Uniform modular framework for a host computer system

US 20040221174A1
Filed: 04/29/2003
Published: 11/04/2004
Est. Priority Date: 04/29/2003
Status: Abandoned Application

First Claim

Patent Images

1. A system which provides a modular uniform security applications framework for a host computer system and a compliant security token in processing communications with the host computer system comprising:

said compliant security token including a set of retrievable token security policies and one or more token security applications;

said host computer system including a retrievable set of host security policies and a token access control application, wherein said token access control application includes means for;

retrieving at least a portion of said host security policies from said host computer system, retrieving at least a portion of said token security policies from said compliant security token, generating a composite set of security policies from said host security policies and said token security policies, and ensuring enforcement of said composite set of security policies on a request to perform a security function using said compliant security token.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.

Citations

54 Claims

1. A system which provides a modular uniform security applications framework for a host computer system and a compliant security token in processing communications with the host computer system comprising:
- said compliant security token including a set of retrievable token security policies and one or more token security applications;
  
  said host computer system including a retrievable set of host security policies and a token access control application, wherein said token access control application includes means for;
  
  retrieving at least a portion of said host security policies from said host computer system, retrieving at least a portion of said token security policies from said compliant security token, generating a composite set of security policies from said host security policies and said token security policies, and ensuring enforcement of said composite set of security policies on a request to perform a security function using said compliant security token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The system according to claim 1 further including at least one security application agent functionally associated with said token access control application, wherein said at least one security application agent includes means for performing said security function with said one or more token security applications in accordance with said composite security policies.
  - 3. The system according to claim 2 wherein said token access control application further including means for;
    - receiving an object from an application, causing said at least one of security application agent to execute, sending said object to said at least one security application agent, and returning said object to said application after said at least one security application agent and said one or more token security applications have completed performing said security function.
  - 4. The system according to claim 3 wherein said at least one security application agent further includes means for returning said object to said token access control application after performing said security function with said one or more token security applications.
  - 5. The system according to claim 3 wherein said object includes a digital certificate, data to undergo a cryptographic function or data to be stored in said compliant security token.
  - 6. The system according to claim 1 wherein said security function includes authentication using a credential.
  - 7. The system according to claim 6 wherein said credential includes a personal identification number, a password or a biometric sample.
  - 8. The system according to claim 6 wherein said security function further includes establishing a secure messaging session.
  - 18. The system according to claim 1, 9, 13 or 17 wherein said one or more token security applications includes an authentication application.
  - 19. The system according to claim 18 wherein said one or more token security applications further includes a secure messaging application.
  - 20. The system according to claim 18 wherein said token access control application further includes a registry.
  - 21. The system according to claim 20 wherein said registry is comprised of a plurality of security parameters associated with at least one registered token security application, at least one registered security agent application, at least one enablement flag and at least one operational state.
  - 22. The system according to claim 19 wherein said host computer system further includes means for storing said composite security policies.
  - 23. The system according to claim 19 wherein said host security policies includes at least one host access control rule.
  - 24. The system according to claim 23 wherein said token security policies include at least one token access control rule.
  - 25. The system according to claim 24 wherein said composite set of security policies is generated from a most restrictive logical combination of said at least one host access control rule and said at least one token access control rule by said token access control application.
  - 26. The system according to claim 25 wherein said host security policies further includes token selection rules.

9. A system which provides a modular uniform security applications framework for a host computer system and a compliant security token in processing communications with the host computer system comprising:
- said compliant security token including a set of retrievable token security policies and one or more token security applications;
  
  said host computer system including a token access control application, a retrievable set of host security policies and at least one security application agent functionally associated with said token access control application;
  
  said token access control application including means for;
  
  retrieving at least a portion of said host security policies from said host computer system, retrieving at least a portion of said token security policies from said compliant security token, generating a composite set of security policies from said host security policies and said token security policies, and transferring at least a portion of said composite set of security policies to said at least one of security application agent.
- View Dependent Claims (10, 11, 12)
- - 10. The system according to claim 9 wherein said at least one security application agent further includes means for;
    - ensuring enforcement of said at least a portion of said composite set of security policies on a request to perform a security function using said compliant security token, performing one or more security functions independently with said one or more token security applications in accordance with said composite set of security policies.
  - 11. The system according to claim 10 wherein said at least one security application agent and said one or more token security applications perform said one or more security functions independently but in concert with a middleware security application.
  - 12. The system according to claim 11 wherein said one or more security functions includes biometric authentication.

