User identification data management scheme for networking computer systems using wide area network
1 Assignment
0 Petitions
Abstract
A user identification data management scheme for a networking computer system formed by a plurality of computers which are mutually connected through a network. In this scheme, at each computer, whether an access request from a user at another computer to that computer is to be permitted or not is judged, and access permission data, needed to check whether a communication to that computer comes from a user at a computer from which that user's access is permitted, is generated. The generated access permission data are then stored in a memory. Whether an access to each computer is made directly at that computer or indirectly from another computer through the network is then detected; in the indirect case, whether the access is proper is judged according to the stored access permission data, and the access is permitted if it is judged proper.
378 Citations
45 Claims
1. A computer system having a plurality of computers mutually connected through communication means for enabling communications among said plurality of computers, at least one computer among said plurality of computers being protected from an improper access, the system comprising:
  management means for judging whether an access request to said at least one computer from another computer is to be permitted or not according to which one of said plurality of computers said another computer is, and generating access permission data to be used in checking whether a communication to said at least one computer is from one computer of said plurality of computers from which an access to said at least one computer is permitted; and
  memory means for storing the access permission data generated by the management means.
Dependent claims: 2-31.
32. A computer system, comprising:
a plurality of computer groups mutually connected through a network for enabling communications among said plurality of computer groups, wherein said plurality of computer groups includes at least one computer group having:
  a data management server for judging whether an access request to a computer of said at least one computer group from a computer of another computer group is to be permitted or not according to which one of said plurality of computer groups said another computer group is, and generating access permission data to be used in checking whether a communication to a computer of said at least one computer group is from a computer of one of said plurality of computer groups from which an access to the computer of said at least one computer group is permitted; and
  a security gateway including:
    a memory for storing a key data in correspondence to the access permission data generated by the data management server; and
    a unit communicatively connected to the memory, the unit checking whether a communication to a computer of said at least one computer group is a proper access or not according to the access permission data, so as to permit the proper access while modifying communication data of the proper access by using the key data.
Dependent claims: 33, 34.
35. A computer in a computer system formed by a plurality of computers mutually connected through a network for enabling communications among said plurality of computers, said computer comprising:
  a management unit for judging whether an access request to said computer from another computer is to be permitted or not according to which one of said plurality of computers said another computer is, and generating access permission data to be used in checking whether a communication to said computer is from one of said plurality of computers from which an access to said computer is permitted; and
  a memory communicatively connected to the management unit, the memory storing the access permission data generated by the management unit.
Dependent claim: 36.
37. A computer system, comprising:
a plurality of computers mutually connected through communication means for enabling communications among said plurality of computers, wherein said plurality of computers include at least one computer having:
  detection means for detecting whether an access to said at least one computer is directly made at said at least one computer or indirectly made from another computer through the communication means, judging whether said access is proper or not in a case said access is indirectly made, and permitting said access in a case said access is judged as proper;
  memory means for storing a set of an external user identification data of one user at one computer from which an access to said at least one computer by said one user is to be permitted, an external system identification data of said one computer, and an internal user identification data for said one user at said at least one computer, such that the detection means judges said access as proper when the memory means stores a set of the external user identification data and the external system identification data coinciding with a user identification data and a system identification data indicated by communication data of said access; and
  conversion means for converting a user identification data indicated by communication data of said access into the internal user identification data corresponding to the external user identification data which coincides with a user identification data indicated by communication data of said access, when the detection means judges said access as proper.
38. A computer system, comprising:
a plurality of computers mutually connected through communication means for enabling communications among said plurality of computers, wherein said plurality of computers include at least one computer having:
  storage means for storing access permission conditions indicating a set of an external user identification data of one user at one computer from which an access to said at least one computer by said one user is to be permitted, an external system identification data of said one computer, and an internal user identification data for said one user at said at least one computer;
  detection means for detecting whether an access to said at least one computer is directly made at said at least one computer or indirectly made from another computer through the communication means;
  management means for judging whether said access from a user at said another computer to said at least one computer is to be permitted or not in a case said access is indirectly made, and permitting said access in a case said access is judged to be permitted, the management means judges by authenticating a source system identification data of said another computer, obtaining a source user identification data encrypted by a secret key of said another computer, authenticating the source user identification data by decrypting the source user identification data by using a public key of said another computer, and checking the access permission conditions stored in the storage means for authenticated source user identification data and source system identification data; and
  conversion means for converting a user identification data indicated by communication data of said access into the internal user identification data corresponding to the external user identification data which coincides with a user identification data indicated by communication data of said access, when the detection means judges said access as proper.
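The check that claims 37 and 38 describe, written out as an added example (this is not code from the patent): access permission conditions keyed by (external user ID, external system ID), a source user ID that must verify under the source system's public key before it is trusted, and conversion of the external user ID to the stored internal one. The host names, the permission entries and the key pair are assumptions. The "encrypted by a secret key, decrypted by a public key" step is modelled with textbook RSA over a SHA-256 digest using deliberately tiny primes; that is a stand-in to make the claim's flow concrete, not a usable signature scheme.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy textbook RSA for the "encrypted by a secret key / decrypted by a public key"
# step of claim 38.  Hypothetical key: the 10,000th and 100,000th primes, far too
# small for real use, and no signature padding; a deployment uses a vetted library.
_P, _Q = 104729, 1299709
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
HOSTB_SECRET_KEY = (_N, _D)    # held only by the remote computer "hostB" (assumed name)
HOSTB_PUBLIC_KEY = (_N, _E)    # known to the protected computer


def _digest(msg: bytes, n: int) -> int:
    # Reduce the hash below the modulus; this discards bits and is part of the toy.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_user_id(user_id: str, secret_key: Tuple[int, int]) -> int:
    """Source computer side: 'encrypt' the user ID with the source's secret key."""
    n, d = secret_key
    return pow(_digest(user_id.encode(), n), d, n)


def verify_user_id(user_id: str, sig: int, public_key: Tuple[int, int]) -> bool:
    """Protected computer side: 'decrypt' with the source's public key and compare."""
    n, e = public_key
    return pow(sig, e, n) == _digest(user_id.encode(), n)


# Access permission conditions (the storage means of claims 37/38); constructed sample:
# (external user ID, external system ID) -> internal user ID on this computer.
ACCESS_PERMISSION_CONDITIONS = {
    ("alice", "hostB"): "alice_local",
    ("bob", "hostB"): "guest",
}
# Public keys used to authenticate the source user ID, keyed by source system ID.
SOURCE_PUBLIC_KEYS = {"hostB": HOSTB_PUBLIC_KEY}


@dataclass
class Communication:
    via_network: bool          # False: made directly at this computer (console login)
    source_system: str         # source system identification data
    source_user: str           # source user identification data, as sent in the clear
    user_signature: int        # the same ID 'encrypted' by the source's secret key


def resolve_access(comm: Communication) -> Optional[str]:
    """Return the internal user ID the access runs as, or None if it is refused.

    Detection means: a direct access is left to the local login and passed through.
    Management means: an indirect access must carry a source user ID that verifies
    under the public key of its claimed source system, and the (user, system) pair
    must appear in the access permission conditions.
    Conversion means: the external user ID is replaced by the stored internal one.
    """
    if not comm.via_network:
        return comm.source_user
    public_key = SOURCE_PUBLIC_KEYS.get(comm.source_system)
    if public_key is None:
        return None                    # unknown source system: cannot authenticate
    if not verify_user_id(comm.source_user, comm.user_signature, public_key):
        return None                    # user ID not vouched for by that system
    return ACCESS_PERMISSION_CONDITIONS.get((comm.source_user, comm.source_system))


if __name__ == "__main__":
    sig = sign_user_id("alice", HOSTB_SECRET_KEY)
    print(resolve_access(Communication(True, "hostB", "alice", sig)))    # alice_local
    print(resolve_access(Communication(True, "hostB", "mallory", sig)))  # None
```

Two caveats a practitioner would want: the signed user ID only proves that hostB asserted that ID at some point, since nothing in it binds a session or a time, so anyone who can impersonate hostB's system identification can replay a captured value; claim 38 therefore also authenticates the source system identification data, and a deployment would bind a nonce or timestamp into what is signed. And a valid signature is not an authorisation: "carol" signed by hostB still resolves to None because no permission condition names her.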
39. A method of managing a computer system formed by a plurality of computers which are mutually connected through a network, the method comprising the steps of:
  judging whether an access request to one computer from another computer is to be permitted or not according to which one of said plurality of computers said another computer is;
  generating access permission data to be used in checking whether a communication to said one computer is from a computer from which an access to said one computer is permitted; and
  storing the access permission data in a memory.
Dependent claims: 40-43.
44. A method of establishing a data communications session between a user at a first computer and a second computer, the second computer being a part of a local area network, the first computer not being a part of the local area network but being capable of connecting with the local area network via a wide area network, the user having a first ID code for accessing the first computer, and the user having a second ID code for accessing the second computer when the user is accessing the second computer within the local area network, the method comprising the steps of:
  a) sending a command from the user to the first computer to set up the data communications session with the second computer;
  b) transmitting, from the first computer, a request to the second computer to set up the data communications session with the second computer, the request having associated data including:
    i) a transmission source network address of the first computer used to access the first computer via the wide area network,
    ii) the first ID code of the user,
    iii) a destination network address of the second computer used to access the second computer via the wide area network,
    iv) the second ID code of the user,
    v) a unique signature code of the first computer, and
    vi) a unique signature code of the second computer,
    the unique signature code of the first computer being encrypted by a public key of the first computer that is also known to the second computer, the unique signature code of the second computer being encrypted by a secret key of the user known only to the user and the second computer;
  c) receiving the request at the second computer, and authenticating the request by the following substeps:
    c1) determining whether the request is being made by the user at the first computer, the determination being made by the second computer from the associated data included in the request;
    c2) determining whether the request has been received within a period of time that the user is allowed to access the second computer from the first computer, the period of time being stored as access permission data in a memory at the second computer;
    c3) if the request has been received within the allowed period of time as determined in the step c2), transmitting, from the second computer to the first computer, a session allowable message which includes a session ID for allowing the data communications session and transmitting the session ID to the user at the first computer, the session allowable message including:
      i) a temporary cipher key for use by the user at the first computer for accessing the second computer only during the data communications session using the session ID,
      ii) the unique signature code of the first computer, and
      iii) the unique signature code of the second computer; and
    c4) checking, by the first computer, to determine whether the session allowable message is a valid message sent from the second computer, the checking being made by determining if the unique signature code of the first computer and the unique signature code of the second computer as contained in the session allowable message are valid, the unique signature code of the first computer being decrypted at the first computer by using the public key of the first computer, the unique signature code of the second computer being decrypted at the first computer by using the secret key of the user.
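The exchange of claim 44 with both sides written out, as an added example that is not the patent's own code. Modelling assumptions, none of which are stated in the claim: the "public key of the first computer that is also known to the second computer" is used both to encrypt and to decrypt the same code, so it behaves as a key shared by the two computers, and it and the user's secret key are represented as HMAC-SHA256 keys; "encrypting a signature code" becomes computing a tag over it and "decrypting and checking validity" becomes recomputing that tag; the tags are bound to the request fields and, in the reply, to the session ID so a tag cannot be lifted from one message into another; the current time is passed in so the window check in c2) is deterministic. Addresses, keys, signature codes and the permission entry are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (hypothetical addresses, keys and codes).
SECOND_ADDR = "203.0.113.9"           # second computer, as reached over the WAN
FIRST_COMPUTER_KEY = b"key-shared-by-first-and-second-computer"
USER_SECRET = b"alice-secret-known-only-to-alice-and-second-computer"
SIG_FIRST = "unique-signature-code-of-first-computer"
SIG_SECOND = "unique-signature-code-of-second-computer"

# Access permission data in memory at the second computer (step c2):
# (first ID code, source network address) -> (second ID code, window start, window end)
ACCESS_PERMISSION = {
    ("alice", "198.51.100.7"): ("alice_lan", 1_700_000_000, 1_700_003_600),
}


def _tag(key: bytes, *parts: str) -> str:
    """Stand-in for 'code encrypted under key': an HMAC over the code and what it binds to."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    src_addr: str      # i)   transmission source network address of the first computer
    first_id: str      # ii)  first ID code of the user
    dst_addr: str      # iii) destination network address of the second computer
    second_id: str     # iv)  second ID code of the user
    sig_first: str     # v)   signature code of the first computer under the shared key
    sig_second: str    # vi)  signature code of the second computer under the user's secret

    def fields(self):
        return (self.src_addr, self.first_id, self.dst_addr, self.second_id)


def build_request(src_addr: str, dst_addr: str, first_id: str, second_id: str) -> Request:
    """Steps a) and b): the first computer assembles the request on the user's command."""
    fields = (src_addr, first_id, dst_addr, second_id)
    return Request(*fields,
                   sig_first=_tag(FIRST_COMPUTER_KEY, SIG_FIRST, *fields),
                   sig_second=_tag(USER_SECRET, SIG_SECOND, *fields))


def handle_request(req: Request, now: int) -> Optional[dict]:
    """Step c) at the second computer; returns the session allowable message or None."""
    # c1) is the request from this user at this first computer, and addressed to us?
    entry = ACCESS_PERMISSION.get((req.first_id, req.src_addr))
    if entry is None or entry[0] != req.second_id or req.dst_addr != SECOND_ADDR:
        return None
    if not hmac.compare_digest(req.sig_first, _tag(FIRST_COMPUTER_KEY, SIG_FIRST, *req.fields())):
        return None
    if not hmac.compare_digest(req.sig_second, _tag(USER_SECRET, SIG_SECOND, *req.fields())):
        return None
    # c2) is 'now' inside the period the user may reach the second computer from the first?
    _, start, end = entry
    if not start <= now <= end:
        return None
    # c3) session allowable message: session ID, temporary cipher key, both signature codes
    session_id = secrets.token_hex(8)
    return {
        "session_id": session_id,
        "temp_key": secrets.token_hex(16),                              # i) session-only key
        "sig_first": _tag(FIRST_COMPUTER_KEY, SIG_FIRST, session_id),   # ii)
        "sig_second": _tag(USER_SECRET, SIG_SECOND, session_id),        # iii)
    }


def check_session_message(msg: dict) -> bool:
    """Step c4) at the first computer: both signature codes must verify for this session ID."""
    ok_first = hmac.compare_digest(
        msg["sig_first"], _tag(FIRST_COMPUTER_KEY, SIG_FIRST, msg["session_id"]))
    ok_second = hmac.compare_digest(
        msg["sig_second"], _tag(USER_SECRET, SIG_SECOND, msg["session_id"]))
    return ok_first and ok_second


if __name__ == "__main__":
    req = build_request("198.51.100.7", SECOND_ADDR, "alice", "alice_lan")
    msg = handle_request(req, now=1_700_001_000)
    print(msg is not None and check_session_message(msg))   # True
    print(handle_request(req, now=1_700_010_000))            # None: outside the window
```

Three points the claim leaves open and a deployment has to settle: the time window in c2) is the only freshness check, so a request captured inside the window can be replayed until it closes, and a nonce or timestamp belongs in the signed request; with the first computer's code under a key both sides hold, the second computer could produce a "valid" request itself, so the scheme gives authentication but not non-repudiation; and the temporary cipher key in c3) i) is only useful if it reaches the first computer confidentially, which the model above does not provide and which would in practice mean encrypting the session allowable message under the shared key.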
45. A method of managing a computer system formed by a plurality of computers which are mutually connected through a network, comprising the steps of:
  judging whether an access request for a communication to one computer from a user at another computer is to be permitted or not according to which one of said plurality of computers said another computer is;
  generating access permission data to be used in checking whether each communication to said one computer corresponds to the access request judged to be permitted;
  storing the access permission data including a key data stored in a memory; and
  checking whether the communication to said one computer is a proper access or not according to the access permission data stored in the memory, so as to permit the proper access while modifying communication data of the proper access by using the key data stored in the memory.
Specification