Schneider et al.

US 6,408,336 B1
(10) Patent No.: US 6,408,336 B1
(45) Date of Patent: *Jun. 18, 2002

(54) DISTRIBUTED ADMINISTRATION OF ACCESS TO INFORMATION

(76) Inventors: David S. Schneider, 5338 Hinton Ave., Woodland Hills, CA (US) 91367; Michael B. Ribet, 3525 Cass Ct. #617, Oak Brook, IL (US) 60523; Laurence R. Lipstone, 22724 Sparrow Dell Dr., Calabasas, CA (US) 91302; Daniel Jensen, 6853 Encino Ave., Van Nuys, CA (US) 91406

(*) Notice: This patent issued on a continued prosecution application filed under 37 CFR 1.53(d), and is subject to the twenty year patent term provisions of 35 U.S.C. 154(a)(2).
Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/034,507
(22) Filed: Mar. 4, 1998

Related U.S. Application Data
(60) Provisional application No. 60/039,542, filed on Mar. 10, 1997, and provisional application No. 60/040,262, filed on Mar. 10, 1997.

(51) Int. Cl.7: G06F 15/16; G06F 9/00
(52) U.S. Cl.: 709/229; 713/201
(58) Field of Search: 709/225, 229; 713/201; 345/335, 969, 741-743

(56) References Cited

U.S. PATENT DOCUMENTS

4,956,769 A * 9/1990 Smith 707/1
5,012,405 A * 4/1991 Nishikado et al. 707/8
5,263,157 A * 11/1993 Janis 707/1
5,263,158 A * 11/1993 Janis 711/163
5,263,165 A * 11/1993 Janis 707/1

FOREIGN PATENT DOCUMENTS

WO 96 05549 A 2/1996 G06F/1/00

OTHER PUBLICATIONS

Computer Dictionary, 2d ed., Microsoft Press, Redmond, Washington, p. 215, Oct. 1993.*

Primary Examiner: Zarni Maung
Assistant Examiner: Andrew Caldwell
(74) Attorney, Agent, or Firm: Gordon E. Nelson
(57) ABSTRACT

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether to permit an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check.

48 Claims, 31 Drawing Sheets

U.S. PATENT DOCUMENTS (continued)

5,652,787 A * 7/1997 O'Kelly 379/112
5,720,033 A * 2/1998 Deo 713/200
5,787,427 A * 7/1998 Benantar et al. 707/9
5,787,428 A * 7/1998 Hart 707/9

[Front-page drawing: the administrator workflow flowchart of Fig. 8 (define users, define user groups 805, add users to groups, define resources, define information sets, add resources to sets, create policies); the legible copy is on Sheet 8 of 31.]

Petitioner Apple Inc. - Ex. 1020, p. 1

US 6,408,336 B1
Page 2

5,796,951 A * 8/1998 Hamner et al. 709/223
[entry illegible in the scan]
[entry illegible in the scan] 709/226
5,859,978 A * 1/1999 Sonderegger et al.
5,862,325 A * 1/1999 Reed et al. 709/201
[entry illegible in the scan]
5,941,947 A * 8/1999 Brown et al. 709/225
5,991,807 A * 11/1999 Schmidt et al. 709/225
6,085,191 A * 7/2000 Fisher et al. 707/9
[entry illegible in the scan] 707/9
6,105,027 A * 8/2000 Schneider et al. 713/168
6,178,505 B1 * 1/2001 Schneider et al.
6,253,251 B1 * 6/2001 Benantar et al. 709/315

OTHER PUBLICATIONS

Edwards, K., "Policies and Roles in Collaborative Applications," Proc. of the ACM 1996 Conf. on Computer Supported Cooperative Work, pp. 11-20, Nov. 1996.*
Lampson, B., et al., "Authentication in Distributed Systems: Theory and Practice," Proc. of the 13th ACM Symp. on Operating Systems Principles, pp. 165-182, Oct. 1991.*
Gladney, H., "Access Control for Large Collections," ACM Trans. on Information Systems, vol. 15, No. 2, pp. 154-194, Apr. 1997.*
Shen, H., et al., "Access Control for Collaborative Environments," Conf. Proc. on Computer-Supported Collaborative Work, ACM, pp. 51-58, Nov. 1992.*
Reiter, M., et al., "Integrating Security in a Group Oriented Distributed System," Proc. of Research in Security & Privacy, 1992, IEEE, pp. 18-32, May 1992.*
Toy, M., "AT&T's Electronic Mail Service for Government Users-FTS2000MAIL," Globecom '92, IEEE, vol. 2, pp. 950-957, Dec. 1992.*
Che-fun Yu, "Access Control and authorization plan for customer control of network services," in: IEEE Global Telecommunications Conference and Exhibition, Conference Record, vol. 2, pp. 862-869.
PCT/US98/04522, Partial international search, with indications of relevance of the references cited above. (PCT/US98/04522 has the same Specification as the application in which this IDS is being filed).
CheckPoint FireWall-1 (TM) White Paper, Version 2.0, Jun. 1995. http://www.integralis.co.uk/checkpnt/firewall/white.
Checkpoint FireWall-1, http://www.metadigm.co.uk/fwl/. 1996 Metadigm Ltd.
Commercial Firewalls and Related FW Products, http://hp735c.csc.cuhk.hk/firewall.html. Mar. 23, 1996.
Five Domains of Network Security, Technical Overview of the Eagle, http://www.raptor.com/T22NZ.Z56DAM.BF3AQD.F2.
Firewalls and Security Related Information, http://www.nacisa.nato.int/FWVENDORHTM.

* cited by examiner

U.S. Patent, Jun. 18, 2002, Sheet 1 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; legible labels: INTERNAL NETWORK, VIRTUAL PRIVATE NETWORK.]

U.S. Patent, Jun. 18, 2002, Sheet 2 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; legible labels: ACCESS FILTER (several instances), MANAGER, INTERNET.]

U.S. Patent, Jun. 18, 2002, Sheet 3 of 31, US 6,408,336 B1

[Fig. 3, rotated in the scan; legible labels: USER GROUPS, INFORMATION SETS, RESOURCES, ACCESS POLICY, ADMIN POLICY, POLICY MAKER, IDENTIFICATION.]

U.S. Patent, Jun. 18, 2002, Sheet 4 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; legible labels: ACCESS FILTER, NETWORK, MANAGER.]

U.S. Patent, Jun. 18, 2002, Sheet 5 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; legible label: ACCESS FILTER.]

U.S. Patent, Jun. 18, 2002, Sheet 6 of 31, US 6,408,336 B1

[Fig. 6, rotated in the scan; labels not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 7 of 31, US 6,408,336 B1

[Fig. 7, rotated in the scan; legible labels: MASTER POLICY, MANAGER, ACCESS FILTER.]

U.S. Patent, Jun. 18, 2002, Sheet 8 of 31, US 6,408,336 B1

Fig. 8 (administrator workflow flowchart)

Resource branch:
- DEFINE RESOURCES
- DEFINE INFORMATION SETS (811)
- ADD RESOURCES TO SETS

User branch:
- DEFINE USERS (803)
- DEFINE USER GROUPS (805)
- ADD USERS TO GROUPS (807)

Both branches lead to:
- CREATE POLICIES

U.S. Patent, Jun. 18, 2002, Sheet 9 of 31, US 6,408,336 B1

[Drawing, rotated in the scan (a screenshot of the administrative user interface); text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 10 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; legible label: Available Resources.]

U.S. Patent, Jun. 18, 2002, Sheet 11 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 12 of 31, US 6,408,336 B1

[Fig. 12, rotated in the scan; text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 13 of 31, US 6,408,336 B1

Fig. 13A (Microsoft Access "Relationships" view of the access control data base; continues on Fig. 13B). Legible tables and fields:
- SmartCardID: SmartCardID, UserGroupID, SmartCardDefID
- SmartCardType (name cut off): Type, Manufacturer, Version
- Smart card definition table (name cut off): SmartCardDefID, Name
- Certification table (name cut off): UserGroupID, CertificateDefID
- Certificate definition fields: SerialNumber, IP, Country, Locality, Organization
- DomainDefinition: DomainDefID, Name
- Certificate parameter table (name cut off): CertificateParamID, CertificateParamDefID, Value

U.S. Patent, Jun. 18, 2002, Sheet 14 of 31, US 6,408,336 B1

Fig. 13B (from Fig. 13A). Legible tables and fields:
- AlertSchedules: AlertSchID, UserGroupID, Days, Start Time, End Time
- UserGroups (1309): UserGroupID, Group Name, Description, Pre-defined
- WindowsID (1313): WindowsID, UserGroupID, WindowsDefID
- User group tree table (name illegible; 1307): ParentUserGroup..., ChildUserGroupID
- IPRanges (1301): IPRangeID, UserGroupID, IPRangeDefID
Other reference numerals on the sheet: 1303, 1305, 1310.

U.S. Patent, Jun. 18, 2002, Sheet 15 of 31, US 6,408,336 B1

[Drawing, rotated in the scan (a screenshot of the administrative user interface); text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 16 of 31, US 6,408,336 B1

[Drawing, rotated in the scan (a screenshot of the administrative user interface); text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 17 of 31, US 6,408,336 B1

Fig. 16A (Microsoft Access "Relationships" view; continues on Fig. 16B). Legible tables and fields:
- PoliciesAccess: PolicyID, UserGroupID, ResourceGroupID, Policy, Active, Pre-defined, Expires, Status, Comments
- UserGroups (1309; shown twice): UserGroupID, GroupName, Description, Pre-defined
- PoliciesAdminister (1613): PolicyID, UserGroupID, SubjectType, UserGroupID2, ResourceGroupID, SiteID, ServerID, ServiceID, ResourceID, Policy, Active, Pre-defined, Expires, Status, Comments
- PoliciesPolicyMaker: PolicyID, UserGroupID, ResourceGroupID, Policy, Active, Pre-defined, Expires, Status, Comments
- ResourceGroups (name cut off): ResourceGroupID, Name, Description, Pre-defined

U.S. Patent, Jun. 18, 2002, Sheet 18 of 31, US 6,408,336 B1

Fig. 16B (from Fig. 16A). Legible tables and fields:
- ResourceGroupElements (1407): ResGroupElementID, ElementType, ResourceGroupID, ServiceID, ResourceID
- Table with name illegible: ID, Name, Description, Details, Pre-defined, Enable Address to..., External DNS Ser..., Internal DNS Ser...
- Resources: ResourceID, Name, ServiceID, Type, Description, Details, TrustDefID, Hide From Intranet, Owners E-mail
- Servers (1409): ServerID, Name, Description, NT Domain, Internet Name, Policy Server, Site Server, Internal, Inside VPN, Wildcard, KeyEscrow, ExportControlled, NSID, MKID, CertificateAuthorityID
- Services: ServiceID, ServerID, ServiceDefID, Details, Encrypted Service, Port
Other reference numerals on the sheet: 1413, 1417.

U.S. Patent, Jun. 18, 2002, Sheet 19 of 31, US 6,408,336 B1

Fig. 17A (Microsoft Access "Relationships" view; continues on Fig. 17B). Legible tables and fields:
- Servers (continued): Internet Name, Policy Server, Site Server, Internal, Inside VPN, Wildcard, KeyEscrow, ExportControlled, NSID, ReportDefID, MKID, ServerID, CertificateAuthor..., Directory, DiskSpaceLimit, CaptureDataAt
- AttachedNetworks: ServerID, External, Interface

U.S. Patent, Jun. 18, 2002, Sheet 20 of 31, US 6,408,336 B1

Fig. 17B (from Fig. 17A; continues on Fig. 17C). Legible tables and fields:
- ProxyParameters: ProxyParamID, ServerID, ProxyParamDefID, Value
- Services: ServiceID, Description, ServiceDefID, ServerID, Details, Encrypted Service, Port
- TrustAuthentications: AuthenticationID, ... (remaining fields cut off)
- TrustEncryptions: EncryptionID, Label, Encryption, Strength, Export, Description
- Resources: ResourceID, Name, ServiceID, Type, Description, Details, TrustDefID, Hide From Intranet, Owners E-mail
- Service definition table (name cut off): Name, Protocol, Description, IP Type, Port, Proxied, ProxyDefID, Addressable Reso...
- Point To Point Connection: PointToPointID, SourceServerID, DestinationServerID, TrustDefID

U.S. Patent, Jun. 18, 2002, Sheet 21 of 31, US 6,408,336 B1

Fig. 17C (from Fig. 17B). Legible table and fields:
- ProxyParameterDefin... (name cut off): ProxyParamDefID, ProxyDefID, Name, Description

U.S. Patent, Jun. 18, 2002, Sheet 22 of 31, US 6,408,336 B1

[Drawing, rotated in the scan (a screenshot of the administrative user interface); text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 23 of 31, US 6,408,336 B1

Fig. 19 (legible labels): AF 203(a); MASTER POLICY ...; 1905(a); 1907(a); PCS MESSAGES 1909 (two instances); WDB 1903(i,j) (two instances); 203(...); ISDB MGR.

U.S. Patent, Jun. 18, 2002, Sheet 24 of 31, US 6,408,336 B1

[Drawing, rotated in the scan; text not legible.]

U.S. Patent, Jun. 18, 2002, Sheet 25 of 31, US 6,408,336 B1

Fig. 21: DB CERTIFICATES BY USER GROUP FILE 2101
- CMC POINTER 2109
- 2111
- GROUP ID 2113(1) ... GROUP ID 2113(n)
- DATA 2105
- GROUP ID LIST 2115

U.S. Patent, Jun. 18, 2002, Sheet 26 of 31, US 6,408,336 B1

[Fig. 22, rotated in the scan; legible labels: ENCRYPTED, PAYLOAD, MESSAGE.]

U.S. Patent, Jun. 18, 2002, Sheet 27 of 31, US 6,408,336 B1

Fig. 23A: MMF File Name and contents

Policies, User Groups, and Information Sets (2305)
- DBUsersFile (2307): Describes policy application from the User Group viewpoint. Maps each DB UserGroupID to a list of ResourceGroupIDs with flags that indicate whether the policy that relates each pair is an allow or deny policy.
- DBUsersTreeFile: Describes the user groups tree as a flattened array. Maps each DB UserGroupID to a list of UserGroupIDs for parent user groups.
- DBResourcesFile (2309): Describes policy application from the Resource Group (information set) viewpoint. Maps each DB ResourceGroupID to a list of UserGroupIDs with flags that indicate whether the policy that relates each pair is an allow or deny policy.
- DBResourcesTreeFile: Describes the resource groups tree as a flattened array. Maps each DB ResourceGroupID to a list of ResourceGroupIDs for parent information sets.

User Identification Information (2311)
- DBIPRangesFile: IP Ranges data. Maps from IPRangeDefID to the IP range data.
- DBDomainsFile: IP Domain data. Maps from DomainDefID to the IP domain data.
- DBCertificatesFile: Certificate data. Maps from CertificateDefID to the certificate data.
- DBWindowsIDFile: Windows ID data. Maps from WindowDefID to the windows ID data.
- DBSmartCardIDFile: Smart card (authentication token) data. Maps from SmartcardDefID to the authentication token data.
- DBIPRangesByUserGroupFile: Relates IP range matching criteria to user groups. Maps from IP Range data to UserGroupIDs.
- DBDomainsByUserGroupFile: Relates IP domain matching criteria to user groups. Maps from IP Domain data to UserGroupIDs.
- DBCertificatesByUserGroupFile: Relates certificates to user groups. Maps from certificate data to UserGroupIDs.
- DBWindowsIDByUserGroupFile: Relates Windows IDs to user groups. Maps from Windows ID data to UserGroupIDs.
- DBSmartCardIDByUserGroupFile: Relates Smart Card (authentication token) data to user groups. Maps from authentication token data to UserGroupIDs.

U.S. Patent, Jun. 18, 2002, Sheet 28 of 31, US 6,408,336 B1

Fig. 23B: MMF File Name and contents (continued)

Servers, Services, and Information Resources (2313)
- DBResourcesByServerIDFile: Relates servers to resources. Maps from ServerIDs to ResourceIDs for resources held on the server identified by the ServerID.
- DBResourcesByServiceIDFile: Relates services to resources. Maps from ServiceIDs to ResourceIDs for resources belonging to the service identified by the ServiceID.
- DBResourceIDByServiceIDFile: Relates services to their information resources. Maps from ServiceID to ResourceID.
- DBResourceIDByNameFile (2315): Relates the IP names (URLs) of resources to resource IDs. Maps from URL to resource ID.
- DBResourcesByResourceIDFile (2317): Relates resources to information sets. Maps ResourceID to ResourceGroupIDs.

Servers, Services, IP Information, and Proxies (2319)
- DBServerIDByIPFile: Relates IP addresses to servers. Maps IP addresses to ServerIDs.
- DBServerIDByNameFile: Relates IP names to servers. Maps the IP FQDN (fully qualified domain name) for each server to its ServerID.
- DBIPAndTypeByServerIDFile: Relates servers to their locations inside or outside the VPN. Maps ServerID to the server's IP address and a flag indicating whether the address is inside or outside the VPN.
- DBServiceIDByPortFile: Relates services to their port numbers. Maps from ServiceID to port number.
- DBServiceIDByServerIDFile: Relates servers to ports for services. Maps from ServerID to a list of port numbers.
- DBServicePortToProxyPortFile: Relates service ports to the ports for their proxies. Maps from service port number to proxy port number.
- DBProxyIDByServerIDFile: Relates servers to service proxies. Maps from ServerID to ProxyDefID.
- DBProxyParametersFile: Relates proxies to configuration data for the proxies. Maps from ProxyDefID to options data.

U.S. Patent, Jun. 18, 2002, Sheet 29 of 31, US 6,408,336 B1

Fig. 23C: MMF File Name and contents (continued)

Access Filter Information (2321)
- DBAttachedNetworksByIPFile: Relates network interfaces in the access filters to information for the interfaces. Maps from the interface's IP address to interface information.
- DBAttachedNetworksByServerIDFile: Relates access filters to their network interfaces. Maps from ServerID for the access filter to interface information.
- DBRoutingTableFile: Describes the IP routing information for all of the access filters. One block of information.
- DBRoutingTableByServerIDFile: Relates access filters to their IP routing information. Maps from ServerID for the access filter to IP routing information.
- DBCertificateAuthoritiesFile: Relates identifiers for certificate authorities to their data. Maps from CertificateAuthorityID to associated data.
- DBPointToPointFile: Relates a point-to-point description of a network path to data for the path. Maps from PointToPointID for the path to the associated data.

SEND Information (2323)
- DBTrustTableFile: Implements the SEND table. Maps from TrustDefID, indicating a trust level, to AuthenticationIDs for user identification techniques and EncryptionIDs for encryption techniques.
- DBTrustAuthenticationsFile: Relates AuthenticationIDs to information about identification techniques. Maps from AuthenticationID to identification technique information.
- DBTrustEncryptionsFile: Relates EncryptionIDs to information about encryption techniques. Maps from EncryptionID to encryption type and strength information.

Intra-Map Information
- DBJavaSiteTable: Maps from names of locations to LocationIDs.
- DBJavaResourceTable: Maps from URLs of resources to their ResourceIDs, LocationIDs, and hidden flags.
- DBJavaResourcesSetTable: Maps from names of information sets to ResourceGroupIDs, a list of ResourceIDs for all resources contained in the information set, and a list of ResourceGroupIDs for all of the information set's parents.

Fig. 23C
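The access decision described in the abstract, and the data layout of Figs. 23A to 23C (user-group and information-set trees held as flattened parent arrays, an allow/deny flag per group-set pair, and a trust table relating a required level to acceptable identification and encryption techniques), can be exercised end to end in a short script. The following is an added example written for this page; it is not code from the patent or its assignee. The group, set, user, resource and method names, the numeric trust levels, and the conflict rule (any applicable deny policy wins, and no applicable policy means deny) are all assumptions made here. It goes slightly beyond the abstract by also returning the encryption method the first access filter would have to apply when the path's own trust level falls short of the resource's sensitivity.

```python
"""Access decision over user groups, information sets, allow/deny policies
and trust levels, modelled on the abstract and Figs. 23A-23C.

Added example, not the patent's code. Trees are flattened parent lists
(DBUsersTreeFile / DBResourcesTreeFile), policies carry an allow flag per
(user group, information set) pair (DBUsersFile), and the trust tables play
the role of the SEND table. All names, levels and data below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Flattened trees: every ID -> all of its ancestors (constructed data).
USER_GROUP_PARENTS = {
    "all": [],
    "eng": ["all"],
    "eng-leads": ["eng", "all"],
    "contractors": ["all"],
}
INFO_SET_PARENTS = {
    "internal": [],
    "eng-data": ["internal"],
    "eng-secrets": ["eng-data", "internal"],
}
USER_GROUPS = {"alice": ["eng-leads"], "bob": ["contractors"]}
RESOURCE_SETS = {
    "http://intranet/eng/design.doc": ["eng-data"],
    "http://intranet/eng/keys.txt": ["eng-secrets"],
}
# Sensitivity level each resource requires (its TrustDefID; constructed).
RESOURCE_SENSITIVITY = {
    "http://intranet/eng/design.doc": 2,
    "http://intranet/eng/keys.txt": 4,
}
# (user group, information set, allow?) -- the allow/deny flags of DBUsersFile.
POLICIES = [
    ("all", "internal", True),
    ("contractors", "eng-data", False),
    ("eng", "eng-data", True),
]
# Trust levels of identification modes, network paths and encryption methods;
# higher is stronger (constructed values standing in for the SEND table).
AUTH_TRUST = {"ip-range": 1, "windows-id": 2, "certificate": 3, "smartcard": 4}
PATH_TRUST = {"internet": 0, "inside-vpn": 3}
ENCRYPTION_TRUST = {"none": 0, "export-40bit": 1, "des": 2, "3des": 4}


@dataclass
class Decision:
    allowed: bool
    reason: str
    encryption: Optional[str] = None  # method the first access filter must apply


def ancestors_closure(ids, parents):
    """Expand a list of IDs to the set containing them and every ancestor."""
    result = set()
    for i in ids:
        result.add(i)
        result.update(parents[i])
    return result


def policy_allows(user, resource):
    """Policy check over the user's groups and the resource's information sets."""
    groups = ancestors_closure(USER_GROUPS.get(user, []), USER_GROUP_PARENTS)
    sets_ = ancestors_closure(RESOURCE_SETS.get(resource, []), INFO_SET_PARENTS)
    applicable = [allow for g, s, allow in POLICIES if g in groups and s in sets_]
    # Assumption: no applicable policy -> deny; any applicable deny -> deny.
    return bool(applicable) and all(applicable)


def choose_encryption(path, required):
    """Weakest encryption whose trust level covers the sensitivity.

    Returns "none" when the path alone is trusted enough, None when no
    available method reaches the required level.
    """
    if PATH_TRUST[path] >= required:
        return "none"
    for name, level in sorted(ENCRYPTION_TRUST.items(), key=lambda kv: kv[1]):
        if level >= required:
            return name
    return None


def decide(user, resource, auth_method, path):
    """The access check as the first access filter in the path performs it."""
    if not policy_allows(user, resource):
        return Decision(False, "no allow policy applies or a deny policy applies")
    required = RESOURCE_SENSITIVITY[resource]
    if AUTH_TRUST[auth_method] < required:
        return Decision(False, f"identification by {auth_method} is below sensitivity {required}")
    enc = choose_encryption(path, required)
    if enc is None:
        return Decision(False, f"no encryption method reaches sensitivity {required} over {path}")
    return Decision(True, "permitted", enc)


if __name__ == "__main__":
    for args in [("alice", "http://intranet/eng/design.doc", "certificate", "internet"),
                 ("bob", "http://intranet/eng/design.doc", "certificate", "inside-vpn"),
                 ("alice", "http://intranet/eng/keys.txt", "certificate", "inside-vpn"),
                 ("alice", "http://intranet/eng/keys.txt", "smartcard", "internet")]:
        print(args, decide(*args))
```

decide() follows the order the abstract gives: policy first, then the identification mode against the resource's sensitivity, then the path, upgrading to encryption only when the path alone is not trusted enough. Downstream access filters would carry the request on without repeating the check.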
U.S. Patent, Jun. 18, 2002, Sheet 30 of 31, US 6,408,336 B1

Fig. 24 (legible labels): ACCESS FILTER 203(0); 2423; SERVICES 2425; 2421; SERVICE PROXIES 2427; 2419; IP FILTER 2417; LOCAL ACCESS FILTER 203(1); INTRA-MAP DISPLAY.

U.S. Patent, Jun. 18, 2002, Sheet 31 of 31, US 6,408,336 B1

Fig. 25 (legible labels): SECURITY OFFICER USER GROUP 2503; POLICY MAKER; POLICY; 2505; 2507; 2509; 2510; 2515; POLICY MAKER POLICY FOR ENG. DATA. Legend (distinguished by line style): ADMINISTRATIVE POLICY, POLICY MAKER POLICY, ACCESS POLICY.

US 6,408,336 B1

DISTRIBUTED ADMINISTRATION OF ACCESS TO INFORMATION

CROSS REFERENCE TO RELATED PATENT APPLICATIONS

The present patent application claims priority from the provisional applications No. 60/093,542, Schneider, et al., Distributed Network Security, filed Mar. 10, 1997, and No. 60/040,262, Schneider, et al., Secure Electronic Network Delivery, also filed Mar. 10, 1997. The present patent application is further one of four patent applications that have the same Detailed Description and assignee as the present patent application and are being filed on the same date. The four applications are:
U.S. Ser. No. 09/034,507, David Schneider, et al., Distributed administration of access to information;
U.S. Ser. No. 09/034,503, David Schneider, et al., User interface for accessing information, now abandoned;
U.S. Ser. No. 09/034,576, David Schneider, et al., Secure delivery of information in a network, issued Jan. 23, 2001 as U.S. Pat. No. 6,178,505; and
U.S. Ser. No. 09/034,587, David Schneider, et al., Scalable access filter, issued Aug. 15, 2000 as U.S. Pat. No. 6,105,027, David Schneider, et al., Techniques for eliminating redundant access checking by access filters.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates generally to control of access to data and relates more specifically to control of access to data in a distributed environment.

2. Description of Related Art

The Internet has revolutionized data communications. It has done so by providing protocols and addressing schemes which make it possible for any computer system anywhere in the world to exchange information with any other computer system anywhere in the world, regardless of the computer system's physical hardware, the kind of physical network it is connected to, or the kinds of physical networks that are used to send the information from the one computer system to the other computer system. All that is required for the two computer systems to exchange information is that each computer system have an Internet address and the software necessary for the protocols and that there be a route between the two machines by way of some combination of the many physical networks that may be used to carry messages constructed according to the protocols.

The very ease with which computer systems may exchange information via the Internet has, however, caused problems. On the one hand, it has made accessing information easier and cheaper than it ever was before; on the other hand, it has made it much harder to protect information. The Internet has made it harder to protect information in two ways:

It is harder to restrict access. If information may be accessed at all via the Internet, it is potentially accessible to anyone with access to the Internet. Once there is Internet access to information, blocking skilled intruders becomes a difficult technical problem.

It is harder to maintain security en route through the Internet. The Internet is implemented as a packet switching network. It is impossible to predict what route a message will take through the network. It is further impossible to ensure the security of all of the switches, or to ensure that the portions of the message, including those which specify its source or destination, have not been read or altered en route.

FIG. 1 shows techniques presently used to increase security in networks that are accessible via the Internet. FIG. 1 shows network 101, which is made up of two separate internal networks 103(A) and 103(B) that are connected by Internet 111. Networks 103(A) and 103(B) are not generally accessible, but are part of the Internet in the sense that computer systems in these networks have Internet addresses and employ Internet protocols to exchange information. Two such computer systems appear in FIG. 1 as requestor 105 in network 103(A) and server 113 in network 103(B). Requestor 105 is requesting access to data which can be provided by server 113. Attached to server 113 is a mass storage device 115 that contains data 117 which is being requested by requestor 105. Of course, for other data, server 113 may be the requestor and requestor 105 the server. Moreover, access is to be understood in the present context as any operation which can read or change data stored on server 113 or which can change the state of server 113. In making the request, requestor 105 is using one of the standard TCP/IP protocols. As used here, a protocol is a description of a set of messages that can be used to exchange information between computer systems. The actual messages that are sent between computer systems that are communicating according to a protocol are collectively termed a session. During the session, requestor 105 sends messages according to the protocol to server 113's Internet address and server 113 sends messages according to the protocol to requestor 105's Internet address. Both the request and response will travel between internal networks 103(A) and 103(B) by Internet 111. If server 113 permits requestor 105 to access the data, some of the messages flowing from server 113 to requestor 105 in the session will include the requested data 117. The software components of server 113 which respond to the messages as required by the protocol are termed a service.

If the owner of internal networks 103(A and B) wants to be sure that only users of computer systems connected directly to networks 103(A and B) can access data 117 and that the contents of the request and response are not known outside those networks, the owner must solve two problems: making sure that server 113 does not respond to requests from computer systems other than