Specifying security protocols and policy constraints in distributed systems

US 6,256,741 B1
Filed: 10/13/2000
Issued: 07/03/2001
Est. Priority Date: 04/30/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for system security in distributed systems, said method comprising the steps of:

a) making authentic statements by trusted intermediaries;

b) deriving freshness constraints from initial policy assumptions and the authentic statements;

c) imposing freshness constraints by employing recent-secure authenticating principals to effect revocation; and

d) verifying that a relation |t_now−

t_{time stamp}|≦

δ

is satisfied for verification of a secure channel, where t_{time stamp}being a time of a time stamp pertaining to a validity assertion of a particular assertion, δ

being a minimum necessary freshness constraint pertaining to the particular assertion and t_nowbeing the time of verification.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A recent secure authentication service enforcing revocation in distributed systems is provided. Authenticity entities impose freshness constraints, derived from initial policy assumptions and authentic statements made by trusted intermediaries, in authenticated statements made by intermediaries. If freshness constraints are not presented, authentication is questionable. The freshness constraints can be adjusted. The delay for revocation can be arbitrarily bounded. The freshness constraints within certificates results in a secure and highly available revocation service such that less trust is required of the service.

154 Citations

9 Claims

1. A method for system security in distributed systems, said method comprising the steps of:
- a) making authentic statements by trusted intermediaries;
  
  b) deriving freshness constraints from initial policy assumptions and the authentic statements;
  
  c) imposing freshness constraints by employing recent-secure authenticating principals to effect revocation; and
  
  d) verifying that a relation |t_now−
  
  t_{time stamp}|≦
  
  δ
  
  is satisfied for verification of a secure channel, where t_{time stamp}being a time of a time stamp pertaining to a validity assertion of a particular assertion, δ
  
  being a minimum necessary freshness constraint pertaining to the particular assertion and t_nowbeing the time of verification.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method according to claim 1, wherein said step b) comprises the substep I) of normalizing suffix constraints of the freshness constraint prior to applying other rules.
  - 3. A method according to claim 1, wherein said step c) comprises specifying the time of revocation.
  - 4. A method according to claim 3, wherein said step c) includes trusting principals not to lie when specifying the time of revocation certificates.
  - 5. A method according to claim 4, wherein said step c) further comprises the substep I) of arbitrarily bounding certain revocation by adjusting the freshness constraints.

6. A method for enforcing revocation in distributed systems, comprising the steps of:
- a) asserting a time stamped validity assertion pertaining to the validity of an initial assertion;
  
  b) asserting freshness constraints indicating a length of time and the initial assertions that the freshness constraints relate; and
  
  c) verifying that a relation |t_now−
  
  t_{time stamp}|≦
  
  δ
  
  is satisfied for each particular assertion necessary for verification of a secure channel, where t_{time stamp}is a time of a time stamp pertaining to the validity assertion of a particular assertion, δ
  
  being a minimum necessary freshness constraint pertaining to the particular assertion and t_nowbeing the time of verification.

7. A method for protecting an authority of a distinguished principal and enforcing revocation when the authority is compromised, comprising the steps of:
- a) issuing an authoritative assertion by a distinguished principal;
  
  b) asserting freshness constraints on the assertion;
  
  c) asserting a time stamped validity assertion to the assertion indicating the validity of the assertion at the time of the time stamp;
  
  d) verifying that a relation |t_now−
  
  t_{time stamp}|≦
  
  δ
  
  is satisfied for each particular assertion necessary for verification of a secure channel, where t_{time stamp}being the time of a time stamp pertaining to the validity assertion of the particular assertion, δ
  
  being the minimum necessary freshness constraint pertaining to the particular assertion, and t_nowbeing the time of verification.

8. A method for issuing certificates in a system for enforcing revocation in distributed systems, comprising the steps of:
- a) issuing certificates for principals within an organization by the organization;
  
  b) asserting, by the organization, a principal authorized as an authority for issuing time stamped certificates;
  
  c) delegating authority for issuing time stamped certificates;
  
  d) asserting freshness constraints on assertions; and
  
  e) verifying that a relation |t_now−
  
  t_{time stamp}|≦
  
  δ
  
  is satisfied for each particular assertion necessary for verification of a secure channel, where t_{time stamp}being a time of a time stamp pertaining to the validity assertion of a particular assertion, δ
  
  being a minimum necessary freshness constraint pertaining to the particular assertion and t_nowbeing the time of verification.

9. A method for system security in a distributed system network, comprising the steps of:
- a) preparing a statement of an assigned revocation authority in a distributed system network in response to a policy, said revocation authority statement being associated with an initial statement;
  
  b) preparing a statement of a freshness constraint period in the distributed system network in response to said policy, said freshness statement being associated with said revocation authority statement;
  
  c) preparing a validity statement at said assigned revocation authority in the distributed system network in response to said policy, said validity statement including a verification status at some temporal reference;
  
  d) providing said revocation authority statement, said freshness statement, and said validity statement to a verification authority in the distributed system network; and
  
  e) selectively verifying said initial statement at said verification authority in response to said initial statement, said revocation authority statement, said freshness statement, and said validity statement.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hanger Solutions, LLC (IP Investments Group LLC)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Stubblebine, Stuart Gerald
Primary Examiner(s)
Trammell, James P.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US09/689,859
Time in Patent Office

263 Days
Field of Search

713/200, 713/201, 713/202, 713/150, 713/158, 713/156, 713/166, 713/187, 709/229, 340/825.31, 340/825.34
US Class Current

726/10
CPC Class Codes

G06F 21/33 using certificates

G06F 2221/2151 Time stamp

Specifying security protocols and policy constraints in distributed systems

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

154 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Specifying security protocols and policy constraints in distributed systems

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links