Method and apparatus for facilitating information security policy control on a per security engine user basis

US 6,499,110 B1
Filed: 06/30/1999
Issued: 12/24/2002
Est. Priority Date: 12/23/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for facilitating information security policy control for at least one information security engine comprising the steps of:

generating security policy association data on a per security engine user basis wherein the security policy association data includes data representing at least first policy user identification data and corresponding policy identification data wherein the first policy user identification data is based on executable file data of a software program, and wherein the first policy user identification data is derived at least in part by applying a hash function to at least a portion of the executable file data;

storing the security policy association data;

obtaining second policy user identification data after the security policy association data has been generated; and

comparing at least the first stored policy user identification data with the second policy user identification data on a per security engine user basis and using the stored policy identification to control security policy requirements when the first and second policy user identification data matches.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method facilitates information security policy control for an information security engine by utilizing security policy association data on a per security engine user basis. Security policy association data may include, for example, data representing identification information of the user of the security engine along with corresponding policy identification data. Policy user identification data may be a hash value of the disk image of an executable software application which uses the security engine, along with policy object identification data which indicates which policy (or policies) that particular application is required to use. A security engine obtains access to this information and also obtains comparison information such as generating a realtime hash value of a calling application that is requesting use of the security engine and compares the newly generated hash value to a stored hash value included as the policy association data. If the hash values match, indicating that the calling application has been previously approved by the trusted policy authority, the policy rules referenced by the policy association data are then employed by the security engine.

118 Citations

39 Claims

1. A method for facilitating information security policy control for at least one information security engine comprising the steps of:
- generating security policy association data on a per security engine user basis wherein the security policy association data includes data representing at least first policy user identification data and corresponding policy identification data wherein the first policy user identification data is based on executable file data of a software program, and wherein the first policy user identification data is derived at least in part by applying a hash function to at least a portion of the executable file data;
  
  storing the security policy association data;
  
  obtaining second policy user identification data after the security policy association data has been generated; and
  
  comparing at least the first stored policy user identification data with the second policy user identification data on a per security engine user basis and using the stored policy identification to control security policy requirements when the first and second policy user identification data matches.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the security policy association data includes policy user type data that includes data representing whether a user is a software application or other security engine user type.
  - 3. The method of claim 1 wherein the security policy association data includes policy rule data.
  - 4. The method of claim 1 wherein the security policy association data further includes location data allowing determination of where the executable file data is located in memory.
  - 5. The method of claim 1 including the step of applying digital signature data of a trusted authority to the policy association data.
  - 6. The method of claim 5 wherein the step of generating the security policy association data is performed by a policy authority unit operatively coupled to a plurality of subscriber units and wherein the digital signature is that of the policy authority unit.
  - 7. The method of claim 5 including the step of using a digital signature verification algorithm to determine whether the digital signature originated from a trusted source.
  - 8. The method of claim 1 wherein the step of comparing includes:
    - computing a hash value of executable file data associated with a calling application as the second policy user identification data; and
      
      comparing the computed hash value with the first policy user identification data in the policy association data.
  - 9. The method of claim 1 wherein the security policy association data is a list containing object identifier data as the policy identification data.
  - 10. The method of claim 1 wherein the step of generating the security policy association data is performed by a subscriber unit in a public key infrastructure system.
  - 11. The method of claim 1 including generating selected policy rule data through an interface that receives selectable policy rules and associated allowable values for the policy rules.
  - 12. The method of claim 1 wherein the security engine provides information security operations for a plurality of software applications and wherein the security engine enforces all security policy rules indicated in the security policy association data for a calling application identified by the policy user identification data.

13. An apparatus for facilitating information security policy control for at least one information security engine comprising:
- means for generating security policy association data on a per security engine user basis wherein the security policy association data includes data representing at least first policy user identification data and corresponding policy identification data wherein the first policy user identification data is based on executable file data of a software program; and
  
  wherein the first policy user identification data is derived at least in part by applying a hash function to at least a portion of the executable file data;
  
  means for storing the security policy association data;
  
  means for obtaining second policy user identification data after the security policy association data has been generated; and
  
