Virtual distributed security system
First Claim
1. In a distributed computing system environment that includes a plurality of computing devices that each comprise a processor and system memory, a method of transmitting a message within a generic security framework, wherein the generic security framework is architecture, transport, and cryptographic technology independent, the method comprising:
- receiving from a first entity a message addressed to a second entity, wherein the message is transported with a first transport and formatted in accordance with a first cryptographic technology;
- determining that the message is to be transmitted to the second entity;
- a processor identifying a second transport and a second cryptographic technology required by the second entity from a modular security policy, wherein the modular security policy:
  - establishes security rules and procedures of the generic security framework;
  - implements a security policy of the generic security framework with one or more protocols and transports; and
  - describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to use of transports and cryptographic technologies by the first and second entities and which are written in a security policy language as selectable, deployable and combinable security modules, thereby enabling the modular security components to be negotiated, partitioned and modified, rather than being hard-coded, and which include:
    - an identity component for authenticating a principal and providing authoritative proof of identity;
    - an admission component for mapping external credentials to internal credentials;
    - a permission component for pre-fetching rights, capabilities and access control information; and
    - a store component for storing, retrieving, encrypting, and managing credentials; and
- transmitting the message to the second entity using the transport and cryptographic technology required by the second entity.
Abstract
A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
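The abstract and claim 1 describe a relay that accepts a message protected with one transport and cryptographic technology, consults a modular policy made of identity, admission, permission and store components, and re-protects the message for whatever the recipient requires. The following Python model is an added illustration, not code from the patent or its assignee: the two "cryptographic technologies" are HMACs over different hash functions, the two "transports" are in-memory queues, and the policy is plain Python data standing in for the claimed security policy language. All entity names, keys and policy entries are constructed.

```python
"""Toy policy-driven security relay modelled on the claimed method (constructed example)."""
import hashlib
import hmac
import json


class HmacTechnology:
    """One 'cryptographic technology' module: authenticates a serialized body with an HMAC."""

    def __init__(self, name, digestmod):
        self.name = name
        self.digestmod = digestmod

    def protect(self, key, body):
        return hmac.new(key, body, self.digestmod).hexdigest()

    def verify(self, key, body, tag):
        return hmac.compare_digest(self.protect(key, body), tag)


class QueueTransport:
    """One 'transport' module: an in-memory queue standing in for HTTP, AMQP, etc."""

    def __init__(self, name):
        self.name = name
        self.queue = []

    def send(self, envelope):
        self.queue.append(envelope)


class CredentialStore:
    """Store component: holds per-principal keys (constructed sample keys, not real secrets)."""

    def __init__(self, keys):
        self._keys = keys

    def key_for(self, principal):
        return self._keys[principal]


class PolicyError(Exception):
    """Raised when any modular component refuses the message."""


TECHNOLOGIES = {
    "hmac-sha256": HmacTechnology("hmac-sha256", hashlib.sha256),
    "hmac-sha512": HmacTechnology("hmac-sha512", hashlib.sha512),
}
TRANSPORTS = {"http": QueueTransport("http"), "amqp": QueueTransport("amqp")}
STORE = CredentialStore({
    "alice@partner.example": b"constructed-partner-key",   # shared with the external sender
    "billing": b"constructed-billing-key",                 # shared between relay and recipient
})

# Modular policy expressed as data rather than hard-coded logic (hypothetical structure).
POLICY = {
    "identity": {"alice@partner.example": "hmac-sha256"},   # technology each external principal uses
    "admission": {"alice@partner.example": "usr:1042"},     # external credential -> internal credential
    "permission": {"usr:1042": {"send:billing"}},           # pre-fetched rights per internal principal
    "entities": {"billing": {"transport": "amqp", "technology": "hmac-sha512"}},
}


def canonical(body):
    """Deterministic serialization so sender and relay authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def relay(envelope, policy=POLICY, store=STORE):
    """Receive on the first transport/technology and re-protect for the recipient's second one."""
    sender, recipient = envelope["from"], envelope["to"]
    in_tech = TECHNOLOGIES[envelope["technology"]]
    # Identity component: the sender must use the technology the policy assigns and prove the key.
    if policy["identity"].get(sender) != in_tech.name:
        raise PolicyError("technology not permitted for sender")
    if not in_tech.verify(store.key_for(sender), canonical(envelope["body"]), envelope["tag"]):
        raise PolicyError("authentication failed")
    # Admission component: external credential -> internal credential.
    internal = policy["admission"].get(sender)
    if internal is None:
        raise PolicyError("no admission mapping")
    # Permission component: rights were pre-fetched into the policy.
    if f"send:{recipient}" not in policy["permission"].get(internal, set()):
        raise PolicyError("not authorised")
    # Identify the second transport and technology the recipient requires, then transmit.
    required = policy["entities"][recipient]
    out_tech, out_transport = TECHNOLOGIES[required["technology"]], TRANSPORTS[required["transport"]]
    delivered = {"from": internal, "to": recipient, "transport": out_transport.name,
                 "technology": out_tech.name, "body": envelope["body"],
                 "tag": out_tech.protect(store.key_for(recipient), canonical(envelope["body"]))}
    out_transport.send(delivered)
    return delivered


def make_envelope(sender, recipient, transport, technology, body, store=STORE):
    """Sending side: protect the body with the sender's own technology and key."""
    tag = TECHNOLOGIES[technology].protect(store.key_for(sender), canonical(body))
    return {"from": sender, "to": recipient, "transport": transport,
            "technology": technology, "body": body, "tag": tag}


def outcome(envelope):
    """Return 'delivered' or the reason a component rejected the message."""
    try:
        relay(envelope)
        return "delivered"
    except PolicyError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    env = make_envelope("alice@partner.example", "billing", "http", "hmac-sha256", {"invoice": 17})
    print(outcome(env), relay(env)["transport"], relay(env)["technology"])
```

The sender never needs to know which transport or technology the recipient requires; swapping the recipient to a different technology is a one-line policy change rather than a code change, which is the flexibility the abstract claims. Rejections from each component are distinguishable, which is what a detection pipeline would want to log.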
20 Claims
1. Independent claim 1 is reproduced above under First Claim; claims 2 through 10 depend on it.
11. A computer program product for use at a computer system, the computer program product for implementing a method for transmitting a message within a generic security framework, wherein the generic security framework is architecture, transport, and cryptographic technology independent, the computer program product comprising one or more computer-readable storage devices having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- receive from a first entity a message addressed to a second entity, wherein the message is transported with a first transport and formatted in accordance with a first cryptographic technology;
- determine that the message is to be transmitted to the second entity;
- identify a second transport and a second cryptographic technology required by the second entity from a modular security policy, wherein the modular security policy:
  - establishes security rules and procedures of the generic security framework;
  - implements a security policy of the generic security framework with one or more protocols and transports; and
  - describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to use of transports and cryptographic technologies by the first and second entities and which are written in a security policy language as selectable, deployable and combinable security modules, thereby enabling the modular security components to be negotiated, partitioned and modified, rather than being hard-coded, and which include:
    - an identity component for authenticating a principal and providing authoritative proof of identity;
    - an admission component for mapping external credentials to internal credentials;
    - a permission component for pre-fetching rights, capabilities and access control information; and
    - a store component for storing, retrieving, encrypting, and managing credentials; and
- transmit the message to the second entity using the transport and cryptographic technology required by the second entity.

Claims 12 through 19 depend on claim 11.
20. A computer system, the computer system comprising:
- one or more processors;
- system memory; and
- one or more computer-readable storage media having stored thereon computer-executable instructions representing a virtual distributed security system, wherein the virtual distributed security system is configured to:
  - receive from a first entity a message addressed to a second entity, wherein the message is transported with a first transport and formatted in accordance with a first cryptographic technology;
  - determine that the message is to be transmitted to the second entity;
  - identify a second transport and a second cryptographic technology required by the second entity from a modular security policy, wherein the modular security policy:
    - establishes security rules and procedures of a generic security framework;
    - implements a security policy of the generic security framework with one or more protocols and transports; and
    - describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to use of transports and cryptographic technologies by the first and second entities and which are written in a security policy language as selectable, deployable and combinable security modules, thereby enabling the modular security components to be negotiated, partitioned and modified, rather than being hard-coded, and which include:
      - an identity component for authenticating a principal and providing authoritative proof of identity;
      - an admission component for mapping external credentials to internal credentials;
      - a permission component for pre-fetching rights, capabilities and access control information; and
      - a store component for storing, retrieving, encrypting, and managing credentials; and
  - transmit the message to the second entity using the transport and cryptographic technology required by the second entity.