Methods and apparatus for identity and role management in communication networks

US 20070220591A1
Filed: 03/14/2006
Published: 09/20/2007
Est. Priority Date: 03/14/2006
Status: Active Grant

First Claim

Patent Images

1. A method for identity and role management in a communication network, the method comprising associating an entity with a key;

associating the entity with a role;

associating the key and the role with a signature; and

enabling the key, the role and the signature to be accessed through the communication network based on an identity of the entity.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for identity and role management in communication networks are disclosed. An example method for identity and role management in a communication network associates an entity with a key, associates the entity with a role, associates the key and the role with a signature, and enables the key, the role and the signature to be accessed through the communication network based on an identity of the entity.

58 Citations

View as Search Results

102 Claims

1. A method for identity and role management in a communication network, the method comprising associating an entity with a key;
- associating the entity with a role;
  
  associating the key and the role with a signature; and
  
  enabling the key, the role and the signature to be accessed through the communication network based on an identity of the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A method as defined in claim 1 wherein the entity comprises one of a network user or a network domain.
  - 3. A method as defined in claim 1 wherein the key is a public key for use with an encryption algorithm.
  - 4. A method as defined in claim 1 wherein the role corresponds to at least one of a position or a function associated with at least one of a network domain or a community of entities.
  - 5. A method as defined in claim 4 wherein the network domain corresponds to a business organization and the community of entities corresponds to a plurality of entities that belong to a plurality of network domains.
  - 6. A method as defined in claim 1 wherein the role is associated with a plurality of entities.
  - 7. A method as defined in claim 1 wherein associating the key and the role with the signature comprises generating the signature based on the key and the role.
  - 8. A method as defined in claim 7 wherein the key is a first key and generating the signature comprises encrypting the first key and the role based on a second key.
  - 9. A method as defined in claim 8 wherein the first key and the second key comprise, respectively, a public key and a private key for use with an encryption algorithm.
  - 10. A method as defined in claim 8 wherein the second key is associated with at least one of the entity, a domain to which the entity belongs or a community to which the entity belongs.
  - 11. A method as defined in claim 8 wherein encrypting the first key and the role based on the second key comprises:
    - concatenating the first key and the role to determine a concatenation result;
      
      processing the concatenation result with a hash function to determine a hash result; and
      
      processing the hash result with an encryption algorithm based on the second key.
  - 12. A method as defined in claim 11 wherein the hash function comprises at least one of a message digest algorithm or a secure hash standard algorithm.
  - 13. A method as defined in claim 11 wherein the encryption algorithm comprises at least one of a digital signature algorithm or an RSA algorithm.
  - 14. A method as defined in claim 1 wherein enabling the key, the role and the signature to be accessed through the communication network based on the identity of the entity comprises publishing a resource record group comprising the key, the role and the signature in a name server communicatively coupled to the communication network, wherein the resource record group is associated with the identity.
  - 15. A method as defined in claim 14 wherein the name server comprises a domain name system server.
  - 16. A method as defined in claim 14 wherein the name server comprises one of a plurality of name servers and the identity is uniquely associated with the name server.
  - 17. A method as defined in claim 14 wherein the identity comprises at least one of an email address, a domain name, a network address or an instant messaging identity.
  - 18. A method as defined in claim 14 further comprising obfuscating the identity of the entity prior to publishing the resource record group in the name server.
  - 19. A method as defined in claim 1 wherein enabling the key, the role and the signature to be accessed through the communication network based on the identity of the entity comprises updating a resource record group comprising the key, the role and the signature in a name server communicatively coupled with the communication network, wherein the resource record group is associated with the identity.
  - 20. A method as defined in claim 1 wherein the role is a first role and further comprising:
    - associating the entity with the second role;
      
      associating the second role with the signature; and
      
      enabling the key, the first role, the second role and the signature to be accessed through the communication network based on the identity of the entity.
  - 21. A method as defined in claim 1 wherein the signature is a first signature and further comprising:
    - associating the key and the role with a second signature; and
      
      enabling the key, the role, the first signature and the second signature to be accessed through the communication network based on the identity of the entity.

