Enterprise security system

US 7,788,700 B1
Filed: 05/15/2003
Issued: 08/31/2010
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method of providing one time authentication to a distributed computing environment using any known authentication mechanism and assigning a level of trust to the authentication mechanism used, wherein authentication is separated from authorization, allowing authorization to be based on said level of trust to secure communications within said environment, and wherein said environment includes at least one originating entity and at least one target entity and one or more trusted third party servers, said one or more third party servers evaluating said authentication mechanism used by said originating entity and assigning a level of trust calculated by the confidence it has in the authentication mechanism used, wherein said level of trust can be used to dynamically change access within said environment, said entity selected from the group consisting of uniquely identifiable computer services on a computer, uniquely identifiable computers on a computer network, uniquely identifiable BIOS residing in a computer, uniquely identifiable computer chips residing in a computer, uniquely identifiable devices attached to a computer, uniquely identifiable devices capable of independent communication on a computer network, uniquely identifiable operating systems running on a computer, uniquely identifiable applications running on a computer, uniquely identifiable instances of an application running on a computer, uniquely identifiable business processes running on a computer, uniquely identifiable instances of a business process running on a computer, and uniquely identifiable persons, said method including the steps of:

a. authenticating the identity of said originating entity using one of a predetermined plurality of known authentication mechanisms, said mechanism being separately evaluated and assigned a level of trust by said server, said authentication of identity being limited in use to authentication only, and wherein not all of the predetermined plurality of authentication mechanisms are trusted at a same level of trust other than untrusted;

a1. evaluating via said server how secure is said authentication mechanism used by said now authenticated originating entity;

a2. calculating the confidence said server has in the instance of the authentication mechanism used;

a3. assigning a level of trust that will be associated with said confidence;

a4. dynamically calculating using said level of trust what authorization, access and information can be granted to said originating entity regarding said target entity;

b. transmitting a response, from said server to said originating entity regardless of the authentication mechanism used, containing a first binding element composed of at least a random number encrypted using a key derived from a secret stored by the said server about the originating entity and its request to access said target entity, and a trust level indicating the level of confidence said server has associated with said originating entity'"'"'s authentication mechanism instance;

c. transmitting a second request that changes and transforms said response containing a first binding element by using knowledge of the same secret of itself, from said originating entity regardless of the authentication mechanism it has used, to said server, thereby requesting a second binding element from said server;

d. transmitting a second response containing said second binding element including a randomly generated unique signature regarding said originating entity and its request to access said target entity to be used by said target entity, from said server to said originating entity;

e. transmitting said second response containing said second binding element, from said originating entity to said target entity;

f. transmitting a response from said target entity to said originating entity indicating access acceptance of said originating entity by said target entity; and

g. creating a secure communication link between said target entity and said originating entity based on said evaluations, assignments and calculations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a platform of software which is a single, customizable, complete distributed computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within a distributed computing environment.

78 Citations

View as Search Results

20 Claims

1. A method of providing one time authentication to a distributed computing environment using any known authentication mechanism and assigning a level of trust to the authentication mechanism used, wherein authentication is separated from authorization, allowing authorization to be based on said level of trust to secure communications within said environment, and wherein said environment includes at least one originating entity and at least one target entity and one or more trusted third party servers, said one or more third party servers evaluating said authentication mechanism used by said originating entity and assigning a level of trust calculated by the confidence it has in the authentication mechanism used, wherein said level of trust can be used to dynamically change access within said environment, said entity selected from the group consisting of uniquely identifiable computer services on a computer, uniquely identifiable computers on a computer network, uniquely identifiable BIOS residing in a computer, uniquely identifiable computer chips residing in a computer, uniquely identifiable devices attached to a computer, uniquely identifiable devices capable of independent communication on a computer network, uniquely identifiable operating systems running on a computer, uniquely identifiable applications running on a computer, uniquely identifiable instances of an application running on a computer, uniquely identifiable business processes running on a computer, uniquely identifiable instances of a business process running on a computer, and uniquely identifiable persons, said method including the steps of:
- a. authenticating the identity of said originating entity using one of a predetermined plurality of known authentication mechanisms, said mechanism being separately evaluated and assigned a level of trust by said server, said authentication of identity being limited in use to authentication only, and wherein not all of the predetermined plurality of authentication mechanisms are trusted at a same level of trust other than untrusted;
  
  a1. evaluating via said server how secure is said authentication mechanism used by said now authenticated originating entity;
  
  a2. calculating the confidence said server has in the instance of the authentication mechanism used;
  
  a3. assigning a level of trust that will be associated with said confidence;
  
  a4. dynamically calculating using said level of trust what authorization, access and information can be granted to said originating entity regarding said target entity;
  
