Network layer claims based access control

US 9,344,432 B2
Filed: 06/24/2010
Issued: 05/17/2016
Est. Priority Date: 06/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method for use in a system comprising a computer configured to communicate with a network resource via at least one network, the at least one network employing a network layer security protocol, the method comprising:

receiving from the computer a request for one or more requester claims;

providing the one or more requester claims to the computer in a first communication formatted to comply with the network layer security protocol, at least one of the one or more requester claims comprises attributes of one or more of the computer, the user of the computer, a context in which access by the computer to the network resource is requested, and an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of a user of the computer;

receiving from the network resource a request for one or more resource claims, at least one of the resource claims comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;

providing the one or more resource claims to the network resource in a second communication formatted to comply with the network layer security protocol;

receiving a request for an access control policy decision, the request for the access control policy decision providing information included in the one or more requester claims and the one or more resource claims; and

issuing the requested access control policy decision based at least in part on the provided information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide techniques for basing access control decisions at the network layer at least in part on information provided in claims, which may describe attributes of a computer requesting access, one or more resources to which access is requested, the user, the circumstances surrounding the requested access, and/or other information. The information may be evaluated based on one or more access control policies, which may be pre-set or dynamically generated, and used in making a decision whether to grant or deny the computer access to the specified resource(s).

Citations

20 Claims

1. A method for use in a system comprising a computer configured to communicate with a network resource via at least one network, the at least one network employing a network layer security protocol, the method comprising:
- receiving from the computer a request for one or more requester claims;
  
  providing the one or more requester claims to the computer in a first communication formatted to comply with the network layer security protocol, at least one of the one or more requester claims comprises attributes of one or more of the computer, the user of the computer, a context in which access by the computer to the network resource is requested, and an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of a user of the computer;
  
  receiving from the network resource a request for one or more resource claims, at least one of the resource claims comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
  
  providing the one or more resource claims to the network resource in a second communication formatted to comply with the network layer security protocol;
  
  receiving a request for an access control policy decision, the request for the access control policy decision providing information included in the one or more requester claims and the one or more resource claims; and
  
  issuing the requested access control policy decision based at least in part on the provided information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The method of claim 1, wherein receiving from the computer the request for one or more requester claims comprises receiving the request for one or more requester claims at a plurality of claim providers.
  - 3. The method of claim 2, wherein receiving from the network resource the request for one or more resource claims comprises receiving the request for one or more resource claims at the same plurality of claim providers at which the request for one or more requester claims is received.
  - 4. The method of claim 1, wherein receiving the request for the access control policy decision comprises receiving the request for the access control policy decision from the network resource.
  - 5. The method of claim 1, wherein issuing the requested access control policy decision comprises accessing a static repository of policies and issuing the access control policy decision based at least in part on an evaluation of a policy retrieved from the static repository and the information received in the request for the access control policy decision.
  - 6. The method of claim 1, wherein receiving from the computer the request for one or more requester claims comprises receiving the request from a client application executing on the computer.
  - 7. The method of claim 1, wherein the network layer security protocol is lPsec employing an AuthlP extension to enable use of a Keberos protocol.
  - 20. The method of claim 1, wherein the one or more resource claims describe attributes of one or more of an organization to which the network resource is affiliated, an owner of the network resource, and a stage of deployment of the network resource.

8. At least one computer-storage device having instructions stored thereon comprising:
- computer-executable instructions to receive first information associated with a computer requesting access to a network resource and included in a first communication formatted to comply with the network layer security protocol and comprises attributes associated with one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of the user of the computer;
  
  computer-executable instructions to receive second information associated with the network resource and included in a second communication formatted to comply with the network layer security protocol and comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
  
  computer-executable instructions to issue a decision to either grant or deny access by the computer to the network resource based at least in part on the first information and the second information.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The at least one computer-storage device of claim 8, wherein issuing the decision to either grant or deny access by the computer to the network resource comprises issuing the decision based also at least in part on a policy retrieved from a static repository.
  - 10. The at least one computer-storage device of claim 9, further comprising instructions defining:
    - computer-executable instructions to present an interface enabling a user to author a policy for storage in the static repository.
  - 11. The at least one computer-storage device of claim 9, wherein issuing the decision to either grant or deny access by the computer to the network resource is performed in response to request from the network resource for an access control policy decision.
  - 12. The at least one computer-storage device of claim 8, wherein receiving first information comprises receiving claims comprising the information relating to the computer, and receiving second information comprises receiving claims comprising the information relating to the network resource.

13. A system, comprising:
- a processing system comprising one or more processors, wherein the one or more processors are coupled to memory, configured to;
  
  receive from a computer a first request, included in a first communication formatted to comply with a network layer security protocol, for one or more requester claims, the first request comprises attributes of one or more of the computer, the user of the computer, a context in which access by the computer to the network resource is requested, and an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of a user of the computer;
  
  receive from the network resource a second request, included in a second communication formatted to comply with a network layer security protocol, for one or more resource claims, the second communication comprises attributes associated with at least whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
  
  receive a third request, included in a third communication formatted to comply with a network layer security protocol, for an access control policy decision, the third request providing information included in the one or more requester claims and the one or more resource claims; and
  
  issue the requested access control policy decision by the computer to the network resource based at least in part on the provided information.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising a plurality of claim providers to provide the one or more requester claims to the computer in response to the first request and the one or more resource claims to the network resource in response to the second request.
  - 15. The system of claim 13, wherein at least one of the one or more processor is arranged to create an Internet Key Exchange extension for transferring information from the computer to the network resource.
  - 16. The system of claim 14, further comprising at least one dynamic claim source operable to generate the one or more requester claims using information included in the first request, and the one or more resource claims using information included in the second request.
  - 17. The system of claim 13, further comprising a static repository in which is stored a plurality of policies, and wherein the at least one processor is programmed to access the static repository to retrieve a policy and issue the access control policy decision based also at least in part on the policy.
  - 18. The system of claim 13, further comprising the network resource to which the computer requests access.

19. A method for use in a system comprising a computer configured to communicate with a network resource via at least one network, the at least one network employing a network layer security protocol, the method comprising:
- receiving, from the computer, a request for first information associated with the computer;
  
  providing the first information to the computer in a first communication formatted to comply with the network layer security protocol, the first information comprises attributes associated with one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, an encryption strength of connection between the computer and the network resource, and an indication of whether the computer is associated with a home of the user of the computer;
  
  receiving from the network resource a request for second information associated with the network resource, the second information comprises attributes describing whether the resource has a high, medium, or low business impact, and whether or not the resource is at production stage;
  
  providing the first information to the network resource in a second communication formatted to comply with the network layer security protocol;
  
  receiving a request for an access control policy decision, the request for the access control policy decision providing information that is included in the first information and the second information; and
  
  issuing the requested access control policy decision based at least in part on the provided information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Tor, Yair, Rose, Daniel, Neystadt, Eugene (John), Schnell, Patrik, Sapir, Moshe, Ananiev, Oleg, Zavalkovsky, Arthur, Eyal, Anat
Primary Examiner(s)
Lagor, Alexander

Application Number

US12/822,724
Publication Number

US 20110321130A1
Time in Patent Office

2,154 Days
Field of Search

726 1- 7, 726 10- 15, 709223-226
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/164   at the network layer

Network layer claims based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network layer claims based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links