Methods and apparatus for identity and role management in communication networks

US 7,992,194 B2
Filed: 03/14/2006
Issued: 08/02/2011
Est. Priority Date: 03/14/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for identity and role management in a communication network, the method comprisingassociating an entity with a key;

associating the entity with a role;

associating the key and the role with a signature;

providing an identity of the entity, the key, the role and the signature to be accessed through the communication network in response to an authentication query specifying the role but not identifying the entity, the entity being selected from a set of entities each associated with the role specified in the authentication query, wherein the providing comprises publishing a resource record group comprising the key, the role and the signature in a name server communicatively coupled to the communication network, wherein the resource record group is associated with the identity; and

receiving a communication message routed through the communication network based on the provided identity of the entity and not the role specified in the authentication query, the identity being different from the role.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for identity and role management in communication networks are disclosed. An example method for identity and role management in a communication network associates an entity with a key, associates the entity with a role, associates the key and the role with a signature, and enables the key, the role and the signature to be accessed through the communication network based on an identity of the entity.

Citations

40 Claims

1. A method for identity and role management in a communication network, the method comprisingassociating an entity with a key;
- associating the entity with a role;
  
  associating the key and the role with a signature;
  
  providing an identity of the entity, the key, the role and the signature to be accessed through the communication network in response to an authentication query specifying the role but not identifying the entity, the entity being selected from a set of entities each associated with the role specified in the authentication query, wherein the providing comprises publishing a resource record group comprising the key, the role and the signature in a name server communicatively coupled to the communication network, wherein the resource record group is associated with the identity; and
  
  receiving a communication message routed through the communication network based on the provided identity of the entity and not the role specified in the authentication query, the identity being different from the role.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method as defined in claim 1 wherein the entity comprises one of a network user or a network domain.
  - 3. A method as defined in claim 1 wherein the key is a public key for use with an encryption algorithm.
  - 4. A method as defined in claim 1 wherein the role corresponds to at least one of a position or a function associated with at least one of a network domain or a community of entities.
  - 5. A method as defined in claim 4 wherein the network domain corresponds to a business organization and the community of entities corresponds to a plurality of entities that belong to a plurality of network domains.
  - 6. A method as defined in claim 1 wherein the role is associated with a plurality of entities.
  - 7. A method as defined in claim 1 wherein associating the key and the role with the signature comprises generating the signature based on the key and the role.
  - 8. A method as defined in claim 7 wherein the key is a first key and generating the signature comprises encrypting the first key and the role based on a second key.
  - 9. A method as defined in claim 8 wherein the first key and the second key comprise, respectively, a public key and a private key for use with an encryption algorithm.
  - 10. A method as defined in claim 8 wherein the second key is associated with at least one of the entity, a domain to which the entity belongs or a community to which the entity belongs.
  - 11. A method as defined in claim 8 wherein encrypting the first key and the role based on the second key comprises:
    - concatenating the first key and the role to determine a concatenation result;
      
      processing the concatenation result with a hash function to determine a hash result; and
      
      processing the hash result with an encryption algorithm based on the second key.
  - 12. A method as defined in claim 11 wherein the hash function comprises at least one of a message digest algorithm or a secure hash standard algorithm.
  - 13. A method as defined in claim 11 wherein the encryption algorithm comprises at least one of a digital signature algorithm or an RSA algorithm.
  - 14. A method as defined in claim 1 wherein the name server comprises a domain name system server.
  - 15. A method as defined in claim 1 wherein the name server comprises one of a plurality of name servers and the identity is uniquely associated with the name server.
  - 16. A method as defined in claim 1 wherein the identity comprises at least one of an email address, a domain name, a network address or an instant messaging identity.
  - 17. A method as defined in claim 1 further comprising obfuscating the identity of the entity prior to publishing the resource record group in the name server.
  - 18. A method as defined in claim 1 wherein providing the identity of the entity, the key, the role and the signature to be accessed through the communication network in response to the authentication query comprises updating a resource record group comprising the key, the role and the signature in a name server communicatively coupled with the communication network, wherein the resource record group is associated with the identity.
  - 19. A method as defined in claim 1 wherein the role is a first role and further comprising:
    - associating the entity with the second role;
      
      associating the second role with the signature; and
      
      providing the identity of the entity, the key, the first role, the second role and the signature through the communication network in response to the authentication query specifying at least one of the first role or the second role and not identifying the entity.
  - 20. A method as defined in claim 1 wherein the signature is a first signature and further comprising:
    - associating the key and the role with a second signature; and
      
      providing the identity of the entity, the key, the role, the first signature and the second signature through the communication network in response to the authentication query.

21. An article of manufacture storing machine readable instructions on a non-transitory storage medium which, when the machine readable instructions are executed by at least one processor, cause a machine comprising the at least one processor to:
- associate the entity with a key;
  
  associate the entity with a role;
  
  associate the key and the role with a signature;
  
  provide an identity of the entity, the key, the role and the signature to be accessed through a communication network in response to an authentication query specifying the role but not identifying the entity, the entity being selected from a set of entities each associated with the role specified in the authentication query, wherein providing the identity, the key, the role, and the signature comprises publishing a resource record group comprising the key, the role and the signature in a name server communicatively coupled to the communication network, wherein the resource record group is associated with the identity; and
  
  receive a communication message routed through the communication network based on the provided obfuscated identity of the entity and not the role specified in the authentication query, the obfuscated identity being different from the role.
- View Dependent Claims (22, 23, 24, 25)
- - 22. An article of manufacture as defined in claim 21 wherein the machine readable instructions, when executed, further cause the machine to generate the signature based on the key and the role.
  - 23. An article of manufacture as defined in claim 22 wherein the key is a first key and the machine readable instructions, when executed, further cause the machine to generate the signature by encrypting the first key and the role based on a second key.
  - 24. An article of manufacture as defined in claim 23 wherein the first key and the second key comprise, respectively, a public key and a private key for use with an encryption algorithm.
  - 25. An article of manufacture as defined in claim 23 wherein the machine readable instructions, when executed, further cause the machine to generate the signature by:
    - concatenating the first key and the role to determine a concatenation result;
      
      processing the concatenation result with a hash function to determine a hash result; and
      
      processing the hash result with an encryption algorithm having the second key as an input.

