专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

21. 发明授权

US09118672B2 Back-end constrained delegation model 有权
标题翻译：后端约束委托模型
公开(公告)号：US09118672B2
公开(公告)日：2015-08-25
申请号：US12965445
申请日：2010-12-10
申请人： Mark Fishel Novak , Paul J. Leach , Liqiang Zhu , Paul J. Miller , Alexandru Hanganu , Yi Zeng , Jeremy Dominic Viegas , K. Michiko Short
发明人： Mark Fishel Novak , Paul J. Leach , Liqiang Zhu , Paul J. Miller , Alexandru Hanganu , Yi Zeng , Jeremy Dominic Viegas , K. Michiko Short
IPC分类号： G06F7/04 , H04L29/06 , H04L9/32
CPC分类号： H04L63/0884 , H04L9/3213 , H04L63/0807
摘要： A client can communicate with a middle tier, which can then, in turn, communicate with a back end tier to access information and resources on behalf of the client within the context of a system that can scale well. Each individual back end can establish a policy that defines which computing device can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy, or, if the domain controller is in a different domain than the targeted back end, it can direct the middle tier to a domain controller in a different domain and can sign relevant information that the middle tier can utilize when communicating with that different domain controller.
摘要翻译：客户端可以与中间层进行通信，然后可以与后端层进行通信，以便在可以扩展的系统的上下文中代表客户端访问信息和资源。每个单独的后端可以建立一个策略，定义哪个计算设备可以委托给该后端。该策略可以由与特定后端相同的管理域中的域控制器实施。当中间层请求委托给后端时，该请求所针对的域控制器可以应用策略，或者如果域控制器位于与目标后端不同的域中，则可以将中间层到不同域中的域控制器，并且可以签署中间层在与该不同域控制器通信时可以利用的相关信息。

22. 发明授权

US09058467B2 Distributed computer systems with time-dependent credentials 有权
标题翻译：具有时间依赖凭证的分布式计算机系统
公开(公告)号：US09058467B2
公开(公告)日：2015-06-16
申请号：US13224255
申请日：2011-09-01
申请人： Mark Novak , Paul J. Leach , Yi Zeng , Saurav Sinha , K Michiko Short , Gopinathan Kannan
发明人： Mark Novak , Paul J. Leach , Yi Zeng , Saurav Sinha , K Michiko Short , Gopinathan Kannan
IPC分类号： G06F21/00 , H04L29/06 , G06F21/62 , G06F15/16 , H04L9/32
CPC分类号： G06F21/00 , G06F21/6218 , H04L9/32 , H04L63/0846
摘要： A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.
摘要翻译：分布式系统，其中根据不同的本地时间操作的控制器提供时间依赖的凭证。通过识别在过渡间隔期间生成的凭证可以避免控制器因产生时间偏差而产生不一致凭据的错误，其中不同的控制器可能会在同一绝对时间产生不同的凭据。在转换间隔期间，控制器和其他设备可以基于认证功能的性质差异地使用凭证。每个控制器可以基于自调度续订或基于来自其他设备的请求来定期更新其凭证，使得更新时间被随机延迟抵消以避免过多的网络流量。控制器可以基于与该时间相关联的加密安全密钥以及识别与该凭证相关联的实体的信息来确定哪个凭证对于任何给定时间是有效的。

