System, apparatus and method for managing lifecycle of secure publish-subscribe system

US 10,230,696 B2
Filed: 09/25/2015
Issued: 03/12/2019
Est. Priority Date: 06/09/2015
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable storage medium comprising instructions that when executed enable a system to:

receive a first request, for a first security ticket, from a first device, wherein the first request includes;

(a)(i) a first device identity credential corresponding to a role for the first device with a publish-subscribe protocol of a distributed network, and (a)(ii) a first filter element associated with a publish-subscribe protocol;

send the first security ticket, which is restricted to the first filter element, to the first device;

receive a second request, for a second security ticket, from a second device that is a publisher for the first filter element, wherein the second request includes the first filter element; and

send the second security ticket to the second device, the second security ticket being restricted to the first filter element;

wherein (a) the first security ticket includes a first key, (b) the second security ticket includes a second key, (c) the second key is a symmetric group key, (d) receiving the first request includes receiving the first request into a memory, and (e) sending the first security ticket includes sending the first security ticket via a processor that is coupled to the memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method includes: request enrollment of the device with an identity provider, the enrollment including at least one role for the device for a publish-subscribe protocol of a distributed network; receiving a device identity credential from the identity provider and store the device identity credential in the device; receiving a ticket credential for a first topic associated with a first publisher, the ticket credential including the at least one role for the device; receiving a group key from a key manager for a group associated with the publish-subscribe protocol; and receiving content for the first topic in the device, the content protected by the group key.

15 Citations

View as Search Results

24 Claims

1. At least one non-transitory computer readable storage medium comprising instructions that when executed enable a system to:
- receive a first request, for a first security ticket, from a first device, wherein the first request includes;
  
  (a)(i) a first device identity credential corresponding to a role for the first device with a publish-subscribe protocol of a distributed network, and (a)(ii) a first filter element associated with a publish-subscribe protocol;
  
  send the first security ticket, which is restricted to the first filter element, to the first device;
  
  receive a second request, for a second security ticket, from a second device that is a publisher for the first filter element, wherein the second request includes the first filter element; and
  
  send the second security ticket to the second device, the second security ticket being restricted to the first filter element;
  
  wherein (a) the first security ticket includes a first key, (b) the second security ticket includes a second key, (c) the second key is a symmetric group key, (d) receiving the first request includes receiving the first request into a memory, and (e) sending the first security ticket includes sending the first security ticket via a processor that is coupled to the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The at least one non-transitory computer readable storage medium of claim 1, further comprising instructions that when executed enable the system to:
    - receive a third request, for a third security ticket, from a third device, wherein the third request includes;
      
      (b)(i) a third device identity credential corresponding to a role for the third device with the publish-subscribe protocol, and (b)(ii) the first filter element; and
      
      send the third security ticket, which is restricted to the first filter element and includes a third key, to the third device.
  - 3. The at least one non-transitory computer readable storage medium of claim 2, wherein the first device is one of a subscriber and a broker for the first filter element and the third device is another of a subscriber and a broker for the first filter element.
  - 4. The at least one non-transitory computer readable storage medium of claim 2, wherein the role for the first device corresponds to a first set of publish-subscribe protocol privileges and the role for the third device corresponds to another set of publish-subscribe protocol privileges unequal to the first set of publish-subscribe protocol privileges.
  - 5. The at least one non-transitory computer readable storage medium of claim 2, wherein the first security ticket includes the first device identity credential, which corresponds to a first set of publish-subscribe protocol privileges.
  - 6. The at least one non-transitory computer readable storage medium of claim 1, further comprising instructions that when executed enable the system to:
    - receive an additional first request, for an additional first security ticket, from the first device, wherein the additional first request includes an additional first device identity credential corresponding to an additional role for the first device with the publish-subscribe protocol; and
      
      send the additional first security ticket, which includes an additional first key, to the first device;
      
      wherein the role is unequal to the additional role.
  - 7. The at least one non-transitory computer readable storage medium of claim 1, further comprising instructions that when executed enable the system to:
    - receive an additional first request, for an additional first security ticket, from the first device, wherein the additional first request includes;
      
      (a)(i) an additional first device identity credential corresponding to an additional role for the first device with the publish-subscribe protocol, and (a)(ii) an additional first filter element associated with the publish-subscribe protocol;
      
      send the additional first security ticket, which is restricted to the additional first filter element and includes an additional first key, to the first device;
      
      wherein the role is unequal to the additional role and the first filter element is unequal to the additional first filter element.
  - 8. The at least one non-transitory computer readable storage medium of claim 7, wherein the role is one of publisher and subscriber and the additional role is another of publisher and subscriber.
  - 9. The at least one non-transitory computer readable storage medium of claim 1, wherein the first identity credential includes a certificate from a certificate authority that attests to the role for the first device.
  - 10. The at least one non-transitory computer readable storage medium of claim 1, wherein the first filter element includes one of a topic for a topic-based publish-subscribe protocol and a defined constraint for a content-based publish-subscribe protocol.
  - 11. The at least one non-transitory computer readable storage medium of claim 1, further comprising instructions that when executed enable the system to:
    - receive the first request from the first device via an unsecure public internet domain;
      
      send the first security ticket to the first device via the unsecure public internet domain;
      
      receive the second request from the second device via the unsecure public internet domain; and
      
      send the second security ticket to the second device via the unsecure public internet domain.
  - 12. The at least one non-transitory computer readable storage Medium of claim 1, further comprising instructions that when executed enable the system to:
    - receive a third request, to delete the symmetric group key, from at least one of the first device, the second device, and a third device; and
      
      delete the symmetric group key.
  - 13. The at least one non-transitory computer readable storage medium of claim 1, wherein the symmetric group key is a temporal session key.

