WO2001011845A2 - Security architecture with environment sensitive credentials - Google Patents
Security architecture with environment sensitive credentials Download PDFInfo
- Publication number
- WO2001011845A2 WO2001011845A2 PCT/US2000/020929 US0020929W WO0111845A2 WO 2001011845 A2 WO2001011845 A2 WO 2001011845A2 US 0020929 W US0020929 W US 0020929W WO 0111845 A2 WO0111845 A2 WO 0111845A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- session
- credential
- mformation
- access
- trust level
- Prior art date
Links
- 230000002123 temporal effect Effects 0.000 claims abstract description 5
- 238000000034 method Methods 0.000 claims description 62
- 238000013475 authorization Methods 0.000 claims description 57
- 235000014510 cooky Nutrition 0.000 claims description 30
- 230000004044 response Effects 0.000 claims description 19
- 230000002085 persistent effect Effects 0.000 claims description 10
- 230000008685 targeting Effects 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 claims description 2
- 230000002207 retinal effect Effects 0.000 claims description 2
- 230000011664 signaling Effects 0.000 claims description 2
- 238000004590 computer program Methods 0.000 claims 3
- 230000003287 optical effect Effects 0.000 claims 2
- 230000007613 environmental effect Effects 0.000 abstract description 6
- 238000007726 management method Methods 0.000 description 17
- 230000007246 mechanism Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 10
- 230000006870 function Effects 0.000 description 9
- 230000003993 interaction Effects 0.000 description 9
- 230000008901 benefit Effects 0.000 description 5
- 238000011156 evaluation Methods 0.000 description 5
- 230000001010 compromised effect Effects 0.000 description 4
- 238000000354 decomposition reaction Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 238000007792 addition Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 230000009466 transformation Effects 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 2
- 238000004880 explosion Methods 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000002829 reductive effect Effects 0.000 description 2
- 235000008694 Humulus lupulus Nutrition 0.000 description 1
- 230000002411 adverse Effects 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000015556 catabolic process Effects 0.000 description 1
- 230000001427 coherent effect Effects 0.000 description 1
- 238000006731 degradation reaction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000002688 persistence Effects 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2111—Location-sensitive, e.g. geographical location, GPS
Definitions
- the invention relates to mformation secu ⁇ ty, and more particularly, to systems and method for improving the security of mformation transactions over networks
- a security architecture has been developed m which a smgle sign-on is provided for multiple mformation resources Rather than specifying a smgle authentication scheme for all information resources, secu ⁇ ty architectures m accordance with some embodiments of the present mvention associate trust-level requirements with information resources Authentication schemes (e g , those based on passwords, certificates, biomet ⁇ c techniques, smart cards, etc ) are associated with trust levels and environmental parameters
- a log-on service obtams credentials for an entity commensurate with the trust-level requ ⁇ rement(s) of an mformation resource (or mformation resources) to be accessed and with environment parameters that affect the sufficiency of a given credential type Once credentials have been obtained for an entity and have been authenticated to a given trust level, access is granted, without the need for further credentials and authentication, to mformation resources for which the trust level is sufficient given a current session environment In some configurations
- facilities in accordance with some embodiments of the present mvention advantageously allow temporal, locational, connection type and/or client capabilities-related mformation to affect the sufficiency of a given credential type (and associated authentication scheme) for access to a particular mformation resource
- time of access, o ⁇ gmating location (physical or network) and or connection type form a risk profile that can be factored mto credential type sufficiency
- changmg environmental parameters may cause a previously sufficient credential to become insufficient
- an authenticated credential previously insufficient for access at a given trust level may be sufficient based on a changed or more fully parameterized session environment
- the use of session tracking facihtes e g , the information content of session tokens
- capabilities of a particular client entity e g , browser support for 128-bit
- a method of determining sufficiency of a credential type for access to an mformation resource includes establishing a correspondence between a session and an access request targeting the mformation resource, establishing a trust level requirement for access to the mformation resource, and evaluatmg correspondence of one or more credential types with the trust level requirement for access to the mformation resource and with environment mformation associated with the session
- a method of operating a secu ⁇ ty architecture mcludes matchmg an access request of a client entity with a correspondmg session
- the access request targets a first of plural information resources and the session has an associated one or more session parameters affecting sufficiency of credential types
- the method further mcludes determining a set of one or more credential types sufficient for access to the first mformation resource The determining is based, at least m part, on the one or more session parameters If an authenticated credential associated with the session is of one of the sufficient credential types, then access to the first mformation resource is allowed Otherwise, a new credential is obtammg, the client is authenticated entity thereby, and access to the first information resource is allowed The obtamed credential is of one of the sufficient credential types
- an mformation system mcludes plural mformation resources hosted on one or more servers coupled via a commumcation network to a client entity and an access control facility common to the plural information resources
- the plural information resources have individualized authentication requirements and the common access control facility obtains a credential for the client entity and authenticates the client entity thereby
- the common access control facility evaluates, based m part on current parameters of a correspondmg persistent session, sufficiency of associated authenticated credentials for access to the first mformation resource
- an access control facility for providmg a smgle sign-on for sessions that potentially mclude accesses to plural mformation resources having differing secu ⁇ ty requirements mcludes an application proxy and means responsive to the application proxy for evaluating sufficiency of credential types based on then current parameters of the session and on a trust level requirement of the targeted information resource
- the application proxy configured for receivmg an access request targeting one of the information resources, associating the access request with a session, and selectively proxymg the access request if at least one sufficient credential is associated with the session
- FIG. 1 is a block diagram lllustratmg mformation flows between components m a secu ⁇ ty architecture with environment sensitive credential sufficiency evaluation m accordance with an exemplary embodiment of the present mvention
- FIG. 2 is a flow chart lllustratmg operation of a secu ⁇ ty architecture with environment sensitive credential sufficiency evaluation m accordance with an exemplary embodiment of the present mvention
- FIG. 3 illustrates mteractions between functional components m a functional decomposition of a secu ⁇ ty architecture with environment sensitive credential sufficiency evaluation m accordance with an exemplary embodiment of the present mvention
- FIG. 4 illustrates relations between logm credentials, session credentials and a cookie encodmg of a session token in accordance with an exemplary embodiment of the present mvention
- Access Management Systems methods and techniques for controlling use of mformation resources
- access management systems employ both authentication and authorization to control access to information resources
- Authentication A process used to venfy the identity of an entity As typically implemented, an authentication method is employed to venfy the identity of a user or object based on a credential supplied by the user or object
- Authorization A process for determining whether an identity is permitted to perform some action, such as accessmg a resource Typically, an identity will be authenticated, though in some configurations certain identities need not be
- Credential Evidence of identity used to authenticate an entity Exemplary credentials types include passwords, certificates or other encrypted mdicia based on asymmetric, symmetric, public, p ⁇ vate, or secret key technologies, one-time passwords, biometnc mdicia such as by retinal scan, voice p ⁇ nt, finger print, etc , and possession based mdicia such as smart cards, Enigma cards, keys, etc
- credentials may be associated with users, sessions, functional objects, etc
- Digital Signature A transformation of a message usmg an asymmet ⁇ c cryptosystem such that a person havmg the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the message has been altered since the transformation was made
- Entity A user or object, mcludmg data objects and/or functional objects such as applications, components, modules, services, processes, threads, etc , as well as instantiations thereof
- entities mclude functional objects without an associated human principal
- the identity of an entity may be authenticated using a credential
- Session A period and collection of states spanning one or more mteractions between an entity and an mformation environment
- a session may span multiple interactions with multiple resources of the mformation environment and, in some configurations, may span multiple mformation access protocols (e g , HTTP, FTP, telnet, etc )
- mformation access protocols e g , HTTP, FTP, telnet, etc
- a session has a beginning and an end Durmg its existence, a session has state
- the term session connotes a greater persistence than as sometimes used to describe the penod of a "session layer" protocol interaction, which m the case of some protocols, such as HTTP, is generally very short-lived
- FIG. 1 provides an overview of major mteractions between components for an exemplary secu ⁇ ty architecture in accordance with the present mvention
- a client application e g
- Gatekeeper and entry handler component 110 provides an entry pomt for external client applications requestmg access to enterprise applications and/or resources, mcludmg e g , mformation resources 191, 192 193, for which access management is provided by the secunty architecture Usmg facilities provided by a session management component 160, an authorization component 140, an authentication component 130, an identification component 150, and logm component 120
- the gatekeeper/entry handler component 110 allows, redirects or refuses access requests m accordance with a secu ⁇ ty policy
- mformation resource 191 may mclude a product mformation service for providmg general mformation such as product desc ⁇ ptions or data sheets to the public, while mformation resource 192 mcludes an order processmg system for an eCommerce site Information resource 193 may mclude functions for supply chain interactions such as access to inventory mformation or current selling price mformation Both the product mformation service and order mtake functions of the eCommerce may operate with similar security requirements, e g , allowing access by minimally authenticated, non-hostile entities On the other hand, supply cham functions may require a higher level of security Order status functions of the order processing system may require a mid-level of security Logm component 120, operatmg in conjunction with gatekeeper/entry handler component 110 and other components of the security
- gatekeeper/entry handler component In some embodiments in accordance with the present invention, gatekeeper/entry handler component
- authorization component 140 may obtam authorization for access to a particular requested enterp ⁇ se application or mformation resource by the requestmg entity (e g , the browser user) If the entity requestmg access has not yet been authenticated to the trust level required for the particular access to the particular enterprise application or information resource requested, authorization component 140 may mdicate that the access request is to be redirected to logm component 120 so that logm credentials may be obtamed and authenticated to a particular trust level If, on the other hand, logm credentials have already been obtamed for the requesting entity and the requesting entity has been authenticated usmg the obtamed credentials such that the required trust level has been achieved, the access will typically be allowed without the need for further logm credentials and authentication In certain circumstances, authorization component 140 may mdicate that the access is to be refused For example, authorization component 140 may be programmed to perform more stringent testmg beyond a trust level requirement In an exemplary enterpnse tool configuration, a desired secunty
- the mappmg of logm credential types and authentication mechanisms to trust levels is influenced by environment information such as time of request, source of request, connection speed, and/or client application (e g , browser) environment mformation
- environment information such as time of request, source of request, connection speed, and/or client application (e g , browser) environment mformation
- client application e g , browser
- mappmg rule dependencies are based on perceived variations in threat characteristics and/or requesting entity capabilities
- gatekeeper/entry handler component 110 is the authority on environment mformation for a particular requesting entity
- mappmg rules may be dynamically varied For example, if a particular logm credential type and or authentication method is deemed msecure (e g , because compromised or because of a changmg threat profile), the trust level mappings can be updated and have enterprise- wide effect.
