Infrastructure method and system for authenticated dynamic security domain boundary extension

US 20040260941A1
Filed: 06/17/2003
Published: 12/23/2004
Est. Priority Date: 06/17/2003
Status: Active Grant

First Claim

Patent Images

1. A system for authenticated dynamic extension of security domain boundaries, comprising:

dynamic high security domain extension instructions for dynamically forming an extended high security domain through a protected communication path from a first computer associated with a high security domain into a second computer associated with low security domain;

establishing instructions within said extended high security domain within said second computer for establishing a protected communication path between said high security domain and said extended high security domain within low security domain, said protected communication path forming an isolation barrier separating said extended high security domain from said low security domain;

authentication instructions associated with said low security domain and said high security domain for temporarily authenticating at least one object associated with said low security domain.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for authenticated dynamic extension of security domain boundaries includes high security domain extension instructions (144) for sequentially and dynamically forming an extended high security domain (133) through a protected communication path (128). The protected communication path (128) extends from a first computer (10) associated with a high security domain (80) into a second computer (10) associated with low security domain (120). The method and system establish the extended high security domain (133) within the second computer (10). A protected communication path (128) forms an isolation barrier (131) separating the extended high security domain (133) from other objects (126) within the low security domain (120). Authentication instructions (146) temporarily authenticate at least one object (132) associated with the low security domain (120). Returning instructions (156) return the at least one object (132) processed within the extended high security domain (133) to said low security domain (120).

Citations

21 Claims

1. A system for authenticated dynamic extension of security domain boundaries, comprising:
- dynamic high security domain extension instructions for dynamically forming an extended high security domain through a protected communication path from a first computer associated with a high security domain into a second computer associated with low security domain;
  
  establishing instructions within said extended high security domain within said second computer for establishing a protected communication path between said high security domain and said extended high security domain within low security domain, said protected communication path forming an isolation barrier separating said extended high security domain from said low security domain;
  
  authentication instructions associated with said low security domain and said high security domain for temporarily authenticating at least one object associated with said low security domain.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, further comprising returning instructions for subsequently returning said at least one object to said low security domain.
  - 3. The system of claim 1, further comprising instructions for verifying the security access authorization of an individual user of said computer during said temporary authentication within said high security domain.
  - 4. The system of claim 1, further comprising:
    - instructions for receiving an authenticated access request from a user within said low security domain for temporary authentication with said high security domain; and
      
      instructions for providing temporarily authenticated access to said high security domain in response to said high security domain receiving said authenticated access request.

5. A system for authenticated dynamic extension of security domain boundaries, comprising:
- instructions for enabling a computer which is normally a member of a low security domain to be temporarily authenticated as a member of remote high security domain; and
  
  instructions for reverting the computer to the service provider'"'"'s low security domain at the cessation of the service provision.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The system of claim 5, wherein the computer in said high security domain role is accorded the same degree of physical protection and access control as would be provided for a dedicated computer in an associated high security domain.
  - 7. The system of claim 5, wherein said enabling instructions further comprise:
    - instructions for authenticating an incoming request from a device associated with different security domain, and instructions for maintaining the confidentiality and integrity of a session associated with said device, wherein the strength of said authentication instructions relates to a difference in data sensitivity levels between said high security domain and said low security domain.
  - 8. The system of claim 5, further comprising:
    - instructions for controlling communications across a domain boundary between said high security domain and said low security domain at a strength level commensurate with data sensitivity level appropriate to the respective domain; and
      
      instructions for recognizing and permitting domain boundary extension requests and authenticating sessions.
  - 9. The system of claim 5, further comprising instructions for concealing the internal structure of said high security domain from all other domains to a degree commensurate with the data sensitivity level of said high security domain.
  - 10. The system of claim 5, further comprising instructions for reducing to a predetermined level the high security domain bandwidth between said high security domain and said low security domain normally containing the domain boundary extension remote device upon the removal of said extended high security domain.

11. A method for dynamically extending authenticated security domain boundaries, comprising the steps of:
- dynamically forming an extended high security domain through a protected communication path from a first computer associated with a high security domain into a second computer associated with low security domain;
  
  establishing a protected communication path between said high security domain and said extended high security domain within low security domain, said protected communication path forming an isolation barrier separating said extended high security domain from said low security domain; and
  
  temporarily authenticating at least one object associated with said low security domain.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, further comprising the step of subsequently returning said at least one object to said low security domain.
  - 13. The method of claim 11, further comprising the step of verifying the security access authorization of an individual user of said computer during said temporary authentication within said high security domain.
  - 14. The method of claim 11, further comprising the steps of:
    - receiving a properly authenticated access request from a user within said low security domain for temporary authentication with said high security domain; and
      
      providing temporarily authenticated access to said high security domain in response to said high security domain receiving said properly authenticated access request.

15. A method for dynamically extending an authenticated security domain boundary, comprising the steps of:
- enabling a computer which is normally a member of a low security domain to be temporarily authenticated as a member of remote high security domain; and
  
  reverting the computer to the service provider'"'"'s low security domain at the cessation of the service provision.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising the step of according a low security domain computer in said extended high security domain role the same degree of physical protection and access control as would be provided for a dedicated computer in an associated high security domain.
  - 17. The method of claim 15, further comprising the step of:
    - authenticating an incoming request from a device associated with different security domain, and maintaining the confidentiality and integrity of a session associate with said device, wherein the strength of said authentication instructions relates to a difference in data sensitivity levels between said high security domain and said low security domain.
  - 18. The method of claim 15, further comprising the steps of:
    - controlling communications across a domain boundary between said high security domain and said low security domain at a strength level commensurate with data sensitivity level appropriate to the respective domain; and
      
      recognizing and permitting domain boundary extension requests and authenticates sessions.
  - 19. The method of claim 15, further comprising the steps of concealing the internal structure of said high security domain from all other domains to a degree commensurate with the data sensitivity level of said high security domain.
  - 20. The method of claim 15, further comprising the steps of reducing to a predetermined level the high security domain bandwidth between said high security domain and said low security domain normally containing the domain boundary extension remote device upon the removal of said extended high security domain.

21. A storage medium comprising a system for authenticated dynamic extension of security domain boundaries, said system comprising:
- dynamic high security domain extension instructions for dynamically forming an extended high security domain through a protected communication path from a first computer associated with a high security domain into a second computer associated with low security domain;
  
  establishing instructions within said extended high security domain within said second computer for establishing a protected communication path between said high security domain and said extended high security domain within low security domain, said protected communication path forming an isolation barrier separating said extended high security domain from said low security domain; and
  
  authentication instructions associated with said low security domain and said high security domain for temporarily authenticating at least one object associated with said low security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Furniss, Diane, Johnson, Brian, Shute, Beresford, Waters, David A., Fearnley, Jolyon A.

Granted Patent

US 7,469,417 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/29
CPC Class Codes

H04L 63/08 for authentication of entit...

Infrastructure method and system for authenticated dynamic security domain boundary extension

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Infrastructure method and system for authenticated dynamic security domain boundary extension

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links