Method and system for certificate based alias detection
First Claim
Patent Images
1. A method of operating a distributed computer system having alias detection, comprising the steps of:
- A) storing, in a user account store of said computer system, identification information associated with each of a plurality of user accounts, said identification information for each said user account uniquely characterizing a computer user associated with said account;
B) storing a list of selected ones of said user accounts in an authorization store;
C) after steps (A) and (B), initiating execution of a computer system resources access program in response to a request on behalf of a first of said user accounts; and
D) after step (C), processing said request from said first user account for authorizing access to a computer system resource by performing the steps ofi) comparing said identification information stored in said user account store in association with said first user account and identification information associated with each of said user accounts of said list of selected user accounts, andii) executing said computer system access program if said compared identification information do not match, thereby indicating that said first user account is not an alias of any of said selected user accounts.
4 Assignments
0 Petitions
Accused Products
Abstract
A distributed computer system employs certificate based alias detection to ensure a policy of separation of duties. Biometric information is collected during computer user account creation that is converted to canonical form and digitized. This digitized canonical form, along with account data and authentication data, is included in the user'"'"'s account information. Authorization to execute any task is validated at the time a request is made by comparison of the digitized canonical forms of biometric data of the user completing the request with those of the user initiating the request.
424 Citations
27 Claims
-
1. A method of operating a distributed computer system having alias detection, comprising the steps of:
-
A) storing, in a user account store of said computer system, identification information associated with each of a plurality of user accounts, said identification information for each said user account uniquely characterizing a computer user associated with said account; B) storing a list of selected ones of said user accounts in an authorization store; C) after steps (A) and (B), initiating execution of a computer system resources access program in response to a request on behalf of a first of said user accounts; and D) after step (C), processing said request from said first user account for authorizing access to a computer system resource by performing the steps of i) comparing said identification information stored in said user account store in association with said first user account and identification information associated with each of said user accounts of said list of selected user accounts, and ii) executing said computer system access program if said compared identification information do not match, thereby indicating that said first user account is not an alias of any of said selected user accounts. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method of operating a distributed computer system having alias detection, comprising the steps of:
-
A) storing, in respective user accounts a user account store of said computer system identification information associated with each of a plurality of user accounts, said identification information for each said user account uniquely characterizing a computer user associated with said account; B) in response to a first request from a first user account, initiating execution of a stage of a selected transaction program having a plurality of stages; and C) processing a second request from a second user account for authorization of execution of a subsequent stage of said selected transaction program by performing the steps of i) comparing said identification information stored in said user account store for said first user account and said identification information stored in said user account store for said second user account, and ii) denying authorization to said second user account if said compared identification information do match, thereby indicating that said second user account is an alias of said first user account. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
-
-
18. A distributed computer system having alias detection, comprising:
-
A) a registry store of respective user accounts, said accounts containing identification information uniquely characterizing each of a plurality of computer users; B) a stored application transaction program having at least two stages requiring separate initiation requests for execution of said stages; C) means, responsive to a first user account transaction initiation request, for executing one stage of said application program; D) means, responsive to an approval of a second user account transaction initiation request, for executing a subsequent stage of said application program; and E) means for comparing identification information of said first and second user accounts in said store and providing said approval if said compared identification information do not match, thereby indicating that said second user account is not an alias of said first user account. - View Dependent Claims (19, 20, 21, 22, 23, 24)
-
-
25. A distributed computer system for implementing alias detection, comprising:
-
A) a store for a plurality of user accounts, said accounts containing digitally-signed account certificates including authentication information, digitized biometric information, and user account information uniquely characterizing, for each said user account, one of a plurality of computer users; B) a stored application transaction program having at least two stages requiring separate initiation requests for execution of said stages; C) means, responsive to a first user account transaction initiation request, for executing a first stage of said at least one application program; and D) means, responsive to a second user account transaction initiation request to execute a subsequent stage of said at least one application program, for comparing said authentication information and said digitized biometric information contained in said user certificate of said first and second user accounts in said store; and E) means for allowing execution of said subsequent stage of said at least one application program only if said compared authentication information and digitized biometric information do not match, and thus only if said second user account is not an alias of said first user account. - View Dependent Claims (26, 27)
-
Specification