`Schneider et al.
`
`US006408336B1
`US 6,408,336 B1
`*Jun. 18,2002
`
`(10) Patent N0.:
`(45) Date of Patent:
`
`(54)
`
`(76)
`
`DISTRIBUTED ADMINISTRATION OF
`ACCESS TO INFORMATION
`
`Inventors: David S. Schneider, 5338 Hinton Ave.,
`Woodland Hills, CA (US) 91367;
`Michael B. Ribet, 3525 Cass Ct. #617,
`Oak Brook, IL (US) 60523; Laurence
`R. Lipstone, 22724 Sparrow Dell Dr.,
`Calabasas, CA (US) 91302; Daniel
`Jensen, 6853 Encino Ave., Van Nuys,
`CA (US) 91406
`
`(*)
`
`Notice:
`
`This patent issued on a continued pros
`ecution application ?led under 37 CFR
`1.53(d), and is subject to the tWenty year
`patent term provisions of 35 U.S.C.
`154(a)(2).
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 0 days.
`
`(21)
`(22)
`
`(60)
`
`(51)
`(52)
`(58)
`
`(56)
`
`Appl. No.: 09/034,507
`Filed:
`Mar. 4, 1998
`
`Related US. Application Data
`Provisional application No. 60/039,542, ?led on Mar. 10,
`1997, and provisional application No. 60/040,262, ?led on
`Mar. 10, 1997.
`
`..... .. G06F 15/16; G06F 9/00
`Int. Cl.7 ................... ..
`
`US. Cl. ................... ..
`................. .. 709/229; 713/201
`
`Field of Search ...... ..
`....................... .. 709/225, 229;
`713/201; 345/335, 969, 741_743
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`_
`Smith .......................... .. 707/1
`Nishikado et al.
`707/8
`707/1
`Janis .............. ..
`711/163
`Janis .... ..
`Janis ___________________________ __ 707/1
`
`9/1990
`4,956,769 A *
`4/1991
`5,012,405 A *
`5,263,157 A
`* 11/1993
`5,263,158 A
`* 11/1993
`5,263,165 A
`* 11/1993
`
`(List continued on neXt page.)
`
`FOREIGN PATENT DOCUMENTS
`
`W0
`
`W0 96 05549 A
`
`2/1996
`
`........... .. G06F/1/00
`
`OTHER PUBLICATIONS
`
`Computer Dictionary, 2d ed., Microsoft Press, Redmond,
`Washington, p. 215, Oct. 1993*
`
`(List continued on neXt page.)
`
`Primary Examiner—Zarni Maung
`Assistant Examiner—AndreW CaldWell
`(74) Attorney, Agent, or Firm—Gordon E. Nelson
`(57)
`ABSTRACT
`
`A scalable access ?lter that is used together With others like
`it in a virtual private netWork to control access by users at
`clients in the netWork to information resources provided by
`servers in the netWork. Each access ?lter use a local copy of
`an access control data base to determine Whether an access
`request made by a user. Changes made by administrators in
`the local copies are propagated to all of the other local
`copies. Each user belongs to one or more user groups and
`each information resource belongs to one or more informa
`tion sets. Access is permitted or denied according to of
`access policies Which de?ne access in terms of the user
`groups and information sets. The rights of administrators are
`similarly determined by administrative policies. Access is
`further permitted only if the trust levels of a mode of
`identi?cation of the user and of the path in the netWork by
`Which the access is made are suf?cient for the sensitivity
`level of the information resource. If necessary, the access
`?lter automatically encrypts the request With an encryption
`method Whose trust level is suf?cient. The ?rst access ?lter
`in the path performs the access check and encrypts and
`authenticates the request; the other access ?lters in the path
`do not repeat the access check.
`
`48 Claims, 31 Drawing Sheets
`
`U.S. PATENT DOCUMENTS
`
`5,652,787 A * 7/1997 O’Kelly .................... .. 379/112
`5,720,033 A * 2/1998 Deo ......................... .. 713/200
`5,787,427 A * 7/1998 Benantar et al. ............. .. 707/9
`5,787,428 A * 7/1998 Hart ............................ .. 707/9
`
`DEFINBEOEJSERS
`
`_
`
`DEggqCEULéSéER
`805
`7*
`
`ADD USERS
`To GBIZ‘SUPS
`
`Q
`
`DEFINE
`RESOURCES
`
`5%
`
`DEFINE
`INFORMATION
`SETS
`B1_1
`
`ADD
`RESOURCES
`TO SETS
`
`5.13
`
`CREATE
`POLICIES
`@?
`
`Petitioner Apple Inc. - Ex. 1020, p. 1
`
`
`
`US 6,408,336 B1
`Page 2
`
`5,796,951 A * 8/1998 Hamner et al- ----------- -- 709/223
`2 i
`éilsepg er 9% ~~~~~~~~~~~~~ ~~
`
`We et a . ............. ..
`
`’
`’
`709/226
`5,859,978 A * 1/1999 Sonderegger et a1.
`5,862,325 A : 1/1999 Reed et a1. ............... .. 709/201
`2 *
`‘bygeigignere’tlg'let a1‘
`5,941,947 A * 8/1999 Brown et a1‘ ~~~~~~~~~~~~~ n 709025
`5,991,807 A * 11/1999 Schmidt et a1.
`709/225
`
`6,085,191 A * 7/2000 Fisher et al. . . . . . .
`
`. . . . .. 707/9
`
`~~~~ " 707/9
`6,105,027 A * 8/2000 Schneider et a1‘
`713/168
`6,178,505 B1 * H2001 Schneider et aL
`6,253,251 B1 * 6/2001 Benantar et a1. __________ __ 709/315
`
`OTHER PUBLICATIONS
`
`Edwards, K., “Policies and Roles in Collaborative Applica
`tions,” Proc. of the ACM 1996 Conf. on Computer Sup
`ported Cooperative Work, pp. 11—20, Nov. 1996.*
`Lampson, B., et al., “Authentication in Distributed Systems:
`Theory and Practice,” Proc. of the 13th ACM Symp. on
`Operating Systems Principles, pp. 165—182, Oct. 1991.*
`Gladney, H., “Access Control for Large Collections,” ACM
`Trans. on Information Systems, vol. 15, No. 2, pp. 154—194,
`Apr. 1997.*
`Shen, H., et al., “Access Control for Collaborative Environ
`ments,” Conf. Proc. on Computer—Supported Collaborative
`Work, ACM, pp. 51—58, Nov. 1992*
`Reiter, M., et al., “Integrating Security in a Group Oriented
`Distributed System,” Proc. of Research in Security & Pri
`vacy, 1992, IEEE, pp. 18—32, May 1992.*
`
`Toy, M., “AT&T’s Electronic Mail Service for Government
`Users—FTS2000MAIL,” Globecom ’92, IEEE, vol. 2, pp.
