专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

31. 发明授权

US08813170B2 Testing access policies 有权
标题翻译：测试访问策略
公开(公告)号：US08813170B2
公开(公告)日：2014-08-19
申请号：US13294162
申请日：2011-11-10
申请人： Mark F. Novak , Paul Leach , Vishal Agarwal , David McPherson , Sunil Gottumukkala , Jignesh Shah , Arun K. Nanda , Nir Ben Zvi , Pranav Kukreja , Ramaswamy Ranganathan
发明人： Mark F. Novak , Paul Leach , Vishal Agarwal , David McPherson , Sunil Gottumukkala , Jignesh Shah , Arun K. Nanda , Nir Ben Zvi , Pranav Kukreja , Ramaswamy Ranganathan
IPC分类号： G06F17/00
CPC分类号： G06Q10/04 , G06Q50/26
摘要： A policy that governs access to a resource may be tested against real-world access requests before being used to control access to the resource. In one example, access to a resource is governed by a policy, referred to as an effective policy. When the policy is to be modified or replaced, the modification or replacement may become a test policy. When a request is made to access the resource, the request may be evaluated under both the effective policy and the test policy. Whether access is granted is determined under the effective policy, but the decision that would be made under the test policy is noted, and may be logged. If the test policy is determined to behave acceptably when confronted with real-world access requests, then the current effective policy may be replaced with the test policy.
摘要翻译：管理对资源的访问的策略可以在被用于控制对资源的访问之前被针对真实的访问请求进行测试。在一个示例中，对资源的访问受政策管辖，被称为有效策略。当修改或更换策略时，修改或替换可能成为测试策略。当请求访问资源时，可以根据有效策略和测试策略对请求进行评估。是否授予访问是根据有效策略确定的，但是将根据测试策略作出的决定被注明，并可能被记录。如果测试策略在面对现实访问请求时被确定为可接受的行为，则可以用测试策略替换当前的有效策略。

32. 发明申请

US20120167158A1 SCOPED RESOURCE AUTHORIZATION POLICIES 有权
标题翻译：范围资源授权政策
公开(公告)号：US20120167158A1
公开(公告)日：2012-06-28
申请号：US12978451
申请日：2010-12-24
申请人： Paul Leach , David McPherson , Vishal Agarwal , Mark Fishel Novak , Ming Tang , Ramaswamy Ranganathan , Pranav Kukreja , Andrey Popov , Nir Ben Zvi , Arun K. Nanda
发明人： Paul Leach , David McPherson , Vishal Agarwal , Mark Fishel Novak , Ming Tang , Ramaswamy Ranganathan , Pranav Kukreja , Andrey Popov , Nir Ben Zvi , Arun K. Nanda
IPC分类号： G06F17/00
CPC分类号： G06F21/604 , G06Q10/06
摘要： Resource authorization policies and resource scopes may be defined separately, thereby decoupling a set of authorization rules from the scope of resources to which those rules apply. In one example, a resource includes anything that can be used in a computing environment (e.g., a file, a device, etc.). A scope describes a set of resources (e.g., all files in folder X, all files labeled “Y”, etc.). Policies describe what can be done with a resource (e.g., “read-only,” “read/write,” “delete, if requestor is a member of the admin group,” etc.). When scopes and policies have been defined, they may be linked, thereby indicating that the policy applies to any resource within the scope. When a request for the resource is made, the request is evaluated against all policies associated with scopes that contain the resource. If the conditions specified in the policies apply, then the request may be granted.
摘要翻译：可以单独定义资源授权策略和资源作用域，从而将一组授权规则与这些规则适用的资源范围分离。在一个示例中，资源包括可以在计算环境（例如，文件，设备等）中使用的任何内容。范围描述一组资源（例如，文件夹X中的所有文件，标记为“Y”的所有文件等）。策略描述了资源可以做什么（例如，“只读”，“读/写”，“删除，如果请求者是管理组的成员”等）。当定义了范围和策略时，可以链接它们，从而指示策略适用于范围内的任何资源。当对资源进行请求时，会根据与包含资源的范围相关联的所有策略来评估该请求。如果策略中指定的条件适用，则可以授予请求。

