Query interface to policy server

US9438577B2 · US · B2

Patent metadata

Publication number: US-9438577-B2
Application number: US-201313967202-A
Country: US
Kind code: B2
Filing date: Aug 14, 2013
Priority date: Mar 10, 1997
Publication date: Sep 6, 2016
Grant date: Sep 6, 2016


Abstract

Official abstract text for this publication.

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control database to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including sources external to the policy server.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for end-to-end encryption, the method comprising: receiving an encrypted message at a first access filter in a virtual private network session, the data packet sent from a client device associated with the first access filter, the data packet addressed to a server associated with a second access filter, wherein there are one or more intermediate access filters between the first access filter and the second access filter, each intermediate access filter applying one or more access policies; executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor: decrypts the message based on a secret shared between the client device and the first access filter, wherein the decrypted message includes authentication information related to a user of the client device, verifies that the user of the client device is permitted to access the server based on the authentication information, and reencrypts the message based on a transport key shared between the first access filter and the second access filter, wherein the transport key is generated from public and private keys; and sending the reencrypted message through one or more intermediate access filters to the second access filter, wherein the one or more intermediate access filters allow the reencrypted message through based on authentication at the first access filter without requiring decryption at the respective intermediate access filter, wherein the second filter decrypts the reencrypted message sent through the one or more intermediate access filters and performs IP-level access checking on an original header before further reencrypting the message for the server, wherein the original header is encrypted while passing through the one or more intermediate access filters, wherein the only unencrypted IP address associated with the reencrypted message are associated with the first access filter or the second access filter, and wherein the second access filter further reencrypts the message for the server.

2. The method of claim 1, wherein a tunnel is constructed on a path between the first access filter and the second access filter.

3. The method of claim 1, further comprising maintaining an access control database in memory, wherein the access control database stores identification and certification information for the client, the server, and the first and second access filters.

4. The method of claim 3, wherein the access control database further stores identification and certification information for the intermediate access filters along a path between the first and second access filters.

5. The method of claim 4, wherein the one or more access filters allow the session based on authentication at the first access filter.

6. The method of claim 1, wherein the transport key is encrypted.

7. The method of claim 1, further comprising configuring the client device by providing the client device with a certificate associated with the first access filter, wherein the first access filter is provided with a certificate associated with the client device.

8. The method of claim 1, wherein the second access filter determines that the reencrypted message sent through the one or more intermediate access filters is really from the first access filter before further reencrypting the message for the server.

9. The method of claim 1, wherein the second access filter determines that the reencrypted message sent through the one or more intermediate access filters has not been tampered with before further reencrypting the message for the server.

10. A system for end-to-end encryption, the system comprising: a client device; a server; and a first access filter associated with the client device that: receives an encrypted message in a virtual private network session, the data packet sent from the client device, the data packet addressed to a server associated with a second access filter, wherein there are one or more intermediate access filters between the first access filter and the second access filter, each intermediate access filter applying one or more access policies, and executes instructions stored in memory, wherein execution of the instructions by a processor: decrypts the message based on a secret shared between the client device and the first access filter, wherein the decrypted message includes authentication information related to a user of the client device, verifies that the user of the client device is permitted to access the server based on the authentication information, and reencrypts the message based on a transport key shared between the first access filter and a second access filter associated with the server, wherein the transport key is generated from public and private keys; and sends the reencrypted message through one or more intermediate access filters to the second access filter, wherein the one or more intermediate access filters allow the reencrypted message through based on authentication at the first access filter without requiring decryption at the respective intermediate access filter, wherein the second filter decrypts the reencrypted message sent through the one or more intermediate access filters and performs IP-level access checking on an original header before further reencrypting the message for the server, wherein the original header is encrypted while passing through the one or more intermediate access filters, wherein the only unencrypted IP address associated with the reencrypted message are associated with the first access filter or the second access filter, and wherein the second access filter further reencrypts the message for the server.

11. The system of claim 10, further comprising the second access filter associated with the server.

12. The system of claim 10, wherein a tunnel is constructed on a path between the first access filter and the second access filter.

13. The system of claim 10, further comprising an access control database that stores identification and certification information for the client, the server, and the first and second access filters.

14. The system of claim 13, wherein the access control database further stores identification and certification information for the intermediate access filters along a path between the first and second access filters.

15. The system of claim 14, wherein the one or more access filters allow the session based on authentication at the first access filter.

16. The system of claim 10, wherein the transport key is encrypted.

17. The system of claim 10, wherein the client device is configured by providing the client device with a certificate associated with the first access filter, wherein the first access filter is provided with a certificate associated with the client device.

18. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for end-to-end encryption, the method comprising: receiving an encrypted message in a virtual private network session, the data packet sent from a client device associated with the first access filter, the data packet addressed to a server associated with a second access filter, wherein there are one or more intermediate access filters between the first access filter and the second access filter, each intermediate access filter applying one or more access policies; decrypting the message based on a secret shared between the client device and the first access filter, wherein the decrypted message includes authentication
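The relay described in claim 1 (client to first access filter, one policy check there, intermediate filters that forward on the outer addresses without decrypting, second access filter that verifies the transport layer and checks the original header before re-encrypting for the server), as an added Python example that is not code from the patent or its assignee. The cipher, the key values, the filter addresses and the user-group/information-set/policy data are all constructed stand-ins.

```python
"""Toy model of the relay in claim 1 (added example, not the patent's code). The
cipher is a stdlib stand-in (SHA-256 keystream + HMAC tag), the transport key is a
constant instead of a public/private-key derivation, and all policy data is constructed."""
import hashlib, hmac, json
def _xor(key, data):  # keystream cipher; toy only, never reuse a key like this
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, plaintext):  # encrypt, then append a 32-byte authentication tag
    ct = _xor(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()
def unseal(key, sealed):  # verify the tag first; reject tampering or a wrong key
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("tampered or wrong key")
    return _xor(key, ct)

CLIENT_SECRET, TRANSPORT_KEY, SERVER_KEY = b"client-secret", b"transport-key", b"server-key"
USER_GROUPS = {"alice": {"engineering"}, "mallory": {"guests"}}  # user -> groups (constructed)
INFO_SETS = {"10.0.2.5": {"source-code"}}                         # server -> information sets
POLICIES = {("engineering", "source-code")}                       # (group, set) pairs allowed

def first_filter(sealed):
    """Decrypt with the client secret, check policy once, re-encrypt with the transport key."""
    msg = json.loads(unseal(CLIENT_SECRET, sealed))
    allowed = any((g, s) in POLICIES for g in USER_GROUPS.get(msg["user"], ())
                  for s in INFO_SETS.get(msg["dst"], ()))
    if not allowed:
        return None  # denied at the first filter; nothing is forwarded
    # Original header stays inside the ciphertext; only the filter addresses are visible.
    return {"src": "filter-A", "dst": "filter-B", "body": seal(TRANSPORT_KEY, json.dumps(msg).encode())}
def intermediate_filter(packet):
    """Forwards on the outer filter addresses alone; the body is never decrypted."""
    if packet["src"] != "filter-A" or packet["dst"] != "filter-B":
        raise ValueError("unknown filter addresses")
    return packet
def second_filter(packet):
    """Authenticate the transport layer, IP-level check on the original header, re-encrypt for server."""
    msg = json.loads(unseal(TRANSPORT_KEY, packet["body"]))
    if msg["dst"] not in INFO_SETS:
        raise ValueError("original header names an unknown server")
    return seal(SERVER_KEY, json.dumps(msg).encode())
def run_session(user, dst, payload="GET /repo"):
    """Client -> filter A -> intermediate -> filter B -> server; returns what the server reads."""
    inner = json.dumps({"user": user, "dst": dst, "payload": payload}).encode()
    packet = first_filter(seal(CLIENT_SECRET, inner))
    if packet is None:
        return None
    return json.loads(unseal(SERVER_KEY, second_filter(intermediate_filter(packet))))
```

A message whose transport-layer tag has been altered in transit is rejected by the second filter (claim 9), and a user whose groups match no policy is dropped at the first filter before anything is forwarded.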

Assignees

Dell Software Inc

Classifications

  • H04L63/105 (Primary)

    Multiple levels of security · CPC title

  • H04L63/08 (Primary)

    for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • where protection concerns the structure of data, e.g. records, types, queries · CPC title

  • Virtual private networks · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Dell Software Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/105. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 6, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).