13. A system which provides a modular uniform security applications framework for a host computer system and a compliant security token in processing communications with the host computer system comprising:
- said compliant security token including a set of retrievable token security policies and one or more token security applications;
  
  said host computer system including a requesting application, a token access control application, a retrievable set of host security policies and at least one security application agent functionally associated with said token access control application;
  
  said token access control application including means for;
  
  retrieving at least a portion of said host security policies from said host computer system, retrieving at least a portion of said token security policies from said compliant security token, generating a composite set of security policies from said host security policies and said token security policies, and returning at least a portion of said composite set of security policies to said requesting application;
  
  said requesting application including means for;
  
  generating a request to perform a security function using said compliant security token, ensuring enforcement of said at least a portion of said composite set of security policies, and causing said at least one security application agent to execute in response to said request; and
  
  said at least one security application agent including means for performing a security function with said one or more token security applications in accordance with said at least a portion of said composite set of security requirements.
- View Dependent Claims (14, 15, 16)
- - 14. The system according to claim 13 wherein said security function includes authentication using a credential.
  - 15. The system according to claim 14 wherein said security function further includes establishing a secure messaging session.
  - 16. The system according to claim 13 wherein said at least one security application agent further includes means for returning an object to said requesting application after performing said security function with said one or more token security applications.

17. A system which provides a modular uniform security applications framework for a host computer system and a compliant security token in processing communications with the host computer system comprising:
- said compliant security token including a set of retrievable token security policies and one or more token security applications;
  
  said host computer system including a token access control application, a retrievable set of host security policies and at least one security application agent functionally associated with said token access control application;
  
  said token access control application including means for;
  
  retrieving at least a portion of said host security policies from said host computer system, retrieving at least a portion of said token security policies from said compliant security token, generating a composite set of security policies from said host security policies and said token security policies, ensuring enforcement of said composite set of security policies on a request to perform a security function using said compliant security token, and said at least one security application agent, including means for performing said security function with said one or more token security applications in accordance with said composite set of security policies.

27. A method for using a modular uniform security applications framework for a host computer system and a compliant security token comprising the steps of:
- a. receiving a token security function request from a requesting application, b. retrieving a set of token security policies, c. retrieving a set of host security policies, d. combining said token security policies and said host security policies into a composite security policy, e. ensuring enforcement of said composite security policy on said security function request, f. receiving a credential if required by said composite security policy, g. sending said credential to an appropriate security application agent if required by said composite security policy, h. sending said credential to an appropriate token security application if required by said composite security policy, and i. performing a security function in accordance with said composite security policy.
- View Dependent Claims (30, 31)
- - 30. The method according to claim 27, 28 or 29 wherein step 27.d, 28.d or 29.d further including the steps of:
    - a. verifying a plurality of enablement states in a registry, b. verifying at least one authentication state in said registry, and c. verifying a secure messaging state in said registry.
  - 31. The method according to claim 30 further including the steps of verifying that all required applications are operatively installed to ensure enforcement said composite set of security policies and if not, retrieving and operatively installing the missing of said required applications.

28. A method for using a modular uniform security applications framework for a host computer system and a compliant security token comprising the steps of:
- a. receiving a token security function request from a requesting application, b. retrieving a set of token security policies, c. retrieving a set of host security policies, d. combining said token security policies and said host security policies into a composite security policy, e. sending at least a portion of said composite security policy to a appropriate security application agent, f. ensuring enforcement of at least a portion of said composite security policy on said security function request, g. receiving a credential if required by said composite security policy, h. sending said credential to an appropriate token security application if required by said composite security policy, and h. performing a security function in accordance with said composite security policy.