  means, operatively coupled to the means for storing and the means for obtaining, for comparing at least the first stored policy user identification data with the second policy user identification data on a per security engine use user basis and using the stored policy identification to control security policy requirements when the first and second policy user identification data matches.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The apparatus of claim 13 wherein the first policy user identification data is an internet protocol address.
  - 15. The apparatus of claim 13 wherein the security policy association data includes policy user type data that includes data representing whether a user is a software application or other security engine user type.
  - 16. The apparatus of claim 13 wherein the security policy association data includes policy rule data.
  - 17. The apparatus of claim 13 wherein the security policy association data further includes location data allowing determination of where the executable file data is located in memory.
  - 18. The apparatus of claim 13 wherein the means for generating applies digital signature data of a trusted authority to the policy association data.
  - 19. The apparatus of claim 18 wherein the means for generating the security policy association data is part of a policy authority unit operatively coupled to a plurality of subscriber units and wherein the digital signature is that of the policy authority unit.
  - 20. The apparatus of claim 18 including a policy association data signature verifier including a digital signature verification algorithm to determine whether the digital signature originated from a trusted source.
  - 21. The apparatus of claim 13 wherein means for comparing includes a hash value generator that computes a hash value of executable file data associated with a calling application as the second policy user identification data;
    - and wherein the means for comparing compares the computed hash value with the first policy user identification data in the policy association data.
  - 22. The apparatus of claim 13 wherein the security policy association data is a list containing object identifier data as the policy identification data.
  - 23. The apparatus of claim 13 wherein the means for generating the security policy association data is part of a subscriber unit in a public key infrastructure system.
  - 24. The apparatus of claim 13 including means for generating selected policy rule data through an interface that receives selectable policy rules and associated allowable values for the policy rules.
  - 25. The apparatus of claim 13 wherein the security engine provides information security operations for a plurality of software applications and wherein the security engine enforces all security policy rules indicated in the security policy association data for a calling application identified by the policy user identification data.

26. A storage medium comprising:
- memory containing executable program data that when read by one or more processing units, causes the one or more processing units to;
  
  generate security policy association data on a per security engine user basis wherein the security policy association data includes data representing at least first policy user identification data and corresponding policy identification data wherein the first policy user identification data is based on executable file data of a software program and wherein the first policy user identification data is derived at least in part by applying a hash function to at least a portion of the executable file data;
  
  store the security policy association data;
  
  obtain second policy user identification data after the security policy association data has been generated; and
  
  compare at least the first stored policy user identification data with the second policy user identification data on a per security engine use user basis and using the stored policy identification to control security policy requirements when the first and second policy user identification data matches.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 27. The storage medium of claim 26 wherein the first policy user identification data is an internet protocol address.
  - 28. The storage medium of claim 26 wherein the security policy association data includes policy user type data that includes data representing whether a user is a software application or other security engine user type.
  - 29. The storage medium of claim 26 wherein the security policy association data includes policy rule data.
  - 30. The storage medium of claim 26 wherein the security policy association data further includes location data allowing determination of where the executable file data is located in memory.
  - 31. The storage medium of claim 26 including the step of applying digital signature data of a trusted authority to the policy association data.
  - 32. The storage medium of claim 31 wherein the step of generating the security policy association data is performed by a policy authority unit operatively coupled to a plurality of subscriber units and wherein the digital signature is that of the policy authority unit.
  - 33. The storage medium of claim 31 including the step of using a digital signature verification algorithm to determine whether the digital signature originated from a trusted source.
  - 34. The storage medium of claim 26 wherein the step of comparing includes:
    - computing a hash value of executable file data associated with a calling application as the second policy user identification data; and
      
      comparing the computed hash value with the first policy user identification data in the policy association data.
  - 35. The storage medium of claim 26 wherein the security policy association data is a list containing object identifier data as the policy identification data.
  - 36. The storage medium of claim 26 wherein the step of generating the security policy association data is performed by a subscriber unit in a public key infrastructure system.
  - 37. The storage medium of claim 26 including generating selected policy rule data through an interface that receives selectable policy rules and associated allowable values for the policy rules.
  - 38. The storage medium of claim 26 wherein the security engine provides information security operations for a plurality of software applications and wherein the security engine enforces all security policy rules indicated in the security policy association data for a calling application identified by the policy user identification data.

39. A method for facilitating information security policy control for at least one information security engine comprising the steps of:
- generating security policy association data on a per security engine user basis wherein the security policy association data includes data representing at least first policy user identification data and corresponding policy identification data wherein the first policy user identification data is an internet protocol address;
  
  storing the security policy association data;
  
  obtaining second policy user identification data after the security policy association data has been generated; and
  
  comparing at least the first stored policy user identification data with the second policy user identification data on a per security engine user basis and using the stored policy identification to control security policy requirements when the first and second policy user identification data matches.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Technologies Limited
Inventors
Langford, Glenn C., Moses, Timothy E.
Primary Examiner(s)
SMITHERS, MATTHEW

Application Number

US09/343,904
Time in Patent Office

1,273 Days
Field of Search

713/201, 713/200, 713/155, 713/156, 713/164, 713/166, 713/151, 713/152, 713/182
US Class Current

726/1
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

Method and apparatus for facilitating information security policy control on a per security engine user basis

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for facilitating information security policy control on a per security engine user basis

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links