Distributed dynamic security capabilities

US 6,119,230 A
Filed: 10/01/1997
Issued: 09/12/2000
Est. Priority Date: 10/01/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for managing security credentials in a system of at least one computer, the system having a credential checking facility to authenticate one or more principals, the method comprising the steps of:

in a first directory context, providing a principal with a secure package containing a credential;

in a second directory context, receiving a request from the principal to access the system;

enabling the credential checking facility to check the access request by accessing the credential in the secure package;

allowing or denying the access request according to the result of the credential check; and

determining whether credential information about the principal which is found in the second directory context was not placed in the secure package in the first directory context.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for managing security credentials in a distributed computer system. Multiple security contexts may be defined for a given principal in the system without requiring the use of multiple accounts. A secure package is provided to allow the principal to roam. Methods are provided for identifying differences in the principal'"'"'s access rights in different contexts and for updating the secure package as needed.

238 Citations

45 Claims

1. A method for managing security credentials in a system of at least one computer, the system having a credential checking facility to authenticate one or more principals, the method comprising the steps of:
- in a first directory context, providing a principal with a secure package containing a credential;
  
  in a second directory context, receiving a request from the principal to access the system;
  
  enabling the credential checking facility to check the access request by accessing the credential in the secure package;
  
  allowing or denying the access request according to the result of the credential check; and
  
  determining whether credential information about the principal which is found in the second directory context was not placed in the secure package in the first directory context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 41, 42, 43, 44, 45)
- - 2. The method of claim 1, wherein the first directory context includes a home domain of the principal and the second directory context does not include the home domain.
  - 3. The method of claim 1, wherein the providing step includes encrypting at least a portion of the secure package.
  - 4. The method of claim 3, wherein different portions of the secure package are encrypted using different encryption methods.
  - 5. The method of claim 3, wherein different portions of the secure package are encrypted using different key lengths.
  - 6. The method of claim 1, wherein the providing step places the secure package in a buffer on a portable computer.
  - 7. The method of claim 6, wherein the buffer is a persistent buffer.
  - 8. The method of claim 1, wherein the providing step places the secure package in a hard token.
  - 9. The method of claim 1, wherein the providing step places the secure package in a persistent removable storage medium.
  - 10. The method of claim 1, further comprising the step of notifying an access monitoring agent about the access request.
  - 11. The method of claim 1, further comprising the step of digitally signing at least a portion of the secure package.
  - 12. The method of claim 11, wherein the signing step includes digitally signing principal identifying information in the secure package.
  - 13. The method of claim 11, wherein the signing step includes digitally signing a credential in the secure package.
  - 14. The method of claim 1, further comprising the step of modifying the secure package to reflect credential information about the principal which is found in the second directory context and which was not placed in the secure package in the first directory context.
  - 15. The method of claim 14, wherein the modifying step includes digitally signing at least a portion of the secure package.
  - 16. The method of claim 15, wherein the signing step includes digitally signing principal identifying information in the secure package.
  - 17. The method of claim 15, wherein the signing step includes digitally signing a credential in the secure package.
  - 18. The method of claim 15, wherein the signing step includes replacing a digital signature in the secure package with another digital signature.
  - 19. The method of claim 15, wherein the signing step includes appending new information to the secure package, the new information being digitally signed independently of other digitally signed portions of the secure package.
  - 20. The method of claim 14, wherein the modifying step includes providing the principal with a new credential.
  - 21. The method of claim 14, wherein the modifying step alters the principal'"'"'s access rights.
  - 22. The method of claim 21, wherein the modifying step adds a right to the principal'"'"'s access rights.
  - 23. The method of claim 21, wherein the modifying step removes a right from the principal'"'"'s access rights.
  - 24. The method of claim 14, further comprising the step of verifying the principal'"'"'s identity before modifying the secure package.
  - 25. The method of claim 24, wherein the verifying step uses an identification means that was not used in the first directory context while providing the secure package.
  - 26. The method of claim 1, further comprising the step of modifying the second directory context to reflect credential information about the principal which is found in the secure package.
  - 27. The method of claim 1, further comprising the step of logging onto a computer in the system before making the access request.
  - 28. The method of claim 1, wherein the access request includes a request to obtain information about use of the system.
  - 29. The method of claim 1, wherein the access request includes a request to use a computer in the system to forward a message directed at a destination outside the system.
  - 41. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer system to perform method steps for managing security credentials, the method steps comprising the steps of claim 1.
  - 42. The storage medium of claim 41, wherein the method steps comprise the steps of claim 3.
  - 43. The storage medium of claim 41, wherein the method steps comprise the steps of claim 11.
  - 44. The storage medium of claim 41, wherein the method steps comprise the steps of claim 14.
  - 45. The storage medium of claim 41, wherein the method steps comprise the steps of claim 21.

30. A computer system comprising:
- a first directory context including a first set of credentials of a principal and also including a providing means for providing the principal with a secure package containing at least part of the first set of credentials;
  
  a second directory context including a second set of credentials of the principal and also including a modifying means for modifying the secure package to reflect differences between credentials in the second set and credentials which were placed in the secure package by the providing means of the first directory context.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The system of claim 30, wherein the directory contexts are defined at least in part according to a hierarchy of clearance levels and classification levels.
  - 32. The system of claim 30, wherein the first directory context includes a home domain of the principal.
  - 33. The system of claim 30, wherein at least one of the directory contexts contains locations connected within a distributed directory.
  - 34. The system of claim 33, wherein a location in the first directory context is connected by the distributed directory to a location in the second directory context.
  - 35. The system of claim 33, wherein the second set includes credential information stored in an unreplicated attribute of the distributed directory.
  - 36. The system of claim 33, wherein the second set includes credential information stored in an attribute of the distributed directory which is marked to require replacement of the credential information rather than in-place modification of the credential information.
  - 37. The system of claim 30, wherein the first context includes a first computer and the second context includes a different, second computer.
  - 38. The system of claim 37, wherein the two computers are connected in a network.
  - 39. The system of claim 37, wherein at least one of the two computers is a standalone machine.
  - 40. The system of claim 37, wherein at least one of the two computers is a mobile computer connectable to a computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen R.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US08/943,537
Time in Patent Office

1,077 Days
Field of Search

713/200, 713/201, 713/202, 713/161, 709/229, 380/3, 380/229, 380/4, 380/232, 380/25, 380/30
US Class Current

726/5
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2141   Access rights, e.g. capabil...

Distributed dynamic security capabilities

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

238 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed dynamic security capabilities

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

238 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links