|Publication number||US20050086540 A1|
|Application number||US 10/984,612|
|Publication date||Apr 21, 2005|
|Filing date||Nov 9, 2004|
|Priority date||Apr 25, 2001|
|Also published as||US6885388, US20020158904|
|Publication number||10984612, 984612, US 2005/0086540 A1, US 2005/086540 A1, US 20050086540 A1, US 20050086540A1, US 2005086540 A1, US 2005086540A1, US-A1-20050086540, US-A1-2005086540, US2005/0086540A1, US2005/086540A1, US20050086540 A1, US20050086540A1, US2005086540 A1, US2005086540A1|
|Inventors||Carl Gunter, Thomas Remaley, David Ruggieri|
|Original Assignee||Probaris Technologies, Inc.|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (80), Referenced by (35), Classifications (4)|
|External Links: USPTO, USPTO Assignment, Espacenet|
1. Field of the Invention
The present invention is directed generally to methods and systems for managing access to services and, more particularly in some embodiments, to methods and systems for managing access to services utilizing a personal area network to ensure security of the services.
2. Description of the Background
The Internet in general, and the World Wide Web in particular, provide an excellent capability for distributing information widely. However, information that needs to be distributed in a controlled manner on the Internet must be placed under an access control system. Such systems require careful management to preserve adequate security. One prior art method for attempting to preserve such security is to protect access through use of passwords. However, passwords are often forgotten or exposed, thereby making management of passwords cumbersome and insecure. Another prior art method for attempting to preserve such security is based on public keys. However, this method assumes a satisfactory (i.e., secure) method for distributing the public keys; to do so over the Internet is cumbersome. Thus, there exists a need for a method and system for preserving adequate security of information to be distributed under these circumstances.
Personal Digital Assistants (“PDAs”) are one type of mobile computer that provide small size and weight by accepting constraints on other features. Such limits involve size and quality of display, size and speed of memory, processing speed, longevity and expense of power supply, nature and quality of data entry facilities, and availability and quality of network connectivity. Personal area networking (“PAN”) is a family of networking technologies that can be used for wireless communication in the vicinity of an individual carrying a mobile computer with PAN capabilities. Many PDAs currently provide PAN using infrared light.
While PDAs are convenient at meetings for keeping notes, to-do lists, calendar events, and updating contact lists, they are limited in their ability to carry and transmit content and offer other services. A large document may not fit within the memory of a PDA. Available network connectivity may be inadequate to convey the document in a reasonable amount of time. Limits on PDA screen size may make the receiving device unsuitable for viewing the document. Moreover, it is often useful to provide network content distribution device functions more general than document access, and PDAs are inappropriate for providing most services of this kind. Thus, there exists a need for a system that capitalizes on the strengths of PDAs but also accounts for their shortcomings.
The present invention solves the problems encountered by the prior art systems and methods. PDAs or other devices with PAN capabilities provide an avenue of secure distribution of information since they can be used in face-to-face meetings where certain security considerations can be addressed by personal presence. Using such devices and PAN to pass pointers (such as URLs or URIs) to content and services rather than the content and services themselves can address the problems present in the prior art. That is, these devices can be used to pass information at meetings about how to obtain desired content and services on the public Internet or other network. This will even enable content that does not yet exist (meeting minutes, for example) or is changing over time to be adequately communicated at the time of the meeting. The content and services can be obtained by the device itself if its connectivity and viewing capabilities are adequate, or they can be obtained with a more capable system (like a desktop workstation) that gets pointers from the device by docking synchronization or other communication. This approach can simultaneously address security concerns by using PAN to convey access credentials along with pointers to content and services. A method and system for accomplishing this with robust security and modest management overhead will facilitate secure and convenient distribution of sensitive content and services.
The present invention is directed to a method and system of automatically generating a list of participants physically present at a meeting, and distributing permission to the participants. During the meeting, identity and key information is collected from at least one participant using at least one first personal area network. The identity and key information is stored in a delegation device. After the identity and key information is stored, permission to access services is distributed to one or more of the participants over at least one second personal area network using the delegation device. The permission is represented using a digital signature. The first personal area network and the second personal area network may be the same or different. In some aspects of the invention, the delegation device comprises a personal digital assistant. In other aspects of the invention, the permission comprises the authority to delegate one or more further permissions to subsequent delegatees via electronic mail or otherwise. The first and second personal area networks may comprise two or more devices that transmit data by infrared light waves or two or more devices that transmit data by digital short-range radio waves.
