Methods and systems for flexible delegation
First Claim
1. A method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method comprising:
- sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request;
receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity; and
sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token.
1 Assignment
0 Petitions
Accused Products
Abstract
This invention generally relates to methods, systems and computer program code for flexible but secure delegation, particularly where a chain of accountability is required in a system where trust is delegated.
A method of delegation is described, for delegating from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another. The method comprises sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request; receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity; and sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token.
-
Citations
50 Claims
-
1. A method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method comprising:
-
sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request;
receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity; and
sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 14, 15, 16, 17, 18, 41, 42, 45, 47)
-
-
11. A method of flexible delegation comprising:
-
implementing a method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method of delegation comprising sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request, receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity, and sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token;
determining a desired level of security; and
selecting optional additional information to be included in said sending and receiving responsive to said determining, wherein said additional information is selected from at least one of;
a delegation verification key, a signature of said delegation token and a delegation verification key;
a signature of said first entity;
a signature of said second entity;
a signature of said delegation token;
a signature of a delegation verification key;
timestamp data; and
nonce data.
-
-
12. A method of flexible delegation comprising:
-
implementing a method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method of delegation comprising sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request, receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity, and sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token;
determining a desired level of security; and
selecting optional additional information to be included in said sending and receiving responsive to said determining. - View Dependent Claims (13)
-
-
19. A method of confining acceptance of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bi-directional communication link with one another, the method comprising:
-
receiving a delegation token from said first entity, said delegation token including information relating to a delegation request;
generating a reply for said first entity, said reply including at least a delegation verification key comprising one key of a pair of keys, the other key of which comprises a delegation signing key, said delegation signing key being a key usable to generate a signature for a message from said second entity, said delegation verification key being usable to verify said signature; and
sending said reply to said first entity to confirm acceptance of said delegation. - View Dependent Claims (20, 21, 43, 44, 46)
-
-
22. A method of requesting a service, by a delegate data processing entity in a chain of delegate data processing entities of length at least one, from an end point data processing entity, the method comprising sending a request from said delegate entity to said end point entity, said request comprising:
-
a set of delegation tokens, one from each delegate entity in said chain, each said delegation token including information relating to a delegation request;
a set of delegation token signatures, one from each delegate entity in said chain, each comprising a respective delegate entity signature of a respective said delegation token; and
service request data. - View Dependent Claims (23, 24, 25, 26, 27)
-
- 28. A method of delegating from a first data processing entity to a second data processing entity using a delegation protocol, said delegation protocol including sending a signed delegation token from said first to said second entity said signed delegation token comprising a signature of a delegation token and of a key received from said second entity by said first entity.
-
30. A method of delegating from a first data processing entity to a second delegation protocol entity, the method comprising:
sending a message from said first to said second entity, the message including at least;
a delegation token;
a signature of a combination of said delegation token and a secret key; and
an encrypted version of said secret key. - View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
-
48. Data processing apparatus configured for delegation to a second data processor, the apparatus comprising:
-
a data memory operable to store data to be processed;
an instruction memory storing processor implementable instructions; and
a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to;
send a delegation token to said second processor, said delegation token including information relating to a delegation request;
receive a reply from said second processor, said reply including information for determining acceptance of delegation represented by said delegation token by said second processor; and
send a signature to said second processor responsive to said reply, said signature comprising a signature of at least said delegation token.
-
-
49. Data processing apparatus configured for accepting delegation from a delegating data processor, the apparatus comprising:
-
a data memory operable to store data to be processed;
an instruction memory storing processor implementable instructions; and
a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to;
receive a delegation token from said delegating processor, said delegation token including information relating to a delegation request;
generate a reply for said delegating processor, said reply including at least a delegation verification key comprising one key of a pair of keys, the other key of which comprises a delegation signing key, said delegation signing key being a key usable to generate a signature for a message from the data processing apparatus, said delegation verification key being usable to verify said signature; and
send said reply to said delegating processor to confirm acceptance of said delegation.
-
-
50. A data processor configured to request a service from an end point data processor when in a chain of delegate data processors, the chain having a length of at least one, the data processor comprising:
-
a data memory operable to store data to be processed;
an instruction memory storing processor implementable instructions; and
a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to send a request to said end point processor, said request comprising;
a set of delegation tokens, one from each delegate processor in said chain, each said delegation token including information relating to a delegation request;
a set of delegation token signatures, one from each delegate processor in said chain, each comprising a respective delegate entity signature of a respective said delegation token; and
service request data.
-
Specification