Enterprise security system

摘要

A platform of Trust Management software which is a single, customizable, complete distributed computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within a distributed computing environment.

主权项

1. A non-transient computer-readable medium comprising computer software comprising code for providing one time authentication to a distributed computing environment using any known authentication mechanism and assigning a level of trust to the authentication mechanism used, wherein-authentication is separated from authorization, allowing authorization to be based on said level of trust to secure communications within said environment, and wherein said environment includes at least one originating entity and at least one target entity and one or more trusted third party servers, said one or more third party servers evaluating said authentication mechanism used by said originating entity and assigning a level of trust calculated by the confidence it has in the authentication mechanism used, wherein said level of trust can be used to dynamically change access within said environment, said entity selected from the group consisting of uniquely identifiable computer services on a computer, uniquely identifiable computers on a computer network, uniquely identifiable BIOS residing in a computer, uniquely identifiable computer chips residing in a computer, uniquely identifiable devices attached to a computer, uniquely identifiable devices capable of independent communication on a computer network, uniquely identifiable operating systems running on a computer, uniquely identifiable applications running on a computer, uniquely identifiable instances of an application running on a computer, uniquely identifiable business processes running on a computer, uniquely identifiable instances of a business process running on a computer, and uniquely identifiable persons, said code comprising:
a. code for authenticating the identity of said originating entity using one of a predetermined plurality of known authentication mechanisms, said mechanism being separately evaluated and assigned a level of trust by said server, said authentication of identity being limited in use to authentication only, and wherein not all of the predetermined plurality of authentication mechanisms are trusted at a same level of trust other than untrusted; a1. code for evaluating via said server how secure is said authentication mechanism used by said now authenticated originating entity; a2. code for calculating the confidence said server has in the instance of the authentication mechanism used; a3. code for assigning a level of trust that will be associated with said confidence; a4. code for dynamically calculating using said level of trust what authorization, access and information can be granted to said originating entity regarding said target entity; b. code for transmitting a response, from said server to said originating entity regardless of the authentication mechanism used, containing a first binding element composed of at least a random number encrypted using a key derived from a secret stored by the said server about the originating entity and its request to access said target entity, and a trust level indicating the level of confidence said server has associated with said originating entity's authentication mechanism instance; c. code for transmitting a second request that changes and transforms said response containing a first binding element by using knowledge of the same secret of itself, from said originating entity regardless of the authentication mechanism it has used, to said server, thereby requesting a second binding element from said server; d. code for transmitting a second response containing said second binding element including a randomly generated unique signature regarding said originating entity and its request to access said target entity to be used by said target entity, from said server to said originating entity; e. code for transmitting said second response containing said second binding element, from said originating entity to said target entity; f. code for transmitting a response from said target entity to said originating entity indicating access acceptance of said originating entity by said target entity; and g. code for creating a secure communication link between said target entity and said originating entity based on said evaluations, assignments and calculations.