`
`950—957 D . 1992.*
`’
`66
`Che_fun Yu, Access Control and authorization plan for
`customer control of netWork services, in: IEEE Global
`Telecommunications Conference and exhibition, Conference
`Record, V01- 2, PP- 862—869
`
`.
`
`.
`
`.
`
`.
`
`.
`
`.
`
`PCT/US98/04522, Partial international search, With 1nd1ca
`tions of relevance of the references cited above. (PCT/US98/
`04522 has the same Speci?cation as the application in Which
`this IDS is being ?led).
`
`CheckPoint FireWall—1TM White Paper, Version 2.0—Jun.
`1995. http://WWW.integralis.co.uk/checkpnt/?reWall/White.
`Checkpoint FireWall—1, http://WWW.metadigm.co.uk/fWl/.
`1996 Metadigm Ltd.
`
`Commercial FireWalls and Related FW Products, http://
`hp735c.csc.cuhk.hk/?reWall.html. Mar. 23, 1996.
`
`Five Domains of NetWork Security, Technical OvervieW of
`the
`Eagle,
`http://WWW.raptor.com/
`T22NZ.Z56DAM.BF3AQD.F2.
`FireWalls and Security Related Information, http://WWWna
`cisa.nato.int/FWVENDORHTM.
`
`* cited by examiner
`
`Petitioner Apple Inc. - Ex. 1020, p. 2
`
`
`
`US. Patent
`
`S
`
`13f0
`
`3
`
`1B
`
`m:
`
`mm>mmm
`
`-mm:
`
`3%,
`
`5va
`
`333%
`
`258
`
`
`
`2$52as..........ESE$80‘‘‘‘‘‘‘m.9805?.film5.........$82mmmmwmm,158ESE.......E.mom$52mBusmmm52%;;
`
`
`
`
`
`észz.
`
`1IIIaEmoamsgmm5.3.5me
`
`0N:$22as
`
`3|<E2889:
`
`xmm:
`W,EEE4:5;_._n_
`
`E0252.
`
`
`
`4,\lf'lllll/MEmsU3vax5252
`E0252._<zmm:z_
`
`
`
`Petitioner Apple Inc. - EX. 1020, p. 3
`
`Petitioner Apple Inc. - Ex. 1020, p. 3
`
`
`
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 2 0f 31
`
`US 6,408,336 B1
`
`Umom
`
`38w
`
`58m
`
`Amvmom
`
`$5:882E5:88%ESE$82$5:$82
`
`
`E?52mi:102210«.5572
`
`..’i!ll.-m9
`
`mmlll.5N
`
`FltE32
`
`
`
`
`-B-.M.--B-_M.--6-_MI-Fln
`
`
`
`Eonmm5:8maxoé5:8E522
`
`
`
`.M-mEmH.mDmE8NBN8Nema3mgH$2722$233$2232
`
`
`$5:$82mm—mm—cfiwmmEMme
`3%-B-.M---3-.MI.H.M
`
`
`
`AMI
`
`
`
`
`
`...IuEMF-Ewwwoo<
`
`$5:$82
`
`
`
`Pm2va.@MI0_M-
`
`83m.55ZO_._.<SEOH_Z_an
`
`SI
`
`l5
`
`
`
`
`
`
`
`.WIFIN-m-.mW.-.W.N.9“—
`
`Petitioner Apple Inc. - EX. 1020, p. 4
`
`Petitioner Apple Inc. - Ex. 1020, p. 4
`
`
`
`
`
`
`
`
`US. Patent
`
`m
`
`mm.m,
`
`mM3
`
`0004,6SU
`
`1B633,
`
`20E.EIsommEmma
`
`
`
` g>039;wwwoo<
`
`zo_.~<s_mon_z_
`
`a9mm
`
`zO_._.<S_mOn_z_
`
`mmom30mmm
`
`alum
`
`mom>039”.
`
`
`J8““:LIEmoEmw:
`.z__>_o<
`
`Emma
`
`mnSOEO
`
`%
`
`>m<z§mo
`
`EmnSOmo
`
`1mm:
`
`-EfiZmQ
`
`ZO_._.<0
`
`Omz.
`
`wla
`
`>039.
`
`
`
`mmxgz>O_._On_
`
`%>030m
`
`m.mE
`
`\Ill'\f|||||J
`
`mmm:
`
`mnSOmO
`
`m5
`
`Petitioner Apple Inc. - EX. 1020, p. 5
`
`Petitioner Apple Inc. - Ex. 1020, p. 5
`
`
`
`S
`
`1B633,
`
`£5
`
`UIquF2:.
`
`aHn:“u6EQ0Sun...
`8II.......mE.mWEI...
`
`m$5:332
`
`US. Patent
`
`n.HJ
`
`4w
`
`3va
`
`
`
` mmmhdmwmmoo<
`
`
`
`VEO>>>mz
`
`.I--.:“u2.._._..I..”“_._......._8,n1_
`2uflu“_...I.u.-._0.My_a»...0Wm.
`
`%Em?
`
`e55:$83.
`
`f,uu“II..-0_
`
`_.__I.IIn...
`I_l|.._.IflluxI_W»...a_#4.“...
`
`"WUWIII_II-.:I3in”._:.II.?
`.II._IIIII
`
`1.1IIQ_.-.II.I_I"u..rm2.
`
`”FM".”u.IIIIII._
`am"...1x“_
`
`“.INFIII_.II.IomIIIImI
`
`.#1I4v.....
`
`"qua...._I..umIIIJI
`.IIJ.“Fm,».
`
` hm"4.uxh.”THAI".._.IIIIIII_______
`
`IIIIIIIIII%L.
`
`H\\.\\é
`IlIlIl
`
`II.\I1
`
`
`
`my...“mm2<0m
`
`.r1-I._JIM.._mum.--“
`.1\IIu_”‘___.
`
`“.IMIuFIII._.II”Imam...
`
`IIL__JrI
`
`ll—.u___
`
`___NEG_”IIIII.-_I“
`
`WQIIJ_.-I:3._._Ilu_____II..‘_
`__.m..._u"Lana...