- msecure e g , because compromised or because of a changmg threat profile
- the trust level mappings can be updated and have enterprise- wide effect
- several other advantages are achieved by defining the authentication requirement mterface between enterp ⁇ se applications and or resources and the security architecture m terms of required trust levels, rather than m terms of particular credential types and authentication methods
- smgle sign-on configurations are facilitated using an enterprise-wide credential obtaining, authentication and session tracking infrastructure
- authentication requirements may be enforced uniformly in accordance with an enterprise-wide security policy and with reduced vulnerability to a lax security implementation by any particular mformation resource
- credential types and authentication methods can be added, deleted, or mapped to a new trust level, all without
- a credential upgrade facility In response to an access request from an entity for which login credentials have already been obtamed and authenticated, but for which the obtained and authenticated login credentials are insufficient for the trust level associated with the requested access, authorization component 140 may indicate that the access request is to be redirected to logm component 120 so that sufficient logm credentials may be obtamed and authenticated to the required trust level
- credential upgrade facilities m accordance with certain embodiments of the present mvention allow upgrade without loss of session continuity
- an entity e g , a browser 170 operated by a user
- enterp ⁇ se applications and/or resources e g , 191, 192, 193
- enterp ⁇ se applications and/or resources e g , 191, 192, 193
- a gatekeeper/entry handler component 110 e g , 192, 193
- a login component 120 e.g , a wide va ⁇ ety of entities, including human users operatmg browser and/or non-browser client applications as well as automated agents and systems, may mteract with enterpnse applications and/or resources and the secu ⁇ ty architecture as described herein
- mformation resource identification schemes such as by Uniform Resource Locator (URL), resource address, identifier or namespace designation
- URL Uniform Resource Locator
- URL Uniform Resource Locator
- identifier identifier
- namespace designation a variety of mformation resource identification schemes, such as by Uniform Resource Locator (URL), resource address, identifier or namespace designation.
- URL Uniform Resource Locator
- an exemplary interaction involving a browser and mformation resources identified by URL is described in detail Nonetheless, based on the desc ⁇ ption herem, persons of ordinary skill m the art will appreciate a wide variety of configurations m accordance with the present mvention m which non-browser clients, automated agents or other systems mteract with enterprise applications and/or resources and the secunty architecture usmg any of a variety of mformation resource identification schemes
- browser 170 requests access to one or more of enterprise applications and or resources (e g , information resource 191) by presentmg an URL to gatekeeper/entry handler component 110, which acts as a pomt of entry for client entities requestmg access to applications and/or resources controlled by the security architecture
- Gatekeeper/entry handler component 110 receives the request as a proxy for the requested resource
- a combmed gatekeeper/entry handler mstance is provided, while in others, separate and/or multiple instances are provided with functionally identical mterfaces to other components of the security architecture
- multiple instances of entry handler functionality e g , interception of mbound requests and collection of environment information
- one or more mstances for each of several connection types e g , dialup, WAN, etc
- One or more instances of gatekeeper functionality e g , allowing access for authorized requests and otherwise denymg or initiating appropriate responsive action
- Entry handler functionality (e.g , m gatekeeper/entry handler component 110) ascertains much of the requestmg client's environment mformation For example, for dial-up connections, environment mformation such as lme speed and low-level lme encryption are ascertained.
- Additional mformation such as source number (e.g., from caller id mformation or based on a callback configuration), signaling type (e.g , POTS or digital ISDN), etc , may also be obtamed
- similar environment mformation e.g., source network and/or node, Virtual P ⁇ vate Network (VPN) low-level encryption, etc.
- VPN Virtual P ⁇ vate Network
- gatekeeper/entry handler component 110 obtams and/or mamtams mformation such as connect location (if ascertainable), temporal mformation such as request time/date, session start time/date, etc (preferably m both the client entity's frame of reference and the secunty architecture or requested mformation resource's frame of reference, if location is ascertainable), and client type and/or capabilities (e.g , browser
- Such mformation is used m some configurations for mappmg particular authentication mechanisms to trust levels and for authorization decisions.
- Environment mformation is generally packaged mto a data structure that is associated with a client session.
- Other components of the secunty architecture may add additional client environment information, such as authentication strength or current trust level
- Gatekeeper functionality (e.g., m gatekeeper/entry handler component 110) checks whether a session is already associated with the mcommg request. Although other techniques are possible, m some configurations m accordance with the present mvention, gatekeeper/entry handler component 110 checks for the presence of a session token m the mcommg request.
- a session token may be any data supplied to the client entity for use m uniquely identifying an associated session
- preferred session token implementations are cryptographically secured and mclude facilities, such as expiration or mappmg to a particular connection, to limit risk of replay attack and/or spoofing
- Some session token implementations may encode session, principal, and/or trust level mformation.
- Some session token implementations may employ cookies, URL encodmg, or other similar techniques for bmdmg to mcommg requests
- session tokens are employed to facilitate session continuity and to allow the secunty architecture to associate pnor authentication of logm credentials with an mcommg access request.
- session tokens are issued to client entities as part of an interaction with the secunty architecture and are thereafter presented with access requests.
- new session tokens (each correspondmg to a smgle session) are issued to client entity on each credential level change.
- a session token may remain the same even as credential levels are changed.
- Session continuity means the mamtenance of coherent session state across one or more mteractions between an entity and an mformation environment
- Components of session state are mamtamed or advanced throughout the duration of a session
- aspects of session state are represented internally by the secunty architecture and a session token (e g , a session id encoded m a cryptographically secured session token) allows the secunty architecture to reference mto the internal representation.
- a session token e g , a session id encoded m a cryptographically secured session token
- at least some aspects of session state may be represented or duplicated m the session token.
- a principal id and current trust level are encoded m one realization of a cryptographically secured session credential and associated session token or cookie
- a va ⁇ ety of facilities such as cookies, can be used to mamtam state across a se ⁇ es of protocol mteractions, such as HTTP transactions, that do not otherwise support persistent session state
- gatekeeper/entry handler component 110 if a session token is present in the mcommg request, gatekeeper/entry handler component 110 resolves the token to a session object Alternatively, if no session token is present or if a session token is invalid, gatekeeper/entry handler component 110 establishes a new session (2) In an exemplary configuration m accordance with FIG. 1, session management component 160 allocates a new session and supplies associated default session credentials (2) based on the requested information resource and environment mformation Note that a session is created irrespective of authentication status or identity, although some implementations may refuse to even allocate a session based on particular information resource requests and or environment information.
- Gatekeeper/entry handler component 110 supplies authorization component 140 with an identifier for the requested resource (e.g., the requested URL) and an identifier for the associated session.
- the associated session identifier is cryptographically secured (e.g., as a signed session credential)
- the signed session credential is obtained from the correspondmg session object.
- the signed session credential may be obtamed usmg a received session token
- authorization component 140 receives (3) the requested resource and session identifiers and responds (4) m accordance with the trust level requirement of the requested resource
- environment mformation may also be supplied to authorization component 140.
- authorization component 140 responds with an ALLOW, REDIRECT, or REFUSE response based on the sufficiency of a current trust level.
- authorization component 140 dynamically calculates a cunent trust level based on the signed session credentials and environment mformation.
- authorization component 140 may base its ALLOW, REDIRECT, or REFUSE response on a "current" trust level previously associated with the signed session credentials Generally, an access request with sufficient current trust level is ALLOWED and forwarded (14) without further authentication.
- An authorization request without proper parameters e.g., without a specified information resource or without a properly secured session credential may be REFUSED.
- Authorization requests associated with a client entity that has been blacklisted or for a resource for which the associated client entity cannot be authenticated usmg any available method to achieve the required trust level may also be REFUSED
- a given security policy and associated trust level mappmgs may dictate a REFUSE response m response to an access request to a sensitive resource (such as financial data) by any client entity (even a browser supplymg the digital certificate for the CFO, and therefore presumably operating on behalf of the CEO) if the access request is received over a dial-up lme and o ⁇ gmates from an unknown number or is received outside of workmg hours.
- an authorization transaction may dig deeper mto environment information before respondmg
- an authorization service will typically redirect to a logm service if the trust level associated with current session credentials is insufficient for a requested access
- an madequate trust level may result in a REFUSED message rather than a log-up REDIRECT dependmg on the particular secu ⁇ ty policy implemented.
- a REDIRECT response is used to forward the access request to logm component 120 so that sufficient logm credentials may be obtamed and authenticated to achieve the required trust level for the requested access
- both initial logm credentialing and credential upgrade are provided usmg the REDIRECT facility
- gatekeeper/entry handler component 110 redirects (5) browser 170 to logm component 120.
- gatekeeper/entry handler component 110 issues a client-side redirect via HTTP location directive to forward the request to logm component 120.
- Parameters such as required trust level, requested URL and credential passmg method can be encoded m the redirect URL and supplied (6) by browser 170 to logm component 120.
- some parameters can be passed (5A) directly (e.g , through a HttpSession object) although a stateless configuration is preferred
- a session token is passed to browser 170 m conjunction with the redirect (5) to logm component 120.
- suitable mechanisms for passmg the session token mcludmg those based on cookies and URL encodmg.
- mechanisms employed are based on facilities provided by commercially available browsers (e.g., m accordance with HTML 3.x, 4.x or other de-facto standards), although customized or plug-m facilities for receivmg and supplymg session token may be employed
- the session token is cryptographically secured and encoded m a cookie placed at browser 170 usmg a set cookie directive embedded m the redirect.
- Other configurations may use a less persistent session identification method, such as passmg an identifier or session token in the redirect URL without storage at browser 170. Still other configurations may transmit a session token, a session credential, or identifier such as a session handle for storage m a medium such as a smart card In configurations providmg credential upgrade, persistent session identification methods are generally preferred, even for a not yet authenticated client entity, for consistency of approach Note that although the identity of the client entity may not be authenticated to a sufficient level of trust, the redirected request mcludes a session token that at least identifies the session Other configurations may omit the bmdmg of session tokens to sessions of not yet authenticated client entities, though with some mcrease m complexity of logm component 120
- Browser 170 sends (6) logm component 120 a new access request usmg the URL specified m the redirect from gatekeeper/entry handler component 110
- the new access request will mclude the cookie and therefore the session token
- m configurations m which the secu ⁇ ty architecture controls access to resources m several domams care should be exercised to select a tag or tags for the cookie such that it will be provided through normal operation of the browser m subsequent accesses to any of the several domams
- suitable taggmg techniques mcludmg the use of multiple cookies
- Logm component 120 receives the access request and determines an approp ⁇ ate authentication scheme based on mappmg rules that identify those authentication schemes which are sufficient to achieve a given trust level
- the mappmg rules are a function of environment mformation
- mappmg rules are implemented as fuzzy sets wherem acceptable authentication schemes are a function
- mappmg rule logic is evaluated before a user is challenged to authenticate Mappmg occurs as a function of session environment and particulars of the information resource for which access is requested
- a service e g , a logm service such as provided by logm component 120
- the service checks current session environment agamst the allowed environment states for each potential authentication method to trim the list further If there is no particular resource for which access is bemg requested (e g , if a user jumps straight to a sign-on page without requesting an access), the service will proceed accordmg to the lowest level of trust available consistent with session environment
- Other configurations may employ differing default behaviors
- logm component 120 queries (7) authorization component 140 to identify the set of authentication schemes that meet or exceed the required trust level given a cunent environment
- the mappmg is performed by logm component 120
- logm component 120 supplies (9) mformation to browser 170 to allow the user to select from the suitable authentication schemes and to provide an associated logm credential
- logm component 120 supplies browser 170 with a logm page (e g , HTML) that prompts the user for an application specific user ID and a choice of authentication schemes Interactions with browser 170 depend on the set of credential types that, if authenticated, would be sufficient to meet the trust level requirement for access to the requested resource For example, if more than one type of credential would be sufficient, logm component 120 may mteractively allow a user to select from amongst the credential types (e g , usmg any HTML-based dialog) Once a particular credential type has been selected, logm component 120 mteracts with browser 170 to o
- Thwate, Entrust or other certificate authority may be obtamed from a browser 170 usmg an HTTP certificate request.
