-
公开(公告)号:CA2926128A1
公开(公告)日:2010-03-25
申请号:CA2926128
申请日:2009-09-17
Applicant: IBM
Inventor: BAENTSCH MICHAEL , BUHLER PETER , EIRICH THOMAS , HERMANN RETO , HOERING FRANK , KRAMP THORSTEN , KUYPER MICHAEL P , WEIGOLD THOMAS D
Abstract: An authorization device (5) is provided for authorizing operations of a remote server (2) requested from user computers (3) via a data communications network (4). The device (5) has a computer interface (6) for connecting the device (5) to a local user computer (3) for communication with the remote server (2), and a user interface (7) for presenting information to a user. Control logic (11) of the device (5) is adapted to use security data to establish between the device (5) and server (2), via the local user computer (3), a mutually-authenticated connection for encrypted end-to-end communications between the device and server. The control logic (11) collects from the server (2) via this connection information indicative of any operations requested by user computers via other connections to the server (2) and requiring authorization by a user of the device (5). This information is presented to a user via the user interface (7) to prompt for authorization by the user. Server operations are controlled in accordance with rule data (18) defining operations requiring authorization by one or more authorizing users. Control logic (15) of the server control apparatus responds to an operation request from a user computer (3) by determining from the rule data (18) whether authorization by at least one authorizing user is required for that operation. If so, the operation is deferred. When a mutually-authenticated connection is established with an authorizing device (5), the control apparatus can supply information indicative of any deferred operations requested from user computers (3) and requiring authorization by the device user. A deferred operation is only performed on receipt of authorization from every authorizing user from whom authorization is required for that operation, providing secure multi-party authorization in a mobile computing environment.
-
公开(公告)号:DE60307498T2
公开(公告)日:2007-09-13
申请号:DE60307498
申请日:2003-10-24
Applicant: IBM
Inventor: BAENTSCH MICHAEL , BUHLER PETER , EIRICH THOMAS , HOERING FRANK , KRAMP THORSTEN , OESTREICHER MARCUS , OSBORNE MICHAEL , WEIGOLD D
IPC: H04L29/06
Abstract: A method for providing a user device with a set of access codes comprises, in the user device, storing an encryption key a an identification code, and sending a message containing the identification code to a server via a communications network. In the server, an encryption key is stored corresponding to the key stored in the user device, allocating the set of access codes on receipt of the identification code from the user device. A look up function is performed based on the identification code received in the message to retrieve the key from storage. The set of access codes is encrypted using the retrieved key to produce an encrypted set. A message containing the encrypted set is sent to the user device via the network. In the user device, the encrypted set received from the server is decrypted using the key in storage, and storing the decrypted set of access codes for use by a user of the user device.
-
公开(公告)号:GB2488705B
公开(公告)日:2016-03-09
申请号:GB201209974
申请日:2010-11-22
Applicant: IBM
Inventor: BUHLER PETER , DYKEMAN HAROLD D , EIRICH THOMAS , KAISERSWERTH MATTHIAS , KRAMP THORSTEN
-
公开(公告)号:DE112011103580T5
公开(公告)日:2013-11-21
申请号:DE112011103580
申请日:2011-10-18
Applicant: IBM
Inventor: BAENTSCH MICHAEL , DYKEMAN HAROLD DOUGLAS , OSBORNE MICHAEL CHARLES , WEIGOLD THOMAS D , HERMANN RETO JOSEF , KRAMP THORSTEN , KYPER-HAMMOND MICHAEL PETER
Abstract: Die Erfindung bezieht sich konkret auf ein Verfahren, eine sichere Einheit, ein System und ein Computerprogrammprodukt für das sichere Verwalten des Benutzerzugriffs auf ein Dateisystem. Das Verfahren weist die Schritte auf des: – Bereitstellens (S100) einer sicheren Einheit (10), wobei diese entwurfsbedingt gegen bösartige Software oder Schadsoftware geschützt und so gestaltet ist, dass über ein Telekommunikationsnetzwerk eine Verbindung mit einem Server (40) hergestellt wird und dies vorzugsweise über einen Host (30) erfolgt, der mit dem Server (40) verbunden ist; – Herstellens (S300) einer Verbindung (91) zwischen der sicheren Einheit und dem Server (40); – Empfangens (S350) von Daten, die einem Dateisystem zugehörig sind, das Dateien identifiziert, die zumindest teilweise außerhalb der sicheren Einheit gespeichert sind, über die hergestellte Verbindung (91) in der sicheren Einheit; – Offenlegens (S600) des Dateisystems auf der sicheren Einheit gegenüber einem Benutzer auf der Grundlage der Daten, die von dem Server empfangen wurden, wobei das Dateisystem durch den Benutzer steuerbar ist.