`HI.__rIIII
`
`38v
`
` >o_._OmmmhmflzmmmZE
`
`mmmoo<
`
`mm0<z<§
`
`
`
`Qmovmmdoz<m9
`
`
`
`—muSEwmmood
`
`anmo
`
`"we".-..u
`"1....”u——_
`
`—__wall.I...IH."PM...
`
`-fillu-J—_u—an"._:II..._ruu.n.IIII
`
`
`
`“Wu..---n-$4.qu
`_.Pu.
`
`Petitioner Apple Inc. - EX. 1020, p. 6
`
`Petitioner Apple Inc. - Ex. 1020, p. 6
`
`
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 5 0f 31
`
`US 6,408,336 B1
`
`1-..---LL0..1n.u....¢m_uuuuuuEmov_L.-0-.......:.L-WWLW...Ll..LL£00.00...-LL...00...LL0..HL.0..0_.LLLawn--.7-.._LLawn.-.”1|“.mL00-10-.NflumLnnnnnn
`
`
`
`
`.,_.--0.0L..2.0.0....ELLLL......._._ELLL....0.0.0...LLLL--LL11LLLL.LNI...111110”-0th._uuuuuuNah-0._......will...._IIIIII
`
`
`L-...--......L...me00...L010..-.LL...WW-LL10LL..L..0L0L-..-..W..0...0LL.L0L-.-.
`
`
`
`.700..-r:|__.L,u0u..Ill.
`
`
`
`
`_TWNULIL".wfiduc__L""HIEIIcI»»u__|||‘“"_WIVHWIIInIIZIIx:
`
`
`
`
`
`_..-.,.0......flL
`
`_
`
`IIIII:
`
`_
`
`0...“...00.L0710-111-0000--.._...................
`
`
`LM.-:LL?LLL.LL000;._LLILLLamt-LEmmmoo<LL_-mmyzLuLmmmOO<L
`
`
`00mm.0---L............--00000L_.............n-----L
`
`.
`
`L.
`C)
`u)
`
`
`
`
`
`IIIII’1IJUL0.l.In4III._IHIII:NOV.......mm_H—...mnfl.L£90.00...LWML__..0»...00.
`.llllllH.1IJU..
`
`
`-“HQ—04'fil|.__lll“
`
`
`
` "fidnlt1IIIIII‘_0.._._.....IJ._Hum-IV__uHm-n0.Narnia....Lu0'»L.J.0|:0....1.“Iilll.llI0_I._11h.EmsILay-..-.......LLLB----..-L_.-.....L
`
`T"
`9'1“
`
`Petitioner Apple Inc. - EX. 1020, p. 7
`
`_-----------------.----mL-m-o-,Wz-WW,L.....L.....WWL-WLWLNLWLLEL
`
`__._.
`
`
`
`
`
`
`
`
`
`flIlv||a||||IIlIIIIIL>O_.LOn_nLDvLO<mL>O_._OnLmmhm<§Llllllllllllllllllll
`
`[I
`LLl
`'—
`:1LL.
`U)
`(J)
`Lu
`C.)
`
`O<
`
`me>262
`
`$5.:$82LLN$5:$803
`
`-HHHHHHHHmeL-WMLTW----...-........H..H..L-.m-L.L.m-o-z.<2:
`
`
`
`.mmL>L<Om
`
`Petitioner Apple Inc. - Ex. 1020, p. 7
`
`
`
`
`
`U.S. Patent
`
`Jun. 18,2002
`
`Sheet 6 6f 31
`
`US 6,408,336 B1
`
`
`
`00% Kr kr
`
`@ .mE
`
`6% ms 28%8 m5 666m
`6% 6; 25:26 8% 65% 5
`
`9 28;; 216m 22a
`
`262 962 255
`
`m8 wow
`
`
`
`5:835:64. E3252 E2555 E2552 Ema \ 63c.
`
`
`
`
`
`
`
`72,3 252%
`
`Petitioner Apple Inc. - Ex. 1020, p. 8
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 7 0f 31
`
`US 6,408,336 B1
`
`
`
`
`
`a55m$82W-mm+.4._wwmm._mfi.mW-m.w+.4._wmmm.wwm.m
`
`
`
`€952magi!85:6mmduz<
`
`
`
`_2.5:“.mu53E.rimmmszom
`@vam9
`
`.8-.3”Eu
`
`0mELmomaommm9;:.fl.
`
`humomm
`
`>.:>_._._mzww
`
`hum—0mm
`
`'5'
`'1?
`“9-
`MM.“
`II
`17:!
`I
`
`€85-m
`
`mmFL."
`
`
`
`emus—n.wwmoo<
`
`
`
`ImmwW522;m.....Eomwm----.mflh.-%._.4.om_.u.esfi.w532E552
`
`Petitioner Apple Inc. - EX. 1020, p. 9
`
`Petitioner Apple Inc. - Ex. 1020, p. 9
`
`
`
`
`
`
`U.S. Patent
`
`Jun. 18,2002
`
`Sheet 8 0f 31
`
`US 6,408,336 B1
`
`DEF'NE
`RESOURCES
`8Q
`
`I
`DEF'NE
`INFORMATION
`SETS
`81_1
`
`I
`
`ADD
`RESOURCES
`TO SETS
`M
`
`DEFINE USERS
`803
`_
`
`U
`DEFINE
`GROULéSSER
`805
`*
`
`V
`
`ADD USERS
`TO GROUPS
`807
`_
`
`Sol
`
`CREATE
`POLICIES
`5i
`
`Fig. 8
`
`Petitioner Apple Inc. - Ex. 1020, p. 10
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 9 0f 31
`
`US 6,408,336 B1
`
`Eggs.a.
`25%wow299m3850
`285:8.528:282%e262%
`
`
`
`II"mcozEzmoEm:
`
`mBEbEEEgmm
`
`5525@
`
`
`
`"£320.3:
`
`oofioomdomdmv
`
`omfoomdomdm—
`
`mtdomdomdmw
`
`oowdomdomdmr
`
`mmwdomdomdmw
`
`omwdoudcwdmw
`
`vFFrF
`
`a;E30383
`838.08%
`368.03%
`338.08%
`33038.3F636863
` Eflmoi225233&EEEEmoEmEBm>m@-F:ooNcom.9:
`
`
`I-omm
`towmcotmmsmcm
`
`m2Efi
`
`35:5
`
`cozmfimEBoo
`
`
`
`tonqnm:08.
