Virtual distributed security system

US 7,752,442 B2
Filed: 10/20/2005
Issued: 07/06/2010
Est. Priority Date: 10/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. In a distributed computing system environment that includes a plurality of computing devices that each comprise a processor and system memory, a method of transmitting a secure message from a first party to a second party, the first party using a first cryptographic technology and the second party using a second cryptographic technology, wherein the first and second parties are within a generic security framework and wherein the generic security framework abstracts cryptographic technologies and license formats, the method comprising:

determining that a message is to be sent to the second party;

a processor creating at least one security credential using a modular security policy and creating an encrypted message from the message, wherein the modular security policy;

establishes security rules and procedures of the generic security framework;

implements a security policy of the generic security framework with one or more protocols and transports; and

describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to the first and second cryptographic technologies used by the first and second parties, and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the security components to be negotiated, partitioned and modified, and rather than being hard-coded, and which include;

a store component for storing, retrieving, encrypting, and managing credentials;

an integrity component for signing portions of a message and for verifying integrity and signatures of received messages; and

a confidentiality component for encrypting and decrypting portions of a message; and

formatting a second message with a markup language wherein the markup language comprises at least one header and wherein the second message contains the encrypted message;

inserting at least the one security credential into the at least one header in the markup language in the second message; and

transmitting the second message to the second party and wherein the second party can use the modular security policy to decrypt and verify the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.

158 Citations

20 Claims

1. In a distributed computing system environment that includes a plurality of computing devices that each comprise a processor and system memory, a method of transmitting a secure message from a first party to a second party, the first party using a first cryptographic technology and the second party using a second cryptographic technology, wherein the first and second parties are within a generic security framework and wherein the generic security framework abstracts cryptographic technologies and license formats, the method comprising:
- determining that a message is to be sent to the second party;
  
  a processor creating at least one security credential using a modular security policy and creating an encrypted message from the message, wherein the modular security policy;
  
  establishes security rules and procedures of the generic security framework;
  
  implements a security policy of the generic security framework with one or more protocols and transports; and
  
  describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to the first and second cryptographic technologies used by the first and second parties, and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the security components to be negotiated, partitioned and modified, and rather than being hard-coded, and which include;
  
  a store component for storing, retrieving, encrypting, and managing credentials;
  
  an integrity component for signing portions of a message and for verifying integrity and signatures of received messages; and
  
  a confidentiality component for encrypting and decrypting portions of a message; and
  
  formatting a second message with a markup language wherein the markup language comprises at least one header and wherein the second message contains the encrypted message;
  
  inserting at least the one security credential into the at least one header in the markup language in the second message; and
  
  transmitting the second message to the second party and wherein the second party can use the modular security policy to decrypt and verify the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the markup language comprises the extensible markup language.
  - 3. The method of claim 2, wherein the extensible markup language comprises the simple object access protocol.
  - 4. The method of claim 1, wherein the security credential comprises a license.
  - 5. The method of claim 4, wherein the security policy defines a testament associated with the license wherein the testament proves that a party owns the license.
  - 6. The method of claim 1, wherein the security credential comprises a key.
  - 7. The method of claim 6, wherein the security policy defines a testament associated with the key wherein the testament proves that a party owns the key.
  - 8. The method of claim 1, wherein the security credential is defined by the security policy.
  - 9. The method of claim 1, wherein:
    - the security policy identifies access rights of the security system.
  - 10. The method of claim 1, wherein:
    - the security policy language comprises the extensible markup language.
  - 11. The method of claim 1, wherein:
    - the security policy is configurable.
  - 12. The method of claim 1, wherein:
    - the security policy language comprises at least some logic-based components.
  - 13. The method of claim 1, wherein:
    - the security policy language comprises at least some rule-based components.
  - 14. The method of claim 1, wherein:
    - the security policy language comprises procedural components.
  - 15. The method of claim 1, wherein the security policy includes a revocation service.
  - 16. The method of claim 1, wherein the security policy includes a mapping of entities to rights.
  - 17. The method of claim 16, wherein the security policy further includes a mapping of entities to capabilities.

18. A computer program product for use at a computer system, the computer program product for implementing a method of transmitting a secure message from a first party to a second party, the first party using a first cryptographic technology and the second party using a second cryptographic technology, wherein the first and second parties are within a generic security framework and wherein the generic security framework abstracts cryptographic technologies and license formats, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- determine that a message is to be sent to the second party;
  
  create at least one security credential using a modular security policy and create an encrypted message from the message, wherein the modular security policy;
  
  establishes security rules and procedures of the generic security framework;
  
  implements a security policy of the generic security framework with one or more protocols and transports; and
  
  describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to the first and second cryptographic technologies used by the first and second parties, and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the security components to be negotiated, partitioned and modified, and rather than being hard-coded, and which include;
  
  a store component for storing, retrieving, encrypting, and managing credentials;
  
  an integrity component for signing portions of a message and for verifying integrity and signatures of received messages; and
  
  a confidentiality component for encrypting and decrypting portions of a message; and
  
  format a second message with a markup language wherein the markup language comprises at least one header and wherein the second message contains the encrypted message;
  
  inserting at least the one security credential into the at least one header in the markup language in the second message; and
  
  transmit the second message to the second party and wherein the second party can use the modular security policy to decrypt and verify the message.
- View Dependent Claims (19)
- - 19. The computer program product of claim 18, wherein the modular security policy defines one of:
    - a testament associated with the license wherein the testament proves that a party owns the license and a testament associated with the key wherein the testament proves that a party owns the key.

20. A computer system, the computer system comprising:
- one or more processors;
  
  system memory; and
  
  one or more computer-readable storage media having stored thereon computer-executable instructions representing a virtual distributed security system, wherein the virtual distributed security system is configured to;
  
  determine that a message is to be sent to the second party;
  
  create at least one security credential using a modular security policy and create an encrypted message from the message, wherein the modular security policy;
  
  establishes security rules and procedures of a generic security framework;
  
  implements a security policy of the generic security framework with one or more protocols and transports; and
  
  describes security aspects, including properties, capabilities, requirements and interaction semantics, of a plurality of modular security components which define behaviors corresponding to the first and second cryptographic technologies used by the first and second parties, and which are written in a security policy language as selectable, deployable and combinable security modules and which enables the security components to be negotiated, partitioned and modified, and rather than being hard-coded, and which include;
  
  a store component for storing, retrieving, encrypting, and managing credentials;
  
  an integrity component for signing portions of a message and for verifying integrity and signatures of received messages; and
  
  a confidentiality component for encrypting and decrypting portions of a message; and
  
  format a second message with a markup language wherein the markup language comprises at least one header and wherein the second message contains the encrypted message;
  
  inserting at least the one security credential into the at least one header in the markup language in the second message; and
  
  transmit the second message to the second party and wherein the second party can use the modular security policy to decrypt and verify the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Luocco, Steven E., Shewchuk, John P., Kaler, Christopher G., Leach, Paul J., Della-Libera, Giovanni M., Rashid, Richard F., Lovering, Bradford H., Millet, Stephen J., Konersmann, Scott A., Lampson, Butler W.
Primary Examiner(s)
Homayounmehr; Farid

Application Number

US11/254,539
Publication Number

US 20060253699A1
Time in Patent Office

1,720 Days
Field of Search

713/170
US Class Current

713/170
CPC Class Codes

G06Q 20/3676   Balancing accounts

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

H04L 67/561   Adding application-function...

H04L 67/565   Conversion or adaptation of...

Virtual distributed security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

158 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual distributed security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links