System and method for distributed group management

US 7,185,194 B2
Filed: 05/16/2001
Issued: 02/27/2007
Est. Priority Date: 05/17/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system of distributed group management for indirectly authenticating membership of a user in a group in order to manage security for a client on a client side and a server for executing a remote processing request from the client side under a predetermined authorization assigned for every group, provided with;

a group certificate issuing apparatus for issuing a group certificate on the client side based on original group information including the name of the group to which the related user belongs when there is said remote processing request; and

a group certificate verification unit for verifying a legitimacy of said group certificate transmitted from the client side in said server, whereinsaid group certificate issuing apparatus adds an issuance side processed value obtained by encrypting the information of the original group information by a cryptographic function to the original group information and defines this as the group certificate,said group certificate verification unit processes part of the information included in the received group certificate by an identical cryptographic function to obtain a verification side processed value and performs said authentication by confirming that said issuance side processed value and said verification side processed value coincide,said group certificate issuing apparatus includes first secret information assigned to said groups in said original group information and performs the processing by said cryptographic function, said first secret information being held only by said group certificate issuing apparatus,said group certificate verification unit includes second secret information assigned to the groups in part of information included in said received group certificate and performs the processing by said cryptographic function, said second secret information being held only by said group certificate verification unit,said first secret information and said second secret information are identical secret information for identical groups, andsaid cryptographic function is a hash function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system of distributed group management for generating authentication information relating to a group to which users belong at a high speed on a client side and, at the same time, wherein a server side can verify this at a high speed. This system provides a group certificate issuing apparatus for issuing a group certificate on a client side based on original group information including the name of the group to which the users belong and a group certificate verification unit for verifying a legitimacy of the certificate transmitted from the client side in a server. Here, the group certificate issuing apparatus adds an issuance side processed value obtained by processing the information of the original group information by a cryptographic function to this original group information to obtain a group certificate, and the group certificate verification unit processes part of information included in the received certificate by an identical cryptographic function to obtain a verification side processed value and performs an authentication by confirming that the issuance side processed value and the verification side processed value coincide.

81 Citations

View as Search Results

24 Claims

1. A system of distributed group management for indirectly authenticating membership of a user in a group in order to manage security for a client on a client side and a server for executing a remote processing request from the client side under a predetermined authorization assigned for every group, provided with;
- a group certificate issuing apparatus for issuing a group certificate on the client side based on original group information including the name of the group to which the related user belongs when there is said remote processing request; and
  
  a group certificate verification unit for verifying a legitimacy of said group certificate transmitted from the client side in said server, whereinsaid group certificate issuing apparatus adds an issuance side processed value obtained by encrypting the information of the original group information by a cryptographic function to the original group information and defines this as the group certificate,said group certificate verification unit processes part of the information included in the received group certificate by an identical cryptographic function to obtain a verification side processed value and performs said authentication by confirming that said issuance side processed value and said verification side processed value coincide,said group certificate issuing apparatus includes first secret information assigned to said groups in said original group information and performs the processing by said cryptographic function, said first secret information being held only by said group certificate issuing apparatus,said group certificate verification unit includes second secret information assigned to the groups in part of information included in said received group certificate and performs the processing by said cryptographic function, said second secret information being held only by said group certificate verification unit,said first secret information and said second secret information are identical secret information for identical groups, andsaid cryptographic function is a hash function.

2. A method of distributed group management for indirectly authenticating membership of a user in a group in order to manage security for a client on a client side and a server for executing the remote processing request from the client side under a predetermined authorization assigned for every group, comprising the step of:
- processing information of original group information including the name of the group to which the related user belongs by a cryptographic function when there is said remote processing request on the client side and issuing a group certificate obtained by adding an issuance side processed value obtained by encrypting the information of the original group information by the cryptographic function to the original group information, and including first secret information assigned to said groups in said original group information and performing the processing by said cryptographic function, said first secret information being held only by a group certificate issuing apparatus,processing the information of the received group certificate by an identical cryptographic function to obtain a verification side processed value on a server side, and including second secret information assigned to the groups in part of information included in said received group certificates and performing the processing by said cryptographic function, said second secret information being held only by a group certificate verification unit, said first secret information and said second secret information being identical secret information for identical groups, andcomparing said verification side processed value and received issuance side processed value on the server side and confirming that they coincide, thereby to perform said authentication, and verify the legitimacy of said group certificate transmitted from the client side in said server, whereinsaid cryptographic function is a hash function.