`
`EcodommaemwE.
`
`2959003fl
`
`om
`
`Petitioner Apple Inc. - EX. 1020, p. 11
`
`Petitioner Apple Inc. - Ex. 1020, p. 11
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 10 0f 31
`
`US 6,408,336 B1
`
`
`IIIII.I.III.IIIIIAIIII.III%:5.0!
`3533:98I'll5222:858BE
`
`Hmcgs@%.95EME®
`22mea«2.5::Euse:a3525m
`
`mEmEtmamommh
`223:3”.@20:83W.
`
`
`
`
`
`.mmuhzommmo_nm__m><”3mm350me
`
`IE5%:
`
`E2585;§El
`
`9.mi
`
`Petitioner Apple Inc. - EX. 1020, p. 12
`
`Petitioner Apple Inc. - Ex. 1020, p. 12
`
`
`
`
`US. Patent
`
`uJ
`
`200
`
`11teehS
`
`f
`
`04,6SU
`
`1B63
`
`2,EF/222w>>o=<
`
`n.>55
`8525m3.8::—a95m5525wMBofiszEu.a
`“w60....23:858SE
`03:05Em:
`
`
`E5%;
`
`F2385;5..EI
`
`“SEE.m
`
`
`
`Petitioner Apple Inc. - EX. 1020, p. 13
`
`Petitioner Apple Inc. - Ex. 1020, p. 13
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 12 0f 31
`
`US 6,408,336 B1
`
`i228mm:
`
`
`
` mm2m>53$:3Ommgm>€536m©
`
`E5.52
`
`
`
`
`
`
`
`I’lllllglll’llll’la$33a20.3gE2,852,.2EI
`
`$828:50BEIan.I3839“.285thBEES
`883$28«6:55Eogwwmm993D
`.253.2asm385EEuE
`
`EBEQEEE.8390am:m>_fi:w_c_Eu<
`
`3a2.5FEEBIIII
`
`>325.83552BED
`
`n:SEED
`
`
`
`330E28:0.5:8.68ucwgwmflfimmm
`
`
`
`>o__0n_02D
`
`Petitioner Apple Inc. - EX. 1020, p. 14
`
`Petitioner Apple Inc. - Ex. 1020, p. 14
`
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 13 0f 31
`
`US 6,408,336 B1
`
`fi)
`FIG.
`138
`
`
`
`‘lertDetaiiJ/A
`:
`
`
`’5 AlertDetaiilD
`
`
`
`
`.
`3
`
`«Microsoft Access - [Relationships]
`[i-Eile Edit yiew Beiationships Iools window i_-i_elp
`--—I-[§l
`
`
`
`SmartCardTypeIl
`
`WSmartcardDefID
`
`
`Type
`[#3me
`lSJmarcticardl'EIJJ
`
`We
`ser
`roup
`
`1% Code
`SmartCardDetID
`
`
`
`
`
`
`
`ertificationlD
`UserGrouplD
`
`CertificateDetlD
`
`
`
`
`Organization Unit
`CertificateAuthoritle
`
`External
`Type
`
`KeyType
`
`SignatureType
`
`Expiration
`
`
`
`CertificateDeflD
`
`Common Name
`
`SeriaINumber
`
`
`WC
`
`
`
`
`
`CertificateParamlD
`
`CertificateParamDefII
`:'
`
`Value
`
`Group
`
`User
`
`
`Description
`
`
`IFieady
`
`El.
`
`Petitioner Apple Inc. - EX. 1020, p. 15
`
`Petitioner Apple Inc. - Ex. 1020, p. 15
`
`
`
`U.S. Patent
`
`Jun. 18, 2002
`
`Sheet 14 0f 31
`
`US 6,408,336 B1
`
`‘7
`l
`FFIOMF
`FIG.
`13A}
`r
`1 ,Alert'S‘chedulesQ
`.
`1_-_ AlertSchlD
`.
`UserGrouplD
`1
`Days
`.
`Start Time
`I
`End Time
`
`E
`5
`51 1,1325
`:
`5
`:
`
`_ '2?
`—
`
`A
`1:]
`
`1309
`
`1 1UserGroups%
`—~ UserGrouplD
`Group Name
`Description
`Pre-defined
`\
`‘309
`
`1313
`
`Windowsl0%
`WindowslD
`m UserGrouplD
`r“ WindowsDeflD
`
`1305
`
`1310
`
`1303
`
`1307
`“semen; %
`°° ParentUserGroup
`w ChildUserGroupID }
`k_~__w—_i
`1303
`
`1 ___________________________
`1
`
`1 1
`
`IPRanges7/// lPRangeID
`0°
`I
`UserGrouplD W E
`
`l——l lPRangeDe?D
`
`5
`
`1_30_1
`
`l
`I
`
`|
`
`1
`
`|
`
`|
`
`|
`
`INUMI
`
`a
`F|g.13B
`
`.
`
`D
`
`Petitioner Apple Inc. - Ex. 1020, p. 16
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 15 0f 31
`
`US 6,408,336 B1
`
`926_.§
`
`8:95me
`
`25mm
`
`nmccmuém
`
`3mzo$535
`
`
`
`3wmzo_mE$xmmt:2mmenu<mzmcm
`
`252“2:25
`
`52%56¢
`
`.9562m
`
`cacaoHz
`
`2n_>37.5
`
`geommfix
`
`982:5
`
`3525
`
`um=eEooEnxm
`
`062
`
`022
`
`55298550
`
`3:88?me
`
`coitomoo
`
`92:23
`
`9628
`
`25mm
`
`EEoEumozm
`
`mchweom
`
`95:8
`
`925
`
`SEEEomo2:
`
`__§-m9830
`
`asewmosommmeemm EEmcoEmE
`
`mvcmemmngoémesomwx
`
`
`
`QEoEmmscammm
`
`oaaewmeaommm
`
`oEoemmmgm
`
`2;EmEmm
`
`9850me
`
`o_8_amm
`
`032908.50mmm230
`
`.$82c8292?
`
`Petitioner Apple Inc. - EX. 1020, p. 17
`
`Petitioner Apple Inc. - Ex. 1020, p. 17
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 16 0f 31
`
`US 6,408,336 B1
`
`030C._.§
`
`8:95me
`
`2500
`
`umccmuém
`
`F\\\Ememmgm
`
`
`EEoEumsfi
`
`33EmeE
`
`92m
`
`962mm8
`
`
`
`msmcmmmmzofiEmFxmFmmeuu<
`
`
`
`amwzo.255mV93:.