23. 发明授权

US08555069B2 Fast-reconnection of negotiable authentication network clients 有权
标题翻译：快速重新连接可转让认证网络客户端
公开(公告)号：US08555069B2
公开(公告)日：2013-10-08
申请号：US12399615
申请日：2009-03-06
申请人： Liqiang Zhu , Paul J. Leach , Kevin Thomas Damour , David McPherson , Tanmoy Dutta
发明人： Liqiang Zhu , Paul J. Leach , Kevin Thomas Damour , David McPherson , Tanmoy Dutta
IPC分类号： H04L29/06
CPC分类号： H04L9/3271 , H04L9/3234 , H04L63/0428 , H04W12/06
摘要： Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process.
摘要翻译：现代网络通信通常需要客户端应用程序请求数据对提供数据的应用程序进行身份验证。这种认证请求可以是冗余的，特别是在无状态网络协议的情况下。当执行完整认证时，可以同意会话标识符和一个或多个加密密钥。随后的认证请求可以用包括会话标识符的快速重新连接令牌和使用该一个或多个加密密钥的加密签名版本来应答。如果需要额外的安全性，则可以以预定或随机的方式建立和递增序列号，以便能够检测重放的快速重新连接令牌。如果收件人可以验证快速重新连接令牌，则可以认为提供商已经根据先前的身份验证进行了身份验证。如果快速重新认证的一个方面应该失败，则可能需要对原始的完整身份验证过程进行追索。

24. 发明授权

US08468579B2 Transformation of sequential access control lists utilizing certificates 有权
标题翻译：使用证书转换顺序访问控制列表
公开(公告)号：US08468579B2
公开(公告)日：2013-06-18
申请号：US11764034
申请日：2007-06-15
申请人： Carl Melvin Ellison , Paul J. Leach , Butler Wright Lampson , Melissa W. Dunn , Ravindra Nath Pandya , Charles William Kaufman
发明人： Carl Melvin Ellison , Paul J. Leach , Butler Wright Lampson , Melissa W. Dunn , Ravindra Nath Pandya , Charles William Kaufman
IPC分类号： G06F21/00
CPC分类号： H04L63/101 , H04L63/0823
摘要： The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.
摘要翻译：本发明涉及利用证书来管理访问控制的系统和方法。本文描述的系统和方法旨在将访问控制列表中表示的访问策略映射到一组证书。该证书集可用于以ACL所描述的方式授予对资源的访问权限。证书可以分发给实体以用于获取资源访问。实体可以向资源提供证书，作为获取资源的权利的证据。顺序ACL的访问逻辑可以转换或映射到一组与订单无关的证书。特别地，可以分析每个条目，列表中的条目的位置和任何前面的条目。该分析可用于生成根据ACL中传达的访问策略提供访问权限的独立凭证。

25. 发明授权

US08381306B2 Translating role-based access control policy to resource authorization policy 有权
标题翻译：将基于角色的访问控制策略转换为资源授权策略
公开(公告)号：US08381306B2
公开(公告)日：2013-02-19
申请号：US11443638
申请日：2006-05-30
申请人： Dave McPherson , Muthukrishnan Paramasivam , Paul J. Leach
发明人： Dave McPherson , Muthukrishnan Paramasivam , Paul J. Leach
IPC分类号： G06F21/00
CPC分类号： G06F21/6218
摘要： Translation of role-based authoring models for managing RBAC “roles” to resource authorization policy (RAP), such as ACL-based applications, is provided. A generic RBAC system is defined from which mappings to other authorization enforcement mechanism make possible the translation of RBAC “roles” to resource authorization policies applied to resources managed by a resource manager, e.g., a file system resource manager. An implementation is described that uses Windows Authorization Manager as a storage mechanism and object model to manage object types and relationships translated from an RBAC system.
摘要翻译：提供了基于角色的角色创作模型，用于将RBAC角色管理到资源授权策略（RAP），如基于ACL的应用程序。定义了一个通用的RBAC系统，其中与其他授权执行机制的映射可以将RBAC角色转换为应用于资源管理器（例如文件系统资源管理器）管理的资源的资源授权策略。描述了使用Windows Authorization Manager作为存储机制和对象模型来管理从RBAC系统转换的对象类型和关系的实现。

