USER MAPPING INFORMATION EXTENSION FOR PROTOCOLS
    1.
    Invention application
    Status: Pending - Published

Publication number: WO2007011637A3

Publication date: 2007-07-12

Application number: PCT/US2006027182

Filing date: 2006-07-12

    Applicant: MICROSOFT CORP

    Abstract: A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the domain/user name information of a client to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user when he logs in. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding. Existing protocols may be extended to communicate the additional mapping information (the hint) to perform the binding. A vendor specific extension to Kerberos is defined to obtain the authorization data based on an X.509 certificate and the mapping user name hint.


AUTHENTICATION DELEGATION BASED ON RE-VERIFICATION OF CRYPTOGRAPHIC EVIDENCE
    2.
    Invention application
    Status: Pending - Published

Publication number: WO2008127447A3

Publication date: 2009-03-26

Application number: PCT/US2007086122

Filing date: 2007-11-30

    Applicant: MICROSOFT CORP

Abstract: The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and a user, in which the user needs access to a desired server. The method then relies upon re-verification of the cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server, which then uses the credentials to authenticate to the server as the user.


POLICY DRIVEN, CREDENTIAL DELEGATION FOR SINGLE SIGN ON AND SECURE ACCESS TO NETWORK RESOURCES
    3.
    Invention application
    Status: Pending - Published

Publication number: WO2007139944A3

Publication date: 2008-02-14

Application number: PCT/US2007012512

Filing date: 2007-05-25

    Applicant: MICROSOFT CORP

    CPC classification number: H04L63/0815 H04L9/3273 H04L63/20 H04L2209/80

    Abstract: A credential security support provider (Cred SSP) enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software. The Cred SSP provides a secure solution based in part upon a set of policies. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.


PLATFORM INDEPENDENT ECOSYSTEM FOR CREATION, CONSUMPTION AND TRADE OF USER-GENERATED DIGITAL CONTENT
    4.
    Invention application
    Status: Pending - Published

Publication number: WO2010002749A3

Publication date: 2010-03-25

Application number: PCT/US2009048985

Filing date: 2009-06-28

    Applicant: MICROSOFT CORP

    CPC classification number: G06Q30/0601 G06F21/10 G06F21/6218

Abstract: A platform and application independent ecosystem for the creation, consumption and trade of user generated digital content permits any application operating on any platform to participate in a market driven economy for user generated digital objects (UGDOs). The trading system is independent of all participating applications. A metadata attribution method for UGDOs, in combination with heterogeneous application support through well-defined interfaces, facilitates unlimited participation. Attributed metadata may be understood and consumed across platforms and applications. Flexible UGDO rights enforcement techniques, in combination with a flexible fair exchange service for those rights, support all manner of UGDOs and commercial transactions therefor. Participating applications may provide rights enforcement in some instances. The nature of enforcement may rest on the nature of the UGDO content, the rights in the UGDOs or author preferences. The trading system assures that all transactions in the UGDO economy are secure, fault tolerant and atomic, providing integrity and confidence in the UGDO economy.


5.
    Invention patent
    Title: Unknown

Publication number: NO20084500L

Publication date: 2008-11-26

Application number: NO20084500

Filing date: 2008-10-27

    Applicant: MICROSOFT CORP

    Abstract: A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

    Policy driven, credential delegation for single sign on and secure access to network resources

Publication number: AU2007267836A1

Publication date: 2007-12-06

Application number: AU2007267836

Filing date: 2007-05-25

    Applicant: MICROSOFT CORP

    Abstract: A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

10.
    Invention patent
    Title: Unknown

Publication number: BRPI0711702A2

Publication date: 2011-11-29

Application number: BRPI0711702

Filing date: 2007-05-25

    Applicant: MICROSOFT CORP

    Abstract: A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.