- credentials may be transacted m a variety of ways, credentials are typically obtamed from a user
- the obtammg is indirect by askmg the user's browser to complete the negotiation process.
- certificate-based authentication may be transparent to the user.
- further authentication can be performed by usmg mformation encoded within the certificate to query a certificate authority for current status or a lookup to an authentication database may be performed for more detailed requirements
- the more detailed mformation could relate to session environment or could force an additional name/password authentication as part of the certificate authentication cham
- such facilities can be provided by mappmg rule encodmgs that require successful authentication usmg multiple authentication methods to achieve a given trust level
- logm credentials Once logm credentials have been obtamed by logm component 120, they are supplied (11) to gatekeeper/entry handler component 110 for authentication.
- logm credential passmg via the shared object is suitable.
- an HTTP POST may be employed.
- the particular credential passmg method is selected as part of the ongmal HTTP redirect (e.g., encoded m the redirect URL) although other configurations need not allow for a selection or may employ other facilities for selection of a credential passmg method.
- Logm component 120 also passes control of the access request back to gatekeeper/entry handler component 110
- logm component 120 issues a new HTTP request (11) specifymg the originally requested URL, which has been stored m the HttpSession object.
- gatekeeper/entry handler component 110 receives the request.
- Gatekeeper/entry handler component 110 extracts the logm credentials from the request or from the HttpSession object and passes (12) the logm credentials to authentication component 130 for authentication.
- Authentication component 130 authenticates the logm credential, and if successful, quenes (13) identification component 150 to establish a conespondence with a set of entity descnptors that uniquely identifies the requesting entity.
- entity descnptor types mclude. entity id, system id (e.g., name/password), certificate, emgma id, smartcard token, name/address, and phone
- entity descnptor types may support multiple values (e g., multiple digital certificates, name/password parrs, or phone numbers per identity).
- session credentials are digitally-signed or otherwise cryptographically secured and returned (17) to gatekeeper/entry handler component 110
- session continuity is facilitated by supplymg a session token to browser 170
- logm component 120 supplies a session token usmg a set cookie directive encoded with the results streamed (23) back to browser 170
- browser 170 stores the cookie usmg a tag (typically a filename encodmg)
- Browser 170 supplies the cookie (and the session token) with subsequent access requests based on a correspondence between the tag and the requested resource Typically, the correspondence is based on the second-level domam (e g , sun com) m which the requested resource is hosted, although nth-level domams or other resource identification and session token associating schemes may be employed
- multiple cookies may be employed
- session tokens usmg cookies is presently prefened, m part because cookie facilities are widely supported and reasonably well accepted, other facilities may be employed to establish session continuity
- alternative URL encodmgs and/or custom or plug-in support for session identifier receipt, storage and supply may be employed
- some configurations may employ lower-level session identifiers, e g , as provided by a particular connection type such as trusted caller id information or as associated with a low-level lme encryption or virtual p ⁇ vate network mfrastructure
- connection type such as trusted caller id information
- a low-level lme encryption or virtual p ⁇ vate network mfrastructure As such facilities are likely to be connection-type specific, it is envisioned that they may be used m conjunction with other session identifier facilities descnbed above, e g , session tokens encoded m cookies
- the unique Ethernet MAC address associated with a network mterface card may be employed as a session handle The MAC
- subsequent access requests (e g , access request 1A) mclude a previously assigned session token
- gatekeeper/entry handler component 110 uses the session token, if provided to resolve a session object contaimng session credentials, and to determine whether previously authenticated credentials are sufficient for the requested access
- authorization component 140 may be que ⁇ ed usmg session credentials and an identifier for the requested resource to determine sufficiency of previously authenticated credentials
- sufficiency is determined usmg trust level mappmgs as described above
- access request 1A may or may not have associated previously authenticated ciedentials sufficient to support the requested access
- an access request 1A havmg a trust level requirement commensurate with previously obtamed and authenticated credentials (1 e , an access request for which no additional credentials need be obtamed via logm
- authorization component 140 supplies gatekeeper/entry handler component 110 with an ALLOW, REDIRECT or REFUSE response based on the trust level accorded based on the previously obtamed and authenticated logm credentials and on the trust level requirement associated with requested access 1A
- authorization of individual access requests is streamlined by the encodmg of trust level m a cryptographically secured session credential or token
- a REDIRECT response is supplied and gatekeeper/entry handler component 110 agam redirects (5) browser 170 to logm component 120 Additional logm credentials are obtamed as descnbed above with reference to initial credentials
- access request is proxied (20) and results (21) are streamed (23A) back to browser 170
- gatekeeper/entry handler component 110 supplies an updated session token usmg a set cookie directive encoded with the results streamed (23 A) back to browser 170
- An updated session token if supplied, resolves to the same session object as the session token replaced
- session state mcludmg e g , identity mappmgs, authorizations, roles, permissions, environmental vanables, etc
- the session object now encodes a logm credential successfully authenticated to achieve a higher trust level
- the achieved (higher) trust level is encoded m a cryptographically secured session token representation as a cookie streamed (23A) back to browser 170 with results (21)
- FIG. 2 illustrates operation of an exemplary secu ⁇ ty architecture providmg a smgle sign-on facility with trust level mappmg to authentication requirements
- an access request is received (201) from a client entity If the request does not contam a session identifier (e g , a session key or token) or if the request can otherwise be reliably associated with a session maintained by the secu ⁇ ty architecture, a new session is created (202)
- a trust level requirement is determined for access to the requested resource in the context of the requesting session environment In some configurations, as descnbed above, the determination is performed by an authorization service such as authorization component 140
- cunent session credentials are evaluated (203) m the context of session environment information to determine whether the previously supplied logm credentials are sufficient to achieve the required trust level
- a cryptographically secured encodmg of trust level allows authorization to be confirmed without mvolvement of an authentication service (e g , with reauthentication of logm
- session credentials may or may not be sufficient for access to the currently requested resource
- the identity of an entity accessmg resources controlled by the secunty architecture will be authenticated to a trust level sufficient for that access
- the level of trust associated with a cunent session e g , as evidenced by cunent session credentials
- the level of trust associated with a cunent session may or may not be sufficient for the subsequent access
- a cunent level of trust e g , resulting from p ⁇ or authentication of logm credentials for an entity associated with the session
- cunent session credentials may be insufficient (1) because the identity of the requesting client has not yet been authenticated (e g , m a first access situation), (2) because of a higher trust level requirement for the requested access, or (3) because of a change m mappmg rules or environment that causes a previously sufficient credential no longer be sufficient for a particular trust level
- a request conespondmg to a session and client entity that is insufficiently authenticated, and that is therefore not authorized is passed to a facility for obtammg credentials of a type that, if authenticated, will support the required trust level
- session credentials and/or an associated session token encode an expiration time (see desc ⁇ ption, below, of FIG. 4)
- session credentials are penodically refreshed by reauthentication of the underlying logm credentials
- a presented session token indicating expiration m less than five (5) minutes causes the secunty architecture to reauthenticate (not shown) underlying logm credentials stored m a conespondmg SessionObject (e g , under the pnvate key of authentication component 130)
- Reauthentication typically results m a new session credential and associated trust level Dependmg on then mstant mappmg rules, the associated trust level may or may not be sufficient
- reauthentication may fail if the logm credentials have been invalidated, revoked or if the login credentials have expired Assuming that reauthentication of logm credentials is successful, updated session credentials are issued, for example, by authentication component 130
- a request conespondmg to a session not authorized for a requested access is redirected (206) to a credential gathermg service (e g , logm component 120)
- the credential gathermg service receives (207) the redirected access and obtains (208) a trust level requirement for the requested access
- the trust level requirement may be passed with the redirected access or otherwise associated with the redirected access, m others the trust level requirement may be re-obtamed from an authorization service such as authorization component 140
- a trust level requirement is mapped (209) to at least one authentication scheme sufficient to achieve the requirement based on cunent trust level mappmgs and, if employed m the mappmg rules, based on cunent environment mformation Assuming that at least one authentication scheme is available that, if successful, will support the required trust level, logm credentials of that type are obtamed (210) for the entity and authenticated (211)
- Some credential types e g , username
- FIG. 3 illustrates mteractions between functional components m an exemplary functional decomposition of a security architecture
- An on-lme order processmg transaction is exemplary and functional bounda ⁇ es are merely illustrative
- a wide variety of suitable enterpnse information environments and functional decompositions m accordance with the appended claims will be appreciated by persons of ordmary skill m the art
- An application security framework 303 receives an access request mcludmg the order and, operating m conjunction with a vanety of other services, provides a smgle sign-on facility substantially as described above If the order does not mclude a session token or cannot be otherwise associated with conespondmg valid session credentials, then session credentials are obtamed As illustrated m FIG.
- session credentials are obtamed usmg logm credentials (e g , a username/password pair, a digital certificate, etc )
- an access request without session credentials will not have associated logm credentials
- logm credentials may be provided with an initial access request
- an mitial access request is received by application security framework 303 without session credentials or without pnor presentation and authentication of logm credentials sufficient to access the requested resource
- a subsequent request is made with logm credentials that purport to be sufficient, if authenticated, to meet the trust level required for access to order management service 312
- session credentials are obtamed by passmg logm credentials to a central secunty framework 304
- Signed session credentials are presented to application authorization service 313 together with an identifier for the requested resource and optionally with an identifier for a particular function or facility of the requested resource
- application authorization service 313 checks the authorization of the principal (e g , of user 301) associated with the session credentials to access the requested resource
- Application authorization service 313 mteracts with application resource registry 314 to identify trust level requirements for the requested resource (and m some configurations, for a particular function or facility of the requested resource) and determines the sufficiency of a cunent trust level evidenced by the session credential Note that trust level is assessed by inspection of the session credential and without interaction with an authentication service In some configurations (e g , as illustrated m FIG.
