Method and system for access control of a message queue

US 6,446,206 B1
Filed: 04/01/1998
Issued: 09/03/2002
Est. Priority Date: 04/01/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of controlling access to a message queue of a receiver in a message queuing system with asynchronous message delivery, comprising the steps of:

registering with a trusted server of the message queuing system a public key of a user of the message queuing system associated with a security identification (SID) of the user for identifying the user, the trusted server being a separate entity from the receiver;

forming a digital signature for a message generated by an application run by the user using a private key associated with the public key of the user;

transmitting to the receiver a message packet including the message, the public key of the user, and the digital signature;

verifying, by the receiver, the signature transmitted with the message using the received public key;

querying, by the receiver, the trusted server to obtain the SID associated with the public key transmitted with the message; and

determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access to a message queue in a message queuing system utilizes a certificate of a user who sends a message to authenticate the message and uses a directory service of the message queuing system as a trusted entity in the authentication process. The certificate used for message authentication may be an internal certificate issued by the message queuing system or an external certificate issued by a certification authority. The certificate is registered with the directory service of the message queuing system and stored with a security identification (SID) of the user. When the user runs an application which sends a message to a target queue, the sending computer signs the message with a private key associated with the certificate and sends the message with the digital signature and the certificate to the receiving computer. When the receiving message queue (MQ) server receives the message packet, it verifies the digital signature of the message. If the signature is verified, the receiving MQ server queries the message queuing system to obtain the SID associated with the certificate. The MQ server then decides whether the message with the SID should be placed in the target queue by checking a security descriptor of the target queue.

203 Citations

24 Claims

1. A method of controlling access to a message queue of a receiver in a message queuing system with asynchronous message delivery, comprising the steps of:
- registering with a trusted server of the message queuing system a public key of a user of the message queuing system associated with a security identification (SID) of the user for identifying the user, the trusted server being a separate entity from the receiver;
  
  forming a digital signature for a message generated by an application run by the user using a private key associated with the public key of the user;
  
  transmitting to the receiver a message packet including the message, the public key of the user, and the digital signature;
  
  verifying, by the receiver, the signature transmitted with the message using the received public key;
  
  querying, by the receiver, the trusted server to obtain the SID associated with the public key transmitted with the message; and
  
  determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as in claim 1, wherein the trusted server is a replicated database.
  - 3. A method as in claim 2, wherein the replicated database provides directory service.
  - 4. A method as in claim 1, wherein the public key is generated by the message queuing system.
  - 5. A method as in claim 1, wherein the public key is issued by a certification authority.
  - 6. A method as in claim 1, further including the step of authenticating the trusted server by the receiver.
  - 7. A method as in claim 6, wherein the step of authenticating the trusted server includes transmitting a certificate of the trusted server issued by a certification authority to the receiver.
  - 8. A method as in claim 1, further including the step of storing the public key with information on a location of the private key and a cryptographic procedure for signing the message.
  - 9. A method as in claim 8, further including the step of retrieving the private key of the user from a card.
  - 10. A method as in claim 1, wherein the step of determining includes checking a security descriptor for the message queue of the receiver.
  - 11. A computer-readable medium having computer-executable instructions for performing the steps recited in claim 1.

12. A message queuing system for asynchronous delivery of a message from a sender to an access-controlled message queue of a receiver, comprising:
- a trusted server for registering a public key of a user and storing a corresponding security identification (SID) of the user for identifying the user, the trusted server being a separate entity from the receiver;
  
  a routine for generating a digital signature for a message sent by an application run by the user using a private key associated with the public key;
  
  a message queue server of the sender for transmitting the message with the public key and the digital signature to the receiver; and
  
  a message queue server of the receiver for verifying the digital signature using the received public key, querying the trusted server to obtain the SID corresponding to the public key, and determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. A message queuing system as in claim 12, wherein the trusted server is a replicated database for providing distributed directory service.
  - 14. A message queuing system as in claim 12, further including a security descriptor for the message queue for checking by the message queue server of the receiver for determining whether to allow the message to be placed in the message queue of the receiver.
  - 15. A message queuing system as in claim 13, further including a store for storing the public key with information on a location of the private key associated with the public key and a cryptographic procedure for signing the message.
  - 16. A message queuing system as in claim 12, further including a machine readable card on which the private key of the user is stored, and wherein the sender includes a card reader for reading the card to retrieve the private key.
  - 17. A message queuing system as in claim 12, wherein the public key of the user is generated by the message queuing system.
  - 18. A message queuing system as in claim 12, wherein the trusted server includes an external certificate issued by a certification authority for authentication thereof by the receiver.

19. A computer-readable medium having computer-executable components comprising:
- a trusted server component for registering a public key of a user and storing a corresponding security identification (SID) of the user for identifying the user;
  
  a signing component for generating a digital signature for a message sent by an application run by the user using a private key associated with the public key;
  
  a sending message queue server component for transmitting the message with the public key and the digital signature to the receiver; and
  
  a receiving message queue server component for verifying the digital signature using the received public key, querying the trusted server to obtain the SID corresponding to the public key, and determining whether to allow the message to be placed in a message queue of the receiver based on the obtained SID, the trusted server being a separate entity from the receiving message queue server.

20. A method of controlling access to a message queue of a receiver in a message queuing system with asynchronous message delivery, comprising the steps of:
- receiving a message from a sender of the message queuing system to a destination message queue, the message sent with a public key of a user sending the message and a digital signature of the message formed with a private key associated with the public key;
  
  verifying, by the receiver, the signature transmitted with the message using the received public key;
  
  querying, by the receiver, a trusted server of the message queuing system to obtain a security identification (SID) corresponding to the public key received by the receiver and identifying a user sending the message, the trusted server being a separate entity from the receiver; and
  
  checking a security descriptor for the destination queue to determine whether the message is allowed to be placed in the destination message queue based on the obtained SID.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A method as in claim 20, further including the step of transmitting a certificate of the database to the receiver for authenticating the database by the receiver.
  - 22. A method as in claim 21, further including the step of generating the certificate by the message queuing system for the user.
  - 23. A method as in claim 20, further including the step of reading the private key from a card for forming the digital signature.
  - 24. A computer-readable medium having computer-executable instructions for performing the steps recited in claim 20.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Feldbaum, Boaz
Primary Examiner(s)
DI LORENZO, ANTHONY

Application Number

US09/053,104
Time in Patent Office

1,616 Days
Field of Search

713/200, 713/201, 713/202, 713/170, 713/181, 713/154, 713/162, 713/156, 713/159, 709/225, 709/229, 380/30
US Class Current

713/175
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/126 the source of the received ...

Method and system for access control of a message queue

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for access control of a message queue

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links