33. 发明申请

US20080134311A1 Authentication delegation based on re-verification of cryptographic evidence 有权
标题翻译：基于重新验证加密证据的认证授权
公开(公告)号：US20080134311A1
公开(公告)日：2008-06-05
申请号：US11607720
申请日：2006-12-01
申请人： Gennady Medvinsky , Nir Nice , Tomer Shiran , Alexander Teplitsky , Paul Leach , John Neystadt
发明人： Gennady Medvinsky , Nir Nice , Tomer Shiran , Alexander Teplitsky , Paul Leach , John Neystadt
IPC分类号： H04L9/32 , G06F21/00
CPC分类号： H04L63/166 , G06F21/33 , G06F2221/2115 , H04L9/3213 , H04L9/3263 , H04L9/3271 , H04L29/06965 , H04L63/0823 , H04L2209/38
摘要： The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.
摘要翻译：在实体链中委托认证的方法依赖于在网关设备和用户之间的至少一部分TLS握手的记录，其中用户需要访问期望的服务器。然后，该方法依赖于在TLS握手的记录部分中重新验证加密证据，TLS握手被转发到（1）到需要访问的服务器，在这种情况下，服务器重新验证记录部分以确认认证，或者（2）到第三方实体，在这种情况下，第三方实体确认认证，并向网关服务器提供凭证，然后网关服务器使用凭证作为用户对服务器进行认证。

34. 发明申请

US20070088947A1 Deriving a Symmetric Key from an Asymmetric Key for File Encryption or Decryption 有权
标题翻译：从文件加密或解密的非对称密钥中导出对称密钥
公开(公告)号：US20070088947A1
公开(公告)日：2007-04-19
申请号：US11611051
申请日：2006-12-14
申请人： David Cross , Jianrong Gu , Josh Benaloh , Thomas Jones , Paul Leach , Glenn Pittaway
发明人： David Cross , Jianrong Gu , Josh Benaloh , Thomas Jones , Paul Leach , Glenn Pittaway
IPC分类号： H04L9/00
CPC分类号： H04L63/045 , G06Q20/3829 , H04L9/0822 , H04L9/0894 , H04L63/0823
摘要： One aspect relates to a process and associated device that provides a private key of an asymmetric key pair in a key device. A symmetric master key is derived from the private key of the asymmetric key pair. The symmetric master key is stored in a computer memory location. The symmetric master key is used to encrypt or decrypt a file encryption key. The file encryption key can encrypt or decrypt files. In another aspect, the user can still access the files even if a user deactivates the key device by encrypting or decrypting the file encryption key directly from the symmetric master key.
摘要翻译：一个方面涉及在密钥设备中提供非对称密钥对的私钥的过程和相关设备。对称主密钥是从非对称密钥对的私有密钥导出的。对称主密钥存储在计算机内存位置。对称主密钥用于加密或解密文件加密密钥。文件加密密钥可以加密或解密文件。在另一方面，即使用户通过直接从对称主密钥加密或解密文件加密密钥来使密钥设备停用，用户仍然可以访问文件。

35. 发明申请

US20060253699A1 Virtual distributed security system 有权
公开(公告)号：US20060253699A1
公开(公告)日：2006-11-09
申请号：US11254539
申请日：2005-10-20
申请人： Giovanni Della-Libera , Christopher Kaler , Scott Konersmann , Butler Lampson , Paul Leach , Bradford Lovering , Steven Lucco , Stephen Millet , Richard Rashid , John Shewchuk
发明人： Giovanni Della-Libera , Christopher Kaler , Scott Konersmann , Butler Lampson , Paul Leach , Bradford Lovering , Steven Lucco , Stephen Millet , Richard Rashid , John Shewchuk
IPC分类号： H04L9/00 , G06F12/14 , H04L9/32 , G06F11/30
CPC分类号： H04L63/08 , G06Q20/3676 , H04L63/10 , H04L63/168 , H04L63/20 , H04L67/02 , H04L67/28 , H04L67/2804 , H04L67/2823
摘要： A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.

