Abstract:
PROBLEM TO BE SOLVED: To provide a mechanism that, when an operating system copies data from a memory page into a paging file on a disk in order to free up space in memory, protects paged data from unauthorized (or otherwise undesirable) observation by encrypting the copied data. SOLUTION: The data stored in the paging file are encrypted with a session key, and the session key is generated immediately after the machine in which the paging file exists is started. The session key, which is used both for the encryption and the decryption of the paging file data, is stored in volatile memory, so that the session key is not persisted across boots of the machine. Since the session key is not persisted across boots, old paging file data that were stored prior to the most recent boot cannot be recovered in clear text, thereby protecting the data from observation. COPYRIGHT: (C)2005,JPO&NCIPI
Abstract:
PROBLEM TO BE SOLVED: To provide a mechanism for a protected operating system boot which prevents rogue components from being loaded with an operating system, and thus prevents divulgence of a system key under inappropriate circumstances. SOLUTION: After a portion of a machine startup procedure has occurred, the operating system loader is run, the loader is validated by a validator, and a correct machine state is either verified to exist or created. Once the loader has been verified to be a legitimate loader, and the machine state under which it is running is verified to be correct, the loader is executed. COPYRIGHT: (C)2011,JPO&INPIT
Abstract:
PROBLEM TO BE SOLVED: To prevent rogue components from being loaded together with an operating system, and so to prevent divulgence of a system key under inappropriate circumstances. SOLUTION: After a portion of a machine startup procedure has occurred, an operating system loader is run, the loader is validated, and a correct machine state is either verified to exist or created. Once the loader has been verified to be a legitimate loader and the machine state under which the loader is running is verified to be correct, the loader's future behavior is known to protect against the loading of rogue components that could cause divulgence of the system key. When the loader's behavior is known to be safe for the system key, a validator unseals the system key and provides it to the loader. COPYRIGHT: (C)2006,JPO&NCIPI
Abstract:
PROBLEM TO BE SOLVED: To provide an encrypted list of previously used keys, by way of systems and methods for managing multiple keys for file encryption and decryption. SOLUTION: The list itself may be encrypted using the current key. To decrypt files that are encrypted with one or more of the previous keys, the list can be decrypted and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key. COPYRIGHT: (C)2006,JPO&NCIPI
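The two key-handling schemes above, the per-boot session key for the paging file (first abstract) and the encrypted list of previous file keys (this abstract), are modelled together below. This is an added example written for this page, not code from any of the patents or from any vendor; the class names `PagingFile` and `KeyRing`, the `seal`/`unseal` helpers and the sample data are all constructed here. The cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus an HMAC tag) chosen so the example runs without third-party packages; a real implementation would use an authenticated cipher such as AES-GCM.

```python
# Added example (not from the patents above or any vendor code): a toy model of
# (1) a paging file sealed under a per-boot session key that lives only in RAM,
# so pages written before the last boot cannot be read back, and (2) a list of
# previous file keys kept sealed under the current key and re-sealed on rotation.
import hashlib
import hmac
import json
import os
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class PagingFile:
    """The on-disk paging file persists; the session key never leaves RAM."""
    def __init__(self) -> None:
        self.disk = {}            # page number -> sealed page (simulated disk)
        self.session_key = None   # volatile: generated at boot, lost at shutdown
    def boot(self) -> None:
        self.session_key = os.urandom(32)   # fresh key each boot; the old one is gone
    def page_out(self, page_no: int, data: bytes) -> None:
        self.disk[page_no] = seal(self.session_key, data)
    def page_in(self, page_no: int) -> bytes:
        return unseal(self.session_key, self.disk[page_no])

class KeyRing:
    """A current key plus a list of previous keys sealed under the current key."""
    def __init__(self) -> None:
        self.current = os.urandom(32)
        self.sealed_previous = seal(self.current, json.dumps([]).encode())
    def previous_keys(self) -> list:
        hex_keys = json.loads(unseal(self.current, self.sealed_previous))
        return [bytes.fromhex(h) for h in hex_keys]
    def rotate(self) -> None:
        """Decrypt the list with the old key, append it, re-seal under the new key."""
        keys = self.previous_keys() + [self.current]
        self.current = os.urandom(32)
        self.sealed_previous = seal(self.current, json.dumps([k.hex() for k in keys]).encode())
    def decrypt_file(self, blob: bytes) -> bytes:
        """Try the current key, then the previous keys newest-first."""
        for key in [self.current] + self.previous_keys()[::-1]:
            try:
                return unseal(key, blob)
            except ValueError:
                continue
        raise ValueError("no key in the ring opens this file")
    def rekey_file(self, blob: bytes) -> bytes:
        """Re-encrypt a file sealed under an older key with the current key."""
        return seal(self.current, self.decrypt_file(blob))

def demo() -> dict:
    """Exercise both mechanisms with constructed sample data."""
    pf = PagingFile()
    pf.boot()
    pf.page_out(7, b"constructed sample page")
    readable_before = pf.page_in(7)
    pf.boot()                                   # simulated reboot: new session key
    try:
        pf.page_in(7)
        stale_recoverable = True
    except ValueError:
        stale_recoverable = False
    ring = KeyRing()
    old_file = seal(ring.current, b"constructed sample file")   # sealed under key #1
    ring.rotate()
    ring.rotate()
    return {
        "readable_before_reboot": readable_before,
        "stale_page_recoverable": stale_recoverable,
        "previous_key_count": len(ring.previous_keys()),
        "old_file_plaintext": ring.decrypt_file(old_file),
        "rekeyed_opens_with_current": unseal(ring.current, ring.rekey_file(old_file)),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the abstracts describe: the page sealed before the simulated reboot reads back correctly, the same on-disk blob is unreadable after the reboot because the only copy of the old session key was in volatile memory, and a file sealed under the first ring key is still recoverable after two rotations because each rotation carries the old key into the list that the new current key protects.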
Abstract:
PROBLEM TO BE SOLVED: To provide a system and method for credential roaming. SOLUTION: Implementations are described and claimed to enable credential roaming among a plurality of different computing devices. An exemplary system includes an event handler to receive event notifications, such as a client logon. The event handler calls out to a management service 300 in response to receiving an event notification. The management service 300 includes a synchronous module 320 to synchronize a user's credentials with a remote directory service, such as Active Directory, so that the user's credentials are available from any one of a number of different computing devices. COPYRIGHT: (C)2006,JPO&NCIPI
Abstract:
Use of a biometric identification device in a client computer system to subsequently access an authentication system includes receiving biometric sample data which is digitally signed and combining the data with a user ID and PIN. This package of data is then securely transmitted to a biometric matching server to validate the user and the biometric sample. Once validated, the biometric matching server returns the data package plus a temporary certificate and a public/private key pair to the client computer. The client computer may then use this information to access an authentication system and subsequently gain access to a secure resource.
Abstract:
Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol, the authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.
Abstract:
A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the domain/user name information of a client to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user when he logs in. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding. Existing protocols may be extended to communicate the additional mapping information (the hint) to perform the binding. A vendor specific extension to Kerberos is defined to obtain the authorization data based on an X.509 certificate and the mapping user name hint.
Abstract:
An active filter monitors a web browser session to identify executable code transmitted in the session. The executable code may be analyzed to determine whether the code is digitally signed. When the code is digitally signed by the web server or by another trusted source, the code may be executed. When the code is not digitally signed, or when the source is not trusted, the code may be rejected and not executed. The filter may be implemented as a web browser component or plugin, as well as a gateway device, proxy, or other service. The filter may also be implemented on the server side to reject incoming data that may include unauthenticated code.
Abstract:
A network protection solution is provided by which security capabilities of a client machine are communicated to a network security gateway so that a variety of processes can be automatically and dynamically distributed between the gateway and the client machine in a way that achieves a target level of security for the client while consuming the least possible amount of resources on the gateway. For example, for a client that is compliant with specified health and/or corporate governance policies and which is known to have A/V capabilities that are deployed and operational, the network security gateway will not need to perform additional A/V scanning on incoming network traffic to the client which can thus save resources at the gateway and lower operating costs.