The present invention is also directed to a graphical user interface on a delegation device. The graphical user interface includes an access control matrix. The access control matrix includes one or more subject display areas for displaying subject information regarding one or more subjects physically present at a meeting and from whom identity and key information has been collected using at least one first personal area network. The identity and key information is stored on the delegation device. The access control matrix also includes one or more object display areas for displaying object information regarding one or more permissions to access services, for example, related to accessing content or actuating a device, represented by a digital signature. The permissions are distributed to the one or more subjects over at least one second personal area network using the delegation device. The access control matrix further includes one or more association display areas for displaying association information of the one or more subjects to the one or more permissions. In some aspects of the invention, the one or more association display areas comprise one or more access control display areas and, in other aspects of the invention, the one or more association display areas comprise one or more capabilities display areas. The first personal area network and the second personal area network may be the same or different. The delegation device, in some aspects of the invention, comprises a personal digital assistant.
The present invention is further directed to another type of graphical user interface on a delegation device. The graphical user interface includes one or more movable subject icons representing one or more subjects physically present at a meeting and from whom identity and key information has been collected using at least one first personal area network. The identity and key information is stored on the delegation device. The graphical user interface further includes one or more movable object icons relating to one or more permissions to access services, for example, related to accessing content or actuating a device. The permissions, represented by a digital signature, are distributed to the one or more subjects over at least one second personal area network using the delegation device. The subject icons are associated with the object icons by physically associating the two together. The first and second personal area networks may be the same or different.
The present invention solves problems associated with the prior art by providing a method for managing access to services under an access control system while preserving adequate security. Those and other advantages and benefits of the present invention will become apparent from the detailed description of the invention herein below.
The accompanying drawings, wherein like referenced numerals are employed to designate like parts or steps, are included to provide a further understanding of the invention, are incorporated and constitute a part of this specification, and illustrate embodiments of the invention that together with the description serve to explain the principles of the invention.
In the drawings:
Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings. It is to be understood that the figures and descriptions of the present invention included herein illustrate and describe elements that are of particular relevance to the present invention, while eliminating, for purposes of clarity, other elements.
Those of ordinary skill in the art will recognize that other elements are desirable and/or required in order to implement the present invention. However, because such elements are well known in the art, and because they do not facilitate a better understanding of the present invention, a discussion of such elements is not provided herein.
The systems and methods disclosed herein relate to managing and controlling access to services. Such services may involve the delivery of content (referring broadly to any object, data, documents, files, directories, text, software, computer applications or other information). In addition, and by way of example, such services may involve actuating a device that, for example, turns on an engine or opens a lock. The services may be requested directly or indirectly through use of, for example, a mobile computer such as a PDA.
In step 102, publishing device 107 and delegation device 109 (such as a PDA) are synchronized, which includes the transfer of data relating to the service from publishing device 107 to delegation device 109. Such data may be a resource, such as a file or directory name or URL that provides the location of the service or information relating to the service on distribution device 108.
In step 103, a delegator delegates, using delegation device 109, a permission to a delegatee, using delegation receiving device 110. In the preferred embodiment, the permission provides the delegatee with authority to access the service and/or the authority to delegate additional permissions to one or more subsequent delegatees. In the preferred embodiment, the delegation of the permission occurs over an ad hoc network in a personal area network (typically, though not necessarily, within one room) while physical presence exists between the delegator and the delegatee. An ad hoc network refers to any network that is formed by two or more mobile computers that come into contact with each other. Such a network is formed without use of a base station and without a preconfigured infrastructure. For example, one or more delegators may attend a meeting with one or more potential delegatees at which each individual is physically present. Each delegator will have a delegation device, such as a PDA, and each delegatee involved in the exchange will have a delegation receiving device, such as a PDA or lap top computer. Verification of each delegatee is performed by virtue of such delegatee's physical presence within the personal area network.
In step 104, delegation receiving device 110 is, in some embodiments, synchronized with receiving device 111. In this step, data representing the permission delegated to the delegatee in step 103 on delegation receiving device 110 is synchronized with data on receiving device 111.
In step 105, receiving device 111, such as a personal computer, makes a request, electronically via a computer network (different from the personal area network referred to with reference to step 103), to distribution device 108 (which has stored and/or has access to the service or information relating to the service placed by publishing device 107 in step 101), to view and/or access the service or related information. The request may include data representing the identity/location of the service or information relating to the service (such as a file or directory name or URL), credential information, including the identity and public key information of the requestor (used for authentication), and the nature and extent of the permission delegated (used for authorization). The credential information may be supported using secure socket layer (“SSL”) protocol. Distribution device 108 reviews the request, including the credential information, and determines whether the requestor is entitled to access the service. Access will be provided if, in one example, it is determined that the requestor has the private key required to access the service.
