Challenge-response access control using context-based proof
First Claim
1. A method for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, said method comprising:
- transmitting to the requesting entity a challenge data set;
- receiving from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;
- querying the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and
- authorizing the requesting entity for access only if the response is the same as the correct representation;
- in which the event validation system is a keyless, hash tree-based signing infrastructure, further comprising;
- inputting the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and computing a data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set, whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.
Abstract
Access by a requesting entity to an asset is authorized by an access-controlling entity, which transmits to the requesting entity a challenge data set and then receives from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system. The access-controlling entity queries the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form, and authorizes the requesting entity for access only if the response is the correct representation. Non-repudiation can be established through entry into a blockchain, or using a hash-tree-based digital signature infrastructure.
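The recompute-to-the-uppermost-value check recited in claim 1 can be illustrated with a single in-memory hash tree. This is an added example, not code from the patent or from any signing infrastructure; the function names, the SHA-256 choice, the odd-node padding rule and the sample records are assumptions made for illustration.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def build_levels(leaves):
    """All tree levels, leaves first; an odd node is paired with itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([h(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def sign(levels, index):
    """Recomputation parameters for a leaf: (sibling hash, sibling_is_left) per level."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        path.append((level[sib], sib < index))
        index //= 2
    return path

def recompute_root(leaf, path):
    """Hash upward from the leaf using the sibling values in the signature."""
    node = leaf
    for sibling, sibling_is_left in path:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node

def authorize(challenge, response_path, uppermost_value):
    """Access controller: start from its OWN challenge, never a value the requester sends."""
    candidate = recompute_root(h(challenge), response_path)
    return secrets.compare_digest(candidate, uppermost_value)

def demo():
    challenge = secrets.token_bytes(32)                      # constructed challenge data set
    others = [h(b"other-record-%d" % i) for i in range(4)]   # constructed records from other clients
    leaves = others[:2] + [h(challenge)] + others[2:]
    levels = build_levels(leaves)
    root = levels[-1][0]                                     # uppermost value of the tree
    path = sign(levels, 2)                                   # signature returned to the requester
    return (authorize(challenge, path, root),                # genuine response
            authorize(secrets.token_bytes(32), path, root),  # path replayed for another challenge
            authorize(challenge, path[::-1], root))          # altered recomputation parameters
```

The sibling hashes in the path are derived from the other clients' records, which is why a response obtained for one challenge cannot be reused for a different one.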
22 Claims
9. A system for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, comprising computer-executable code embodied in a non-volatile storage medium, which, when executed by a processor, causes the access-controlling entity:
- to transmit to the requesting entity a challenge data set;
- to receive from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;
- to query the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and
- to authorize the requesting entity for access only if the response is the same as the correct representation;
- in which the event validation system is a keyless, hash tree-based signing infrastructure configured;
- to input the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and to compute a data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set, whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.
Specification