Information security system

US 20030110372A1
Filed: 11/22/2002
Published: 06/12/2003
Est. Priority Date: 04/24/2001
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising at least one platform containing a trusted entity and at least one label, the trusted entity being operable such that use of the or each label by the trusted entity is dependent on the presence or potential presence of a predetermined software state in the or each platform.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information security system is disclosed having a considerably simplified access control infrastructure. The number of secrets in a computer system domain is reduced to a minimum, yet individual users may still be identified and access to applications may still be individually controlled. The trusted entity in each of a plurality of platforms (100, 200, 202, 203) of the computer system may store an identity secret of the platform (100, 200, 202, 203) and may be trusted to use that secret in conjunction with an information label only when the platform (100, 200, 202, 203) is running the correct software to provide and/or take part in a particular service associated with that information label.

Citations

25 Claims

1. A computer system comprising at least one platform containing a trusted entity and at least one label, the trusted entity being operable such that use of the or each label by the trusted entity is dependent on the presence or potential presence of a predetermined software state in the or each platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A computer system as claimed in claim 1 in which the at least one label is adapted to indicate or advertise the presence or potential presence of the predetermined software state in the or each platform.
  - 3. A computer system as claimed in claim 1, in which the predetermined software state includes a particular configuration of computing resources and/or software described directly or indirectly by the or each label.
  - 4. A computer system as claimed in claim 3, in which the or each label describes a service which can potentially be offered by the at least one platform.
  - 5. A computer system as claimed in claim 1, in which the labels in at least two platforms are the same where the labels describe essentially the same configuration of computing resources and/or software.
  - 6. A computer system as claimed in claim 5, in which the labels in the two platforms are essentially the same where the labels describe a particular configuration of computing resources and/or software related to the same distributed computing engine or distributed service.
  - 7. A computer system as claimed in claim 1 in which the or each label is widely published and one form of published label is signed using a secret known to the platform.
  - 8. A computer system as claimed in claim 1, in which the or each label is widely published and one form of published label includes descriptive information and is signed by a trusted entity.
  - 9. A computer system as claimed in claim 1, in which the or each label is widely published and one form of published label includes descriptive information about the configuration of computing resources and/or software associated with the label and is signed by a trusted entity.
  - 10. A computer system as claimed in claim 1, in which the or each label is widely published and one form of published label includes an offer to provide a configuration of computing resources and/or software associated with the label.
  - 11. A computer system as claimed in claim 10, in which the or each label is signed using a secret known to the platform.
  - 12. A computer system as claimed in claim 1, in which the reception by the platform of a cryptographic challenge incorporating one of said at least one labels from a second platform causes the platform to determine whether the computing resources and/or software associated with said label can be provided by the platform.
  - 13. A computer system as claimed in claim 1, in which proof of possession of a label by a platform is sufficient for another entity to cooperate with that platform for the purposes of using and/or providing the computing resources and/or software described by that label.
  - 14. A computer system as claimed in claim 3, operable such that the right to use the computing resources and/or software described by the label depends on provision of one or more of:
    - proof of possession of a platform secret, proof of possession of a user secret, presentation of a non-secret authorisation value associated with a user whose use is known to be indicative of a request from the user, presentation of a non-secret authorisation value associated with a user whose use is known to be indicative of agreement by the user to tender payment.
  - 15. A computer system as claimed in claim 1, in which at least one platform contains trustworthy integrated mandatory enforcement controls and security capabilities that transparently provide security and privacy to applications that are at least substantially ignorant of security and privacy, and requires permission from at least one other platform to permit the flow of information to the resources allocated to said other platform from the resources allocated to the first-mentioned platform.

16. A computer system comprising at least one platform containing a trusted entity and at least one label, the trusted entity being operable such that use of the or each label by the trusted entity is dependent on the presence or potential presence of a predetermined software state in the or each platform, wherein the at least one label is operable to indicate or advertise the presence or potential presence of the predetermined software state in the or each platform, and wherein the or each label is widely published and describes a service or resource which can potentially be offered by the at least one platform.

17. A computer system comprising at least one platform containing a trusted entity and at least one label, wherein the label describes a predetermined software state in the or each platform and wherein the trusted entity is operable to use the label if the predetermined software state is described by the label is present or potentially present in the or each platform.
- View Dependent Claims (18, 19)
- - 18. A computer system as claimed in claim 17, in which the trusted entity will sign the at least one label with a secret known to the platform only if the predetermined software state is present or potentially present in the at least one platform.
  - 19. A computer system as claimed in claim 17, in which the at least one label publicly discloses the predetermined software state in order to indicate the availability of a service or the resource on the or each platform.

20. A computer system comprising at least one platform containing a trusted entity and at least one application, wherein the platform is operable to perform security functions for the computer system.
- View Dependent Claims (21, 22, 23)
- - 21. A computer system as claimed in claim 20, in which the platform performs substantially all security functions and the applications perform substantially no security functions.
  - 22. A computer system as claimed in claim 20, in which the platform is operable to apply mandatory security controls on communications from the computer system.
  - 23. A computer system as claimed in claim 20, in which updates of security functions are broadcast across the system to the at least one platform.

24. A method for a computer system to signal the potential availability of a computing resource or service comprises providing a platform containing a trusted entity with at least one label, wherein the label is used by the platform only when a predetermined software state is present or potentially present in the platform.
- View Dependent Claims (25)
- - 25. A method as claimed in claim 24, wherein the label describes the computing resource or service, which is defined by the predetermined software state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Proudler, Graeme John

Granted Patent

US 8,909,555 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2153   Using hardware token as a s...

Information security system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Information security system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links