If distribution device 108 determines that the requestor is entitled to access the service, in step 106, the distribution device 108 provides the receiving device 111 with access to the service over a computer network (in one embodiment different from the personal area network referred to in step 103).
Distribution system 240 includes administrative server 218, which, in some embodiments, performs systems administration functions, such as allowing users to open accounts; revoking permissions if, for example, a key is compromised; and allowing a systems administrator to review logs.
Also included in distribution system 240 is distribution database 219. Information relating to the service, which is published via publishing system 201 and stored in database 203, may also be transmitted to distribution system 240 via publishing link 281 to web server 220 and stored in distribution database 219. This activity corresponds to step 101 shown in
With further reference to
Publishing system 201 also includes synchronization manager 208, which allows for synchronization of certain data related to public keys, delegations, permissions and pregenerated data (to be used in connection with creating an electronic signature). Synchronization manager 208 includes public key database synchronization module 208A, delegation database synchronization module 208B, permission database synchronization module 208C and signature pregenerator module 208D. Synchronization manager 208 electronically synchronizes, by way of synchronization network 290, public key database 205, delegation database 206, and permission database 207 of the publishing system 201 with public key database 209, delegation database 210, and permission database 211, of mobile permissions manager 226, respectively. Synchronization network 290 may, in some embodiments, be created by placing mobile permissions manager 226 (such as a PDA) in a docking cradle that is connected electronically to publishing system 201 (such as a personal computer). With reference to
Mobile permissions manager 226 further comprises public key database manager 213, delegation database manager 214, permission database manager 215 and pregenerated data manager 270, each of which manage portions of the data representing credential information relating to permissions. In particular, each manager interfaces to manage its respective database when an operation must be performed with respect to each such database. Public key database manager 213, delegation database manager 214, permission database manager 215 and pregenerated data manager 270 of mobile permissions manager 226 are coupled to communications mechanism 217, which allows the user to receive output from another delegation device (such as remote device 228) and provide input to other delegation receiving devices (such as remote device 228). Communications mechanism 217 is a digital data interface (for example, an infrared port or other antenna) that allows for wireless electronic communication with other delegation devices. In addition, public key database manager 213, delegation database manager 214, and permission database manager 215 are coupled to user interface 216, which allow a user to view and control certain activities occurring within mobile permissions manager 226. Pregenerated data manager 270 may, in some embodiments, be coupled to user interface 216.
Thus, a delegator who wishes to delegate a permission may do so by way of system 200. The delegator may define who may access the services at publisher 202; this may be, in an exemplary embodiment, a specific individual or any individual that requests access and has the specified private key corresponding to the appropriate public key. Information relating to the service is transferred by way of publisher 202 via publishing link 281 and stored at web server 220 (corresponding to step 101 of
While the embodiment described with reference to
In a typical implementation, the permission chain is represented as an ASN. 1 (“Abstract Syntax Notation One”) sequence and encoded as an octet string using DER (“Data Encoding Rules”) as shown in
With reference to
To construct permission chain 6 intended for delegation to a second delegatee, the first delegatee, now the second delegator, encodes the appropriate permission in permission link component 8, and creates Signature 9 by signing content represented by DER octet string 10, which is the string from permission chain 1 through permission link component 8. Permission link component 8 must minimally consist of the public key of the second delegatee. Other data in permission link component 8 is optional but must represent the same or less permission as presented in the previous chain, permission link component 3.
The second delegatee, now the third delegator, uses the same technique to construct permission chain 11 for delegation to the third delegatee.
To gain access to a resource identified in permission link components 13, 8, and 3, the third delegatee must present permission chain 11 to the appropriate authority and prove to the authority that he or she holds the private key that corresponds to the public key indicated in permission link component 13. The authority must also validate the authenticity of permission chain 11 before granting access to the resource.
To validate the authenticity of permission chain 11, the authority must verify signatures 4, 9, and 14 against content 5, 10, and 15, respectively. The verification process will determine if the private key corresponding to an appropriate public key was used to sign the content in question. The appropriate public key for a signature is the delegatee (subject) public key indicated in the previous permission link component. If there is no previous permission link component, then the appropriate public key is the delegator (source) public key indicated in the current permission link component. Therefore, the appropriate public key for signature 14 is the subject public key in permission link component 8. For signature 9, it is the subject public key in permission link component 3. For signature 4, it is the source public key in permission link component 3.
