Facilitating group access control to data objects in peer-to-peer overlay networks

US 8,874,769 B2
Filed: 06/30/2011
Issued: 10/28/2014
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A group administrator peer node, comprising:

a communications interface adapted to facilitate communication on a peer-to-peer overlay network;

a storage medium including a private key and public key pair associated with the group administrator peer node; and

a processing circuit coupled to the communications interface and the storage medium, the processing circuit adapted to;

create a peer group, the group defining one or more peer nodes as members of the group;

assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, a public key associated with the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate; and

obtain a group token adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are provided for facilitating group access controls in peer-to-peer or other similar overlay networks. A group administrator may create a group in the overlay network and may assign peer-specific certificates to each member of the group for indicating membership in the group. A group member peer node can access data objects in the overlay network using its respective peer-specific certificate to authenticate itself as a group member. The authentication is performed by another peer node in the network. The validating peer node can authenticate that the group member is the rightful possessor of the peer-specific certificate using a public key associated with the peer node to which the peer-specific certificate was issued. The validating peer node can also validate that the peer-specific certificate was properly issued to the group member using a public key of the apparatus that issued the peer-specific certificate.

Citations

39 Claims

1. A group administrator peer node, comprising:
- a communications interface adapted to facilitate communication on a peer-to-peer overlay network;
  
  a storage medium including a private key and public key pair associated with the group administrator peer node; and
  
  a processing circuit coupled to the communications interface and the storage medium, the processing circuit adapted to;
  
  create a peer group, the group defining one or more peer nodes as members of the group;
  
  assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, a public key associated with the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate; and
  
  obtain a group token adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The group administrator peer node of claim 1, wherein the storage medium further includes a node certificate for the group administrator peer node issued by a trusted authority or self-signed by the group administrator peer node.
  - 3. The group administrator peer node of claim 1, wherein the peer-specific certificate is adapted to authenticate the group membership of the group member peer node to other peer nodes in the peer-to-peer overlay network on verification of the group member peer node using a public key associated with the group member peer node, and on verification of the peer-specific certificate using a public key associated with the identity of the issuing apparatus in the peer-specific certificate.
  - 4. The group administrator peer node of claim 1, wherein the processing circuit is further adapted to:
    - issue a peer-specific group certificate to the group member peer node, the peer-specific group certificate including the group identity, the identity of the group member peer node, an identity of the group administrator peer node and a signature by the private key of the group administrator peer node over one or more components of the peer-specific group certificate.
  - 5. The group administrator peer node of claim 4, wherein the processing circuit is adapted to issue the peer-specific group certificate to the group member peer node by:
    - generating the peer-specific group certificate for the group member peer node; and
      
      sending the peer-specific group certificate to the group member peer node via the communications interface.
  - 6. The group administrator peer node of claim 1, wherein the processing circuit is further adapted to:
    - generate the group token as a token signed with the private key of the group administrator peer node; and
      
      store the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate.
  - 7. The group administrator peer node of claim 1, wherein the processing circuit is adapted to assign the peer-specific certificate to the group member peer node by sending a request to a trusted authority to issue a peer-specific node certificate to the group member peer node, the peer-specific node certificate including the group identity, the identity of the group member peer node, an identity of the trusted authority and a signature by a private key of the trusted authority over one or more components of the peer-specific node certificate.

8. A method operational in a group administrator peer node, comprising:
- obtaining a public and private key pair associated with the group administrator peer node;
  
  creating a peer group in a peer-to-peer overlay network, the group defining one or more peer nodes that are members of the group;
  
  assigning a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, a public key associated with the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate; and
  
  obtaining a group token adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the peer-specific certificate is adapted to authenticate the group membership of the group member peer node to other peer nodes in the peer-to-peer overlay network on verification of the group member peer node using a public key associated with the group member peer node, and on verification of the peer-specific certificate using a public key associated with the identity of the issuing apparatus in the peer-specific certificate.
  - 10. The method of claim 8, wherein assigning the peer-specific certificate to the group member peer node comprises:
    - issuing a peer-specific group certificate to the group member peer node, the peer-specific group certificate including the group identity, the identity of the group member peer node, an identity of the group administrator peer node and a signature by the private key of the group administrator peer node over one or more components of the peer-specific group certificate.
  - 11. The method of claim 10, wherein issuing the peer-specific group certificate to the group member peer node, comprises:
    - generating the peer-specific group certificate for the group member peer node; and
      
