US20050283824A1 - Security policy generation - Google Patents

Publication number
US20050283824A1
Legal status
Abandoned
Application number
US11/158,622
Inventor
Yuhichi Nakamura
Takeshi Imamura
Michiaki Tatsubori
Satoshi Makino
Assignee
International Business Machines Corp
Priority to
US12/182,889 (US8141131B2); US12/251,313 (US8112786B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/606 Protecting data by securing the transmission between two devices or processes

Definitions

  • the present invention relates to a security policy generation method, a security policy generation device, a program and a recording medium. More particularly, this invention relates to a security policy generation method, a security policy generation device, a program and a recording medium for generating a security policy that is set up for a transmitting or receiving message in at least one of a plurality of information processing apparatuses connected via a network.
  • an information processing apparatus such as a server apparatus communicates with another information processing apparatus connected via a network.
  • a relatively complex security policy is simply created by preparing the models of security policy.
  • a technique has been offered in which a security policy is selected by the user from among the candidates of security policy settable in an apparatus of setting object.
  • a technique has been offered in which a security policy having a specific keyword is selected from among a plurality of security policies represented as a text file that are prepared. With these techniques, the user can be relieved of the trouble taken to select the security policy.
  • the problems to be solved by the invention include the following.
  • a plurality of information processing apparatuses having a different administrator from each other typically cooperate with each other to provide the services such as a web service.
  • For example, in the case of an online shopping system using credit cards, a purchaser terminal, a seller server and a card transaction system operate in a coordinated manner.
  • To set up a security policy appropriate to each information processing apparatus in such a system, it is necessary to properly understand the contents, modes, etc. of the communications performed between the information processing apparatuses and then perform the setting according to those contents, modes, etc.
  • a problem to be solved by the invention is to set up a suitable security policy for each information processing apparatus according to the whole business process implemented by a plurality of information processing apparatuses having a different administrator from each other.
  • an object of the invention is to provide a security policy generation method, security policy generation device, program and recording medium that can solve the above problem.
  • a security policy generation method for generating a security policy that decides at least one of an electronic signature to be appended to a message transmitted or received by an information processing apparatus and an encryption method for encrypting the message transmitted or received by the information processing apparatus.
  • the security policy is set up for the information processing apparatus.
  • a security policy generation method includes: an application model generation step of generating for each of a plurality of messages that are communicated using a distributed application program, an application model having a transmitter and a receiver of the message decided, according to an instruction of the user; a security pattern storage step of storing in advance a plurality of security patterns that are models of security policy having a signer of an electronic signature appended to the message or a decoder for decoding the encrypted message as an undecided parameter; a security pattern selection step of selecting according to an instruction of the user, a security pattern that is a model of security policy to be set up for the transmitter or receiver of the message, corresponding to each of the plurality of messages included in the application model; and a security policy generation step of generating a security policy by substituting the identification information of the transmitter or receiver of each message included in the application model for the undecided parameter of the security pattern selected corresponding to the message.
  • a security policy generation device using the security policy generation method, a program for enabling a computer to operate as the security policy generation device, and a recording medium on which the program is recorded. It is noted that in the above described outlines of the invention, not all essential features of the invention are listed. Subcombinations of these feature groups can also become an invention. Thus, with this invention, a suitable security policy can be set up for each of a plurality of information processing apparatuses for performing a distributed application program.
  • FIG. 1 shows a configuration of an information processing system 10 ;
  • FIG. 2 shows an example of an interface setting information 20 ;
  • FIG. 3 shows a configuration of a security policy generation device 30 ;
  • FIG. 4 shows an example of a security pattern 400 a
  • FIG. 5 shows an example of a security pattern 400 b
  • FIG. 6 shows an exemplary application model
  • FIG. 7 shows exemplary security patterns in an application example of the security policy generation device 30 according to the embodiment.
  • FIG. 8 shows an exemplary security policy obtained by applying an application model
  • FIG. 9 shows an exemplary security policy obtained by applying a platform model
  • FIG. 10 shows an operational flow of an exemplary process of the security policy generation device 30 creating a security policy
  • FIG. 11 shows the details of process S 1060 .
  • FIG. 12 shows an exemplary hardware configuration of a computer 500 working as the security policy generation device 30 .
  • the present invention provides security policy generation methods, security policy generation devices, and program and recording medium that can solve the above problem.
  • a security policy generation method for generating a security policy (2) a security policy generation device using the security policy generation method, (3) a program for enabling a computer to operate as the security policy generation device and (4) a recording medium on which the program is recorded.
  • the security policy generation method is for generating a security policy that decides at least one of an electronic signature to be appended to a message transmitted or received by an information processing apparatus and an encryption method for encrypting the message transmitted or received by the information processing apparatus.
  • a security policy being set up for the information processing apparatus.
  • An example security policy generation method includes: an application model generation step of generating for each of a plurality of messages that are communicated using a distributed application program, an application model having a transmitter and a receiver of the message decided, according to an instruction of the user; a security pattern storage step of storing in advance a plurality of security patterns that are models of security policy having a signer of an electronic signature appended to the message or a decoder for decoding the encrypted message as an undecided parameter; a security pattern selection step of selecting according to an instruction of the user, a security pattern that is a model of security policy to be set up for the transmitter or receiver of the message, corresponding to each of the plurality of messages included in the application model; and a security policy generation step of generating a security policy by substituting the identification information of the transmitter or receiver of each message included in the application model for the undecided parameter of the security pattern selected corresponding to the message.
  • a suitable security policy can be set up for each of a plurality of information processing apparatuses for performing a
  • FIG. 1 shows a configuration of an information processing system 10 .
  • the information processing system 10 includes a security policy generation device 30 , terminal 35 , server 40 , server 50 and authentication server 60 .
  • a security policy is set up for at least one of the terminal 35 , server 40 and server 50 , each being an exemplary information processing system.
  • the security policy decides at least one of an electronic signature to be appended to a message transmitted or received by an information processing apparatus and an encryption method for encrypting the message transmitted or received by the information processing apparatus, each of the electronic signature and encryption method being set up for the information processing apparatus.
  • the terminal 35 operated by a user purchasing a commodity or service, etc, sends to the server 40 the order information for ordering the commodity as well as the identification number of a credit card, etc.
  • the server 40 operated by a seller selling commodities, etc, sends to the server 50 the identification number of a credit card, etc. received together with the order information, when receiving the order information from the security policy generation device 30 .
  • interface setting information 20 is decided which defines the interface regarding services provided by the server 40 for the terminal 35 or server 50 .
  • the server 50 managed by an issuing corporation of a credit card, etc, determines the validity of the identification number and the credit limit, etc. of the credit card identified by use of the identification number, when receiving the identification number from the server 40 . Then, the server 50 sends back the determination result to the server 40 . In response to this, the server 40 sends to the terminal 35 the information indicating whether or not the order is acceptable.
  • the authentication server 60 manages encryption key or electronic certificate for the process of encrypting a message or appending an electronic signature to a message.
  • the authentication server 60 issues the encryption key or electronic certificate, etc. in response to a request from the terminal 35 , server 40 and server 50 .
  • An example of the authentication server 60 is Certified Authority (CA) which issues an X.509-compliant encryption key, etc.
  • FIG. 2 shows an example of the interface setting information 20 .
  • the interface setting information 20 defines the interface of services provided by the server 40 for the terminal 35 or server 50 .
  • the 1 st to 6 th lines of the interface setting information 20 define a namespace in the interface setting information 20 or in a message transmitted or received by the server 40 .
  • With the namespace, the meaning of an identifier, such as a tag used in the interface setting information 20 or in the message, can be defined.
  • the 7 th to 10 th lines of the interface setting information 20 define the type of name uniquely used in the interface setting information 20 .
  • the 12 th to 20 th lines of the interface setting information 20 define the message format for each of a message inputted for the service processing and a message outputted as the result of the service processing.
  • the 22 nd to 28 th lines of the interface setting information 20 define a program performing the service processing and the I/O of the program.
  • myServices 1 , specified in the operation tag, indicates the name of the program.
  • message 1 , specified in the input tag, indicates the identification information of a message inputted into the program.
  • message 4 , specified in the output tag, indicates the identification information of a message outputted from the program.
  • the 30 th to 32 nd lines of the interface setting information 20 define the communication protocol, etc. specifically used in the transmitting or receiving process with respect to the transmitting or receiving of each message.
  • the interface setting information 20 is described using interface description language. For example, it may be described using WSDL (Web Services Description Language). The details of WSDL are described in non-patent document 2, and hence repeated explanation thereof is omitted here.
  • FIG. 3 shows a configuration of the security policy generation device 30 .
  • the security policy generation device 30 includes an application model generation part 300 , a security pattern storage part 310 , a candidate selection part 320 , a security pattern selection part 330 , a platform model storage part 340 and a security policy generation part 350 .
  • the application model generation part 300 generates, for each of a plurality of messages that are communicated using a distributed application program, an application model having a transmitter and a receiver of the message decided, according to an instruction of the user.
  • the application model may further decide for each message the identification information of the message or the intermediary serving as an information processing apparatus that repeats the message.
  • the distributed application program as used herein means a program which enables a plurality of information processing apparatuses to communicate with each other so that the information processing apparatuses operate according to a request of the user.
  • the distributed application program may not necessarily be a single dependent program but may be a group of programs installed into each of a plurality of information processing apparatuses.
  • the security pattern storage part 310 stores a plurality of security patterns that are models of security policy with a signer of electronic signature appended to a message or a decoder for decoding the encrypted message as an undecided parameter.
  • the security pattern storage part 310 may store each of a security pattern for transmitter, a security pattern for receiver and a security pattern for intermediary, each being a model of security pattern settable in each of the transmitter, receiver and intermediary of the message.
  • the security pattern may further include a parameter used in a process of encrypting or decoding a message, a parameter used in a process of generating an electronic signature appended to a message or a parameter used in a process of authenticating the electronic signature as an undecided parameter.
  • a security pattern 400 a and a security pattern 400 b each stored in the security pattern storage part 310 will be described later.
  • In the candidate selection part 320 , the user inputs an instruction specifying a message and an information processing apparatus for which a security policy is to be set up. Then, according to whether the information processing apparatus of security policy setting object is a transmitter, a receiver or an intermediary of the message of security policy setting object, the candidate selection part 320 selects the candidates of security pattern which can be set up for the information processing apparatus. In addition, the candidate selection part 320 may select the candidates of security pattern according to whether there exists an intermediary in the message of setting object. The selected candidates are referred to as pattern candidates.
  • the security pattern selection part 330 selects according to an instruction of the user, a security pattern that is a model of security policy to be set up for the transmitter or receiver of the message, corresponding to each of the plurality of messages included in the application model. For example, the security pattern selection part 330 may select according to an instruction of the user, one security pattern from among the candidates of security pattern selected by the candidate selection part 320 .
  • the platform model storage part 340 stores an encryption processing parameter used in a process of encryption or decoding by an information processing apparatus, the encryption processing parameter being specified in advance for each information processing apparatus.
  • the platform model storage part 340 stores a signature processing parameter used in the process of generating the electronic signature or in the process of authenticating the electronic signature by the information processing apparatus, the signature processing parameter being specified in advance for each information processing apparatus.
  • the security policy generation part 350 generates a security policy by substituting the identification information of the transmitter or receiver of each message included in the application model for the undecided parameter of the security pattern selected corresponding to the message. In addition, the security policy generation part 350 further substitutes the encryption processing parameter or signature processing parameter in the information processing apparatus of security policy setting object for the undecided parameter of the security pattern. Alternatively, the security policy generation part 350 may substitute the information as inputted by the user for the undecided parameter.
  • FIG. 4 shows an example of a security pattern 400 a.
  • the name of the security pattern 400 a is “encrypted message (ET 1 )”.
  • the security pattern 400 a includes descriptive texts described in natural language.
  • a descriptive text “provision of secret message” describing the summary of the security pattern is included in the security pattern 400 a.
  • a descriptive text “information leaks” describing the presumed situation with respect to the security pattern is included in the security pattern 400 a. This descriptive text indicates the attack or threat to be guarded against using the security policy to be set up, or the countermeasure against these practices.
  • the meaning of the security pattern can be shown so that the user can more easily understand it.
  • the security pattern 400 a includes transmitter type, receiver type and intermediary type. Specifically, the security pattern 400 a includes as the transmitter type any one of the presence attribute (any) indicating the presence of an information processing apparatus for transmitter in the message of security pattern 400 a setting object, the presence inhibition attribute (none) indicating the prohibition of the presence of an information processing apparatus for transmitter in the message of security pattern 400 a setting object, and the self attribute (self) indicating that the security pattern 400 a is a security pattern for transmitter.
  • the security pattern 400 a includes as the receiver type any one of the presence attribute (any) indicating the presence of an information processing apparatus for receiver in the message of security pattern 400 a setting object, the presence inhibition attribute (none) indicating the prohibition of the presence of an information processing apparatus for receiver in the message of security pattern 400 a setting object and the self attribute (self) indicating that the security pattern 400 a is a security pattern for a receiver.
  • the security pattern 400 a includes as the intermediary type any one of the presence attribute (any) indicating the presence of an information processing apparatus for intermediary in the message of security pattern 400 a setting object, the presence inhibition attribute (none) indicating the prohibition of the presence of an information processing apparatus for intermediary in the message of security pattern 400 a setting object, and the self attribute (self) indicating that the security pattern 400 a is a security pattern for an intermediary.
  • the intermediary type is none; therefore the security pattern 400 a indicates the inhibition of the presence of an intermediary in the message of security pattern 400 a setting object.
  • the transmitter type is any; therefore the security pattern 400 a indicates the presence of a transmitter in the message of security pattern 400 a setting object.
  • the receiver type is self; therefore the security pattern 400 a indicates that it is a security pattern for receiver.
  • the security pattern 400 a includes a model of security policy with the name of a message of setting object, the encryption algorithm, the type of cipher and the identification information regarding Certified Authority as an undecided parameter.
  • a string of characters enclosed in braces with $ mark indicates an undecided parameter.
  • ${ALGORITHM_URL} indicates the location of a program implementing the encryption algorithm.
  • ${TOKEN_TYPE_QNAME} indicates the type of cipher, which specifically indicates the kind of electronic certificate, etc.
  • ${TOKEN_ISSUER_NAME} indicates the identification information regarding the authentication server 60 , etc. being an issuer of encryption key.
  • a model of security policy is represented as text data.
  • the security pattern 400 a may hold a model of security policy being divided into a plurality of segments.
  • the security pattern 400 a may hold an undecided-parameter segment and a non-undecided parameter segment as fragmentary text data. In this case, a process of retrieving an undecided parameter from the security policy can be made more efficient.
  • the security policy may further include parameter type indicating the definition of information to be stored in the undecided parameter, the parameter type corresponding to each undecided parameter.
  • each message of an application model may include parameter type indicating the definition of information indicated by a parameter included in the above message, the parameter type corresponding to each parameter. Accordingly, the security policy generation part 350 can quickly select an undecided parameter to be substituted by not scanning text data being a model of security policy but determining the correspondence regarding parameter type.
  • FIG. 5 shows an example of a security pattern 400 b.
  • the name of the security pattern 400 b is “signed message (SI 1 )”.
  • the security pattern 400 b which is a setting for the receiver of a message, includes the transmitter of the message as an undecided parameter and indicates that only the reception of the message with the electronic signature of the transmitter appended thereto is permitted.
  • the security pattern 400 b includes descriptive texts described in natural language.
  • a descriptive text “provision of complete message” describing the summary of the security pattern is included in the security pattern 400 b.
  • a descriptive text “message forgery” describing the presumed situation with respect to the security pattern is included in the security pattern 400 b. This descriptive text indicates the attack or threat to be guarded against using the security policy to be set up, or the countermeasure against these practices.
  • the security pattern 400 b decides transmitter type, receiver type and intermediary type. More specifically, referring to the drawing, the intermediary type is any; therefore, the security pattern 400 b indicates the presence of an intermediary in the message of setting object. Referring to the drawing, the transmitter type is any; therefore, the security pattern 400 b indicates the presence of a transmitter in the message of setting object. Referring to the drawing, the receiver type is self; therefore, the security pattern 400 b indicates that it is a security pattern for receiver.
  • the security pattern 400 b includes a model of security policy with the name of a message of setting object, the encryption algorithm, the type of cipher and the identification information regarding Certified Authority as an undecided parameter.
  • a string of characters enclosed in braces with $ mark indicates an undecided parameter.
  • ${ALGORITHM_URI} indicates the location of a program implementing the encryption algorithm.
  • ${TOKEN_TYPE_QNAME} indicates the type of cipher, which specifically indicates the kind of electronic certificate, etc.
  • ${TOKEN_ISSUER_NAME} indicates the identification information regarding the authentication server 60 , etc. being an issuer of encryption key.
  • ${INITIAL_SENDER_NAME} indicates the identification information regarding the transmitter of a message.
  • the security policy generation part 350 substitutes the identification information of the transmitter of the message corresponding to the security pattern 400 b for the undecided parameter of the security pattern 400 b regarding the transmitter.
  • the tag information, etc. indicating the security policy format are prepared in advance as security pattern, thus setting only a different part as undecided parameter according to the message of setting object. Accordingly, a suitable security pattern can be quickly created.
  • a model of security policy is shown as single text data described in a description language called WS-SecurityPolicy (refer to non-patent document 1).
  • the security pattern 400 b may hold a model of security policy using another data format.
  • the security pattern 400 b may hold a fragment of that part of security policy that identifies an undecided parameter.
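The candidate selection (part 320) and the substitution step (part 350) described above, as an added Python sketch that is not the patent's own code: the class names, the shortened policy templates standing in for the WS-SecurityPolicy text of FIGS. 4 and 5, and the apparatus and platform values are constructed assumptions.

```python
"""Added illustration of the security pattern / application model / platform
model interplay.  Not the patent's code: class names, the shortened policy
templates and the apparatus names are constructed stand-ins."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attributes a pattern declares for transmitter, receiver and intermediary:
#   "any"  -> such an apparatus is present in the message of setting object
#   "none" -> such an apparatus must not be present
#   "self" -> the pattern is a setting for that apparatus
ANY, NONE, SELF = "any", "none", "self"

# Undecided parameters are written ${NAME} inside the model of security policy.
PARAM_RE = re.compile(r"\$\{([A-Z_]+)\}")


@dataclass(frozen=True)
class SecurityPattern:
    name: str
    transmitter: str
    receiver: str
    intermediary: str
    template: str  # model of security policy with undecided ${...} parameters


@dataclass(frozen=True)
class MessagePart:
    name: str
    transmitter: str
    receiver: str
    intermediary: Optional[str] = None


# Constructed stand-ins for ET1 (encrypted message, receiver side, no
# intermediary allowed) and SI1 (signed message, receiver side, intermediary present).
ET1 = SecurityPattern("ET1", ANY, SELF, NONE,
                      "Confidentiality(${MESSAGE_PARTS}) alg=${ALGORITHM_URI} "
                      "token=${TOKEN_TYPE_QNAME} issuer=${TOKEN_ISSUER_NAME}")
SI1 = SecurityPattern("SI1", ANY, SELF, ANY,
                      "Integrity(${MESSAGE_PARTS}) signer=${INITIAL_SENDER_NAME} "
                      "alg=${ALGORITHM_URI} token=${TOKEN_TYPE_QNAME} "
                      "issuer=${TOKEN_ISSUER_NAME}")
PATTERNS = [ET1, SI1]

# Application model entries after FIG. 6: part 1-a goes straight from the
# terminal to server 40; part 1-c (card number) is relayed to server 50 via server 40.
PART_1A = MessagePart("part1-a", "terminal35", "server40")
PART_1C = MessagePart("part1-c", "terminal35", "server50", intermediary="server40")

# Platform model: parameters fixed in advance per apparatus (constructed values).
PLATFORM_SERVER50 = {
    "ALGORITHM_URI": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "TOKEN_TYPE_QNAME": "wsse:X509v3",
    "TOKEN_ISSUER_NAME": "CN=authentication-server-60",
}


def role_of(part: MessagePart, apparatus: str) -> Optional[str]:
    """Role the setting-object apparatus plays in the message part, if any."""
    for role in ("transmitter", "receiver", "intermediary"):
        if getattr(part, role) == apparatus:
            return role
    return None


def select_candidates(patterns, part, apparatus) -> List[SecurityPattern]:
    """Candidate selection part 320: a pattern qualifies when its 'self'
    attribute matches the apparatus's role and its intermediary attribute
    agrees with whether the part actually passes through an intermediary."""
    role = role_of(part, apparatus)
    if role is None:
        return []
    has_intermediary = part.intermediary is not None
    chosen = []
    for p in patterns:
        if getattr(p, role) != SELF:
            continue
        if p.intermediary == NONE and has_intermediary:
            continue
        if p.intermediary == ANY and not has_intermediary:
            continue
        chosen.append(p)
    return chosen


def generate_policy(pattern, part, platform, user_input=None) -> str:
    """Security policy generation part 350: fill the undecided parameters from
    the application model first, then the platform model, then user input.
    A parameter that is still undecided is an error, not a usable policy."""
    values: Dict[str, str] = {
        "MESSAGE_PARTS": part.name,
        "INITIAL_SENDER_NAME": part.transmitter,
        "SUBJECT_NAME": part.receiver,
    }
    values.update(platform)
    values.update(user_input or {})
    policy = PARAM_RE.sub(lambda m: values.get(m.group(1), m.group(0)),
                          pattern.template)
    undecided = PARAM_RE.findall(policy)
    if undecided:
        raise ValueError(f"undecided parameters remain: {undecided}")
    return policy
```

For server 50 as receiver of part 1-c only SI1 qualifies (ET1 forbids an intermediary), and the generated policy names terminal 35 as the required signer.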
  • FIG. 6 shows an exemplary application model. Firstly the process of generating an application model will be described with reference to the drawing.
  • the application model generation part 300 defines according to an instruction of the user, the communications of a distributed application program that is processed in a coordinated manner by a plurality of information processing apparatuses. Each communication of the distributed application program is defined based on the business scenario for electric commerce, etc. implemented by the distributed application program.
  • a terminal 35 sends order information for ordering a commodity, etc. as a message to a server 40 .
  • the terminal 35 sends information regarding payments, such as credit card number, via the server 40 as a message to a server 50 .
  • the server 40 sends information regarding commodity price, etc. as a message to the server 50 .
  • the server 50 sends information regarding the availability of payment as a message to the server 40 .
  • the server 40 sends information regarding commodity receipt, etc. as a message to the terminal 35 .
  • the user arranges each of the above described messages in the business scenario on the window by use of GUI. Accordingly, the user can specify the transmitter, receiver, etc. of each message by performing an intuitive operation as in the drawing of an event trace diagram for business.
  • the application model generation part 300 decides the identification information, transmitter, receiver and intermediary for each message. Specifically, regarding message 1 , the application model generation part 300 specifies the terminal 35 as the transmitter, and specifies the server 40 as the receiver. Regarding message 2 , the application model generation part 300 specifies the server 40 as the transmitter, and specifies the server 50 as the receiver. Regarding message 3 , the application model generation part 300 specifies the server 50 as the transmitter, and specifies the server 40 as the receiver. Regarding message 4 , the application model generation part 300 specifies the server 40 as the transmitter, and specifies the terminal 35 as the receiver.
  • the application model generation part 300 decides at least one message part included in each message. Specifically, the application model generation part 300 decides part 1 - a, part 1 - b and part 1 - c as message parts included in message 1 . The application model generation part 300 decides part 1 - c and part 2 - a as message parts included in message 2 . In this case, the transmitter of message part part 1 - c is the terminal 35 ; the intermediary of message part part 1 - c is the server 40 ; the receiver of message part part 1 - c is the server 50 . In this way, the application model generation part 300 may decide a different transmitter or receiver for each message part even within the same message. In addition, the application model generation part 300 decides part 3 - a as a message part included in message 3 , and decides part 4 - a as a message part included in message 4 .
  • the application model generation part 300 may automatically generate an application model according to the interface setting information 20 provided for the server 40 .
  • the application model generation part 300 may automatically generate a message part received by the server 40 according to the message format decided in the interface setting information 20 . In this case, it is sufficient for the user to perform the message definition only for information processing apparatuses in which no interface setting information is decided.
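The automatic variant just described, as an added Python example that is not the patent's code: it derives server 40's side of the application model from a WSDL document shaped like the interface setting information 20 of FIG. 2 (messages, an operation with input and output). The WSDL text, the apparatus names and the message-part naming are constructed assumptions.

```python
"""Added example (not the patent's code): derive the application model for a
server from its WSDL interface setting information.  Every <input> of an
operation is a message the server receives, every <output> one it sends."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"


def q(tag: str) -> str:
    """Clark-notation name for a WSDL element."""
    return f"{{{WSDL_NS}}}{tag}"


@dataclass(frozen=True)
class Message:
    name: str
    transmitter: str
    receiver: str
    parts: List[str]


# Constructed stand-in for interface setting information 20 (FIG. 2):
# namespaces, message formats and one operation with its input and output.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="urn:example:shop"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:example:shop">
  <message name="message1">
    <part name="order" type="xsd:string"/>
    <part name="cardNumber" type="xsd:string"/>
  </message>
  <message name="message4">
    <part name="receipt" type="xsd:string"/>
  </message>
  <portType name="ShopPortType">
    <operation name="myServices1">
      <input message="tns:message1"/>
      <output message="tns:message4"/>
    </operation>
  </portType>
</definitions>
"""


def application_model_from_wsdl(wsdl_text: str, server: str, peer: str) -> List[Message]:
    """Application model generation part 300, automatic variant: decide the
    transmitter and receiver of each message from the WSDL of `server`, with
    `peer` as the other apparatus; message parts follow the message format."""
    root = ET.fromstring(wsdl_text)
    parts_by_message = {
        m.get("name"): [p.get("name") for p in m.findall(q("part"))]
        for m in root.findall(q("message"))
    }
    model: List[Message] = []
    for port_type in root.findall(q("portType")):
        for op in port_type.findall(q("operation")):
            # <input> is received by the server, <output> is sent by it
            for tag, transmitter, receiver in (("input", peer, server),
                                               ("output", server, peer)):
                ref = op.find(q(tag))
                if ref is None:
                    continue
                msg_name = ref.get("message", "").split(":")[-1]  # drop tns: prefix
                if msg_name not in parts_by_message:
                    raise ValueError(f"operation {op.get('name')} refers to "
                                     f"undefined message {msg_name!r}")
                parts = [f"{msg_name}.{p}" for p in parts_by_message[msg_name]]
                model.append(Message(msg_name, transmitter, receiver, parts))
    return model
```

The user then only has to define messages for apparatuses, such as the terminal, for which no interface setting information exists.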
  • the user selects security patterns from a tool box storing a plurality of security patterns on the GUI and arranges the selected security patterns corresponding to the message parts. Consequently, the security pattern selection part 330 can select a security pattern that is a model of security policy set up for the transmitter or receiver of a message part, corresponding to each message part. For example, the security pattern selection part 330 can select security pattern ET 1 corresponding to message part part 1 - a, and can select security pattern SI 1 corresponding to message part part 1 - c.
  • FIG. 7 shows exemplary security patterns in an application example of the security policy generation device 30 according to the embodiment.
  • The security pattern selection part 330 selects security patterns corresponding to each of a plurality of messages. For example, referring to the drawing, it selects security patterns AT1, NT1 and EI1 for message parts 1-a, 1-b and 1-c of FIG. 6, respectively. In the drawing, the selected security patterns are represented as a sequence of linked text data.
  • Security pattern AT1, a setting for the receiver of a message, includes the receiver of the message as an undecided parameter and indicates that only the reception of messages encrypted with a cipher that the receiver can decrypt is permitted.
  • AT stands for Authentication.
  • Security pattern AT1 includes ${TOKEN_TYPE_QNAME}, ${TOKEN_ISSUER_NAME}, ${SUBJECT_NAME} and ${MESSAGE_PARTS} as undecided parameters.
  • ${TOKEN_TYPE_QNAME} indicates the type of cipher, specifically the kind of electronic certificate.
  • ${TOKEN_ISSUER_NAME} indicates the identification information of the issuer of the encryption key, such as the authentication server 60.
  • ${SUBJECT_NAME} indicates the receiver who is permitted to decrypt with the key.
  • ${MESSAGE_PARTS} indicates the message parts to be encrypted. Specifically, the message parts carrying the password or similar credential that certifies the validity of the transmitter are substituted for ${MESSAGE_PARTS}.
  • Security pattern NT1, a setting for the receiver, indicates that only the reception of messages to which the electronic signature of the transmitter is appended is permitted. The transmitter therefore cannot repudiate having sent the message, hence the name NT, which stands for Non-repudiation.
  • Security pattern NT1 includes ${TOKEN_TYPE_QNAME}, ${TOKEN_ISSUER_NAME} and ${MESSAGE_PARTS} as undecided parameters.
  • ${TOKEN_TYPE_QNAME} indicates the type of cipher, specifically the kind of electronic certificate.
  • ${TOKEN_ISSUER_NAME} indicates the identification information of the issuer of the encryption key or electronic certificate, such as the authentication server 60.
  • ${MESSAGE_PARTS} indicates the message parts to which the electronic signature is applied. Specifically, the order information of a transmitter ordering commodities from the receiver is substituted for ${MESSAGE_PARTS}.
  • Security pattern EI1, a setting for the receiver, indicates that only the reception of messages that an intermediary of the message cannot decrypt but the receiver can is permitted.
  • Security pattern EI1 includes ${TOKEN_TYPE_QNAME}, ${TOKEN_ISSUER_NAME}, ${SUBJECT_NAME} and ${MESSAGE_PARTS} as undecided parameters.
  • ${TOKEN_TYPE_QNAME} indicates the type of cipher, specifically the kind of electronic certificate.
  • ${TOKEN_ISSUER_NAME} indicates the identification information of the issuer of the encryption key, such as the authentication server 60.
  • ${SUBJECT_NAME} indicates the receiver who is permitted to decrypt with the key.
  • ${MESSAGE_PARTS} indicates the message parts to be encrypted. Specifically, the message parts carrying content that the transmitter sends to the receiver without the knowledge of the intermediary are substituted for ${MESSAGE_PARTS}.
  • FIG. 8 shows an exemplary security policy obtained by applying an application model.
  • The security policy generation part 350 substitutes the identification information of the transmitter or receiver of each message for the undecided parameters of the security pattern selected for that message.
  • The substituted parameters are underlined in the figure.
  • On the 13th line, the security policy generation part 350 substitutes the ID of the server 40, the receiver of the message, for the variable ${SUBJECT_NAME}, the undecided parameter regarding the receiver. On the 34th line, it substitutes the ID of the server 50 for ${SUBJECT_NAME}.
  • The security policy generation part 350 substitutes the identification information of each message part for the undecided parameter of the security pattern selected for the message.
  • The security policy generation part 350 substitutes //UsernameToken, indicating the location of message part 1-a, for the variable ${MESSAGE_PARTS}.
  • The security policy generation part 350 substitutes //BookInfo, indicating the location of message part 1-b, for the variable ${MESSAGE_PARTS}.
  • The security policy generation part 350 substitutes //CardInfo, the identification information of message part 1-c, for the variable ${MESSAGE_PARTS}.
  • Parameters such as //CardInfo are shown here only as examples; in practice, information indicating the location of the message part (a URI, Uniform Resource Identifier) may be substituted for the undecided parameter, or text data representing the message part itself may be substituted.
  • The security policy may further include, for each undecided parameter, a parameter type indicating the definition of the information to be stored in that parameter.
  • Likewise, each message of the application model may include, for each parameter the message contains, a parameter type indicating the definition of the information that parameter carries. The security policy generation part 350 can then quickly select the undecided parameter to substitute by matching parameter types rather than scanning the text data of the security policy model.
  • The security policy generation part 350 may substitute the parameter type for the undecided parameter instead of performing the substitution. This lets the user see the definition of each undecided parameter, making it easy to decide the undecided parameters of a security pattern manually.
  • Thus the security policy generation part 350 can generate a security policy by replacing the variable parts of a security policy model, represented as text data, with predetermined parameters.
  • FIG. 9 shows an exemplary security policy obtained by applying a platform model.
  • The security policy generation part 350 further substitutes the encryption processing parameters or signature processing parameters of the information processing apparatus that is the security policy setting object for the undecided parameters of the security pattern.
  • The security policy generation part 350 substitutes the parameter X509v3, indicating the standard specification of the electronic certificate, for the variable ${TOKEN_TYPE_QNAME}.
  • The security policy generation part 350 substitutes the parameter VeriSign, indicating an encryption key or certificate generated by software from VeriSign, Inc. (a registered trademark), for the variable ${TOKEN_ISSUER_NAME}.
  • In this way the undecided parameters of the selected security patterns are decided sequentially according to the application model and then the platform model, which makes it possible to create an appropriate security policy with little effort.
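The substitution step described for FIG. 8 and FIG. 9, as an added example in Python (not the patent's own code or pattern text): security patterns are text with ${...} undecided parameters, the application model supplies the receiver ID and the locator of each message part, the platform model supplies the token type and issuer, and a parameter that is still undecided can be shown by its parameter type instead. The pattern bodies, the apparatus IDs such as server40, and the per-apparatus platform values are constructed for illustration.

```python
import re
from dataclasses import dataclass
from string import Template
from typing import Dict, List, Optional, Tuple

# Matches an undecided parameter such as ${SUBJECT_NAME} left in a pattern.
UNDECIDED = re.compile(r"\$\{(\w+)\}")

# Security patterns as text with undecided parameters (FIG. 7).  The bodies
# are constructed for this example; they are not the patent's pattern text.
SECURITY_PATTERNS: Dict[str, str] = {
    "AT1": (
        '<Policy pattern="AT1" role="receiver">\n'
        '  <Token type="${TOKEN_TYPE_QNAME}" issuer="${TOKEN_ISSUER_NAME}"/>\n'
        '  <EncryptedParts for="${SUBJECT_NAME}">${MESSAGE_PARTS}</EncryptedParts>\n'
        "</Policy>"
    ),
    "NT1": (
        '<Policy pattern="NT1" role="receiver">\n'
        '  <Token type="${TOKEN_TYPE_QNAME}" issuer="${TOKEN_ISSUER_NAME}"/>\n'
        "  <SignedParts>${MESSAGE_PARTS}</SignedParts>\n"
        "</Policy>"
    ),
    "EI1": (
        '<Policy pattern="EI1" role="receiver">\n'
        '  <Token type="${TOKEN_TYPE_QNAME}" issuer="${TOKEN_ISSUER_NAME}"/>\n'
        '  <EncryptedParts for="${SUBJECT_NAME}" hidden-from="intermediary">'
        "${MESSAGE_PARTS}</EncryptedParts>\n"
        "</Policy>"
    ),
}

# Parameter types: the definition of what each undecided parameter holds.
PARAMETER_TYPES: Dict[str, str] = {
    "TOKEN_TYPE_QNAME": "type of electronic certificate",
    "TOKEN_ISSUER_NAME": "issuer of the key or certificate",
    "SUBJECT_NAME": "receiver permitted to decrypt",
    "MESSAGE_PARTS": "location of the message part",
}


@dataclass(frozen=True)
class MessagePart:
    name: str
    location: str                      # identification info, e.g. //CardInfo
    transmitter: str
    receiver: str
    intermediary: Optional[str] = None


# Application model for message 1 of FIG. 6; apparatus IDs are assumed names.
MESSAGE_1: List[MessagePart] = [
    MessagePart("part1-a", "//UsernameToken", "terminal35", "server40"),
    MessagePart("part1-b", "//BookInfo", "terminal35", "server40"),
    MessagePart("part1-c", "//CardInfo", "terminal35", "server50", "server40"),
]

# Platform model: per-apparatus encryption/signature parameters (FIG. 9 values).
PLATFORM_MODEL: Dict[str, Dict[str, str]] = {
    "server40": {"TOKEN_TYPE_QNAME": "X509v3", "TOKEN_ISSUER_NAME": "VeriSign"},
    "server50": {"TOKEN_TYPE_QNAME": "X509v3", "TOKEN_ISSUER_NAME": "VeriSign"},
}


def generate_policy(pattern_name: str, part: MessagePart,
                    platform_model: Dict[str, Dict[str, str]],
                    show_types: bool = False) -> Tuple[str, List[str]]:
    """Step S1080: fill the pattern's undecided parameters.

    Application model first (receiver ID -> SUBJECT_NAME, part locator ->
    MESSAGE_PARTS), then the platform model of the receiver, which is the
    apparatus a receiver-side pattern is set on.  Returns the policy text and
    the names of any parameters still undecided; with show_types=True those
    are replaced by their parameter type so a user can decide them by hand.
    """
    values = {"SUBJECT_NAME": part.receiver, "MESSAGE_PARTS": part.location}
    values.update(platform_model.get(part.receiver, {}))
    policy = Template(SECURITY_PATTERNS[pattern_name]).safe_substitute(values)
    undecided = UNDECIDED.findall(policy)
    if undecided and show_types:
        types = {p: "<" + PARAMETER_TYPES[p] + ">" for p in undecided}
        policy = Template(policy).safe_substitute(types)
    return policy, undecided


def generate_message_policy(parts: List[MessagePart], selected: Dict[str, str],
                            platform_model: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """S1030 to S1090 for one message: one policy per message part."""
    return {p.name: generate_policy(selected[p.name], p, platform_model)[0]
            for p in parts}


if __name__ == "__main__":
    chosen = {"part1-a": "AT1", "part1-b": "NT1", "part1-c": "EI1"}  # as in FIG. 7
    for name, text in generate_message_policy(MESSAGE_1, chosen, PLATFORM_MODEL).items():
        print(name, text, sep="\n")
```

The two-stage fill mirrors the text: the application model decides who and which part, the platform model decides how (certificate type and issuer). Using `safe_substitute` rather than `substitute` is deliberate: a parameter the models do not cover is left visible as `${...}` and reported, instead of raising, so the tool can fall back to showing the parameter type.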
  • FIG. 10 shows an operational flow of an exemplary process of the security policy generation device 30 creating a security policy.
  • The security pattern storage part 310 stores a plurality of security patterns in advance according to an instruction of the administrator of the security policy generation device 30 (S1000).
  • The platform model storage part 340 stores a platform model decided for each information processing apparatus in advance according to an instruction of the administrator of the security policy generation device 30 (S1010).
  • The application model generation part 300 generates, for each of a plurality of messages communicated by the distributed application program, an application model in which the transmitter, receiver, intermediary, etc. of the message are decided, according to an instruction of the user (S1020).
  • The security policy generation device 30 repeats the following process for each of the plurality of messages included in the application model (S1030). First, the candidate selection part 320 selects the information processing apparatus that is the security policy setting object according to an instruction of the user (S1050).
  • The candidate selection part 320 selects the candidate security patterns settable on that information processing apparatus according to whether it is the transmitter, the receiver or the intermediary of the message part that is the security policy setting object (S1060).
  • The security pattern selection part 330 selects, for the message part, a security pattern that is a model of the security policy to be set up for the transmitter or receiver of the message part, according to an instruction of the user (S1070). For example, the candidates selected by the candidate selection part 320 may be shown to the user, and the security pattern selection part 330 selects one of them according to the user's instruction.
  • The security policy generation part 350 generates a security policy by substituting the identification information of the transmitter or receiver of the message part for the undecided parameter of the security pattern selected for that message part (S1080).
  • The security policy generation part 350 may further substitute the encryption processing parameters or signature processing parameters of the information processing apparatus that is the security policy setting object for the undecided parameters of the security pattern.
  • The security policy generation device 30 repeats the above process for each message part (S1090).
  • FIG. 11 shows the details of process S 1060 .
  • The candidate selection part 320 first selects as pattern candidates all the security patterns stored in the security pattern storage part 310 (S1100). If the transmitter of the message part is the information processing apparatus that is the setting object (S1110: YES), the candidate selection part 320 removes from the candidates the security patterns whose interaction pattern has a transmitter type other than self (S1120), and the flow proceeds to S1170.
  • Otherwise, the candidate selection part 320 determines whether the receiver of the message part is the information processing apparatus that is the setting object (S1130). If so (S1130: YES), it removes from the candidates the security patterns whose interaction pattern has a receiver type other than self (S1140).
  • The candidate selection part 320 removes from the candidates the security patterns whose intermediary type is none (S1180).
  • The candidate selection part 320 determines whether the intermediary of the message part is the information processing apparatus that is the setting object (S1150). If so (S1150: YES), it removes from the candidates the security patterns whose interaction pattern has an intermediary type other than self (S1160).
  • In this way the candidate selection part 320 narrows the candidates according to whether the information processing apparatus that is the setting object is the transmitter, the receiver or the intermediary of the message part. The number of security pattern options is reduced, which relieves the user of the operational load of selecting a security pattern.
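The candidate selection of FIG. 11 (step S1060 of FIG. 10), as an added example in Python that is not the patent's own code. Each stored pattern carries an interaction pattern saying whether it is set on the transmitter, the receiver or the intermediary (self/other, or none for "no intermediary"); the filter keeps only the patterns whose role matches the role the setting-object apparatus plays in the message part. The pattern store is constructed: AT1, NT1 and EI1 are receiver-side as the text describes, while TX1 and IM1 are hypothetical transmitter-side and intermediary-side patterns added so the filter has something to choose between. Two branches the page does not spell out are marked as assumptions in the code: an apparatus with no role in the part gets no candidates, and a part with no intermediary drops the patterns that presuppose one.

```python
from typing import Iterable, List, NamedTuple, Optional


class InteractionPattern(NamedTuple):
    """Role each party plays for a pattern: 'self', 'other', or 'none'
    for the intermediary when the pattern assumes there is none."""
    transmitter: str
    receiver: str
    intermediary: str


class SecurityPattern(NamedTuple):
    name: str
    interaction: InteractionPattern


class MessagePart(NamedTuple):
    name: str
    transmitter: str
    receiver: str
    intermediary: Optional[str] = None


# Constructed pattern store (security pattern storage part 310).
PATTERN_STORE: List[SecurityPattern] = [
    SecurityPattern("AT1", InteractionPattern("other", "self", "none")),
    SecurityPattern("NT1", InteractionPattern("other", "self", "none")),
    SecurityPattern("EI1", InteractionPattern("other", "self", "other")),
    SecurityPattern("TX1", InteractionPattern("self", "other", "none")),   # hypothetical
    SecurityPattern("IM1", InteractionPattern("other", "other", "self")),  # hypothetical
]

# Message parts of FIG. 6 with assumed apparatus IDs.
PART_1A = MessagePart("part1-a", "terminal35", "server40")
PART_1C = MessagePart("part1-c", "terminal35", "server50", "server40")


def select_candidates(part: MessagePart, apparatus: str,
                      store: Iterable[SecurityPattern]) -> List[str]:
    """S1060 (FIG. 11): names of patterns settable on `apparatus` for `part`."""
    candidates = list(store)                                              # S1100
    if part.transmitter == apparatus:                                     # S1110
        candidates = [p for p in candidates
                      if p.interaction.transmitter == "self"]             # S1120
    elif part.receiver == apparatus:                                      # S1130
        candidates = [p for p in candidates
                      if p.interaction.receiver == "self"]                # S1140
    elif part.intermediary == apparatus:                                  # S1150
        candidates = [p for p in candidates
                      if p.interaction.intermediary == "self"]            # S1160
    else:
        # Assumption: an apparatus with no role in this part gets nothing.
        return []
    if part.intermediary is not None:
        # S1180: the part passes through an intermediary, so patterns whose
        # intermediary type is none cannot apply.
        candidates = [p for p in candidates
                      if p.interaction.intermediary != "none"]
    else:
        # Assumption (not stated in the text): with no intermediary, drop
        # patterns that presuppose one.
        candidates = [p for p in candidates
                      if p.interaction.intermediary == "none"]
    return [p.name for p in candidates]


if __name__ == "__main__":
    for part, apparatus in [(PART_1A, "server40"), (PART_1C, "server50"),
                            (PART_1C, "server40"), (PART_1A, "terminal35")]:
        print(part.name, apparatus, select_candidates(part, apparatus, PATTERN_STORE))
```

Run against FIG. 6, the receiver server40 of part 1-a is offered AT1 and NT1 only, the receiver server50 of part 1-c is offered EI1 only, and the intermediary server40 of part 1-c is offered only the intermediary-side pattern. That is the narrowing the text describes: the user never sees a receiver-side pattern for an apparatus that merely relays the part.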
  • FIG. 12 shows an exemplary hardware configuration of a computer 500 working as the security policy generation device 30 .
  • The computer 500 includes a CPU section having a CPU 1000, RAM 1020 and graphic controller 1075 connected to each other via a host controller 1082; an I/O section having a communication interface 1030, a hard disk drive 1040 and a CD-ROM drive 1060 connected to the host controller 1082 via an I/O controller 1084; and a legacy I/O section having a BIOS 1010, a flexible disk drive 1050 and an I/O chip 1070 connected to the I/O controller 1084.
  • The host controller 1082 connects the RAM 1020 to the CPU 1000 and the graphic controller 1075, each of which accesses the RAM 1020 at a high transfer rate.
  • The CPU 1000 operates based on programs stored in the BIOS 1010 and the RAM 1020 and thereby controls each section.
  • The graphic controller 1075 acquires the image data that the CPU 1000, etc. create in the frame buffer provided in the RAM 1020 and displays it on a display unit 1080.
  • Alternatively, the graphic controller 1075 may itself include the frame buffer in which the image data created by the CPU 1000, etc. is stored.
  • The I/O controller 1084 connects the host controller 1082 to the communication interface 1030, the hard disk drive 1040 and the CD-ROM drive 1060, each a relatively high-speed I/O unit.
  • The communication interface 1030 communicates with outside apparatuses via a network.
  • The hard disk drive 1040 stores the programs and data used by the computer 500.
  • The CD-ROM drive 1060 reads programs or data from a CD-ROM 1095 and provides them to the I/O chip 1070 via the RAM 1020.
  • The BIOS 1010 stores the boot program executed by the CPU 1000 when the computer 500 starts up, programs dependent on the hardware of the computer 500, and the like.
  • The flexible disk drive 1050 reads programs or data from a flexible disk 1090 and provides them to the I/O chip 1070 via the RAM 1020.
  • The I/O chip 1070 connects the flexible disk drive 1050 and various I/O devices via, for example, a parallel port, a serial port, a keyboard port and a mouse port.
  • The program provided to the computer 500 is stored on a recording medium such as the flexible disk 1090, the CD-ROM 1095 or an IC card and is supplied by the user.
  • The program is read out via the I/O chip 1070 and/or the I/O controller 1084 and installed in the computer 500 for execution.
  • the operation of the program executed in the security policy generation device 30 by use of the computer 500 , etc. is identical with that of the security policy generation device 30 described with reference to FIGS. 1 to 11 , and hence an explanation thereof is omitted.
  • The user can define the messages transmitted or received in a distributed application by intuitively operating a GUI or the like.
  • The security policy generation device 30 can decide the transmitter, receiver, intermediary, etc. of each message. Consequently a suitable value is assigned to each undecided parameter of the security pattern that serves as the model of the security policy, and the security policy is created automatically. The user is thus relieved of the operational load of creating the security policy, and at the same time a suitable security policy is created.
  • The present invention can be realized in hardware, software, or a combination of hardware and software.
  • A visualization tool according to the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system, or other apparatus adapted for carrying out the methods and/or functions described herein, is suitable.
  • A typical combination of hardware and software could be a general purpose computer system with a computer program that, when loaded and executed, controls the computer system such that it carries out the methods described herein.
  • The present invention can also be embedded in a computer program product which comprises all the features enabling the implementation of the methods described herein and which, when loaded in a computer system, is able to carry out these methods.
  • Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or reproduction in a different material form.
  • The invention includes an article of manufacture which comprises a computer usable medium having computer readable program code means embodied therein for causing a function described above.
  • The computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention.
  • The present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above.
  • The computer readable program code means in the computer program product comprise computer readable program code means for causing a computer to effect one or more functions of this invention.
  • The present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.
US11/158,622 2004-06-22 2005-06-21 Security policy generation Abandoned US20050283824A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US12/182,889 US8141131B2 (en) 2004-06-22 2008-07-30 Security policy generation
US12/251,313 US8112786B2 (en) 2004-06-22 2008-10-14 Security policy generation

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004-184035 2004-06-22
JP2004184035A JP4197311B2 (ja) 2004-06-22 2004-06-22 セキュリティポリシー生成方法、セキュリティポリシー生成装置、プログラム、及び記録媒体

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US12/182,889 Continuation US8141131B2 (en) 2004-06-22 2008-07-30 Security policy generation
US12/251,313 Continuation US8112786B2 (en) 2004-06-22 2008-10-14 Security policy generation

Publications (1)

Publication Number Publication Date
US20050283824A1 true US20050283824A1 (en) 2005-12-22

Family

ID=35482067

Family Applications (3)

Application Number Title Priority Date Filing Date
US11/158,622 Abandoned US20050283824A1 (en) 2004-06-22 2005-06-21 Security policy generation
US12/182,889 Expired - Fee Related US8141131B2 (en) 2004-06-22 2008-07-30 Security policy generation
US12/251,313 Expired - Fee Related US8112786B2 (en) 2004-06-22 2008-10-14 Security policy generation

Country Status (2)

Country Link
US (3) US20050283824A1 (ja)
JP (1) JP4197311B2 (ja)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4197311B2 (ja) * 2004-06-22 2008-12-17 インターナショナル・ビジネス・マシーンズ・コーポレーション セキュリティポリシー生成方法、セキュリティポリシー生成装置、プログラム、及び記録媒体
US20090099882A1 (en) * 2007-10-15 2009-04-16 Sap Ag Enhanced Security Framework for Composite Applications
US8832201B2 (en) * 2008-08-18 2014-09-09 International Business Machines Corporation Method, system and program product for providing selective enhanced privacy and control features to one or more portions of an electronic message
US9653004B2 (en) * 2008-10-16 2017-05-16 Cypress Semiconductor Corporation Systems and methods for downloading code and data into a secure non-volatile memory
JP5191376B2 (ja) * 2008-12-25 2013-05-08 株式会社野村総合研究所 リスクベース認証システムおよび危険度情報取得サーバならびにリスクベース認証方法
JP5497548B2 (ja) * 2010-06-16 2014-05-21 日本電信電話株式会社 通信システム、転送制御装置、通信方法および通信プログラム
US8566596B2 (en) * 2010-08-24 2013-10-22 Cisco Technology, Inc. Pre-association mechanism to provide detailed description of wireless services
US8554253B2 (en) 2010-08-26 2013-10-08 John L. Rogitz Telephone messaging privacy
KR101889761B1 (ko) * 2011-06-09 2018-09-21 삼성전자주식회사 컨텐츠 이름 기반의 네트워크 장치 및 컨텐츠 보호 방법
CN103346886B (zh) * 2013-07-01 2016-12-28 天地融科技股份有限公司 一种发送签名数据的方法和电子签名令牌
JP6915457B2 (ja) * 2017-08-28 2021-08-04 富士通株式会社 サイバー攻撃情報処理プログラム、サイバー攻撃情報処理方法および情報処理装置

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050005116A1 (en) * 2002-09-18 2005-01-06 Commerce One Operations, Inc. Dynamic interoperability contract for web services
US20060023674A1 (en) * 2004-02-27 2006-02-02 Goring Bryan R System and method for communicating asynchronously with web services using message set definitions
US20060179150A1 (en) * 2003-03-26 2006-08-10 Farley Patrick B Client server model
US20060265689A1 (en) * 2002-12-24 2006-11-23 Eugene Kuznetsov Methods and apparatus for processing markup language messages in a network

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6091835A (en) * 1994-08-31 2000-07-18 Penop Limited Method and system for transcribing electronic affirmations
US7941534B2 (en) * 1997-04-14 2011-05-10 Carlos De La Huerga System and method to authenticate users to computer systems
US6738908B1 (en) * 1999-05-06 2004-05-18 Watchguard Technologies, Inc. Generalized network security policy templates for implementing similar network security policies across multiple networks
JP4084914B2 (ja) 1999-09-29 2008-04-30 株式会社日立製作所 セキュリティ評価方法および装置、セキュリティ施策の作成支援方法および装置
US6918039B1 (en) * 2000-05-18 2005-07-12 International Business Machines Corporation Method and an apparatus for detecting a need for security and invoking a secured presentation of data
JP2002108818A (ja) 2000-09-26 2002-04-12 International Network Securitiy Inc データセンター、セキュリティポリシー作成方法及びセキュリティシステム
SE522647C2 (sv) * 2001-07-04 2004-02-24 Ericsson Telefon Ab L M Säker brevhuvudinformation för e-brev av multi-innehållstyp
JP2003140890A (ja) * 2001-10-31 2003-05-16 Asgent Inc 電子機器設定情報作成方法及び装置並びにセキュリティポリシー作成方法及び関連装置
JP3872689B2 (ja) 2001-12-27 2007-01-24 株式会社日立製作所 セキュリティポリシーの作成支援システムおよびセキュリティ対策決定支援システム
JP4282301B2 (ja) 2002-10-11 2009-06-17 株式会社リコー アクセス制御サーバ、電子データ発行ワークフロー処理方法、そのプログラム、コンピュータ装置、および記録媒体
US8041719B2 (en) * 2003-05-06 2011-10-18 Symantec Corporation Personal computing device-based mechanism to detect preselected data
US20050033811A1 (en) * 2003-08-07 2005-02-10 International Business Machines Corporation Collaborative email
US7526806B2 (en) * 2003-11-05 2009-04-28 Cisco Technology, Inc. Method and system for addressing intrusion attacks on a computer system
US7496649B2 (en) * 2004-02-20 2009-02-24 Microsoft Corporation Policy application across multiple nodes
US20050204008A1 (en) * 2004-03-09 2005-09-15 Marc Shinbrood System and method for controlling the downstream preservation and destruction of electronic mail
US7559080B2 (en) * 2004-05-04 2009-07-07 Microsoft Corporation Automatically generating security policies for web services
JP4379223B2 (ja) * 2004-06-18 2009-12-09 日本電気株式会社 動作モデル作成システム、動作モデル作成方法および動作モデル作成プログラム
JP4197311B2 (ja) * 2004-06-22 2008-12-17 インターナショナル・ビジネス・マシーンズ・コーポレーション セキュリティポリシー生成方法、セキュリティポリシー生成装置、プログラム、及び記録媒体

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080141336A1 (en) * 2006-12-08 2008-06-12 Jochen Haller Secure execution environments for process models
US9111276B2 (en) * 2006-12-08 2015-08-18 Sap Se Secure execution environments for process models
WO2008104965A3 (en) * 2007-02-26 2009-05-07 Secure Islands Technologies Lt A system and method for automatic data protection in a computer network
US10367851B2 (en) 2007-02-26 2019-07-30 Microsoft Israel Research And Development (2002) Ltd System and method for automatic data protection in a computer network
US9838432B2 (en) 2007-02-26 2017-12-05 Secure Islands Technologies Ltd System and method for automatic data protection in a computer network
US20100146600A1 (en) * 2007-02-26 2010-06-10 Secure Islands Technologies Ltd System and method for automatic data protection in a computer network
US9218500B2 (en) * 2007-02-26 2015-12-22 Secure Islands Technologies Ltd. System and method for automatic data protection in a computer network
US20090282494A1 (en) * 2008-05-09 2009-11-12 International Business Machines Corporation Method and system for managing electronic messages
US8484746B2 (en) * 2008-05-09 2013-07-09 International Business Machines Corporation Method and system for managing electronic messages
US8484747B2 (en) * 2008-05-09 2013-07-09 International Business Machines Corporation Method and system for managing electronic messages
US20090282493A1 (en) * 2008-05-09 2009-11-12 International Business Machines Corporation Mehtod and system for managing electronic messages
CN102663298A (zh) * 2012-04-06 2012-09-12 北京空间飞行器总体设计部 面向终端计算机的安全在线检查系统
CN102647419A (zh) * 2012-04-06 2012-08-22 北京空间飞行器总体设计部 面向终端计算机的策略安全在线检查系统
US10372916B2 (en) 2012-07-10 2019-08-06 Microsoft Technology Licensing, Llc Data detection and protection policies for electronic file systems
JP2015523661A (ja) * 2012-07-10 2015-08-13 マイクロソフト コーポレーション 電子メール用のデーター検出および保護ポリシー
US20170324713A1 (en) * 2014-12-23 2017-11-09 Intel Corporation Techniques for load balancing in a packet distribution system
US9553853B2 (en) * 2014-12-23 2017-01-24 Intel Corporation Techniques for load balancing in a packet distribution system
US20160182509A1 (en) * 2014-12-23 2016-06-23 Intel Corporation Techniques for load balancing in a packet distribution system
US10686763B2 (en) * 2014-12-23 2020-06-16 Intel Corporation Techniques for load balancing in a packet distribution system
US10262127B2 (en) * 2017-04-05 2019-04-16 General Electric Company Systems and method for securely sharing and executing data and models
US11212322B2 (en) * 2018-10-10 2021-12-28 Rockwell Automation Technologies, Inc. Automated discovery of security policy from design data
US20210352110A1 (en) * 2020-05-08 2021-11-11 Rockwell Automation Technologies, Inc. Automatic endpoint security policy assignment by zero-touch enrollment
US11575571B2 (en) 2020-05-08 2023-02-07 Rockwell Automation Technologies, Inc. Centralized security event generation policy
US11588856B2 (en) * 2020-05-08 2023-02-21 Rockwell Automation Technologies, Inc. Automatic endpoint security policy assignment by zero-touch enrollment

Also Published As

Publication number Publication date
JP4197311B2 (ja) 2008-12-17
US8141131B2 (en) 2012-03-20
US20090044248A1 (en) 2009-02-12
US8112786B2 (en) 2012-02-07
JP2006011554A (ja) 2006-01-12
US20080307492A1 (en) 2008-12-11

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:NAKAMURA, YUHICHI;IMAMURA, TAKESHI;TATSUBORI, MICHIAKI;AND OTHERS;REEL/FRAME:016605/0160;SIGNING DATES FROM 20050708 TO 20050725

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION