FACILITATING GROUP ACCESS CONTROL TO DATA OBJECTS IN PEER-TO-PEER OVERLAY NETWORKS

US 20130007442A1
Filed: 06/30/2011
Published: 01/03/2013
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A group administrator peer node, comprising:

a communications interface adapted to facilitate communication on a peer-to-peer overlay network;

a storage medium including a private key and public key pair associated with the group administrator peer node; and

a processing circuit coupled to the communications interface and the storage medium, the processing circuit adapted to;

create a peer group, the group defining one or more peer nodes as members of the group; and

assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are provided for facilitating group access controls in peer-to-peer or other similar overlay networks. A group administrator may create a group in the overlay network and may assign peer-specific certificates to each member of the group for indicating membership in the group. A group member peer node can access data objects in the overlay network using its respective peer-specific certificate to authenticate itself as a group member. The authentication is performed by another peer node in the network. The validating peer node can authenticate that the group member is the rightful possessor of the peer-specific certificate using a public key associated with the peer node to which the peer-specific certificate was issued. The validating peer node can also validate that the peer-specific certificate was properly issued to the group member using a public key of the apparatus that issued the peer-specific certificate.

85 Citations

View as Search Results

41 Claims

1. A group administrator peer node, comprising:
- a communications interface adapted to facilitate communication on a peer-to-peer overlay network;
  
  a storage medium including a private key and public key pair associated with the group administrator peer node; and
  
  a processing circuit coupled to the communications interface and the storage medium, the processing circuit adapted to;
  
  create a peer group, the group defining one or more peer nodes as members of the group; and
  
  assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The group administrator peer node of claim 1, wherein the storage medium further includes a node certificate for the group administrator peer node issued by a trusted authority or self-signed by the group administrator peer node.
  - 3. The group administrator peer node of claim 1, wherein the peer-specific certificate further includes a public key associated with the group member peer node.
  - 4. The group administrator peer node of claim 1, wherein the peer-specific certificate is adapted to authenticate the group membership of the group member peer node to other peer nodes in the peer-to-peer overlay network on verification of the group member peer node using a public key associated with the group member peer node, and on verification of the peer-specific certificate using a public key associated with the identity of the issuing apparatus in the peer-specific certificate.
  - 5. The group administrator peer node of claim 1, wherein the processing circuit is further adapted to:
    - issue a peer-specific group certificate to the group member peer node, the peer-specific group certificate including the group identity, the identity of the group member peer node, an identity of the group administrator peer node and a signature by the private key of the group administrator peer node over one or more components of the peer-specific group certificate.
  - 6. The group administrator peer node of claim 5, wherein the processing circuit is adapted to issue the peer-specific group certificate to the group member peer node by:
    - generating the peer-specific group certificate for the group member peer node; and
      
      sending the peer-specific group certificate to the group member peer node via the communications interface.
  - 7. The group administrator peer node of claim 5, wherein the processing circuit is further adapted to:
    - generate a group token signed with the private key of the group administrator peer node; and
      
      store the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate;
      
      wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
  - 8. The group administrator peer node of claim 1, wherein the processing circuit is adapted to assign the peer-specific certificate to the group member peer node by sending a request to a trusted authority to issue a peer-specific node certificate to the group member peer node, the peer-specific node certificate including the group identity, the identity of the group member peer node, an identity of the trusted authority and a signature by a private key of the trusted authority over one or more components of the peer-specific node certificate.

9. A method operational in a group administrator peer node, comprising:
- obtaining a public and private key pair associated with the group administrator peer node;
  
  creating a peer group in a peer-to-peer overlay network, the group defining one or more peer nodes that are members of the group; and
  
  assigning a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the peer-specific certificate further includes a public key associated with the group member peer node.
  - 11. The method of claim 9, wherein the peer-specific certificate is adapted to authenticate the group membership of the group member peer node to other peer nodes in the peer-to-peer overlay network on verification of the group member peer node using a public key associated with the group member peer node, and on verification of the peer-specific certificate using a public key associated with the identity of the issuing apparatus in the peer-specific certificate.
  - 12. The method of claim 9, wherein assigning the peer-specific certificate to the group member peer node comprises:
    - issuing a peer-specific group certificate to the group member peer node, the peer-specific group certificate including the group identity, the identity of the group member peer node, an identity of the group administrator peer node and a signature by the private key of the group administrator peer node over one or more components of the peer-specific group certificate.
  - 13. The method of claim 12, wherein issuing the peer-specific group certificate to the group member peer node, comprises:
    - generating the peer-specific group certificate for the group member peer node; and
      
      sending the peer-specific group certificate to the group member peer node.
  - 14. The method of claim 12, further comprising:
    - generating a group token that is signed by the private key of the group administrator peer node; and
      
      storing the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate;
      
      wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
  - 15. The method of claim 9, wherein assigning the peer-specific certificate to the group member peer node comprises:
    - sending a request to a trusted authority to issue a peer-specific node certificate to the group member peer node, the peer-specific node certificate including the group identity, the identity of the group member peer node, an identity of the trusted authority and a signature by a private key of the trusted authority over one or more components of the peer-specific node certificate.

16. A group administrator peer node, comprising:
- means for obtaining a public and private key pair associated with the group administrator peer node;
  
  means for creating a peer group in a peer-to-peer overlay network, the group defining one or more peer nodes that are members of the group; and
  
  means for assigning a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate.
- View Dependent Claims (17)
- - 17. The group administrator peer node of claim 16, further comprising:
    - means for generating a group token that is signed by the private key of the group administrator peer node; and
      
      means for storing the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific certificate;
      
      wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue a peer-specific group certificate to the group member peer node.

