Virtual distributed security system

US 7,752,431 B2
Filed: 10/20/2005
Issued: 07/06/2010
Est. Priority Date: 10/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. In a distributed computing system environment that includes a plurality of computing devices that each comprise a processor and system memory, a method of delegating security credentials within a generic security framework, wherein the generic security framework abstracts cryptographic technologies and license formats, the method comprising:

receiving a first license from a first party wherein the first license is formatted with a first license format associated with the first party;

determining that the first license is to be delegated to a second party;

a processor identifying a second license format required by the second party from a modular security policy, wherein the modular security policy;

establishes security rules and procedures of the generic security framework;

implements a security policy of the generic security framework with one or more protocols and transports; and

describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include;

an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;

a permission component for pre-fetching rights, capabilities and access control information; and

a trust component for managing trust relationships and for specifying the extent to which a party is trusted;

using the modular security policy to identify security rights corresponding to the use of the first license by the second party;

re-issuing the first license to the second party as a re-issued license;

using the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;

signing the re-issued license with the first license, naming the first party as an issuing authority;

providing the re-issued license to the second party in the second license format, which is distinguished from the first license format; and

providing the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.

130 Citations

20 Claims

1. In a distributed computing system environment that includes a plurality of computing devices that each comprise a processor and system memory, a method of delegating security credentials within a generic security framework, wherein the generic security framework abstracts cryptographic technologies and license formats, the method comprising:
- receiving a first license from a first party wherein the first license is formatted with a first license format associated with the first party;
  
  determining that the first license is to be delegated to a second party;
  
  a processor identifying a second license format required by the second party from a modular security policy, wherein the modular security policy;
  
  establishes security rules and procedures of the generic security framework;
  
  implements a security policy of the generic security framework with one or more protocols and transports; and
  
  describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include;
  
  an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;
  
  a permission component for pre-fetching rights, capabilities and access control information; and
  
  a trust component for managing trust relationships and for specifying the extent to which a party is trusted;
  
  using the modular security policy to identify security rights corresponding to the use of the first license by the second party;
  
  re-issuing the first license to the second party as a re-issued license;
  
  using the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;
  
  signing the re-issued license with the first license, naming the first party as an issuing authority;
  
  providing the re-issued license to the second party in the second license format, which is distinguished from the first license format; and
  
  providing the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein:
    - the modular security policy identifies access rights of the security system.
  - 3. The method of claim 1, wherein:
    - the security policy language comprises the extensible markup language.
  - 4. The method of claim 1, wherein:
    - the modular security policy is configurable.
  - 5. The method of claim 1, wherein:
    - the security policy language comprises at least some logic-based components.
  - 6. The method of claim 1, wherein:
    - the security policy language comprises at least some rule-based components.
  - 7. The method of claim 1, wherein:
    - the security policy language comprises procedural components.
  - 8. The method of claim 1, wherein the modular security policy includes a revocation service.
  - 9. The method of claim 1, wherein the modular security policy includes a mapping of entities to rights.
  - 10. The method of claim 9, wherein the modular security policy further includes a mapping of entities to capabilities.
  - 11. The method of claim 1, wherein providing the re-issued license to the second party further comprises providing a session key to the second party wherein the session key is encrypted with a secret key which is shared among a plurality of parties, the parties all using the generic security framework.

12. A computer program product for use at a computer system, the computer program product for implementing a method of delegating security credentials within a generic security framework, wherein the generic security framework abstracts cryptographic technologies and license formats, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- receive a first license from a first party wherein the first license is formatted with a first license format associated with the first party;
  
  determine that the first license is to be delegated to a second party;
  
  identify a second license format required by the second party from a modular security policy, wherein the modular security policy;
  
  establishes security rules and procedures of the generic security framework;
  
  implements a security policy of the generic security framework with one or more protocols and transports; and
  
  describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include;
  
  an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;
  
  a permission component for pre-fetching rights, capabilities and access control information; and
  
  a trust component for managing trust relationships and for specifying the extent to which a party is trusted;
  
  use the modular security policy to identify security rights corresponding to the use of the first license by the second party;
  
  re-issue the first license to the second party as a re-issued license;
  
  use the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;
  
  sign the re-issued license with the first license, naming the first party as an issuing authority;
  
  provide the re-issued license to the second party in the second license format, which is distinguished from the first license format; and
  
  provide the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer program product of claim 12, wherein the modular security policy identifies access rights of the security system.
  - 14. The computer program product of claim 12, wherein the security policy language comprises the extensible markup language.
  - 15. The computer program product of claim 12, wherein the security policy language comprises one or more of logic-based components, rule-based components, and procedural components.
  - 16. The computer program product of claim 12, wherein the modular security policy includes a revocation service.
  - 17. The computer program product of claim 12, wherein the modular security includes a mapping selected from among the list of:
    - (a) a mapping of entities to rights and (b) a mapping of entities to capabilities.
  - 18. The computer program product of claim 12, wherein computer-executable instructions that, when executed at a processor, cause the computer system to provide the re-issued license to the second party further comprise computer-executable instructions that, when executed at a processor, cause the computer system to providing a session key to the second party wherein the session key is encrypted with a secret key which is shared among a plurality of parties, the parties all using the generic security framework.
  - 19. The computer program product of claim 12, wherein the modular security policy is configurable.

20. A computer system, the computer system comprising:
- one or more processors;
  
  system memory; and
  
  one or more computer-readable storage media having stored thereon computer-executable instructions representing a virtual distributed security system, wherein the virtual distributed security system is configured to;
  
  receive a first license from a first party wherein the first license is formatted with a first license format associated with the first party;
  
  determine that the first license is to be delegated to a second party;
  
  identify a second license format required by the second party from a modular security policy, wherein the modular security policy;
  
  establishes security rules and procedures of the generic security framework;
  
  implements a security policy of the generic security framework with one or more protocols and transports; and
  
  describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define security rights corresponding to use of the first license by the first and second parties and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the modular security components to be negotiated, partitioned and modified, rather than being hard-coded and which include;
  
  an admission component for mapping external credentials to internal credentials and for performing a re-issuance operation;
  
  a permission component for pre-fetching rights, capabilities and access control information; and
  
  a trust component for managing trust relationships and for specifying the extent to which a party is trusted;
  
  use the modular security policy to identify security rights corresponding to the use of the first license by the second party;
  
  re-issue the first license to the second party as a re-issued license;
  
  use the modular security policy to specify delegations and conditions for the use of the re-issued license by the second party;
  
  sign the re-issued license with the first license, naming the first party as an issuing authority;
  
  provide the re-issued license to the second party in the second license format, which is distinguished from the first license format; and
  
  provide the first license to the second party so that the second party can prove that the first party delegated the first license as the re-issued license and that the delegations in the re-issued license correctly correspond to the first license.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shewchuk, John P., Kaler, Christopher G., Leach, Paul J., Della-Libera, Giovanni M., Rashid, Richard F., Lucco, Steven E., Lovering, Bradford H., Millet, Stephen J., Konersmann, Scott A., Lampson, Butler W.
Primary Examiner(s)
Homayounmehr; Farid

Application Number

US11/254,264
Publication Number

US 20060041743A1
Time in Patent Office

1,720 Days
Field of Search

713/151, 713/156, 705/59, 709/225
US Class Current

713/151
CPC Class Codes

G06Q 20/3676   Balancing accounts

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

H04L 67/561   Adding application-function...

H04L 67/565   Conversion or adaptation of...

Virtual distributed security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

130 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual distributed security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links