`
`£59226
`
`EmEmmmszEmmmozotmmFQSEmm
`9255255mF\\\\\\\\\§
`armammqiummUu.Fgwsmm
`
`0.628F
`
`955985.“.\_
`
`._mg.m.2
`
`
`
`
`
`9m:285328HmaEmcoszm26$:3gmfl:
`
`
`
`mafimcoEmE.mmmoo<
`
`
`
`mEmzBEBE
`
`83%56¢
`
`62%2m
`
`
`
`EmEoo._.z
`
`382
`
`zm>mums
`
`390mmme
`
`282:5
`
`_mEch_
`
`8:280:86
`
`052
`
`022
`
`8529853
`
`
`
`muEmmBabocm
`
`tom
`
`ozmomuEmm8
`8:95me
`
`953mm
`
`25mm
`
`\E3
`
`chmzseoimni
`
`
`
`__m_2-m9830
`
`8:95me
`
`258
`
`9893:.
`
`D_Fmouo_>._mm
`
`.6385
`
`2.82
`
`8?
`
`Petitioner Apple Inc. - EX. 1020, p. 18
`
`Petitioner Apple Inc. - Ex. 1020, p. 18
`
`
`
`U.S. Patent
`
`Jun. 18,2002
`
`Sheet 17 0f 31
`
`US 6,408,336 B1
`
`[f6
`J'FIG.
`116B
`
`lkMiorosott Access - [Relationships]
`@503 gm view Belationships Iools window _H_eip
`M16915 molar Ra moPoiiiglxi???viml _
`PoticiesAccess%l
`PolicylD
`UserGroupID
`ResourceGrouplD
`Policy
`Active
`Pre-defined
`Expires
`Status
`Comments
`
`UserGrouptD
`GroupName
`Description
`Pre-deiined
`
`1
`
`[tiserGroupiW i
`UserGrouplD
`Group Name
`Description
`Pre-detined
`k1309
`
`E
`I
`
`PoliciesAdminister
`PolicylD
`UserGrouplD
`SubjectType
`UserGroupiD2
`HesourceGrouplD
`SitelD
`ServeriD
`ServicelD
`f
`1613 /p FtesourcelD
`'
`Policy
`Active
`Pre-defined
`Expires
`Status
`Comments
`
`I
`
`;
`
`E
`:
`‘
`:
`1
`
`PoliciesPolicyMaker
`PolicylD
`UserGrouplD
`HesourceGrouplD
`Policy
`Active
`Pre-deiined
`Expires
`Status
`Comments
`
`:
`E
`
`ResourceGroupII
`Name
`Description
`Pre-deiined
`
`I
`
`l
`
`<11
`[Ready
`m
`
`Fig. 16A
`
`Petitioner Apple Inc. - Ex. 1020, p. 19
`
`
`
`U.S. Patent
`
`Jun. 18,2002
`
`Sheet 18 0f 31
`
`US 6,408,336 B1
`
`7
`ResourceGroupElements?
`I
`ResGroupElementlD
`“1407
`'
`ElementType
`l-i ResourceGrouplD
`ServicelD
`ResourcelD
`
`8
`
`8
`
`ID
`-
`
`Name
`Description
`l
`Details
`Pre-deiined
`l
`Enable Address to
`E lernal DNS Ser
`lniernal DNS Ser
`l
`l
`
`l
`
`Re$°u"¢e$7////////?
`ResourcelD
`Name
`ServicelD
`Type
`Description
`Delails
`TrustDeflD
`1 ‘ MW Hide From intranet
`u §érverS%//////////%
`ServicelD
`Owners E-mail
`ServerlD
`Name
`T\_‘ Description
`1
`\1409
`NT Domain
`ServiceDeilD
`lnlernet Name
`°° ServerlD
`Policy Server
`Delails
`Site Sewer
`Encrypted Service
`internal
`Port
`Inside VPN
`Wildcard
`KeyEscrow
`ExponConlrolled
`NSlD
`MKlD
`CertificateAuthoritylD
`K1417
`
`\
`1413
`
`4 l
`
`I
`
`lNUMl
`
`I
`
`l
`l
`Fig. 165
`
`l
`
`Petitioner Apple Inc. - Ex. 1020, p. 20
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 19 0f 31
`
`US 6,408,336 B1
`
`«Microsoft Access- [Relationships]
`|l-' {file Edit y_iew Relationships_Tools Window Help
`
`Ifo
`. FIG
`[178
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Predefined
`Arguments
`
`
`AttachedNetwork
`ServerlD
`External
`
`Intertace
`IP Address
`Mark
`Bandwidth
`NetworkDetlD
`
`.
`E
`
`DefaultAlert Cond AlertCondition/,
`
`
`AlertCondID
`AIertCondID
`!
`1417
`
`UserGrouplD
`
`matte
`W1 -
`
`
`
`MedSevTh
`LowSevTime
`335;?”
`I
`
`
`
`
`
`MedSevTime
`NT Domain
`MedSevTh
`'
`
`HISevTh
`MedSevTime
`Internet Name
`I
`
`
`
`
`HISeVTh
`HISevTime
`PoIic Server
`'
`
`
`
`Site game,
`HlSevTime
`ConditionID
`I
`
`
`
`Internal
`ConditionlD
`'
`
`
`HoutingTabl- ///A 1
`WSQGPN
`l
`
`
`
`KeyEscrow
`E
`./
`RoutingTabIelD
`
`
`
`R990” /////////A
`ExportControIIed
`ServerID
`ReportID
`NSID
`Numpen
`
`ReportDele
`MKID
`DestInatIon
`
`ServerlD
`CertificateAuthor
`Gateway
`
`DIrectory
`W
`DiskSpaceLimit
`CaptureDataAt
` P
`ArgumentsZ Description
`
`‘
`
`;
`:
`
`Petitioner Apple Inc. - EX. 1020, p. 21
`
`Petitioner Apple Inc. - Ex. 1020, p. 21
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 20 0f 31
`
`US 6,408,336 B1
`
`FROM
`FIG. 17A
`
`lib
`'FlG. 17c
`
`Prox Parameters .