3. A group certificate issuing apparatus comprising part of a system of distributed group management for indirectly authenticating membership of a user to a group in order to manage security with respect to a client on a client side and a server including a group certificate verification unit for executing a remote processing request from The client side under a predetermined authorization assigned for every group, provided with:
- an issuance side processor for issuing original group information including the name of the group with the related user membership thereto when there is said remote processing request and, at the same time, adding an issuance side processed value obtained by encrypting the information of the original group information by a cryptographic function to the original group information to obtain a group certificate,said group certificate issuing apparatus including first secret information assigned to said groups in said Original group information and performing the processing by said cryptographic function, said first secret information being held only by said group certificate issuing apparatus, andsaid first secret information and second secret information held by said group certificate verification unit to be communicated with said group certificate issuing apparatus are identical secret information for identical groups, whereinsaid cryptographic function is a hash function, and said issuance side processor is provided with a hash facility for performing the processing of the hash function.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 4. A group certificate issuing apparatus as set forth in claim 3, wherein said issuance side processor centrally applies the processing of said hash function with respect to at least the group name and the secret information unique to that group, regards said issuance side processed value as the temporary password “
    - temp”
      
      , and generates said group certificate from at least said group name and said temporary password.
  - 5. A group certificate issuing apparatus as set forth in claim 4, wherein it cooperates with a hash function unit provided in said client and the hash function unit applies the processing of said hash function in times with respect to said temporary password, regards the obtained issuance side processed value as a one-time password, and a log-in request comprised of at least said group name and said one time password is generated by the client in place of said group certificate.
  - 6. A group certificate issuing apparatus as set forth in claim 5, wherein a unique ID generation means is further included and, at the same time,said issuance side processor further adds the valid term information to said group name and the secret information unique to the group and applies the processing of said hash function, obtains said one time password based on an obtained temporary password and generates said log-in request, andsaid unique ID generation means generates the certificate ID for identifying the log-in requests for every user when the log-in requests having the identical contents are issued with respect to plurality of different said users and adds the same to each corresponding log-in request.
  - 7. A group certificate issuing apparatus as set forth in claim 4, wherein it cooperates with a unique ID generation means provided in said client, and the unique ID generation means generates an authentication ID for mutual authentication between said client and said server, contains the authentication ID in said group certificate, and transmits the same to said server.
  - 8. A group certificate issuing apparatus as set forth in claim 7, wherein said transmitted group certificate including said authentication ID is received at said server, a server reply obtained by applying a predetermined processing with respect to this is returned to said client, a server reply expected in the client by using the same processing as the predetermined processing and the returned server reply are compared, and when the two coincide, the client authenticates the server.
  - 9. A group certificate issuing apparatus as set forth in claim 4, wherein it cooperates with an encryption processing unit provided in said client, and the encryption processing unit establishes an encryption session from the client to said server with said temporary password as an encryption key.
  - 10. A group certificate issuing apparatus as set forth in claim 4, wherein provision is made of a log file for recording the log of the session according to each said remote processing request for each of said users, and supervision of each user is performed based on the log.
  - 11. A group certificate issuing apparatus as set forth in claim 10, wherein said temporary password for every said session is included in said log and thereby to identify the sessions.
  - 12. A group certificate issuing apparatus as set forth in claim 4, wherein a unique ID generation means is further included and, at the same time,said issuance side processor further adds valid term information to said group name and the secret information unique to the group and applies the processing of said hash function, regards obtained said issuance side processed value as the temporary password, and generates said group certificate from said group name, said valid term information, and said temporary password, andsaid unique ID generation means generates the certificate ID for identifying these group certificates for every user and adds the same to corresponding each group certificate when the group certificates having the identical contents are issued with respect to plurality of different said users.
  - 13. A group certificate issuing apparatus as set forth in claim 3, wherein provision is made of a user-group mapping storage means, and in the user-group mapping storage means, a plurality of different groups can be assigned for one said user.

