Techniques for preserving and managing identities in an audit log

US 20070124820A1
Filed: 11/30/2005
Published: 05/31/2007
Est. Priority Date: 11/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

obtaining a transaction identity;

generating an index entry into an index structure for referencing the transaction identity;

identifying a message digest for the transaction identity; and

emitting a log entry within a log that identifies the index entry and the message digest for the transaction identity.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for preserving and managing identities within an audit log. Initial entries into a log do not include an explicit and direct reference to an agent that performs a transaction; rather, the agent acquires a temporary transaction identity for the transaction and an indirect reference to the transaction identity is written to the log while the transaction is pending. Once the transaction completes a direct reference to the transaction identity is written to the log, the identity of agent remains transparent until the identity of the agent expires, if at all.

Citations

29 Claims

1. A method, comprising:
- obtaining a transaction identity;
  
  generating an index entry into an index structure for referencing the transaction identity;
  
  identifying a message digest for the transaction identity; and
  
  emitting a log entry within a log that identifies the index entry and the message digest for the transaction identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - detecting expiration of the transaction identity; and
      
      writing the transaction identity to the log as a final log entry.
  - 3. The method of claim 1 further comprising:
    - associating a time-to-live (TTL) attribute to the transaction identity; and
      
      adding the TTL attribute to the log entry.
  - 4. The method of claim 3 further comprising:
    - detecting a renewal of the transaction identity;
      
      adding a new TTL attribute to a new log entry of the log;
      
      including the index entry and a new reference to the message digest in the new log entry of the log.
  - 5. The method of claim 1 further comprising, including an encryption key with the log entry of the log, wherein the encrypted transaction identity if decrypted identifies the transaction identity.
  - 6. The method of claim 5 further comprising, associating a time-to-live (TTL) attribute with the encryption key, wherein the TTL attribute is in response to a policy.
  - 7. The method of claim 1, wherein obtaining further includes acquiring the transaction identity from an identity service in response to an identity of an agent who performs the transaction and in response to one or more additional identities associated with resources involved in the transaction.
  - 8. The method of claim 1 further comprising at least one of:
    - recording the index entry and the message digest in one or more other log entiries, wherein the transaction identity is associated with two or more transactions; and
      
      associating a new index entry and new message digest with a changed transaction identity within the log for a single transaction, and which is also associated with the original transaction identity.

9. A method, comprising:
- authenticating a principal for a request to acquire a transaction identity;
  
  evaluating a policy with respect to the principal and with respect to one or more resources that are associated with a transaction, which is to be performed using the transaction identity; and
  
  supplying the principal with the transaction identity, if permitted by the policy, and wherein the transaction identity is associated with one or more identities of the one or more resources.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 further comprising, supplying a time-to-live (TTL) attribute with the transaction identity.
  - 11. The method of claim 10:
    - receiving a request to renew the transaction identity; and
      
      associating a new TTL attribute with the transaction identity.
  - 12. The method of claim 9, wherein authenticating the principal further includes identifying the principal as at least one of a logging service and an agent, wherein the agent is identified as one of the one or more resources and an entity that is responsible for performing the transaction.
  - 13. The method of claim 9 further comprising, supplying a decryption key to the principal, wherein an encrypted transaction identity when decrypted with the decryption key identifies the transaction identity.

14. A method, comprising:
- receiving a transaction identity to be associated with an agent for a transaction;
  
  adding an index entry to reference the transaction identity within an index data structure; and
  
  creating, if not in existence, a message digest for the agent.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14 further comprising adding an encryption key to a log entry that identifies the transaction identity when decrypted.
  - 16. The method of claim 15 further comprising:
    - receiving a decryption of the key; and
      
      returning the transaction identity to a requestor supplying the key.
  - 17. The method of claim 14 further comprising:
    - receiving an authorized request to access the index structure using the index entry; and
      
      returning the transaction identity to a requester associated with the authorized request.
  - 18. The method of claim 14 further comprising at least one of:
    - writing the transaction identity as another entry in a log when the transaction identity expires; and
      
      including a time-to-live attribute within an entry and associated with the transaction identity.

19. A system, comprising:
- a log; and
  
  a transaction identity, wherein entries in the log reference the transaction identity while transactions are pending without specifically identifying the transaction identity.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system of claim 19, wherein an initial entry of the entries includes a time-to-live (TTL) attribute, which is associated with the transaction identity.
  - 21. The system of claim 19, wherein a number of the entries includes an encrypted version of the transaction identity.
  - 22. The system of claim 19, wherein the entries are emitted as output while the agent performs the transaction.
  - 23. The system of claim 19, wherein the entries are produced by a logging service that detects actions of an agent while the agent performs the transaction.
  - 24. The system of claim 22, wherein a last one of the entries explicitly identifies the transaction identity.

25. A system, comprising:
- an identity service; and
  
  a logging service, wherein the identity service is to supply a transaction identity for a transaction, and wherein the logging service is to generate entries into the log that does not identify the transaction identity while the transaction is pending and remains active.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The system of claim 25 further comprising, a message digest maintained by the logging service for the transaction identity.
  - 27. The system of claim 25 further comprising, index data, wherein the index data includes the transaction identity and a number of the entries include an index key into the index data to acquire the transaction identity, and wherein access to the index data is maintained securely by the logging service.
  - 28. The system of claim 27, wherein one or more of the entries includes an encryption key, and wherein the key identifies at least one of the index data and the transaction identity.
  - 29. The system of claim 28, wherein a time-to-live (TTL) attribute is associated with at least one of the transaction identity and the encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen, Burch, Lloyd, Earl, Douglas

Granted Patent

US 7,647,624 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/31   User authentication

G06F 21/552   involving long-term monitor...

G06F 21/6263   during internet communicati...

H04L 63/0807   using tickets, e.g. Kerbero...

Techniques for preserving and managing identities in an audit log

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for preserving and managing identities in an audit log

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links