36. 发明申请

US20060184646A1 Authentication and Authorization Across Autonomous Network Systems 有权
标题翻译：跨自治网络系统的认证和授权
公开(公告)号：US20060184646A1
公开(公告)日：2006-08-17
申请号：US11379998
申请日：2006-04-24
申请人： Donald Schmidt , Clifford Van Dyke , Paul Leach , Praerit Garg , Murli Satagopan
发明人： Donald Schmidt , Clifford Van Dyke , Paul Leach , Praerit Garg , Murli Satagopan
IPC分类号： G06F15/16
CPC分类号： H04L63/0815 , H04L63/083
摘要： An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.
摘要翻译：企业网络架构具有建立在两个自主网络系统之间的信任链路，能够实现两个网络系统的网络域之间的传递资源访问。信任链接由相应网络系统中的每一个维护的数据结构来定义。第一网络系统维护对应于第二网络系统的命名空间和第一网络系统中的域控制器，或者第一网络系统管理员指示是否信任个体命名空间。由第二网络系统中的域管理的帐户可以通过第一网络系统中的域控制器请求认证。第一网络系统从信任链路确定将认证请求传送到第二网络系统。当管理员管理组成员身份和访问控制列表时，第一个网络系统还从信任链接确定何处传达授权请求。

37. 发明申请

US20060041929A1 Virtual distributed security system 有权
公开(公告)号：US20060041929A1
公开(公告)日：2006-02-23
申请号：US11254519
申请日：2005-10-20
申请人： Giovanni Della-Libera , Christopher Kaler , Scott Konersmann , Butler Lampson , Paul Leach , Bradford Lovering , Steven Lucco , Stephen Millet , Richard Rashid , John Shewchuk
发明人： Giovanni Della-Libera , Christopher Kaler , Scott Konersmann , Butler Lampson , Paul Leach , Bradford Lovering , Steven Lucco , Stephen Millet , Richard Rashid , John Shewchuk
IPC分类号： H04L9/00
CPC分类号： H04L63/08 , G06Q20/3676 , H04L63/10 , H04L63/168 , H04L63/20 , H04L67/02 , H04L67/28 , H04L67/2804 , H04L67/2823
摘要： A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.

38. 发明授权

US6108715A Method and system for invoking remote procedure calls 失效
标题翻译：用于调用远程过程调用的方法和系统
公开(公告)号：US6108715A
公开(公告)日：2000-08-22
申请号：US892774
申请日：1997-07-15
申请人： Paul Leach , Richard Draves
发明人： Paul Leach , Richard Draves
IPC分类号： G06F9/46
CPC分类号： G06F9/547
摘要： A method and system that allows a client process to invoke a remote procedure. An operating system maintains a table with an entry for each remote procedure. Each entry of this table contains a signature that specifies a format in which parameters are exchanged between the client process and the remote procedure. When the client process requests the invocation of the remote procedure, the operating system creates a stack for the remote procedure. This stack is then mapped into the operating system's address space. By mapping the remote procedure's stack in this fashion, the operating system can simultaneously access the client's stack and the remote procedure's stack. The operating system then copies, in accordance with the remote procedure's signature, parameters directly from the client's stack to the remote procedure's stack. Once the parameters are copied, the remote procedure executes using the data contained on its own stack. When the substantive execution of the remote procedure is complete, the remote procedure traps back to the operating system. The operating system then copies, in accordance with the remote procedure's signature, return parameters from the remote procedure's stack to the client's stack. Once these parameters have been copied, the operating system returns to the client process so that the client process can continue with its execution.
摘要翻译：允许客户端进程调用远程过程的方法和系统。操作系统维护具有每个远程过程的条目的表。该表的每个条目都包含一个签名，该签名指定客户端进程和远程过程之间交换参数的格式。当客户端进程请求远程过程的调用时，操作系统将为远程过程创建一个堆栈。然后将该堆栈映射到操作系统的地址空间。通过以这种方式映射远程过程的堆栈，操作系统可以同时访问客户端的堆栈和远程过程的堆栈。然后，操作系统将根据远程过程的签名将参数直接从客户端堆栈复制到远程过程的堆栈。复制参数后，使用其自身堆栈中包含的数据执行远程过程。当远程过程的实质性执行完成时，远程过程将陷入操作系统。然后，操作系统根据远程过程的签名，将参数从远程过程的堆栈返回到客户端的堆栈。一旦这些参数被复制，操作系统将返回到客户端进程，以便客户端进程可以继续执行它。

