System and method for distributed network acess and control enabling high availability, security and survivability

US 7,278,023 B1
Filed: 06/09/2000
Issued: 10/02/2007
Est. Priority Date: 06/09/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of administering access and security on a network having a plurality of computers, comprising:

installing a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the plurality of computers and the network;

one-way encrypting a password entered by a user when the user logs into a computer of the plurality of computers on the network;

checking for a match between the user identification and one-way encrypted password entered by the user and the plurality of user identifications and one-way encrypted passwords stored in the one-way encrypted password file;

enabling access to data and software contained on the computer and the network permitted by the associated privileges for the user when a match is found on the one-way encrypted password file;

broadcasting messages to the plurality of computers, such that each message is received at each computer;

filtering the broadcast messages at each computer according to the associated privileges of the user associated with each computer, such that a given message will be displayed only where the associated privileges of the user allow the message to be displayed; and

andupdating the one way encrypted password file at each of the plurality of computers, wherein updating the one way encrypted password file includes attaching a new master password file to a message at a computer accessible by a systems administrator or security officer, encrypting the message containing the new master password file using a private key and pass phrase available only to the systems administrator or security officer, transmitting the message to the plurality of computers, and decrypting the message at each computer using a public key corresponding to the private key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program that administers access and security on a network having more than one computer system connected thereto. This system, method and computer program has a local password file (1500) which is one-way encrypted and contains user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the wide area network (10). A user login module (1200) is used to receive a user identification or role and password from a user and login the user when a match is found in the local password file (1500). A channel monitoring and filtering module (1000) is provided to monitor and receive broadcast or multicast messages within the wide area network (10) and display the message to the user when the user'"'"'s associated privileges permit the viewing of the message. This system, method and computer program also has a password management module (1300) to update and insure that all the computers in the network contain the same local password file (1500). A remote auditing module (1400) is provided to monitor and process anomalous events which may occur on a user'"'"'s computer. A remote control module is also provided to enable a systems administrator or security officer to take appropriate action when a critical event transpires. An authentication module is also provided to enable a system administrator or security officer an option to check and confirm a password entered by a user for re-authentication.

50 Citations

View as Search Results

35 Claims

1. A method of administering access and security on a network having a plurality of computers, comprising:
- installing a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the plurality of computers and the network;
  
  one-way encrypting a password entered by a user when the user logs into a computer of the plurality of computers on the network;
  
  checking for a match between the user identification and one-way encrypted password entered by the user and the plurality of user identifications and one-way encrypted passwords stored in the one-way encrypted password file;
  
  enabling access to data and software contained on the computer and the network permitted by the associated privileges for the user when a match is found on the one-way encrypted password file;
  
  broadcasting messages to the plurality of computers, such that each message is received at each computer;
  
  filtering the broadcast messages at each computer according to the associated privileges of the user associated with each computer, such that a given message will be displayed only where the associated privileges of the user allow the message to be displayed; and
  
  andupdating the one way encrypted password file at each of the plurality of computers, wherein updating the one way encrypted password file includes attaching a new master password file to a message at a computer accessible by a systems administrator or security officer, encrypting the message containing the new master password file using a private key and pass phrase available only to the systems administrator or security officer, transmitting the message to the plurality of computers, and decrypting the message at each computer using a public key corresponding to the private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method recited in claim 1, wherein the associated privileges contained in the one-way encrypted password file indicate the security level and access privileges of the user identification for access to software, data and messages contained in the computer, the network, and transmitted over the network.
  - 3. The method recited in claim 1, wherein when one or more attempts of the user entering a user identification and one-way encrypted password have failed to match the plurality of user identifications and one-way encrypted passwords contained in the one-way encrypted password file, the method further comprising:
    - transmitting to a systems administrator or security officer by the computer a notification of the failure to provide a one way encrypted user identification and password that matches a user identification and one-way encrypted password stored on the one-way encrypted password file.
  - 4. The method recited in claim 3, further comprising:
    - locking, upon request by the systems administrator or security officer, the computer being accessed by the user having at least one failed attempt at entering a user identification and one-way encrypted password so as to permit only access to a login screen by the user.
  - 5. The method recited in claim 3, further comprising:
    - spoofing, upon request by the systems administrator or security officer, the user into believing that the access has been gained to the computer, wherein spoofing includes the presentation of false messages and information to the user.
  - 6. The method recited in claim 3, further comprising:
    - disabling, upon request by the systems administrator or security officer, the computer system so that the user cannot access the computer system.
  - 7. The method recited in claim 6, further comprising:
    - deleting, upon request by the systems administrator or security officer, a plurality of files stored in the computer system.
  - 8. The method recited in claim 1, further comprising:
    - displaying to a screen on the computer system a request for re-authentication at the direction of a system administrator or security officer.
  - 9. The method recited in claim 8, wherein the request for re-authentication comprises:
    - displaying a login screen having a position for entry of the user identification and password.
  - 10. The method recited in claim 9, wherein the user identification is a role or title indicative of a level of authority of the user.
  - 11. The method recited in claim 9, further comprising:
    - accessing a master password file on a computer system accessible by the systems administrator or security officer;
      