Next, the authority must verify that the permission data (such as the URL or URI, delegatee, read, write, and time range) presented in each permission link component represents the same or less permission as such presented in the previous permission link component. For example, in a typical implementation, if the URL in permission link component 3 is http://company.com/resource, and the URL in permission link component 8 is http://company.com/resource/subresource then the authority will determine that the URL in permission link component 8 represents less permission than the URL in permission link component 3, since access to http://company.com/resource implies access to http://company.com/resource/subresource. The rules defining implied access may vary in other embodiments of the invention.
Finally, the authority must verify that the delegator (source) public key indicated in the permission link component 3 has permission to delegate access to the resource identified by permission chain 11. This permission information is typically accessible to the authority via means other than the permission chain itself. For example, the source public key may be listed in an ACL (“Access Control List”) in a database accessible to the authority.
Given that the creation of a digital signature requires calculation of parameters that are the result of modular arithmetic and exponentiation of very large numbers, in some embodiments, the delegator may wish to pregenerate certain data relating to the digital signature, rather than generating such data on the mobile permissions manager 226 at the time the delegator seeks to delegate the permission. Generating such data on the mobile permissions manager 226 may be time consuming given that it is a constrained device (i.e., slow speed, little memory etc.). Such activities can be performed more efficiently on, for example, a personal computer. These pregenerated values represent at least a portion of data required to create a digital signature. They typically consist of the values referred to as “r”, “k”, and the “k−1”, in the DSA standard, FIPS 186-2, Section 4, and can be generated as described in FIPS 186-2, Appendix 3.2. Multiple sets of these parameters, one set per digital signature, can be generated by the signature pregenerator module 208D during synchronization with the mobile permissions manager 226, without prior knowledge of the service to which a signature will eventually be applied. The data does not need to be stored in synchronization manager 208 except in a temporary buffer during the brief time period after generation and before synchronization. Data representing the pregenerated values can be synchronized by way of signature pregenerator module 208D of synchronization manager 208 with mobile permissions manager 226 and stored in pregenerated data buffer 212. Then, upon the performance of a DSA signature operation on mobile permissions manager 226 using pregenerated data manager 270, the digital signature can be completed and the permission delegated.
Remote device 228, on which the permission has been stored, may then be used to gain access to the service. This similarly can be shown with reference to
Thus, a device, such as mobile permissions manager 226, on which a permission has been stored, for example in permission database 211, can be used in connection with accessing services. Mobile permissions manager 226 is synchronized with publishing system 201 (for example, a personal computer) such that data representing the permission in permission database 211 can be synchronized with data stored in permission database 207 by permission database synchronization module 208C (corresponding to step 104 in
Once synchronized, viewer 224 of publishing system 201 can be used to make a request (electronically) by way of browser 225 to access the service (corresponding to step 105 in
In some embodiments, in addition to or in lieu of seeking to obtain access to the service, the delegatee delegates permission obtained from the delegator to a subsequent delegatee. This may be accomplished using PAN or, in alternative embodiments, may be accomplished by sending the permission via electronic mail using desktop permission manager 204.
In one example in which the present invention may be utilized, the delegator may attend a meeting with individuals to whom the delegator wishes to provide access to a service. For example, the delegator may have created confidential documents related to a business transaction. Alternatively, the delegator may be in charge of assembling particular documents relating to a business transaction. In this alternative scenario, the delegator has not necessarily created the content himself or herself but, instead, has permission to access content created by others. Upon physically meeting with associates involved in the business transaction, the delegator may wish to allow the associates to have access to such documents. In this example, each of the meeting participants participating in the exchange has a device capable of creating a PAN, such as a PDA. The delegation device may be any device, such as a mobile computer, that is capable of creating an ad hoc network with another device and that has the ability to control delegation, including delegating electronic permissions. Thus, for example, a cellular telephone that has PAN capabilities could serve as a delegation device or a delegation receiving device.
As shown with reference to
With reference to
Thus, with reference to
In some embodiments, the delegator verifies the identity and key information through physical presence of the delegates and, in addition, may do so through a third party verification service, such as VeriSign. In other embodiments, physical presence of the delegatee is the only verification method. In an alternate embodiment, key information is received from a delegatee over a computer network. A hash of the key is taken and the hash is verbally confirmed with the delegatee to ensure that the key has been correctly delivered to the delegator from the delegatee. Permission to access the service is delegated by a delegator to the delegatee, wherein the permission is represented using a digital signature. After that, the delegates is provided access to the service.