`ProxyParamlD
`ServerlD
`ProxyParamDeflD
`
`1.1.2
`
`
`
`
`
` ServiceID
`Description
`
`ServiceDeilD
`
`ServerlD
`Details
`
`
`
`Encrypted Service
`
`
`
`PointToPointlD
`
`SourceServerlD
`
`
`
`Port
`
`
`Strength
`
`‘
`-
`I
`
`ResourcelD
`Name
`ServicelD
`
`Type
`Description
`Details
`TrustDellD
`Hide From Intranet
`Owners E-mail
`
`1409
`
`ServiceDefinition
`
`SerwceDerID
`Name
`Protocol
`Description
`IP Type
`Port
`Proxied
`
`ProxyDeilD
`Addressable Reso
`
`Encrypted
`Details
`
`Pre-detined
`
`.
`'- --------------------------------------------
`
`:
`
`TrustAuthentications
`AuthenticationlD
`Label
`Authentication
`Strength
`Description
`
`TrustEncryptions 4
`EncryptionlD
`Label
`
`Encryption
`
`Export
`Descri - tion
`
`Fig. 178
`
`i_
`
`Petitioner Apple Inc. - EX. 1020, p. 22
`
`Petitioner Apple Inc. - Ex. 1020, p. 22
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 21 0f 31
`
`US 6,408,336 B1
`
`ProxyParamDetlD
`ProxyDetlD
`Name
`
`Description
`
`Default Value
`Global
`
`Requhed
`
`Prox Definitions
`
`ProxyDetlD
`Name
`
`Description
`Type
`RecordType
`Details
`Pre-deflned
`Parameters Numb
`
`KeyEscrowAgent
`
`g
`
`KeyEscrowAgen A
`
`Petitioner Apple Inc. - EX. 1020, p. 23
`
`Petitioner Apple Inc. - Ex. 1020, p. 23
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet22 0f31
`
`US 6,408,336 B1
`
`now_.
`
`we?
`
`:3
`
`mg
`
`mg3gm
`
`528E:2:u“8SEESEB:9:
`
`
`
` 32%EE8I262HatH8228$9:".6205
`
`83:33
`
`
`
`
`
`38:88.93mccmmcaco.2
`
`.325gmmcozmocsoaw
`
`.cozficmEBS
`
`-m mmfi<H4
`mmHmOImDmmm=>>Vmw>>0mm<zA
`6cmm_2:;0%macEm2058%6:$0582-mmgm__<Wm
`
`82$3ma:was;.u--m
`
`32Mags.fl.
`
`
`Egg;-HEwEqua;
`
` -Iwe?)255:555;-E8dogsoxm_§>>.nr-m
`
`.__.Engo.T-II
`
`-E2558226...“
`3:25.--H552$;
`
`mom:
`
`mom_.
`
`Petitioner Apple Inc. - EX. 1020, p. 24
`
`Petitioner Apple Inc. - Ex. 1020, p. 24
`
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 23 0f 31
`
`US 6,408,336 B1
`
`WDB1903(a,i)
`
`WDB1903(a,j)
`
`AF203(a)
`
`MASTER POLICY
`
`MGR. 2i
`
`PCS
`MESSAGES 1909
`
`MDB
`
`1905(a
`
`LDB
`
`1907(a)
`
`PCS MESSAGES 1909
`
`WDB19030,1)
`
`WDB1903(i,j)
`
`2030)
`
`ISDB MGR.
`
`1.9.11
`
`ADMW.
`GUI 1_91_5
`
`O
`
`O
`
`O
`
`O
`
`WORKSTATION
`1m3
`
`
`
`
`o
`
`o
`
`o
`
`0
`
`MDB
`19050)
`
`LDB
`19070)
`
`E
`
`Fig. 19
`
`Petitioner Apple Inc. - EX. 1020, p. 25
`
`Petitioner Apple Inc. - Ex. 1020, p. 25
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 24 0f 31
`
`US 6,408,336 B1
`
`mm_x0mn_
`
`Sow
`
`mmom
`
`mickm2
`
`.ZmEOH
`
`«.3mo_>mmm1-:
`
`asias“;
`
`Fommmwom
`
`
`
`E3:52mosmmmmo
`
`£58523:“.omm<ImEm?do;
`
`
`
`.IOZDEwEoBmmaWWmEonm
`mmm<m<k<o
`
`IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
`
`$1508
`
`3%m2$52883m#21
`
`
`
`mzoEEmg88'38
`
`
`
`
`
`Zm>\2<>>\._.m_zmm_._.z_mmm>mmw25mHijoz<._.
`CommeowRoomON.0?”-
`
`-m_xm_mm::-n§m_mw5:IETEE
`
`
`n:EInca&lgI%IE28
`
`1-
`
`N
`
`cm.
`
`2.0m
`
`a852
`
`$8m288
`
`Petitioner Apple Inc. - EX. 1020, p. 26
`
`Petitioner Apple Inc. - Ex. 1020, p. 26
`
`
`
`
`
`
`
`US. Patent
`
`Jun. 18,2002
`
`Sheet 25 0f 31
`
`US 6,408,336 B1
`
`POINTER
`
`GROUP
`
`ID LIST
`
`GROUP ID
`
` CMC
`
`
`
`
`
`
`2mg
`
`2_1_1_1
`
`21131
`
`2113InI
`
`
`
`
`
`
`
`DATA
`
`2105
`
`2115
`
`GROUP ID
`
`DB CERTIFICATES BY
`
`USER GROUP FILE 2101
`
`230
`
`Fig. 21
`
`Petitioner Apple Inc. - EX. 1020, p. 27
`
`Petitioner Apple Inc. - Ex. 1020, p. 27
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet26 0f31
`
`US 6,408,336 B1
`
`
`
`mammwmm
`
`|8Nm%Imamea.99o:2<axB<§EaEa5x20mzovimmzm0%.5%Ex0%
`
`
`
`mEMSOmommmmofix12mw$0511..56
`
`
`
`
`8mmawn/E:zo_._.<o:.2mIS<5mmmw<wmm2
`
`
`
`mm.5
`
`omEEozm
`
`95:5
`
`Em
`
`
`
`gmo<mmm212m
`
`Petitioner Apple Inc. - EX. 1020, p. 28
`
`2%$3:mmmm
`
`
`
`
`Petitioner Apple Inc. - Ex. 1020, p. 28
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 27 0f 31
`
`US 6,408,336 B1
`
`
`
`MMFFiIeName
`
`
`
`File
`2303
`
`_ Policies, User Groups, and Information Sets
`
`2.3%
`
`
`
`2 07 Describes policy application from the User Group viewpoint.
