Method for operating a network, a system management device, a network and a computer program therefor

US 8,539,235 B2
Filed: 09/28/2009
Issued: 09/17/2013
Est. Priority Date: 10/06/2008
Status: Active Grant

First Claim

Patent Images

1. A method for operating a network, comprising a node and a system management device, the system management device comprising a root keying material being a set of functions each having a degree of complexity of α

, and the node being provided with a node keying material share having a degree of complexity of α

, the node keying material share being derived from the root keying material, the method comprising, upon receipt at the system management device of a request for an external user to gain access to the node;

a) generating, by the system management device, an external user keying material share and an access identifier, the external user keying material share having a degree of complexity α and

being generated from the root keying material;

b) generating, by the system management device, an access keying material and an identifier of the node, the access keying material having a degree of complexity less than α and

being generated from the external user keying material share;

c) the system management device providing the external user with the access keying material share and the access identifier;

d) the external user deriving a key from the access keying material share, and transmitting this key and the access identifier to the node;

e) the node computing a key from the access identifier and the node keying material share; and

f) the node comparing the key transmitted by the external user and the key computed by the node, so as to authenticate the external user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method for operating a network comprising communicating devices representing nodes of the network. More precisely, the invention relates to a method for operating a network (1), comprising a node (D1) and a system management device (3), the system management device comprising a root keying material being a set of alpha-secure functions having a degree of complexity of, and the node being provided with a node keying material share of degree of complexity α derived from the root keying material. The method comprises the following steps, upon receipt at the system management device of a request for an external user (4) to gain access to the node (D1): the system management device generates an external user keying material share of degree of complexity α from the root keying material and an access identifier, the system management device generates an access keying material of degree of complexity less than α, from the external user keying material share and an identifier of the node, the system management device provides the external user with the access keying material share and the access identifier, the external user derives a key from the access keying material share, and transmitting this key and the access certificate to the node, the node computes a key from the access identifier and the node keying material share, and the node compares the key transmitted by the external user and the key computed by the node, so as to authenticate the external user.

Citations

14 Claims

1. A method for operating a network, comprising a node and a system management device, the system management device comprising a root keying material being a set of functions each having a degree of complexity of α
- , and the node being provided with a node keying material share having a degree of complexity of α
  
  , the node keying material share being derived from the root keying material, the method comprising, upon receipt at the system management device of a request for an external user to gain access to the node;
  
  a) generating, by the system management device, an external user keying material share and an access identifier, the external user keying material share having a degree of complexity α and
  
  being generated from the root keying material;
  
  b) generating, by the system management device, an access keying material and an identifier of the node, the access keying material having a degree of complexity less than α and
  
  being generated from the external user keying material share;
  
  c) the system management device providing the external user with the access keying material share and the access identifier;
  
  d) the external user deriving a key from the access keying material share, and transmitting this key and the access identifier to the node;
  
  e) the node computing a key from the access identifier and the node keying material share; and
  
  f) the node comparing the key transmitted by the external user and the key computed by the node, so as to authenticate the external user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 13)
- - 2. The method of claim 1, wherein the access identifier is the result of a hash function performed on an access certificate based on the request received by the system management device, and the node being provided with the hash function, wherein step c) further comprises the system management device providing the external user with the access certificate, wherein step d) further comprises the external user transmitting the access certificate to the node, and the method further comprising:
    - g) the node verifying the access certificate by computing the hash function of the access certificate and comparing the result with the received access identifier.
  - 3. The method of claim 2, wherein the request received by the system management device comprises at least one access attribute, and the access certificate depends on this attribute.
  - 4. The method of claim 3, wherein the access attribute comprises at least one of:
    - a node identifier, a parameter defining a period of validity, a parameter defining a limited set of actions authorized for the external user.
  - 5. The method of claim 1, wherein the root keying material is a bivariate polynomial of total degree alpha.
  - 6. The method of claim 5, wherein step a) comprises evaluating a bivariate root keying material share at a first point corresponding to the access identifier, to obtain a monovariate polynomial of degree alpha corresponding to the user keying material, and step b) comprises b1) pre-computing, at least partly, the monovariate polynomial at a second point corresponding to the node identifier to obtain a monovariate polynomial of decreased degree.
  - 7. The method of claim 6 wherein step b1) comprises computing the monovariate polynomial of degree α
    - for a set of the highest degree coefficients at the second point.
  - 8. The method as recited in claim 7, wherein α
    - −
      
      1 highest degree coefficients are computed.
  - 9. The method of claim 1, wherein the root keying material and the access certificates are protected by means of uncorrelation methods.
  - 10. The method of claim 1 wherein the system allows the delegation of access rights from a first node that got a keying material share from the system management device to a third node, so that the third device can access a second node that got keying material from the system management device.
  - 13. A network comprising a system management device according to claim 1.

11. A system management device comprising a root keying material being a set of functions having a degree of complexity of α
- +1 in each variable, the system management device being included in a network also comprising a node, and the system management device comprising;
  
  a processor configured togenerate an external user keying material share and an access identifier upon receipt of a request for an external user to gain access to the node, the external user keying material share having a degree of complexity α
  
  +1 and being generated from the root keying material, andgenerate an access keying material and an identifier of the node, the access keying material having a degree of complexity less than α
  
  +1 and being generated from the external user keying material share; and
  
  a transmitter configured to provide the external user with the access keying material share and the access identifier.
- View Dependent Claims (12)
- - 12. The system management device of claim 11, wherein the processor is further configured to:
    - delegate access rights from a first node in the network to an external user so that the user can access a second node in the network without requiring communication with the system management device, anduncorrelate the keying material shares distributed to the nodes in the network so that an attacker cannot get any information from the keying material shares distributed to the nodes in the network but the nodes in the network can still verify the access and delegation certificates linked to the keying material shares distributed from the system management device.

14. A computer tangible non-transitory medium configured to instruct a processor to perform a method, the method comprising:
- generating an external user keying material share and an access identifier upon receipt of a request for an external user to gain access to a node, the external user keying material share having a degree of complexity α
  
  +1 and being generated from a root keying material;
  
  generating an access keying material and an identifier of the node, the access keying material having a degree of complexity less than α
  
  +1 and being generated from the external user keying material share; and
  
  providing the external user with the access keying material share and the access identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Koninklijke Philips Electronics N.V. (Koninklijke Philips N.V.)
Original Assignee
Koninklijke Philips N.V.
Inventors
Garcia Morchon, Oscar, Erdmann, Bozena
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US13/122,767
Publication Number

US 20110197064A1
Time in Patent Office

1,450 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/061   applying further key deriva...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 9/083   involving central third par...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3093   involving Lattices or polyn...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 84/10   Small scale networks; Flat ...

Method for operating a network, a system management device, a network and a computer program therefor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for operating a network, a system management device, a network and a computer program therefor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links