- group membership is also evaluated as part of the authorization check If the signed session credentials mdicate that the requesting entity, e g., browser 302 on behalf of user 301, is sufficiently authorized to access order management service 312, a CreateOrder request is passed to order management service 312 and order processmg proceeds in accordance with normal handlmg thereof Additional accesses may be required, e g., to select delivery options or to confirm some aspect of the order. Assuming that the additional accesses do not require a higher trust level, they will be passed to order management service 312 based on the conespondence of session credentials with trust level requirements
- a logm credential gathermg process is initiated. Based on the required trust level and on rules that encode the sufficiency of authentication schemes, a logm credential is obtamed from user 301 and/or browser 302 The obtamed login credential is of a type that, if authenticated, is sufficient to meet the trust level requirement for access to order management service 312 Aspects of an exemplary credential gathermg process are descnbed m greater detail above However, as an example, FIG. 3 illustrates the obtammg of a username/password pair.
- login credentials are obtamed, they are passed to central security framework 304 (as descnbed above) for authentication by central authentication service 307 so that session credentials can be obtamed, the requested access can be authorized, and the order processmg initiated Signed session credentials, typically embodied as a cryptographically secured session token that may be stored as a cookie, are passed back to browser 302 with results of the requested access. In this way, subsequent access requests are identified as part of a session and authorization may be quickly confirmed without unnecessary re-authentication.
- session credentials as a mechanism for evidencmg prior authentication of obtamed logm credentials and for bmdmg individual transactions to a particular session.
- session credentials are also employed m a session token form advantageous for transactions external to the secu ⁇ ty architecture.
- session tokens are encoded for supply to browsers as cookies.
- FIG. 4 illustrates relationships between exemplary logm credential, session credential and session token objects.
- logm credentials (e.g., represented m a form such as exemplary logm credentials structure 410) are obtamed for a client entity
- logm credentials encoded m logm credentials structure 410 are obtamed from a prmcipal via browser client and serve as evidence that the principal (e.g., a human user) is entitled to a particular identity.
- logm credentials structure 410 encodes a userld and a domainld within which the userld should uniquely conespond to a prmcipal.
- logm credentials structure 410 Specific logm credentials, e.g., a password, a certificate, results of a biomet ⁇ c process, a response to an Enigma challenge or results of a smart card mtenogation, etc. are encoded m logm credentials structure 410, as a tagged value.
- An authenticationScheme is specified and creation time may be encoded to limit replay attacks.
- logm credentials structure 410 is encrypted usmg the public key of an authentication service (e.g., of authentication component 130). Because the key is public, any component, even untrusted components may encrypt logm credentials for provision to authentication component 130, while only authentication component can decrypt the encrypted logm credentials usmg its p ⁇ vate key.
- secure transfer protocols e.g., SSL
- SSL secure transfer protocols
- a public key of an authentication service is performed withm the security architecture, e g , at logm component 120
- encryption with a public key of an authentication service may be performed at the client entity
- session credentials are embodied m a form such as exemplary session credentials structure 420
- Encrypted and clear text portions (421 and 422) of session credentials structure 420 allow contents of the session credential to be read by anyone and changed by no one (except the authentication service possessmg a private key) Contents of encrypted portion 421 conespond to that clear text portion 422 but are encrypted usmg the p ⁇ vate key of the authentication service (e g , of authentication component 130)
- principal ids, authorizations and other contents encoded m the session credential may be read by components of the security architecture, and m some embodiments by components external to the secunty architecture Such components can venfy the authenticity of mformation stored m clear text portion 422 usmg encrypted portion 421 and a public key conespondmg to the private key of the authentication service
- the information contamed m a session credential is generally not sensitive What
- session credentials may be digitally signed and venfied by a public key conespondmg to a p ⁇ vate key
- the digital signature also allows contents of the session credential to be read by anyone and changed by no one
- the implementation of FIG. 4 is prefened because encrypted portion 421 can be used as an externally supplied session token
- Such a session token representation is a compact representation of the session credential particularly appropnate for encodmg as a cookie placed at a browser and returned with subsequent access requests
- a session id, a prmcipal id, a trust level, group ids, a creation time and an expiration time are encoded m both m encrypted portion 421 and clear text portion 422
- the session id is a unique identifier for a persistent session mamtamed by the secu ⁇ ty architecture
- multiple successively issued session credential mstances may encode the same session id and conespond to the same persistent session
- Prmcipal id encodes an identifier for a prmcipal to which the secunty architecture has resolved logm credentials
- a logm credential mcludmg a username jdoe and a password conespondmg to jdoe may be resolved by the secunty architecture to a unique prmcipal id associated with John Q Doe of the shippmg
- Group ids can be used to grant or limit authorization scope based on group membership
- session credentials serve as evidence of p ⁇ or authentication and authorization for multiple accesses to information resources controlled by the secu ⁇ ty architecture
- session credentials may be replaced on a logm credential upgrade as described elsewhere herem
- session credentials of limited temporal validity may be refreshed by penodic replacement
- creation time and expiration time allow the secunty architecture to improve resistance to replay attacks
- Session credentials typically have a relatively short expiration time (e g , 15 minutes from creation or less) and underlymg logm credentials will be reauthenticated p ⁇ or to expiration of the session credential
- the underlymg logm credentials which are stored under the public key of authentication component 130, remam valid
- authentication component 130 will issue a replacement cryptographically secured session credential (e g , as session credentials structure 420)
- encrypted portion 421 may also be employed as a compact session token representation 430 of session credential for use as a cookie
- encrypted portion 421 is a string encoded representation of approximately 200 characters which may be placed at a browser (e g , via transfer 5, 23 or 23 A of FIG. 1) usmg a set cookie directive
- At least some of the above-desc ⁇ bed components are implemented as servlets executable m the context of a commercially-available web server environment
- JavaTM Embedded Server (JES) architecture with extensions for certificate handlmg, HyperText Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Secure Sockets Layer (SSL), extensible Markup Language (XML) grammar processmg and secu ⁇ ty Access Control List (ACL) support available from Sun Microsystems, Inc is one suitable environment Java and all Java-based marks and logos are trademarks or registered trademarks of Sun Microsystems, Inc m the United States and other countnes
- security architectures m accordance with the teachmgs of the present mvention may be implemented m the context of many commercially-available networked mformation service environments, mcludmg web server environments, as well as m custom environments and environments that in the future will be developed
- JES Java Embedded Server
- rules mappmg trust levels to authentication schemes may be encoded m a vanety of ways dependmg on the particular implementation In general, such mappmg rules may be encoded as static or dynamic table associating trust level to authentication schemes Alternatively, mappmg rules may be encoded as predicates or m other declarative forms Mappmg rules may be encoded m a weighted logic or fuzzy set form Additionally, particular mappmgs may depend environment mformation Furthermore, evaluation of mappmg rules may be performed m a vanety of functional components such as an authorization service, a credential gathermg service or
- a session token is a compact encrypted representation of at least selected contents of a session credential
- Other compact representations conespondmg to a session credential may be employed
- the same representation of session credentials may be employed both within the secunty architectare and outside the secunty architecture (e g , at a browser or other client)
- Suitable contents of a session credential (and session token, if employed) will be appreciated by persons of ordmary skill m the art based on the descnption herem of specific examples
- vanous components, services, servlets, regist ⁇ es and frameworks are somewhat arbitrary, and particular operations are illustrated m the context of specific illustrative configurations Other allocations of functionality are envisioned and may fall within the scope of claims that follow Structures and functionality presented as discrete components m the exemplary embod ⁇ ment(s) may be implemented as a combmed structure or component
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU67527/00A AU6752700A (en) | 1999-08-05 | 2000-07-31 | Security architecture with environment sensitive credential sufficiency evaluation |
EP00955304A EP1205057A2 (en) | 1999-08-05 | 2000-07-31 | Security architecture with environment sensitive credentials |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/368,504 | 1999-08-05 | ||
US09/368,504 US6691232B1 (en) | 1999-08-05 | 1999-08-05 | Security architecture with environment sensitive credential sufficiency evaluation |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001011845A2 true WO2001011845A2 (en) | 2001-02-15 |
WO2001011845A3 WO2001011845A3 (en) | 2001-08-16 |
Family
ID=23451529
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/020929 WO2001011845A2 (en) | 1999-08-05 | 2000-07-31 | Security architecture with environment sensitive credentials |
Country Status (4)
Country | Link |
---|---|
US (1) | US6691232B1 (en) |
EP (1) | EP1205057A2 (en) |
AU (1) | AU6752700A (en) |
WO (1) | WO2001011845A2 (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
NL1018494C2 (en) * | 2001-07-09 | 2003-01-10 | Koninkl Kpn Nv | Method and system for delivering a service to a client through a service process. |
WO2003009111A2 (en) | 2001-07-18 | 2003-01-30 | Daon Holdings Limited | A distributed network system using biometric authentication access |
EP1301006A1 (en) * | 2001-10-05 | 2003-04-09 | Microsoft Corporation | Granular authorization for network user sessions |
GB2384874A (en) * | 2002-01-31 | 2003-08-06 | Hewlett Packard Co | Apparatus for determining access rights to a computer |
US6618806B1 (en) * | 1998-04-01 | 2003-09-09 | Saflink Corporation | System and method for authenticating users in a computer network |
WO2004046896A2 (en) * | 2002-11-18 | 2004-06-03 | Hipaat Inc. | A method and system for access control |
WO2005034467A1 (en) * | 2003-10-02 | 2005-04-14 | Siemens Aktiengesellschaft | Communication device and method for setting a security configuration for a communication device |
US6928547B2 (en) | 1998-07-06 | 2005-08-09 | Saflink Corporation | System and method for authenticating users in a computer network |
WO2006039944A1 (en) * | 2004-10-12 | 2006-04-20 | Swisscom Ag | Method and system for the automatic adaptation of a service parameter |
EP1845689A2 (en) * | 2006-04-12 | 2007-10-17 | Deutsche Telekom AG | Method and communication system for providing personalised access to a group of devices |
DE102004025084B4 (en) * | 2003-05-23 | 2008-02-28 | Industrial Technology Research Institute, Chutung | Personal authentication device and personal authentication system and personal authentication method |
EP1990750A1 (en) * | 2007-05-09 | 2008-11-12 | Nokia Siemens Networks Oy | Method and device for data processing and communication system comprising such device |
EP2261796A2 (en) * | 2001-05-14 | 2010-12-15 | NTT DoCoMo, Inc. | System for managing program stored in storage block of mobile terminal |
WO2015134554A1 (en) * | 2014-03-07 | 2015-09-11 | Microsoft Technology Licensing, Llc | Automatic detection of authentication methods by a gateway |
JP2019049868A (en) * | 2017-09-11 | 2019-03-28 | Capy株式会社 | User authentication method, evaluation device, program, and user authentication system |
EP4016924A1 (en) * | 2020-12-21 | 2022-06-22 | BlackBerry Limited | Risk-aware access control system and related methods |
US20220382849A1 (en) * | 2021-05-25 | 2022-12-01 | Vmware, Inc. | Credentials management and usage in application modernization |
Families Citing this family (220)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6088515A (en) | 1995-11-13 | 2000-07-11 | Citrix Systems Inc | Method and apparatus for making a hypermedium interactive |
EP1149339A1 (en) | 1998-12-09 | 2001-10-31 | Network Ice Corporation | A method and apparatus for providing network and computer system security |
US7346929B1 (en) * | 1999-07-29 | 2008-03-18 | International Business Machines Corporation | Method and apparatus for auditing network security |
US6892307B1 (en) * | 1999-08-05 | 2005-05-10 | Sun Microsystems, Inc. | Single sign-on framework with trust-level mapping to authentication requirements |
WO2001022651A2 (en) * | 1999-09-20 | 2001-03-29 | Ethentica, Inc. | Cryptographic server with provisions for interoperability between cryptographic systems |
US7260724B1 (en) | 1999-09-20 | 2007-08-21 | Security First Corporation | Context sensitive dynamic authentication in a cryptographic system |
US7877492B2 (en) * | 1999-10-12 | 2011-01-25 | Webmd Corporation | System and method for delegating a user authentication process for a networked application to an authentication agent |
US8006243B2 (en) * | 1999-12-07 | 2011-08-23 | International Business Machines Corporation | Method and apparatus for remote installation of network drivers and software |
US7434219B2 (en) * | 2000-01-31 | 2008-10-07 | Commvault Systems, Inc. | Storage of application specific profiles correlating to document versions |
US7444368B1 (en) * | 2000-02-29 | 2008-10-28 | Microsoft Corporation | Methods and systems for selecting methodology for authenticating computer systems on a per computer system or per user basis |
US7050989B1 (en) * | 2000-03-16 | 2006-05-23 | Coremetrics, Inc. | Electronic commerce personalized content delivery system and method of operation |
US20050075946A1 (en) * | 2000-03-16 | 2005-04-07 | Keith Henning | Data accumulation and segmentation system in electronic commerce |
US7698565B1 (en) | 2000-03-30 | 2010-04-13 | Digitalpersona, Inc. | Crypto-proxy server and method of using the same |
US7409543B1 (en) * | 2000-03-30 | 2008-08-05 | Digitalpersona, Inc. | Method and apparatus for using a third party authentication server |
AU2001262958A1 (en) * | 2000-04-28 | 2001-11-12 | Internet Security Systems, Inc. | Method and system for managing computer security information |
WO2001084775A2 (en) * | 2000-04-28 | 2001-11-08 | Internet Security Systems, Inc. | System and method for managing security events on a network |
AUPQ724700A0 (en) * | 2000-05-02 | 2000-05-25 | Canon Kabushiki Kaisha | Printing using secure pickup |
US7716492B1 (en) * | 2000-05-09 | 2010-05-11 | Oracle America, Inc. | Method and apparatus to obtain service capability credentials |
WO2001090859A1 (en) * | 2000-05-19 | 2001-11-29 | Netscape Communications Corporation | Adaptive multi-tier authentication system |
US7174454B2 (en) * | 2002-11-19 | 2007-02-06 | America Online, Inc. | System and method for establishing historical usage-based hardware trust |
US7426530B1 (en) | 2000-06-12 | 2008-09-16 | Jpmorgan Chase Bank, N.A. | System and method for providing customers with seamless entry to a remote server |
US7076653B1 (en) * | 2000-06-27 | 2006-07-11 | Intel Corporation | System and method for supporting multiple encryption or authentication schemes over a connection on a network |
US7434257B2 (en) * | 2000-06-28 | 2008-10-07 | Microsoft Corporation | System and methods for providing dynamic authorization in a computer system |
US7162649B1 (en) * | 2000-06-30 | 2007-01-09 | Internet Security Systems, Inc. | Method and apparatus for network assessment and authentication |
US7124203B2 (en) * | 2000-07-10 | 2006-10-17 | Oracle International Corporation | Selective cache flushing in identity and access management systems |
US8661539B2 (en) * | 2000-07-10 | 2014-02-25 | Oracle International Corporation | Intrusion threat detection |
US7464162B2 (en) * | 2000-07-10 | 2008-12-09 | Oracle International Corporation | Systems and methods for testing whether access to a resource is authorized based on access information |
US7134137B2 (en) * | 2000-07-10 | 2006-11-07 | Oracle International Corporation | Providing data to applications from an access system |
US7249369B2 (en) * | 2000-07-10 | 2007-07-24 | Oracle International Corporation | Post data processing |
US7080077B2 (en) * | 2000-07-10 | 2006-07-18 | Oracle International Corporation | Localized access |
US9038170B2 (en) | 2000-07-10 | 2015-05-19 | Oracle International Corporation | Logging access system events |
US7194764B2 (en) * | 2000-07-10 | 2007-03-20 | Oracle International Corporation | User authentication |
US7188158B1 (en) * | 2000-07-15 | 2007-03-06 | Hewlett-Packard Development Company, L.P. | System and method for component-based software development |
US9098685B2 (en) * | 2000-07-25 | 2015-08-04 | Activcard Ireland Limited | Flexible method of user authentication |
US7137008B1 (en) | 2000-07-25 | 2006-11-14 | Laurence Hamid | Flexible method of user authentication |
WO2002013435A1 (en) * | 2000-08-04 | 2002-02-14 | First Data Corporation | Method and system for using electronic communications for an electronic contact |
JP3393604B2 (en) * | 2000-09-01 | 2003-04-07 | 株式会社インターナショナルビジネスリンク | Service provision method |
US6826698B1 (en) * | 2000-09-15 | 2004-11-30 | Networks Associates Technology, Inc. | System, method and computer program product for rule based network security policies |
US7089498B1 (en) * | 2000-09-26 | 2006-08-08 | Rathjen Alicemarie G | Method for preparing and using personal and genetic profiles |
US9027121B2 (en) | 2000-10-10 | 2015-05-05 | International Business Machines Corporation | Method and system for creating a record for one or more computer security incidents |
US8799463B1 (en) * | 2000-10-19 | 2014-08-05 | Ariba, Inc. | Method and apparatus for processing information related to interactive web sites |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
CA2327078C (en) * | 2000-11-30 | 2005-01-11 | Ibm Canada Limited-Ibm Canada Limitee | Secure session management and authentication for web sites |
US7130466B2 (en) * | 2000-12-21 | 2006-10-31 | Cobion Ag | System and method for compiling images from a database and comparing the compiled images with known images |
AU2002243763A1 (en) * | 2001-01-31 | 2002-08-12 | Internet Security Systems, Inc. | Method and system for configuring and scheduling security audits of a computer network |
US7444404B2 (en) * | 2001-02-05 | 2008-10-28 | Arbor Networks, Inc. | Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses |
US7185364B2 (en) * | 2001-03-21 | 2007-02-27 | Oracle International Corporation | Access system interface |
US7322040B1 (en) * | 2001-03-27 | 2008-01-22 | Microsoft Corporation | Authentication architecture |
US8185938B2 (en) * | 2001-03-29 | 2012-05-22 | International Business Machines Corporation | Method and system for network single-sign-on using a public key certificate and an associated attribute certificate |
US7237257B1 (en) * | 2001-04-11 | 2007-06-26 | Aol Llc | Leveraging a persistent connection to access a secured service |
US7873734B1 (en) * | 2001-05-17 | 2011-01-18 | Computer Associates Think, Inc. | Management of multiple user sessions and user requests for multiple electronic devices |
WO2002095554A2 (en) * | 2001-05-18 | 2002-11-28 | Imprivata Inc. | System and method for authentication using biometrics |
US7562146B2 (en) * | 2003-10-10 | 2009-07-14 | Citrix Systems, Inc. | Encapsulating protocol for session persistence and reliability |
US20050198379A1 (en) * | 2001-06-13 | 2005-09-08 | Citrix Systems, Inc. | Automatically reconnecting a client across reliable and persistent communication sessions |
US7657419B2 (en) * | 2001-06-19 | 2010-02-02 | International Business Machines Corporation | Analytical virtual machine |
US7062622B2 (en) * | 2001-06-29 | 2006-06-13 | Microsoft Corporation | Protection of content stored on portable memory from unauthorized usage |
US7174383B1 (en) * | 2001-08-31 | 2007-02-06 | Oracle International Corp. | Method and apparatus to facilitate single sign-on services in a hosting environment |
US20030051002A1 (en) * | 2001-09-13 | 2003-03-13 | Bogia Douglas P. | Method of connecting to a remote computer |
US20060248349A1 (en) * | 2001-09-24 | 2006-11-02 | Rathjen Alicemarie G | Method for preparing and using personal and genetic profiles |
EP1442387A4 (en) | 2001-09-28 | 2008-01-23 | Commvault Systems Inc | System and method for archiving objects in an information store |
US7412720B1 (en) * | 2001-11-02 | 2008-08-12 | Bea Systems, Inc. | Delegated authentication using a generic application-layer network protocol |
US7225256B2 (en) | 2001-11-30 | 2007-05-29 | Oracle International Corporation | Impersonation in an access system |
