Patents by Inventor Ching-Yun Chao
Ching-Yun Chao has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 7908492Abstract: A data processing method accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.Type: GrantFiled: May 12, 2008Date of Patent: March 15, 2011Assignee: International Business Machines CorporationInventors: Steven A. Bade, Ching-Yun Chao
-
Patent number: 7870234Abstract: A cluster system is treated as a set of resource groups, each resource group including a highly available application and the resources upon which it depends. A resource group may have between 2 and M data processing systems, where M is small relative to the cluster size N of the total cluster. Configuration and status information for the resource group is fully replicated only on those data processing systems which are members of the resource group. A configuration object/database record for the resource group has an associated owner list identifying the data processing systems which are members of the resource group and which may therefore manage the application.Type: GrantFiled: June 13, 2008Date of Patent: January 11, 2011Assignee: International Business Machines CorporationInventors: James W. Arendt, Ching-Yun Chao, Rodolfo Ausgusto Mancisidor
-
Patent number: 7870235Abstract: A cluster system is treated as a set of resource groups, each resource group including a highly available application and the resources upon which it depends. A resource group may have between 2 and M data processing systems, where M is small relative to the cluster size N of the total cluster. Configuration and status information for the resource group is fully replicated only on those data processing systems which are members of the resource group. A configuration object/database record for the resource group has an associated owner list identifying the data processing systems which are members of the resource group and which may therefore manage the application.Type: GrantFiled: June 13, 2008Date of Patent: January 11, 2011Assignee: International Business Machines CorporationInventors: James W. Arendt, Ching-Yun Chao, Rodolfo Ausgusto Mancisidor
-
Patent number: 7849326Abstract: A data processing system accepts a removable hardware device, which becomes electrically engaged with a system unit within the data processing system, after which the removable hardware device and the hardware security unit mutually authenticate themselves. The removable hardware device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable hardware device. In response to successfully performing the mutual authentication operation between the removable hardware device and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable hardware device remains electrically engaged with the system unit.Type: GrantFiled: January 8, 2004Date of Patent: December 7, 2010Assignee: International Business Machines CorporationInventor: Ching-Yun Chao
-
Patent number: 7822206Abstract: Systems, methods and media for managing and generating encryption keys are disclosed. In one embodiment, a processor executes encryption key processing computer code to receive requests for keys from an application program. The processor determines whether the requesting application program executes on a node or server that is within the scope of machines authorized to receive the requested keys. If authorized, the processor produces a key map and sends the key map to the application program, enabling the application program to access one or more keys in the key map. The keys are updated automatically according to a specifiable schedule.Type: GrantFiled: October 26, 2006Date of Patent: October 26, 2010Assignee: International Business Machines CorporationInventors: Peter D. Birk, Keys D. Botzum, Ching-Yun Chao, Hyen V. Chung, Alaine DeMyers, Ut Van Lee, James L. Lentz, Mickella A. Rosiles
-
Patent number: 7810132Abstract: Objects on application servers are distributed to one or more application servers; a user is allowed to declare in a list which objects residing on each application server are to be protected; the list is read by an interceptor; responsive to exportation of a Common Object Request Broker Architecture (“CORBA”) compliant Interoperable Object Reference (“IOR”) for a listed object, the interceptor associates one or more application server security flags with interfaces to the listed objects by tagging components of the IOR with one or more security flags; and one or more security operations are performed by an application server according to the security flags tagged to the IOR when a client accesses an application server-stored object, the security operations including an operation besides establishing secure communications between the client process and the server-stored object.Type: GrantFiled: May 20, 2008Date of Patent: October 5, 2010Assignee: International Business Machines CorporationInventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung, Carlton Keith Mason, Ajaykumar Karkala Reddy, Vishwanath Venkataramappa
-
Patent number: 7765585Abstract: Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.Type: GrantFiled: April 17, 2008Date of Patent: July 27, 2010Assignee: International Business Machines CorporationInventors: Ching-Yun Chao, Hyen Vui Chung, Ajay Reddy, Vishwanath Venkataramappa
-
Patent number: 7756830Abstract: A method and apparatus for providing a recent set of replicas for a cluster data resource within a cluster having a plurality of nodes. Each of the nodes having a group services client with membership and voting services. The method of the present invention concerns broadcasting a data resource open request to the nodes of the cluster, determining a recent replica of the cluster data resource among the nodes, and distributing the recent replica to the nodes of the cluster. The apparatus of the present invention is for providing a recent set of replicas for a cluster data resource. The apparatus has a cluster having a plurality of nodes in a peer relationship, each node has an electronic memory for storing a local replica of the cluster data resource. A group services client, which is executable by each node of the cluster, has cluster broadcasting and cluster voting capability.Type: GrantFiled: March 31, 1999Date of Patent: July 13, 2010Assignee: International Business Machines CorporationInventors: Ching-Yun Chao, Roger Eldred Hough, Rodolfo Augusto Mancisidor-Landa, Javashree Ramanathan, Amal Ahmed Shaheen
-
Patent number: 7752452Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user includes not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code. This invention stores the user credentials in a distributed cache and provides a system and method to compute the unique key based on the dynamic security credentials for cache lookup.Type: GrantFiled: February 2, 2009Date of Patent: July 6, 2010Assignee: International Business Machines CorporationInventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
