| Patent application number | Description | Published |
|---|
| 20080235807 | File System Operation and Digital Rights Management (DRM) - File system interaction with digital rights management (DRM) is facilitated by enabling one or more file system components to be DRM-aware. These one or more file system components may be part of a computer operating system. An exemplary system implementation includes: one or more processors; and one or more media in operative communication therewith, the media storing one or more file system components that are configured to provide content having DRM controls to a requesting program in either a raw form or a decrypted form in dependence on whether the DRM controls comprise simple DRM content controls or complex DRM content controls. In another exemplary system implementation, the one or more file system components are configured to provide files with simple DRM content controls to requesting applications in a decrypted form and to provide files with complex DRM content controls to requesting applications in an unaltered form. | 09-25-2008 |
| 20080244736 | MODEL-BASED ACCESS CONTROL - Access control as it relates to policies or permissions is provided based on a created model. A security policy is abstracted and can be independent of a mechanism used to protect resources. An asbstract model of a potential user, user role and/or resource is created without associating a specific individual and/or resource with a model. These abstract user models and abstract resource models can be used across applications or within disparate applications. The abstracted security policies can be selectively applied to the model. Specific users and/or resources can be associated with one or more abstract user model or abstract resource model. The models can be nested to provide configurations for larger systems. | 10-02-2008 |
| 20080301780 | ACCESS CONTROL NEGATION USING NEGATIVE GROUPS - The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group. | 12-04-2008 |
| 20080307486 | ENTITY BASED ACCESS MANAGEMENT - The subject disclosure pertains to systems and methods that facilitate entity-based for access management. Typically, access to one or more resources is managed based upon identifiers assigned to entities. Groups of identifiers can be assigned to access rights. An authority component can manage an exclusion group that excludes an entity, regardless of the identifier utilized by the entity. Access control components can utilize exclusion groups in access policies to define access rights to a resource. | 12-11-2008 |
| 20080313712 | TRANSFORMATION OF SEQUENTIAL ACCESS CONTROL LISTS UTILIZING CERTIFICATES - The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL. | 12-18-2008 |
| 20090007247 | DOMAIN ID SERVICE - The subject disclosure pertains to a domain identification system, comprising a principal that has a key and a mnemonically meaningless identifier, the mnemonically meaningless identifier is used to identify the component in a networked environment. The mnemonically meaningless identifier can be bound to the public key by a binding. The component may be part of a neighborhood of components, and each member component knows the members' binding. | 01-01-2009 |
| 20090055921 | FILE ACCESS IN MULTI-PROTOCOL ENVIRONMENT - Aspects of the subject matter described herein relate to providing file access in a multi-protocol environment. In aspects, a file server is operable to receive requests formatted according to two or more file access protocols. If a request is formatted according to a first file access protocol, the file server applies access rights associated with the file to an account associated with a requester to determine whether to grant access. If the request is formatted according to the second file access protocol, the file server may first attempt to find an account for the requester. If an account is not found, the file server may then grant access based on access rights associated with the file as applied to information in the request without consulting an account on the file server. | 02-26-2009 |
| 20090178129 | SELECTIVE AUTHORIZATION BASED ON AUTHENTICATION INPUT ATTRIBUTES - Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol. The authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input. | 07-09-2009 |
| 20090217029 | KERBEROS TICKET VIRTUALIZATION FOR NETWORK LOAD BALANCERS - An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs where each pair includes a name associated with a member of a group and an encrypted the dynamic group key for decryption by a key possessed by the member of the group where decryption of an encrypted dynamic group key allows for decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed. | 08-27-2009 |
| 20090241193 | Enhanced Computer Intrusion Detection Methods And Systems - Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms. | 09-24-2009 |
| 20090328134 | LICENSING PROTECTED CONTENT TO APPLICATION SETS - The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested. | 12-31-2009 |
| 20100100953 | PassThru for Client Authentication - This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server. | 04-22-2010 |
| 20100228982 | FAST-RECONNECTION OF NEGOTIABLE AUTHENTICATION NETWORK CLIENTS - Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process. | 09-09-2010 |
| 20100242102 | Biometric credential verification framework - Use of a biometric identification device in a client computer system to subsequently access an authentication system includes receiving biometric sample data which is digitally signed and combining the data with a user ID and PIN. This package of data is then securely transmitted to a biometric matching server to validate the user and the biometric sample. Once validated, the biometric matching server return the data package plus a temporary certificate and a public/private key pair to the client computer. The client computer may then use this information to access an authentication system to subsequently gain access to a secure resource. | 09-23-2010 |
| 20100251338 | Predictive HTTP Authentication Mode Negotiation - A client system and a server system use a Hypertext Transfer Protocol (HTTP) authentication mode preference header to negotiate an HTTP authentication mode. The client system sends an HTTP request to the server system. In response to the HTTP request, the server system sends an HTTP response to the client system. The HTTP response includes an HTTP authentication mode preference header. The HTTP authentication mode preference header indicates whether a preferred HTTP authentication mode is connection-based HTTP authentication or request-based HTTP authentication. In subsequent HTTP requests to the server system, the client system uses the HTTP authentication mode indicated by the HTTP authentication mode preference header. | 09-30-2010 |
| 20110154505 | UNOBTRUSIVE ASSURANCE OF AUTHENTIC USER INTENT - Computer-executable instructions that are directed to the performance of consequential actions and automatically elevate to execute at a higher privilege level to do so can perform such consequential actions only after user notification. Doing so can enable monitoring processes to avoid presenting duplicative user notification upon detection of such auto-elevation. In addition, prior to presenting user notification, input from the execution environment can be ignored and access to DLLs for performing consequential actions can be avoided. A static analyzer can identify non-conforming computer-executable instructions. A wrapper can be utilized to provide compliance by otherwise unknown or non-conforming computer-executable instructions. | 06-23-2011 |
