Patents by Inventor George Robert Blakley

George Robert Blakley has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20040128541
    Abstract: A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: George Robert Blakley, Heather Maria Hinton, Anthony Joseph Nadalin
  • Publication number: 20040128546
    Abstract: A system is presented for facilitating management of user attribute information at one or more attribute information providers (AIPs), which can manage the user's attribute information in accordance with user-selected or administratively-determined options, including options that are stored in attribute release policies and/or dynamically determined during a transaction. E-commerce service providers (ECSPs), such as online banks or merchants, may maintain a trust relationship with an AIP such that the ECSP can trust the user attribute information that is provided by the AIP on behalf of the user. The user can complete transactions that require user attribute information at any ECSP without having to have previously established a relationship with that particular ECSP. If the ECSP does not have a trust relationship with one of the user's AIPs, then the ECSP can rely upon a trust proxy to interpret and validate an attribute assertion that is received from an AIP.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: George Robert Blakley, Heather Maria Hinton, Anthony Joseph Nadalin, Birgit Monika Pfitzmann
  • Publication number: 20040128392
    Abstract: A method, apparatus, system, and computer program product are presented in which federated domains interact within a federated environment. Domains within a federation are able to initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. To enhance security, domains may also require users to re-prove their identity through proof-of-possession challenges that are executed after a user has initiated a single-sign-on operation.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: George Robert Blakley, Heather Maria Hinton
  • Publication number: 20040128390
    Abstract: A computer system is presented for facilitating storage and retrieval of user attribute information within a federated environment at entities that manage such information as a service. Through enrollment processes, certain domains inform online service providers of identities of attribute information providers that may be used to retrieve user attribute information for a particular user. When performing a user-specific operation with respect to a requested resource, e.g., for personalizing documents using user attribute information or for determining user access privileges for the resource, an e-commerce service provider requires user attribute information, which is retrieved from an attribute information provider that has been previously specified through an enrollment operation. The e-commerce service provider may store the identity of the user's attribute information providers in a persistent token, e.g., an HTTP cookie, that is available when the user sends a request for access to a resource.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: George Robert Blakley, Heather Maria Hinton, Anthony Joseph Nadalin, Birgit Monika Pfitzmann
  • Publication number: 20030115267
    Abstract: An Internet user transfers directly to a domain within an e-community without returning to a home domain or re-authenticating. The user's home domain server prepares and forwards a home domain identity cookie (DIDC) with an enrollment request to the user's browser, with the enrollment request being redirected to an affiliated domain server in the e-community. The affiliated domain server prepares and sends an affiliated DIDC with an enrollment confirmation to the user's browser, redirecting the enrollment confirmation to the home domain server. The home domain server modifies the home DIDC to include a symbol which indicates successful enrollment at the affiliated site. The process may be repeated for a plurality of affiliated domains to achieve automatic enrollment in a portion of or an entire e-community.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Applicant: International Business Machines Corporation
    Inventors: Heather Maria Hinton, George Robert Blakley, Greg Clark
  • Publication number: 20030072442
    Abstract: A method, software, and device for encrypting data, exchanging keys, and processing data that includes exponentiating by iteratively cisponentiating according to cisponentiator C(G, E, B, R, m) = G^E · B · R mod m, wherein G is a fleeting multiplicand base, E is an enduring cisponent, B is a recurring multiplier, R is an enduring factor, and m is a persistent modulus. E may be a fixed characteristic of the cisponentiator. E may also be a power of 2. R may be fixed. In one of many possible combinations, E is a fixed characteristic of the cisponentiator, while R is fixed. In that case also, E may be a power of 2. Modulus m may be fixed. In one of many possible combinations, E is a fixed characteristic of the cisponentiator, R is fixed, and m is fixed. As one of many alternatives, data may be encrypted using asymmetric encryption.
    Type: Application
    Filed: September 30, 2002
    Publication date: April 17, 2003
    Inventors: George Robert Blakley, Rajat Datta, Oscar R. Mitchell, Kyle Stein
  • Publication number: 20030044004
    Abstract: A data encryption method performed with ring arithmetic operations using a residue number multiplication process wherein a first conversion to a first basis is done using a mixed radix system and a second conversion to a second basis is done using a mixed radix system. In some embodiments, a modulus C is chosen of the form 2^w − L, wherein C is a w-bit number and L is a low Hamming weight odd integer less than 2^((w−1)/2). And in some of those embodiments, the residue mod C is calculated via several steps. P is split into two w-bit words H1 and L1. S1 is calculated as equal to L1 + (H1·2^x1) + (H1·2^x2) + . . . + (H1·2^xk) + H1. S1 is split into two w-bit words H2 and L2. S2 is computed as being equal to L2 + (H2·2^x1) + (H2·2^x2) + . . . + (H2·2^xk) + H2. S3 is computed as being equal to S2 + (2^x1 + . . . + 2^xk + 1). And the residue is determined by comparing S3 to 2^w. If S3 < 2^w, then the residue equals S2. If S3 > 2^w, then the residue equals S3 − 2^w.
