Methods and systems for flexible delegation

US 20040073801A1
Filed: 08/06/2003
Published: 04/15/2004
Est. Priority Date: 10/14/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method comprising:

sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request;

receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity; and

sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention generally relates to methods, systems and computer program code for flexible but secure delegation, particularly where a chain of accountability is required in a system where trust is delegated.

A method of delegation is described, for delegating from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another. The method comprises sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request; receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity; and sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token.

Citations

50 Claims

1. A method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method comprising:
- sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request;
  
  receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity; and
  
  sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 14, 15, 16, 17, 18, 41, 42, 45, 47)
- - 2. A method as claimed in claim 1 wherein said reply includes a signature of said second entity, the method further comprising verifying said second entity signature prior to responding to said reply.
  - 3. A method as claimed in claim 2 wherein said second entity signature comprises a signature of at least said delegation token.
  - 4. A method as claimed in claim 1 wherein said reply includes a delegation verification key, and wherein said signature comprises a signature of said delegation token and said delegation verification key.
  - 5. A method as claimed in claim 4 wherein said reply includes a signature of said second entity, the method further comprising verifying said second entity signature prior to responding to said reply.
  - 6. A method as claimed in claim 5 wherein said second entity signature comprises a signature of at least said delegation token.
  - 7. A method as claimed in claim 6 wherein said delegation verification key comprises one key of a pair of keys, the other key of which comprises a delegation signing key, and wherein said reply includes a signature of said delegation verification key generated with said delegation signing key.
  - 8. A method as claimed in claim 1 wherein said sending of said delegation token from said first to said second entity further comprises sending a first entity signature of at least said delegation token.
  - 9. A method as claimed in claim 1 wherein one or both of said delegation token sending and said delegation token signature sending include sending timestamp and/or nonce data for validation by said second entity.
  - 10. A method as claimed in claim 1 wherein said receiving includes receiving timestamp and/or nonce data from said second entity, the method further comprising validating said received timestamp and/or nonce data, and wherein said delegation token signature sending is responsive to said validating.
  - 14. A method of secure cascaded delegation, the method including implementing the method of claim 1 to delegate from said first to said second entity, the method further comprising delegating from said second entity to a third data processing entity by:
    - sending a second delegation token from said second to said third entity;
      
      receiving a reply from said third entity at said second entity, said reply including information for determining acceptance of delegation represented by said delegation token by said third utility; and
      
      sending from said second entity to said third entity, responsive to said reply from said third entity, a second entity delegation token signature comprising a signature of said second delegation token by said second entity, said delegation token from said first entity, and said signature of said delegation token from said first entity.
  - 15. A method of secure cascaded delegation, the method including implementing the method of claim 2 to delegate from said first to said second entity, the method further comprising delegating from said second entity to a third data processing entity by:
    - sending a second delegation token from said second to said third entity;
      
      receiving a reply from said third entity at said second entity, said reply including information for determining acceptance of delegation represented by said delegation token by said third utility; and
      
      sending from said second entity to said third entity, responsive to said reply from said third entity, a second entity delegation token signature comprising a signature of said second delegation token by said second entity, said delegation token from said first entity, and said signature of said delegation token from said first entity, and further comprising;
      
      sending from said second entity to said third entity, responsive to said reply from said third entity, said second entity delegation verification key.
  - 16. A method as claimed in claim 15 further comprising sending from said second entity to said third entity, responsive to said reply from said third entity, a signature for said second entity delegation token signature verifiable using said second entity delegation verification key.
  - 17. A method as claimed in claim 14 extended to delegate to a fourth or further data processing entity.
  - 18. A method of secure multicast delegation comprising implementing a method as claimed in claim 1 for delegation from said first entity to a plurality of said second entities each in bi-directional communication with said first entity, and wherein said sending and receiving is implemented between said first entity and each of said second entities.
  - 41. Processor control code to, when running, implement a method according to claim 1.
  - 42. A carrier carrying processor control code to, when running, implement a method according to claim 1.
  - 45. A data processing entity configured to implement a method as claimed in claim 1.
  - 47. A data processing system configured to implement the method of claim 14.