18. A processor-readable medium comprising instructions operational on a group administrator peer node, which when executed by a processor causes the processor to:
- obtain a public and private key pair associated with the group administrator peer node;
  
  create a peer group in a peer-to-peer overlay network, the group defining one or more peer nodes that are members of the group; and
  
  assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate.
- View Dependent Claims (19)
- - 19. The processor-readable medium of claim 18, further comprising instructions, which when executed by the processor cause the processes to:
    - generate a group token that is signed by the private key of the group administrator peer node; and
      
      store the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate;
      
      wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.

20. A group member peer node, comprising:
- a communications interface adapted to facilitate communication on a peer-to-peer overlay network;
  
  a storage medium including a private key and a public key pair associated with the group member peer node; and
  
  a processing circuit coupled to the communications interface and the storage medium, the processing circuit adapted to;
  
  receive via the communications interface a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  send via the communications interface the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  send via the communications interface authentication data to the validating peer node, the authentication data being signed using the private key associated with the group member peer node.
- View Dependent Claims (21, 22, 23)
- - 21. The peer node of claim 20, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node by verification of the signed authentication data using the public key associated with the group member peer node, and by verification of the peer-specific group certificate using a public key associated with the group administrator peer node.
  - 22. The peer node of claim 20, wherein the group identity in the peer-specific group certificate is adapted to locate a group token stored in the peer-to-peer overlay network as a data object identified by the group identity, where the group token is adapted to authenticate that the group administrator peer node was authorized to issue and sign the peer-specific group certificate.
  - 23. The peer node of claim 20, wherein the processing circuit is further adapted to:
    - send a request for group membership to the group administrator peer node, wherein the peer-specific group certificate is issued by the group administrator peer node in response to sending the request.

24. A method operational in a group member peer node, comprising:
- obtaining a public and private key pair associated with the group member peer node;
  
  receiving a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  sending the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  sending authentication data to the validating peer node, the authentication data being signed using the private key associated with the group member peer node.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node by verification of the signed authentication data using the public key associated with the group member peer node, and by verification of the peer-specific certificate using a public key associated with the group administrator peer node.
  - 26. The method of claim 24, wherein receiving the peer-specific group certificate including the group identity comprises:
    - receiving the peer-specific group certificate including a group identity adapted to locate a group token stored in the peer-to-peer overlay network as a data object identified by the group identity, where the group token is adapted to authenticate that the group administrator peer node was authorized to issue and sign the peer-specific group certificate.
  - 27. The method of claim 24, further comprising:
    - sending a request for group membership to the group administrator peer node, wherein the peer-specific group certificate is issued by the group administrator peer node in response to sending the request.

28. A group member peer node, comprising:
- means for obtaining a public and private key pair associated with the group member peer node;
  
  means for receiving a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  means for sending the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  means for sending authentication data to the validating peer node, the authentication data being signed using the private key of the group member peer node.

29. A processor-readable medium comprising instructions operational on a group member peer node, which when executed by a processor causes the processor to:
- obtain a public and private key pair associated with the group member peer node;
  
  receive a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  send the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  send authentication data to the validating peer node, the authentication data being signed using the private key of the group member peer node.

30. A validating peer node, comprising:
- a communications interface adapted to facilitate communication on a peer-to-peer overlay network;
  
  a processing circuit coupled to the communications interface, the processing circuit adapted to;
  
  receive via the communications interface a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  obtain a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  verify the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  verify the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (31, 32, 33)
- - 31. The peer node of claim 30, wherein the processing circuit is adapted to:
    - obtain the public key associated with the group administrator peer node from a node certificate of the group administrator peer node, wherein the node certificate includes the public key associated with the group administrator peer node, an identity of a trusted authority and a signature by a private key of the trusted authority.
  - 32. The peer node of claim 30, wherein the processing circuit is further adapted to:
    - receive via the communications interface authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      verify the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network using the identity of the group member peer node in the peer-specific group certificate.
  - 33. The peer node of claim 30, further comprising:
    - a storage medium coupled to the processing circuit, the storage medium including a data object which the group member peer node is requesting to access as a member of the group.

34. A method operational in a validating peer node, comprising:
- receiving a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  obtaining a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  verifying the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  verifying the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (35, 36, 37)
- - 35. The method of claim 34, further comprising:
    - obtaining the public key associated with the group administrator peer node from a node certificate of the group administrator peer node, wherein the node certificate of the group administrator peer node includes the public key associated with the group administrator peer node, an identity of a trusted authority and a signature by a private key of the trusted authority over one or more components of the node certificate.
  - 36. The method of claim 34, further comprising:
    - receiving authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      verifying the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network.
  - 37. The method of claim 34, further comprising:
    - receiving a request from the group member peer node to access a data object stored at the validating peer node, wherein access to the data object is restricted to group members.

38. A validating peer node, comprising:
- means for receiving a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  means for obtaining a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  means for verifying the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  means for verifying the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (39)
- - 39. The validating peer node of claim 38, further comprising:
    - means for receiving authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      means for verifying the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network.

40. A processor-readable medium comprising instructions operational on a validating peer node, which when executed by a processor causes the processor to:
- receive a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  obtain a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  verify the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  verify the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (41)
- - 41. The processor-readable medium of claim 40, further comprising instruction, which when executed by the processor, cause the processor to:
    - receive authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      verify the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Mao, Yinian, Narayanan, Vidya, Swaminathan, Ashwin

Granted Patent

US 8,874,769 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 67/1044   Group management mechanisms...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

FACILITATING GROUP ACCESS CONTROL TO DATA OBJECTS IN PEER-TO-PEER OVERLAY NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

FACILITATING GROUP ACCESS CONTROL TO DATA OBJECTS IN PEER-TO-PEER OVERLAY NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links