    Type: Application
    Filed: February 5, 2002
    Publication date: March 6, 2003
    Inventors: George Robert Blakley, Rajat Datta, Oscar Mitchell, Kyle Stein
  • Patent number: 6253251
    Abstract: A system, method and article of manufacture for integrating object security service authorization in a distributed computing environment, includes one or more processors, a storage system, a system bus, a display sub-system controlling a display device, a cursor control device, an I/O controller for controlling I/O devices, all connected by the system bus, an operating system such as the OS/2* operating system program (OS/2 is a registered trademark of International Business Machines Corporation), one or more application programs for executing user tasks and an object oriented control program, such as the DSOM Objects program, which is a commercially available product of International Business Machines Corporation, the object oriented control program including mapping a set of methods defined by a given class to a finite and a fixed set of access rights from which a method required access rights set is assigned, and selecting the access rights set by examining two components, first, a family right type and, second, a
    Type: Grant
    Filed: January 3, 1996
    Date of Patent: June 26, 2001
    Assignee: International Business Machines Corp.
    Inventors: Messaoud Benantar, George Robert Blakley, III, Anthony Joseph Nadalin
  • Patent number: 6067623
    Abstract: A system and method for controlling client access to enterprise resources through a middle tier server. Enterprise resource authorizations are maintained in a middle tier server. Users authenticate with the server causing it to map and transform the client access authorization into enterprise resource credentials. Enterprise resources are accessed after authorizing using the transformed credentials.
    Type: Grant
    Filed: November 21, 1997
    Date of Patent: May 23, 2000
    Assignee: International Business Machines Corp.
    Inventors: George Robert Blakley, III, Richard Jay Cohen, Ivan Matthew Milman
  • Patent number: 5862323
    Abstract: A network system server that provides password synchronization between a main data store and a plurality of secondary data stores is disclosed. The network system server includes a security server, which is coupled to the main data store, a plurality of clients, which are coupled to the security server for accessing the main data store wherein each client maintains a unique, modifiable password, a password synchronization server, which is coupled to the security server and the plurality of secondary data stores, and a password repository, which is coupled to the password synchronization server, that stores the passwords. One of the secondary data stores can retrieve the passwords via the password synchronization server so that each client is able to maintain a single, unique password among the plurality of secondary data stores. Password retrieval is instigated by at least one of the plurality of secondary data stores regardless of the current password status of the secondary data stores.
    Type: Grant
    Filed: November 13, 1995
    Date of Patent: January 19, 1999
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Ivan Matthew Milman, Wayne Dube Sigler
  • Patent number: 5832211
    Abstract: A network system server that provides password synchronization between a main data store and a plurality of secondary data stores is disclosed. The network server further includes a security server, which is coupled to the main data store, a plurality of clients, coupled to the security server for accessing the main data store wherein each client maintains a unique, modifiable password, and a password synchronization server, coupled to the security server and the plurality of secondary data stores, that provides password propagation synchronization to each of the secondary data stores from a user associated with one of the plurality of clients so that the user is able to maintain a single, unique password among the plurality of secondary data stores. The password propagation is imposed on the plurality of secondary data stores regardless of the current password status of the secondary data stores.
    Type: Grant
    Filed: November 13, 1995
    Date of Patent: November 3, 1998
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Ivan Matthew Milman, Wayne Dube Sigler
  • Patent number: 5802276
    Abstract: A system, method and article of manufacture for improving object security in distributed object systems, in an information handling system employing object oriented technology, includes one or more workstations, each workstation having one or more processors, a memory system, an input/output subsystem which may include one or more input/output controllers, each controlling one or more input/output devices, such as communications devices, cursor control devices, keyboards, and display devices, an operating system program such as the OS/2 multi-tasking operating system (OS/2 is a registered trademark of International Business Machines Corporation), and an object oriented control program such as the Distributed System Object Method (DSOM) program available from International Business Machines Corporation, wherein the object oriented control program includes a vault object containing security credentials for objects in the distributed system.
    Type: Grant
    Filed: January 3, 1996
    Date of Patent: September 1, 1998
    Assignee: International Business Machines Corporation
    Inventors: Messaoud Benantar, George Robert Blakley, III, Anthony Joseph Nadalin
  • Patent number: 5787427
    Abstract: A system, method and article of manufacture, for improving object security in an object oriented system, includes one or more processors, a memory system, one or more I/O controllers, each controlling one or more I/O devices, a bus connecting the processors, the memory system and the I/O controllers, an operating system controlling operation of the processors, the memory system and the I/O controllers, and an object oriented control means which includes means for grouping objects which share common access control policies, where an access control list becomes associated with each object group and the policy applicable to the members of the group. An object may be part of multiple groups, and based upon an environment's policy, granting access to the object may be based on a single default object group or on the access granted by the union of all of its object groups.
    Type: Grant
    Filed: January 3, 1996
    Date of Patent: July 28, 1998
    Assignee: International Business Machines Corporation
    Inventors: Messaoud Benantar, George Robert Blakley, III, Anthony Joseph Nadalin
  • Patent number: 5765153
    Abstract: A system, method and article of manufacture, for improving object security in distributed object systems, in an information handling system employing object oriented technology, includes one or more processors, a storage system, a system bus, a display sub-system controlling a display device, a cursor control device, an I/O controller for controlling I/O devices, all connected by the system bus, an operating system such as the OS/2* operating system program (OS/2 is a registered trademark of International Business Machines Corporation), one or more application programs for executing user tasks and an object oriented control program, such as the DSOM Objects program, which is a commercially available product of International Business Machines Corporation, the object oriented control program including a system authorization policy (SAP) object, a system authorization oracle (SAO) object, and a system registration object (SRO). The SAP object encapsulates management of a resource authorization policy.
    Type: Grant
    Filed: January 3, 1996
    Date of Patent: June 9, 1998
    Assignee: International Business Machines Corporation
    Inventors: Messaoud Benantar, George Robert Blakley, III, Anthony Joseph Nadalin