System and method for accessing information resources using cryptographic authorization permits

US 20080250253A1
Filed: 04/09/2007
Published: 10/09/2008
Est. Priority Date: 04/09/2007
Status: Active Grant

First Claim

Patent Images

1. A node for an information system, comprising:

a separation kernel (SK) that defines a plurality of partitions on the node, wherein at least one partition has one or more subjects and at least one other partition has one or more resources; and

one or more authorities that each sign a corresponding cryptographic authorization permit (CAP) to authorize a subject in the at least one partition to access a resource in the at least one other partition.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securing information associates a party with a node that communicates messages over one or more channels based on a channel access privilege. One or more authorities sign a cryptographic authorization permit (CAP) to authorize the channel access privilege, which can be a write privilege or a read privilege. In one embodiment, the authorization for the channel access privilege is based on a public key issued by an authority and the CAP comprises a cryptographic certificate digitally signed by the authority.

26 Citations

View as Search Results

20 Claims

1. A node for an information system, comprising:
- a separation kernel (SK) that defines a plurality of partitions on the node, wherein at least one partition has one or more subjects and at least one other partition has one or more resources; and
  
  one or more authorities that each sign a corresponding cryptographic authorization permit (CAP) to authorize a subject in the at least one partition to access a resource in the at least one other partition.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The node of claim 1, wherein the authorization is based on a cryptographic signature made with a private key corresponding to a public key associated with at least one of the one or more authorities.
  - 3. The node of claim 1, wherein the one or more authorities are independent of each other.
  - 4. The node of claim 1, wherein the CAP is based on an X.509 Certificate
  - 5. The node of claim 1, wherein the validity of the CAP is determined in part by the verification of an asymmetric cryptographic signature.
  - 6. The node of claim 5, where the asymmetric cryptographic signature is based on at least one of RSA, DSA, or ECDSA signatures.

7. In an information system, a node associated with one or more channels comprising:
- a partitioning communication system (PCS) that separates the one or more channels from each other;
  
  a separation kernel (SK) running on the node that creates a plurality of partitions, wherein at least one partition on the node communicates messages over the one or more channels based on a channel access privilege; and
  
  one or more authorities that each sign a cryptographic authorization permit (CAP) to authorize the channel access privilege.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The information system of claim 7, wherein the SK creates a PCS-specific partition and at least one application partition, wherein one or more CAPs are stored in the PCS specific partition and the messages are communicated with the at least one application partition via the PCS-specific partition.
  - 9. The information system of claim 7, wherein the authorization for the access privilege is based on a cryptographic signature made with a private key corresponding to a public key associated with at least one of the one or more authorities.
  - 10. The information system of claim 7, wherein the one or more authorities are independent of each other.
  - 11. The information system of claim 7, wherein at least one partition has at least of a subject and a resources, and wherein the node is identified by corresponding node public and private keys issued by at least one of the one or more authorities, and wherein the public and private keys are used as identifiers for at least one of a subject and a resource in a partition.
  - 12. The information system of claim 7, wherein the messages are communicated over the one or more channels based on a shared secret key.
  - 13. The information system of claim 7 wherein the CAP is based on an X.509 Certificate.
  - 14. The information system of claim 7, wherein the validity of the CAP is determined in part by the verification of an asymmetric cryptographic signature.
  - 15. The information system of claim 7, where the cryptographic signature contained in the CAP is based on at least one of RSA, DSA, or ECDSA signatures.

16. A secure information system, comprising:
- a first node that is partitioned by a first separation kernel to a plurality of first partitions and a second node that is partitioned by a second separation kernel to a plurality of second partitions;
  
  one or more channels for communicating messages between the first node and second node;
  
  a partitioning communication system (PCS) that separates the one or more channels from each other, wherein at least one of the plurality of first partitions on the first node communicates messages over the one or more channels based on a first channel access privilege and at least one of the plurality of second partitions on the second node communicates messages over the one or more channels based on a second channel access privilege; and
  
  one or more authorities that each sign a cryptographic authorization permit (CAPs) to authorize the first and second channel access privileges.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The secure information system of claim 16, wherein the authorities are independent of each other.
  - 18. The information system of claim 16 wherein the CAP is based on an X.509 Certificate
  - 19. The information system of claim 16, wherein the validity of the CAP is determined in part by the verification of an asymmetric cryptographic signature.
  - 20. The information system of claim 16, where the cryptographic signature contained in the CAP is based on at least one of RSA, DSA, or ECDSA signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Objective Interface Systems, Inc.
Original Assignee
Objective Interface Systems, Inc.
Inventors
Beckwith, Reynolds William, Chilton, Jeffrey W., Marshall, Jeffrey G.

Granted Patent

US 8,443,191 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 9/006   involving public key infras...

H04L 9/3215   using a plurality of channe...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

System and method for accessing information resources using cryptographic authorization permits

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for accessing information resources using cryptographic authorization permits

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links