US7987501B2 (en) * | 2001-12-04 | 2011-07-26 | Jpmorgan Chase Bank, N.A. | System and method for single session sign-on |
US7154857B1 (en) | 2001-12-21 | 2006-12-26 | Mcafee, Inc. | Enterprise network analyzer zone controller system and method |
US7062783B1 (en) * | 2001-12-21 | 2006-06-13 | Mcafee, Inc. | Comprehensive enterprise network analyzer, scanner and intrusion detection framework |
WO2003058451A1 (en) * | 2002-01-04 | 2003-07-17 | Internet Security Systems, Inc. | System and method for the managed security control of processes on a computer system |
US7246230B2 (en) * | 2002-01-29 | 2007-07-17 | Bea Systems, Inc. | Single sign-on over the internet using public-key cryptography |
US7941533B2 (en) * | 2002-02-19 | 2011-05-10 | Jpmorgan Chase Bank, N.A. | System and method for single sign-on session management without central server |
US7984157B2 (en) * | 2002-02-26 | 2011-07-19 | Citrix Systems, Inc. | Persistent and reliable session securely traversing network components using an encapsulating protocol |
US7661129B2 (en) * | 2002-02-26 | 2010-02-09 | Citrix Systems, Inc. | Secure traversal of network components |
US7149806B2 (en) * | 2002-02-27 | 2006-12-12 | Hewlett-Packard Development Company, L.P. | Data access in a distributed environment |
US7191467B1 (en) * | 2002-03-15 | 2007-03-13 | Microsoft Corporation | Method and system of integrating third party authentication into internet browser code |
US7249262B2 (en) * | 2002-05-06 | 2007-07-24 | Browserkey, Inc. | Method for restricting access to a web site by remote users |
US7100049B2 (en) * | 2002-05-10 | 2006-08-29 | Rsa Security Inc. | Method and apparatus for authentication of users and web sites |
US7370360B2 (en) * | 2002-05-13 | 2008-05-06 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US20040059941A1 (en) * | 2002-09-19 | 2004-03-25 | Myfamily.Com, Inc. | Systems and methods for identifying users and providing access to information in a network environment |
US20040059920A1 (en) * | 2002-09-19 | 2004-03-25 | International Business Machines Corporation | Security health checking tool |
US8233392B2 (en) * | 2003-07-29 | 2012-07-31 | Citrix Systems, Inc. | Transaction boundary detection for reduction in timeout penalties |
US7630305B2 (en) * | 2003-07-29 | 2009-12-08 | Orbital Data Corporation | TCP selective acknowledgements for communicating delivered and missed data packets |
US7616638B2 (en) | 2003-07-29 | 2009-11-10 | Orbital Data Corporation | Wavefront detection and disambiguation of acknowledgments |
US8270423B2 (en) | 2003-07-29 | 2012-09-18 | Citrix Systems, Inc. | Systems and methods of using packet boundaries for reduction in timeout prevention |
US7441116B2 (en) * | 2002-12-30 | 2008-10-21 | International Business Machines Corporation | Secure resource distribution through encrypted pointers |
US7913303B1 (en) | 2003-01-21 | 2011-03-22 | International Business Machines Corporation | Method and system for dynamically protecting a computer system from attack |
US7340525B1 (en) * | 2003-01-24 | 2008-03-04 | Oracle International Corporation | Method and apparatus for single sign-on in a wireless environment |
US8432800B2 (en) * | 2003-07-29 | 2013-04-30 | Citrix Systems, Inc. | Systems and methods for stochastic-based quality of service |
US8238241B2 (en) | 2003-07-29 | 2012-08-07 | Citrix Systems, Inc. | Automatic detection and window virtualization for flow control |
US8437284B2 (en) | 2003-07-29 | 2013-05-07 | Citrix Systems, Inc. | Systems and methods for additional retransmissions of dropped packets |
US7882132B2 (en) * | 2003-10-09 | 2011-02-01 | Oracle International Corporation | Support for RDBMS in LDAP system |
US7904487B2 (en) * | 2003-10-09 | 2011-03-08 | Oracle International Corporation | Translating data access requests |
US7657938B2 (en) * | 2003-10-28 | 2010-02-02 | International Business Machines Corporation | Method and system for protecting computer networks by altering unwanted network data traffic |
US8661158B2 (en) | 2003-12-10 | 2014-02-25 | Aventail Llc | Smart tunneling to resources in a network |
US8590032B2 (en) | 2003-12-10 | 2013-11-19 | Aventail Llc | Rule-based routing to resources through a network |
US8255973B2 (en) * | 2003-12-10 | 2012-08-28 | Chris Hopen | Provisioning remote computers for accessing resources |
US7650509B1 (en) * | 2004-01-28 | 2010-01-19 | Gordon & Howard Associates, Inc. | Encoding data in a password |
US7617531B1 (en) | 2004-02-18 | 2009-11-10 | Citrix Systems, Inc. | Inferencing data types of message components |
US7437736B2 (en) * | 2004-03-10 | 2008-10-14 | Citibank, N.A. | Method and apparatus for managing workflow in a single sign-on framework |
WO2006002068A2 (en) * | 2004-06-15 | 2006-01-05 | Passmark Security, Inc. | Method and apparatus for making accessible a set of services to users |
US7698734B2 (en) * | 2004-08-23 | 2010-04-13 | International Business Machines Corporation | Single sign-on (SSO) for non-SSO-compliant applications |
US20060059569A1 (en) * | 2004-08-27 | 2006-03-16 | Microsoft Corporation | Application and device user verification from an operating system-based authentication service |
US8171479B2 (en) | 2004-09-30 | 2012-05-01 | Citrix Systems, Inc. | Method and apparatus for providing an aggregate view of enumerated system resources from various isolation layers |
US8117559B2 (en) * | 2004-09-30 | 2012-02-14 | Citrix Systems, Inc. | Method and apparatus for virtualizing window information |
US20060069662A1 (en) * | 2004-09-30 | 2006-03-30 | Citrix Systems, Inc. | Method and apparatus for remapping accesses to virtual system resources |
US8095940B2 (en) * | 2005-09-19 | 2012-01-10 | Citrix Systems, Inc. | Method and system for locating and accessing resources |
US7752600B2 (en) | 2004-09-30 | 2010-07-06 | Citrix Systems, Inc. | Method and apparatus for providing file-type associations to multiple applications |
US7711835B2 (en) * | 2004-09-30 | 2010-05-04 | Citrix Systems, Inc. | Method and apparatus for reducing disclosure of proprietary data in a networked environment |
US7748032B2 (en) * | 2004-09-30 | 2010-06-29 | Citrix Systems, Inc. | Method and apparatus for associating tickets in a ticket hierarchy |
US7680758B2 (en) * | 2004-09-30 | 2010-03-16 | Citrix Systems, Inc. | Method and apparatus for isolating execution of software applications |
US8613048B2 (en) * | 2004-09-30 | 2013-12-17 | Citrix Systems, Inc. | Method and apparatus for providing authorized remote access to application sessions |
US8181219B2 (en) | 2004-10-01 | 2012-05-15 | Microsoft Corporation | Access authorization having embedded policies |
US7818781B2 (en) * | 2004-10-01 | 2010-10-19 | Microsoft Corporation | Behavior blocking access control |
US20060075220A1 (en) * | 2004-10-01 | 2006-04-06 | Baugher Mark J | System and method to authorize a device to receive a content work based on device capabilities and content-work permissions |
WO2006044820A2 (en) | 2004-10-14 | 2006-04-27 | Aventail Corporation | Rule-based routing to resources through a network |
US8077632B2 (en) * | 2005-01-20 | 2011-12-13 | Citrix Systems, Inc. | Automatic LAN/WAN port detection |
US8024568B2 (en) | 2005-01-28 | 2011-09-20 | Citrix Systems, Inc. | Method and system for verification of an endpoint security scan |
US20060230278A1 (en) * | 2005-03-30 | 2006-10-12 | Morris Robert P | Methods,systems, and computer program products for determining a trust indication associated with access to a communication network |
US20060230279A1 (en) * | 2005-03-30 | 2006-10-12 | Morris Robert P | Methods, systems, and computer program products for establishing trusted access to a communication network |
US20060265737A1 (en) * | 2005-05-23 | 2006-11-23 | Morris Robert P | Methods, systems, and computer program products for providing trusted access to a communicaiton network based on location |
WO2006130615A2 (en) * | 2005-05-31 | 2006-12-07 | Tricipher, Inc. | Secure login using single factor split key asymmetric cryptography and an augmenting factor |
WO2007002196A2 (en) * | 2005-06-21 | 2007-01-04 | Corestreet, Ltd. | Preventing identity theft |
US7941668B2 (en) * | 2005-07-08 | 2011-05-10 | Stapleton Jeff J | Method and system for securely managing application transactions using cryptographic techniques |
US8131825B2 (en) * | 2005-10-07 | 2012-03-06 | Citrix Systems, Inc. | Method and a system for responding locally to requests for file metadata associated with files stored remotely |
US7779034B2 (en) * | 2005-10-07 | 2010-08-17 | Citrix Systems, Inc. | Method and system for accessing a remote file in a directory structure associated with an application program executing locally |
US20070083610A1 (en) * | 2005-10-07 | 2007-04-12 | Treder Terry N | Method and a system for accessing a plurality of files comprising an application program |
CA2632235A1 (en) * | 2005-12-02 | 2007-06-07 | Citrix Systems, Inc. | Method and apparatus for providing authentication credentials from a proxy server to a virtualized computing environment to access a remote resource |
US20070130289A1 (en) * | 2005-12-07 | 2007-06-07 | Christopher Defazio | Remote access |
CN1852094B (en) * | 2005-12-13 | 2010-09-29 | 华为技术有限公司 | Method and system for protecting account of network business user |
US8099508B2 (en) * | 2005-12-16 | 2012-01-17 | Comcast Cable Holdings, Llc | Method of using tokens and policy descriptors for dynamic on demand session management |
US8688813B2 (en) * | 2006-01-11 | 2014-04-01 | Oracle International Corporation | Using identity/resource profile and directory enablers to support identity management |
US8424067B2 (en) * | 2006-01-19 | 2013-04-16 | International Business Machines Corporation | Smart password determination |
US20070174429A1 (en) * | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
EP1982288A2 (en) * | 2006-01-26 | 2008-10-22 | Imprivata, Inc. | Systems and methods for multi-factor authentication |
US20070194881A1 (en) | 2006-02-07 | 2007-08-23 | Schwarz Stanley G | Enforcing payment schedules |
US20080028453A1 (en) * | 2006-03-30 | 2008-01-31 | Thinh Nguyen | Identity and access management framework |
US8151323B2 (en) * | 2006-04-12 | 2012-04-03 | Citrix Systems, Inc. | Systems and methods for providing levels of access and action control via an SSL VPN appliance |
US7930734B2 (en) * | 2006-04-28 | 2011-04-19 | Cisco Technology, Inc. | Method and system for creating and tracking network sessions |
US7685630B2 (en) * | 2006-05-04 | 2010-03-23 | Citrix Online, Llc | Methods and systems for providing scalable authentication |
US20080034412A1 (en) * | 2006-08-02 | 2008-02-07 | Informed Control Inc. | System to prevent misuse of access rights in a single sign on environment |
US7770002B2 (en) * | 2006-08-17 | 2010-08-03 | Fiserv, Inc. | Multi-factor authentication |
US8607303B2 (en) * | 2006-10-31 | 2013-12-10 | Apple Inc. | Techniques for modification of access expiration conditions |
US20080115192A1 (en) * | 2006-11-07 | 2008-05-15 | Rajandra Laxman Kulkarni | Customizable authentication for service provisioning |
US8533846B2 (en) * | 2006-11-08 | 2013-09-10 | Citrix Systems, Inc. | Method and system for dynamically associating access rights with a resource |