`DBUsersFile
`
`
`—— Maps each DB UserGrouplD to a list of ResourceGrouple with
`
`
`flags that indicate whether the policy that relates each pair is an
`
`
`allow or deny policy.
`Describes the user groups tree as a flattened array. Maps each
`
`
`DB UserGroup ID to a list of UserGroupiDs for parent user
`groups
`
`Describes policy application from the Resource Group (informa-
`
`tion set) viewpoint. Maps each DB ResourceGroupID to a list
`
`of UserGroupIDs with flags that indicate whether the policy that
`
`
`relates each pair is an allow or deny policy.
`
`
`Describes the resource groups tree as a flattened array. Maps
`
`
`
`each DB ResourceGrouplD to a list of ResourceGrouple for
`
`parent information sets.
`— User Identification Information
`2 11
`
`IP Ranges data. Maps from IPRangeDele to the IP range data.
`DBIPRangesFile
`
`DBDomainsFile
`IP Domain data. Maps from DomainDele to the IP domain data.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`DBUsersTreeFile
`
`
`
`DBResourcesFile
`
`230
`
`(.0
`
`DBResourcesTreeFile
`
`DBCertificatesFile
`
`DBWindowsIDFile
`
`Certificate data. Maps from CertificateDele to the certificate
`data.
`
`Windows ID data. Maps from WindowDele to the windows ID
`data.
`
`DBSmartCardlDFile
`
`Smart card (authentication token) data. Maps from Smartcard-
`Dele to the authentication token data.
`
`DBIPRangesByUserGroup
`File
`
`Relates IP range matching criteria to user groups. Maps from IP
`Range data to UserGroupIDs.
`
`DBDomainsByUserGroup
`File
`
`Relates IP domain matching criteria to user groups. Maps from
`IP Domain data to UserGroupIDs.
`
`DBCertificatesByUserGroup Relates certificates to user groups. Maps from certificate data
`File
`to UserGroupIDs.
`21m
`
`DBWindowsIDByUserGroup Relates Windows IDs to user groups. Maps from Windows ID
`File
`data to UserGroupIDs.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Relates Smart Card (authentication token ) data to user groups.
`DBSmartCardlDByUser
`Maps from authentication token data to UserGrouple
`GroupFile
`
`
`El
`
`Fig. 23A
`
`Petitioner Apple Inc. - EX. 1020, p. 29
`
`Petitioner Apple Inc. - Ex. 1020, p. 29
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 28 0f 31
`
`US 6,408,336 B1
`
` _ Sewers, Services, and information Resources
`
`DBResourcesBySewerlDFiIe
`Relates sewers to resources Maps from SewerIDs2to
`
`
`
`
`ResourceiDs for resources held on the server identified
`by the ServerID.
`
`
`
`Relates sewices to resources. Maps from Sewicele to
`DBResourcesBySewicelDFile
`Resourcele for resources belonging to the service identified
`
`by the SewiceiD.
`
`DBResourcelDBySewicelDFiIe
`
`Relates SBI‘VICGS to theIrIntormatIon resources. Maps from
`SewicelD to ResourcelD.
`
`DBResourcelDByNameFile
`_2__315
`
`Relates thelP names(()URLs of resources to resource IDs
`Maps from URL to resource ID.
`
`
`
`
`DBResourcesByResourcelDFile
`Relates resources to InformatIon sets Maps ResourcelD to
`2__317
`Resource Grouplds
`
`— Sewers, Sewices, IP Information, and Proxies22139
`
`DBServerIDBylPFile
`Relates IP addresses to sewers. Maps IP addresses to
`
`Sewerle.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`DBSewerlDByNameFile
`
`DBlPAndTypeBySewerlDFite
`
`Relates IP names to sewers. Maps the IP FQDN((fully quali-
`
`fied domain name)l)or each sewer to its SewerlD
`
`
`
`Relates sewers to their locations inside or outside to the VPN.
`Maps SewerlD to the sewer‘s IP address and a flag indica-
`
`ting whether the address is inside or outside the VPN.
`
`DBSewicelDByPortFile
`
`Relates sewices to their port numbers. Maps from SewicelD
`to port number.
`
`DBSewicelDBySeweriDFile
`
`Relates sewers to ports for sewices. Maps from SewerlD to
`a list of port numbers.
`
`DBSewicePortToProxyPortFile
`
`Relates sewice ports to the ports for their proxies. Maps from
`sewice port number to proxy port number.
`
`DBProxleBySewerIDFile
`
`Relates sewers to sewice proxies. Maps from SewerlD to
`ProxyDellD.
`
`DBProxyParametersFile
`
`Relates proxies to configuration data for the proxies. Maps
`trom ProxyDetlD to options data
`
`Fig. 233
`
`Petitioner Apple Inc. - EX. 1020, p. 30
`
`Petitioner Apple Inc. - Ex. 1020, p. 30
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 29 0f 31
`
`US 6,408,336 B1
`
`_ Access Filter Information gag
`DBAttachedNetworksByiPFile
`Relates network interfaces in the access filters to information
`for the interfaces. Maps from the interface's iP address to in-
`terface information.
`
`
`
`
`
`
`
`
`
`
`
`DBPointToPointFiie
`Relates a point-to-point description of a network path to data
`for the path. Maps from PointToPointlD for the path to the
`
`associated data.
`
`
`DBTrustTabieFiie
`implements the SEND table. Maps from TrustDefiD, indicating
`
`
`gag
`a trust level, to AuthenticationiDs for user identification tech-
`
`
`niques and EncryptioniDs for encryption techniques.
`
`DBCertificateAuthoritiesFile
`
`
`Relates identifiers for cerfiticate authorities to their data. Maps
`from CertificateAuthoritle to associated data.
`
` DBTrustAuthenticationsFiie
`Relates AuthenticationiDs to information about identification
`
`techniques. Maps from AuthenticationiD to identification
`technique information.
`
` DBTrustEncryptionsFiie
`Relates EncryptioniDs to information about encryption tech-
`niques. Maps from EncryptionlD to encryption type and
`strength information.
`
`
`
`
`
`DBAttachedNetworksByServer
`lDFiIe
`
`Relates access filters to their network interfaces. Maps from
`ServerlD for the access filter to interface information.
`
`DBRoutingTableFiie
`
`Describes the IP routing information for all of the access filters.