Delegation device 401 may, in some embodiments, include a receiver that is capable of processing global positioning system (“GPS”) signals. In this embodiment, data relating to the location of the delegation device (identified by the GPS receiver) at the time the permission is delegated to the delegatee may be bound to the permission in the manner described, for example, with reference to
An exemplary embodiment of portion of a system that includes this functionality is shown with reference to
The embodiment of the present invention in which mobile permissions manager 226 includes GPS functionality has many advantages. One advantage of this embodiment is that the delegator may control access to services based on the location at which the permission was delegated. By way of example, the delegator may revoke one or more permissions delegated at a particular location. Another advantage is that delegation information may be monitored based on the location at which the permission was delegated. For example, for marketing purposes, a delegator may want to determine the locations at which permissions are being delegated. In another example, a delegator may want to determine the locations at which certain permissions were delegated to determine whether such delegations comply with certain legal restrictions or requirements.
In one particularly advantageous embodiment of the present invention, a list of participants physically present at a meeting may be generated, and permission distributed to the participants, automatically. For example, with reference to
There are various ways to identify permissions to be delegated to various delegatees and permissions previously delegated to delegatees during a meeting such as that described with reference to
GUI 403 may be capable of displaying an access control matrix, such as that shown with reference to
With reference to
In the preferred embodiment, once a delegatee has obtained permission and the permission has been stored on, for example, the delegatee's PDA, the delegatee may synchronize its PDA with its personal computer, thereby transmitting data representing the permissions to the personal computer, as described above with reference to
The request includes certain credential information that is required in order for the requestor to be permitted access to the service. The credential information may include identity and key information and permission information relating to the service. The credential information may be transmitted by various credential transmission mechanisms. The credential transmission mechanism must be capable of sending the credentials from the browser to the web server. In the preferred embodiment, the credential information is sent as part of a header within an HTTP request.
Thus, for example, with reference to
Assuming the credential information is accepted, and the delegates is permitted to access the service, the service may be sent to the delegatee over a computer network. In the preferred embodiment, this computer network used to access the service may be different from the personal area network, and may be, in some embodiments, a public network such as the Internet. In other embodiments, the computer network is, a personal area network. In some instances, the delegatee may be denied access to the service. This may occur if, for example, the permission granted by the delegator was limited in duration and the delegatee attempted to access the service after the permission had expired. In another example, the delegator may have revoked permissions delegated at the location (identified, for example, by a GPS receiver) at which the delegatee's permission was delegated.
In some embodiments, the services that the delegatee has received permission to access are related to the actuation of a device. For example, the delegatee may seek permission from a delegator to open a door, thereby gaining access to a building, or to start a motor. With reference to
It will be understood by those skilled in the art that the present invention can be used to control access to any number of different services, including obtaining access to services that involve control of any computerized device.
Having discussed the systems of and apparatus used in connection with the present invention, the methods of the present invention will now be discussed with reference to
With reference to
With reference to
With reference to
With reference to
With reference to
With reference to
With reference to
With reference to
While the invention has been described in detail and with reference to specific embodiments thereof, it will be apparent to one skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope thereof. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US1690 *||Jul 15, 1840||Plamtng-machibte|
