Computer network graded authentication system and method
Abstract
Methods and systems are provided which control access by a task to an information object in a computer system. The task is authenticated by an authentication procedure to act on behalf of a user. A computer-implemented method includes associating an authentication grade with the authentication procedure, identifying at least one clearance level previously assigned to the user by a clearance administrator, and identifying at least one classification level previously assigned to the information object by a classification administrator. The method then determines the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level. Information about the user's connection to the system may also be considered. The results of the determination are distributed to promote consistent access rights throughout the system.
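The abstract states the decision only in words, so here is an added illustration of it; this is not code from the patent or from any product that practices it. The model gives authentication grades a partial order (a procedure with stronger cryptography, a reviewed identity certificate, a hardware token or an attested host outranks one without, and two procedures may be incomparable), uses one label structure for both clearances and classifications, derives the task's effective clearance label by capping the user's clearance with the authentication grade and with a connection characteristic, and replicates that label to several servers so each reaches the same read decision. The grade names, the edges between them, the per-grade clearance ceiling, the unencrypted-link rule and the sample user and object are all assumptions chosen for the example.

```python
"""Graded-authentication access control: an added model, not the patent's code.

Assumptions (illustrative only): the grade names and their ordering, the
clearance ceiling attached to each grade, and the rule that an unencrypted
connection caps the effective clearance at CONFIDENTIAL with no compartments.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels (assumed names)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """One label structure used for both clearances and classifications."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: higher-or-equal level and a superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


# Partial order on authentication grades as direct "strictly stronger than" edges.
# ssl_client_cert and hardware_token are deliberately left incomparable.
STRONGER_THAN = {
    "cleartext_name": set(),
    "nos_password": {"cleartext_name"},
    "ssl_client_cert": {"nos_password"},
    "hardware_token": {"nos_password"},
    "token_on_attested_host": {"ssl_client_cert", "hardware_token"},
}

# Highest clearance level a task authenticated at each grade may exercise (assumed policy).
GRADE_CEILING = {
    "cleartext_name": Level.UNCLASSIFIED,
    "nos_password": Level.CONFIDENTIAL,
    "ssl_client_cert": Level.SECRET,
    "hardware_token": Level.SECRET,
    "token_on_attested_host": Level.TOP_SECRET,
}


def grade_dominates(a: str, b: str, order: dict = STRONGER_THAN) -> bool:
    """True when grade a is at or above grade b, i.e. b is reachable from a along edges."""
    seen, stack = set(), [a]
    while stack:
        g = stack.pop()
        if g == b:
            return True
        if g not in seen:
            seen.add(g)
            stack.extend(order.get(g, ()))
    return False


def extend_ordering(order: dict, grade: str, above: set) -> dict:
    """Return a new order with one more grade placed above existing grades.

    A fresh grade has no incoming edges, so extending this way cannot create a cycle.
    """
    if grade in order:
        raise ValueError(f"grade {grade!r} already defined")
    unknown = set(above) - set(order)
    if unknown:
        raise ValueError(f"unknown grades: {sorted(unknown)}")
    return {**order, grade: set(above)}


def effective_clearance(clearance: Label, grade: str, encrypted_link: bool) -> Label:
    """Cap the user's clearance by the authentication grade and by a connection characteristic."""
    level = min(clearance.level, GRADE_CEILING[grade])
    comps = clearance.compartments
    if not encrypted_link:                       # assumed rule for a weak connection
        level = min(level, Level.CONFIDENTIAL)
        comps = frozenset()
    return Label(level, comps)


def may_read(effective: Label, classification: Label) -> bool:
    """Read is allowed when the task's effective clearance dominates the object's label."""
    return effective.dominates(classification)


def decide_everywhere(effective: Label, classification: Label, servers: list) -> dict:
    """Replicate the effective label to each server and evaluate the same check on each."""
    replicated = {s: effective for s in servers}
    return {s: may_read(replicated[s], classification) for s in servers}


if __name__ == "__main__":
    # Constructed sample: a user cleared SECRET with one compartment, and an
    # object classified SECRET in that same compartment.
    user = Label(Level.SECRET, frozenset({"crypto"}))
    obj = Label(Level.SECRET, frozenset({"crypto"}))
    for grade, enc in [("nos_password", True), ("hardware_token", True), ("hardware_token", False)]:
        eff = effective_clearance(user, grade, enc)
        print(grade, "encrypted" if enc else "cleartext", eff.level.name,
              sorted(eff.compartments), decide_everywhere(eff, obj, ["srv-a", "srv-b"]))
```

The same user is denied the object when authenticated by a password, granted it when authenticated by a hardware token over an encrypted link, and denied again when the token login arrives over an unencrypted link, because the connection characteristic lowers the effective clearance even though the grade would have allowed the read. Because every server receives the identical effective label, the decision table is the same on each of them.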
40 Claims
1. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- determining the access rights of the task with respect to the information object based at least on the authentication grade; and
- then distributing an effective clearance label, after which the effective clearance label resides on a plurality of server computers in the computer network.
Dependent claims: 2.
3. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by a first authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating a first authentication grade with the first authentication procedure;
- associating a second authentication grade with a second authentication procedure; and
- determining the access rights of the task with respect to the information object based at least on the first authentication grade,
wherein one of the authentication procedures has stronger cryptography than the other authentication procedure, and of the two procedures, the associating steps associate a higher authentication grade with the authentication procedure that has stronger cryptography.
4. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, a partial ordering is imposed on the authentication grades, and the tranquility property is maintained over the partial ordering in the computer network.
Dependent claims: 5, 6, 16, 21, 22, 23.
7. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, one authentication procedure has stronger cryptography than another authentication procedure, and of the two procedures, the associating step associates a higher authentication grade with the authentication procedure that has stronger cryptography.
8. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, one authentication procedure reviews a user identity certificate and another authentication procedure does not, and of the two procedures, the associating step associates a higher authentication grade with the authentication procedure that reviews the user identity certificate.
9. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, one authentication procedure requires a hardware token and another authentication procedure does not, and of the two procedures, the associating step associates a higher authentication grade with the authentication procedure that requires the hardware token.
10. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, one authentication procedure verifies that trusted hardware and/or trusted software is in use and another authentication procedure does not, and of the two procedures, the associating step associates a higher authentication grade with the authentication procedure that verifies such use.
11. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein one of the authentication grades is associated with a directory service authentication procedure.
12. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein one of the authentication grades is associated with a Secure Sockets Layer authentication procedure.
13. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein one of the authentication grades is associated with a cleartext name authentication procedure.
14. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the task is connected to the computer network by a connection, the method further comprises the computer-implemented step of identifying at least one characteristic of the connection, and the determining step determines the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, the classification level, and at least one characteristic of the connection.
15. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator;
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level; and
- marking the task as a trusted task by assigning a nontrivial clearance range to the task.
17. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the clearance level and the classification level are each stored as an instance of the same label structure.
18. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the computer system includes a computer network, and the determining step is followed by the computer-implemented step of distributing an effective clearance label, after which the effective clearance label resides on a plurality of server computers in the computer network.
19. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the effective clearance label specifies the current nontrivial clearance range of the task.
20. A computer-implemented method for controlling access by a task to an information object in a computer network, the task having been previously authenticated by an authentication procedure to act on behalf of a user, the computer-implemented method comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein a plurality of server computers in the computer network are configured such that the user has the same access rights to the information object on each of those server computers.
24. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication means is associated with its own distinct authentication grade, a partial ordering is imposed on the authentication grades by the association means, the network comprises an additional authentication means, the association means associates the additional authentication means with its own additional authentication grade, and the partial ordering is extended to include the additional authentication grade.
Dependent claims: 32, 33.
25. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication means is associated with its own distinct authentication grade, one authentication means uses stronger cryptography than another authentication means, and the association means associates a higher authentication grade with the authentication means that uses stronger cryptography.
26. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication means is associated with its own distinct authentication grade, one authentication means verifies that trusted hardware and/or trusted software is in use and another authentication means does not, and the association means associates a higher authentication grade with the authentication means that verifies such use.
27. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the authentication means includes means for performing a network operating system authentication procedure.
28. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the authentication means includes means for performing a Secure Sockets Layer authentication procedure.
29. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the task is connected to the computer network by a connection, the computer network further comprises means for identifying at least one characteristic of the connection, and the determination means determines the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, the classification level, and at least one characteristic of the connection.
30. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
further comprising means for marking the task as a trusted task by assigning a nontrivial effective clearance range to the task.
31. A computer network comprising:
- at least one information object;
- authentication means for authenticating a task to execute on at least a portion of the computer network on behalf of a user;
- execution means capable of executing the task, including memory and at least one processor;
- association means for associating an authentication grade with the authentication means;
- clearance identification means for identifying at least one clearance level previously assigned to the user by a clearance administrator;
- classification identification means for identifying at least one classification level previously assigned to the information object by a classification administrator;
- determination means for determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level; and
- distribution means for distributing an effective clearance label of the task so that the effective clearance label resides on a plurality of server computers in the computer network.
34. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer network to perform method steps for controlling access by a task to an information object in the computer network after the task has been authenticated by an authentication procedure to act on behalf of a user, the method steps comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the task is connected to the computer network by a connection, the method further comprises the computer-implemented step of identifying at least one characteristic of the connection, and the determining step determines the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, the classification level and at least one characteristic of the connection.
Dependent claims: 35, 39, 40.
36. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer network to perform method steps for controlling access by a task to an information object in the computer network after the task has been authenticated by an authentication procedure to act on behalf of a user, the method steps comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, a partial ordering is imposed on the authentication grades, one authentication procedure has stronger cryptography than another authentication procedure, and of the two procedures, the associating step associates a higher authentication grade with the authentication procedure that has stronger cryptography.
37. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer network to perform method steps for controlling access by a task to an information object in the computer network after the task has been authenticated by an authentication procedure to act on behalf of a user, the method steps comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein each of at least two authentication procedures is associated with its own distinct authentication grade, a partial ordering is imposed on the authentication grades, and one of the authentication grades is associated with at least one of a directory service authentication procedure and a network operating system authentication procedure.
38. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer network to perform method steps for controlling access by a task to an information object in the computer network after the task has been authenticated by an authentication procedure to act on behalf of a user, the method steps comprising the steps of:
- associating an authentication grade with the authentication procedure;
- identifying at least one clearance level previously assigned to the user by a clearance administrator;
- identifying at least one classification level previously assigned to the information object by a classification administrator; and
- determining the access rights of the task with respect to the information object based at least on the authentication grade, the clearance level, and the classification level,
wherein the determining step is followed by the computer-implemented step of distributing an effective clearance label, after which the effective clearance label resides on a plurality of server computers in the computer network.