Computer security system

US 7,644,434 B2
Filed: 04/25/2003
Issued: 01/05/2010
Est. Priority Date: 04/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method of providing individual access to each of a plurality of protected physical resources on a network, said method comprising the steps of:

establishing a security system physically intermediate to a user access point and the plurality of protected physical resources on the network;

determining, by the security system, whether a user is authenticated to connect to an individual one or individual ones of the plurality of protected physical resources on the network to establish physical access by the user to the individual one or individual ones of the plurality of protected resources on the network;

establishing, by the security system, a client identifier and a session identifier, transparent to the user access point and the security system, to enable a session for establishing a connection between the user access point and the individual one or individual ones of the plurality of protected physical resources, if the user is authenticated by the security system for physical access to the individual one or individual ones of the plurality of protected physical resources;

changing the session identifier each time the user completes an interaction during the session, each changed session identifier being derived from a user identifier corresponding to the authenticated user;

determining, by the security system, whether the session identifier received with the interaction is derived from the user identifier and whether the received session identifier and the user identifier correlate to data included in a data source accessible by the security system, as the session identifier is changed;

providing, by the security system, the user physical access to the individual one or individual ones of the protected physical resources by establishing the connection therebetween if the received session identifier is associated with the user identifier and the received session identifier and the associated user identifier correlate to the data included in the data source; and

terminating the connection between the user and the individual one or individual ones of the protected physical resources by disabling the connection therebetween, if the received session identifier is not derived from the user identifier or the received session identifier and the associated user identifier do not correlate to the data included in the data source.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of providing access to an authenticated user, and restricting access to an unauthorized user, of a computer system, is provided. The method includes determining whether a user is authenticated to access at least one resource included in the computer system. The method also includes establishing a session and a session identifier such that the user has access to the at least one resource if the user is authenticated to access the at least one resource. The method also includes changing the session identifier each time the user completes an interaction with the computer system during the session.

49 Citations

View as Search Results

33 Claims

1. A method of providing individual access to each of a plurality of protected physical resources on a network, said method comprising the steps of:
- establishing a security system physically intermediate to a user access point and the plurality of protected physical resources on the network;
  
  determining, by the security system, whether a user is authenticated to connect to an individual one or individual ones of the plurality of protected physical resources on the network to establish physical access by the user to the individual one or individual ones of the plurality of protected resources on the network;
  
  establishing, by the security system, a client identifier and a session identifier, transparent to the user access point and the security system, to enable a session for establishing a connection between the user access point and the individual one or individual ones of the plurality of protected physical resources, if the user is authenticated by the security system for physical access to the individual one or individual ones of the plurality of protected physical resources;
  
  changing the session identifier each time the user completes an interaction during the session, each changed session identifier being derived from a user identifier corresponding to the authenticated user;
  
  determining, by the security system, whether the session identifier received with the interaction is derived from the user identifier and whether the received session identifier and the user identifier correlate to data included in a data source accessible by the security system, as the session identifier is changed;
  
  providing, by the security system, the user physical access to the individual one or individual ones of the protected physical resources by establishing the connection therebetween if the received session identifier is associated with the user identifier and the received session identifier and the associated user identifier correlate to the data included in the data source; and
  
  terminating the connection between the user and the individual one or individual ones of the protected physical resources by disabling the connection therebetween, if the received session identifier is not derived from the user identifier or the received session identifier and the associated user identifier do not correlate to the data included in the data source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The method of claim 1 further comprising the steps of:
    - calculating the time elapsed after each interaction of the user during the session; and
      
      terminating the session upon the calculated time exceeding a predetermined value.
  - 3. The method of claim 1 wherein the data source is within or is associated with the security system.
  - 4. The method of claim 1 further comprising the steps of:
    - assigning the user identifier to the user if the user is authenticated to physically access the individual one or individual ones of the plurality of protected physical resources.
  - 5. The method of claim 4 wherein said assigning step includes randomly generating the user identifier.
  - 6. The method of claim 4 wherein said assigning step includes generating the user identifier according to a logarithmic code.
  - 7. The method of claim 1 further comprising the step of:
    - sending the user a single use security token useful for physically accessing the individual one or individual ones of the plurality of protected physical resources if the user is authenticated to access the individual one or individual ones of the plurality of protected physical resources.
  - 8. The method of claim 7 further comprising the steps of:
    - verifying that the single use security token is associated with a presently valid session identifier; and
      
      the step of providing the user with physical access to the individual one or individual ones of the plurality of protected physical resources is responsive to the verifying of an association between the single use security token and the presently valid session identifier.
  - 9. The method of claim 8 comprising the step of:
    - removing the single use security token from a list of valid security tokens on the security system after said verifying step and prior to said providing the user with physical access to the individual one or individual ones of the plurality of protected physical resources.
  - 10. The method of claim 8 wherein said providing step includes sending connection information to the user in a form of a script.
  - 11. The method of claim 8 wherein said providing step includes sending the user a cookie containing the session identifier associated with the user and useful for physically accessing the individual one or individual ones of the plurality of protected physical resources.
  - 12. The method of claim 1 wherein said establishing step includes randomly generating the user identifier.
  - 13. The method of claim 1 wherein said establishing step includes generating the user identifier according to a logarithmic code.
  - 14. The method of claim 1 wherein said determining step includes:
    - providing login information related to the user to a web browser;
      
