Virtual distributed security system
First Claim
1. In a distributed computing system environment that includes a plurality of computing devices that each comprise a processor and system memory, a method of delegating security credentials within a generic security framework, wherein the generic security framework abstracts cryptographic technologies and license formats, the method comprising:
- receiving a first license from a first party wherein the first license is formatted with a first license format associated with the first party;
- determining that the first license is to be delegated to a second party;
- a processor identifying a second license format required by the second party from a modular security policy, wherein the modular security policy:
  - establishes security rules and procedures of the generic security framework;
  - implements a security policy of the generic security framework with one or more protocols and transports; and
  - describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include:
    - an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;
    - a permission component for pre-fetching rights, capabilities and access control information; and
    - a trust component for managing trust relationships and for specifying the extent to which a party is trusted;
- using the modular security policy to identify security rights corresponding to the use of the first license by the second party;
- re-issuing the first license to the second party as a re-issued license;
- using the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;
- signing the re-issued license with the first license, naming the first party as an issuing authority;
- providing the re-issued license to the second party in the second license format, which is distinguished from the first license format; and
- providing the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.
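As an added illustration that is not part of the patent or its claims, the following Python sketch walks through the delegation procedure of the claim above: a first license is re-issued to a second party in a different format, the re-issued license is signed by the holder of the first license and bound to it, and the second party verifies the whole chain. Assumptions not taken from the page: HMAC keys held in a trust store stand in for signature keys, and the `delegated_from` fingerprint, the `fmt-A`/`fmt-B` format names and the party names are constructed.

```python
import hashlib
import hmac
import json

# Added example, not the patent's code. Assumption: MAC keys in a trust store
# stand in for public-key signatures; a real deployment would use asymmetric keys.

def canon(body: dict) -> bytes:
    """Canonical encoding so issuer and verifier sign/verify identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, body: dict) -> str:
    return hmac.new(key, canon(body), hashlib.sha256).hexdigest()

def fingerprint(body: dict) -> str:
    return hashlib.sha256(canon(body)).hexdigest()

def issue(issuer: str, key: bytes, holder: str, rights, fmt: str, parent=None) -> dict:
    """Issue a license in format `fmt`; a re-issued license records its parent's fingerprint."""
    body = {"format": fmt, "issuer": issuer, "holder": holder, "rights": sorted(rights)}
    if parent is not None:
        body["delegated_from"] = fingerprint(parent["body"])
    return {"body": body, "sig": sign(key, body)}

def reissue(first: dict, first_party_key: bytes, second_party: str, rights, fmt: str) -> dict:
    """Permission component: the holder may delegate at most the rights it holds."""
    if not set(rights) <= set(first["body"]["rights"]):
        raise PermissionError("delegation exceeds the rights in the first license")
    return issue(first["body"]["holder"], first_party_key, second_party, rights, fmt, parent=first)

def verify_chain(reissued: dict, first: dict, trust: dict) -> bool:
    """Second party proves: first license genuine, re-issued license signed by the
    first license's holder, bound to it by fingerprint, and delegating no more than it grants."""
    fb, rb = first["body"], reissued["body"]
    for lic, body in ((first, fb), (reissued, rb)):
        key = trust.get(body["issuer"])  # trust component: which issuers do we accept?
        if key is None or not hmac.compare_digest(lic["sig"], sign(key, body)):
            return False
    return (rb["issuer"] == fb["holder"]
            and rb.get("delegated_from") == fingerprint(fb)
            and set(rb["rights"]) <= set(fb["rights"]))

# Constructed keys and licenses: root issues to alice in fmt-A, alice re-issues to bob in fmt-B.
TRUST = {"root": b"root-secret", "alice": b"alice-secret"}
FIRST = issue("root", TRUST["root"], "alice", ["read", "write"], "fmt-A")
REISSUED = reissue(FIRST, TRUST["alice"], "bob", ["read"], "fmt-B")
```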
Abstract
A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
20 Claims
12. A computer program product for use at a computer system, the computer program product for implementing a method of delegating security credentials within a generic security framework, wherein the generic security framework abstracts cryptographic technologies and license formats, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- receive a first license from a first party wherein the first license is formatted with a first license format associated with the first party;
- determine that the first license is to be delegated to a second party;
- identify a second license format required by the second party from a modular security policy, wherein the modular security policy:
  - establishes security rules and procedures of the generic security framework;
  - implements a security policy of the generic security framework with one or more protocols and transports; and
  - describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include:
    - an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;
    - a permission component for pre-fetching rights, capabilities and access control information; and
    - a trust component for managing trust relationships and for specifying the extent to which a party is trusted;
- use the modular security policy to identify security rights corresponding to the use of the first license by the second party;
- re-issue the first license to the second party as a re-issued license;
- use the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;
- sign the re-issued license with the first license, naming the first party as an issuing authority;
- provide the re-issued license to the second party in the second license format, which is distinguished from the first license format; and
- provide the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.
20. A computer system, the computer system comprising:
- one or more processors;
- system memory; and
- one or more computer-readable storage media having stored thereon computer-executable instructions representing a virtual distributed security system, wherein the virtual distributed security system is configured to:
  - receive a first license from a first party wherein the first license is formatted with a first license format associated with the first party;
  - determine that the first license is to be delegated to a second party;
  - identify a second license format required by the second party from a modular security policy, wherein the modular security policy:
    - establishes security rules and procedures of the generic security framework;
    - implements a security policy of the generic security framework with one or more protocols and transports; and
    - describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include:
      - an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;
      - a permission component for pre-fetching rights, capabilities and access control information; and
      - a trust component for managing trust relationships and for specifying the extent to which a party is trusted;
  - use the modular security policy to identify security rights corresponding to the use of the first license by the second party;
  - re-issue the first license to the second party as a re-issued license;
  - use the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;
  - sign the re-issued license with the first license, naming the first party as an issuing authority;
  - provide the re-issued license to the second party in the second license format, which is distinguished from the first license format; and
  - provide the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.