      one-way encrypting the password; and
      
      searching the master password file for a match of the user identification and one-way encrypted password.
  - 12. The method recited in claim 11, further comprising:
    - disabling the computer system, or spoofing the user, or locking the computer system when a match is not found for the user identification and one-way encrypted password in the master password file.
  - 13. The method recited in claim 11, wherein after the user has entered the user identification and one-way encrypted password and the user identification and one-way password has matched that found in the one-way encrypted password file, further comprising:
    - entering a new password by the user;
      
      re-authenticating the user identification and one-way password stored on the master password file;
      
      one-way encrypting the new password; and
      
      replacing the user identification and password with the one-way encrypted user identification and the new one-way encrypted password in the master password file.
  - 14. The method recited in claim 1, further comprising:
    - detecting an anomalous event in a computer of the plurality of computers; and
      
      reporting the anomalous event to a system administrator or security officer.
  - 15. The method recited in claim 14, wherein the anomalous event comprises:
    - the user has exceeded the number of allowable unsuccessful login attempts;
      
      a change in the users associated privileges has occurred;
      
      a system disable operation was initiated by the user;
      
      a user'"'"'s password has expired;
      
      a message was rejected due to an invalid digital signature;
      
      a request for remote user re-authentication has been received by the systems administrator or security officer;
      
      a request for a remote user lockout has been received by the system administrator or security officer; and
      
      a request for remote loading passwords has completed successfully on the system administrator or security officer.
  - 16. The method recited in claim 14, further comprising:
    - deleting a plurality of files on the computer and disabling the computer in response to an anomalous event when requested by the system administrator or security officer or when an immediate shutdown in requested by the user.
  - 17. The method recited in claim 15, further comprising:
    - disabling the computer system, or spoofing the user, or locking the computer system when an anomalous event occurs.

18. A system to administer access and security on a network having a plurality of computers, comprising:
- a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the plurality of computers and the network;
  
  a user login module to receive a user identification or role and password from a user and login the user when a match is found in the one-way encrypted password file;
  
  a channel monitoring and filtering module to monitor and receive broadcast or multicast messages within the network and display the message to the user when the user'"'"'s associated privileges permit the viewing of the message; and
  
  a remote auditing module operative to monitor and process anomalous events which may occur on the computer, the anomalous events comprising;
  
  a change in the users'"'"' associated privileges;
  
  a system disable operation initiated by the user;
  
  the expiration of a user'"'"'s password;
  
  the rejection of a message due to an invalid digital signature;
  
  a request for remote user re-authentication received from the systems administrator or security officer;
  
  a request for a remote user lockout received from the system administrator or security officer; and
  
  successful completion of a request for remote loading passwords to a system administrator or security officer.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The system recited in claim 18, further comprising:
    - a password management module to update and insure that all the computers in the network contain the same one-way encrypted password file.
  - 20. The system recited in claim 18, further comprises:
    - a remote control module to enable a systems administrator or security officer to take appropriate action when an event transpires, wherein the event is an anomalous event.
  - 21. The system recited in claim 20, wherein the appropriate action comprises:
    - disabling, upon request by the systems administrator or security officer, the computer system so that the user cannot access the computer system; and
      