22-41. -41. (canceled)

42. An article of manufacture storing machine readable instructions which, when executed, cause a machine to:
- associate an entity with a key;
  
  associate an entity with a role;
  
  associate the key and the role with a signature; and
  
  enable the key, the role and the signature to be accessed through a communication network based on the identity of the entity.
- View Dependent Claims (45, 46, 47, 49)
- - 45. An article of manufacture as defined in claim 42 wherein the machine readable instructions, when executed, further cause the machine to generate the signature based on the key and the role.
  - 46. An article of manufacture as defined in claim 45 wherein the key is a first key and the machine readable instructions, when executed, further cause the machine to generate the signature by encrypting the first key and the role based on a second key.
  - 47. An article of manufacture as defined in claim 46 wherein the first key and the second key comprise, respectively, a public key and a private key for use with an encryption algorithm.
  - 49. An article of manufacture as defined in claim 46 wherein the machine readable instructions, when executed, further cause the machine to generate the signature by:
    - concatenating the first key and the role to determine a concatenation result;
      
      processing the concatenation result with a hash function to determine a hash result; and
      
      processing the hash result with an encryption algorithm having the second key as an input.

43-44. -44. (canceled)

48. (canceled)

50-62. -62. (canceled)

63. An identity manager for identity and role management in a communication network, the identity manager comprising a role manager configured to determine a role to associate with an entity;
- a credential manager configured to;
  
  associate a key with the entity; and
  
  associate a signature with the key and the role; and
  
  an identity publisher configured to publish a resource record group comprising the key, the role and the signature, wherein the resource record group is accessible over the communication network based on an identity of the entity.
- View Dependent Claims (64, 67, 68, 69, 70, 71, 72, 73, 75, 76, 77, 79)
- - 64. An identity manager as defined in claim 63 wherein the identity publisher is further configured to publish the resource record group in a name server communicatively coupled to the communication network.
  - 67. An identity manager as defined in claim 63 further comprising an identity updater configured to update at least one of the key, the role or the signature included in the resource record group.
  - 68. An identity manager as defined in claim 63 further comprising an identity obfuscator configured to obfuscate the identity and associate the resource record group with the obfuscated identity.
  - 69. An identity manager as defined in claim 68 wherein the identity obfuscator is configured to obfuscate the identity by processing the identity with a hash function.
  - 70. An identity manager as defined in claim 63 further comprising an identity invalidator configured is to inhibit access to the resource record group over the communication network.
  - 71. An identity manager as defined in claim 70 wherein the identity invalidator is configured to inhibit access to the resource record group over the communication network by removing the resource record group from a name server communicatively coupled to the communication network.
  - 72. An identity manager as defined in claim 63 wherein the signature is a first signature and further comprising a key replacer configured to determine a second signature to replace the first signature.
  - 73. An identity manager as defined in claim 72 wherein the key is a first key and the first signature and the second signature are associated with a network domain to which the entity belongs, and wherein the key replacer is further configured to replace the first signature with the second signature when a second key associated with the network domain is replaced with a third key.
  - 75. An identity manager as defined in claim 63 wherein the credential manager is further configured to generate the signature based on the key and the role.
  - 76. An identity manager as defined in claim 75 wherein the key is a first key and the credential manager is further configured to generate the signature by encrypting the first key and the role based on a second key.
  - 77. An identity manager as defined in claim 76 wherein the first key and the second key comprise, respectively, a public key and a private key for use with an encryption algorithm.
  - 79. An identity manager as defined in claim 76 wherein the credential manager is further configured to encrypt the first key and the role based on the second key by:
    - concatenating the first key and the role to determine a concatenation result;
      
      processing the concatenation result with a hash function to determine a hash result; and
      
      processing the hash result with an encryption algorithm based on the second key.

65-66. -66. (canceled)

74. (canceled)

78. (canceled)

80-94. -94. (canceled)

95. A system comprising:
- a communication network;
  
  a name server communicatively coupled to the communication network and configured to associate a plurality of identities and a plurality roles associated with a plurality of entities in the communication network;
  
  an identity manager communicatively coupled to at least one of the communication network or the name server and configured to manage the plurality of identities and the plurality roles associated with the plurality of entities; and
  
  an authentication processor communicatively coupled to the communication network and configured to authenticate an identity and a role associated with an entity.
- View Dependent Claims (99, 101)
- - 99. A system as defined in claim 95 wherein the name server is configured to serve a plurality of resource record groups comprising the plurality roles and associated with the plurality of identities.
  - 101. A system as defined in claim 95 wherein the identity manager is configured to determine a plurality of signatures associated with the plurality of entities and based on the plurality of roles and at least one key.

96-98. -98. (canceled)

100. (canceled)

102-114. -114. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
IBM International Group BV (International Business Machines Corporation)
Inventors
Damodaran, Suresh, Leitheiser, Greg

Granted Patent

US 7,992,194 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 63/0823   using certificates cryptogr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/321   involving a third party or ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Methods and apparatus for identity and role management in communication networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

102 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for identity and role management in communication networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

102 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others