US7874011B2 (en) | 2006-12-01 | 2011-01-18 | International Business Machines Corporation | Authenticating user identity when resetting passwords |
US8380841B2 (en) * | 2006-12-07 | 2013-02-19 | Microsoft Corporation | Strategies for investigating and mitigating vulnerabilities caused by the acquisition of credentials |
US7734669B2 (en) | 2006-12-22 | 2010-06-08 | Commvault Systems, Inc. | Managing copies of data |
US8788419B2 (en) | 2006-12-30 | 2014-07-22 | First Data Corporation | Method and system for mitigating risk of fraud in internet banking |
US8583564B2 (en) * | 2007-03-26 | 2013-11-12 | Microsoft Corporation | Differential pricing based on social network standing |
US8327456B2 (en) * | 2007-04-13 | 2012-12-04 | Microsoft Corporation | Multiple entity authorization model |
US7992198B2 (en) * | 2007-04-13 | 2011-08-02 | Microsoft Corporation | Unified authentication for web method platforms |
US7908642B2 (en) * | 2007-04-18 | 2011-03-15 | Canon Kabushiki Kaisha | Policy store |
US8230490B2 (en) * | 2007-07-31 | 2012-07-24 | Keycorp | System and method for authentication of users in a secure computer system |
US20090064134A1 (en) * | 2007-08-30 | 2009-03-05 | Citrix Systems,Inc. | Systems and methods for creating and executing files |
US8396838B2 (en) * | 2007-10-17 | 2013-03-12 | Commvault Systems, Inc. | Legal compliance, electronic discovery and electronic document handling of online and offline copies of data |
US7925694B2 (en) | 2007-10-19 | 2011-04-12 | Citrix Systems, Inc. | Systems and methods for managing cookies via HTTP content layer |
US8171483B2 (en) | 2007-10-20 | 2012-05-01 | Citrix Systems, Inc. | Method and system for communicating between isolation environments |
US8539551B2 (en) * | 2007-12-20 | 2013-09-17 | Fujitsu Limited | Trusted virtual machine as a client |
US8090877B2 (en) * | 2008-01-26 | 2012-01-03 | Citrix Systems, Inc. | Systems and methods for fine grain policy driven cookie proxying |
US9832069B1 (en) | 2008-05-30 | 2017-11-28 | F5 Networks, Inc. | Persistence based on server response in an IP multimedia subsystem (IMS) |
US8769048B2 (en) * | 2008-06-18 | 2014-07-01 | Commvault Systems, Inc. | Data protection scheduling, such as providing a flexible backup window in a data protection system |
US9128883B2 (en) | 2008-06-19 | 2015-09-08 | Commvault Systems, Inc | Data storage resource allocation by performing abbreviated resource checks based on relative chances of failure of the data storage resources to determine whether data storage requests would fail |
US8352954B2 (en) | 2008-06-19 | 2013-01-08 | Commvault Systems, Inc. | Data storage resource allocation by employing dynamic methods and blacklisting resource request pools |
US8725688B2 (en) | 2008-09-05 | 2014-05-13 | Commvault Systems, Inc. | Image level copy or restore, such as image level restore without knowledge of data object metadata |
US20100070474A1 (en) | 2008-09-12 | 2010-03-18 | Lad Kamleshkumar K | Transferring or migrating portions of data objects, such as block-level data migration or chunk-based data migration |
US20100070466A1 (en) * | 2008-09-15 | 2010-03-18 | Anand Prahlad | Data transfer techniques within data storage devices, such as network attached storage performing data migration |
US8281379B2 (en) * | 2008-11-13 | 2012-10-02 | Vasco Data Security, Inc. | Method and system for providing a federated authentication service with gradual expiration of credentials |
US8544083B2 (en) * | 2009-02-19 | 2013-09-24 | Microsoft Corporation | Identification security elevation |
US8090797B2 (en) | 2009-05-02 | 2012-01-03 | Citrix Systems, Inc. | Methods and systems for launching applications into existing isolation environments |
WO2010144898A1 (en) * | 2009-06-12 | 2010-12-16 | General Instrument Corporation | Certificate status information protocol (csip) proxy and responder |
US9531695B2 (en) * | 2009-06-12 | 2016-12-27 | Microsoft Technology Licensing, Llc | Access control to secured application features using client trust levels |
US8202205B2 (en) * | 2010-02-09 | 2012-06-19 | GoBe Healthy, LLC | Omni-directional exercise device |
US9294479B1 (en) * | 2010-12-01 | 2016-03-22 | Google Inc. | Client-side authentication |
US8849762B2 (en) | 2011-03-31 | 2014-09-30 | Commvault Systems, Inc. | Restoring computing environments, such as autorecovery of file systems at certain points in time |
US11475105B2 (en) | 2011-12-09 | 2022-10-18 | Rightquestion, Llc | Authentication translation |
US9294452B1 (en) * | 2011-12-09 | 2016-03-22 | Rightquestion, Llc | Authentication translation |
US10157184B2 (en) | 2012-03-30 | 2018-12-18 | Commvault Systems, Inc. | Data previewing before recalling large data files |
US9781129B1 (en) * | 2012-03-30 | 2017-10-03 | EMC IP Holding Company LLC | Authenticating an entity |
US9203818B1 (en) * | 2012-08-23 | 2015-12-01 | Amazon Technologies, Inc. | Adaptive timeouts for security credentials |
US9213827B2 (en) | 2012-09-27 | 2015-12-15 | Intel Corporation | Security data aggregation and business intelligence for web applications |
US9633216B2 (en) | 2012-12-27 | 2017-04-25 | Commvault Systems, Inc. | Application of information management policies based on operation with a geographic entity |
US11178126B2 (en) | 2013-01-15 | 2021-11-16 | Schneider Electric USA, Inc. | Systems and methods for securely accessing programmable devices |
US9100387B2 (en) * | 2013-01-24 | 2015-08-04 | Oracle International Corporation | State driven orchestration of authentication components in an access manager |
US9459968B2 (en) | 2013-03-11 | 2016-10-04 | Commvault Systems, Inc. | Single index to query multiple backup formats |
US9166970B1 (en) | 2013-03-15 | 2015-10-20 | Symantec Corporation | Dynamic framework for certificate application configuration |
US9780950B1 (en) * | 2013-03-15 | 2017-10-03 | Symantec Corporation | Authentication of PKI credential by use of a one time password and pin |
US9430665B2 (en) * | 2013-07-22 | 2016-08-30 | Siemens Aktiengesellschaft | Dynamic authorization to features and data in JAVA-based enterprise applications |
US9232402B2 (en) * | 2013-11-21 | 2016-01-05 | At&T Intellectual Property I, L.P. | System and method for implementing a two-person access rule using mobile devices |
US9798596B2 (en) | 2014-02-27 | 2017-10-24 | Commvault Systems, Inc. | Automatic alert escalation for an information management system |
US9648100B2 (en) | 2014-03-05 | 2017-05-09 | Commvault Systems, Inc. | Cross-system storage management for transferring data across autonomous information management systems |
US9823978B2 (en) | 2014-04-16 | 2017-11-21 | Commvault Systems, Inc. | User-level quota management of data objects stored in information management systems |
US9740574B2 (en) | 2014-05-09 | 2017-08-22 | Commvault Systems, Inc. | Load balancing across multiple data paths |
US9852026B2 (en) | 2014-08-06 | 2017-12-26 | Commvault Systems, Inc. | Efficient application recovery in an information management system based on a pseudo-storage-device driver |
US11249858B2 (en) | 2014-08-06 | 2022-02-15 | Commvault Systems, Inc. | Point-in-time backups of a production application made accessible over fibre channel and/or ISCSI as data sources to a remote application by representing the backups as pseudo-disks operating apart from the production application and its host |
US9444811B2 (en) | 2014-10-21 | 2016-09-13 | Commvault Systems, Inc. | Using an enhanced data agent to restore backed up data across autonomous storage management systems |
GB2535165B (en) * | 2015-02-09 | 2021-09-29 | Arm Ip Ltd | A method of establishing trust between a device and an apparatus |
US10834065B1 (en) | 2015-03-31 | 2020-11-10 | F5 Networks, Inc. | Methods for SSL protected NTLM re-authentication and devices thereof |
EP3317875B1 (en) * | 2015-07-03 | 2022-10-26 | Telefonaktiebolaget LM Ericsson (publ) | Keyless signature infrastructure based virtual machine integrity |
US9766825B2 (en) | 2015-07-22 | 2017-09-19 | Commvault Systems, Inc. | Browse and restore for block-level backups |
US9946859B2 (en) | 2015-11-04 | 2018-04-17 | Motorola Solutions, Inc. | Systems and methods for enabling a lock screen of an electronic device |
US9701279B1 (en) | 2016-01-12 | 2017-07-11 | Gordon*Howard Associates, Inc. | On board monitoring device |
US10404698B1 (en) | 2016-01-15 | 2019-09-03 | F5 Networks, Inc. | Methods for adaptive organization of web application access points in webtops and devices thereof |
US10296368B2 (en) | 2016-03-09 | 2019-05-21 | Commvault Systems, Inc. | Hypervisor-independent block-level live browse for access to backed up virtual machine (VM) data and hypervisor-free file-level recovery (block-level pseudo-mount) |
US10838821B2 (en) | 2017-02-08 | 2020-11-17 | Commvault Systems, Inc. | Migrating content and metadata from a backup system |
US10740193B2 (en) | 2017-02-27 | 2020-08-11 | Commvault Systems, Inc. | Hypervisor-independent reference copies of virtual machine payload data based on block-level pseudo-mount |
US10891069B2 (en) | 2017-03-27 | 2021-01-12 | Commvault Systems, Inc. | Creating local copies of data stored in online data repositories |
US10776329B2 (en) | 2017-03-28 | 2020-09-15 | Commvault Systems, Inc. | Migration of a database management system to cloud storage |
US11074140B2 (en) | 2017-03-29 | 2021-07-27 | Commvault Systems, Inc. | Live browsing of granular mailbox data |
US10664352B2 (en) | 2017-06-14 | 2020-05-26 | Commvault Systems, Inc. | Live browsing of backed up data residing on cloned disks |
US11290466B2 (en) * | 2017-08-16 | 2022-03-29 | Cable Television Laboratories, Inc. | Systems and methods for network access granting |
US10795927B2 (en) | 2018-02-05 | 2020-10-06 | Commvault Systems, Inc. | On-demand metadata extraction of clinical image data |
US10761942B2 (en) | 2018-03-12 | 2020-09-01 | Commvault Systems, Inc. | Recovery point objective (RPO) driven backup scheduling in a data storage management system using an enhanced data agent |
US10789387B2 (en) | 2018-03-13 | 2020-09-29 | Commvault Systems, Inc. | Graphical representation of an information management system |
US10860443B2 (en) | 2018-12-10 | 2020-12-08 | Commvault Systems, Inc. | Evaluation and reporting of recovery readiness in a data storage management system |
US11070548B2 (en) * | 2018-12-21 | 2021-07-20 | Paypal, Inc. | Tokenized online application sessions |
US11057531B2 (en) * | 2019-01-03 | 2021-07-06 | Kodak Alaris Inc. | Operating an appliance scanner system |
US11443052B2 (en) | 2019-03-21 | 2022-09-13 | Microsoft Technology Licensing, Llc | Secure area in a file storage system |
US11025732B2 (en) | 2019-06-17 | 2021-06-01 | Vmware, Inc. | Method and apparatus to perform user authentication during cloud provider sessions |
US11308034B2 (en) | 2019-06-27 | 2022-04-19 | Commvault Systems, Inc. | Continuously run log backup with minimal configuration and resource usage from the source machine |
US11171945B2 (en) * | 2019-10-16 | 2021-11-09 | Capital One Services, Llc | Time-based token trust depreciation |
US11818159B2 (en) | 2019-12-11 | 2023-11-14 | Target Brands, Inc. | Website guest risk assessment and mitigation |
