354 results about "Security context" patented technology

Network policies are managed based at least in-part on user/entity identity information with: a state monitor operable to monitor for state change events in user/entity state and related, network state or in traffic pattern and traffic flow state; an identity manager operable to obtain and validate user credentials; and a policy manager operable in response to a state change event detected by the state monitor (either the identity manager or a defense center) to select a policy based in-part on the user identity obtained by the identity manager or security context obtained by the defense center, and to prompt application of the selected policy. The policies are indicative of user/device authorization entitlements and restrictions to utilization of certain network resources, network services or applications. Dynamic policy selection and targeted responses can be used, for example, against a user who gains network access with stolen user ID and password, and subsequently attempts malicious behavior. In particular, the malicious behavior is detected and identified, and the malicious user can then be restricted from abusing network resources without adversely affecting other users, groups, network devices, and other network services.

A method for single sign-on in a client-server system including a server and a client and a remote presentation protocol based on ITU T.120, communicates between the client node and the server. The client obtains a ticket for a user operating the client. The ticket identifies the security context of the user on the client. Upon connecting the client to the server, the ticket is transferred from the client to the server. The server authenticates the ticket with a security authority and when authenticated the server receives from the security authority a security context for the ticket. When the client so requests, applications are launched using that security context. Preferably, the server is a Microsoft Terminal Server and the remote presentation protocol is Microsoft Remote Desktop Protocol (RDP). The ticket transfer preferably uses a channel within the remote presentation protocol, such as an RDP virtual channel.

A system and method for secure transmission of sensitive end user information from an Internet portal operated by a publisher to a third party data processor. The publisher provides a content portal such as an e-commerce or healthcare information site. A third party data processor such as a bank or healthcare organization requires the sensitive information for a data processing function. In response to the requirement for sensitive information, a trusted proxy frame is invoked from a secure server operative to securely communicate the sensitive information. The trusted proxy frame is displayed in a secure context in the end user's browser and receives input of the sensitive information. The sensitive information is encrypted and communicated through the secure server to the third party data processor. Results of this processing are transmitted to the publisher through a novel callback process that enables the publisher to execute its data processing functions, as if it was in possession of the sensitive information, but without actual access to the sensitive information. The third party data processor returns an acknowledgement of processing of the sensitive information.

A method for reauthentication during client roaming in a wireless network system. The network has at least one access server and a plurality of access points registered with the access server. The method includes receiving a registration request at the access server from a new access point for a roaming client registered with the access server and sending a client's session key to the new access point in a registration reply upon authentication of the registration request. The client's session key is configured for use by the new access point to authenticate the client and establish keys for the client. A method for secure context transfer during client roaming is also disclosed.

A memory management unit (MMU) is disclosed for managing a memory storing data arranged within a plurality of memory pages. The MMU includes a security check unit (SCU) receiving a physical address generated during execution of a current instruction. The physical address resides within a selected memory page. The SCU uses the physical address to access one or more security attribute data structures located in the memory to obtain a security attribute of the selected memory page, compares a numerical value conveyed by a security attribute of the current instruction to a numerical value conveyed by the security attribute of the selected memory page, and produces an output signal dependent upon a result of the comparison. The MMU accesses the selected memory page dependent upon the output signal. The security attribute of the selected memory page may include a security context identification (SCID) value indicating a security context level of the selected memory page. The security attribute of the current instruction may include an SCID value indicating a security context level of a memory page containing the current instruction. A central processing unit (CPU) is described including an execution unit and the MMU. A computer system is described including the memory, the CPU, and the MMU. A method is described for providing access security for a memory used to store data arranged within a plurality of memory pages. The method may be embodied within the MMU.

A technique for providing secure network access is disclosed. In one particular exemplary embodiment, the technique may be realized as a method for providing secure network access. The method may comprise establishing a plurality of access zones in a network, wherein client devices assigned to different access zones have different access privileges and are isolated from one another. The method may also comprise assigning a client device to one of the plurality of access zones based on an assessment of a security context associated with the client device and a connection of the client device to the network.

Provided are methods and systems for integrating the access controls of computer resources into a namespace or domain. For a remote user, a computer network or system is a namespace represented by a URL. In order to enforce the access controls of the computer network being accesses, a remote user is impersonated by a server of the computer system such that access requests to the resources of a system are made by the server in the security context of the remote user. By impersonating the remote user, the actual rights of the remote user are being presented to the access controls rather than the rights of the server. In this manner, the access control of the system can be enforced directly on the remote user and the access control is effectively extended to the namespace.

Embodiments of the present disclosure include systems and methods for providing query service of secured contents. A data collection service collects data and security context associated with the data from a data source and stores the data with the security attributes in a datastore, where the security attributes are derived from the security context and used to determine access to the data so that access to the data is consistent with the security context. Upon receiving a query and a user context of a requester making the query of the datastore, a set of query results is obtained. Based on the user context and security attributes, it is determined whether the requestor has a proper right to access the query results. If the requestor has a proper right to access the query results, access to the query results is granted.

A technique for authenticating network users is disclosed. In one particular exemplary embodiment, the technique may be realized as a method for authenticating network users. The method may comprise receiving, from a client device, a request for connection to a network. The method may also comprise evaluating a security context associated with the requested connection. The method may further comprise assigning the client device one or more access privileges based at least in part on the evaluation of the security context.

