Defending the name space

US 20040255137A1
Filed: 01/08/2004
Published: 12/16/2004
Est. Priority Date: 01/09/2003
Status: Abandoned Application

First Claim

Patent Images

1. A global digital entity identification mean comprising a plurality of identification schemes for personal key storage units or key boxes belonging to the said entity used to contain key data for security means comprise a public cryptographic one etc. The said key data comprises the collection of all relevant information pertaining to the key or keys for the said security means. The said key storage units may have names comprising “

key boxes”

(used in the sequel), “

key containers”

, “

key storages”

, etc., stored in any media, which serves as logical key boxes used in the application domains implicitly or explicitly claimed by this patent.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention is about an global entity oriented declarative authentication and security system that can be used in the present and future internet based distributed applications and services. An entity here refers to an unique object (most likely to be physical or human) or aspect that can hardly be duplicated. The system provides both authentication and security (A & S). It can be used in areas comprising one to one or one to many (OR or AND) content publication or distribution so that maximum granularity of access control is made possible. Examples comprise 1) A & S in messaging or communication (one to one). 2) A & S in publication or distribution or information sharing (one to many(OR)). 3) Secured document escrowing (one to many(AND)). 4) Declarative just in time A & S for web-services. 5) Copyright protection for digital products. 6) Digital cash. 7) Internet based electronic voting system. 8) Witnessed digital legal papers. 9) Support large scale virtualized virtual private network and its applications. 10) etc.

171 Citations

58 Claims

1. A global digital entity identification mean comprising a plurality of identification schemes for personal key storage units or key boxes belonging to the said entity used to contain key data for security means comprise a public cryptographic one etc. The said key data comprises the collection of all relevant information pertaining to the key or keys for the said security means. The said key storage units may have names comprising “
- key boxes”
  
  (used in the sequel), “
  
  key containers”
  
  , “
  
  key storages”
  
  , etc., stored in any media, which serves as logical key boxes used in the application domains implicitly or explicitly claimed by this patent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 58)
- - 2. The method of claim 1, wherein the collection of digital information used in the said identification scheme to identify a key data constitutes one of the digital IDs for the said entity to whom the key data belong.
  - 3. The method of claim 1, wherein the identification scheme comprise an unique global identification number (GID) for a particular key box and a locally unique identification number for a particular personal key data inside the said key box.
  - 4. The method of claim 3, wherein the said GID and possiblly the local id together constitutes one of the digital IDs for the entity to whom the key data (keys and certificate) belong.
  - 5. The method of claim 1 realized in a public cryptographic security system, wherein there are two copies of a public key encapsulated in different forms for a public cryptographic system.
  - 6. The method of dependent claim 5, wherein the first one is a private copy containing the status information of the key pair comprising 1) a list of remote certificate listing sites where the corresponding key certificate is published 2) the key properties 3) whether or not the certificate on the remote site is uptodate, etc.
  - 7. The method of dependent claim 5, wherein the second one is a public copy, or the key certificate. It contains, among others, the entities registered name and the public key, which is digitally protected against modifying.
  - 8. The certificate of dependent claim 7 containing subjective attributes.
  - 9. The attributes of claim 8, wherein a subjective trust factor in key certificates of human entities is used. The private copy of a peer'"'"'s certificate in the local storage of a human entity can be adjusted based on his/her degree of trust of the said certificate and/or the entity behind it. The public copy of entity certificates published in a plurality of public accessible means have a neutral trust value.
  - 10. The certificate of claim 7, wherein anonymous certificates are generated with null or common value replacing the personal information.
  - 11. The method of dependent claim 3, wherein the said GID further comprises forms derived from a 16 byte value and a corresponding hash code and the local id comprising forms that can be derived or mapped from a value at least 2 bits in length.
  - 12. The method of dependent claim 11, wherein the said GID is either produced in a form comprise any characteristics and their derivatives about the entity and/or the environment pertaining to the said entity or in a random form.
  - 13. The method of claim 1 realized in a public cryptographic security system, wherein the said private key is secured in a plurality of ways without saving the selected set of the entity'"'"'s unique characteristics, which are used to access the key boxes and private keys belonging to the said entity.
  - 14. The method of dependent claim 13, wherein two pieces of an entity'"'"'s unique characteristics are used, which are processed to generate two keys using a plurality of algorithms. The said two keys are used in the following ways. (a) Using one of the said key, the hash value of the private key is computed using a plurality of keyed hash functions. (b) The private key is encrypted by one of a plurality of block ciphers using another one of the said keys. (c) The encrypted private key and its keyed hash value are packed in a plurality of means and saved in the private key box with or without a descriptive header preceded.
  - 15. The method of claim 1, wherein the said key box is access controlled by a plurality of means which utilize a key derived from one of the entity'"'"'s unique characteristics, i.e., the hash value of a privately memorized passphrase or other digitizable ones. Either the said key or a value derived from it is used to identify a user cryptographic account of the system or an independent said account identification scheme is used.
  - 16. The method of claim 1, wherein each key box has a backup copy stored in a storage media. The said copy is used to prevent key corruption and/or to facilitate account duplication and synchronization between different copies of the same said cryptographic account.
  - 17. The method of claim 1, wherein there is a protected field in the key box for the private key in which a fail counter is used to record the failed attempts of retrieving any one of the private keys inside the key box.
  - 18. A format for secured messages comprises an major header that contains global identification information of claim 1 about the sender, an encrypted minor header and an encrypted content body. The said major header is either encrypted or not encrypted.
  - 19. The method of claim 18 realized in a public key cryptographic security system, wherein the major header contains the digital ID of a “
    - sender” and
      