`One block of information.
`
`DBRoutingTabieByServerlDFiie
`
`Relates access filters to their iP routing information. Maps
`from ServeriD for the access filter to iP routing information.
`
`DBJavaSiteTabie
`
`Maps from names of locations to LocationiDs.
`
`DBJavaResourceTable
`
`Maps from URLs of resources to their ResourceiDs,
`LocationiDs, and hidden flags.
`
`DBJavaResourcesSetTabie
`
`
`Maps from names of information sets to ResourceGrouple,
`a list of ResourceiDs for all resources contained in the
`information set, and a list of ResourceGroupsiDs for all of the
`information set's parents.
`
`Fig. 23C
`
`Petitioner Apple Inc. - EX. 1020, p. 31
`
`Petitioner Apple Inc. - Ex. 1020, p. 31
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 30 0f 31
`
`US 6,408,336 B1
`
`2410
`
`2411
`
`2423
`
`2421
`
`2419
`
`APPLE
`
`D.___B301
`M 2422
`
`
`WebP - I'm},
`
`"""" 2424 -
`WebS
`
`ACCESS FILTER 203(0)
`
`SERVICES 2425
`
`iSERVICEPROXIES2427
`
`IPFILTER
`
`2417
`
`
`3—1
`
`
`
`
`LOCAL
`ACCESS
`
`FILTER 203(1)
`
`-—- 12425
`”—
`
`lNTRA-MAP
`DlSPLAY
`18°
`
`2403
`
`—‘ 1
`
`LIST
`2431
`
`"
`LAN 213
`
`2409
`o o o o o
`
`O O O O O
`‘ 2413
`415
`
`F 2
`
`WEB BROWSER
`2429
`
`2411
`2401
`__
`
`L
`
`['0A O .4
`
`Fig. 24
`
`Petitioner Apple Inc. - EX. 1020, p. 32
`
`Petitioner Apple Inc. - Ex. 1020, p. 32
`
`
`
`US. Patent
`
`Jun. 18, 2002
`
`Sheet 31 0f 31
`
`US 6,408,336 B1
`
`2503
`
`
`
`SECURWY
`
`OFHCER
`
`USERGROUP
`
`
`
`POUCY
`MAKER
`
`POUCY
`
`2515
`
`
`
`POLICY
`ENGINEER-
`ING ADMIN
`MAKER
`..............
`
`
`POUCYFOR
`
`
`
`ENG.DATA
`
`
`
`gfl
`
`ADMINISTRATIVE
`POLICY: —_..
`
`POLICY MAKER
`POUCY:
`............. _
`
`ACCESS
`POLICY: _____ +
`
`Fig. 25
`
`Petitioner Apple Inc. - EX. 1020, p. 33
`
`Petitioner Apple Inc. - Ex. 1020, p. 33
`
`
`
`US 6,408,336 B1
`
`1
`DISTRIBUTED ADMINISTRATION OF
`ACCESS TO INFORMATION
`
`CROSS REFERENCE TO RELATED PATENT
`APPLICATIONS
`
`The present patent application claims priority from the
`provisional applications No. 60/093,542, Schneider, et al.,
`Distributed Network Security, filed Mar. 10, 1997, and No.
`60/040,262, Schneider, et al., Secure Electronic Network
`Delivery, also filed Mar. 10, 1997. The present patent
`application is further one of four patent applications that
`have the same Detailed Description and assignee as the
`present patent application and are being filed on the same
`date. The four applications are:
`US. Ser. No. 09/034,507, David Schneider, et al., Dis-
`tributed administration of access to information;
`U.S. Ser. No. 09/034,503, David Schneider, et al., User
`interface for accessing information, now abandoned;
`U.S. Ser. No. 09/034,576, David Schneider, et al., Secure
`delivery of information in a network, issued Jan. 23,
`2001 as US. Pat. No. 6,178,505; and
`US. Ser. No. 09/034,587, David Schneider, et al., Scal-
`able access filter, issued Aug. 15, 2000 as U.S. Pat. No.
`6,105,027, David Schneider, et al., Techniques for
`eliminating redundant access checking by access filters.
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`
`5
`
`10
`
`15
`
`20
`
`25
`
`30
`
`The invention relates generally to control of access to data
`and relates more specifically to control of access to data in
`a distributed environment.
`
`2. Description of Related Art
`The Internet has revolutionized data communications. It
`
`35
`
`has done so by providing protocols and addressing schemes
`which make it possible for any computer system anywhere
`in the world to exchange information with any other com-
`puter system anywhere in the world, regardless of the
`computer system’s physical hardware, the kind of physical
`network it is connected to, or the kinds of physical networks
`that are used to send the information from the one computer
`system to the other computer system. All that is required for
`the two computer systems to exchange information is that
`each computer system have an Internet address and the
`software necessary for the protocols and that there be a route
`between the two machines by way of some combination of
`the many physical networks that may be used to carry
`messages constructed according to the protocols.
`The very ease with which computer systems may
`exchange information via the Internet has, however, caused
`problems. On the one hand, it has made accessing informa-
`tion easier and cheaper than it ever was before; on the other
`hand, it has made it much harder to protect information. The
`Internet has made it harder to protect information in two
`ways:
`It
`is harder to restrict access. If information may be
`accessed at all via the Internet, it is potentially acces-
`sible to anyone with access to the Internet. Once there
`is Internet access to information, blocking skilled
`intruders becomes a difficult technical problem.
`is harder to maintain security en route through the
`Internet. The Internet
`is implemented as a packet
`switching network. It
`is impossible to predict what
`route a message will take through the network. It is
`further impossible to ensure the security of all of the
`
`It
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`2
`switches, or to ensure that the portions of the message,
`including those which specify its source or destination,
`have not been read or altered en route.
`FIG. 1 shows techniques presently used to increase secu-
`rity in networks that are accessible via the Internet. FIG. 1
`shows network 101, which is made up of two separate
`internal networks 103(A) and 103(B) that are connected by
`Internet 111. Networks 103(A) and 103(B) are not generally
`accessible, but are part of the Internet in the sense that
`computer systems in these networks have Internet addresses
`and employ Internet protocols to exchange information. Two
`such computer systems appear in FIG. 1 as requestor 105 in
`network 103(A) and server 113 in network 103(b).
`Requestor 105 is requesting access to data which can be
`provided by server 113. Attached to server 113 is a mass
`storage device 115 that