Enterprise security system
First Claim
1. A method of providing one time authentication to a distributed computing environment using any known authentication mechanism and assigning a level of trust to the authentication mechanism used, wherein authentication is separated from authorization, allowing authorization to be based on said level of trust to secure communications within said environment, and wherein said environment includes at least one originating entity and at least one target entity and one or more trusted third party servers, said one or more third party servers evaluating said authentication mechanism used by said originating entity and assigning a level of trust calculated by the confidence it has in the authentication mechanism used, wherein said level of trust can be used to dynamically change access within said environment, said entity selected from the group consisting of uniquely identifiable computer services on a computer, uniquely identifiable computers on a computer network, uniquely identifiable BIOS residing in a computer, uniquely identifiable computer chips residing in a computer, uniquely identifiable devices attached to a computer, uniquely identifiable devices capable of independent communication on a computer network, uniquely identifiable operating systems running on a computer, uniquely identifiable applications running on a computer, uniquely identifiable instances of an application running on a computer, uniquely identifiable business processes running on a computer, uniquely identifiable instances of a business process running on a computer, and uniquely identifiable persons, said method including the steps of:
- a. authenticating the identity of said originating entity using one of a predetermined plurality of known authentication mechanisms, said mechanism being separately evaluated and assigned a level of trust by said server, said authentication of identity being limited in use to authentication only, and wherein not all of the predetermined plurality of authentication mechanisms are trusted at a same level of trust other than untrusted;
- a1. evaluating via said server how secure is said authentication mechanism used by said now authenticated originating entity;
- a2. calculating the confidence said server has in the instance of the authentication mechanism used;
- a3. assigning a level of trust that will be associated with said confidence;
- a4. dynamically calculating using said level of trust what authorization, access and information can be granted to said originating entity regarding said target entity;
- b. transmitting a response, from said server to said originating entity regardless of the authentication mechanism used, containing a first binding element composed of at least a random number encrypted using a key derived from a secret stored by the said server about the originating entity and its request to access said target entity, and a trust level indicating the level of confidence said server has associated with said originating entity's authentication mechanism instance;
- c. transmitting a second request that changes and transforms said response containing a first binding element by using knowledge of the same secret of itself, from said originating entity regardless of the authentication mechanism it has used, to said server, thereby requesting a second binding element from said server;
- d. transmitting a second response containing said second binding element including a randomly generated unique signature regarding said originating entity and its request to access said target entity to be used by said target entity, from said server to said originating entity;
- e. transmitting said second response containing said second binding element, from said originating entity to said target entity;
- f. transmitting a response from said target entity to said originating entity indicating access acceptance of said originating entity by said target entity; and
- g. creating a secure communication link between said target entity and said originating entity based on said evaluations, assignments and calculations.
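The exchange of steps a through f, modelled as an added example in Python (not code from the patent or its assignee). The mechanism-to-trust table, the per-target minimum trust, the shared secrets and the use of XOR under a derived key as the "encryption" of the random number are all assumptions; the server-to-target key stands in for the server/target connection the claims presuppose.

```python
import hashlib
import hmac
import secrets

# Constructed policy (assumption, not from the patent): trust per mechanism (steps a1-a3), minimum trust per target (step a4).
TRUST_BY_MECHANISM = {"password": 1, "otp": 2, "smartcard": 3}
REQUIRED_TRUST = {"payroll": 3, "wiki": 1}
CLIENT_SECRETS = {"alice": b"alice-secret-shared-with-server"}   # constructed server<->originator secrets
TARGET_KEYS = {"payroll": b"payroll-key", "wiki": b"wiki-key"}   # constructed server<->target keys
PENDING = {}  # server-side state: (originator, target) -> (nonce, trust)

def derive_key(secret, originator, target):
    # Step b: key derived from the server-held secret about the originator and its request.
    return hashlib.sha256(b"|".join([secret, originator.encode(), target.encode()])).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def server_first_binding(originator, target, mechanism):
    # Steps a-b: identity comes from authentication; the trust level comes from the mechanism used.
    trust, nonce = TRUST_BY_MECHANISM.get(mechanism, 0), secrets.token_bytes(32)
    PENDING[(originator, target)] = (nonce, trust)
    return {"binding1": xor(nonce, derive_key(CLIENT_SECRETS[originator], originator, target)), "trust": trust}

def client_transform(secret, originator, target, response):
    # Step c: the originator recovers the nonce with the same secret and proves it did.
    nonce = xor(response["binding1"], derive_key(secret, originator, target))
    return hashlib.sha256(nonce).digest()

def server_second_binding(originator, target, transformed):
    # Step d: verify the transform, then let the trust level (step a4) decide authorization.
    nonce, trust = PENDING.pop((originator, target), (None, 0))
    if nonce is None or not hmac.compare_digest(transformed, hashlib.sha256(nonce).digest()):
        return None  # the transform did not prove knowledge of the secret
    if trust < REQUIRED_TRUST.get(target, 99):
        return None  # authenticated, but the mechanism used is not trusted enough for this target
    msg = f"{originator}|{target}|{trust}|{secrets.token_hex(16)}".encode()  # unique signature
    return {"msg": msg, "mac": hmac.new(TARGET_KEYS[target], msg, "sha256").digest()}

def target_accepts(target, binding2):
    # Steps e-f: the target verifies the server's MAC and that the element names it.
    if binding2 is None:
        return False
    mac = hmac.new(TARGET_KEYS[target], binding2["msg"], "sha256").digest()
    return hmac.compare_digest(mac, binding2["mac"]) and binding2["msg"].decode().split("|")[1] == target

def run(originator, secret, target, mechanism):
    r1 = server_first_binding(originator, target, mechanism)
    b2 = server_second_binding(originator, target, client_transform(secret, originator, target, r1))
    return target_accepts(target, b2)
```

The same identity reaches "payroll" with a smartcard but not with a password, which is the separation of authentication from trust-based authorization the claim describes.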
Abstract
The present invention is a software platform: a single, customizable, complete distributed-computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and to authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within the distributed computing environment.
78 Citations
20 Claims
10. In a distributed computing environment, apparatus for providing one time authentication using any known authentication means and assigning a level of trust to the authentication means used, wherein authentication is separated from authorization, allowing authorization to be based on said level of trust to secure communications within said environment, and wherein said environment includes at least one originating entity and at least one target entity and one or more trusted third party servers, said one or more third party servers evaluating said authentication means used by said originating entity and assigning a level of trust calculated by the confidence it has in the authentication means used, wherein said level of trust can be used to dynamically change access within said environment, said entity selected from the group consisting of uniquely identifiable computer services on a computer, uniquely identifiable computers on a computer network, uniquely identifiable BIOS residing in a computer, uniquely identifiable computer chips residing in a computer, uniquely identifiable devices attached to a computer, uniquely identifiable devices capable of independent communication on a computer network, uniquely identifiable operating systems running on a computer, uniquely identifiable applications running on a computer, uniquely identifiable instances of an application running on a computer, uniquely identifiable business processes running on a computer, uniquely identifiable instances of a business process running on a computer, and uniquely identifiable persons, said apparatus including:
- a. a server, where said server is a trusted third party that evaluates said authentication means used by an originating entity and assigns a level of trust calculated by the confidence it has in the authentication means used by said originating entity, wherein said level of trust is used to dynamically change access within said environment, and wherein not all authentication means are trusted at a same level of trust other than untrusted;
- b. means to connect said server to a target entity;
- c. authentication means to verify the identity of said originating entity using any known authentication means, said means to be separately evaluated and assigned a level of trust by said server, said authentication of identity to be limited in use to authentication only;
- c1. means to evaluate how secure is the authentication means used by said now authenticated originating entity;
- c2. means to calculate the confidence said server has in the authentication means used by said originating entity;
- c3. means to assign a level of trust that will be associated with said confidence;
- c4. means to dynamically calculate using said level of trust, what authorization, access and information can be granted to said originating entity regarding said target entity;
- d. a first binding element, said first binding element including a randomly generated unique signature encrypted using a key derived from a secret stored by said server about the originating entity and its request to access said target entity, and a trust level indicating the level of confidence said server has associated with said originating entity's authentication means instance regardless of the authentication means it has used;
- e. means to transfer said response containing first binding element from said server to said originating entity upon proper verification of said identity of said originating entity regardless of the authentication means it has used;
- f. a second binding element including information regarding access of said target entity by said originating entity, originating in said server and used to establish communication between said originating entity and said target entity, said response containing second binding element including a randomly generated unique signature regarding said originating entity and its request to access said target entity to be used by said target entity, and proof of said originating entity's authentication means instance regardless of the authentication means it has used;
- g. means to transfer said second response containing second binding element to said originating entity; and
- h. means to transmit said second response containing second binding element from said originating entity to said target entity.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
Specification