Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.

Abstract: Messages, including messages in conformance with various protocols, can be hashed and the hash values added to an event log and provided to a Trusted Platform Module (TPM), which can extend one or more Platform Configuration Registers (PCRs) with the hash value, much as it would with the hash of a component that was installed or executed on the computing device with the TPM. Subsequently, the TPM can sign one or more of the PCRs and the signed PCRs can be transmitted, together with the event log and a copy of the messages. The recipient can verify the sender based on the signed PCRs, can confirm that the signed PCRs match the event log, and can verify the hash of the message in the event log by independently hashing it. In another embodiment, an intermediate hashing of the message can avoid transmission of potentially malicious executable instructions within a message.

Abstract: Computer-executable instructions can implement a software-based Trusted Platform Module (TPM) that can have more computational power than the hardware TPM. The software TPM can be protected from modification, or other unauthorized access, via a memory partitioning scheme that enables other computer-executable instructions to access the software TPM in a predefined manner, but yet prohibits other access. A tri-partied partitioning scheme can be used wherein the computer executable instructions of the software TPM reside in a first region, a jump table to appropriate ones of those instructions resides in a second region, and everything else resides in the third region. The storage key of the software TPM can be sealed by the hardware TPM to be released only if the software TPM, and the computing device, are in a known good state, as determined by the Platform Configuration Registers of the hardware TPM, thereby further protecting the software TPM from tampering.

Abstract: Data stored on a storage medium can be referenced by multiple independently addressable active symbolic links, with each active symbolic link representing the data through a different transformation. The active symbolic links can be in the form of file system objects, such as files or directories. A single active symbolic link can reference the data stored in multiple collections, or, conversely, a subset of data from a single collection. Active symbolic links can be automatically created for common data transformations. Searching across active symbolic links referencing encrypted data can be performed by multiple protection-specific search engines, or a single search engine that can generate a protection-level aware search index.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.

Abstract: Messages, including messages in conformance with various protocols, can be hashed and the hash values added to an event log and provided to a Trusted Platform Module (TPM), which can extend one or more Platform Configuration Registers (PCRs) with the hash value, much as it would with the hash of a component that was installed or executed on the computing device with the TPM. Subsequently, the TPM can sign one or more of the PCRs and the signed PCRs can be transmitted, together with the event log and a copy of the messages. The recipient can verify the sender based on the signed PCRs, can confirm that the signed PCRs match the event log, and can verify the hash of the message in the event log by independently hashing it. In another embodiment, an intermediate hashing of the message can avoid transmission of potentially malicious executable instructions within a message.

Abstract: Computer-executable instructions can implement a software-based Trusted Platform Module (TPM) that can have more computational power than the hardware TPM. The software TPM can be protected from modification, or other unauthorized access, via a memory partitioning scheme that enables other computer-executable instructions to access the software TPM in a predefined manner, but yet prohibits other access. A tri-partied partitioning scheme can be used wherein the computer executable instructions of the software TPM reside in a first region, a jump table to appropriate ones of those instructions resides in a second region, and everything else resides in the third region. The storage key of the software TPM can be sealed by the hardware TPM to be released only if the software TPM, and the computing device, are in a known good state, as determined by the Platform Configuration Registers of the hardware TPM, thereby further protecting the software TPM from tampering.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.

Abstract: The subject disclosure pertains to systems and methods that facilitate entity-based for access management. Typically, access to one or more resources is managed based upon identifiers assigned to entities. Groups of identifiers can be assigned to access rights. An authority component can manage an exclusion group that excludes an entity, regardless of the identifier utilized by the entity. Access control components can utilize exclusion groups in access policies to define access rights to a resource.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.