Disclosed is a method for IMSI privacy protection of a mobile communication system. A function entity includes UE, an access and mobility management function (AMF), a trusted UDM/AUSF, a trusted SMF and a trusted UPF. The UE is used for executing IMSI change behavior and initiating a network attachment request and completes a new security context negotiation based on a new IMSI at the same time. The AMF is used for replacing IMSI information and its associated GUTI information in a CP mode or a UP mode, and completes the secure context negotiation again based on the new IMSI. The UDM/AUSF is used for generating new IMSI information for UE. The SMF is used for notifying the trusted UPF to generate inband IMSI change control information under the UP mode. According to the invention, the difficulty of an attacker tracing a specific user or deriving real identity of the user is increased, the requirement for legal monitoring in the world is not violated, and at the same time, no consumption of an additional IMSI identification space is introduced.

A cellular communications system is provided in which a user device maintains and provides a last non-emergency security context to a core network when moving from a network that provided restricted services to a network that provides unrestricted services. In this way, re-authentication of the user device can be avoided in the network that provided unrestricted services.

A flexible and extensible context server for collecting, maintaining, and disseminating context information is disclosed. The context server receives requests from requesters for context information via a secure context server interface (SCS API). Communication between the requesters and the context server is conducted by means of predetermined forms. The requests received at the SCS API are passed to a mediator, which collects data from various context drivers. Each context driver is coupled to the mediator, and collects predetermined type of context information from at least one context information source. The mediator determines the appropriate context driver which can handle the request, based on its type. Operation of the context server is also controlled by a set of context utilities, including a context cache for storing recently obtained context information, a privacy engine for storing privacy preferences and an event engine for event handling.

Identity token principal mapping, including receiving in a target system a CORBA message invoking a member method on the target system, the message including a security context including an identity token including an asserted identity, the identity token having an identity token type, the target system having an authentication type, and granting to the asserted identity, in dependence upon the authentication type and in dependence upon the identity token type, authorization privileges of a corresponding user account in the target system.

The invention provides systems and methods for multi-context security policy management in a networked computing infrastructure. The invention includes generating a plurality of security contexts regarding different security characteristics of the communication between a computing device and the networked computing infrastructure. The computing device then requests access to at least one specific element of the computing infrastructure. The security policy definitions of the at least one specific element are compared with one or more of the security contexts to determine whether access to the specific elements should be granted.

A workflow, enterprise, and mail-enabled application server and platform supports distributed computing and remote execution of web applications. Lotus Domino online services (DOLS) is used by a web site administrator to configure Internet Notes (iNotes) clients to auto download from server, thus providing iNotes clients with web access using HTTP with various browsers, and with local processing and replication. A local run time model comprises a hierarchy of models including object data store model, security model, indexing model, replication model, agent workflow model and mail model. DOLS provides a layered security model that allows flexibility for controlling access to all or part of an application. The highest level of security is managed through a database access control list (ACL). Further refinements within the security model provide access to specific documents, and their views, forms or folders, and include read access lists, write access lists, form access lists and readers and authors fields.

Secure authentication of a user on a host computer to a web server including a security device acquiring trust or a security context from the web server. The security device is operable of providing an X.509 certificate to a browser plug-in on the host computer. The browser plug-in on the host computer performing authentication of the security device and in response providing user credentials to the security device. The security device performing authentication of the user and requests a security context from the web server. In response, the web server provides a security context to the security device. The security device delegates the web server trust by transmitting the context to the host computer and enabling the user to securely access resources on the web server.

Networked computing entities which are members of a trusted group share knowledge of a secret value K that is unknown outside the trusted group. When an entity within the trusted group establishes a secure connection, it encodes its name along with the secret value K and an optional random number into a connection identifier. Encoding may use a hash function and/or encryption. By using this connection identifier and the secret value K, other members of the trusted group can decode the connection identifier and gain access to the specific secure connection by using the original cryptographic information for the connection. The connection identifier can be freely transmitted, with little risk that non-trusted entities will be able to use it to gain access to the secure connection.

A computer implemented method, a computer program product, and a data processing system manage a set of federated log-in authentications at secure web sites. A client logs into a security context using a first alias from a list of existing federated single sign-on authentication aliases associated with an account. Responsive to logging into the security context, the client can receive the list of existing federated single sign-on authentication aliases. The client can then manage the list of authentication aliases.

A secure tag generation service is associated with a cloud infrastructure. This service establishes a security context for a particular cloud tenant based on a tenant's security requirements, one or more cloud resource attributes, and the like. The security content is encoded into a data structure, such as a tag that uniquely identifies that security context. The tag is then encrypted. The encrypted tag is then propagated to one or more cloud management services, such as a logging service. When one or more cloud resources are then used, such use is associated with the encrypted security context tag. In this manner, the encrypted tag is used to monitor activities that are required to meet the security context. When it comes time to perform a security or compliance management task, any cloud system logs that reference the encrypted security context tag are correlated to generate a report for the security context.

A method and apparatus for intersystem mobility security context handling between different radio access networks which can include a receiver configured to receive a tracking area update message from a user terminal. The message can include a first key identifier configured to identify a mapped security context and a second key identifier configured to identify a cached security context. A verifier can be configured to verify the tracking area update message with a key identified by the first or second key identifier.

The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.