14. A group certificate verification unit comprising a system of distributed group management for indirectly authenticating the membership of a user to a group in order to manage security of a client on a client side and a server for executing a remote processing request from the client side under a predetermined authorization assigned for every group, including:
- a verification side processor for processing information included in a group certificate issued by a group certificate issuing apparatus and received from the client side by a cryptographic function to generate a verification side processed value on the server side and performing said authentication by confirming that an issuance side processed value included in the received group certificate and said verification side processed value coincide,said group certificate verification unit including second secret information assigned to the groups in part of information included in said received group certificate and performing the processing by said cryptographic function, said second secret information being held only by said group certificate verification unit, andfirst secret information held by said group certificate issuing apparatus to be communicated with said group certificate verification unit and said second secret information are identical secret information for identical groups, whereinsaid cryptographic function is a hash function and said verification side processor is provided with the hash facility for performing the processing of the hash function.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. A group certificate verification unit as set forth in claim 14, wherein said verification side processor centrally applies the processing of said hash function with respect to at least the group name and the secret information unique to that group included in said group certificate received from the client side so as to reproduce said verification side processed value as the reproduced temporary password.
  - 16. A group certificate verification unit as set forth in claim 15, wherein said verification side processor is a bash function unit, and the hash function unit applies the processing of said hash function to said temporary password rn number of times to reproduce said verification side processed value as a one-time password and confirms that the reproduced one-time password and the one time password extracted from the log-in request including the one-time password similarly generated on the client side coincide to perform said authentication.
  - 17. A group certificate verification unit as set forth in claim 16, wherein it receives log-in requests added with log-in request IDs for identifying these log-in requests for every user from said client and allots said plurality of different users to identical groups by the log-in request ID when said log-in requests having the identical contents are issued with respect to plurality of different said users.
  - 18. A group certificate verification unit as set forth in claim 15, wherein, for the mutual authentication between said client and said server, the authentication ID transmitted included in said group certificate is received from said client, predetermined processing is applied with respect to this to generate a server reply, the server reply is returned to said client and compared with the server reply expected in the client by using the same processing as the predetermined processing, and when the two coincide, the client authenticates the server.
  - 19. A group certificate verification unit as set forth in claim 15, wherein it cooperates with an encryption processing unit provided in said server, said encryption processing unit establishing an encryption session from the server to said client with said temporary password as an encryption key.
  - 20. A group certificate verification unit as set forth in claim 15, wherein it receives group certificates added with certificate IDs for identifying these group certificates for every user from said client and allots said plurality of different users to the identical groups by the certificate IDs when group certificates having identical contents are issued with respect to a plurality of different users.
  - 21. A group certificate verification unit as set forth in claim 15, wherein it cooperates with a log-in request temporary storing unit provided in said server, and, when the assignment of the plurality of different groups is enabled for one said user, it verifies said log-in requests received from said client, stores them in the log-in request temporary storing unit, and switches and uses the stored log-in requests in accordance with said predetermined authorization necessary for the request with respect to following remote processing requests.
  - 22. A group certificate verification unit as set forth in claim 14, wherein it cooperates with a log file provided in said server, the log file recording a log of the session according to each said remote processing request for each of said users, each user being supervised based on the log.
  - 23. A group certificate verification unit as set forth in claim 22, wherein said temporary password for every said session is included in said log to identify the sessions.
  - 24. A group certificate verification unit as set forth in claim 14, wherein it cooperates with a group certificate temporary storing unit provided in said server, and, when the assignment of a plurality of different groups is enabled for one said user, it verifies said group certificates received from said client, stores them in the group certificate temporary storing unit, and switches and uses the stored group certificates in accordance with said predetermined authorization necessary for the request with respect to the following remote processing requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Fukuda, Kenichi, Morikawa, Ikuya, Minoura, Makoto
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
TRUONG, THANHNGA B

Application Number

US09/863,583
Publication Number

US 20010049787A1
Time in Patent Office

2,113 Days
Field of Search

713156-157, 713/167, 713/175, 705/67, 726/2
US Class Current

713/156
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/123   received data contents, e.g...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

System and method for distributed group management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for distributed group management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links