|US4831 *||Oct 29, 1846||Tailor s measure|
|US7317 *||Apr 30, 1850||Keed musical instbument|
|US25300 *||Aug 30, 1859||Himself And H||Seth boyden|
|US32626 *||Jun 25, 1861||Improved machine for detaching the short fibers from cotton-seed|
|US49675 *||Aug 29, 1865||Improvement in inclinometers|
|US53247 *||Mar 13, 1866||Improved process for disintegrating fibers|
|US84296 *||Nov 24, 1868||Titus and Bostwick||Improvement in seeding-machines|
|US128903 *||Jul 9, 1872||X||Gobtolf f|
|US129106 *||Jul 16, 1872||Improvement in type-casting machines|
|US162019 *||Apr 13, 1875||Improvement in elastic seams for garments|
|US523012 *||Nov 15, 1893||Jul 17, 1894||Henry sewrey|
|US4816655 *||Dec 9, 1986||Mar 28, 1989||Centre D'etude De L'energie Nucleaire, "C.E.N."||Method and apparatus for checking the authenticity of individual-linked documents and the identity of the holders thereof|
|US4868877 *||Feb 12, 1988||Sep 19, 1989||Fischer Addison M||Public key/signature cryptosystem with enhanced digital signature certification|
|US5214702 *||May 13, 1992||May 25, 1993||Fischer Addison M||Public key/signature cryptosystem with enhanced digital signature certification|
|US5220604 *||Sep 28, 1990||Jun 15, 1993||Digital Equipment Corporation||Method for performing group exclusion in hierarchical group structures|
|US5261002 *||Mar 13, 1992||Nov 9, 1993||Digital Equipment Corporation||Method of issuance and revocation of certificates of authenticity used in public key networks and other systems|
|US5299263 *||Mar 4, 1993||Mar 29, 1994||Bell Communications Research, Inc.||Two-way public key authentication and key agreement for low-cost terminals|
|US5315657 *||Sep 28, 1990||May 24, 1994||Digital Equipment Corporation||Compound principals in access control lists|
|US5339403 *||Apr 5, 1993||Aug 16, 1994||International Computers Limited||Access control in a distributed computer system|
|US5412717 *||May 15, 1992||May 2, 1995||Fischer; Addison M.||Computer system security method and apparatus having program authorization information data structures|
|US5412727 *||Jan 26, 1994||May 2, 1995||Drexler Technology Corporation||Anti-fraud voter registration and voting system using a data card|
|US5455953 *||Nov 3, 1993||Oct 3, 1995||Wang Laboratories, Inc.||Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket|
|US5475758 *||Jan 19, 1994||Dec 12, 1995||Fujitsu Limited||User authenticating system and method in wide area distributed environment|
|US5495533 *||Apr 29, 1994||Feb 27, 1996||International Business Machines Corporation||Personal key archive|
|US5530235 *||Feb 16, 1995||Jun 25, 1996||Xerox Corporation||Interactive contents revealing storage device|
|US5542046 *||Jun 2, 1995||Jul 30, 1996||International Business Machines Corporation||Server entity that provides secure access to its resources through token validation|
|US5577120 *||May 1, 1995||Nov 19, 1996||Lucent Technologies Inc.||Method and apparatus for restrospectively identifying an individual who had engaged in a commercial or retail transaction or the like|
|US5583993 *||Jan 31, 1994||Dec 10, 1996||Apple Computer, Inc.||Method and apparatus for synchronously sharing data among computer|
|US5615268 *||Jan 17, 1995||Mar 25, 1997||Document Authentication Systems, Inc.||System and method for electronic transmission storage and retrieval of authenticated documents|
|US5649099 *||Jun 4, 1993||Jul 15, 1997||Xerox Corporation||Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security|
|US5659616 *||Jul 16, 1996||Aug 19, 1997||Certco, Llc||Method for securely using digital signatures in a commercial cryptographic system|
|US5659617 *||Sep 22, 1994||Aug 19, 1997||Fischer; Addison M.||Method for providing location certificates|
|US5689642 *||Nov 22, 1995||Nov 18, 1997||Xerox Corporation||Recipient prioritized communication channel profiles|
|US5694471 *||Aug 3, 1994||Dec 2, 1997||V-One Corporation||Counterfeit-proof identification card|
|US5754654 *||Nov 16, 1995||May 19, 1998||Hitachi, Ltd||Electronic ticket vending system and method thereof|
|US5757920 *||Mar 13, 1997||May 26, 1998||Microsoft Corporation||Logon certification|
|US5761309 *||Aug 29, 1995||Jun 2, 1998||Kokusai Denshin Denwa Co., Ltd.||Authentication system|
|US5784463 *||Dec 4, 1996||Jul 21, 1998||V-One Corporation||Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method|
|US5805846 *||Nov 21, 1996||Sep 8, 1998||International Business Machines Corporation||System and method for dynamically sharing an application program among a plurality of conference devices while maintaining state|
|US5872841 *||Nov 14, 1996||Feb 16, 1999||Siemens Information And Comunication Newtworks, Inc.||Apparatus and method for scheduling a telephone call|
|US5872848 *||Feb 18, 1997||Feb 16, 1999||Arcanvs||Method and apparatus for witnessed authentication of electronic documents|