29. A method for providing a modular uniform security applications framework for a host computer system and a compliant security token comprising the steps of:
- a. receiving a token security function request from a requesting application, b. retrieving a set of token security policies, c. retrieving a set of host security policies, d. combining said token security policies and said host security policies into a composite security policy, e. sending at least a portion of said composite security policy to said requesting application, f. ensuring enforcement of at least a portion of said composite security policy by said requesting application, g. receiving a credential if required by said composite security policy, h. sending said credential to an appropriate security application agent if required by said composite security policy, i. sending said credential to an appropriate token security application if required by said composite security policy, and j. performing a security function in accordance with said composite security policy.

32. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing a computer to provide a modular uniform security applications framework for a host computer system and a compliant security token, said executable instructions comprising computer readable program code means for causing said computer to;
- a. receive a token security function request from a requesting application, b. retrieve a set of token security policies, c. retrieve a set of host security policies, d. combine said token security policies and said host security policies into a composite security policy, e. enforce said composite security policy on said security function request, receive a credential if required by said composite security policy, h. send said credential to an appropriate security application agent if required by said composite security policy, i. send said credential to an appropriate token security application if required by said composite security policy, and j. perform a security function in accordance with said composite security policy.
- View Dependent Claims (35, 36)
- - 35. The computer program product according to claim 32, 33 or 34 wherein step 32.d, 33.d or 34.d further including the executable instructions for:
    - a. verification of a plurality of enablement states in a registry, b. verification of at least one authentication state in said registry, and c. verification of a secure messaging state in said registry.
  - 36. The computer program product according to claim 35 further including the executable instructions for verification that all required applications are operatively installed to enforce said composite set of security policies and if not, to cause the retrieval and operative installation of the missing of said required applications.

33. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing a computer to provide a modular uniform security applications framework for a host computer system and a compliant security token, said executable instructions comprising computer readable program code means for causing said computer to;
- a. receive a security function request from a requesting application, b. retrieve a set of token security policies, c. retrieve a set of host security policies, d. combine said token security policies and said host security policies into a composite security policy, e. send at least a portion of said composite security policy to an appropriate security application agent, f. enforce at least a portion of said composite security policy on said security function request, g. receive a credential if required by said composite security policy, h. send said credential to an appropriate token security application if required by said composite security policy, and i. perform a security function in accordance with said composite security policy.

34. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing a computer to provide a modular uniform security applications framework for a host computer system and a compliant security token, said executable instructions comprising computer readable program code means for causing said computer to;
- a. receive a security function request from a requesting application, b. retrieve a set of token security policies, c. retrieve a set of host security policies, d. combine said token security policies and said host security policies into a composite security policy, e. send at least a portion of said composite security policy to requesting application, f. enforce at least a portion of said composite security policy by said requesting application, g. receive a credential if required by said composite security policy, h. send said credential to an appropriate security application agent if required by said composite security policy, i. send said credential to an appropriate token security application if required by said composite security policy, and j. perform a security function in accordance with said composite security policy.

37. A system which provides for retrieval of compatibility information associated with one or more counterpart security application agents from a functionally connected security token by at least one security application installed on a host computer system comprising:
- said functionally connected security token including said retrievable compatibility information and one or more token security applications installed in said functionally connected security token, wherein said retrievable capability information relates to compatibility between said one or more counterpart security application agents and said one or more token security applications;
  
  said host computer system including said one or more counterpart security application agents and said at least one security application, wherein said at least one security application includes means for;
  
  retrieving said compatibility information related to said one or more counterpart security application agents;
  