26. An identity manager for identity and role management in a communication network, the identity manager comprisinga role manager comprising computer program instructions stored on at least one non-transitory medium, wherein said role manager is to determine a role to associate with an entity, and to associate a keyword with the role;
- a credential manager comprising computer program instructions stored on at least one non-transitory medium, wherein said credential manager is to;
  
  associate a key with the entity; and
  
  associate a signature with the key and the role;
  
  an identity publisher comprising computer program instructions stored on at least one non-transitory medium, wherein said identity publisher is to provide an identity of the entity, the key, the role and the signature to be accessed through the communication network in response to an authentication query specifying the role but not identifying the entity, the entity being selected from a set of entities each associated with the role specified in the authentication query, wherein providing the entity, the key, the role, and the signature comprises publishing a resource record group comprising the key, the role and the signature in a name server communicatively coupled to the communication network, wherein the resource record group is associated with the identity;
  
  a role server comprising computer program instructions stored on at least one non-transitory medium, wherein said role server is to provide the role to the authenticator to replace the keyword provided by the resource record group when the authenticator is determined to be authorized to access the role, the resource record group also including a reference to the role server to enable the authenticator to access the role server.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. An identity manager as defined in claim 26 further comprising an identity updater to update at least one of the key, the keyword associated with the protected role or the signature included in the resource record group.
  - 28. An identity manager as defined in claim 26 further comprising an identity obfuscator to obfuscate the identity and associate the resource record group with the obfuscated identity.
  - 29. An identity manager as defined in claim 28 wherein the identity obfuscator is to obfuscate the identity by processing the identity with a hash function.
  - 30. An identity manager as defined in claim 26 further comprising an identity invalidator is to inhibit access to the resource record group over the communication network.
  - 31. An identity manager as defined in claim 30 wherein the identity invalidator is to inhibit access to the resource record group over the communication network by removing the resource record group from a name server communicatively coupled to the communication network.
  - 32. An identity manager as defined in claim 26 wherein the signature is a first signature and further comprising a key replacer to determine a second signature to replace the first signature.
  - 33. An identity manager as defined in claim 32 wherein the key is a first key and the first signature and the second signature are associated with a network domain to which the entity belongs, and wherein the key replacer is to replace the first signature with the second signature when a second key associated with the network domain is replaced with a third key.
  - 34. An identity manager as defined in claim 26 wherein the credential manager is to generate the signature based on the key and the protected role.
  - 35. An identity manager as defined in claim 34 wherein the key is a first key and the credential manager is to generate the signature by encrypting the first key and the protected role based on a second key.
  - 36. An identity manager as defined in claim 35 wherein the first key and the second key comprise, respectively, a public key and a private key for use with an encryption algorithm.
  - 37. An identity manager as defined in claim 35 wherein the credential manager is to encrypt the first key and the protected role based on the second key by:
    - concatenating the first key and the protected role to determine a concatenation result;
      
      processing the concatenation result with a hash function to determine a hash result; and
      
      processing the hash result with an encryption algorithm based on the second key.

38. A system comprising:
- a name server, comprising hardware, communicatively coupled to a communication network, the name server to associate a plurality of identities and a plurality of roles associated with a plurality of entities in the communication network;
  
  an identity manager, comprising hardware, communicatively coupled to at least one of the communication network or the name server, the identity manager to provide an identity of an entity, a key, a role and a signature to be accessed through the communication network in response to an authentication query specifying the role but not identifying the entity, the entity being selected from a set of entities each associated with the role specified in the authentication query, wherein providing the identity, the key, the role, and the signature comprises publishing a resource record group comprising the key, the role and the signature in a name server communicatively coupled to the communication network, wherein the resource record group is associated with the identity, wherein said identity manager manages the plurality of identities and the plurality of roles associated with the plurality of entities; and
  
  an authentication processor, comprising hardware, communicatively coupled to the communication network, the authentication processor to authenticate an identity and a role associated with an entity provided by the name server in response to an authentication query specifying the role associated with the entity but not identifying the entity.
- View Dependent Claims (39, 40)
- - 39. A system as defined in claim 38 wherein the name server is to serve a plurality of resource record groups comprising the plurality of roles and associated with the plurality of identities.
  - 40. A system as defined in claim 38 wherein the identity manager is to determine a plurality of signatures associated with the plurality of entities and based on the plurality of roles and at least one key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Damodaran, Suresh, Leitheiser, Greg
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US11/374,721
Publication Number

US 20070220591A1
Time in Patent Office

1,967 Days
Field of Search

713/156, 726 1- 7, 726 17- 19, 726/21, 380277-278, 380/28, 705/67, 705/71, 705/76
US Class Current

726/4
CPC Class Codes

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 63/0823   using certificates cryptogr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/321   involving a third party or ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Methods and apparatus for identity and role management in communication networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for identity and role management in communication networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links