
WO2018128605A1 - Enhanced online computer access cybersecurity system - Google Patents

Enhanced online computer access cybersecurity system

Info

Publication number
WO2018128605A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
user
security
enhanced
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2017/012190
Other languages
English (en)
Inventor
Don E. SPRAGUE
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-01-04
Filing date
2017-01-04
Publication date
2018-07-12
2017-01-04: Application filed by Individual
2017-01-04: Priority to PCT/US2017/012190
2018-07-12: Publication of WO2018128605A1
Anticipated expiration (no date listed)
Current legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • This invention relates to the field of security of computers in a system/network. More specifically, the invention includes a broad access security system for restricting, enabling or otherwise managing access and changes to all system/network online computers that goes well beyond any existing computer security tools.
  • Firewalls have been implemented to prevent unwanted computer access. Since the early days of computer networks, code has been installed on computers to permit remote access or takeover. As business need increases, more code is installed to enable more ways to permit remote access or takeover.
  • The present invention removes existing code that permits human and machine access to computers. Then the invention installs new code to establish an access security system for local and remote online access by humans and by machine software.
  • The access security system addresses business needs while providing enhanced security.
  • The invention enables users and businesses to see and verify information about communication partners.
  • The invention enables users and businesses to control the installation and activation of code or applications on their devices when accessing web pages or clicking on links in email or files.
  • The invention enables users and companies to record common data, then reuse it as needed.
  • The following main security components interact to provide enhanced security to protect all system/network online computing devices. They are described in detail later.
  • This invention includes access security managers, and remote directory services databases that use human and computer to computer
  • Any user on any network can communicate with any other user on any other network when authorized.
  • The first part of this invention addresses machine or computer and software identification and access; then it addresses human
  • The access security manager, for applications not already installed on the user device: when a user clicks on a link or button in an email or file or on a web page that is intended to launch an application, the access security manager examines the activation request. If it is a request to run an application that is not on the computer, the access security manager checks the national database for known, approved or disapproved applications. Then the access security manager displays an application activation and installation request screen with detail about the application and the developer owner report from the remote national database.
  • The site or application data must be in layman's terms.
  • The user may click to allow or disallow the installation, or click to disallow and report a suspicious request to the online database, or click to report and label the application or site as "do not communicate". If the user approves the remote request to install and run an application, the user clicks to allow the application to install. Once installed, the user must again approve the run of the application. For enterprise owned devices, the enterprise database is checked for information about approved
  • The access security manager examines the application to be activated. If the software is already installed on the device, the access security manager uses upgraded methods of displaying information about the activation of an application and seeking user approval. The upgrading includes but is not limited to display of the application description and status that is in the national database. The access security manager enables the user to see detailed information in layman's terms about all installed and running applications.

c. SECURE DEVICE ACCESS FOR SECURE SINGLE LOGON
  • A secure logon to any system component may enable a user to access any other system component.
  • A network is essentially an extended system. Once a user has approved access to their system/network entry point, agreements between system/network components may enable the user to access all approved system/network components without additional legacy IDs and passwords.
  • Enhanced user-to-device access identification enables secure single logon to the local entry device, which securely communicates with remote sites and applications in a logical private system/network.
  • A single logon approach simplifies the management of IDs and passwords.
  • Single logon applications have been in use since the global network architecture of "any to any when authorized" began over 35 years ago.
  • One of the first single logon processes was in the service provider network. Most are in the user device. Although "any to any" has grown as designed, the security of "when authorized" has been left behind.
  • A system/network bidirectional computer-to-computer identification and logon makes legacy IDs and passwords obsolete.
  • Facial recognition and voice recognition add a significant level of security. A still shot for facial recognition and voice recognition are requirements for
  • Computers can manage large amounts of data better than a human. Any data that can be used electronically can be recorded and managed electronically. IDs and passwords can be securely recorded, managed and delivered electronically. Once the user has been securely identified, the computer can perform computer-to-computer identification tasks more efficiently and more securely than the human.
  • Bidirectional registration between a local user device and the remote target site or application is through the access security managers. Once the user is securely known to the local user device, a legacy password is superfluous.
  • The access security managers at both ends exchange and record component and user information. Both ends access and verify data in a remote national database with user, application and site information.
  • A bidirectional access code is computer-created, then encrypted and recorded at both ends for future access or logical private network connection. The access code is revoked if there are any changes to an end device.
  • The bidirectional conversational registration exchange establishes a logical system/network connection between the two ends that remains as long as there are no system/network changes that terminate the access code.
  • Secure network registration to Internet service providers and to the national database defined in this invention uses information that has been recorded in the user and enterprise site access security manager and is used over and over. That information includes: the end user's simple human-recognizable alias ID, real IP bit address, the end user's real name, company name if any, all human-recognizable alias addresses and real street addresses, and legacy IDs and passwords. It may include computer information such as device type, serial number, operating system and other software level. All the appropriate end user registration identification information is recorded in the Internet provider registration database and is mirrored in the national database. The table entry in the national database is given a bit value that includes the table location, a change level bit value and an approval listing value with known security risks.
  • A logical system/network connection goes to sleep when it is inactive for a period of time that is managed by both ends. To wake or
  • The devices exchange access codes. Both ends send a national database query to verify the table entry status of the other end. The query includes the table location and change level bit values. The remote database sends back a positive or negative match. If the table entry in the national database is at a different level than in the query, the updated table entry is sent to the end user. Any time an end user changes their identification information, the access security manager sends the change information to be mirrored at the Internet service provider database, and it is propagated to the other remote databases. Any time a site or user is identified as having a security risk by approved security analysts, they send updates to the national database. This use of remote databases that contain real end user data enables both communication partners to actually know real information about their communication partner. A failed access code match or a failed database query results in termination of the access code, and the logical system/network connection is closed.

f.
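The registration, sleep/wake and database-verification exchange described in the preceding bullets, as an added Python simulation written for this page (it is not code from the patent or its inventor). NationalDatabase, Endpoint, register and wake are this example's own names; the patent says the access code is encrypted and recorded at both ends, and this example substitutes an HMAC of the code under a device-local key for that storage, which is an assumption, as are the sample registration records.

```python
"""Added example: bidirectional access code, sleep/wake exchange and national
database (location, change level) verification. Names and the HMAC sealing
are this example's assumptions, not the patent's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DbEntry:
    """One national database table entry: location, change level, approval listing."""
    location: int
    change_level: int
    approved: bool
    info: dict


class NationalDatabase:
    """In-memory stand-in for the remote national database (constructed)."""

    def __init__(self) -> None:
        self.entries: dict[int, DbEntry] = {}

    def register(self, info: dict, approved: bool = True) -> DbEntry:
        """Mirror a registration record; the table location is its identifier."""
        location = len(self.entries) + 1
        entry = DbEntry(location, 1, approved, dict(info))
        self.entries[location] = entry
        return entry

    def update(self, location: int, info: dict) -> None:
        """An identification change is propagated here and bumps the change level."""
        entry = self.entries[location]
        entry.change_level += 1
        entry.info.update(info)

    def flag_risk(self, location: int) -> None:
        """Approved security analysts mark a site or user as a known risk."""
        self.entries[location].approved = False

    def query(self, location: int, change_level: int):
        """Answer a (location, level) query as (match, updated_entry_or_None)."""
        entry = self.entries.get(location)
        if entry is None or not entry.approved:
            return False, None          # negative match
        if entry.change_level != change_level:
            return True, entry          # positive match, but the querier's copy is stale
        return True, None


class Endpoint:
    """The access security manager at one end of the logical connection."""

    def __init__(self, name: str, db: NationalDatabase, info: dict) -> None:
        self.name = name
        self.db = db
        self.entry = db.register(info)
        self.device_key = secrets.token_bytes(32)   # never leaves the device
        self.peers: dict[str, dict] = {}            # peer name -> sealed code + cached entry

    def seal(self, code: bytes) -> bytes:
        """Store only an HMAC of the code under the device-local key (assumption
        standing in for the patent's 'encrypted' storage)."""
        return hmac.new(self.device_key, code, hashlib.sha256).digest()

    def record_peer(self, other: "Endpoint", code: bytes) -> None:
        self.peers[other.name] = {
            "sealed": self.seal(code),
            "location": other.entry.location,
            "level": other.entry.change_level,
        }

    def revoke(self, other_name: str) -> None:
        self.peers.pop(other_name, None)

    def device_changed(self) -> None:
        """Any change to an end device revokes its access codes."""
        self.peers.clear()


def register(a: Endpoint, b: Endpoint) -> bytes:
    """Bidirectional registration: a computer-created code recorded at both ends."""
    code = secrets.token_bytes(32)
    a.record_peer(b, code)
    b.record_peer(a, code)
    return code


def wake(a: Endpoint, b: Endpoint, presented_code: bytes) -> bool:
    """Wake a sleeping connection: both ends check the presented code, then each
    queries the database about the other; any failure terminates the code."""
    for me, other in ((a, b), (b, a)):
        rec = me.peers.get(other.name)
        if rec is None or not hmac.compare_digest(rec["sealed"], me.seal(presented_code)):
            a.revoke(b.name)
            b.revoke(a.name)
            return False
        match, updated = me.db.query(rec["location"], rec["level"])
        if not match:
            a.revoke(b.name)
            b.revoke(a.name)
            return False
        if updated is not None:
            rec["level"] = updated.change_level   # accept the updated table entry
    return True
```

A stale change level is treated as a positive match that carries an update, as the bullet above states, while a wrong code, an unknown or risk-flagged entry, or a changed device all terminate the code at both ends.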
  • The access security manager enables the user and the enterprise manager to control all computer access and change activity.
  • The access security manager is the user's local device database used to securely record and manage all their reusable information.
  • The user enters information once, then permits the computer to reuse and share the information.
  • The data includes but is not limited to name, physical address, phone numbers, online IDs and passwords, and financial information. Some of the information is required to register to use the open Internet.
  • The user controls the access security manager. If the user device is part of an enterprise, an administrator has access to and manages the user device access security manager. An enterprise manager may limit the applications or sites the device may access.
  • The user enters a password or PIN to gain access to the access security manager.
  • Face recognition and voice recognition are used in addition to fingerprints.
  • The hardware and software manufacturers of the device and code must configure the systems in such a way that 1) the user cannot alter the code, and 2) the access security manager function cannot be used or altered through a network connection. Once the user enters the reusable information, they permit the access security manager to approve use and sharing of the information.

g. Enterprise directory services database
  • The enterprise database is similar to the user device database. It is used to securely record and manage all the enterprise reusable
  • The enterprise administrator enters information once, then permits the computer to reuse and share the information.
  • The data includes but is not limited to company name, physical address, phone numbers, all enterprise users' names and online IDs, and a description of all applications in layman's terms. Some of the enterprise information is required to register with an Internet service provider to use the open Internet.
  • The remote national and international access security databases include detailed information about known, approved or disapproved sites, users and applications.
  • The detailed data includes but is not limited to: the individual or company owner identification, a layman's description of the application, and the real Internet Protocol bit address of the origin point of the site, application or user.
  • The database includes detailed information about the end users of the site, such as their real name and real IP bit address. It also includes the user's real name and physical address. It should also include a picture or screen shot of the user. Security analysts submit information about known risks from sites, applications and users.
  • The data in the international database is shadowed and fed from the national databases.
  • The information in the national databases is shadowed and fed from the Internet service providers' databases, or may be from the enterprise and user databases.
  • Data in the national database consists of all known reusable appropriate identification information about users or enterprises. Some of the data in the user's access security manager and in enterprise databases is sent to the national database. User and enterprise financial data is not sent to or stored in the national database.
  • The national and international databases are to be configured in such a way that they have a limited receive portion, a secure process portion and a limited transmit portion.
  • The receive and transmit portions communicate with the process portion, and through the network, with formatted data, so their operating code cannot be changed through the network.
  • The operating code can only be changed through a direct hardwired connection.
  • Access to the process portion of the system is to be in such a way that it can only be accessed through a hardwired device.
  • National and international databases are in highly secured federal government facilities. The manufacturers must configure the systems in such a way that some specified changes, including those addressed in this invention, can only be made through a direct hard-wired or paired connected device. There will be one master international database with shadow copies in other countries.

k. Alternate or second device access and use
  • A highly secure method of enabling use of an alternate device requires pairing and registering of the alternate device with each target site. To pair devices, the user must have been securely
  • The access security managers in both devices are set to pair.
  • The primary device displays a code that the user must enter into the alternate device.
  • The devices exchange confirmation, then the alternate device displays a code that is entered into the primary device.
  • The devices again exchange confirmation.
  • The IDs and appropriate system/network data for each target site are transferred to the alternate device.
  • The user must access each site individually from the alternate device to establish the bidirectional access for the alternate device.
  • The alternate device informs each individual site that it is an alternate device.
  • The sites send a code to the user's cell phone or other registered address.
  • The user enters the code in the alternate device.
  • The device sends the code to the site.
  • The site then establishes the device as a second device for the same user. All the same controls used to register the original device are used to register the paired second device.
  • Enterprise devices may only be paired and registered by an enterprise manager. A notice is sent to the original device owner's address when a device is paired.
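The pairing and per-site registration procedure in the bullets above, carried through as one added Python simulation (example code for this page, not the patent's or the inventor's). Device, Site, pair_devices and register_alternate are this example's names; the six-digit code format, the `transcribe` and `read_message` callables that stand in for the person reading a code off one screen and typing it into another, and the sample account data are all assumptions.

```python
"""Added example: mutual code pairing of a primary and an alternate device,
then registering the alternate with a site through an out-of-band code.
Names, code format and sample data are this example's assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field


def new_code() -> str:
    """A short code a person can read off one screen and type into another
    (six digits is this example's choice; the patent only says 'a code')."""
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class Device:
    name: str
    owner: str
    is_enterprise: bool = False
    pairing_mode: bool = False
    site_data: dict = field(default_factory=dict)   # site name -> ID and network data
    notices: list = field(default_factory=list)     # notices sent to the owner's address


@dataclass
class Site:
    name: str
    accounts: dict = field(default_factory=dict)    # owner -> {"address", "devices"}
    pending: dict = field(default_factory=dict)     # alternate device name -> code sent
    outbox: list = field(default_factory=list)      # (address, code) messages "sent"

    def register_primary(self, device: Device, address: str) -> None:
        self.accounts[device.owner] = {"address": address, "devices": {device.name}}

    def alternate_request(self, device: Device) -> bool:
        """The alternate device says it is an alternate; the site sends a code
        to the user's registered address (cell phone or other)."""
        acct = self.accounts.get(device.owner)
        if acct is None or device.name in acct["devices"]:
            return False
        code = new_code()
        self.pending[device.name] = code
        self.outbox.append((acct["address"], code))
        return True

    def confirm_alternate(self, device: Device, code: str) -> bool:
        """The device relays the code the user entered; on a match the site
        records it as a second device for the same user."""
        expected = self.pending.pop(device.name, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.accounts[device.owner]["devices"].add(device.name)
        return True


def pair_devices(primary: Device, alternate: Device, transcribe,
                 enterprise_manager: bool = False) -> bool:
    """Mutual code display and entry between the two devices; each direction
    is followed by a confirmation check. Only an enterprise manager may pair
    an enterprise device, and both managers must be set to pair."""
    if (primary.is_enterprise or alternate.is_enterprise) and not enterprise_manager:
        return False
    if not (primary.pairing_mode and alternate.pairing_mode):
        return False
    shown = new_code()                                      # primary displays a code
    if not hmac.compare_digest(shown, transcribe(shown)):   # entered into alternate
        return False
    shown = new_code()                                      # alternate displays a code
    if not hmac.compare_digest(shown, transcribe(shown)):   # entered into primary
        return False
    alternate.site_data = dict(primary.site_data)           # transfer IDs and network data
    primary.notices.append(f"paired with {alternate.name}")  # notice to the owner's address
    primary.pairing_mode = alternate.pairing_mode = False
    return True


def register_alternate(site: Site, alternate: Device, read_message) -> bool:
    """Per-site step for the alternate device. read_message(site, address)
    stands in for the user reading the code the site sent out of band."""
    if not site.alternate_request(alternate):
        return False
    address = site.accounts[alternate.owner]["address"]
    return site.confirm_alternate(alternate, read_message(site, address))
```

The device-to-device step never sends the codes over the network between the two devices: each is carried by the person, and a mistyped code aborts the pairing before any site data is copied. The site step reuses the site's existing registration controls, so a device that is already registered cannot be registered twice.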
  • Legacy ID and password management is simplified.
  • Both secure single logon and legacy logon require enhanced user-to-device identification. Both require the user to use progressively more detailed device logon steps.
  • Site access that does not require an ID or password is not affected. Any logon that does not require approval to spend money may be considered to be low security.
  • A simple PIN to identify the user to access the device may be acceptable for low security remote site logon.
  • Progressively more user-to-device identification is specified in the device-to-site communication requirements specified by either or both ends. Those conditions are recorded and used by the access security managers at both ends.
  • The user's device ID and password vault is used. It is an abridged single logon.
  • The access security manager may enter the ID and password, or the user may access the vault to see the ID and password for the site.
  • For the user to access the vault, the user must enter the proper level of device identification.
  • A low security vault view requires only a PIN entry.
  • ID and password management is somewhat manual for sites that do not have access security manager secure single logon.

m. REMOTE ACCESS USE

  • Conversational authorization among components and users requires separated human input into separated components. Then it requires the conversation between the separate computer components with additional human interaction and the remote database. This separation of users and authorization control components prevents a lone user from attacking a computer. It makes a coordinated attack difficult to complete.

o. Cookies replaced by secure cookies
  • Cookies in their existing form are not permitted through the access security manager. Cookies are replaced with secure cookies, aka scookies.
  • When a session is beginning, a contract or binding agreement command with the rules of the session is shared. The server or application session contract requirements are explained to the client or end user in layman's terms.
  • The requesting server, site or application cannot make any changes to the receiving client or end user devices.
  • The receiving client's or user's access security manager makes all user-approved changes to the user device.
  • The user may approve individual scookies requests or approve scookies from specified sites.
  • The access security manager records information in a secure activity use area for each application. The user may click to permit their access security manager to update specific scookies recording requests without showing the approval screen.
  • An enterprise administrator manager controls scookies on users' devices.
  • The administrator may require the user to approve scookies, or may permit the device access security manager to update specific server scookies requests without showing the approval screen to the user.
  • The user access security manager retains a record or report of all scookies requests on the enterprise database.
  • A site or application requests scookies information from a client or user device.
  • The user's access security manager displays the request to the user.
  • The user may approve and say to always allow scookies information to be sent to that site.
  • The user may display and manage all actual scookies data.
  • The user may delete scookies by site or in total.

p. Electronic credit card
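The scookie handling in the bullets above, as an added Python example written for this page (not the patent's or the inventor's code): the requesting server never writes to the device, the access security manager applies the user's per-request or per-site approvals and the enterprise administrator's overrides, records every request in an activity area, and lets the user delete scookies by site or in total. ScookiePolicy, AccessSecurityManager, the request dictionary shape and the sample sites are this example's assumptions.

```python
"""Added example: scookie request gating by the access security manager.
Policy structure, request shape and sample sites are this example's assumptions."""
from dataclasses import dataclass, field


@dataclass
class ScookiePolicy:
    """Rules the access security manager applies to scookie requests
    (the structure is this example's; the patent names only the behaviours)."""
    auto_store_sites: set = field(default_factory=set)   # update without the approval screen
    auto_send_sites: set = field(default_factory=set)    # "always allow" data sent to site
    enterprise_managed: bool = False
    enterprise_require_approval: bool = False            # admin insists on the approval screen
    enterprise_blocked_sites: set = field(default_factory=set)


class AccessSecurityManager:
    """Only this component changes the device; the requesting server never does."""

    def __init__(self, policy: ScookiePolicy, approval_screen) -> None:
        self.policy = policy
        self.approval_screen = approval_screen   # callable(request) -> bool: the user's click
        self.store: dict = {}                    # site -> scookie data held on the device
        self.activity: list = []                 # secure activity use area: every request

    def _decide(self, request: dict):
        """Return (allowed, how): enterprise block, per-site auto approval, or the user."""
        site, kind = request["site"], request["kind"]
        p = self.policy
        if site in p.enterprise_blocked_sites:
            return False, "enterprise-blocked"
        auto_sites = p.auto_store_sites if kind == "store" else p.auto_send_sites
        if site in auto_sites and not (p.enterprise_managed and p.enterprise_require_approval):
            return True, "auto"
        return bool(self.approval_screen(request)), "user"

    def handle(self, request: dict):
        """request = {"site", "kind": "store" | "read", "contract": layman text[, "data"]}.
        Returns (allowed, data); data is what would be sent back for an allowed read."""
        if request["kind"] not in ("store", "read"):
            raise ValueError("unknown scookie request kind")
        allowed, how = self._decide(request)
        self.activity.append((request["site"], request["kind"], allowed, how))
        if not allowed:
            return False, None
        if request["kind"] == "store":
            self.store.setdefault(request["site"], {}).update(request["data"])
            return True, None
        return True, dict(self.store.get(request["site"], {}))

    def delete(self, site=None) -> None:
        """The user may delete scookies by site or in total."""
        if site is None:
            self.store.clear()
        else:
            self.store.pop(site, None)
```

The `contract` field carries the session rules the server must explain in layman's terms; it is what the approval screen shows, and every decision, including the automatic ones, lands in `activity`, which an enterprise deployment would mirror to its database.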
  • Electronic credit card and other appropriate financial information that is used over and over may be recorded in a separate portion of the access security manager.
  • The application owner presents a formatted screen to the access security manager.
  • The access security manager displays information that the user clicks to have entered in the formatted screen.
  • The access security manager vault may be used to record any and all reusable user information. Anything that the user knows and wants to record and reuse may be recorded, shared or otherwise managed by the user and their computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a control system for securely preventing, authorizing or managing access by any human and machine, or computer and software, to system/network components, by means of a conversational-mode human/computer-to-computer exchange of information from human sources and of pre-recorded database information, which securely prevents unauthorized control or changes, made by a human or by software, to online computers belonging to a system/network, going beyond any existing computer security.
PCT/US2017/012190 2017-01-04 2017-01-04 Enhanced online computer access cybersecurity system Ceased WO2018128605A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2017/012190 WO2018128605A1 (fr) 2017-01-04 2017-01-04 Enhanced online computer access cybersecurity system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2017/012190 WO2018128605A1 (fr) 2017-01-04 2017-01-04 Enhanced online computer access cybersecurity system

Publications (1)

Publication Number Publication Date
WO2018128605A1 true WO2018128605A1 (fr) 2018-07-12

Family

ID=62791191

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2017/012190 Ceased WO2018128605A1 (fr) 2017-01-04 2017-01-04 Enhanced online computer access cybersecurity system

Country Status (1)

Country Link
WO (1) WO2018128605A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030079132A1 (en) * 2001-02-23 2003-04-24 International Business Machines Corporation Computer functional architecture and a locked down environment in a client-server architecture
US6799198B1 (en) * 2000-06-23 2004-09-28 Nortel Networks Limited Method and apparatus for providing user specific web-based help in a distributed system environment
US20070010266A1 (en) * 2005-07-08 2007-01-11 Soleo Communications, Inc. System and method for providing interactive wireless data and voice based services
US20100011127A1 (en) * 1999-06-11 2010-01-14 Invensys Systems, Inc. Methods and apparatus for control using control devices that provide a virtual machine environment and that communicate via an ip network
US20120203677A1 (en) * 2009-01-28 2012-08-09 Raleigh Gregory G Network Tools for Analysis, Design, Testing, and Production of Services
US8713641B1 (en) * 1998-12-08 2014-04-29 Nomadix, Inc. Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114928620A (zh) * 2022-05-31 2022-08-19 曙光信息产业股份有限公司 User information synchronization method, apparatus, device, storage medium and program product
CN114928620B (zh) * 2022-05-31 2024-03-12 曙光信息产业股份有限公司 User information synchronization method, apparatus, device, storage medium and program product

Similar Documents

Publication Publication Date Title
US20210326426A1 (en) System and Method for Identity Management
US20210344662A1 (en) System and Method for Identity Management
US20200119904A1 (en) Tamper-proof privileged user access system logs
US9876803B2 (en) System and method for identity management
JP5231665B2 (ja) System, method and computer program product for enabling access to enterprise resources using a biometric device
EP3938941B1 (fr) User choice in data location and policy adherence
US7251831B2 (en) Method and system for architecting a secure solution
US20050171872A1 (en) Techniques for establishing and managing a distributed credential store
CN111316303A (zh) System and method for blockchain-based cross-entity authentication
CN111213147A (zh) System and method for blockchain-based cross-entity authentication
US20040088560A1 (en) Secure system access
JP2008524751A (ja) Consumer Internet authentication service
CN104718526A (zh) Secure mobile framework
KR102190192B1 (ko) Method, system and application for providing an open authentication brokerage service in an open banking environment
US10963582B1 (en) Apparatus and method for enabling owner authorized monitored stewardship over protected data in computing devices
US10949503B1 (en) Systems and methods for secure online repositories
CN1601954B (zh) Moving principals across security boundaries without service interruption
US20050055556A1 (en) Policy enforcement
US20200210611A1 (en) Hardware safe for protecting sensitive data with controlled external access
WO2018128605A1 (fr) Enhanced online computer access cybersecurity system
US11558338B1 (en) System and method for securing information provided via a social network application
Rao et al. Access controls
Armoni Data security management in distributed computer systems
US20240020355A1 (en) Non-fungible token authentication
Jensen et al. Policy expression and enforcement for handheld devices

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17890748; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 17890748; Country of ref document: EP; Kind code of ref document: A1