-
公开(公告)号:GB2498139A
公开(公告)日:2013-07-03
申请号:GB201306126
申请日:2011-10-18
Applicant: IBM
Inventor: BAENTSCH MICHAEL , DYKEMAN HAROLD D , HERMANN RETO , KRAMP THORSTEN , KYPER-HAMMOND MICHAEL PETER , OSBORNE CHARLES , WEIGOLD THOMAS D
Abstract: The invention is notably directed to a method, a secure device, a system and a computer program product for securely managing user access to a file system. The method comprises the steps of: - providing (S100) a secure device (10), the latter protected by design against malicious software or malware and adapted to establish a connection to a server (40 through a telecommunication network and this, preferably via a host (30) connected to the server (40); - establishing (S300) a connection (91) between the secure device and the server (40); - receiving (S350) at the secure device, through the established connection (91), data pertaining to a file system identifying files which are at least partly stored outside the secure device; - exposing (S600) at the secure device the file system to a user, based on the data received from the server, the file system navigable by the user.
-
Patent Agency Ranking
公开(公告)号:DE112010004580T5
公开(公告)日:2012-11-29
申请号:DE112010004580
申请日:2010-11-22
Applicant: IBM
Inventor: DYKEMAN HAROLD D , KAISERSWERTH MATTHIAS , KRAMP THORSTEN , BUHLER PETER , EIRICH THOMAS
Abstract: Die Erfindung bezieht sich insbesondere auf ein Verfahren für eine sichere PIN-Verwaltung einer für Benutzer vertrauenswürdigen Einheit (10), die über ein Datenverarbeitungsmittel (15) verfügt, das mit einem dauerhaften Speicher (15'), einem nicht dauerhaften Speicher (15') und Schnittstellen (17, 18, 20) für das Verbinden oder Zusammenwirken mit einem Benutzer (1), einer Speicherkarte (16) wie z. B. einer Smartcard und einer Datenstation (30) verbunden ist, wobei das Verfahren die folgenden Schritte umfasst: Bereitstellen der mit einer Speicherkarte (16) verbundenen Einheit; Empfangen in der Einheit: eine externe PIN und eine Karten-PIN, wobei letztere in der Lage ist, die Speicherkarte zu entsperren; Erzeugen und Speichern eines Schlüssels in dem dauerhaften Speicher über das Datenverarbeitungsmittel und aus den empfangenen PINs, so dass die Karten-PIN anhand einer Funktion, die in dem dauerhaften Speicher gespeichert ist, berechnet werden kann, wobei die externe PIN und der Schlüssel als Argument verwendet werden; Empfangen einer Benutzereingabe der externen PIN in der Datenstation und Übertragen der externen PIN an die Einheit; Anweisen des Datenverarbeitungsmittels, die Karten-PIN unter Verwendung der gespeicherten Funktion zu berechnen; und Verwenden der berechneten Karten-PIN, um die Speicherkarte zu entsperren.