-
Patent number: 7734918Abstract: A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object.Type: GrantFiled: January 17, 2008Date of Patent: June 8, 2010Assignee: International Business Machines CorporationInventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
-
Patent number: 7711951Abstract: A mechanism is provided for securing cryptographic functionality within a host system such that it may only be used when a system administrator physically allows it via a hardware security token. In addition, a hardware security unit is integrated into a data processing system, and the hardware security unit acts as a hardware certificate authority. The hardware security unit may be viewed as supporting a trust hierarchy or trust framework within a distributed data processing system. The hardware security unit can sign software that is installed on the machine that contains the hardware security unit. Server processes that use the signed software that is run on the machine can establish mutual trust relationships with the hardware security unit and amongst the other server processes based on their common trust of the hardware security unit.Type: GrantFiled: January 8, 2004Date of Patent: May 4, 2010Assignee: International Business Machines CorporationInventor: Ching-Yun Chao
-
Patent number: 7676831Abstract: Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control management for a collection of heterogeneous application components. In a first embodiment, a data processing system for role-based access control management for multiple heterogeneous application components can include at least one business role descriptor associating a business role with multiple, different application roles for corresponding, disparate application components. The system also can include at least one access policy associating a user with the business role. Finally, the system can include policy deployment logic include program code enabled to process the access policy to assign the user to the different application roles in the disparate application components.Type: GrantFiled: September 8, 2005Date of Patent: March 9, 2010Assignee: International Business Machines CorporationInventors: Kathryn H. Britton, Dieter Buehler, Ching-Yun Chao, Timothy J. Hahn, Anthony J. Nadalin, Nataraj Nagaratnam, Yi-Hsiu Wei, ChunHui Yang
-
Patent number: 7661111Abstract: A method for assuring event record integrity including registering at least one callback function, the callback function being associated with a first callback function identifier, receiving an event having a second callback function identifier, identifying the callback function based on matching the second callback function identifier to the first callback function identifier, and calling the identified registered callback function to validate authenticity of the event.Type: GrantFiled: October 13, 2005Date of Patent: February 9, 2010Assignee: Inernational Business Machines CorporationInventor: Ching-Yun Chao
-
Publication number: 20090327763Abstract: A data processing method accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.Type: ApplicationFiled: May 12, 2008Publication date: December 31, 2009Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Steven A. Bade, Ching-Yun Chao
-
Publication number: 20090313470Abstract: A first data processing system, which includes a first cryptographic device, is communicatively coupled with a second data processing system, which includes a second cryptographic device. The cryptographic devices then mutually authenticate themselves. The first cryptographic device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the second data processing system. The second cryptographic device stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the first data processing system.Type: ApplicationFiled: January 5, 2009Publication date: December 17, 2009Applicant: International Business Machines CorporationInventors: Steven A. Bade, Ching-Yun Chao
-
Patent number: 7634803Abstract: An extensible token framework is provided for identifying purpose and behavior of run time security objects. The framework includes a set of marker token interfaces, which extends from a default token interface. A service provider may implement one or more marker token interfaces for a Subject or a thread of execution. A service provider may also implement its own custom marker tokens to perform custom operations. The security infrastructure runtime recognizes behavior and purpose of run time security objects based on the marker or custom marker token interfaces the token implements and handles the security objects accordingly.Type: GrantFiled: June 30, 2004Date of Patent: December 15, 2009Assignee: International Business Machines CorporationInventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
-
Publication number: 20090138951Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user includes not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code.Type: ApplicationFiled: February 2, 2009Publication date: May 28, 2009Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
-
Patent number: 7526798Abstract: Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.Type: GrantFiled: October 31, 2002Date of Patent: April 28, 2009Assignee: International Business Machines CorporationInventors: Ching-Yun Chao, Hyen Vui Chung, Ajay Reddy, Vishwanath Venkataramappa
-
Patent number: 7526799Abstract: A method for tracking security attributes along invocation chain using secure propagation token. When a user is authenticated, a propagation token is created. The propagation token includes a caller list, a host list, and custom attributes. The propagation token may be propagated downstream along with other marker tokens. A service provider may associate custom attributes in the propagation token or create custom propagation token to be propagated. The propagation token tracks the original caller and subsequent callers when user switches occur and a list of hosts at which the propagation token lands on.Type: GrantFiled: June 30, 2004Date of Patent: April 28, 2009Assignee: International Business Machines CorporationInventors: Peter Daniel Birk, Keys Dylan Botzum, Ching Yun Chao, Hyen-Vui Chung
-
Patent number: 7487361Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user includes not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code.Type: GrantFiled: June 30, 2004Date of Patent: February 3, 2009Assignee: International Business Machines CorporationInventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung