TH55430B - The use of policies as a driving force for delegating credentials for a single authentication and secure access to network resources - Google Patents

Abstract

DC60 Credged SSP provides a credential security support provider (credential security support provider, Cred SSP) service provider that supports any application. Use from client (Through the software of the service provider at Support network security (SSP - Sccurity Support Provider, SSP on the client side) sent to the target server. (Via SSP software at the host side) within a computerized environment Network safely The SSP of this invention provides a safe method that Some are based primarily on a set of policies (including the default ones that are safe from widespread attacks), which are used to control and limit the assignment of user credentials from clients. Send to the server These policies can be used with any type of user credentials and policies that They are designed to mitigate a wider range of attacks, which makes appropriate assignments capable of This can occur on the delegation environment, the network environment, the level of trust, and so forth. Moreover, only the trusted subsystem, such as the designated authoritative subsystem, can occur. Only local security authority (LSA - Local Security Authority, LSA) will have access. Plain text certifications Therefore, both the application used to call the API (API) is the SSP of evidence on the mother side. And an application used to call the API's, that is, the SSP's. Evidence on the client side has no access to all textual credentials. The Credentials section provides a service provider that supports the security of the credentials on the network (credcitial security support provider, Cred SSP) that authorizes any application to assign user credentials. From client (Through the software of the service provider at Support network security (SSP - Sccurity Support Provider, SSP on the client side) sent to the target server. (Via SSP software at the host side) within a computerized environment Network safely The SSP of this invention provides a safe method that Some are based primarily on a set of policies (including the default ones that are safe from widespread attacks), which are used to control and limit the assignment of user credentials from clients. Send to the server These policies can be used with any type of user credentials and policies that Heterogeneity was designed to mitigate Broad attack, which makes the right assignments can This can occur on the delegation environment, the network environment, the level of trust, and so forth. Moreover, only the trusted subsystem, such as the designated authoritative subsystem, can occur. Only local security authority (LSA - Local Security Authority, LSA) will have access. Plain text certifications Therefore, both the application used to call the API (API) is the SSP of evidence on the mother side. And an application used for the love of API that is SSP's Evidence on the client side has no access to all textual credentials.

Claims (2)

Disclaimer (all) which will not appear on the advertisement page: EDIT 27/03/2017 1. Method for assigning client proofs to servers in a commercial environment. Networked computers include: Client requests for applications, services, and at least resources. One of the greatest aspects of a server in a networked computing environment involves delegation. Evidence certifying the user from the client to the network server The initiation of sending signals asking for the state of communication between the client and the server, as well as obtaining the server's public key [Kpub] by the client. Server negotiation to select the package used for authentication to be used. It is shared between the client and the server to serve as an authentication mechanism for the authentication of communications. Between client and server Authentication of the host by using the chosen authentication package as Authentication mechanism Deciding whether authentication has taken place in accordance with the aforementioned authentication process. And only if the identity has been verified A session will be established between the client and server. This covers the creation of a shared secret for encryption on messages communicated between clients and receiving servers on the client. Grouping indication for that server. Before the user credentials are forwarded for the request There is still action Review the policy according to one or more predetermined policies that have been established as evidence. Endorse the user to decide whether the server can be trusted with the user credentials, and the predefined policy is based on the grouping of the received servers. The server's Kpub authentication by: Kpub encryption with the shared secret, sending the encrypted Kpub to the server. Obtaining a response from that server and verifying that the response, including [Kpub) +1], is encrypted with that shared secret and if the server is trusted in accordance with established policies. Advance and That response has been verified. User's credentials will be forwarded to the server for obtaining the right to Access to one or more applications, services, and resources requested by the server from such clients. 2. Procedures pursuant to claim 1, where at least one of the pre-declared policies is the multiple policies that are used to Control and limit the assignment of user credentials from the client to the server from the client 3. Clause 2 approach where many policies address widespread mitigation, which This includes at least one of the trojans (Trojan) or malicious programs running on the client, the default group policy settings, and the group policy settings that the client administrator can. Configurable, malicious domain name service (DNA - domain name service, DNS). To avoid Malicious server problems and denial-of-service attacks 4. Claim Method 2 where many policies are made up of different policies. Which is At least in an assignment that is accepted or rejected on the basis of the list of service principle names (SPN) of the server. 