26. 发明申请

US20120131661A1 BACK-END CONSTRAINED DELEGATION MODEL 有权
标题翻译：后端约束代码模型
公开(公告)号：US20120131661A1
公开(公告)日：2012-05-24
申请号：US12965445
申请日：2010-12-10
申请人： Mark Fishel Novak , Paul J. Leach , Liqiang Zhu , Paul J. Miller , Alexandru Hanganu , Yi Zeng , Jeremy Dominic Viegas , K. Michiko Short
发明人： Mark Fishel Novak , Paul J. Leach , Liqiang Zhu , Paul J. Miller , Alexandru Hanganu , Yi Zeng , Jeremy Dominic Viegas , K. Michiko Short
IPC分类号： G06F15/16
CPC分类号： H04L63/0884 , H04L9/3213 , H04L63/0807
摘要： A client can communicate with a middle tier, which can then, in turn, communicate with a back end tier to access information and resources on behalf of the client within the context of a system that can scale well. Each individual back end can establish a policy that defines which computing device can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy, or, if the domain controller is in a different domain than the targeted back end, it can direct the middle tier to a domain controller in a different domain and can sign relevant information that the middle tier can utilize when communicating with that different domain controller.
摘要翻译：客户端可以与中间层进行通信，然后可以与后端层进行通信，以便在可以扩展的系统的上下文中代表客户端访问信息和资源。每个单独的后端可以建立一个策略，定义哪个计算设备可以委托给该后端。该策略可以由与特定后端相同的管理域中的域控制器实施。当中间层请求委托给后端时，该请求所针对的域控制器可以应用策略，或者如果域控制器位于与目标后端不同的域中，则可以将中间层到不同域中的域控制器，并且可以签署中间层在与该不同域控制器通信时可以利用的相关信息。

27. 发明申请

US20110154505A1 UNOBTRUSIVE ASSURANCE OF AUTHENTIC USER INTENT 有权
标题翻译：认证用户信息的全面保证
公开(公告)号：US20110154505A1
公开(公告)日：2011-06-23
申请号：US12645465
申请日：2009-12-22
申请人： Crispin Cowan , Matthew Z. Tamayo-Rios , Tanmoy Dutta , John Lambert , Paul J. Leach , Scott A. Field , Thomas C. Jones
发明人： Crispin Cowan , Matthew Z. Tamayo-Rios , Tanmoy Dutta , John Lambert , Paul J. Leach , Scott A. Field , Thomas C. Jones
IPC分类号： G06F21/22
CPC分类号： G06F21/52 , G06F21/53 , G06F21/62
摘要： Computer-executable instructions that are directed to the performance of consequential actions and automatically elevate to execute at a higher privilege level to do so can perform such consequential actions only after user notification. Doing so can enable monitoring processes to avoid presenting duplicative user notification upon detection of such auto-elevation. In addition, prior to presenting user notification, input from the execution environment can be ignored and access to DLLs for performing consequential actions can be avoided. A static analyzer can identify non-conforming computer-executable instructions. A wrapper can be utilized to provide compliance by otherwise unknown or non-conforming computer-executable instructions.
摘要翻译：针对执行相应操作并自动提升以在较高权限级别执行的计算机可执行指令，只有在用户通知后才能执行此类后续操作。这样做可以实现监控过程，以避免在检测到这种自动升高时呈现重复的用户通知。此外，在呈现用户通知之前，可以忽略来自执行环境的输入，并且可以避免对用于执行相继动作的DLL的访问。静态分析仪可以识别不合格的计算机可执行指令。可以使用包装器来提供否则未知或不合格的计算机可执行指令的符合性。

28. 发明授权

US07882539B2 Abstracting security policy from, and transforming to, native representations of access check mechanisms 有权
标题翻译：抽取安全策略和转换为访问检查机制的本机表示
公开(公告)号：US07882539B2
公开(公告)日：2011-02-01
申请号：US11445778
申请日：2006-06-02
申请人： Muthukrishnan Paramasivam , Charles F. Rose, III , Dave M. McPherson , Raja Pazhanivel Perumal , Satyajit Nath , Paul J. Leach , Ravindra Nath Pandya
发明人： Muthukrishnan Paramasivam , Charles F. Rose, III , Dave M. McPherson , Raja Pazhanivel Perumal , Satyajit Nath , Paul J. Leach , Ravindra Nath Pandya
IPC分类号： G06F17/00 , H04L29/06
CPC分类号： H04L63/102 , G06F21/604 , H04L63/20
摘要： Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what is permitted by the access check mechanisms. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query are provided, such as who has access to what resource, built from the policy statements themselves, independent of the access check mechanism that provide access. Access is audited and policy-based reasons for access are provided based on the access control policy.
摘要翻译：来自访问检查机制的抽象访问控制策略允许使用具有语义的声明性模型，而不是访问检查机制允许的策略的更丰富的表达。此外，抽象访问控制策略允许在多个访问检查机制之间统一表达策略。提供任何访问查询的类似原因，例如谁可以访问从策略语句本身构建的什么资源，独立于提供访问的访问检查机制。访问被审计，基于访问控制策略提供基于策略的访问原因。

