Schneider et al.

(10) Patent No.: US 6,408,336 B1
(45) Date of Patent: *Jun. 18, 2002

(54) DISTRIBUTED ADMINISTRATION OF ACCESS TO INFORMATION

(76) Inventors: David S. Schneider, 5338 Hinton Ave., Woodland Hills, CA (US) 91367; Michael B. Ribet, 3525 Cass Ct. #617, Oak Brook, IL (US) 60523; Laurence R. Lipstone, 22724 Sparrow Dell Dr., Calabasas, CA (US) 91302; Daniel Jensen, 6853 Encino Ave., Van Nuys, CA (US) 91406

(*) Notice: This patent issued on a continued prosecution application filed under 37 CFR 1.53(d), and is subject to the twenty year patent term provisions of 35 U.S.C. 154(a)(2).

Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/034,507
(22) Filed: Mar. 4, 1998

Related U.S. Application Data
(60) Provisional application No. 60/039,542, filed on Mar. 10, 1997, and provisional application No. 60/040,262, filed on Mar. 10, 1997.

(51) Int. Cl.7: G06F 15/16; G06F 9/00
(52) U.S. Cl.: 709/229; 713/201
(58) Field of Search: 709/225, 229; 713/201; 345/335, 969, 741-743

Primary Examiner: Zarni Maung
Assistant Examiner: Andrew Caldwell
(74) Attorney, Agent, or Firm: Gordon E. Nelson

(57) ABSTRACT

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check.

48 Claims, 31 Drawing Sheets
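
The access check summarized in the abstract, modeled as an added Python example that is not part of the patent or of any product built on it. Assumptions: the class and function names, the four-step numeric scale for trust and sensitivity, inheritance of policies through parent user groups and parent information sets, the rule that a deny policy overrides an allow policy, and the constructed sample data.

```python
"""Added example: model of the access check summarized in the abstract.
Names, the numeric trust scale, group inheritance, and the rule that a deny
policy overrides an allow policy are assumptions, not taken from the patent."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Assumed ordered scale shared by trust levels and sensitivity levels."""
    PUBLIC = 0
    PRIVATE = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Policy:
    user_group: str
    info_set: str
    allow: bool  # True = allow policy, False = deny policy


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str
    encrypt_with: Optional[str] = None  # set when the filter must encrypt


@dataclass
class AccessDB:
    """Stand-in for one access filter's local copy of the access control database."""
    user_groups: dict       # user -> user groups the user belongs to
    group_parents: dict     # user group -> parent user groups
    resource_sets: dict     # resource -> information sets it belongs to
    set_parents: dict       # information set -> parent information sets
    sensitivity: dict       # resource -> Level
    policies: list          # list of Policy
    encryption_trust: dict  # encryption method -> Level it gives a path


def closure(start, parents):
    """All nodes reachable from `start` by following parent links."""
    seen, stack = set(), list(start)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(parents.get(node, ()))
    return seen


def check_access(db, user, resource, ident_trust, path_trust):
    """Decide one request the way the first access filter on the path would."""
    groups = closure(db.user_groups.get(user, ()), db.group_parents)
    sets = closure(db.resource_sets.get(resource, ()), db.set_parents)
    hits = [p for p in db.policies if p.user_group in groups and p.info_set in sets]
    if any(not p.allow for p in hits):
        return Decision(False, "deny policy applies")
    if not hits:
        return Decision(False, "no access policy grants access")
    need = db.sensitivity[resource]
    if ident_trust < need:
        return Decision(False, "identification trust below sensitivity")
    if path_trust >= need:
        return Decision(True, "path trust sufficient")
    # Path too weak: pick the least-trusted encryption method that still suffices.
    usable = sorted((lvl, name) for name, lvl in db.encryption_trust.items() if lvl >= need)
    if not usable:
        return Decision(False, "no encryption method reaches sensitivity")
    return Decision(True, "request encrypted to raise path trust", usable[0][1])


# Constructed sample data (not from the patent).
SPECS = "http://eng.example/specs"
DB = AccessDB(
    user_groups={"alice": ["Hardware Engineers"],
                 "bob": ["Hardware Engineers", "Contractors"],
                 "carol": ["Sales"]},
    group_parents={"Hardware Engineers": ["Engineers"]},
    resource_sets={SPECS: ["Chip Specs"]},
    set_parents={"Chip Specs": ["Engineering Data"]},
    sensitivity={SPECS: Level.SECRET},
    policies=[Policy("Engineers", "Engineering Data", True),
              Policy("Contractors", "Chip Specs", False)],
    encryption_trust={"method_A": Level.PRIVATE, "method_B": Level.SECRET,
                      "method_C": Level.TOP_SECRET},
)

if __name__ == "__main__":
    for user, ident, path in [("alice", Level.SECRET, Level.SECRET),
                              ("alice", Level.SECRET, Level.PUBLIC),
                              ("alice", Level.PRIVATE, Level.SECRET),
                              ("bob", Level.SECRET, Level.SECRET),
                              ("carol", Level.TOP_SECRET, Level.TOP_SECRET)]:
        print(user, ident.name, path.name, check_access(DB, user, SPECS, ident, path))
```
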

Petitioner Apple Inc. - Ex. 1020, p. 1

Fig. 8 (Sheet 8 of 31). Flowchart boxes: DEFINE USERS 803; DEFINE USER GROUPS 805; ADD USERS TO GROUPS 807; DEFINE RESOURCES; DEFINE INFORMATION SETS 811; ADD RESOURCES TO SETS; CREATE POLICIES.

Figs. 13A and 13B (Sheets 13 and 14 of 31). Microsoft Access [Relationships] window. Legible tables and fields:
  Certificates: CertificationID, UserGroupID, CertificateDefID
  DomainDefinition: DomainDefID, Name
  AlertSchedules: AlertSchID, UserGroupID, Days, Start Time, End Time
  UserGroups 1309: UserGroupID, Group Name, Description, Pre-defined
  WindowsID: WindowsID, UserGroupID, WindowsDefID
  IPRanges: IPRangeID, UserGroupID, IPRangeDefID

Figs. 16A and 16B (Sheets 17 and 18 of 31). Microsoft Access [Relationships] window. Legible tables and fields:
  PoliciesAccess: PolicyID, UserGroupID, ResourceGroupID, Policy, Active, Pre-defined, Expires, Status, Comments
  PoliciesAdminister: PolicyID, UserGroupID, SubjectType, UserGroupID2, ResourceGroupID, SiteID, ServerID, ServiceID, ResourceID, Policy, Active, Pre-defined, Expires, Status, Comments
  PoliciesPolicyMaker: PolicyID, UserGroupID, ResourceGroupID, Policy, Active, Pre-defined, Expires, Status, Comments
  UserGroups 1309: UserGroupID, Group Name, Description, Pre-defined
  ResourceGroupElements: ResGroupElementID, ElementType, ResourceGroupID, ServiceID, ResourceID
  Resources: ResourceID, Name, ServiceID, Type, Description, Details, TrustDefID, Hide From Intranet, Owners E-mail

Figs. 17A to 17C (Sheets 19 to 21 of 31). Microsoft Access [Relationships] window. Legible table names: DefaultAlertCond, NetworkDefinitions, ProxyParameters.

Sheet 23 of 31. Block diagram. Legible labels: AF 203(a); MASTER POLICY MGR. 205; WDB 1903(a,i); WDB 1903(a,j); MDB 1905(a); LDB 1907(a); PCS MESSAGES 1909; 203(i); MDB 1905(i); LDB 1907(i); WORKSTATION 1913; ADMIN. GUI 1915.

Fig. 21 (Sheet 25 of 31). DB CERTIFICATES BY USER GROUP FILE 2101. Legible labels: HEADER 2103; DATA 2105; ENTRY; CMC POINTER; GROUP ID LIST; GROUP ID 2113(n).

Fig. 23A (Sheet 27 of 31)

MMF File Name: Contents

Policies, User Groups, and Information Sets

DBUsersFile: Describes policy application from the User Group viewpoint. Maps each DB UserGroupID to a list of ResourceGroupIDs with flags that indicate whether the policy that relates each pair is an allow or deny policy.
DBUsersTreeFile: Describes the user groups tree as a flattened array. Maps each DB UserGroupID to a list of UserGroupIDs for parent user groups.
DBResourcesFile: Describes policy application from the Resource Group (information set) viewpoint. Maps each DB ResourceGroupID to a list of UserGroupIDs with flags that indicate whether the policy that relates each pair is an allow or deny policy.
DBResourcesTreeFile: Describes the resource groups tree as a flattened array. Maps each DB ResourceGroupID to a list of ResourceGroupIDs for parent information sets.

User Identification Information

DBIPRangesFile: IP Ranges data. Maps from IPRangeDefID to the IP range data.
DBDomainsFile: IP Domain data. Maps from DomainDefID to the IP domain data.
DBCertificatesFile: Certificate data. Maps from CertificateDefID to the certificate data.
DBWindowsIDFile: Windows ID data. Maps from WindowDefID to the Windows ID data.
DBSmartCardIDFile: Smart card (authentication token) data. Maps from SmartcardDefID to the authentication token data.
DBIPRangesByUserGroupFile: Relates IP range matching criteria to user groups. Maps from IP Range data to UserGroupIDs.
DBDomainsByUserGroupFile: Relates IP domain matching criteria to user groups. Maps from IP Domain data to UserGroupIDs.
DBCertificatesByUserGroupFile (2101): Relates certificates to user groups. Maps from certificate data to UserGroupIDs.
DBWindowsIDByUserGroupFile: Relates Windows IDs to user groups. Maps from Windows ID data to UserGroupIDs.
DBSmartCardIDByUserGroupFile: Relates Smart Card (authentication token) data to user groups. Maps from authentication token data to UserGroupIDs.

Fig. 23B (Sheet 28 of 31)

Servers, Services, and Information Resources

DBResourcesByServerIDFile: Relates servers to resources. Maps from ServerIDs to ResourceIDs for resources held on the server identified by the ServerID.
DBResourcesByServiceIDFile: Relates services to resources. Maps from ServiceIDs to ResourceIDs for resources belonging to the service identified by the ServiceID.
DBResourceIDByServiceIDFile: Relates services to their information resources. Maps from ServiceID to ResourceID.
DBResourceIDByNameFile: Relates the IP names (URLs) of resources to resource IDs. Maps from URL to resource ID.
DBServerIDByNameFile: Relates IP names to servers. Maps the IP FQDN (fully qualified domain name) for each server to its ServerID.
DBIPAndTypeByServerIDFile: Relates servers to their locations inside or outside to the VPN. Maps ServerID to the server's IP address and a flag indicating whether the address is inside or outside the VPN.
DBResourcesByResourceIDFile: Relates resources to information sets. Maps ResourceID to ResourceGroupIDs.

Servers, Services, IP Information, and Proxies 2319

DBServerIDByIPFile: Relates IP addresses to servers. Maps IP addresses to ServerIDs.
DBServiceIDByPortFile: Relates services to their port numbers. Maps from ServiceID to port number.
DBServiceIDByServerIDFile: Relates servers to ports for services. Maps from ServerID to a list of port numbers.
DBServicePortToProxyPortFile: Relates service ports to the ports for their proxies. Maps from service port number to proxy port number.
DBProxyIDByServerIDFile: Relates servers to service proxies. Maps from ServerID to ProxyDefID.
DBProxyParametersFile: Relates proxies to configuration data for the proxies. Maps from ProxyDefID to options data.

Fig. 23C (Sheet 29 of 31)

MMF File Name: Contents

Access Filter Information

DBAttachedNetworksByIPFile: Relates network interfaces in the access filters to information for the interfaces. Maps from the interface's IP address to interface information.
DBAttachedNetworksByServerIDFile: Relates access filters to their network interfaces. Maps from ServerID for the access filter to interface information.
DBRoutingTableFile: Describes the IP routing information for all of the access filters. One block of information.
DBRoutingTableByServerIDFile: Relates access filters to their IP routing information. Maps from ServerID for the access filter to IP routing information.
DBPointToPointFile: Relates a point-to-point description of a network path to data for the path. Maps from PointToPointID for the path to the associated data.
DBTrustTableFile: Implements the SEND table. Maps from TrustDefID, indicating a trust level, to AuthenticationIDs for user identification techniques and EncryptionIDs for encryption techniques.
DBCertificateAuthoritiesFile: Relates identifiers for certificate authorities to their data. Maps from CertificateAuthorityID to associated data.
DBTrustAuthenticationsFile: Relates AuthenticationIDs to information about identification techniques. Maps from AuthenticationID to identification technique information.
DBTrustEncryptionsFile: Relates EncryptionIDs to information about encryption techniques. Maps from EncryptionID to encryption type and strength information.
DBJavaSiteTable: Maps from names of locations to LocationIDs.
DBJavaResourceTable: Maps from URLs of resources to their ResourceIDs, LocationIDs, and hidden flags.
DBJavaResourcesSetTable: Maps from names of information sets to ResourceGroupIDs, a list of ResourceIDs for all resources contained in the information set, and a list of ResourceGroupIDs for all of the information set's parents.

Fig. 24 (Sheet 30 of 31). Legible labels: ACCESS FILTER 203(c); SERVICES 2425; SERVICE PROXIES 2427; IP FILTER 2419; INTRA-MAP DISPLAY 1801; WEB BROWSER 2429.

Fig. 25 (Sheet 31 of 31). Legible labels: SECURITY OFFICER; POLICY MAKER; POLICY FOR ENG. DATA. Legend: ADMINISTRATIVE POLICY; POLICY MAKER POLICY; ACCESS POLICY.

DISTRIBUTED ADMINISTRATION OF ACCESS TO INFORMATION

CROSS REFERENCE TO RELATED PATENT APPLICATIONS

The present patent application claims priority from the provisional applications No. 60/093,542, Schneider, et al., Distributed Network Security, filed Mar. 10, 1997, and No. 60/040,262, Schneider, et al., Secure Electronic Network Delivery, also filed Mar. 10, 1997. The present patent application is further one of four patent applications that have the same Detailed Description and assignee as the present patent application and are being filed on the same date. The four applications are:

U.S. Ser. No. 09/034,507, David Schneider, et al., Distributed administration of access to information;

U.S. Ser. No. 09/034,503, David Schneider, et al., User interface for accessing information, now abandoned;

U.S. Ser. No. 09/034,576, David Schneider, et al., Secure delivery of information in a network, issued Jan. 23, 2001 as U.S. Pat. No. 6,178,505; and

U.S. Ser. No. 09/034,587, David Schneider, et al., Scalable access filter, issued Aug. 15, 2000 as U.S. Pat. No. 6,105,027, David Schneider, et al., Techniques for eliminating redundant access checking by access filters.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates generally to control of access to data and relates more specifically to control of access to data in a distributed environment.

2. Description of Related Art

The Internet has revolutionized data communications. It has done so by providing protocols and addressing schemes which make it possible for any computer system anywhere in the world to exchange information with any other computer system anywhere in the world, regardless of the computer system’s physical hardware, the kind of physical network it is connected to, or the kinds of physical networks that are used to send the information from the one computer system to the other computer system. All that is required for the two computer systems to exchange information is that each computer system have an Internet address and the software necessary for the protocols and that there be a route between the two machines by way of some combination of the many physical networks that may be used to carry messages constructed according to the protocols.

The very ease with which computer systems may exchange information via the Internet has, however, caused problems. On the one hand, it has made accessing information easier and cheaper than it ever was before; on the other hand, it has made it much harder to protect information. The Internet has made it harder to protect information in two ways:

It is harder to restrict access. If information may be accessed at all via the Internet, it is potentially accessible to anyone with access to the Internet. Once there is Internet access to information, blocking skilled intruders becomes a difficult technical problem.

It is harder to maintain security en route through the Internet. The Internet is implemented as a packet switching network. It is impossible to predict what route a message will take through the network. It is further impossible to ensure the security of all of the switches, or to ensure that the portions of the message, including those which specify its source or destination, have not been read or altered en route.

FIG. 1 shows techniques presently used to increase security in networks that are accessible via the Internet. FIG. 1 shows network 101, which is made up of two separate internal networks 103(A) and 103(B) that are connected by Internet 111. Networks 103(A) and 103(B) are not generally accessible, but are part of the Internet in the sense that computer systems in these networks have Internet addresses and employ Internet protocols to exchange information. Two such computer systems appear in FIG. 1 as requestor 105 in network 103(A) and server 113 in network 103(B). Requestor 105 is requesting access to data which can be provided by server 113. Attached to server 113 is a mass storage device 115 that contains data 117 which is being requested by requestor 105. Of course, for other data, server 113 may be the requestor and requestor 105 the server. Moreover, access is to be understood in the present context as any operation which can read or change data stored on server 113 or which can change the state of server 113. In making the request, requestor 105 is using one of the standard TCP/IP protocols. As used here, a protocol is a description of a set of messages that can be used to exchange information between computer systems. The actual messages that are sent between computer systems that are communicating according to a protocol are collectively termed a session. During the session, requestor 105 sends messages according to the protocol to server 113’s Internet address and server 113 sends messages according to the protocol to requestor 105’s Internet address. Both the request and response will travel between internal network 103(A) and 103(B) by Internet 111. If server 113 permits requestor 105 to access the data, some of the messages flowing from server 113 to requestor 105 in the session will include the requested data 117. The software components of server 113 which respond to the messages as required by the protocol are termed a service.

If the owner of internal networks 103(A and B) wants to be sure that only users of computer systems connected directly to networks 103(A and B) can access data 117 and that the contents of the request and response are not known outside those networks, the owner must solve two problems: making sure that server 113 does not respond to requests from computer systems other than those connected to the internal networks and making sure that people with access to Internet 111 cannot access or modify the request and response while they are in transit through Internet 111. Two techniques which make it possible to achieve these goals are firewalls and tunneling using encryption.

Conceptually, a firewall is a barrier between an internal network and the rest of Internet 111. Firewalls appear at 109(A) and (B). Firewall 109(A) protects internal network 103(A) and firewall 109(B) protects internal network 103(B). Firewalls are implemented by means of a gateway running in a computer system that is installed at the point where an internal network is connected to the Internet. Included in the gateway is an access filter: a set of software and