5. Method of claim 1, where the operation Conducting inspections Policies in accordance with the requirements of one or more of the previously announced policies, which have been declared with the foundation of Types of user credentials 6. Method for claim 5, where the action consists of conducting an audit. Policies in accordance with the requirements of one or more of the previously announced policies, which have been declared with the foundation of Any type of credentials from new credentials, recorded credentials. Or implicit proof. 7. Method according to claim 1, in which the forwarding of such user evidence consists of Pass the user credentials in a format that is the only trusted subsystem of a local security system. Only those who have the right to access the user credentials in plain text format. 8. Method for claim 7 where the action of the policy review will be performed by the user. Set local security authority (LSA - Local Security Authority, LSA) and Trust will be the LSA's trusted subsystem. 9. The method of claim 1 also includes: after the establishment of a session between the client and the host. Keys will be proven. Public Server 1 0. Claim 1 method where the procedure is performed through a service provider's component that supports the security of the network credentials that are available to continue. Client made requests through the interface of a network security support provider (SSPI - Security Support Provider Interface, SSPI) 1 1. Method according to claim 1 in Where the signal starts asking for contact status is the ask signal. State of communication to Protected Protocols, Shielded Shielding (SSL - Secure Sockets Layer, SSL) or Transport Layer Security Shielded Protocol (TLS - Transport Layer Security, TLS ) 1 2. Method for claim 1, where a bargaining consists of negotiating using a bargaining mechanism. Through the application interface used for general security. (GPS, API) that is not complicated And protection (Simple and Protected Generic Security Service Application Program Interface (GSSAPI) Negotiation Mechanism) or short term SPNEGO (SPNEGO) 1 3. Method according to claim 1 in which the package The authentication used for the selected authentication is Kerberos or the local network manager on Windows NT. (NTLM - Windows NT Local Area Network (LAN) Manager; NTLM) 1 4. Method based on claim 1, where such shared secret is the session key ( session) shared 1 5. Workstation devices include: Provider components that support the security of the network credentials. For handling requests from client computer equipment to use at least one server's applications, services, and resources in a networked computing environment where the request involves the assignment of user credentials from the computer equipment. Client to the server Where the vendor component supports the security of the evidence on The network initiates a signal asking for the communication status between the client and the server, including obtaining the host's public key [Kpub] by the client, negotiating to select a service provider that supports the network. Secure on networks shared by the client and server to serve as an authentication package. For verifying the identity of communication between client and server and taking steps to verify Client and host identities using the package used to authenticate them and where only after, if authentication has already occurred. Vendor components Support the security of the credentials on the network to establish a session between clients. And the host and create a shared secret to encrypt the messages that are communicated between the client and server. According to that session, and from obtaining an indication of grouping for the server to perform the audit. A policy based on the requirements of one or more of the previously published policies that are used to control and limit the Assigning user credentials from the client computer equipment to the server, the policy is verified by Based on grouping of receiving servers And prove the identity of the server by Kpub; Encrypted Kpub With such a shared secret, sending the encrypted Kpub to the server. Receiving a response from the server and verifying that the response is comprehensive [Kpub +1] is encrypted with such shared confidentiality and the user's credentials are passed on to the server for the right. Access to that application, such services And at least one such resource is requested by the server from the client. Only when the policy review is valid The response is verified 1 6. Client computer equipment according to claim 15, where the vendor component is validated. Support for the Security of the credentials on the network will forward the user credentials in the form As such, only the Local Security Authority (LSA) trusted subsystem can Decoded in plain text format 1 7. Client computer equipment pursuant to claim 15, where at least one of the policies announced. First, it manages to mitigate a broader attack that covers at least one of the trojans or programs. Malicious active clients, the default group policy settings, and the default group policy settings. Client administrators can configure malicious domain name (DNA) services to avoid malicious server problems and denial-of-service attacks. 