      transmitting the login information from the web browser to the security system; and
      
      determining whether the user is authenticated to physically access the individual one or individual ones of the plurality of protected physical resources using the login information.
  - 21. The method of claim 1, wherein the interaction is selected from the group consisting of a mouse-click, a keystroke, a mouse movement, a joystick action, a video command, an audio command, a touch screen command, and a keypad command.
  - 23. The method of claim 1, wherein:
    - the user identifier and the session identifier are mathematically matched to each other as the session identifier is changed such that the step of determining includes verifying that the session identifier and the user identifier received from the user are mathematically matched to each other and correlate to the data included in the data source.
  - 24. The method of claim 23, wherein:
    - for each of the interactions,changing a value of the session identifier to a new value mathematically based on a value of the user identifier;
      
      sending, to the data source, the new value of the session identifier; and
      
      verifying that;
      
      (1) the new value of the session identifier is mathematically based on the user identifier received from the user and (2) the changed session identifier and user identifier correlate to the data included in the data source.
  - 25. The method of claim 1, wherein, for each interaction, the step of changing the session identifier occurs prior to providing physical access to any protected physical resource on the network.
  - 26. The method of claim 1, further comprising:
    - for each interaction between the user and the security system, maintaining physical access to the individual one or individual ones of the protected physical resources via the connection between the user access point and the individual one or individual ones of the protected physical resources if the received session identifier associated with a respective interaction is authenticated to the user.
  - 27. The method of claim 1, further comprising:
    - establishing the connection between the user access point and the individual one or individual ones of the protected physical resources by maintaining a session between the user access point and the security system as long as the received session identifier is associated with the user identifier and the received session identifier and the associated user identifier correlate to the data included in the data source, as the received session identifier changes.
  - 28. The method of claim 1, wherein:
    - the changing of the session identifier includes removing the received session identifier from a list of valid session identifiers in the data source; and
      
      thereafter,the providing, by the security system, of physical access includes sending, by the security system, a script to the user access point to establish connection parameters for the physical connection between the user access point and the individual one or individual ones of the plurality of protected physical resources on the network.
  - 29. The method of claim 1, wherein the establishing of the connection between the user access point and the individual one or individual ones of the plurality of protected physical resources includes controlling a port to the individual one or individual ones of the plurality of protected physical resources.
  - 30. The method of claim 1, wherein the protected physical resources include one or more of a computer, a server or a network.
  - 31. The method of claim 1, wherein the establishing of the client identifier and the session identifier includes generating the client identifier and the session identifier to be transparent to only the user access point and the security system.

15. A computer system comprising;
- a microprocessor; and
  
  a computer readable medium executing on the microprocessor and including computer program instructions which cause a security device to implement a method of providing individual, physical access to each of a plurality of protected physical resources, the security device being physically intermediate to a user access point and the plurality of protected physical resources on a network, the method comprising the steps of;
  
  determining, by the security device, whether a user is authenticated to connect to an individual one or individual ones of the plurality of protected physical resources to establish physical access by the user to the individual one or individual ones of the plurality of protected resources on the network;
  
  establishing a client identifier and a session identifier, transparent to the user access point and the security system, to enable a session for establishing a connection between the user access point and the individual one or individual ones of the plurality of protected physical resources, if the user is authenticated by the security device for physical access to the individual one or individual ones of the plurality of protected physical resources;
  
  changing the session identifier each time the user completes an interaction during the session, each changed session identifier being derived from a user identifier corresponding to the authenticated user;
  
  determining, by the security device, whether the session identifier received with the interaction is derived from the user identifier and whether the received session identifier and the user identifier correlate to data included in a data source accessible by the security device, as the session identifier is changed;
  
  providing, by the security device, the user physical access to the individual one or individual ones of the protected physical resources by establishing the connection therebetween if the received session identifier is associated with the user identifier and the received session identifier and the associated user identifier correlate to the data included in the data source; and
  
  terminating the connection between the user and the individual one or individual ones of the protected physical resources by disabling the connection therebetween, if the received session identifier is not derived from the user identifier or the received session identifier and the associated user identifier do not correlate to the data included in the data source.
- View Dependent Claims (16, 17)
- - 16. The computer system of claim 15 wherein the method further comprises the steps of:
    - calculating the time elapsed after each interaction of the user during the session; and
      
      terminating the session upon the calculated time exceeding a predetermined value.
  - 17. The computer system of claim 15 wherein the security device is selected from the group consisting of a personal computer, a mainframe computer, a computer server system, a computer network, a PDA, and a microprocessor based appliance.

