Security system for event based middleware

US 6,158,007 A
Filed: 09/17/1997
Issued: 12/05/2000
Est. Priority Date: 09/17/1997
Status: Expired due to Term

First Claim

Patent Images

1. A system for providing security for messages between users on a computer network, the system comprising:

means for associating a security policy to any of a plurality of previously defined subjects, wherein said subjects are not the users;

means for assigning said messages to said subjects; and

a broker to identify and authorize said users and to enforce said security policies as said messages are communicated between said users in said network.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system (10) for users (50) to employ applications (12) as either publishing applications (24) or subscribing applications (26), for communicating messages (16) on computer networks. Each application (12) includes a client (28) which obtains from the user (50) a user ID (52) and a password (54), for authentication to a broker (30). The messages (16) are each assigned a subject (18) having a security policy (20), which includes an access control list (70) and a quality of protection (72). The access control list (70) may specify who may publish, who may subscribe, and who may ask for guaranteed delivery of messages (16) on the associated subject (18). Similarly, the quality of protection (72) may specify whether such messages (16) are privacy, integrity, or nonrepudiation protected, and whether they are to be audited. The broker (30) then employs the security policy (20) to control publishing and subscribing of the messages (16) and to provide the requested security protections.

Citations

26 Claims

1. A system for providing security for messages between users on a computer network, the system comprising:
- means for associating a security policy to any of a plurality of previously defined subjects, wherein said subjects are not the users;
  
  means for assigning said messages to said subjects; and
  
  a broker to identify and authorize said users and to enforce said security policies as said messages are communicated between said users in said network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein:
    - respective said security policies specify which said users may publish and which said users may receive said messages on associated respective said subjects.
  - 3. The system of claim 1, wherein:
    - specification in said security policy of at least one member of an attribute set consisting of a privacy attribute, an integrity attribute, a nonrepudiation attribute, and an audit attribute;
      
      said messages on said subjects having said privacy attribute set in their security policy are encrypted;
      
      said messages on said subjects having said integrity attribute set in their security policy are checksum protected;
      
      said messages on said subjects having said nonrepudiation attribute set in their security policy are digitally signed; and
      
      said messages on said subjects having said audit attribute set in their security policy are copied into an archive.
  - 4. The system of claim 1, wherein:
    - said users employ an application program to publish and receive said messages;
      
      said application program includes a client which solicits credentials from said user; and
      
      said client obtains access to publish and receive said messages on said network from said broker based upon said credentials.
  - 5. The system of claim 4, wherein:
    - said credentials include a user ID and a password.
  - 6. The system of claim 4, wherein:
    - said broker is authenticated to said client using digital certificate authentication; and
      
      said client is authenticated to said broker using a member of the authentication model set consisting of password authentication, digital certificate authentication, and third-party trusted host authentication.
  - 7. The system of claim 1, further comprising:
    - a security repository for securely storing said subjects, said security policies, and associations between them.
  - 8. The system of claim 7, wherein:
    - said plurality of previously defined subjects includes an administration subject; and
      
      said broker updates said security repository by receiving instances of said messages published on said administration subject, thereby administering the system.
  - 9. The system of claim 8, wherein:
    - said subjects are added to and deleted from said security repository by publication of specific said messages on said administration subject; and
      
      said security policies are added, modified, and deleted by publication of specific said messages on said administration subject.
  - 10. The system of claim 8, wherein:
    - said security policies include access control lists to specify which said users may publish and receive said messages on particular said subjects; and
      
      said users are added to and deleted from said access control lists by publication of messages on said administration subject.
  - 11. The system of claim 8, wherein:
    - said security policies include a plurality of settable security attributes for defining types of security to apply; and
      
      said security attributes are set and unset by publication of specific messages on said administration subject.
  - 12. The system of claim 7, wherein:
    - said subjects are ordered in a hierarchy; and
      
      said security policies assigned to higher ordered said subjects in said hierarchy apply also to lower ordered said subjects in said hierarchy, thereby permitting inheritance of said security policies.
  - 13. The system of claim 12, wherein:
    - said security policies assigned to higher ordered said subjects in said hierarchy are overridden by any said security policies assigned to lower ordered said subjects in said hierarchy, thereby permitting more flexible administration of inheritance by said security policies.