      that of zero to a finite number of “
      
      receivers”
      
      used to retrieve the corresponding cryptographic keys and the corresponding certificates. It also includes an document serial number of multiple bytes used to validate the content body. It can further include a maximum length field and other relevant information comprising the date of the production, return and expiration, the header version number, header and document access authorization, content format, etc.
  - 20. The method of claim 18, further includes an encrypted random session key and the initialization vector (IV) used to derive a key for a cipher to encrypt the minor header and the content. The encrypted random session key is processed in steps comprising (a) Encryption by a private key of the “
    - sender”
      
      . (b) Encryption by a sequence of zero to any number of public keys belonging to the corresponding sequence of “
      
      receivers”
      
      , including the zero one.
  - 21. The method of dependent claim 20, wherein the case of (a) Zero encrypting “
    - receiver”
      
      is used to provide public access means to the content. (b) One encrypting “
      
      receiver”
      
      is used to provide private access means to the content. (c) More than one encrypting “
      
      receivers”
      
      is used to provide content escrow means by the group of receivers.
  - 22. The process of providing content template or container services based on dependent claim 19, wherein the return date is used to manage leased or rented said services. It may include the feature that any version of a content can be accessed if the receiver has already acquired the access right for earlier versions of the same content.
  - 23. The method of claim 18, wherein the minor header contains information comprising padding information about the encrypted content and the document serial number of multiple bytes that is used to match the one in the major header and a multi-byte document version number used to identify different versions of updated content. It is encrypted by the session key contained in the major header.
  - 24. The method of dependent claims 20, wherein the key for the cipher used to encrypt the message body is regenerated using a deterministic algorithm seeded by the session key stored in the major header and the data derived from the minor header.
  - 25. The method of claim 18, wherein the content body is formatted in forms comprising (a) The content contains selected secured sections. A selected group of the said sections are each first digitally signed by one or more corresponding entities and then encrypted and the rest of the said sections are encrypted but not digitally signed. The signer for each one of the randomly secured sections can either be different or the same. (b) Block secured sections in which the content is divided into blocks of fixed size (except for the last one). These blocks are first all digitally signed by a single entity and then encrypted or all encrypted without been digitally signed. (c) Stream secured in which a stream cipher is used to secure the content body.
  - 26. The options of dependent claim 25, wherein the sender can be different from the signer or signers.
  - 27. The method of claim 19, wherein there two packing schemes for the message:
    - (a) The major header, the minor header and the content body is stored in a common storage location or transmitted across thread or process boundaries in a sequential order. (b) The major header which is encapsulated into an access token that serves as a secured three ends virtual link is stored separately from the minor header and the content body.
  - 28. A process derived from the method of dependent claim 26, wherein the sender acts as an arbitrator, witness or notary agent for the signing of papers by a group of signers of the said papers, which are prepared in the said random sectioned format.
  - 29. A secured virtual link comprising information about sending, receiving entities and cryptographically processed content, which serves the purpose or realizes the functionality of the major header in claim 18. It is also called access token in the sequel.
  - 30. The method of claim 29, wherein the components of the said virtual link comprise the message major header, the value of a digital signature or hash operation on the said major header and other information, including the URI of the encrypted content.
  - 31. The process based on the method of dependent claim 29, wherein access control scheme is used in providing selected multiple (including one) private access control to a secured content where the security and integrity of the content and the authentication of the sending and receiving entities are assured.
  - 32. The method of dependent claim 31, wherein the escrow mechanism is used to providing additional access channels to guarantee the accessibility of the content.
  - 33. The process based on the method of claim 29, wherein the receiving entity'"'"'s access right is transfered to itself or to a different entity.
  - 34. The method of dependent claim 33, wherein such a mechanism is used in ownership trading activities comprising copyright protected contents, digital cash or its future equivalents, valuable goods trading, etc.
  - 58. The system, process of managing, protecting, distributing, transferring and utilizing digital ownership or any other “
    - rights”
      
      conceivable embodied in the access tokens of claim 29.