39. 发明授权

US5802367A Method and system for transparently executing code using a surrogate process 失效
公开(公告)号：US5802367A
公开(公告)日：1998-09-01
申请号：US585511
申请日：1996-01-16
申请人： Andrew F. Held , Edward K. Jung , Paul Leach , Pradyumna K. Misra , Richard K. Sailor , Michael R. C. Seaman , Nathaniel S. Brown
发明人： Andrew F. Held , Edward K. Jung , Paul Leach , Pradyumna K. Misra , Richard K. Sailor , Michael R. C. Seaman , Nathaniel S. Brown
IPC分类号： G06F9/445 , G06F9/46 , G06F9/48 , G06F9/40
CPC分类号： G06F9/4843 , G06F9/445 , G06F9/44521 , G06F9/465 , G06F9/544 , G06F9/547
摘要： A method and system for transparently executing code using a surrogate process is provided. In a preferred embodiment, the underlying system provides a surrogate program that can execute server dynamic-link libraries. When a client program wishes to access an object of a sharable class or a class factory object, the client program requests a service control manager to execute the server code for the sharable class. In response, the service control manager determines from a registration database whether the server code is available in the form of a server executable or a server dynamic-link library. If the server code is implemented as a server dynamic-link library, the service control manager either returns the location of the server dynamic-link library to the client program to be run in the execution context of the client program or the service control manager launches the surrogate program and requests it to load the server dynamic-link library, thereby isolating the server dynamic-link library from the client program execution context. When the surrogate process is launched, the surrogate process loads the requested server dynamic-link library and instantiates class factory objects corresponding to the sharable classes implemented by the server dynamic-link library. In one embodiment, multiple server dynamic-link libraries can be loaded within the same surrogate process. According to this embodiment, when the client program requests access to an object of a sharable class or to a class factory object, the service control manager determines whether the server code that implements the object can be loaded in a surrogate process that is already executing or whether a new surrogate process needs to be launched. Once the server dynamic-link library is loaded in the surrogate process and a reference to a server object returned to the client program, the client program can communicate with the server code in the same manner as if the server code had been loaded into the execution context of the client program.

40. 发明授权

US5745764A Method and system for aggregating objects 失效
公开(公告)号：US5745764A
公开(公告)日：1998-04-28
申请号：US480465
申请日：1995-06-07
申请人： Paul Leach , Antony S. Williams , Edward Jung , C. Douglas Hodges , Srinivasa R. Koppolu , Barry B. MacKichan , Craig Wittenberg
发明人： Paul Leach , Antony S. Williams , Edward Jung , C. Douglas Hodges , Srinivasa R. Koppolu , Barry B. MacKichan , Craig Wittenberg
IPC分类号： G06F9/06 , G06F9/42 , G06F9/44 , G06F12/02 , G06F15/163 , G06F9/00 , G06F9/46
CPC分类号： G06F9/443 , G06F12/0261 , Y10S707/99944
摘要： A method and system for aggregating objects within a computer system are provided. In a preferred embodiment, the method aggregates an enclosed object within an enclosing object. The enclosed object has an object management interface and an external interface, while the enclosing object has a controlling object management interface. The controlling object management interface and the external interface of the enclosed object have query function members for receiving an identifier of an interface and for returning a reference to the identified interface. A preferred embodiment creates an instance of an enclosing object and an object to be enclosed. In static aggregation, the controlling object management interface of the enclosing object knows in advance how to return an identifier to the external interface of the enclosed object. In dynamic aggregation, an object to be enclosed is added to the enclosing object after the enclosing object is instantiated. Once aggregated, when the query function member of the object management interface of the enclosed object receives an identifier of an interface, it invokes the query function member of the controlling object management interface forwarding the interface identifier and returns the reference to an interface returned by the invoked query function member of the controlling object management interface. In dynamic aggregation, rules for determining to which interface to return a reference can by added to the enclosing object and used by the query function member of the controlling object management interface.

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式