14. A method of providing security for messages between users of a computer network, the steps comprising:
- defining subjects for said messages, wherein said subjects are not the users;
  
  associating a security policy with each said subject;
  
  identifying and authenticating said users to a broker; and
  
  enforcing said security policy with said broker automatically as said messages are communicated between said users in said network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method of claim 14, further comprising:
    - specifying in each said security policy which of said users may publish said messages on the associated said subject and which of said users may receive said messages on the associated said subject.
  - 16. The method of claim 14, further comprising:
    - specifying in each said security policy at least one member of an attribute set consisting of a privacy attribute, an integrity attribute, a nonrepudiation attribute, and an audit attribute;
      
      encrypting instances of said messages on said subjects in which said security policy specifies said privacy attribute;
      
      checksumming instances of said messages on said subjects in which said security policy specifies said integrity attribute;
      
      origin vouching instances of said messages on said subjects in which said security policy specifies said nonrepudiation attribute; and
      
      auditing instances of said messages on said subjects in which said security policy specifies said audit attribute.
  - 17. The method of claim 16, wherein:
    - said step of encrypting uses Data Encryption Standard;
      
      said step of checksumming uses Message Digest 5; and
      
      said step of origin vouching uses Digital Signature Algorithm.
  - 18. The method of claim 15, wherein:
    - said users employ an application program to publish and receive said messages; and
      
      said application program includes a client which performs said step of identifying and authenticating said users to said broker; and
      
      the method further comprising;
      
      soliciting credentials from said user with said client; and
      
      controlling access of particular said users to publish and receive said messages on said network based upon said credentials.
  - 19. The method of claim 18, further comprising:
    - authenticating said client to said broker; and
      
      authenticating said broker to said client, thereby controlling access by said users to said network.
  - 20. The method of claim 15, further comprising:
    - storing said subjects, said security policies, and associations between them in a security repository.
  - 21. The method of claim 20, further comprising:
    - publishing administration messages on a previously defined administration subject;
      
      receiving said administration messages with said broker; and
      
      updating said security repository based upon said administration messages, thereby administering security of said network.
  - 22. The method of claim 21, further comprising:
    - controlling access of particular said users to publish and receive said messages on said network based upon adding to and deleting from said security repository by publication of specific said administration messages.
  - 23. The method of claim 22, further comprising:
    - defining at least one said user as an administration user; and
      
      publishing at least one specific said administration message requesting that only said administration users have access to publish on said administration subject, thereby controlling security over said administration subject.
  - 24. The method of claim 23, further comprising:
    - controlling types of security applied for specific said subjects by publication of specific said administration messages.
  - 25. The method of claim 15, further comprising:
    - ordering said subjects into a hierarchy; and
      
      applying said security policies assigned to higher ordered said subjects in said hierarchy also to lower ordered said subjects in said hierarchy, thereby permitting inheritance of said security policies.
  - 26. The method of claim 25, further comprising:
    - overriding selectively any said security policies assigned to higher ordered said subjects in said hierarchy by specifically assigning different said security policies to lower ordered said subjects in said hierarchy, thereby permitting more flexible administration of inheritance by said security policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Jahanshah Moreh, Terry M. Olkin
Inventors
Olkin, Terry M., Moreh, Jahanshah
Primary Examiner(s)
Swann, Tod R.
Assistant Examiner(s)
Smithers, Matthew

Application Number

US08/932,322
Time in Patent Office

1,175 Days
Field of Search

380/25, 395/187.01, 713/150, 713/201, 713/166, 713/164, 713/200, 711/163
US Class Current

726/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 12/185   with management of multicas...

H04L 12/1895   for short real-time informa...

H04L 51/00   User-to-user messaging in p...

H04L 63/0442   wherein the sending and rec...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Security system for event based middleware

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Security system for event based middleware

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links