14. At least one non-transitory computer readable storage medium comprising instructions that when executed enable a first device to:
- request enrollment of the first device with an identity provider, the enrollment including a role for the first device for a publish-subscribe protocol of a distributed network;
  
  receive a first device identity credential, from the identity provider and corresponding to the role, and store the first device identity credential in at least one memory of the first device;
  
  send a first request, for a first security ticket, to a key manager, wherein the first request includes;
  
  (a)(i) the first device identity credential, and (a)(ii) a first filter element associated with the a publish-subscribe protocol; and
  
  receive the first security ticket, which is restricted to the first filter element, from the key manager;
  
  wherein (a) the first security ticket includes a first key, (b) receiving the first security ticket includes receiving the first security ticket into the at least one memory, and (c) sending the first request includes sending the first request via a processor that is coupled to the at least one memory.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The at least one non-transitory computer readable storage medium of claim 14, further comprising instructions that when executed enable the first device to:
    - send a second request, for a second security ticket, to the key manager, wherein (b)(i) the first device is a publisher for the first filter element, and (b)(ii) the second request includes the first filter element; and
      
      receive the second security ticket from the key manager, the second security ticket being restricted to the first filter element and including a second key that is a symmetric group key.
  - 16. The at least one non-transitory computer readable storage medium of claim 15, further comprising instructions that when executed enable the first device to:
    - receive content, for the first filter element, which is encrypted by the second key; and
      
      decrypt the content with the second key.
  - 17. The at least one non-transitory computer readable storage medium of claim 16, wherein the first device is one of a subscriber and a broker for the first filter element.
  - 18. The at least one non-transitory computer readable storage medium of claim 16, wherein the first security ticket includes the first device identity credential, which corresponds to a first set of publish-subscribe protocol privileges.
  - 19. The at least one non-transitory computer readable storage medium of claim 14, further comprising instructions that when executed enable the first device to:
    - request an additional enrollment of the first device with the identity provider, the additional enrollment including an additional role for the first device for the publish-subscribe protocol;
      
      receive an additional first device identity credential, from the identity provider and corresponding to the additional role, and store the additional first device identity credential in the at least one memory of the first device;
      
      send an additional first request, for an additional first security ticket, to the key manager, wherein the additional first request includes the additional first device identity credential; and
      
      receive the additional first security ticket, which includes an additional first key, from the key manager;
      
      wherein the role is unequal to the additional role.
  - 20. The at least one non-transitory computer readable storage medium of claim 14, further comprising instructions that when executed enable the first device to:
    - send an additional first request, for an additional first security ticket, to the key manager, wherein the additional first request includes;
      
      (a)(i) an additional first device identity credential corresponding to an additional role for the first device with the publish-subscribe protocol, and (a)(ii) an additional first filter element associated with the publish-subscribe protocol;
      
      receive the additional first security ticket, which is restricted to the additional first filter element and includes an additional first key, from the key manager;
      
      wherein the role is unequal to the additional role and the first filter element is unequal to the additional first filter element.
  - 21. The at least one non-transitory computer readable storage medium of claim 14, wherein the first identity credential includes a certificate from a certificate authority that attests to the role for the first device.
  - 22. The at least one non-transitory computer readable storage medium of claim 15, further comprising instructions that when executed enable the first device to send a third request to delete the symmetric group key to the key manager.

23. An apparatus comprising:
- at least one memory; and
  
  at least one processor, coupled to the at least one memory, to perform operations comprising;
  
  request at least one enrollment with at least one identity provider, the enrollment including at least one role for the apparatus for a publish-subscribe protocol of a distributed network;
  
  receive at least one first identity credential, from the at least one identity provider and corresponding to the at least on role, and store the at least one first device identity credential in the at least one memory;
  
  send at least one first request, for at least one first security ticket, to at least one key manager, wherein the at least one first request includes;
  
  (a)(i) the at least one first identity credential, and (a)(ii) at least one first filter element associated with the a publish-subscribe protocol; and
  
  receive the at least one first security ticket, which is restricted to the at least one first filter element, from the at least one key manager;
  
  wherein (a) the at least one first security ticket includes at least one first key, (b) receiving the at least one first security ticket includes receiving the at least one first security ticket into the at least one memory, and (c) sending the at least one first request includes sending the at least one first request via the at least one processor.
- View Dependent Claims (24)
- - 24. The apparatus of claim 23, wherein the operations comprise:
    - send at least one second request, for at least one second security ticket, to the at least one key manager, wherein (b)(i) the apparatus is a publisher for the at least one first filter element, and (b)(ii) the at least one second request includes the at least one first filter element; and
      
      receive the at least one second security ticket from the at least one key manager, the at least one second security ticket being restricted to the at least one first filter element and including at least one second key;
      
      receive content, for the at least one first filter element, which is encrypted by the at least one second key; and
      
      decrypt the content with the at least one second key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Heldt-Sheller, Nathan
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Saadoun, Hassan

Application Number

US14/864,957
Publication Number

US 20160366111A1
Time in Patent Office

1,264 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 67/125   involving control of end-de...

H04L 67/562   Brokering proxy services

H04L 69/03   Protocol definition or spec...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 4/80   Services using short range ...

H04W 84/18   Self-organising networks, e...

System, apparatus and method for managing lifecycle of secure publish-subscribe system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for managing lifecycle of secure publish-subscribe system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links