    3. DYNAMIC ACCESS TO RADIO NETWORKS
    Invention application (under examination, published)

    Publication No.: WO2010020615A2

    Publication date: 2010-02-25

    Application No.: PCT/EP2009060626

    Filing date: 2009-08-17

    CPC classification number: H04W12/06 H04L12/14 H04L12/1403 H04L63/0815

    Abstract: A method, system, and computer usable program product for dynamic access to radio networks are provided in the illustrative embodiments. A new radio network having a characteristic more suitable than a corresponding characteristic of a present radio network is detected. A request for access to the new radio network is sent, the request including a token, which includes structured information about a user, a device, a home network, or a billing service. Access to the new radio network is received. Switching is performed from the present radio network to the new radio network for wireless communication. The request for access to a radio network is received such that the requestor is not known to a provider of the radio network. The requestor is verified using a billing service provider or a home network provider identified in a token in the request. Upon verification, access is granted to the radio network.


    4. METHOD AND SYSTEM FOR WEB-BASED CROSS-DOMAIN SINGLE-SIGN-ON AUTHENTICATION
    Invention application (under examination, published)

    Publication No.: WO0239237A3

    Publication date: 2003-10-09

    Application No.: PCT/EP0112361

    Filing date: 2001-10-25

    Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on, authentication functionality. The methodology uses an introductory authentication token to introduce an already authenticated user from one domain to a new domain. This token is passed from one domain to the other domain using HTTP redirection. This token is protected by encryption with a cryptographic key shared only between the two domains in a secure manner such that an external user cannot generate a counterfeit introductory token. An introductory token is further protected by giving it a limited lifetime so that an unauthorized user would not be able to use or reuse the introductory token within the token's lifetime. After a user has been introduced to a new security domain, all of the user's resource requests are authorized by the new domain.


    5. METHOD AND SYSTEM FOR SYNCHRONIZED POLICY CONTROL IN A WEB SERVICES ENVIRONMENT
    Invention application (under examination, published)

    Publication No.: WO2008046888A3

    Publication date: 2008-06-12

    Application No.: PCT/EP2007061161

    Filing date: 2007-10-18

    CPC classification number: H04L63/20 H04L63/101

    Abstract: Policy controls for Web service resource objects in a hierarchical resource space are loosely coupled so that policy changes are applied and enforced across the objects. This technique ensures that different policies are not applied unintentionally to the same resource (for example, one at the Web services entry level, and the other at the resource level). By synchronizing the objects in the manner described, neither the entity that deploys the application nor the security administrator needs to be aware of the differences between the various types of requests that occur within a Web services environment. In a representative embodiment, resource objects are linked within a hierarchical resource space to provide synchronized policy control, where the policy is an audit policy, a quality-of-service (QoS) policy, a service level agreement (SLA) policy, a governance policy, a compliance policy, a patch management/vulnerability management policy, a user management policy, or a rights management policy.


    6. METHOD AND APPARATUS FOR MANAGING OBFUSCATED MOBILE DEVICE USER IDENTITIES
    Invention application (under examination, published)

    Publication No.: WO2008141947A3

    Publication date: 2009-05-22

    Application No.: PCT/EP2008055690

    Filing date: 2008-05-08

    CPC classification number: H04L63/0407 H04L63/0414 H04W8/26

    Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an "enriched" identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator. The present invention describes a method and apparatus for use in a home network to manage the generation, storage and use of the unique identifiers.


    7. METHOD AND APPARATUS FOR ACCESSING A FOREIGN NETWORK WITH AN OBFUSCATED MOBILE DEVICE USER IDENTITY
    Invention application (under examination, published)

    Publication No.: WO2008141949A3

    Publication date: 2009-01-22

    Application No.: PCT/EP2008055694

    Filing date: 2008-05-08

    CPC classification number: H04L63/0414 H04W12/02 H04W84/042 H04W88/02 H04W88/16

    Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an "enriched" identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator (or an entity authorized thereby). When the mobile device user roams into a foreign network, that network receives the enriched identifier in lieu of an MSISDN. The foreign network uses the first part to identify the mobile device user's home network, e.g., to determine whether to permit the requested access (or to provide some other value-added service). The foreign network, however, cannot decode the second part; thus, the mobile device's identity (as well as the identity of the mobile device user) remains obscured. This ensures that the user's privacy is maintained, while preventing third parties from building a profile of the device based on the requests that include the MSISDN or similar identifier.


    METHOD AND APPARATUS FOR ACCESSING A FOREIGN NETWORK WITH AN OBFUSCATED MOBILE DEVICE USER IDENTITY

    Publication No.: CA2672702A1

    Publication date: 2008-11-27

    Application No.: CA2672702

    Filing date: 2008-05-08

    Applicant: IBM

    Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an "enriched" identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator (or an entity authorized thereby). When the mobile device user roams into a foreign network, that network receives the enriched identifier in lieu of an MSISDN. The foreign network uses the first part to identify the mobile device user's home network, e.g., to determine whether to permit the requested access (or to provide some other value-added service). The foreign network, however, cannot decode the second part; thus, the mobile device's identity (as well as the identity of the mobile device user) remains obscured. This ensures that the user's privacy is maintained, while preventing third parties from building a profile of the device based on the requests that include the MSISDN or similar identifier.

    METHOD AND SYSTEM FOR USER-DETERMINED AUTHENTICATION AND SINGLE-SIGN-ON IN A FEDERATED ENVIRONMENT

    Publication No.: CA2488881A1

    Publication date: 2004-01-08

    Application No.: CA2488881

    Filing date: 2003-06-24

    Applicant: IBM

    Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on, authentication functionality. A user may contract with one or more authentication service providers (ANSPs). E-commerce service providers (ECSPs), such as online banks or online merchants, also maintain a relationship with an ANSP such that the ECSP can trust the authenticated identity of a user that is vouched for by the ANSP on behalf of the user. The user can visit any e-commerce service provider in a federated environment without having to establish an a priori relationship with that particular ECSP. As long as the ECSP's domain has a relationship with at least one of the user's authentication service providers, the user will be able to have a single-sign-on experience at that ECSP.

    IDENTITY PROVIDER DISCOVERY SERVICE USING A PUBLISH-SUBSCRIBE MODEL

    Publication No.: CA2918009A1

    Publication date: 2013-08-29

    Application No.: CA2918009

    Filing date: 2013-01-29

    Applicant: IBM

    Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.
