Access control for computers

US 20020066016A1
Filed: 03/14/2001
Published: 05/30/2002
Est. Priority Date: 03/15/2000
Status: Active Grant

First Claim

Patent Images

1. A method for verifying the identity of a message-originator program (D) by a message-receiver program (S), the method comprising the steps of:

receiving from said message-originator program (D) a message comprising a program-specific identifier (H(D)), which has been provided for said message-originator program (D) by means of a trusted computing base (TCB); and

verifying whether said received program-specific identifier (H(D)) is known to said message-receiver program (S).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a general and flexible mechanism for a secure access control on a computer. Cryptographic checksums are applied for the identification of a program to another program. These cryptographic checksums are generated automatically for the programs. Each program has its program-specific identifier which can be regarded as a substantially unique value or name. Such a program-specific identifier can be used to verify the validity of one program to another program. Mutual trust relationships between different programs can therewith be set up easily.

52 Citations

View as Search Results

15 Claims

1. A method for verifying the identity of a message-originator program (D) by a message-receiver program (S), the method comprising the steps of:
- receiving from said message-originator program (D) a message comprising a program-specific identifier (H(D)), which has been provided for said message-originator program (D) by means of a trusted computing base (TCB); and
  
  verifying whether said received program-specific identifier (H(D)) is known to said message-receiver program (S).
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 4. Method according to claim 1, wherein the message-receiver program (S) afterwards becomes a response-message-originator program and sends a response-message to the message-originator program (D) comprising:
    - a response-program-specific identifier (H(S)), which has been provided for said response-message-originator program by means of the trusted computing base (TCB); and
      
      an acknowledgment if the program-specific identifier (H(D)) has been verified as being known.
  - 5. Method according to claim 1, wherein a substantially unique cryptographic identifier that is derived by applying a cryptographic function (H) to the message-originator program (D), preferably a hash function, and more preferably a one-way-hash function, such as MD5 or SHA-1, is used as the program-specific identifier (H(D)).
  - 6. Method according to claim 1, further comprising the step of signing the program-specific identifier (H(D)) and/or the message by use of a private cryptographic key (k⁻
    - 1) to establish trust between different programs.
  - 7. Method according to claim 6, wherein the message further comprises an additional program-specific identifier (H(G)) that is signed by use of the private cryptographic key (k⁻
    - 1) to establish a membership of an additional program in a trust relationship.
  - 8. Method according to claim 1, wherein the message-receiver program (S) has a public cryptographic key (k).
  - 9. Method according to claim 1, wherein the message-receiver program (S) and/or the trusted computing base (TCB) use(s) a list comprising pre-stored program-specific identifiers and wherein said message-receiver program (S) verifies whether the program-specific identifier (H(D)) is identical to one of said pre-stored program-specific identifiers.
  - 10. Method according to claim 1, wherein the message-receiver program (S) sends a rejection-message if the program-specific identifier (H(D)) is not verified as being known.
  - 11. Method according to claim 1, wherein the message-originator program (D) and the message-receiver program (S) are executed on different systems and are connectable via a network, each having its trusted computing base (TCB) for providing program-specific cryptographic identifiers.
  - 12. A computer program comprising program code means for performing the steps of claim 1, when said program is run on a computer.
  - 13. A computer program product comprising program code means stored on a computer readable medium for performing the method of claim 1, when said program product is run on a computer.

2. A method for disclosing the identity of a message-originator program (D) to a message-receiver program (S), the method comprising:
- sending from said message-originator program (D) to said message-receiver program (S) a message comprising a program-specific identifier (H(D)), which has been provided for said message-originator program (D) by means of a trusted computing base (TCB), said program-specific identifier (H(D)) being verifiable at said message-receiver program (S) whether it is known to said message-receiver program (S).

3. A method for verifying the identity of a message-originator program (D) by a message-receiver program (S), the method comprising the steps of:
- providing a program-specific identifier (H(D)) for said message-originator program (D) by means of a trusted computing base (TCB);
  
  sending from said message-originator program (D) to said message-receiver program (S) a message comprising said program-specific identifier (H(D));
  
  receiving at said message-receiver program (S) said message; and
  
  verifying whether said received program-specific identifier (H(D)) is known to said message-receiver program (S).

14. An apparatus for verifying the identity of a message-originator program (D) by a message-receiver program (S) on a computer, the apparatus comprising:
- computing means;
  
  a receiver-module for receiving from said message-originator program (D) a message comprising a program-specific identifier (H(D)), which has been provided for said message-originator program (D) by means of a trusted computing base (TCB); and
  
  a verifier-module that verifies whether said program-specific identifier (H(D)) is known to said message-receiver program (S).

15. An apparatus for disclosing the identity of a message-originator program (D) by a message-receiver program (S) on a computer, the apparatus comprising:
- computing means;
  
  a trusted computing base (TCB) comprising a generator-module for creating a program-specific identifier (H(D)); and
  
  a sender-module for sending from said message-originator program (D) a message comprising said program-specific identifier (H(D)), said program-specific identifier (H(D)) being verifiable at said message-receiver program (S) whether it is known to said message-receiver program (S).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Riordan, James

Granted Patent

US 7,134,018 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

G06F 21/445 by mutual authentication, e...

G06F 2221/2103 Challenge-response

Access control for computers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Access control for computers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links