11. A method of flexible delegation comprising:
- implementing a method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method of delegation comprising sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request, receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity, and sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token;
  
  determining a desired level of security; and
  
  selecting optional additional information to be included in said sending and receiving responsive to said determining, wherein said additional information is selected from at least one of;
  
  a delegation verification key, a signature of said delegation token and a delegation verification key;
  
  a signature of said first entity;
  
  a signature of said second entity;
  
  a signature of said delegation token;
  
  a signature of a delegation verification key;
  
  timestamp data; and
  
  nonce data.

12. A method of flexible delegation comprising:
- implementing a method of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bidirectional communication link with one another, the method of delegation comprising sending a delegation token from said first entity to said second entity, said delegation token including information relating to a delegation request, receiving a reply from said second entity at said first entity, said reply including information for determining acceptance of delegation represented by said delegation token by said second entity, and sending a signature from said first entity to said second entity responsive to said reply, said signature comprising a signature of at least said delegation token;
  
  determining a desired level of security; and
  
  selecting optional additional information to be included in said sending and receiving responsive to said determining.
- View Dependent Claims (13)
- - 13. A method of flexible delegation as claimed in claim 12 wherein said selecting of said optional additional information comprises selecting;
    - optional additional information for sending with said delegation token comprising a PKI signature of said first entity; and
      
      /or optional additional information for receiving with said reply comprising one or more of;
      
      a delegation verification key comprising one of a pair of keys held by said second entity, a PKI signature of said second entity, and data signed by the other of said pair of keys.

19. A method of confining acceptance of delegation from a first data processing entity to a second data processing entity, said first and second entities having a bi-directional communication link with one another, the method comprising:
- receiving a delegation token from said first entity, said delegation token including information relating to a delegation request;
  
  generating a reply for said first entity, said reply including at least a delegation verification key comprising one key of a pair of keys, the other key of which comprises a delegation signing key, said delegation signing key being a key usable to generate a signature for a message from said second entity, said delegation verification key being usable to verify said signature; and
  
  sending said reply to said first entity to confirm acceptance of said delegation.
- View Dependent Claims (20, 21, 43, 44, 46)
- - 20. A method as claimed in claim 19 wherein said reply includes a signature of said delegation verification key generated with said delegation signing key.
  - 21. A method as claimed in claim 19 wherein said reply includes a signature of said delegation token by said second entity.
  - 43. Processor control code to, when running, implement a method according to claim 19.
  - 44. A carrier carrying processor control code to, when running, implement a method according to claim 19.
  - 46. A data processing entity configured to implement a method as claimed in claim 19.

22. A method of requesting a service, by a delegate data processing entity in a chain of delegate data processing entities of length at least one, from an end point data processing entity, the method comprising sending a request from said delegate entity to said end point entity, said request comprising:
- a set of delegation tokens, one from each delegate entity in said chain, each said delegation token including information relating to a delegation request;
  
  a set of delegation token signatures, one from each delegate entity in said chain, each comprising a respective delegate entity signature of a respective said delegation token; and
  
  service request data.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. A method as claimed in claim 22, said request further comprising a public key infrastructure (PKI) signature of at least said service request data, the method further comprising signing said service request data with a private key of a PKI key pair of said delegate entity sending said request data to said end point entity.
  - 24. A method as claimed in claim 22, wherein each said delegation token signature comprises a signature of both a said delegation token and an associated delegation token verification key, said request further comprising a set of said delegation verification keys, one from each delegate entity in said chain.
  - 25. A method as claimed in claim 24 wherein a said delegation verification key comprises one key of a pair of keys, the other key comprising a delegation signing key, and wherein said request further comprises a signature of at least said service request data generated using a delegation signing key associated with said delegate utility sending said request data to said end point, the method further comprising signing said service request data using said delegation signing key.
  - 26. A method as claimed in claim 23, wherein each said delegation token signature comprises a signature of both a said delegation token and an associated delegation token verification key, said request further comprising a set of said delegation verification keys, one from each delegate entity in said chain.
  - 27. A method as claimed in claim 26 wherein a said delegation verification key comprises one key of a pair of keys, the other key comprising a delegation signing key, and wherein said request further comprises a signature of at least said service request data generated using a delegation signing key associated with said delegate utility sending said request data to said end point, the method further comprising signing said service request data using said delegation signing key.