15th where at least one of the policies announced First, it contains an assignment policy based on any type of proof of New credentials, recorded credentials Or implicit proof 1 9. System to perform the computer results in assigning evidence of user credentials from clients to A server in a networked computing environment in a role as part of the sign-in on Single server resources The system consists of: At least one processor and peripheral memory, communicating with at least one processor, and Contain various instructions When one or more processors are performed by one or more processors, one of these methods is performed: sending requests from clients for applications. Service work and at least resources One of the greatest aspects of a server in a networked computer environment implies delegation. Of evidence certifying the user from the client to the said server Initiating cooperation between the client and the server As well as obtaining the public key [Kpub] of the server by the said client. Negotiate with the server to select the authentication package that is shared. Between client and server as an authentication mechanism for the authentication of communication between children. Network and host Authentication of the host using the selected authentication package as Authentication mechanism Whether or not the authentication occurs with the said authentication procedure, and only when the authentication has occurred. A session will be established between the client and server. This covers the creation of a shared secret for encryption on messages communicated between the client and the server and received on the client, indication of the grouping for that server. Before submitting the user credentials for such requests Inspection Policy-based policies meet at least one predetermined policy definition for credentials. User to define a trusted server with user credentials or not. Which is where the policy is defined In advance based on grouping of received servers The server's Kpub authentication by: Kpub encryption With such shared secret, sending the encrypted Kpub to the server. Obtaining a response from the server and verifying that the response is comprehensive [Kpub +1], encrypted with such shared confidentiality, and if the server is trusted by a predetermined policy; and The response is verified, the transmission of the user's credentials to the server for the right to access that application. Such services And at least one such resource of the client's server --------------------------- 1. Methods for crouching client testimonials to a server in a medical environment. A networked computer consists of: Requests for applications, services, or at least one parent resource. Networks from clients in a networked computing environment in which evidence assignments are involved. Certify the user from the client to the server The initiation of sending signals asking for the state of communication between the client and the server, as well as obtaining the server's public key [Kpub] by the client. Negotiating to select a package used for authentication that is shared between Client and host to be used as an authentication mechanism for the authentication of communication between client and server, authentication by the use of the chosen authentication package. As Authentication mechanism A decision whether mutual authentication has taken place in accordance with the aforementioned authentication procedure. And if the identity has been verified A session will be established between the client and the host which covers the To create a shared secret to encrypt messages that are communicated between client and server. Receiving on client Grouping indication for that server. Before the credentials are forwarded for the request There is still an investigation. A policy in accordance with the requirements of one or more of the previously published policies that have been assigned to the user credentials. To decide whether the server can be trusted with the user's credentials or not. Which is where the policy Predetermined on the basis of the received server grouping The server's Kpub authentication by: Kpub encryption with the shared secret, sending the encrypted Kpub to the server. Obtaining a response from that server and verifying that the response, including [Kpub +1], is encrypted with that shared secret and if the server is trusted by a predetermined policy; and The response is verified, the user's credentials are forwarded to the server for the right to access the program. Application, service 2. Claim 1 method, where at least one of the pre-declared policies is a multitude of policies that are used to control and limit action. Assign client credentials to the server. 3. Claim-2 approach where many policies address widespread mitigation. This covers at least one of the trojans (Trojan) or malicious programs running on the client, the default group policy settings, and the client administrator group policy settings. Can be configured, malicious domain name service (DNA - domain namc service, DNS) to avoid malicious server problems and denial-of-service attacks. 4. Method of claim 2 where the policy There are many policies. Which is At least one of the assignments that are accepted or rejected based on the list of service principle names (SPNs) of the server. 5. Method of claim 1, where the The action consists of conducting an audit. Policy in accordance with the requirements of the Relative Resistance of the Authentication Mechanism 6. Method for claim 1 where action consists of conducting an audit. Policies in accordance with the requirements of one or more of the previously announced policies, which have been declared with the foundation of Types of user credentials 7. Claim Method 6, where the action consists of an audit. Policies in accordance with the requirements of one or more of the previously announced policies, which have been declared with the foundation of Any type of credentials from new credentials, recorded credentials. Or implicit proof of evidence. 8. Method of claim 1 in which the forwarding of such user evidence consists of Forwarding user credentials in a format that only has a trusted subsystem of a specific security system. Only a place has access to user credentials in plain text format. 