  b. transmitting a response, from said server to said originating entity regardless of the authentication mechanism used, containing a first binding element composed of at least a random number encrypted using a key derived from a secret stored by the said server about the originating entity and its request to access said target entity, and a trust level indicating the level of confidence said server has associated with said originating entity'"'"'s authentication mechanism instance;
  
  c. transmitting a second request that changes and transforms said response containing a first binding element by using knowledge of the same secret of itself, from said originating entity regardless of the authentication mechanism it has used, to said server, thereby requesting a second binding element from said server;
  
  d. transmitting a second response containing said second binding element including a randomly generated unique signature regarding said originating entity and its request to access said target entity to be used by said target entity, from said server to said originating entity;
  
  e. transmitting said second response containing said second binding element, from said originating entity to said target entity;
  
  f. transmitting a response from said target entity to said originating entity indicating access acceptance of said originating entity by said target entity; and
  
  g. creating a secure communication link between said target entity and said originating entity based on said evaluations, assignments and calculations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as set forth in claim 1, further including the step of creating a secure communication link between said server and said originating entity based on said evaluations, assignments and calculations.
  - 3. The method as set forth in claim 2, further including the step of creating a secure communication link between said target entity and said server based on said evaluations, assignments and calculations.
  - 4. The method set forth in claim 3 further including the steps of:
    - a. providing an event recorder, where said event recorder is authenticated and authorized-based on said evaluations, assignments and calculations;
      
      b. transmitting chosen events from within said secure communication link between said originating entity and said target entity, said entities authenticated and authorized to access said event recorder based on said evaluations, assignments and calculations to said event recorder;
      
      c. transmitting chosen events from said originating entity to said event recorder; and
      
      d. transmitting chosen events from said target entity to said event recorder.
  - 5. The method as set forth in claim 4, further including at least one step of:
    - a. transmitting chosen events from within said secure communication link between said originating entity, authenticated and authorized based on said evaluations, assignments and calculations, and said server to said event recorder; and
      
      b. transmitting chosen events from within inner workings of said secure communication link between said target entity, authenticated and authorized based on said evaluations, assignments and calculations and said server to said event recorder.
  - 6. The method as set forth in claim 5, further including the steps of:
    - a. monitoring said chosen events for pre-selected types of activities; and
      
      b. reporting said events to any said entity authenticated and authorized to receive said events, based on said evaluations, assignments and calculations.
  - 7. The method set forth in claim 1, further including objects wished to be held in secure storage associated with said originating entity, said objects selected from the group consisting of authentication, authorization, permission, name/value, credential, client specific, group, group information, group membership, personalization, legacy system access, role based authorization control, and other objects wished to be private, and including the steps of:
    - a. storing in said server one or more objects associated with said originating entity, each requiring a sufficient level of trust for assignment;
      
      b. sending a request from said target entity to said server for one or more objects regarding said originating entity, which has been authenticated and whose authentication mechanism instance has been assigned a level of trust, from said server;
      
      c. selecting from said secure storage, utilizing said level of trust that said server has established for said originating entity'"'"'s authentication mechanism instance, one or more of said objects associated with said originating entity and only retrieving said objects that do not exceed said level of trust;
      
      d. transmitting said selected objects from server to said target entity; and
      
      e. utilizing said selected objects to establish the level of authorization granted to said originating entity regarding said target entity.
  - 8. The method set forth in claim 5, further including the steps of:
    - a. providing a method to monitor the operational characteristics of all links said server has participated in establishing;
      
      b. monitoring all communications between said server, said originating entity and said target entity;
      
      c. recognizing abnormal characteristics and communications within said communications; and
      
      d. reporting of said abnormal characteristics and communications to the event recorder, using said established secure communication link to said event recorder without participating entities being aware that reporting is taking place.
  - 9. The method set forth in claim 1, further including the step of assigning a time stamp and a nonce value to all communications between said server, said originating entity and said target entity.

10. In a distributed computing environment, apparatus for providing one time authentication using any known authentication means and assigning a level of trust to the authentication means used, wherein authentication is separated from authorization, allowing authorization to be based on said level of trust to secure communications within said environment, and wherein said environment includes at least one originating entity and at least one target entity and one or more trusted third party servers, said one or more third party servers evaluating said authentication means used by said originating entity and assigning a level of trust calculated by the confidence it has in the authentication means used, wherein said level of trust can be used to dynamically change access within said environment, said entity selected from the group consisting of uniquely identifiable computer services on a computer, uniquely identifiable computers on a computer network, uniquely identifiable BIOS residing in a computer, uniquely identifiable computer chips residing in a computer, uniquely identifiable devices attached to a computer, uniquely identifiable devices capable of independent communication on a computer network, uniquely identifiable operating systems running on a computer, uniquely identifiable applications running on a computer, uniquely identifiable instances of an application running on a computer, uniquely identifiable business processes running on a computer, uniquely identifiable instances of a business process running on a computer, and uniquely identifiable persons, said apparatus including:
- a. a server, where said server is a trusted third party that evaluates said authentication means used by an originating entity and assigns a level of trust calculated by the confidence it has in the authentication means used by said originating entity, wherein said level of trust is used to dynamically change access within said environment, and wherein not all authentication means are trusted at a same level of trust other than untrusted;
  
