| United States Patent | 5604490 |
| Link to this page | http://www.wikipatents.com/5604490.html |
| Inventor(s) | Blakley, III; George R. (Austin, TX); Hickerson; L. Brooks (Austin, TX); Milman; Ivan M. (Austin, TX); Gittins; Robert S. (Woodland Park, CO); Scheer; Douglas B. (Boynton Beach, FL); Wilson; John H. (Austin, TX) |
| Abstract | An improvement relating to the security of an operating system for either a
stand alone computer system or a networked computer system. The operating
system provides improved security for programs available on the computer
system that have different security protocols. The operating system unifies
these security protocols for each user based on unique user credentials.
Upon a request by the user to start a program procedure, the system
authenticates the identity of the user based on information unique to that
user. The system then generates a user handle associated with the user,
notifies each of the security protocols of that user handle, and generates
new user credentials for each of the security protocols. These user
credentials are associated with the user handle, and the user handle is
mapped to the unique user's credentials for each program procedure. Once
this is accomplished, the system invokes an alternate process and tags the
process with the user handle. When the alternate process requests access to
an object accessed through the server, the system grants access to the
object based on the new user credentials associated with the user handle.
The new user credentials are typically based on an association of the user
identifier, the user handle, and the unique user credentials from before. |
Title Information
| Title | Method and system for providing a user access to multiple secured subsystems |
| Drawing | [Drawing from US Patent 5604490] |
| Publication Date | February 18, 1997 |
| Filing Date | September 9, 1994 |
Claims
We claim:
1. In a computer networking system having a server coupled to a plurality
of clients, wherein each of said plurality of clients has access to a
plurality of program procedures, accessed through said server, each said
program procedure having a security protocol required for access, unique
to each user of each of said plurality of clients, a method for unifying
said security protocols for each user based on unique user credentials
comprising the steps of:
upon request to start a program procedure by said user, authenticating the
identity of said user based on information unique to said user;
generating a user handle associated with said user;
notifying each of said security protocols of said user handle associated
with said user;
generating new user credentials for each of said security protocol;
associating said new user credentials with said user handle associated with
said user;
mapping said user handle to said unique user's credentials for each program
procedure;
generating an alternate process;
tagging said alternate process with said user handle associated with said
user;
upon request from said alternate process for access to an object accessed
through said server, granting access to said object based on said new user
credentials associated with said user handle.
2. The method according to claim 1 wherein said user handle associates with
said user via a user identifier.
3. The method according to claim 2 wherein said new user credentials is
based on the association of said user identifier, said user handle, and
said unique user credentials.
4. The method according to claim 1 wherein said alternate process acts in
behalf of said user.
5. In a computer system having a plurality of program procedures, accessed
through a server, each said program procedure having a security protocol
required for access, unique to each user of each of said plurality of
program procedures, a method for unifying said security protocols for each
user based on unique user credentials comprising the steps of:
upon request to start a program procedure by said user, authenticating the
identity of said user based on information unique to said user;
generating a user handle associated with said user;
notifying each of said security protocols of said user handle associated
with said user;
generating new user credentials for each of said security protocol;
associating said new user credentials with said user handle associated with
said user;
mapping said user handle to said unique user's credentials for each program
procedure;
generating an alternate process;
tagging said alternate process with said user handle associated with said
user;
upon request from said alternate process for access to an object accessed
through said server, granting access to said object based on said new user
credentials associated with said user handle.
6. The method according to claim 5 wherein said user handle associates with
said user via a user identifier.
7. The method according to claim 6 wherein said new user credentials is
based on the association of said user identifier, said user handle, and
said unique user credentials.
8. The method according to claim 5 wherein said alternate process acts in
behalf of said user.
9. In a computer system having a plurality of program procedures, accessed
through a server, each said program procedure having a security protocol
required for access, unique to each user of each of said plurality of
program procedures, a security system for unifying said security protocols
for each user based on unique user credentials comprising:
means for authenticating the identity of said user based on information
unique to said user;
means, coupled to said authenticating means, for generating a user handle
associated with said user;
means, coupled to said generating means, for notifying each of said
security protocols of said user handle associated with said user;
means, coupled to said authenticating means, for generating new user
credentials for each of said security protocol;
means, coupled to said new user credentials generating means, for
associating said new user credentials with said user handle associated
with said user;
means, coupled to said associating means, for mapping said user handle to
said unique user's credentials for each program procedure;
means, coupled to said mapping means, for generating an alternate process;
means, coupled to said alternate process generating means, for tagging said
alternate process with said user handle associated with said user;
means, coupled to said tagging means, for granting access to said object
based on said new user credentials associated with said user handle.
10. The system according to claim 9 wherein said user handle associates
with said user via a user identifier.
11. The system according to claim 10 wherein said new user credentials is
based on the association of said user identifier, said user handle, and
said unique user credentials.
12. The system according to claim 9 wherein said alternate process acts in
behalf of said user.
13. The system according to claim 9 wherein said granting means acts upon
request from said alternate process for access to an object accessed
through said server.
14. In a computer networking system having a server coupled to a plurality
of clients, wherein each of said plurality of clients has access to a
plurality of program procedures accessed through said server, each said
program procedure having a security protocol required for access, unique
to each user of each of said plurality of clients, a method for unifying
said security protocols for each user based on unique user credentials
comprising the steps of:
authenticating the identity of said user based on information unique to
said user;
generating a user handle associated with said user;
notifying each of said security protocols of said user handle associated
with said user;
generating new user credentials for each of said security protocols;
associating said new user credentials with said user handle associated with
said user;
mapping said user handle to said unique user's credentials for each program
procedure; and
providing access to a requested program to a user base upon the mapping of
said user handle to said unique user's credentials, said step of providing
access to a requested program further comprising the steps of:
generating an alternate process;
tagging said alternate process with said user handle associated with said
user; and
generating access to said object.
15. The method according to claim 14 wherein said user handle associates
with said user via a user identifier.
16. The method according to claim 15 wherein said user credentials are
based on the association of said user identifier, said user handle, and
said unique user credentials.
17. In a computer networking system having a server coupled to a plurality
of clients, wherein each of said plurality of clients has access to a
plurality of program procedures accessed through said server, each said
program procedure having a security protocol required for access, unique
to each user of each of said plurality of clients, a method for unifying
said security protocols for each user based on unique user credentials
comprising the steps of:
authenticating the identity of said user based on information unique to
said user;
generating a user handle associated with said user;
notifying each of said security protocols of said user handle associated
with said user;
generating new user credentials for each of said security protocols;
associating said new user credentials with said user handle associated with
said user;
mapping said user handle to said unique user's credentials for each program
procedure; and
generating an alternate process based on the mapping of said user handle to
said unique user's credentials for each program procedure, wherein said
user handle associates with said user via a user identifier.
18. In a computer system having a plurality of program procedures, accessed
through a server, each said program procedure having a security protocol
required for access, unique to each user of each of said plurality of
program procedures, a method for unifying said security protocols for each
user based on unique user credentials comprising the steps of:
authenticating the identity of said user based on information unique to
said user;
generating a user handle associated with said user;
notifying each of said security protocols of said user handle associated
with said user;
generating new user credentials for each of said security protocol;
associating said new user credentials with said user handle associated with
said user;
mapping said user handle to said unique user's credentials for each program
procedure; and
providing access to a requested program to a user based upon the mapping of
said user handle to said unique user's credentials, wherein this step
further comprises the steps of:
generating an alternate process;
tagging said alternate process with said user handle associated with said
user; and
granting access to said object.
19. The method according to claim 18 wherein said user handle associates
with said user via a user identifier.
20. The method according to claim 19 wherein said new user credentials is
based on the association of said user identifier, said user handle, and
said unique user credentials.
21. The method according to claim 18 wherein said alternate process acts in
behalf of said user.
22. In a computer system having a plurality of program procedures, accessed
through a server, each said program procedure having a security protocol
required for access, unique to each user of each of said plurality of
program procedures, a security system for unifying said security protocols
for each user based on unique user credentials comprising:
means for authenticating the identity of said user based on information
unique to said user;
means, coupled to said authenticating means, for generating a user handle
associated with said user;
means, coupled to said generating means, for notifying each of said
security protocols of said user handle associated with said user;
means, coupled to said authenticating means, for generating new user
credentials for each of said security protocol;
means, coupled to said new user credentials generating means, for
associating said new user credentials with said user handle associated
with said user;
means, coupled to said associating means, for mapping said user handle to
said unique user's credentials for each program procedure; and
means for providing access to a program using selected results from said
mapping of said user handle to said unique user's credentials, said means
for providing access further comprising:
means, coupled to said mapping means for generating an alternate process;
means, coupled to said alternate process generating means, for tagging said
alternate process with said user handle associated with said user; and
means, coupled to said tagging means, for granting access to said object.
23. The system according to claim 22 wherein said user handle associates
with said user via a user identifier.
24. The system according to claim 23 wherein said new user credentials are
based on the association of said user identifier, said user handle, and
said unique user credentials.
25. The system according to claim 22 wherein said alternate process acts in
behalf of said user.
26. The system according to claim 22 wherein said granting means acts on
request from said alternate process for access to an object accessed
through said server.
Description
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates, generally, to computer systems and their
security, and, more particularly, to an operating system on a computer
system or network having multiple secured subsystems in which a user may
have access. More specifically, the present invention relates to providing
a universal security system in an operating system that allows a user to
access various subsystems or applications having their own specific
security measures whereby the user is allowed to log onto the various
subsystems using only a single security password.
2. Description of the Related Art
Many computer applications typically were written for operating systems
that did not provide any security. The designers of these applications
realized that a security system would be useful for certain clients and so
the designers added security systems to their applications. Some of these
applications are server programs that allow users to access resources on
that server and to run processes on the server on their behalf. Some
examples of operating systems without initial security measures are DOS,
OS/2, and Macintosh OS.
In the case of OS/2, some examples of processes that allow users access
include TELNET, OS/2 LAN SERVER, and NETRUN. TELNET is a program that
allows multiple users to log in across a network and access an OS/2 TELNET
server as if they were sitting in front of it. TELNET is part of the OS/2
TCP/IP offering. OS/2 LAN SERVER is a program that grants remote users
access to resources such as, for example, files, print queues, and serial
devices, on an OS/2 LAN SERVER. The NETRUN program allows remote users to
execute processes on their behalf on an OS/2 LAN SERVER. Each of these
programs has its own security measures.
The security support required by such programs can be split into three
areas. The first is user identification authority (UIA), which establishes
the association between user identification information and a process or
session. This information usually includes the user's credentials, which
may describe the user's identity, group memberships, administrative roles,
and special privileges. A user authentication services (UAS) is the second
security application. A UAS authenticates the user's identity based on
information provided by the user, such as, for example, a password,
signature, or token. The third security support is an access control
authority (ACA), which enforces access to objects based on the credentials
with which it is presented.
Since insecure operating systems do not provide these security mechanisms,
any application that requires security support has to develop its own UIA,
UAS, and ACA. Unfortunately, the trio of UIA, UAS and ACA developed by one
application is virtually certain to be incompatible with the trio of UIA,
UAS, ACA of an independently developed application. First, the credential
syntax and semantics are likely to differ between different, independently
developed UIA, ACA pairs. Second, one UIA, ACA pair has no way to retrieve
security data created, and associated with a process or session, by an
independent UIA, ACA pair.
For example, a user with the user name "LYNN," who logs onto an OS/2 server
via TELNET, would not be able to access a resource owned by an OS/2 LAN
SERVER on the same network, without an additional logon, because the user
is not known as "LYNN" to either the UIA or ACA of the LAN SERVER. The
user can only access resources managed by TCP/IP-based servers, since
TELNET establishes credentials that only those users can access and
understand.
Accordingly, what is needed is a system that allows for multiple different
concurrently active security subsystems to coexist on a single operating
system, by associating with each process information that different
security subsystems can map to their own (different) views of a user's
credentials.
SUMMARY OF THE INVENTION
It is therefore one object of the present invention to provide an operating
system having improved security.
It is another object of the present invention to provide a security system
on a computer system or network having multiple security subsystems in
which a user may have access.
It is yet another object of the present invention to provide a universal
security system and operating system that allows a user to access various
subsystems or applications having their own specific security measures
whereby the user is allowed to log onto the various subsystems using only
a single security password.
The foregoing objects are achieved as is now described.
According to the present invention, an operating system for a computer
system, either stand alone or networked, is disclosed. The operating system
provides improved security for programs available on the computer system
that have different security protocols. The operating system unifies these
security protocols for each user based on unique user credentials. Upon a
request by the user to start a program procedure, the system authenticates
the identity of the user based on information unique to that user. The
system then generates a user handle associated with the user, notifies each
of the security protocols of that user handle, and generates new user
credentials for each of the security protocols. These user credentials are
associated with the user handle, which is mapped to the unique user's
credentials for each program procedure. Once this is accomplished, the
system invokes an alternate process and tags the process with the user
handle. When the alternate process requests access to an object accessed
through the server, the system grants access to the object based on the new
user credentials associated with the user handle. The new user credentials
are typically based on an association of the user identifier, the user
handle, and the unique user credentials from before.
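The logon and access procedure summarized above, together with the incompatible-credentials problem from the related-art section, as an added Python simulation written for this page; it is not the patent's or OS/2's own implementation. The subsystem classes, credential formats, share name, process ids and password store are assumptions constructed for the example.

```python
# Simulation of the user-handle scheme described above (added example; names
# are assumptions for illustration, not an API from the patent or from OS/2).
import hashlib
import hmac
import secrets

# User authentication service (UAS): constructed store of password hashes.
# A real deployment would use a proper password KDF rather than a bare hash.
_USERS = {"LYNN": hashlib.sha256(b"salt:lynn-pw").hexdigest()}

def uas_authenticate(user, password):
    """Authenticate on information unique to the user (here, a password)."""
    digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    return hmac.compare_digest(_USERS.get(user, ""), digest)

class TelnetLikeSubsystem:
    """UIA/ACA pair whose credential is a session record keyed by login name."""
    name = "TELNET"
    def make_credentials(self, user, handle):
        return {"login": user.lower(), "session": handle[:8]}
    def check_access(self, cred, obj):
        return obj.startswith("tcp:") and cred.get("login") == "lynn"

class LanServerLikeSubsystem:
    """UIA/ACA pair whose credential is a tuple checked against a share ACL."""
    name = "LAN SERVER"
    acl = {r"\\SRV\SHARE": {"LYNN"}}  # constructed ACL: share -> allowed users
    def make_credentials(self, user, handle):
        return ("LS", user.upper(), ("users",))
    def check_access(self, cred, obj):
        return cred[1] in self.acl.get(obj, set())

class UnifiedSecurity:
    """Operating-system layer that unifies the subsystems around a user handle."""
    def __init__(self, subsystems):
        self.subsystems = {s.name: s for s in subsystems}
        self.handles = {}    # user handle -> user identifier
        self.creds = {}      # (handle, subsystem name) -> that subsystem's credentials
        self.processes = {}  # pid -> handle tagged on the alternate process

    def logon(self, user, password):
        if not uas_authenticate(user, password):
            return None
        handle = secrets.token_hex(16)                 # generate the user handle
        self.handles[handle] = user
        for name, sub in self.subsystems.items():      # each subsystem maps the handle
            self.creds[(handle, name)] = sub.make_credentials(user, handle)  # to its own creds
        return handle

    def start_process(self, handle, pid):
        if handle not in self.handles:
            raise PermissionError("unknown user handle")
        self.processes[pid] = handle                   # tag the alternate process

    def access(self, pid, subsystem_name, obj):
        """pid -> handle -> subsystem credentials; the subsystem's ACA decides."""
        handle = self.processes.get(pid)
        cred = self.creds.get((handle, subsystem_name))
        if handle is None or cred is None:
            return False                               # untagged or unknown: deny
        return self.subsystems[subsystem_name].check_access(cred, obj)

def cross_subsystem_without_handle():
    """Pre-invention case: TELNET credentials handed straight to LAN SERVER."""
    telnet_cred = TelnetLikeSubsystem().make_credentials("LYNN", "0" * 32)
    try:
        return LanServerLikeSubsystem().check_access(telnet_cred, r"\\SRV\SHARE")
    except (KeyError, TypeError):
        return False  # incompatible credential syntax: it cannot even be parsed

def demo():
    sec = UnifiedSecurity([TelnetLikeSubsystem(), LanServerLikeSubsystem()])
    handle = sec.logon("LYNN", "lynn-pw")              # single password logon
    sec.start_process(handle, pid=4242)
    return {
        "telnet": sec.access(4242, "TELNET", "tcp:console"),
        "lan": sec.access(4242, "LAN SERVER", r"\\SRV\SHARE"),
        "untagged": sec.access(9999, "LAN SERVER", r"\\SRV\SHARE"),
        "bad_password": sec.logon("LYNN", "wrong") is None,
    }
```

The same logon reaches both subsystems through the handle, while a process that carries no handle is denied regardless of which user is logged on elsewhere.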
BRIEF DESCRIPTION OF THE DRAWINGS
The novel features believed characteristic of the invention are set forth
in the appended claims. The invention itself, however, as well as a
preferred mode of use, further objectives and advantages thereof, will
best be understood by reference to the following detailed description of
an illustrative embodiment when read in conjunction with the accompanying
drawings, wherein:
FIG. 1 depicts a networking system implementing a security system according
to the present invention;
FIG. 2 is a flowchart depicting the method by which a single password and
user name are used to access different security systems on the network of
FIG. 1;
FIGS. 3A and 3B depict a block diagram of the system flow according to
FIGS. 2 and 4;
FIG. 4 is a flowchart depicting the operation of the child process
according to the present invention; and
FIG. 5 depicts a flowchart of the operational hierarchy used in FIGS. 2-4.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
With reference now to the figures and in particular with reference to FIG.
1, there is depicted a pictorial representation of a distributed data
processing system 8 which may be utilized to implement the method and
system of the present invention. As may be seen, distributed data
processing system 8 may include a plurality of networks, such as Local
Area Networks (LAN) 10 and 32, each of which preferably includes a
plurality of individual computers 12 and 30, respectively. Of course,
those skilled in the art will appreciate that a plurality of Intelligent
Work Stations (IWS) coupled to a host processor may be utilized for each
such network.
As is common in such data processing systems, each individual computer may
be coupled to a storage device 14 and/or a printer/output device 16. One
or more such storage devices 14 may be utilized, in accordance with the
method of the present invention, to store the various data objects or
documents which may be periodically accessed and processed by a user
within distributed data processing system 8, in accordance with the method
and system of the present invention. In a manner well known in the prior
art, each such data processing procedure or document may be stored within
a storage device 14 which is associated with a Resource Manager or Library
Service, which is responsible for maintaining and updating all resource
objects associated therewith.
Still referring to FIG. 1, it may be seen that distributed data processing
system 8 may also include multiple mainframe computers, such as mainframe
computer 18, which may be preferably coupled to Local Area Network (LAN)
10 by means of communications link 22. Mainframe computer 18 may also be
coupled to a storage device 20 which may serve as remote storage for Local
Area Network (LAN) 10. A second Local Area Network (LAN) 32 may be coupled
to Local Area Network (LAN) 10 via communications controller 26 and
communications link 34 to a gateway server 28. Gateway server 28 is
preferably an individual computer or Intelligent Work Station (IWS) which
serves to link Local Area Network (LAN) 32 to Local Area Network (LAN) 10.
As discussed above with respect to Local Area Network (LAN) 32 and Local
Area Network (LAN) 10, a plurality of data processing procedures or
documents may be stored within storage device 20 and controlled by
mainframe computer 18, as Resource Manager or Library Service for the data
processing procedures and documents thus stored.
Of course, those skilled in the art will apprecia