Methods and apparatus for secure data communication links
Abstract
This invention generally relates to methods, apparatus and computer program code for secure communication links, in particular where accountability is required.
A method of initialising a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data is described. The method comprises: generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system; encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and sending said encrypted first message from said first system to said second system to initialize said secure communications link.
The method is particularly useful for establishing chains of accountability in systems where trust is delegated.
32 Claims
1. A method of initializing a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data, the method of initializing a secure communication link comprising:
generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;
encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and
sending said encrypted first message from said first system to said second system to initialize said secure communications link.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 20, 21, 27, 28, 29, 30, 31
10. A method of initializing a secure communications chain between first, second and third data processing systems, the method comprising initializing a secure communications link between first and second data processing systems, using a first token comprising a first key and associated first request data, and comprising:
generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;
encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and
sending said encrypted first message from said first system to said second system to initialize said secure communications link, the method of initializing a secure communications chain between first, second and third data processing systems further comprising:
decrypting, at said second system, said encrypted first message;
generating at said second system, a second message comprising said first token and said first authentication data, and a second token and second authentication data, said second token comprising a second key and associated second request data, said second authentication data comprising data generated by operating on at least one of said second key and said second request data with a secret key of said second system;
encrypting said second message using a key known at least to both said second and third data processing systems; and
sending said encrypted second message from said second system to said third system.
Dependent claims: 11, 12, 13, 14, 15
16. A method of initializing a secure chain of communication for a chain of data processing systems, the chain comprising a start data processing system and an end data processing system linked via one or more intermediate data processing systems, the method comprising:
initializing successive links of the chain by successive applications of a method of initializing a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data, the method of initialising a secure communication link comprising:
generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;
encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and
sending said encrypted first message from said first system to said second system to initialize said secure communications link.
Dependent claims: 17, 18, 19
22. A method of establishing a chain of secure communication links between a plurality of data processing machines such that the identity of each successive data processing machine making up the chain is confirmable, the method comprising performing, at each successive data processing machine in the chain after a first machine, the steps of:
receiving from a previous data processing machine in the chain an encrypted message comprising authentication data and a delegation token including a delegation key;
decrypting said encrypted message;
adding to the decrypted message a delegation token and authentication data for said successive data processing machine to form an extended message;
encrypting said extended message; and
forwarding said encrypted extended message to the next machine in the chain;
until an end machine of the chain is reached, whereby said chain of secure communication links is established.
Dependent claims: 23, 24, 25
26. A method as claimed in 22, further comprising generating said authentication data at each successive machine by performing a cryptographic operation on said delegation token.
32. Data processing apparatus comprising:
a data memory operable to store data to be processed;
an instruction memory storing processor implementable instructions; and
a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to:
generate a message comprising a token and authentication data, the token comprising a key and associated request data, the authentication data being generated by operating on at least one of said key and said request data with a secret key of the data processing apparatus;
encrypt said message using a key known to a second data processor to form an encrypted message; and
send said encrypted message to said second data processor to initialize a secure communications link between said data processing apparatus and said second data processor.
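The hop-by-hop procedure of claims 22 and 26 (receive, decrypt, append a delegation token with authentication data, re-encrypt, forward), as an added Python example that is not code from the patent. Assumptions: HMAC-SHA256 stands in for the unspecified "cryptographic operation", an HMAC-based keystream with a tag stands in for the link cipher so that only the standard library is needed, and the JSON layout, all function names and the auditor holding each machine's secret key are hypothetical.

```python
import hashlib, hmac, json, os

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Keystream = HMAC(key, nonce || counter); a stdlib-only stand-in for a real cipher.
    ks = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(link_key, plaintext):
    # Encrypt-then-MAC under the key shared by the two adjacent machines.
    enc_key, tag_key, nonce = _mac(link_key, b"enc"), _mac(link_key, b"tag"), os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + _mac(tag_key, nonce + ct)

def unseal(link_key, blob):
    enc_key, tag_key = _mac(link_key, b"enc"), _mac(link_key, b"tag")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(tag_key, nonce + ct)):
        raise ValueError("link message failed integrity check")
    return _xor_stream(enc_key, nonce, ct)

def make_entry(machine, secret_key, request):
    # Delegation token = fresh delegation key + request data; the authentication
    # data is an HMAC over the token under the machine's own secret key (assumed).
    token = {"key": os.urandom(16).hex(), "request": {"machine": machine, "action": request}}
    auth = _mac(secret_key, json.dumps(token, sort_keys=True).encode()).hex()
    return {"token": token, "auth": auth}

def start_chain(machine, secret_key, request, key_out):
    return seal(key_out, json.dumps([make_entry(machine, secret_key, request)]).encode())

def extend_chain(machine, secret_key, request, key_in, key_out, blob):
    # Receive, decrypt, append own token + authentication data, re-encrypt, forward.
    chain = json.loads(unseal(key_in, blob))
    chain.append(make_entry(machine, secret_key, request))
    return seal(key_out, json.dumps(chain).encode())

def verify_chain(chain, registered_keys):
    # Hypothetical auditor holding each machine's secret key re-derives every entry.
    for entry in chain:
        key = registered_keys[entry["token"]["request"]["machine"]]
        expected = _mac(key, json.dumps(entry["token"], sort_keys=True).encode()).hex()
        if not hmac.compare_digest(expected, entry["auth"]):
            raise ValueError("authentication data does not match token")
    return [entry["token"]["request"]["machine"] for entry in chain]
```

Because every hop keeps the earlier tokens and authentication data in the message, the end machine's decrypted chain names each delegating machine in order, and an entry altered after the fact no longer verifies.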
Specification