  b. means to connect said server to a target entity;
  
  c. authentication means to verify the identity of said originating entity using any known authentication means, said means to be separately evaluated and assigned a level of trust by said server, said authentication of identity to be limited in use to authentication only;
  
  c1. means to evaluate how secure is the authentication means used by said now authenticated originating entity;
  
  c2. means to calculate the confidence said server has in the authentication means used by said originating entity;
  
  c3. means to assign a level of trust that will be associated with said confidence;
  
  c4. means to dynamically calculate using said level of trust, what authorization, access and information can be granted to said originating entity regarding said target entity;
  
  d. a first binding element, said first binding element including a randomly generated unique signature encrypted using a key derived from a secret stored by said server about the originating entity and its request to access said target entity, and a trust level indicating the level of confidence said server has associated with said originating entity'"'"'s authentication means instance regardless of the authentication means it has used;
  
  e. means to transfer said response containing first binding element from said server to said originating entity upon proper verification of said identity of said originating entity regardless of the authentication means it has used;
  
  f. a second binding element including information regarding access of said target entity by said originating entity, originating in said server and used to establish communication between said originating entity and said target entity, said response containing second binding element including a randomly generated unique signature regarding said originating entity and its request to access said target entity to be used by said target entity, and proof of said originating entity'"'"'s authentication means instance regardless of the authentication means it has used;
  
  g. means to transfer said second response containing second binding element to said originating entity; and
  
  h. means to transmit said second response containing second binding element from said originating entity to said target entity.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The apparatus of claim 10, further including objects wished to be held in secure storage related to one or more of said originating entity and said target entity, said objects requiring a sufficient level of trust for assignment, said objects selected from the group consisting of authentication, authorization, permission, name/value, credential, client specific, group, group information, group membership, personalization, policy related to at least one portion of said environment, legacy system access, remote, role based authorization control, and other objects wished to be private, and said objects to be stored securely where said objects are not accessible except using the apparatus, said objects stored in said server.
  - 12. The apparatus of claim 11, further including means for said target entity to request at least some of said objects from said server where said target entity is utilizing said server acting as a trusted third party to determine information about said originating entity, said server utilizing level of trust assigned to said originating entity requesting access to said target entity.
  - 13. The apparatus of claim 10, wherein said authentication means to verify the identity of said originating entity comprises means to use a secret key encryption algorithm.
  - 14. The apparatus of claim 10, wherein said authentication means to verify the identity of said originating entity comprises means to use a password.
  - 15. The apparatus of claim 10, wherein said authentication means to verify the identity of said originating entity comprises means to use a private key/public key combination associated with a public key certificate.
  - 16. The apparatus of claim 10, further including means for encrypting all communications between said originating entity, said server acting as a trusted third party, and said target entity, regardless of the authentication means said entities have used.
  - 17. The apparatus of claim 11, wherein said first binding element includes personalization information for said originating entity, whether level of trust assigned to said originating entity is sufficient for accessing the services of said target entity, and to what class or groups said originating entity belongs, wherein said personalization information is stored in one of said objects.
  - 18. The apparatus of claim 10, further including a channel listener attached to said target entity, to detect the presence of said request containing first binding element from an originating entity.
  - 19. The apparatus of claim 10, further including an event recorder where access to the event recorder is authenticated and authorized using said trust level to record all communications between said originating entity, said server, and said target entity, where all sources of information to said recorder are also authenticated and authorized using said apparatus, and said event recorder also records any instances of eavesdropping or security breaches without participating entities being aware reporting is taking place.
  - 20. The apparatus of claim 19, further including a means to monitor operational characteristics of all links said server has participated in establishing from within the link itself, and reporting abnormal activity within said environment to said event recorder without participating entities being aware reporting is taking place.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gerard A. Gagliano
Original Assignee
Gerard A. Gagliano
Inventors
Feezel, Richard M., Gagliano, Gerard A.
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Fields; Courtney D

Application Number

US10/439,114
Time in Patent Office

2,665 Days
Field of Search

726/2, 726/27, 713/168, 713/175
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

H04L 2209/56   Financial cryptography, e.g...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/321   involving a third party or ...

H04L 9/3218   using proof of knowledge, e...

Enterprise security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

78 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links