine whether the message satisfies a screening criterion. If so, the system allows a destination within the firewall to process the message. In one embodiment of the present invention, procuring the message key includes allowing the source and the destination to negotiate the message key, which is then sent to the firewall. In one embodiment of the present invention, the firewall procures the message key by receiving an encrypted message key along with the encrypted message, the encrypted message key having been formed by encrypting the message key. Next, the firewall sends the encrypted message key to the destination, and allows the destination to decrypt the encrypted message key to restore the message key. Finally, the destination returns the message key to the firewall so that the firewall can decrypt the message.
摘要翻译：本发明的一个实施例提供一种对通过端到端加密保护的消息执行内容筛选的系统。该系统通过从防火墙之外的源接收来自防火墙的加密消息，通过用消息密钥加密消息形成加密消息。为了恢复消息，系统采用消息密钥，并使用消息密钥解密加密的消息。接下来，系统在防火墙内屏蔽消息，以确定消息是否满足筛选标准。如果是这样，系统允许防火墙内的目的地处理消息。在本发明的一个实施例中，采购消息密钥包括允许源和目的地协商消息密钥，然后将消息密钥发送到防火墙。在本发明的一个实施例中，防火墙通过接收加密的消息密钥以及加密的消息来获取消息密钥，加密的消息密钥是通过加密消息密钥形成的。接下来，防火墙将加密的消息密钥发送到目的地，并允许目的地解密加密的消息密钥以恢复消息密钥。最后，目的地将消息密钥返回给防火墙，以便防火墙能够解密该消息。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式