      deleting, upon request by a systems administrator or security officer, a plurality of files stored in the computer.
  - 22. The system recited in claim 20, wherein the appropriate action comprises:
    - spoofing, upon request by a systems administrator or security officer, the user into believing that the access has been gained to the computer, wherein spoofing includes the presentation of false messages and information to the user.
  - 23. The system recited in claim 20, wherein the appropriate action comprises:
    - locking the computer, upon request of a systems administrator or security officer, and displaying a login screen for the user to re-authenticate the user identification and password.
  - 24. The system recited in claim 18, further comprising:
    - an authentication module to re-authenticate the user after the user login module has found a match in the one-way encrypted password contained in the computer by checking the user identification and password against a master password file stored in a computer accessible by a systems administrator or security officer.
  - 25. The system recited in claim 19, wherein the password management module attaches a master password file containing a complete user identifications, associated one-way encrypted passwords and associated privileges to a message, encrypts the message using a private key and pass phrase for the system administrator or security officer and broadcasts the message to all users.
  - 26. The system recited in claim 25, wherein the password management module decrypts the message using a public key associated with the private key, replaces the one-way encrypted password file when decryption of the message is successful and reports a failure to the system administrator or security officer when the decryption is not successful.

27. A computer program executable by a computer and embedded in a computer readable medium to administer access and security on a network having a plurality of computers, comprising:
- a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the plurality of computers and the network;
  
  a user login code segment to receive a user identification or role and password from a user and login the user when a match is found in the one-way encrypted password file;
  
  a channel monitoring and filtering code segment to monitor and receive broadcast or multicast messages within the network and display the message to the user when the user'"'"'s associated privileges permit the viewing of the message; and
  
  a remote control code segment that enables a systems administrator or security officer to take appropriate action when an anomalous event transpires, the appropriate action including spoofing the user into believing that the access has been gained to the computer, wherein spoofing includes the presentation of false messages and information to the user.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. The computer program recited in claim 27, further comprising:
    - a password management code segment to update and insure that all the computers in the network contain the same one-way encrypted password file.
  - 29. The computer program recited in claim 27, further comprising:
    - a remote auditing code segment to monitor and process anomalous events which may occur on the computer.
  - 30. The computer program recited in claim 29, wherein the anomalous events comprise:
    - the user has exceeded the number of allowable unsuccessful login attempts;
      
      a change in the users associated privileges has occurred;
      
      a system disable operation was initiated by the user;
      
      a user'"'"'s password has expired;
      
      a message was rejected due to an invalid digital signature;
      
      a request for remote user re-authentication has been received by the systems administrator or security officer;
      
      a request for a remote user lockout has been received by the system administrator or security officer; and
      
      a request for remote loading passwords has completed successfully on the system administrator or security officer.
  - 31. The computer program recited in claim 27, wherein the appropriate action comprises:
    - disabling, upon request by the systems administrator or security officer, the computer system so that the user cannot access the computer system; and
      
      deleting, upon request by a systems administrator or security officer, a plurality of files stored in the computer.
  - 32. The computer program recited in claim 27, wherein the appropriate action comprises:
    - locking the computer, upon request of a systems administrator or security officer, and displaying a login screen for the user to re-authenticate the user identification and password.
  - 33. The computer program recited in claim 27, further comprising:
    - an authentication code segment to re-authenticate the user after the user login code segment has found a match in the one-way encrypted password contain in the computer by checking the user identification and password against a master password file stored in a computer accessible by a systems administrator or security officer.
  - 34. The computer program recited in claim 28, wherein the password management code segment attaches a master password file containing a complete user identifications, associated one-way encrypted passwords and associated privileges to a message, encrypts the message using a private key and passphrase for the system administrator or security officer and broadcasts the message to all users.
  - 35. The computer program recited in claim 34, wherein the password management code segment decrypts the message using a public key associated with the private key, replaces the one-way encrypted password file when decryption of the message is successful and reports a failure to the system administrator or security officer when the decryption is not successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
Northrop Grumman Corporation
Inventors
Siegel, Neil G., Kozel, Ronald J., Bixler, David C.
Primary Examiner(s)
Backer; Firmin

Application Number

US09/589,747
Time in Patent Office

2,671 Days
Field of Search

713/103, 713/183, 713/181
US Class Current

713/183
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2143   Clearing memory, e.g. to pr...

G06Q 20/383   Anonymous user system

System and method for distributed network acess and control enabling high availability, security and survivability

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for distributed network acess and control enabling high availability, security and survivability

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links