  verifying that at least one compatible counterpart security application agent is operatively installed and if not, retrieving and operatively installing at least one compatible counterpart security application agent.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44)
- - 38. The system according to claim 37 wherein said at least one security application is installed in a middleware services layer.
  - 39. The system according to claim 37 wherein said at least one security application includes a token access control application.
  - 40. The system according to claim 37 wherein said retrieved at least one compatible counterpart security application agent is retrieved from a local storage location.
  - 41. The system according to claim 37 wherein said retrieved at least one compatible counterpart security application agent is retrieved from a remote storage location.
  - 42. The system according to claim 37 wherein installing said retrieved at least one compatible counterpart security application agent is accomplished by entering one or more parameters associated with said at least one compatible counterpart security application agent in a registry.
  - 43. The system according to claim 42 wherein said at least one compatible counterpart security application agent is a module which can be added, removed or replaced without disruption of any existing dependencies by changing said one or more parameters in said registry.
  - 44. The system according to claim 37 wherein said at least one security application further includes means for causing a digital signature verification to performed on said retrieved at least one compatible counterpart security application agent before said at least one compatible counterpart security application agent is operatively installed and if said digital signature verification is unsuccessful aborting said installation.

45. A method which provides for retrieval of compatibility information related to one or more counterpart security application agents from a functionally connected security token by at least one security application installed on a host computer system comprising the steps of:
- a. retrieving said compatibility information related to said one or more counterpart security application agents from said functionally connected security token, b. verifying that at least one compatible counterpart security application agent is operatively installed on a host computer system, and if not, c. retrieving said at least one compatible counterpart security application agent and d. operatively installing said at least one compatible counterpart security application agent on said host computer system.
- View Dependent Claims (46, 47, 48, 49)
- - 46. The method according to claim 45 wherein said at least one compatible counterpart security application agent is retrieved from a local storage location.
  - 47. The method according to claim 45 wherein said at least one compatible counterpart security application agent is retrieved from a remote storage location.
  - 48. The method according to claim 45 wherein step 45.c includes the steps of;
    - a. performing a signature verification of said retrieved at least one compatible counterpart security application agent, and b. aborting an installation of said retrieved at least one compatible counterpart security application agent if said signature verification is unsuccessful.
  - 49. The method according to claim 45 wherein step 45.d includes the step of entering one or parameters associated with said at least one compatible counterpart security application agent into a registry.

50. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing a computer to provide for retrieval of compatibility information related to one or more counterpart security application agents from a functionally connected security token by at least one security application installed on a host computer system, said executable instructions comprising computer readable program code means for causing said computer to;
- a. retrieve said compatibility information related to said one or more counterpart security application agents from said functionally connected security token, b. verify that at least one compatible counterpart security application agent is operatively installed on a host computer system, and if not, c. retrieve said at least one compatible counterpart security application agent and d. operatively install said at least one compatible counterpart security application agent on said host computer system.
- View Dependent Claims (51, 52, 53, 54)
- - 51. The computer program product according to claim 50 further including the executable instructions for retrieval of said at least one compatible counterpart security application agent from a local storage location.
  - 52. The computer program product according to claim 50 further including the executable instructions for retrieval of said at least one compatible counterpart security application agent from a remote storage location.
  - 53. The computer program product according to claim 50 further including the executable instructions for;
    - a. performance of a signature verification of said retrieved at least one compatible counterpart security application agent, and b. aborting an installation of said retrieved at least one compatible counterpart security application agent if said signature verification is unsuccessful.
  - 54. The computer program product according to claim 50 further including the executable instructions for entry of one or parameters associated with said at least one compatible counterpart security application agent into a registry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Activcard Ireland, Limited (Assa Abloy AB)
Original Assignee
ActivIdentity, Inc. (Assa Abloy AB)
Inventors
Boyer, John, Le Saint, Eric

Application Number

US10/425,028
Publication Number

US 20040221174A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/123   by using dedicated hardware...

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/006   involving public key infras...

Uniform modular framework for a host computer system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Uniform modular framework for a host computer system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links