35. A crypto-gateway “
- server”
  
  approach to centralized entity cryptographic keys and peer certificates management, cryptographic processing, etc., to provide a mean for establishing a scalable declarative digital identification and authentication system in distributed or centralized applications wherein the “
  
  server”
  
  comprise any hardware or virtual devices, operation systems virtual or not, systems, software collections, etc. that processes requests either in a serialized or concurrent fashion with control means comprise monolithic, micro-kerneled, centralized, distributed, etc. The term “
  
  server”
  
  is also used to denote any processes, fibres, jobs, threads running within the client software'"'"'s process or running outside of it or running on a different operating system or on a different hardware platform controlled by the same or different operating system as the one where its clients reside, that serves the purpose of a server. The scope of “
  
  centralization”
  
  is limited to a trusted local area network, a single computer (virtual or not), a group of related fibres, jobs, processes, application domain, or even threads, etc. The said crypto-gateway server communicates with client softwares using a plurality of protocols.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 36. The system of claim 35, further include means of communication with the client software or process using available ones at the time inside an environment that can be considered internal and/or at least partially secure.
  - 37. The system of claim 35, wherein the crypto-gateway server comprises at least one of the following components (a) An extended server component that understand common protocols. In addition it also understand specialized control protocols for the purposes comprising the control of the behaviors of the crypto-gateway server. This component communicate with its client software in the said internal environment. (b) A client proxy component to communicate to the external network for the said client software using common protocols. The client software can be a server, client or both to other softwares inside or outside of the said internal environment. (c) A cryptographic engine serves the purpose of cryptographic processing described above. It contains sub-components comprising any combinations of the following with at least one crypto-graphic channel involved i. Direct pass channel, in which the content is delivered to or from the client proxy without modification. ii. Messaging channel, in which the content is cryptographically processed, packed in whole before passed to the client proxy or received by client software. iii. Streaming channel, in which the content is sent to or received from the client proxy in small chunks during the cryptographic processing. iv. Components used to interact with local and remote key and peer'"'"'s certificate storage or databases according to the control commands of the client software. It can run in the same or different process spaces, the same or different computers (virtual or not), etc., compared to the crypto-gateway server.
  - 38. The dependent claim 37, further include an external server component that understand common protocols that is used to response to requests from external network. The external server component can run in (a) The same process space as the crypto-gateway server. (b) An independent process space as the crypto-gateway server. (c) A different computer or device from the crypto-gateway server.
  - 39. The dependent claim 37, wherein the server component establishes a security session to keep an expirable security state related to the said cryptosystem for each one of the independent instances of a plurality of running client softwares in the said internal environment.
  - 40. The system of claim 35, wherein the media for the distributed application environment comprises the internet, within or across, e.g., intranets, wide area networks or local area networks. The media further include wireless networks that is independent or part of the internet or connected to the internet directly or through gateways.
  - 41. The system of claim 35, wherein crypto-gateway server or/and its components is realized by single or multi-purpose systems comprising (a) Specialized processors, chips, etc. (b) Specialized operating systems based on specialized or common hardware, including smart cards. (c) Any other virtual machine or systems not yet included.
  - 42. The system of dependent claims 37, further include application to copyright protection of digital products, where the digital products comprise (a) Textual, graphical or visual, audio, etc., media. (b) Executables comprise programs, program components, dynamic libraries, assemblies, byte-codes, etc. It can further include data files consumed by the said executables, which are also access controlled using the plurality ways of this invention wherein the data files contain content comprising i. Cryptographic keys of the software. ii. Scripts, compiled intermediate codes, assemblies, dynamic libraries, etc. for the said executables. iii. Initialization data. iv. Any combination of above. (c) Any combination of above.
  - 43. The method of dependent claim 42, wherein the copyright protection is realized by using access tokens which is protected by a plurality of copy management techniques for the said access token.
  - 44. The method of dependent claim 42, wherein the digital products are content container or templates.
  - 45. The system of dependent claims 37, further include application to group collaboration on the internet, which comprise at least one of any combination of the following steps:
    - (a) The project initiator publish an initial set of contents in project servers comprising web-server, ftp-server, etc. (b) The project contents are divided into different portions. (c) The project members are divided into different groups. (d) Each portion is cryptographic processed to generate a set of corresponding crypto-images. (e) For each crypto-image belonging a group, a set of READ only access tokens are issued to each member of the group and some access token with READ &
      