-
公开(公告)号:GB2488705A
公开(公告)日:2012-09-05
申请号:GB201209974
申请日:2010-11-22
Applicant: IBM
Inventor: BUHLER PETER , DYKEMAN HAROLD D , EIRICH THOMAS , KAISERSWERTH MATTHIAS , KRAMP THORSTEN
Abstract: The invention is notably directed to a method for secure PIN management of a user trusted device (10) having computing means (15) coupled to a persistent memory (15"), a non-persistent memory (15') and interfaces (17, 18, 20) for coupling to or/interacting with a user (1), a memory card (16) and a terminal (30), the method comprising the steps of: providing the device coupled to a memory card (16); receiving at the device: an external PIN and a card PIN, the latter capable of unlocking the memory card; generating and storing a key on the persistent memory, via the computing means and from the PINs received, such that the card PIN can be computed via a function stored on the persistent memory, taking the external PIN and the key as argument; receiving, at the terminal, user input of the external PIN and communicating the external PIN to the device; instructing the computing means to compute the card PIN using the function as stored; and using the computed card PIN to unlock the memory card.
-
公开(公告)号:CA2504843C
公开(公告)日:2011-02-22
申请号:CA2504843
申请日:2003-10-24
Applicant: IBM
Inventor: BAENTSCH MICHAEL , BUHLER PETER , EIRICH THOMAS , HORING FRANK , KRAMP THORSTEN , OESTREICHER MARCUS , OSBORNE MICHAEL , WEIGOLD THOMAS D
IPC: H04L29/06
Abstract: A method for providing a user device with a set of access codes comprises, in the user device, storing an encryption key and an identification code, and sending a message containing the identification code to a server via a communications network. In the server, an encryption key is stored corresponding to the key stored in the user device, allocating the set of access codes on receipt of the identification code from the user device. A look up function is performed based on the identification code received in the message to retrieve the key from storage. The set of access codes is encrypted using the retrieved key to produce an encrypted set. A message containing the encrypted set is sent to the user device via the network. In the user device, the encrypted set received from the server is decrypted using the key in storage, and storing the decrypted set of access codes for use by a user of the user device.
-
公开(公告)号:AU2009294201A1
公开(公告)日:2010-03-25
申请号:AU2009294201
申请日:2009-09-17
Applicant: IBM
Inventor: BAENTSCH MICHAEL , BUHLER PETER , EIRICH THOMAS , HERMANN RETO , HOERING FRANK , KRAMP THORSTEN , KUYPER MICHAEL P , WEIGOLD THOMAS D
Abstract: An authorization device for authorizing operations of a remote server requested from user computers via a data communications network includes a computer interface configured to connect to a local user computer for facilitating communication with the remote server via a data communications network, a user interface configured to present information to a user, and control logic. The control logic is adapted to use security data accessible to the control logic to establish, via the local user computer, a mutually-authenticated connection for encrypted end-to-end communications with the server; collect from the server, via the connection, information indicative of any operation requested via a different connection to the server and requiring authorization by the user; and present the information to the user via the user interface to prompt for authorization of the operation.
-
公开(公告)号:AT336135T
公开(公告)日:2006-09-15
申请号:AT03751197
申请日:2003-10-24
Applicant: IBM
Inventor: BAENTSCH MICHAEL , BUHLER PETER , EIRICH THOMAS , HOERING FRANK , KRAMP THORSTEN , OESTREICHER MARCUS , OSBORNE MICHAEL , WEIGOLD THOMAS D
IPC: H04L29/06
Abstract: A method for providing a user device with a set of access codes comprises, in the user device, storing an encryption key a an identification code, and sending a message containing the identification code to a server via a communications network. In the server, an encryption key is stored corresponding to the key stored in the user device, allocating the set of access codes on receipt of the identification code from the user device. A look up function is performed based on the identification code received in the message to retrieve the key from storage. The set of access codes is encrypted using the retrieved key to produce an encrypted set. A message containing the encrypted set is sent to the user device via the network. In the user device, the encrypted set received from the server is decrypted using the key in storage, and storing the decrypted set of access codes for use by a user of the user device.
-
-
-
-
-
-
-
-
-
Search Results
31
records
(took 0.02 seconds)