|US5901284 *||Jun 19, 1996||May 4, 1999||Bellsouth Corporation||Method and system for communication access restriction|
|US5903882 *||Dec 13, 1996||May 11, 1999||Certco, Llc||Reliance server for electronic transaction system|
|US5933498 *||Nov 5, 1997||Aug 3, 1999||Mrj, Inc.||System for controlling access and distribution of digital property|
|US5943423 *||Dec 15, 1995||Aug 24, 1999||Entegrity Solutions Corporation||Smart token system for secure electronic transactions and identification|
|US5949414 *||Oct 28, 1997||Sep 7, 1999||Canon Kabushiki Kaisha||Window control with side conversation and main conference layers|
|US5960085 *||Apr 14, 1997||Sep 28, 1999||De La Huerga; Carlos||Security badge for automated access control and secure data gathering|
|US5978484 *||Apr 25, 1996||Nov 2, 1999||Microsoft Corporation||System and method for safety distributing executable objects|
|US5999208 *||Jul 15, 1998||Dec 7, 1999||Lucent Technologies Inc.||System for implementing multiple simultaneous meetings in a virtual reality mixed media meeting room|
|US6003014 *||Aug 22, 1997||Dec 14, 1999||Visa International Service Association||Method and apparatus for acquiring access using a smart card|
|US6031904 *||Jun 19, 1997||Feb 29, 2000||Nortel Networks Corporation||Service order mechanism for telephone subscriber|
|US6061448 *||Apr 1, 1997||May 9, 2000||Tumbleweed Communications Corp.||Method and system for dynamic server document encryption|
|US6138235 *||Jun 29, 1998||Oct 24, 2000||Sun Microsystems, Inc.||Controlling access to services between modular applications|
|US6144997 *||Oct 28, 1998||Nov 7, 2000||Xerox Corporation||System and method for accessing and distributing electronic documents|
|US6161139 *||Feb 12, 1999||Dec 12, 2000||Encommerce, Inc.||Administrative roles that govern access to administrative functions|
|US6212634 *||Nov 15, 1996||Apr 3, 2001||Open Market, Inc.||Certifying authorization in computer networks|
|US6216116 *||Apr 14, 1999||Apr 10, 2001||Diversinet Corp.||System and method for handling permits|
|US6256733 *||Jun 30, 1999||Jul 3, 2001||Entrust Technologies Limited||Access and storage of secure group communication cryptographic keys|
|US6282183 *||Jun 25, 1998||Aug 28, 2001||Motorola, Inc.||Method for authorizing couplings between devices in a capability addressable network|
|US6285991 *||Dec 13, 1996||Sep 4, 2001||Visa International Service Association||Secure interactive electronic account statement delivery system|
|US6301263 *||Mar 24, 1999||Oct 9, 2001||Qualcomm Inc.||Method and apparatus for providing fair access in a group communication system in which users experience differing signaling delays|
|US6343313 *||Mar 25, 1997||Jan 29, 2002||Pixion, Inc.||Computer conferencing system with real-time multipoint, multi-speed, multi-stream scalability|
|US6343361 *||Nov 13, 1998||Jan 29, 2002||Tsunami Security, Inc.||Dynamic challenge-response authentication and verification of identity of party sending or receiving electronic communication|
|US6347373 *||Nov 6, 1998||Feb 12, 2002||Koninklijke Kpn N.V.||Method and device for the protected storage of data from message traffic|
|US6367009 *||Dec 17, 1998||Apr 2, 2002||International Business Machines Corporation||Extending SSL to a multi-tier environment using delegation of authentication and authority|
|US6393565 *||Aug 3, 1998||May 21, 2002||Entrust Technologies Limited||Data management system and method for a limited capacity cryptographic storage unit|
|US6411605 *||Jul 8, 1998||Jun 25, 2002||Qwest Communications International, Inc.||Scheduler for telecommunications bridge|
|US6429773 *||Oct 31, 2000||Aug 6, 2002||Hewlett-Packard Company||System for remotely communicating with a vehicle|
|US6430688 *||Dec 22, 1998||Aug 6, 2002||International Business Machines Corporation||Architecture for web-based on-line-off-line digital certificate authority|
|US6438600 *||Jan 29, 1999||Aug 20, 2002||International Business Machines Corporation||Securely sharing log-in credentials among trusted browser-based applications|
|US6446253 *||Mar 19, 1999||Sep 3, 2002||Novell, Inc.||Mechanism for achieving transparent network computing|
|US6560581 *||Jun 8, 1998||May 6, 2003||Visa International Service Association||System and method for secure electronic commerce transaction|
|US6567075 *||Mar 19, 1999||May 20, 2003||Avaya Technology Corp.||Feature access control in a display-based terminal environment|
|US6577949 *||Nov 22, 2000||Jun 10, 2003||Navigation Technologies Corp.||Method and system for exchanging routing data between end users|
|US6601102 *||Apr 1, 2002||Jul 29, 2003||Xerox Corporation||Secure token-based document server|
|US6601171 *||Feb 18, 1999||Jul 29, 2003||Novell, Inc.||Deputization in a distributed computing system|
