RussianPatents.com
Method for controlling protected communication line in dynamic networks (Russian patent RU 2297037)
FIELD: technology for improving lines for transferring audio/video signals and data in dynamic networks and computer environments and, in particular, setting up communication lines with encryption and protection means and controlling them in such an environment. SUBSTANCE: the invention discloses a method for setting up protected communication lines for transferring data and controlling them by means of exchanging keys for protection, authentication and authorization. The method includes setup of a protected communication line with limited privileges using the identifier of the mobile computing unit. This is especially advantageous when the user of the mobile unit has no information that identifies the user and is fit for authentication. A further advantage of the user supplying default identifying information is that it triggers intervention by the system administrator instead of a refusal based on an empty string. This decentralized procedure allows new users to access the network without having to be physically present in a central office to show their credentials. EFFECT: simplified setup of dynamic protected lines of communication between a client computer and a server device. 6 cl, 10 dwg
Technical field. This invention relates generally to improvements in the transmission of audio/video signals and data in dynamic networks and computing environments and, in particular, to establishing lines of communication with encryption and protection and managing them in such environments. Prior art. The phenomenal growth of networked e-commerce has led to the emergence of numerous applications, including hosting (hosting services for information), transaction processing and the management of remote communication lines and networks. These applications allow users to interact with each other in the course of business operations or to track useful information over secure communications. Secure communication lines, or connections that ensure secure access to computing resources, typically use one or more of three operations: authentication, authorization and accounting (AAA). Thus the concept of security includes the ability to authenticate a party and/or to encrypt a transmission in order to avoid eavesdropping by unintended recipients or third parties. A secure network is formed by transmission over secure communication lines. It should be understood, however, that there are several levels of authentication and encryption that fall within the scope of the invention. Plain transfer of text without authentication is an insecure transmission, while the decision as to whether a transmission is secure uses a threshold determined by the situation. With regard to trading operations it is important to authenticate the user, then to authorize the authenticated user to access resources, and to account for the use of those resources. With the advent of "user roaming", made possible by the development of mobile computing systems and, in particular, wireless communication lines, the AAA task has taken on particular importance. In this regard, security protocols are necessary to provide wireless communication lines and decentralized operations.
When implementing network access to a personal area network (PAN), a local area network (LAN) or a wide area network (WAN), a significant delay may be encountered. However, given the short-lived nature of interactions with mobile computing units, connections with low packet latency are necessary to ensure acceptable working conditions in the network. In particular, users should be able to quickly establish connections over secure lines of communication, regardless of whether the access point is in the intranet or on an external, dynamically established line of communication. New users or new employees should be able to obtain at least limited privileges to use the protected network. Many problems, including those above, remain in the implementation of protected lines that are subject to enhanced network access control and encryption/authentication schemes or a flexible conference topology. These are new problems in the field of network server systems supporting wireless networks. Summary of the invention. The present invention aims to solve these problems and to facilitate the creation, in a computer network, of dynamic secure communications between a client computer and a server device during secure communication over a wide range of network communication lines. In particular, protocols are described for client computers that support the exchange of information needed to establish a secure connection. In addition, the methods and systems according to the present invention include a key exchange protocol for a computing environment with a wireless connection. The key exchange is carried out by a suitable choice of the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS). The description considers how to set up protected data/audio/video channels and how to manage them through the exchange of security keys, authentication and authorization. The method provides for running TLS within EAP.
One embodiment of the invention provides that the machine establishes a secure connection with limited privileges if the user of the machine does not provide sufficient information identifying the user. This method allows flexible management of a network containing machines and network links with differing security capabilities and exposure. In addition, when the user is unable to provide authentication information identifying the user, the machine starts the logon process, which relaxes the requirements of the usual logon process and ensures a basic level of access when it is needed. Another embodiment provides that a user who connects to a secure network over an insecure line of communication receives, after authentication, only limited access to the protected network. A user logged on over an insecure communication line receives a more limited set of privileges than if the user had logged on through a secure line of communication. According to a further embodiment, the machine establishes a secure communication line without any user logon. Therefore the network can also contain specialized servers on which no user is required to log on, and a user logon does not disturb the machine's protected access. Additional characteristics and advantages of the invention will be made clear by the following detailed description of illustrative embodiments, given with reference to the accompanying drawings.
Brief description of the drawings. Although the features of the present invention are set out in detail in the attached claims, the invention, its objectives and its advantages are best understood from the following detailed description in conjunction with the attached drawings, in which: figure 1 is a generalized block diagram of an illustrative computer system to which the present invention applies; figure 2 is a diagram of a conventional computing environment in which an embodiment of the invention is applied; figure 3 is a diagram of another computing environment that uses a wireless communication link between an access point on a secure network and a mobile computing unit; figure 4 is a diagram of a computing environment that supports remote access by a mobile computing unit to a secure network, where authentication of the mobile computing unit is performed by a remote proxy RADIUS server that is in a relationship of trust with the protected network or is at least known to it; figure 5 is a logical flowchart of the steps of a method of obtaining a trusted machine identifier for a user; figure 6 is a logical flowchart of the stages of a method of logging on a trusted machine, in which a default user ID is used to initiate the logon, with the participation of the system administrator when the machine or the user does not have a proper credential; figure 7 is a logical flowchart of the steps of a method of obtaining access to the computing resources of a protected network using a machine identifier; figure 8 is a logical flowchart of the steps of a method of network access for a user unable to provide sufficient information for authentication, using a default user ID to request access from the system administrator without the need to physically visit the central office; figure 9 is a logical flowchart of the steps of a method by which a remote mobile computing unit obtains access to the protected network via a proxy RADIUS server; and figure 10 is a logical flowchart of the steps of a method of authenticating a remote user requesting access to protected network resources.
Detailed description of the invention. The drawings, in which like elements are denoted by like reference numerals, illustrate the invention implemented in a suitable computing environment. Although not required, the invention will be described generally with reference to computer-executable instructions, such as program modules, executed in the computing environment. Generally, program modules include procedures, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In addition, it will be obvious to those skilled in the art that the invention can be applied to other configurations of computer systems, including handheld devices, multiprocessor systems, processor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention is also feasible in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be stored on both local and remote storage devices. Figure 1 shows an example environment 100 of a computing system suitable for implementing the invention. Computing system environment 100 is merely an example of a suitable computing environment and does not impose any limitation on the scope of use or functionality of the invention. Neither should the computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of the components illustrated in the illustrative operating environment 100. The invention is applicable to many other general-purpose and special-purpose computer system environments or configurations.
Examples of well-known computing systems, environments and configurations to which the invention can be applied include, without limitation, personal computers, server computers, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices. The invention may be described generally with reference to instructions executed on a computer, such as program modules running on the computer. Generally, program modules include procedures, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention is also feasible in distributed computing environments where tasks are performed by remote processing devices linked to each other through a communications network. In a distributed computing environment, program modules may be stored on both local and remote computer storage media, including memory storage devices. According to figure 1, an illustrative system for implementing the invention includes a general-purpose computing device in the form of a computer 110. Components of computer 110 may include, among other things, a processing module 120, system memory 130, and a system bus 121 through which the various system components, including the system memory, are connected to processing module 120. System bus 121 may be any of several types of bus structure, including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of bus architectures.
Such architectures include, among others, the ISA (industry standard architecture) bus, the MCA (micro channel architecture) bus, the EISA (extended ISA) bus, the VESA (Video Electronics Standards Association) local bus and the PCI (peripheral component interconnect) bus, also referred to as a mezzanine bus. Computer 110 typically includes a variety of machine-readable media. Machine-readable media can be any available media that can be accessed by computer 110, including both volatile and nonvolatile media and removable and fixed media. Machine-readable media may include, for example and without limitation, computer storage media and communication media. Computer storage media include volatile and nonvolatile, removable and fixed media implemented in any method or technology for the storage of information such as machine-readable instructions, data structures, program modules or other data. Computer storage media include, without limitation, random access memory (RAM), read-only memory (ROM), EEPROM (electrically erasable programmable ROM), flash memory and other memory technologies, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by computer 110. Communication media typically embody machine-readable instructions, data structures, program modules or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. Communication media may include, for example and without limitation, wired media such as a wired network and wireless media such as acoustic, RF (radio frequency), infrared and other optical media.
The term machine-readable medium includes any combination of the above media. System memory 130 includes computer storage media in the form of volatile and nonvolatile memory, such as ROM 131 and RAM 132. A basic input/output system (BIOS) 133, containing the basic procedures that transfer information between elements of computer 110, for example during start-up, is typically stored in ROM 131. RAM 132 typically holds data and program modules that are immediately accessible to processing module 120 or that it is currently operating on. Figure 1 shows, without loss of generality, operating system 134, application programs 135, other program modules 136 and program data 137. To service application programs 135, operating system 134 often uses one or more application program interfaces (APIs) (not shown). Because such services are provided by operating system 134, the developers of application programs 135 need not re-develop software code to implement these services. Examples of APIs provided by operating systems such as Microsoft WINDOWS are known from the prior art. Computer 110 may also include other removable/fixed, volatile/nonvolatile computer storage media. For example, figure 1 shows a hard disk interface 140 that provides reading from and writing to fixed, nonvolatile magnetic media, a magnetic disk drive 151, which may be internal or external, that reads from and writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from and writes to a removable, nonvolatile optical disk 156 such as a CD-ROM. Other removable/fixed, volatile/nonvolatile computer storage media that can also be used in the illustrative operating environment include, among others, tape cartridges, flash memory cards, DVDs, digital video tape, on-chip RAM and on-chip ROM.
Hard disk drive 141, which may be internal or external, is typically connected to system bus 121 through a fixed storage device interface such as interface 140, and magnetic disk drive 151 and optical disk drive 155 are typically connected to system bus 121 through a removable storage device interface such as interface 150. The drives described above and depicted in figure 1, together with their associated computer storage media, provide storage of machine-readable instructions, data structures, program modules and other data for computer 110. For example, according to figure 1, hard disk drive 141 stores operating system 144, application programs 145, other program modules 146 and program data 147. Note that these components may be either the same as or different from operating system 134, application programs 135, other program modules 136 and program data 137. Operating system 144, application programs 145, other program modules 146 and program data 147 are given different reference numerals here because they may represent different copies. A user can enter commands and information into computer 110 through input devices such as a keyboard 162 and a pointing device 161, which may be a mouse, trackball or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish and scanner. These and other input devices are usually connected to processing module 120 through a user input interface 160 connected to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or universal serial bus (USB). A monitor 191 or other display device is connected to system bus 121 through an interface such as a video interface 190. In addition to the monitor, computers may also include other peripheral output devices such as speakers 197 and a printer 196, which may be connected through a peripheral output interface 195.
Computer 110 may operate in a networked environment using logical lines of communication with one or more remote computers, such as a remote computer 180. Remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or another common network node, and typically includes many or all of the elements described above in relation to computer 110, although figure 1 shows only a memory storage device 181. The logical lines of communication shown in figure 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but other networks may also be included. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet. In a LAN networking environment, computer 110 is connected to LAN 171 through a network interface or adapter 170. In a WAN networking environment, computer 110 typically includes a modem 172 or other means of establishing communication over WAN 173, such as the Internet. Modem 172, which may be internal or external, may be connected to system bus 121 through user input interface 160 or by another suitable mechanism. In a networked environment, the program modules described in relation to computer 110, or portions thereof, may be stored in a remote storage device. According to figure 1, but not necessarily, remote application programs 185 are stored in storage device 181, which may be internal or external to remote computer 180. It should be understood that, in addition to the network communication lines shown as an example, other means of establishing lines of communication between computers may be used. In the following description, unless indicated otherwise, the invention will be described with reference to acts and symbolic representations of operations performed by one or more computers.
It will therefore be understood that such acts and operations, sometimes referred to as computer-executed, include the manipulation by the processing module of the computer of electrical signals representing data in a structured form. This manipulation transforms the data or maintains them at locations in the computer's memory system, which reconfigures or otherwise alters the operation of the computer in a manner well understood by those skilled in the art. The data structures holding the data are physical memory locations whose particular properties are defined by the format of the data. However, this manner of describing the invention is not restrictive, as those skilled in the art will appreciate that the various acts and operations described here may also be implemented in hardware. In an authentication/encryption scheme for providing network access or connectivity, one or more parties using a communication line are first expected to be authenticated. Usually a certificate issued by a trusted source is used. In relation to a protected conference, a party requesting connection to the secure conference needs to prove its claimed identity. In some embodiments the conference site may also be required to confirm its identity. The certificate contains information about the party presenting the certificate and includes a protective mechanism that allows any changes to be detected, including changes made by the party presenting the information. To understand the basic procedure, consider an asymmetric-key encryption scheme. In this scheme, two keys are used in the encryption/decryption process, which for convenience are called the public key and the private key. The private key is kept secret, for example stored in protected memory of the computer or on a smart card. The public key is available to all. The public and private keys are mathematically related, but computing one from the other is difficult.
In particular, knowing the public key, it is impossible to calculate the private key within a foreseeable period of time. In addition, a message encrypted with one key can only be decrypted using the other key. A user who needs to authenticate his identity asks a trusted certification authority (CA) for an identity certificate. This request is preferably encrypted with the public key of the CA. This can be achieved in different ways, for example by first encrypting the claimed identity with the user's private key and then encrypting that message, together with a copy of the prospective new user's public key, with the public key of the CA. The CA thereby knows which public key to use for further decryption after it decrypts the message with its own private key. In addition, successful decryption guarantees to the CA that the message was sent by the user, because if it can be decrypted with the user's public key it must have been encrypted with the user's private key. Thus the CA, in particular one that issued the user's private key, can verify the claimed identity by consulting its database. The CA then encrypts information about the user's identity, including the public key corresponding to the private key, with its own private key to generate an authentication certificate, possibly carrying an electronic signature. A party wishing to authenticate the identity of the user decrypts the certificate with the public key of the CA. An advantage of the certificate is therefore that it also provides the party wishing to authenticate the user's identity with the user's public key. Although the user can read the information certified by the CA, the user cannot modify that information without detection, because the user does not know the private key of the CA. In addition, the CA can attach an encrypted one-way hash of the message so that the recipient can later be sure that the entire message is authentic, even if it is received in small parts.
A one-way hash function is commonly used because it is very difficult to alter a message while keeping the same hash value, which confirms the authenticity of the attached message. In other words, the encrypted message can be read by many, because the decryption key is the public key, but it cannot be modified without altering the signed hash. In addition, such an authentication certificate and the corresponding keys can be given a limited validity period to discourage criminal acts and reverse engineering. Further details on key exchange, authentication and authorization requests for secure communication between a client and a server are given in the documents attached to the application, entitled "IEEE 802.11 Security White Paper", "IEEE 802.1X Supported Scenarios" and "Bluetooth Security Architecture Version 1.0", which are fully incorporated in this application. Figure 2 shows an illustrative computing environment 200 that contains a set of dynamic lines, a set of static lines and a collection of devices. Computing environment 200 includes an intranet 205 connected to a router 210, which in turn is connected to the Internet 215. At least one mobile computing unit 220 is connected to the Internet 215 through a dynamic communication line 225. Alternatively, mobile computing unit 220 may connect to intranet 205 through a communication line 230, whose presence does not exclude the possibility of dynamic communication line 225 existing as well. Mobile computing unit 220 is not necessarily a computer, but may be any mobile computing device, such as a mobile communication device or a device that provides audio/video information through online access to information, etc. The collection of devices in computing environment 200 includes a workstation 235, a server 240 and a printer 245 managed by server 240.
Static lines are understood to be the connections forming intranet 205, whereas dynamic lines of communication are connections characterized by a high probability of failure, such as communication line 225 or communication line 230 between mobile computing unit 220 and the Internet 215 or intranet 205, respectively. Guaranteeing the security of static lines of communication is easier than securing dynamic communication lines. Effective protection of dynamic communication lines is harder to implement because of their short-lived nature and the more stringent delay and bandwidth constraints that apply to them. In addition, because of the mobile nature of portable computing devices such as computing unit 220, protection against unauthorized network access is necessary. The strategy of extending protected lines of communication to trusted users and trusted machines through transitive trust relationships makes it possible to implement a secure computing environment without centralized management of all protection relationships. Explicit trust relationships allow breaches of protection to be traced. In addition, explicit trust relationships simplify managed authentication procedures while keeping delays low when establishing a secure connection. Restricting access to trusted users and trusted machines, which can be implemented in software or hardware, has the advantage of allowing only trusted machines to access the network without an authenticated user, while at the same time allowing trusted users to access the network from any machine. This strategy prevents unauthorized access by users and machines that lack acceptable authentication. Conversely, machine authentication lets a machine with a valid credential provide standard levels of access to a user with a valid credential.
A user without a valid (trusted) credential obtains limited authorized access on a machine without a valid credential. This gives unauthenticated users basic access. Such users may be visitors, new or former employees, etc. who need some access to a secure network. Trusted users can access network resources through trusted or untrusted machines connected to the network. Providing a limited form of access to new users, or to users who have entered an incorrect password or otherwise logged on poorly, eases their adaptation to the computing environment. Similarly, providing adequate access that allows new users and employees to interact directly with the system administrator decentralizes the process of adding and removing users while maintaining centralized control. Decentralization is to be understood in the sense that a new employee does not have to physically go to the central office to obtain authorization for restricted access to computing resources. The access restrictions imposed on unauthenticated users are regulated so as to avoid compromising the security of network resources. To this end, the same user can have different authorization levels that better reflect the relative degree of security risk associated with the circumstances of the user's logon. For example, a user accessing computing resources from a remote device may have more limited privileges than a user operating a machine in the building where intranet 205 is deployed, or a user of a trusted machine. Thus the disclosed method and system allow users with mobile computing units to access the computing environment with different levels of access, i.e. authorization, depending on the identity of the mobile computing unit and/or the circumstances under which access is requested. Figure 3 shows a computing environment 300 capable of supporting a wireless communication line.
A mobile computing unit 305 can communicate over communication line 310 with computing environment 300, which has an access point 315. Access point 315 acts as the authenticator for mobile computing unit 305, giving it access to the computing resources of computing environment 300. From access point 315, the identifiers and certificates provided by mobile computing unit 305 go to a "Remote Authentication Dial-In User Service" (RADIUS) server 325, which performs authentication on the basis of the provided identifiers. RADIUS server 325 sends its requests for identification and for confirmation of identity to mobile computing unit 305 through access point 315, so that there is no direct exchange between RADIUS server 325 and the unauthenticated mobile computing unit 305. Figure 4 shows a mobile computing unit 400 that, being remote, is trying to access an intranet 405. Mobile computing unit 400 communicates with a remote access point 410, which acts as the authenticator and uses a proxy RADIUS server 415 to authenticate mobile computing unit 400. On successful authentication, access point 410 sends packets addressed to the network to a VLAN (virtual LAN) switch 420. VLAN switch 420 consults a logon server 430 to determine whether mobile computing unit 400 has remote access to VLAN 425, which is connected to intranet 405. On successful logon of mobile computing unit 400, transmissions addressed to VLAN 425 or to a server 435 connected through intranet 405 are duly forwarded. On unsuccessful authentication, further passage of packets to VLAN 425 or server 435 is blocked. According to the invention, there are two possible logon states each for the user and for the machine, respectively: a user with a valid (trusted) credential or a user without a valid credential, and a machine with a valid credential or a machine without a valid credential.
The logon states of the machine and the user together give rise to four possible logon states. The invention includes embodiments that express a preference for one of the possible logon states over the other possible states. According to one variant of the invention, when the identity of the user of a machine cannot be authenticated, the machine may provide an identifier that allows a machine logon procedure to ensure restricted access. Figure 5, which should not be construed as the only possible variant of the method, shows a possible sequence of steps by which a trusted machine can log on on the basis of its own identity. For this, a trusted user initially establishes the trusted status of the machine. According to figure 5, at step 500 a trusted user requests an ID for the machine on which the user is working. A network server, such as a domain controller, determines whether the user is trusted, at step 505, and authorized to make such a request, at step 510. If the user is authorized to make the request, the network server provides a unique machine ID (step 515). Otherwise, at step 520, the network server denies the request. At step 525 the network server asks the CA to provide a certificate confirming the identity of the machine, and at step 530 it sends the certificate to the machine. At step 535 the machine ID and the certificate are preferably retained on the machine for later use. According to the embodiment illustrated in figure 6, machine authentication and user authentication are performed either with an appropriate credential or with a default user ID that allows a system administrator to intervene in the authentication of the machine or user. At step 600 a request for network access is made. If the machine has a credential, control passes from step 605 to step 610, machine authentication.
Although in this embodiment the user may not be authenticated on the same machine, this should not be construed as limiting the scope of the invention. Step 610 is especially useful for running servers on the network without requiring a user to be logged on at the same time. Moreover, some machines in preferred locations may not even provide a user interface. Step 615 handles the case of unsuccessful machine authentication. On the other hand, if the machine has no credentials, control passes from step 605 to step 620. At step 620, the machine uses the default user identifier to initiate machine authentication, which completes either successfully at step 625 or unsuccessfully at step 630. After steps 620, 625 and 630, control passes to step 635. At step 635, user registration is initiated. If user credentials are present (step 640), control passes to step 645, which corresponds to successful user authentication, and the procedure ends. On the other hand, if the user credentials are not acceptable, unsuccessful user authentication is recorded at step 650 and the procedure ends. If no user credentials are present, control passes from step 640 to step 655, successful use of the default user identifier. If the user cannot be authenticated via the default user identifier, control passes to step 660, which ends the procedure accordingly.

An illustrative implementation environment, compatible with the Extensible Authentication Protocol (EAP), provides for the use of the EAP start message. Of course, other environments may use other initial messages, for example to reduce the number of messages used for the initial transaction. Figure 7 illustrates a variant implementation of the authentication procedure for a trusted machine. At step 700, the user issues a start message expressing a request for access to the computing environment.
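The decision flow of steps 600 to 660, with the four registration states that machine and user credentials give rise to, is easier to follow as code. The block below is an added illustration and is not code from the patent. It assumes a toy credential check (an HMAC tag under a constructed "certificate service" key stands in for a certificate), an administrator callback that plays the role of the intervening system administrator when the default user identifier is presented, and a mapping from the four states to access levels (full when both authenticate, limited when only one does, none otherwise) that the patent leaves open.

```python
"""Registration decision for the machine/user credential states of Figure 6.

Added illustration, not the patent's own code. The credential check is a
stand-in: a credential is valid when its HMAC tag under a constructed
certificate-service key matches. The state-to-access mapping is an assumption.
"""
import hmac
import hashlib
from enum import Enum
from typing import Callable, Optional, Tuple

# Constructed key standing in for the certificate service's signing key.
CS_KEY = b"constructed-certificate-service-key"
DEFAULT_USER_ID = ""  # the default user identifier: an empty string

Credential = Tuple[str, bytes]            # (identity, tag)
AdminReview = Callable[[str, str], bool]  # (subject kind, claimed id) -> approved?


class Access(Enum):
    NONE = 0      # neither machine nor user authenticated
    LIMITED = 1   # exactly one of the two authenticated
    FULL = 2      # both authenticated; the preferred state


# Assumed mapping of the four registration states (machine_ok, user_ok).
ACCESS_FOR_STATE = {
    (True, True): Access.FULL,
    (True, False): Access.LIMITED,
    (False, True): Access.LIMITED,
    (False, False): Access.NONE,
}


def issue_credential(identity: str) -> Credential:
    """Certificate service issues (identity, tag). Constructed stand-in."""
    return identity, hmac.new(CS_KEY, identity.encode(), hashlib.sha256).digest()


def verify_credential(cred: Credential) -> bool:
    """Check the tag in constant time; a forged or altered tag fails."""
    identity, tag = cred
    expected = hmac.new(CS_KEY, identity.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def register(machine_cred: Optional[Credential],
             user_cred: Optional[Credential],
             admin_review: AdminReview):
    """Walk steps 600-660; return ((machine_ok, user_ok), access level)."""
    # Step 605: are machine credentials present?
    if machine_cred is not None:
        machine_ok = verify_credential(machine_cred)      # 610 success / 615 failure
    else:
        # Step 620: the default user id starts machine authentication;
        # the administrator decides the outcome (625 success / 630 failure).
        machine_ok = admin_review("machine", DEFAULT_USER_ID)

    # Steps 635/640: user registration, with or without user credentials.
    if user_cred is not None:
        user_ok = verify_credential(user_cred)            # 645 / 650
    else:
        user_ok = admin_review("user", DEFAULT_USER_ID)   # 655 / 660

    state = (machine_ok, user_ok)
    return state, ACCESS_FOR_STATE[state]


if __name__ == "__main__":
    laptop = issue_credential("laptop-42")   # constructed sample identities
    alice = issue_credential("alice")
    deny_all = lambda kind, ident: False
    print(register(laptop, alice, deny_all))  # both valid: full access
    print(register(laptop, None, deny_all))   # machine only: limited access
    print(register(None, None, lambda k, i: k == "machine"))  # admin trusts machine
```

The administrator callback is where a real deployment would block on a human decision; passing a policy function keeps the four outcomes testable without that interaction.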
The wireless access point receives the start message for establishing a wireless link. The implementation of the wireless access point does not allow it to forward data traffic arriving from an unauthenticated connection, either to the underlying wired network or to another wireless mobile computing device. The access point, acting as the authenticator, permits only the limited interaction needed to authenticate the requesting party in order to establish an appropriate communication line. For this, at step 705 the access point requests the identity of the requesting party in order to initiate the authentication procedure if identifying information was not supplied, for example in the start message. In response to the request, at step 710 the requesting party supplies the identifying information required for authentication, if it is available. A timeout period applies to this determination. Alternatively, the requesting party explicitly indicates that it cannot provide the requested identifying information. If the requested identifying information is available, the standard authentication procedure follows at step 715. In the standard procedure, the access point sends the claimed identity to the RADIUS server. The RADIUS server passes its request to the access point, which in turn forwards it to the mobile computing unit. The mobile computing unit and the RADIUS server cannot communicate directly with each other, which protects network resources. However, in the absence of sufficient identifying information, a trusted machine provides the machine identifier at step 720. The access point sends the identifier of the trusted host to the RADIUS server, which in turn issues a request that the access point forwards to the mobile computing unit. At step 725, the access point requests confirmation of the claimed identity in accordance with the request received from the RADIUS server.
At step 730, the mobile computing unit provides the access point with a certificate confirming the identity of the machine. At step 735, if the certificate is valid, the access point grants limited access corresponding to the authenticated identity of the machine.

The figure for steps 800 to 840 illustrates the method of using a default user identifier to bring in a system administrator. This method is advantageous for authenticating and registering new users without requiring their physical presence at a central office. After the start message requesting access to the computing environment is issued at step 800, identification is requested at step 805. At step 810, the user provides the default user identifier, which may be an empty string. Given the default user identifier, the system withholds access and instead calls on a system administrator, who decides whether to grant the user access to the computing environment and determines the authorization level at step 815. If the system administrator confirms the identity of the user, i.e. authenticates the user, the domain controller allows the user to register at step 830. The domain controller then obtains a certificate to accompany the user identifier at step 835. At step 840, the certificate confirming the user's identity is retained so that subsequent attempts to access computing resources do not require contacting the system administrator.

Figure 9 presents an illustrative method of providing a user with limited access from a remote and exposed device; the method applies to requests made from one or more machines whose identity is unknown or which are physically located outside the intranet. In such a scenario it is preferable to grant limited access that does not reflect all the privileges the same user could have when working on a secure node or secure machine. At step 900, access is requested from the access point for remote access through a proxy server; then at step 905 the claimed identity is requested in the usual way.
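The exchange of steps 700 to 735 and 800 to 815, as an added simulation that is not part of the patent: the access point relays authentication messages between the requesting party and the RADIUS server, never lets the two talk directly, drops data frames from connections that have not authenticated, and routes an empty default user identifier to an administrator queue instead of rejecting it. The message types, the RadiusServer and AccessPoint classes and the HMAC-tagged "certificate" are all assumptions made for the illustration.

```python
"""Access point as authenticator between a client and a RADIUS server.

Added illustration, not the patent's own code. Certificates are modelled as
(identity, HMAC tag) pairs under a constructed certificate-service key.
"""
import hmac
import hashlib

CS_KEY = b"constructed-certificate-service-key"   # constructed stand-in
DEFAULT_USER_ID = ""                               # empty string (step 810)


def issue_certificate(identity: str) -> dict:
    """What the certificate service would hand out for a known identity."""
    tag = hmac.new(CS_KEY, identity.encode(), hashlib.sha256).hexdigest()
    return {"id": identity, "tag": tag}


def certificate_valid(cert: dict) -> bool:
    expected = hmac.new(CS_KEY, cert["id"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert["tag"], expected)


class RadiusServer:
    """Sees only messages relayed by the access point, never the client."""

    def __init__(self):
        self.pending_admin = []   # default-id sessions awaiting an administrator (step 815)

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "identity":
            if msg["id"] == DEFAULT_USER_ID:
                self.pending_admin.append(msg["session"])
                return {"type": "admin-review"}
            return {"type": "request-certificate", "id": msg["id"]}      # step 725
        if msg["type"] == "certificate":
            ok = certificate_valid(msg["cert"])
            return {"type": "accept" if ok else "reject", "id": msg["cert"]["id"]}
        return {"type": "reject"}


class AccessPoint:
    """Relays authentication traffic; forwards data only for authenticated clients."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.authenticated = {}   # client -> authenticated identity (step 735)
        self.forwarded = []       # data frames passed on to the wired network
        self._sessions = {}       # client -> session number given to RADIUS

    def _session(self, client) -> int:
        return self._sessions.setdefault(client, len(self._sessions) + 1)

    def receive(self, client, frame: dict) -> str:
        kind = frame["type"]
        if kind == "data":
            if client in self.authenticated:
                self.forwarded.append((self.authenticated[client], frame["payload"]))
                return "forwarded"
            return "dropped"            # unauthenticated data never reaches the wired side
        if kind == "start":             # steps 700 / 800
            return "request-identity"   # steps 705 / 805
        if kind == "identity":          # steps 710, 720 (machine id) or 810 (default id)
            reply = self.radius.handle({"type": "identity", "id": frame["id"],
                                        "session": self._session(client)})
            if reply["type"] == "admin-review":
                return "pending-administrator"
            return "request-certificate"            # step 725
        if kind == "certificate":                   # step 730
            reply = self.radius.handle({"type": "certificate", "cert": frame["cert"]})
            if reply["type"] == "accept":
                self.authenticated[client] = reply["id"]   # step 735: limited access
                return "access-granted"
            return "access-denied"
        return "dropped"


if __name__ == "__main__":
    ap = AccessPoint(RadiusServer())
    for frame in ({"type": "data", "payload": b"early"},
                  {"type": "start"},
                  {"type": "identity", "id": "laptop-42"},
                  {"type": "certificate", "cert": issue_certificate("laptop-42")},
                  {"type": "data", "payload": b"hello"}):
        print(frame["type"], "->", ap.receive("laptop", frame))
```

Note that the RADIUS server only ever receives dictionaries built by the access point, so the client cannot address it; the `forwarded` list is the only way bytes reach the wired side, and it is fed solely for clients present in `authenticated`.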
The identifier received at step 910 may be a user identifier or a machine identifier; at step 915 confirmation of the claimed identity is requested. At step 920, the requestor confirms the claimed identity by providing a certificate issued by a trusted certification service. The RADIUS proxy server performs the corresponding transaction, and the RADIUS server, having carried out the security check, provides the user with a uniform resource locator (URL), in effect the address of a port providing access to computing resources, at step 925. This URL usually gives the user a lower level of access to network resources than he would have received through an access point inside the network.

Figure 10 shows the steps of another embodiment providing remote access to a protected computing resource. At step 1000, a remote user requests access to a resource of the protected computing environment. This request may be made at an access point of another network or of the Internet. The RADIUS server processes the request and at step 1005 provides a URL for authenticating the requesting party on the remote computing device. This connection is preferably a secure connection, as indicated at step 1010, and may use SSL (Secure Sockets Layer) or other similar technologies to authenticate the requesting party. In addition, the web page used for authentication may also request and receive information for accounting purposes. This information includes credit card numbers, the time and nature of the requested resources, etc. At step 1015, the presence or absence of the requested service is determined. If the service is available and authentication is successful, authorization to access the requested resources is granted at step 1020, and the procedure ends. On the other hand, if the requested resource is absent, control passes from step 1015 to step 1030 to inform the requesting party of the lack of the resource or of access, and the procedure ends at step 1025.
The methods described above provide automatic administration of a collection of users, some of whom have mobile computing units, in networks with dynamic communication lines, by means of machine or user authentication combined with different authorization levels reflecting the relative security threat posed by different users and communication lines. A secure communication line established in the ways described here includes encryption. Encryption is provided by exchanging at least one key and generating additional keys at the access point and the mobile computing unit in order to create a secure connection. These keys may be symmetric or asymmetric. Every encryption scheme requires the key to be changed frequently to increase the level of protection. In addition, when a secure communication line is broken and then re-established at a new access point connected to the previously used access point, the mobile computing unit simply supplies the identity of the previously used access point and declares its own identity. The new access point confirms the previous authentication of the mobile computing unit and grants access without requiring it to re-authenticate. This strategy, combined with the interruption handling, provides better working conditions in the network by reducing the delay caused by the time needed to authenticate the newly arrived mobile unit.

Because of the large number of possible embodiments to which the principles of this invention apply, it should be understood that the implementation described here with reference to the drawings is merely illustrative and should not be construed as limiting the scope of the invention. For example, it will be obvious to specialists in this field that elements of the illustrated implementation shown as software may be implemented in hardware and vice versa, or that the illustrated implementation may be modified in structure and detail without departing from the scope of the invention.
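The key handling described in the paragraph above (one exchanged key from which additional keys are generated on both sides, frequent key change, and re-establishment at a neighbouring access point without re-authentication) as an added example that is not the patent's own code. It assumes a symmetric master key shared after authentication, an HKDF-style derivation (RFC 5869 construction over HMAC-SHA256) of separate per-direction keys bound to the access point identity and a rotation counter, and a peer lookup by which the new access point checks the previous one's session record; the class and method names are illustrative.

```python
"""Per-link key derivation, rotation and roaming hand-off.

Added illustration, not the patent's own code. The master key is assumed to
have been exchanged during authentication; derived keys are bound to the
client, the access point and an epoch so that rotation and roaming both yield
fresh traffic keys without a second authentication.
"""
import hmac
import hashlib
import os
from typing import Dict, Optional


def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 extract-and-expand (RFC 5869 construction)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SecureLink:
    """Keys shared by one client and one access point; both sides compute them."""

    def __init__(self, master: bytes, client_id: str, ap_id: str):
        self.master, self.client_id, self.ap_id = master, client_id, ap_id
        self.epoch = 0
        self.keys = self._derive()

    def _derive(self) -> Dict[str, bytes]:
        ctx = f"{self.client_id}|{self.ap_id}|{self.epoch}".encode()
        return {"client_to_ap": hkdf(self.master, b"c2ap|" + ctx),
                "ap_to_client": hkdf(self.master, b"ap2c|" + ctx)}

    def rotate(self) -> Dict[str, bytes]:
        """Frequent key change: bump the epoch, re-derive; master stays put."""
        self.epoch += 1
        self.keys = self._derive()
        return self.keys


class AccessPoint:
    def __init__(self, ap_id: str, peers: Dict[str, "AccessPoint"]):
        self.ap_id = ap_id
        self.peers = peers          # connected access points, by identity
        self.sessions: Dict[str, SecureLink] = {}

    def authenticate(self, client_id: str) -> bytes:
        """Called once the authenticator/RADIUS exchange succeeded; returns the
        master key the client also receives (constructed with os.urandom)."""
        master = os.urandom(32)
        self.sessions[client_id] = SecureLink(master, client_id, self.ap_id)
        return master

    def reassociate(self, client_id: str, previous_ap_id: str) -> Optional[Dict[str, bytes]]:
        """Roaming: the client names its previous access point; if that peer
        confirms an authenticated session, grant access without re-authenticating."""
        prev = self.peers.get(previous_ap_id)
        if prev is None or client_id not in prev.sessions:
            return None                      # unknown or unauthenticated: full procedure
        link = SecureLink(prev.sessions[client_id].master, client_id, self.ap_id)
        self.sessions[client_id] = link
        return link.keys


if __name__ == "__main__":
    ap1 = AccessPoint("ap-1", {})
    ap2 = AccessPoint("ap-2", {"ap-1": ap1})
    master = ap1.authenticate("unit-305")
    client = SecureLink(master, "unit-305", "ap-1")
    print("in sync after auth:", client.keys == ap1.sessions["unit-305"].keys)
    client.rotate(); ap1.sessions["unit-305"].rotate()
    print("in sync after rotation:", client.keys == ap1.sessions["unit-305"].keys)
    print("roamed without re-auth:", ap2.reassociate("unit-305", "ap-1") is not None)
```

Binding the access point identity into the derivation means the keys used at ap-2 differ from those used at ap-1 even though the master is reused, so a compromise of one link's traffic keys does not expose the other's; a deployment that wants stronger separation would have the previous access point hand over a freshly derived key rather than the master.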
Therefore, this invention encompasses all such embodiments and corresponds to the scope of the following claims and their equivalents. All references cited, including patents, patent applications and publications, are incorporated into the present description of the invention in their entirety by reference.

1. A method of providing a mobile computing unit with privileged access to a computing resource, the method comprising the steps of: detecting an unsuccessful attempt by a user of the mobile computing unit to register in order to access the computing resource, and then obtaining a certificate with a unique identifier of the mobile computing unit to facilitate authentication of the identity of said unit; providing the certificate to an authentication unit to confirm the identity of the mobile computing unit, the authentication unit controlling access to the computing resource; and establishing limited access to the computing resource using authorization information obtained from the authentication unit, the authorization information corresponding to the authenticated identity of the mobile computing unit.
2. The method according to claim 1, characterized in that the mobile computing unit is connected to the computing resource over at least one wireless link.
3. The method according to claim 1, wherein the authorization information includes a key for encrypting transmissions from the mobile computing unit to an input port.
4. The method according to claim 3, wherein the key is a symmetric session key.
5. The method according to claim 1, characterized in that it further comprises the step of determining that the mobile computing unit does not have a certificate confirming the identity of the machine and, in response, performing the step of obtaining the certificate.
6. The method according to claim 1, characterized in that it further comprises the step of retaining the unique machine identifier on the mobile computing unit for later use.
7. The method according to claim 1, characterized in that it further comprises the step of storing the certificate on the mobile computing unit.
8. The method according to claim 1, characterized in that it further comprises the step of receiving a unique machine identifier.
9. The method according to claim 1, characterized in that it further comprises the steps of the domain controller obtaining a certificate from a certification authority, and receiving the certificate from the domain controller.
10. The method according to claim 9, characterized in that the domain controller obtains the certificate in response to a request received from the user, the user using the mobile computing unit to access the computing resource.
11. A method of providing a user with privileged access to a computing resource, the access to the computing resource being limited, the method comprising the steps of: requesting access to the computing resource; providing a default user identifier to initiate a registration process for gaining limited access to the computing resource; the administrator accepting the default user identifier; the administrator confirming the identity of the user and, in response, providing information by which access to the computing resource is obtained; and transmitting data to and receiving data from the computing resource to complete the registration process.
12. The method according to claim 11, characterized in that it further comprises the step of accessing the computing resource subject to successful registration on a domain controller, the domain controller corresponding to the computing resource.
13. The method according to claim 11, characterized in that it further comprises the steps of the domain controller obtaining a certificate for authenticating the user, and the user receiving the certificate for user authentication from the domain controller.
14. The method according to claim 11, wherein the user accesses the computing resource over at least one wireless link.
15. A method of providing a user with secure access to a computing resource from an external device, the method comprising the steps of: sending a request for access to the computing resource; providing the user identifier to the remote-access authentication proxy server, the user identifier corresponding to a claimed identity; in response to a request, providing the remote-access authentication proxy server with a certificate for authenticating the claimed identity; and receiving from the authentication proxy server an address for sending data to and receiving data from the computing resource, the address corresponding to limited access to the computing resource.
16. The method according to claim 15, wherein the address for sending and receiving data is a uniform resource locator.
17. The method according to claim 16, wherein the user additionally receives a key for encrypting transmissions to the computing resource.
18. The method according to claim 17, characterized in that it additionally uses the key to decrypt transmissions from the computing resource.
19. A machine-readable medium containing computer-executable instructions for implementing the steps of a method of providing a mobile computing unit with privileged access to a computing resource, the method comprising the steps of: detecting an unsuccessful attempt by a user of the mobile computing unit to register in order to access the computing resource, and then obtaining a certificate with a unique identifier of the mobile computing unit to facilitate authentication of the identity of the mobile computing unit; providing the certificate to an authentication unit to confirm the identity of the mobile computing unit, the authentication unit controlling access to the computing resource; and establishing access to the computing resource using authorization information obtained from the authentication unit, the authorization information corresponding to the authenticated identity of the mobile computing unit.
20. The machine-readable medium according to claim 19, containing computer-executable instructions for the step of identifying the machine when the user of the machine is unable to register for access to the computing resource.
21. The machine-readable medium according to claim 19, containing computer-executable instructions, wherein the mobile computing unit is connected to the computing resource over at least one wireless link.
22. The machine-readable medium according to claim 19, containing computer-executable instructions, wherein the authorization information includes a key for encrypting transmissions from the mobile computing unit to an input port.
23. The machine-readable medium according to claim 19, containing computer-executable instructions for implementing the additional step of retaining the unique machine identifier on the mobile computing unit for later use.
24. The machine-readable medium according to claim 19, containing computer-executable instructions for implementing the additional step of storing the certificate on the mobile computing unit.
25. The machine-readable medium according to claim 19, containing computer-executable instructions for implementing the additional steps of the domain controller obtaining a certificate from Microsoft certificate services, and receiving the certificate from the domain controller.
26. The machine-readable medium according to claim 25, containing computer-executable instructions, characterized in that the domain controller obtains the certificate in response to a request from a user to use the computing resource.
27. A machine-readable medium containing computer-executable instructions for implementing the steps of a method of providing a user with privileged access to a computing resource, the access to the computing resource being limited, the method comprising the steps of: requesting access to the computing resource; providing a default user identifier to initiate a registration process for gaining limited access to the computing resource; the administrator accepting the default user identifier and, in response, providing information for gaining access to the computing resource; and transmitting data to and receiving data from the computing resource to complete the registration process.
28. The machine-readable medium according to claim 27, containing computer-executable instructions for the step of gaining access to the computing resource subject to successful registration on a domain controller, the domain controller corresponding to the computing resource.
29. The machine-readable medium according to claim 27, containing computer-executable instructions for performing the steps of the domain controller obtaining a certificate for authenticating the user, and the user receiving the certificate for user authentication from the domain controller.
30. The machine-readable medium according to claim 27, containing computer-executable instructions, wherein the user accesses the computing resource over at least one wireless link.
31. A machine-readable medium containing computer-executable instructions for implementing the steps of a method of providing a user with secure access to a computing resource from an external device, the method comprising the steps of: sending a request for access to the computing resource; providing a user identifier, the user identifier corresponding to a claimed identity, to initiate registration for access to the computing resource; providing, in response to a request, a certificate for authenticating the claimed identity in order to gain access to the computing resource; and receiving from the authentication proxy server an address for sending data to and receiving data from the computing resource.
32. The machine-readable medium according to claim [number missing in the source], containing computer-executable instructions, characterized in that the address for sending and receiving data is a uniform resource locator.
33. The machine-readable medium according to claim [number missing in the source], containing computer-executable instructions for the step of receiving a key for encrypting transmissions to the computing resource.
34. The machine-readable medium according to claim [number missing in the source], containing computer-executable instructions for the step of using the key to decrypt transmissions from the computing resource.
© 2013-2014 Russian business network RussianPatents.com - Special Russian commercial information project for world wide. Foreign filing in English.