CN113779609B (en) * | 2021-09-22 | 2024-03-22 | 北方健康医疗大数据科技有限公司 | Data management method, device, electronic equipment and storage medium |
CN116962088B (en) * | 2023-09-20 | 2023-11-28 | 上海金电网安科技有限公司 | Login authentication method, zero trust controller and electronic equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0465016A2 (en) * | 1990-06-25 | 1992-01-08 | Digital Equipment Corporation | Distributed multilevel computer security system and method |
EP0849680A2 (en) * | 1996-12-18 | 1998-06-24 | Sun Microsystems, Inc. | Multilevel security port methods, apparatuses, and computer program products |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5610981A (en) | 1992-06-04 | 1997-03-11 | Integrated Technologies Of America, Inc. | Preboot protection for a data security system with anti-intrusion capability |
EP0830774B1 (en) | 1995-06-07 | 2004-10-06 | divine technology ventures | Internet server access control and monitoring systems |
US5774551A (en) | 1995-08-07 | 1998-06-30 | Sun Microsystems, Inc. | Pluggable account management interface with unified login and logout and multiple user authentication services |
US5826014A (en) | 1996-02-06 | 1998-10-20 | Network Engineering Software | Firewall system for protecting network elements connected to a public network |
CA2272649A1 (en) | 1996-11-21 | 1998-06-11 | Jordan J. Glogau | Web site copy protection system and method |
US5875296A (en) | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
US6041357A (en) | 1997-02-06 | 2000-03-21 | Electric Classified, Inc. | Common session token system and protocol |
US6408336B1 (en) * | 1997-03-10 | 2002-06-18 | David S. Schneider | Distributed administration of access to information |
US6275941B1 (en) | 1997-03-28 | 2001-08-14 | Hiatchi, Ltd. | Security management method for network system |
US5944824A (en) | 1997-04-30 | 1999-08-31 | Mci Communications Corporation | System and method for single sign-on to a plurality of network elements |
US5930804A (en) | 1997-06-09 | 1999-07-27 | Philips Electronics North America Corporation | Web-based biometric authentication system and method |
US6308273B1 (en) * | 1998-06-12 | 2001-10-23 | Microsoft Corporation | Method and system of security location discrimination |
US6182142B1 (en) * | 1998-07-10 | 2001-01-30 | Encommerce, Inc. | Distributed access management of information resources |
US6226752B1 (en) | 1999-05-11 | 2001-05-01 | Sun Microsystems, Inc. | Method and apparatus for authenticating users |
-
1999
- 1999-08-05 US US09/368,504 patent/US6691232B1/en not_active Expired - Lifetime
-
2000
- 2000-07-31 WO PCT/US2000/020929 patent/WO2001011845A2/en not_active Application Discontinuation
- 2000-07-31 AU AU67527/00A patent/AU6752700A/en not_active Abandoned
- 2000-07-31 EP EP00955304A patent/EP1205057A2/en not_active Withdrawn
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0465016A2 (en) * | 1990-06-25 | 1992-01-08 | Digital Equipment Corporation | Distributed multilevel computer security system and method |
EP0849680A2 (en) * | 1996-12-18 | 1998-06-24 | Sun Microsystems, Inc. | Multilevel security port methods, apparatuses, and computer program products |
Non-Patent Citations (1)
Title |
---|
STALLINGS W: "IPV6: THE NEW INTERNET PROTOCOL" IEEE COMMUNICATIONS MAGAZINE,IEEE SERVICE CENTER. PISCATAWAY, N.J,US, vol. 34, no. 7, 1 July 1996 (1996-07-01), pages 96-108, XP000623747 ISSN: 0163-6804 * |
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6618806B1 (en) * | 1998-04-01 | 2003-09-09 | Saflink Corporation | System and method for authenticating users in a computer network |
US8171288B2 (en) | 1998-07-06 | 2012-05-01 | Imprivata, Inc. | System and method for authenticating users in a computer network |
US6928547B2 (en) | 1998-07-06 | 2005-08-09 | Saflink Corporation | System and method for authenticating users in a computer network |
EP2261796A2 (en) * | 2001-05-14 | 2010-12-15 | NTT DoCoMo, Inc. | System for managing program stored in storage block of mobile terminal |
WO2003007571A1 (en) * | 2001-07-09 | 2003-01-23 | Koninklijke Kpn N.V. | Method and system for a service process to provide a service to a client |
NL1018494C2 (en) * | 2001-07-09 | 2003-01-10 | Koninkl Kpn Nv | Method and system for delivering a service to a client through a service process. |
US7565554B2 (en) | 2001-07-09 | 2009-07-21 | Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno | Method and system for a service process to provide a service to a client |
WO2003009111A3 (en) * | 2001-07-18 | 2004-04-08 | Daon Holdings Ltd | A distributed network system using biometric authentication access |
WO2003009111A2 (en) | 2001-07-18 | 2003-01-30 | Daon Holdings Limited | A distributed network system using biometric authentication access |
US7702918B2 (en) | 2001-07-18 | 2010-04-20 | Daon Holdings Limited | Distributed network system using biometric authentication access |
EP1301006A1 (en) * | 2001-10-05 | 2003-04-09 | Microsoft Corporation | Granular authorization for network user sessions |
US7076797B2 (en) | 2001-10-05 | 2006-07-11 | Microsoft Corporation | Granular authorization for network user sessions |
GB2384874A (en) * | 2002-01-31 | 2003-08-06 | Hewlett Packard Co | Apparatus for determining access rights to a computer |
GB2384874B (en) * | 2002-01-31 | 2005-12-21 | Hewlett Packard Co | Apparatus for setting access requirements |
WO2004046896A3 (en) * | 2002-11-18 | 2004-11-04 | Hipaat Inc | A method and system for access control |
WO2004046896A2 (en) * | 2002-11-18 | 2004-06-03 | Hipaat Inc. | A method and system for access control |
DE102004025084B4 (en) * | 2003-05-23 | 2008-02-28 | Industrial Technology Research Institute, Chutung | Personal authentication device and personal authentication system and personal authentication method |
US7694330B2 (en) | 2003-05-23 | 2010-04-06 | Industrial Technology Research Institute | Personal authentication device and system and method thereof |
WO2005034467A1 (en) * | 2003-10-02 | 2005-04-14 | Siemens Aktiengesellschaft | Communication device and method for setting a security configuration for a communication device |
WO2006039944A1 (en) * | 2004-10-12 | 2006-04-20 | Swisscom Ag | Method and system for the automatic adaptation of a service parameter |
EP1845689A3 (en) * | 2006-04-12 | 2009-02-18 | Deutsche Telekom AG | Method and communication system for providing personalised access to a group of devices |
EP1845689A2 (en) * | 2006-04-12 | 2007-10-17 | Deutsche Telekom AG | Method and communication system for providing personalised access to a group of devices |
US8966568B2 (en) | 2007-05-09 | 2015-02-24 | Nokia Solutions And Networks Oy | Method and device for data processing and communication system comprising such device |
WO2008138747A3 (en) * | 2007-05-09 | 2009-02-05 | Nokia Siemens Networks Oy | Method and device for data processing and communication system comprising such device |
WO2008138747A2 (en) | 2007-05-09 | 2008-11-20 | Nokia Siemens Networks Oy | Method and device for data processing and communication system comprising such device |
EP1990750A1 (en) * | 2007-05-09 | 2008-11-12 | Nokia Siemens Networks Oy | Method and device for data processing and communication system comprising such device |
EP3557456A1 (en) * | 2007-05-09 | 2019-10-23 | Nokia Solutions and Networks Oy | Method and device for data processing and communication system comprising such device |
WO2015134554A1 (en) * | 2014-03-07 | 2015-09-11 | Microsoft Technology Licensing, Llc | Automatic detection of authentication methods by a gateway |
US9794227B2 (en) | 2014-03-07 | 2017-10-17 | Microsoft Technology Licensing, Llc | Automatic detection of authentication methods by a gateway |
JP2019049868A (en) * | 2017-09-11 | 2019-03-28 | Capy株式会社 | User authentication method, evaluation device, program, and user authentication system |
EP3480715A4 (en) * | 2017-09-11 | 2019-07-24 | Capy Japan Inc. | User authentication method, evaluation device, program and user authentication system |
US11153312B2 (en) | 2017-09-11 | 2021-10-19 | Capy Japan Inc. | User authentication method, evaluation device, non-transitory computer-readable storage medium, and user authentication system |
EP4016924A1 (en) * | 2020-12-21 | 2022-06-22 | BlackBerry Limited | Risk-aware access control system and related methods |
US11888857B2 (en) | 2020-12-21 | 2024-01-30 | Blackberry Limited | Risk-aware access control system and related methods |
US20220382849A1 (en) * | 2021-05-25 | 2022-12-01 | Vmware, Inc. | Credentials management and usage in application modernization |
Also Published As
Publication number | Publication date |
---|---|
EP1205057A2 (en) | 2002-05-15 |
WO2001011845A3 (en) | 2001-08-16 |
US6691232B1 (en) | 2004-02-10 |
AU6752700A (en) | 2001-03-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6691232B1 (en) | Security architecture with environment sensitive credential sufficiency evaluation | |
US6668322B1 (en) | Access management system and method employing secure credentials | |
US6609198B1 (en) | Log-on service providing credential level change without loss of session continuity | |
US6892307B1 (en) | Single sign-on framework with trust-level mapping to authentication requirements | |
Gutzmann | Access control and session management in the HTTP environment | |
EP1427160B1 (en) | Methods and systems for authentication of a user for sub-locations of a network location | |
US7774612B1 (en) | Method and system for single signon for multiple remote sites of a computer network | |
Erdos et al. | Shibboleth architecture draft v05 | |
EP1595190B1 (en) | Service provider anonymization in a single sign-on system | |
US7356833B2 (en) | Systems and methods for authenticating a user to a web server | |
CN112039909A (en) | Authentication method, device, equipment and storage medium based on unified gateway | |
Carretero et al. | Federated identity architecture of the European eID system | |
Beltran | Characterization of web single sign-on protocols | |
CA3093444A1 (en) | System and method for identity and authorization management | |
US20040083296A1 (en) | Apparatus and method for controlling user access | |
KR100406292B1 (en) | Password Transmission system and method in Terminal Communications | |
Alrodhan | Identity management systems | |
Kivinen | OpenID Connect Provider Certification | |
KR101066729B1 (en) | Methods and systems for authentication of a user for sub-locations of a network location | |
Straub et al. | A multipurpose delegation proxy for WWW credentials | |
Rehbock | Trustworthy Clients: Extending TNC for Integrity Checks in Web-Based Environments | |
Fleischer et al. | Information Assurance for Global Information Grid (GIG) Net-Centric Enterprise Services | |
Kang et al. | ANALYSIS OF THE SECURITY REQUIREMENTS FOR THE ID MANAGEMENT SYSTEM |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
AK | Designated states |
Kind code of ref document: A3 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A3 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2000955304 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 2000955304 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 2000955304 Country of ref document: EP |