9. Method for Claim 8, where the conduct of the policy review will be done by: Local Security Authority LSA and the local security authority Trust will be the LSA's Trusted Subsystem 1 0. The method of claim 1 also includes: after the establishment of a session between the client and the server. The server's public key 1 will be verified 1. Method to claim 1, where the procedure is performed via a service provider's component (componcnt) that supports the security of the network credentials. Which is ready for further use Clients making requests through the interface of a network security support provider (SSPI - Security Support Provider interface, SSPI) 1 2. Method according to claim 1 in Where the signal begins in asking the contact status between children The network and the server are the communication status queries between client and server in accordance with the protocol requirements. That is the protection protocol for the socket layer (SSL - Secure Sockets Layer, SSL) and the protocol that is Criteria for Transport Layer Security (TLS) 1 3. Claim Method 1 where a bargaining consists of negotiating by means of a negotiation mechanism. General security negotiation through the application interface (GSSAPI) that is simple and protected (Simple and Protected Generic Sccurity Service Application Program Interface (GSSAPI) Negotiation Mechanism) or shortly known as SPNEGO (SPNEGO) 1 4 The method according to claim 1, where the chosen authentication package is the type Any type in Kerberos or Local Area Network Manager on Windows NT (NTLM - Windows NT Local Area Network (LAN) Manager, NTLM). Claim 1, where the shared secret is the shared session key 1 6. The application interface consists of modules. Of the interface at Computers can perform actions that have various commands. That the computer can perform which is used to Proceed to the instructions in Claim 1 1 7. Workstation equipment consists of: Provider components that support the security of the network credential. For handling requests from workstation devices to run applications, services, or host resources in a networked computing environment. Where the request relates to Assign the user credentials from the client computer equipment to the server. Where the vendor component supports the security of the evidence on The network initiates a signal asking for the contact status between the client and the server, negotiating to select a user. Provides services that support security on networks shared by clients and servers to use as a package Used to authenticate for the authentication of communication between client and server, steps are taken to authenticate each other between client and server using the authentication package. that Where, if mutual authentication has already taken place Vendor components Supporting the security of the credentials on the network will establish a session between the client and the parent. Network and create a shared secret to encrypt messages communicated between the client and server in accordance with that session, conducting a policy review in accordance with the requirements of one or more of the published policies that are This is used to control and limit the assignment of user credentials from the client computer device to the server, and to forward the user credentials to the server for the client's right to access the application, service or parent resources. Network only if the policy review is valid through 1. 8. Client computer equipment according to claim 17, where the vendor component at Support for the security of the credentials on the network will forward the user credentials in the available format. Only the Local Security Authority (LSA) trusted subsystem can Decoded in plain-text format 1 9. Client computer equipment pursuant to claim 17, where at least one of the declared policies. It will manage to mitigate a broader attack that covers at least one of the trojans or Malicious programs running on clients, default group policy settings and policy settings. Configurable groups for client administrators, malicious domain name (DNA) service. To avoid malicious server problems and denial-of-service attacks 2 0. Client computing devices pursuant to claim 17, where at least one of the policies announced. First, it consists of an assignment policy based on the relative resistance of the authentication mechanism 2. 1. Client computer equipment pursuant to claim 17, where at least one of the It consists of an assignment policy based on any type of proof of New credentials, recorded credentials Or implicit proof 2 2. Methods for assigning user credentials from a client to a server in a computer environment Networked computers in roles that are a single sign-on to the host's resources include; Obtaining user credentials through single sign-on of local components. Contact a client user to access the host resource pack. And in response Initialization of signaling to ask for the communication status between client and server in accordance with the requirements of The protocol that is the protection protocol, the transport layer (TLS), the negotiation to select the authentication package that is shared between clients and A server to be used as an authentication mechanism for the authentication of communication between client and server. Mutual authentication of the host and client using the authentication package. Selected identity as an authentication mechanism If mutual authentication has already taken place A session will be established between clients. And a server, which covers the creation of a shared secret for encryption of the messages being communicated. Between client and server, and assigning user credentials to the server for secure access to the resource pack.