      WRITE authorization are generated. (f) Any WRITE enabled access token has limited numbers, e.g., one. (g) The WRITE enabled access tokens are passed, transferred among members of the group to serve the purpose of content update synchronization lock. (h) For any new contents added in during the development, repeat above process. (i) The member possessing WRITE enabled access tokens has the chance of updating the corresponding portion of the project contents.
  - 46. The system of dependent claim 37, further include application to secure peer to peer data exchange and/or communication across any network connected to the internet, including wireless networks that are independent or part of the internet or connected to the internet directly or through gateways, where entity authentication is required at least for one peer.
  - 47. The method of dependent claim 46, wherein the messaging mean comprise electronic mail system, message queue system, remoting system and their extensions into the wireless network system comprising (a) A real-time peer to peer network system. (b) A supporting or application layer for a secured remote function call infrastructure system. (c) A hybrid of any possible combinations of the said systems and their ramifications. One of the said messaging means is also used as a direct or a relay channel to initiate secured communication.
  - 48. The method of dependent claim 37, further include application to secure web-services using access tokens prepared and distributed by the provider of the said service.
  - 49. The method of dependent claim 48, further include setting up access auditing and filtering subsystems at the access points of the service where three levels of auditing can be performed:
    - (a) Indiscriminative (b) Group granularity and (c) User granularity.
  - 50. The method of dependent claim 48, wherein user and service authentications comprises 1) first time authentication combined with traditional trust based authorization 2) just in time authentication and authorization.
  - 51. The method of dependent claim 48, further includes an external web-server running in a different process or computer from both the crypto-gateway server and the web-service to serve as the first allowed access point of the web-service, where access information logging can be turned on or off. It can also be used to protect the web-service from anonymous denial of service or distributed denial of service attacks by blocking suspicious or abnormal attempts.
  - 52. The system of dependent claim 37, further include application to digital cash used to carry out financial transactions in which the issuer choose to hold a chosen amount of contemporary recognized value or its representation, comprising gold, diamond, paper currency, etc., out of circulation or it/he/she does not choose to do so. The issuer secures digital bills using the separated packing mode for messages (content) of this invention by setting itself as the sender end of the virtual secured link and the digital cash receiver as the receiver end of the same link with the encrypted bill of selected face value as the crypto-image.
  - 53. The method of dependent claim 52, wherein the digital cash is used in an anonymous way or in an semianonymous way in which a group of agents comprise the issuer, its representatives, other authorized agents, etc. assists or monitors the transaction in certain ways.
  - 54. The method of dependent claim 52, further include digital cash escrow activities wherein agents who act as trusted third parties in financial transactions of relatively large quantity. One embodiment is that one of the said agent temporarily hold the digital cash payment for products or services until both sides involved in a transaction, especially the client side, is satisfied or if problems arise, until the problems get settled either between themselves or in the court of law.
  - 55. The system of dependent claim 37, further include a secured peer to peer data exchange and/or communication component, wherein the secured communication channels are used to form a general purpose virtual private network on top of an existing network using a plurality initialization means over the said existing network where the initiator and the acceptor are authenticated and a common block cipher key is set for both peers involved.
  - 56. The method of dependent claim 55, wherein the secured peer to peer communication channels are utilized in a plurality of scenarios comprise (a) Providing a foundation for secured extension of existing remoting infrastructures. (b) Supporting new type of remoting infrastructures. (c) Providing a virtual private channel for delivering a wide variety of real-time data, copyright protected or not.
  - 57. The method of dependent claim 37, further include application to provide a security and management layer for building digital voting system using the technologies of this invention.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shuqian Ying
Original Assignee
Shuqian Ying
Inventors
Ying, Shuqian

Application Number

US10/752,695
Publication Number

US 20040255137A1
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0884   by delegation of authentica...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

Defending the name space

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

58 Claims

Specification

Use Cases

Quick Links

Others

Defending the name space

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

58 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others