28. A method of delegating from a first data processing entity to a second data processing entity using a delegation protocol, said delegation protocol including sending a signed delegation token from said first to said second entity said signed delegation token comprising a signature of a delegation token and of a key received from said second entity by said first entity.
- View Dependent Claims (29)
- - 29. A method as claimed in claim 28 further comprising:
    - determining at least one security parameter for said delegating; and
      
      increasing the security of said sending in response to a result of said determining.

30. A method of delegating from a first data processing entity to a second delegation protocol entity, the method comprising:
- sending a message from said first to said second entity, the message including at least;
  
  a delegation token;
  
  a signature of a combination of said delegation token and a secret key; and
  
  an encrypted version of said secret key.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. A method as claimed in claim 30 wherein said signature allows recovery of a message which was signed, and wherein said delegation token and said encrypted secret key are provided within said signature.
  - 32. A method as claimed in claim 30 wherein said secret key comprises a private key for an asymmetric cryptographic algorithm.
  - 33. A method as claimed in claim 32 wherein said message includes a key pair for an asymmetric cryptographic algorithm, said key pair including said secret key.
  - 34. A method as claimed in claim 30 wherein said secret key comprises a shared secret key for a symmetric cryptographic algorithm.
  - 35. A method as claimed in claim 34 further comprising generating said secret key prior to said sending.
  - 36. A method as claimed in claim 30 wherein said secret key comprises a shared secret key for a symmetric cryptographic algorithm, and wherein said encrypted version of said secret key is encrypted using a public key of said second entity.
  - 37. A method as claimed in claim 30 further comprising:
    - determining at least one security parameter for said delegating; and
      
      increasing the security of said sending in response to a result of said determining.
  - 38. A method as claimed in claim 37 wherein said at least one security parameter includes a parameter indicating a level of security of a communications medium employed for sending said message.
  - 39. A method as claimed in claim 37 wherein said at least one security parameter includes a parameter indicating a level of trustworthiness of said second entity.
  - 40. A method as claimed in claim 37 wherein said determining is performed automatically.

48. Data processing apparatus configured for delegation to a second data processor, the apparatus comprising:
- a data memory operable to store data to be processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to;
  
  send a delegation token to said second processor, said delegation token including information relating to a delegation request;
  
  receive a reply from said second processor, said reply including information for determining acceptance of delegation represented by said delegation token by said second processor; and
  
  send a signature to said second processor responsive to said reply, said signature comprising a signature of at least said delegation token.

49. Data processing apparatus configured for accepting delegation from a delegating data processor, the apparatus comprising:
- a data memory operable to store data to be processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to;
  
  receive a delegation token from said delegating processor, said delegation token including information relating to a delegation request;
  
  generate a reply for said delegating processor, said reply including at least a delegation verification key comprising one key of a pair of keys, the other key of which comprises a delegation signing key, said delegation signing key being a key usable to generate a signature for a message from the data processing apparatus, said delegation verification key being usable to verify said signature; and
  
  send said reply to said delegating processor to confirm acceptance of said delegation.

50. A data processor configured to request a service from an end point data processor when in a chain of delegate data processors, the chain having a length of at least one, the data processor comprising:
- a data memory operable to store data to be processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to send a request to said end point processor, said request comprising;
  
  a set of delegation tokens, one from each delegate processor in said chain, each said delegation token including information relating to a delegation request;
  
  a set of delegation token signatures, one from each delegate processor in said chain, each comprising a respective delegate entity signature of a respective said delegation token; and
  
  service request data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Inventors
Yeun, Chan Yeob, Kalogridis, Georgios, Clemo, Gary

Application Number

US10/634,813
Publication Number

US 20040073801A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/51   at application loading time...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2151   Time stamp

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 9/32   including means for verifyi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Methods and systems for flexible delegation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for flexible delegation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links