18. A physical computer readable storage medium storing computer program instructions which cause a computer to implement a method of providing individual, physical access to each of a plurality of protected physical resources using a security device physically intermediate to a user access point and the plurality of protected physical resources on a network, the method comprising the steps of:
- determining, by the security device, whether a user is authenticated to connect to an individual one or individual ones of the plurality of protected physical resources to establish physical access by the user to the individual one or individual ones of the plurality of protected resources on the network;
  
  establishing a client identifier and a session identifier, transparent to the user access point and the security system, to enable a session for establishing a connection between the user access point and the individual one or individual ones of the plurality of protected physical resources, if the user is authenticated by the security device for physical access to the individual one or individual ones of the plurality of protected physical resources;
  
  changing the session identifier each time the user completes an interaction during the session, each changed session identifier being derived from a user identifier corresponding to the authenticated user;
  
  determining, by the security device, whether the session identifier received with the interaction is derived from the user identifier and whether the received session identifier and the user identifier correlate to data included in a data source accessible by the security device, as the session identifier is changed;
  
  providing, by the security device, the user physical access to the individual one or individual ones of the resources by establishing the connection therebetween if the received session identifier is associated with the user identifier and the received session identifier and the associated user identifier correlate to the data included in the data source; and
  
  terminating the connection between the user and the individual one or individual ones of the resources by disabling the connection therebetween, if the received session identifier is not derived from the user identifier or the received session identifier and the associated user identifier do not correlate to the data included in the data source.
- View Dependent Claims (19, 20)
- - 19. The computer readable storage medium of claim 18 wherein the method further comprises the steps of:
    - calculating the time elapsed after each interaction of the user during the session; and
      
      terminating the session upon the calculated time exceeding a predetermined value.
  - 20. The computer readable storage medium of claim 18 wherein the physical computer readable medium is selected from the group consisting of a packaged silicon device, a solid state memory, an optical disc, and a magnetic disc.

22. A method of providing access to an authenticated user of a client device using a server device that is intermediate to the client device and a plurality of protected resources, the client and server devices, each using multi-layer security including a firewall layer, a security system layer and an application layer, said method comprising the steps of:
- establishing the server device physically intermediate to a client device and the plurality of protected physical resources on a network;
  
  authenticating, by the security system layer of the server device, a user request to connect to an individual one or individual ones of the plurality of protected physical resources on the network to establish physical access by a user to the individual one or individual ones of the plurality of protected resources on the network;
  
  establishing a client identifier and a session identifier, transparent to the client device and the security system, to enable a session and to establish a connection between the client device and the individual one or individual ones of the plurality of protected physical resources;
  
  verifying, by the firewall layer of the server device, that the session identifier is derived from a user identifier associated with the authenticated user;
  
  determining, by the firewall layer of the server device, whether the user request is authorized to physically access the individual one or individual ones of the plurality of protected physical resources, if the session identifier is verified in the verifying step;
  
  establishing physical access to the individual one or individual ones of the protected physical resources by the user by establishing the connection therebetween, if the user request is authorized in the determining step;
  
  communicating, by the user via the application layer of the server device different from the system security and firewall layers, with the individual one or individual ones of the plurality of protected physical resources after the physical access is established in the establishing physical access step; and
  
  changing, by the system security layer of the server device, the session identifier responsive to predetermined interactions during a session.

32. A method of providing individual physical access to a plurality of protected physical resources on a network using a multi-layer protocol including an application layer and one or more layers beneath the application layer, said method comprising the steps of:
- establishing a security system physically intermediate to a user access point and the plurality of protected physical resources on the network for connecting the user access point to an individual one or individual ones of the protected physical resources via the security system;
  
  for each interaction between a user and the security system,determining, at one of the layers beneath the application layer by the security system, whether the user is authenticated for physical access to an individual one or individual ones of the plurality of protected physical resources on the network;
  
  generating and sending a single use token different from a previously sent single use token to the user access point from the security system, the single use token including a client identifier and a session identifier, transparent to the user access point and the security system, such that the user has physical access to connect the user access point to the individual one or individual ones of the plurality of protected physical resources, if the user is authenticated by the security system to access the individual one or individual ones of the plurality of protected resources;
  
  determining, at the one of the layers beneath the application layer by the security system, whether the session identifier in the single use token received from the user access point is authenticated by the security system, as the session identifier is changed;
  
  providing, by the security system, physical access to the individual one or individual ones of the plurality of protected physical resources if the received session identifier corresponding to a respective interaction is associated with the user identifier and the received session identifier and the associated user identifier correlate to the data included in the data source; and
  
  terminating the physical access, when any one of the received session identifiers associated with one of the interactions by the user is not derived from the user identifier or the received session identifier and the associated user identifier do not correlate to the data included in the data source.
- View Dependent Claims (33)
- - 33. The method of claim 32, further comprising:
    - executing, on a client system, a client application to process interactions between the user and the security system without using a web browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Applied Identity, Incorporated (Cloud Software Group)
Inventors
Pollutro, Dennis Vance, Almquist, Andrew
Primary Examiner(s)
KIM, JUNG W

Application Number

US10/423,444
Publication Number

US 20040006710A1
Time in Patent Office

2,447 Days
Field of Search

None
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

H04L 63/067   using one-time keys cryptog...

H04L 63/0838   using one-time-passwords

Computer security system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links