Specifying security protocols and policy constraints in distributed systems
Abstract
A recent secure authentication service enforcing revocation in distributed systems is provided. Authenticity entities impose freshness constraints, derived from initial policy assumptions and authentic statements made by trusted intermediaries, in authenticated statements made by intermediaries. If freshness constraints are not presented, authentication is questionable. The freshness constraints can be adjusted. The delay for revocation can be arbitrarily bounded. The freshness constraints within certificates result in a secure and highly available revocation service such that less trust is required of the service.
9 Claims
1. A method for system security in distributed systems, said method comprising the steps of:
a) making authentic statements by trusted intermediaries;
b) deriving freshness constraints from initial policy assumptions and the authentic statements;
c) imposing freshness constraints by employing recent-secure authenticating principals to effect revocation; and
d) verifying that a relation $|t_{\text{now}} - t_{\text{time stamp}}| \leq \delta$ is satisfied for verification of a secure channel, where $t_{\text{time stamp}}$ being a time of a time stamp pertaining to a validity assertion of a particular assertion, $\delta$ being a minimum necessary freshness constraint pertaining to the particular assertion and $t_{\text{now}}$ being the time of verification.

6. A method for enforcing revocation in distributed systems, comprising the steps of:
a) asserting a time stamped validity assertion pertaining to the validity of an initial assertion;
b) asserting freshness constraints indicating a length of time and the initial assertions that the freshness constraints relate; and
c) verifying that a relation $|t_{\text{now}} - t_{\text{time stamp}}| \leq \delta$ is satisfied for each particular assertion necessary for verification of a secure channel, where $t_{\text{time stamp}}$ is a time of a time stamp pertaining to the validity assertion of a particular assertion, $\delta$ being a minimum necessary freshness constraint pertaining to the particular assertion and $t_{\text{now}}$ being the time of verification.

7. A method for protecting an authority of a distinguished principal and enforcing revocation when the authority is compromised, comprising the steps of:
a) issuing an authoritative assertion by a distinguished principal;
b) asserting freshness constraints on the assertion;
c) asserting a time stamped validity assertion to the assertion indicating the validity of the assertion at the time of the time stamp;
d) verifying that a relation $|t_{\text{now}} - t_{\text{time stamp}}| \leq \delta$ is satisfied for each particular assertion necessary for verification of a secure channel, where $t_{\text{time stamp}}$ being the time of a time stamp pertaining to the validity assertion of the particular assertion, $\delta$ being the minimum necessary freshness constraint pertaining to the particular assertion, and $t_{\text{now}}$ being the time of verification.

8. A method for issuing certificates in a system for enforcing revocation in distributed systems, comprising the steps of:
a) issuing certificates for principals within an organization by the organization;
b) asserting, by the organization, a principal authorized as an authority for issuing time stamped certificates;
c) delegating authority for issuing time stamped certificates;
d) asserting freshness constraints on assertions; and
e) verifying that a relation $|t_{\text{now}} - t_{\text{time stamp}}| \leq \delta$ is satisfied for each particular assertion necessary for verification of a secure channel, where $t_{\text{time stamp}}$ being a time of a time stamp pertaining to the validity assertion of a particular assertion, $\delta$ being a minimum necessary freshness constraint pertaining to the particular assertion and $t_{\text{now}}$ being the time of verification.

9. A method for system security in a distributed system network, comprising the steps of:
a) preparing a statement of an assigned revocation authority in a distributed system network in response to a policy, said revocation authority statement being associated with an initial statement;
b) preparing a statement of a freshness constraint period in the distributed system network in response to said policy, said freshness statement being associated with said revocation authority statement;
c) preparing a validity statement at said assigned revocation authority in the distributed system network in response to said policy, said validity statement including a verification status at some temporal reference;
d) providing said revocation authority statement, said freshness statement, and said validity statement to a verification authority in the distributed system network; and
e) selectively verifying said initial statement at said verification authority in response to said initial statement, said revocation authority statement, said freshness statement, and said validity statement.

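The verification step recited in the claims above, as an added sketch that is not part of the patent text: every assertion needed for a channel carries its own freshness constraint δ and must be backed by a time-stamped validity statement from its assigned revocation authority. All class, function and principal names are hypothetical, the sample data is constructed, and the statements are assumed to have been authenticated already (signature checking is out of scope).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    subject: str               # the statement relied on, e.g. a key binding
    revocation_authority: str  # principal assigned to vouch for its validity
    delta: float               # freshness constraint, in seconds

@dataclass(frozen=True)
class ValidityStatement:
    subject: str      # assertion this statement is about
    issuer: str       # principal that made the statement
    valid: bool       # verification status at `timestamp`
    timestamp: float  # time stamp of the validity statement, in seconds

def is_recent_secure(a, v, t_now):
    """True if v vouches for a and |t_now - t_timestamp| <= delta."""
    return (v is not None
            and v.subject == a.subject
            and v.issuer == a.revocation_authority
            and v.valid
            and abs(t_now - v.timestamp) <= a.delta)

def verify_channel(chain, validity, t_now):
    """Return the subjects that fail; the channel verifies only if none do."""
    return [a.subject for a in chain
            if not is_recent_secure(a, validity.get(a.subject), t_now)]

# Constructed sample data: a two-assertion chain with different constraints.
T_NOW = 1_000_000.0
CHAIN = [
    Assertion("org-ca-key", "org-root", delta=86_400),    # one day
    Assertion("alice-key", "org-revocation", delta=300),  # five minutes
]
FRESH = {
    "org-ca-key": ValidityStatement("org-ca-key", "org-root", True, T_NOW - 3_600),
    "alice-key": ValidityStatement("alice-key", "org-revocation", True, T_NOW - 120),
}
# Same chain, but the validity statement for alice-key is 600 s old.
STALE = dict(FRESH, **{"alice-key": ValidityStatement(
    "alice-key", "org-revocation", True, T_NOW - 600)})
# The revocation authority reports alice-key as no longer valid.
REVOKED = dict(FRESH, **{"alice-key": ValidityStatement(
    "alice-key", "org-revocation", False, T_NOW - 10)})

if __name__ == "__main__":
    for name, statements in [("fresh", FRESH), ("stale", STALE), ("revoked", REVOKED)]:
        print(name, verify_channel(CHAIN, statements, T_NOW))
```

A missing validity statement is treated the same as a stale one, so withholding statements from the verifier can delay verification but cannot extend trust beyond δ.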
Specification