|US6624827 *||Aug 4, 2000||Sep 23, 2003||Dae-Joon Hwang||Apparatus and method for locking or prohibiting access to designated object displayed on shared electronic whiteboard|
|US6651166 *||Apr 9, 1998||Nov 18, 2003||Tumbleweed Software Corp.||Sender driven certification enrollment system|
|US6711679 *||Mar 31, 1999||Mar 23, 2004||International Business Machines Corporation||Public key infrastructure delegation|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7643818||Nov 21, 2005||Jan 5, 2010||Seven Networks, Inc.||E-mail messaging to/from a mobile terminal|
|US7769400||Aug 11, 2008||Aug 3, 2010||Seven Networks International Oy||Connectivity function for forwarding e-mail|
|US7904101||Mar 8, 2011||Seven Networks International Oy||Network-initiated data transfer in a mobile network|
|US8010082||Oct 19, 2005||Aug 30, 2011||Seven Networks, Inc.||Flexible billing architecture|
|US8010560||Dec 21, 2007||Aug 30, 2011||Microsoft Corporation||Abducing assertion to support access query|
|US8127342||Sep 23, 2010||Feb 28, 2012||Seven Networks, Inc.||Secure end-to-end transport through intermediary nodes|
|US8209709||Jul 5, 2010||Jun 26, 2012||Seven Networks, Inc.||Cross-platform event engine|
|US8285200||Aug 9, 2010||Oct 9, 2012||Seven Networks International Oy||Maintaining an IP connection in a mobile network|
|US8316098||Nov 20, 2012||Seven Networks Inc.||Social caching for device resource sharing and management|
|US8352866 *||Jun 22, 2009||Jan 8, 2013||International Business Machines Corporation||Adapting a network topology|
|US8356080||Jan 15, 2013||Seven Networks, Inc.||System and method for a mobile device to use physical storage of another device for caching|
|US8549587||Feb 14, 2012||Oct 1, 2013||Seven Networks, Inc.||Secure end-to-end transport through intermediary nodes|
|US8561086||May 17, 2012||Oct 15, 2013||Seven Networks, Inc.||System and method for executing commands that are non-native to the native environment of a mobile device|
|US8607311||Dec 21, 2007||Dec 10, 2013||Microsoft Corporation||Delegation in logic-based access control|
|US8620858 *||Dec 28, 2005||Dec 31, 2013||Seven Networks International Oy||Database synchronization via a mobile network|
|US8731542||Mar 8, 2011||May 20, 2014||Seven Networks International Oy||Dynamic adjustment of keep-alive message intervals in a mobile network|
|US8811952||May 5, 2011||Aug 19, 2014||Seven Networks, Inc.||Mobile device power management in data synchronization over a mobile network with or without a trigger notification|
|US8831561||Apr 28, 2011||Sep 9, 2014||Seven Networks, Inc||System and method for tracking billing events in a mobile wireless network for a network operator|
|US8839344||Jan 28, 2008||Sep 16, 2014||Microsoft Corporation||Access policy analysis|
|US8868753||Dec 6, 2012||Oct 21, 2014||Seven Networks, Inc.||System of redundantly clustered machines to provide failover mechanisms for mobile traffic management and network resource conservation|
|US8874761||Mar 15, 2013||Oct 28, 2014||Seven Networks, Inc.||Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols|
|US8977755||Dec 6, 2012||Mar 10, 2015||Seven Networks, Inc.||Mobile device and method to utilize the failover mechanism for fault tolerance provided for mobile traffic management and network/device resource conservation|
|US9001746||Aug 20, 2010||Apr 7, 2015||Seven Networks, Inc.||Network-initiated data transfer in a mobile network|
|US9002828||Jan 2, 2009||Apr 7, 2015||Seven Networks, Inc.||Predictive content delivery|
|US9043433||May 25, 2011||May 26, 2015||Seven Networks, Inc.||Mobile network traffic coordination across multiple applications|
|US9043731||Mar 30, 2011||May 26, 2015||Seven Networks, Inc.||3D mobile user interface with configurable workspace management|
|US9047142||Dec 16, 2010||Jun 2, 2015||Seven Networks, Inc.||Intelligent rendering of information in a limited display environment|
|US9049179||Jan 20, 2012||Jun 2, 2015||Seven Networks, Inc.||Mobile network traffic coordination across multiple applications|
|US9055102||Aug 2, 2010||Jun 9, 2015||Seven Networks, Inc.||Location-based operations and messaging|
|US9060032||May 9, 2012||Jun 16, 2015||Seven Networks, Inc.||Selective data compression by a distributed traffic management system to reduce mobile data traffic and signaling traffic|
|US9065765||Oct 8, 2013||Jun 23, 2015||Seven Networks, Inc.||Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network|
|US9077630||Jul 8, 2011||Jul 7, 2015||Seven Networks, Inc.||Distributed implementation of dynamic wireless traffic policy|
|US9084105||Apr 19, 2012||Jul 14, 2015||Seven Networks, Inc.||Device resources sharing for network resource conservation|
|US9100873||Sep 14, 2012||Aug 4, 2015||Seven Networks, Inc.||Mobile network background traffic data management|
|US20090327902 *||Dec 31, 2009||International Business Machines Corporation||Adapting a Network Topology|