29. 发明授权

US07802294B2 Controlling computer applications' access to data 有权
标题翻译：控制计算机应用程序访问数据
公开(公告)号：US07802294B2
公开(公告)日：2010-09-21
申请号：US11046281
申请日：2005-01-28
申请人： Eric C. Perlin , Klaus U. Schutz , Paul J. Leach , Peter T. Brundrett , Thomas C. Jones
发明人： Eric C. Perlin , Klaus U. Schutz , Paul J. Leach , Peter T. Brundrett , Thomas C. Jones
IPC分类号： G06F7/04
CPC分类号： G06F21/6218 , G06F21/6281 , G06F2221/2141
摘要： Systems and methods are described that control attempts made by an application to access data. In one embodiment, the application is associated with a security token that includes an application ID. In operation, the system receives a request, initiated by the application, for access to the data. The system is configured to evaluate the request for access based in part on comparison of the security token and a listing of approved application IDs associated with the data.
摘要翻译：描述了控制由应用访问数据的尝试的系统和方法。在一个实施例中，该应用与包括应用ID的安全令牌相关联。在操作中，系统接收由应用程序启动的用于访问数据的请求。该系统被配置为基于安全令牌的比较和与数据相关联的已批准应用ID的列表来部分地评估访问请求。

30. 发明授权

US07779265B2 Access control list inheritance thru object(s) 有权
标题翻译：访问控制列表继承通过对象
公开(公告)号：US07779265B2
公开(公告)日：2010-08-17
申请号：US11302047
申请日：2005-12-13
申请人： Kendarnath A. Dubhashi , Balan Sethu Raman , Paul J. Leach , Prasanna V. Krishnan
发明人： Kendarnath A. Dubhashi , Balan Sethu Raman , Paul J. Leach , Prasanna V. Krishnan
IPC分类号： G06F17/30 , G06F21/00
CPC分类号： G06F21/6218 , G06F2221/2141 , G06F2221/2145 , H04L63/101
摘要： An item inheritance system and method are provided. The item inheritance system can be employed to propagate access control information (e.g., an access control list) to one or more item(s), thus facilitating security of item(s). At least one of the item(s) is a compound item.The item inheritance system includes an input component that receives information associated with one or more items. The items can include container(s), object(s) and/or compound item(s). The system can be triggered by a change in security policy to the item(s), for example, adding and/or deleting a user's access to the item(s). Additionally, moving and/or copying a collection of items can further trigger the system.The system further includes a propagation component that propagates access control information to the item(s). For example, the propagation component can enforce the ACL propagation policies when a change to the security descriptor takes place at the root of a hierarchy.
摘要翻译：提供了项目继承系统和方法。可以采用项目继承系统将访问控制信息（例如，访问控制列表）传播到一个或多个项目，从而促进项目的安全性。至少一个项目是复合项目。项目继承系统包括接收与一个或多个项目相关联的信息的输入组件。物品可以包括容器，物体和/或复合物品。可以通过对项目的安全策略的改变来触发系统，例如添加和/或删除用户对项目的访问。此外，移动和/或复制物品的集合可以进一步触发系统。该系统还包括将访问控制信息传播到该项目的传播组件。例如，当安全描述符的更改发生在层次结构的根目录下时，传播组件可以强制执行ACL传播策略。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式