      sending the peer-specific group certificate to the group member peer node.
  - 12. The method of claim 8, further comprising:
    - generating the group token as a token that is signed with the private key of the group administrator peer node; and
      
      storing the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate.
  - 13. The method of claim 8, wherein assigning the peer-specific certificate to the group member peer node comprises:
    - sending a request to a trusted authority to issue a peer-specific node certificate to the group member peer node, the peer-specific node certificate including the group identity, the identity of the group member peer node, an identity of the trusted authority and a signature by a private key of the trusted authority over one or more components of the peer-specific node certificate.

14. A group administrator peer node, comprising:
- means for obtaining a public and private key pair associated with the group administrator peer node;
  
  means for creating a peer group in a peer-to-peer overlay network, the group defining one or more peer nodes that are members of the group;
  
  means for assigning a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, a public key associated with the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate; and
  
  means for obtaining a group token adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
- View Dependent Claims (15)
- - 15. The group administrator peer node of claim 14, wherein the means for obtaining the group token further comprises:
    - means for generating the group token as a token that is signed with the private key of the group administrator peer node; and
      
      means for storing the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific certificate.

16. A processor-readable non-transitory medium comprising instructions operational on a group administrator peer node, which when executed by a processor causes the processor to:
- obtain a public and private key pair associated with the group administrator peer node;
  
  create a peer group in a peer-to-peer overlay network, the group defining one or more peer nodes that are members of the group;
  
  assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and including a group identity, an identity of the group member peer node, a public key associated with the group member peer node, an identity of an issuing apparatus and a signature by a private key of the issuing apparatus over one or more components of the peer-specific certificate;
  
  obtain a group token adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
- View Dependent Claims (17)
- - 17. The processor-readable non-transitory medium of claim 16, further comprising instructions, which when executed by the processor cause the processor to:
    - generate the group token as a token that is signed with the private key of the group administrator peer node; and
      
      store the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate.

18. A group member peer node, comprising:
- a communications interface adapted to facilitate communication on a peer-to-peer overlay network;
  
  a storage medium including a private key and a public key pair associated with the group member peer node; and
  
  a processing circuit coupled to the communications interface and the storage medium, the processing circuit adapted to;
  
  receive via the communications interface a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate, the peer-specific group certificate including information identifying a group token adapted to authenticate that the group administrator peer node was authorized to issue the peer-specific group certificate;
  
  send via the communications interface the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  send via the communications interface authentication data to the validating peer node, the authentication data being signed using the private key associated with the group member peer node.
- View Dependent Claims (19, 20, 21)
- - 19. The peer node of claim 18, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node by verification of the signed authentication data using the public key associated with the group member peer node, and by verification of the peer-specific group certificate using a public key associated with the group administrator peer node.
  - 20. The peer node of claim 18, wherein the group identity in the peer-specific group certificate is adapted to locate the group token, which is stored in the peer-to-peer overlay network as a data object identified by the group identity.
  - 21. The peer node of claim 18, wherein the processing circuit is further adapted to:
    - send a request for group membership to the group administrator peer node, wherein the peer-specific group certificate is issued by the group administrator peer node in response to sending the request.

22. A method operational in a group member peer node, comprising:
- obtaining a public and private key pair associated with the group member peer node;
  
  receiving a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate, the peer-specific group certificate including information identifying a group token adapted to authenticate that the group administrator peer node was authorized to issue the peer-specific group certificate;
  
  sending the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  sending authentication data to the validating peer node, the authentication data being signed using the private key associated with the group member peer node.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node by verification of the signed authentication data using the public key associated with the group member peer node, and by verification of the peer-specific certificate using a public key associated with the group administrator peer node.
  - 24. The method of claim 22, wherein receiving the peer-specific group certificate including the group identity comprises:
    - receiving the peer-specific group certificate including a group identity adapted to locate the group token, which is stored in the peer-to-peer overlay network as a data object identified by the group identity.
  - 25. The method of claim 22, further comprising:
    - sending a request for group membership to the group administrator peer node, wherein the peer-specific group certificate is issued by the group administrator peer node in response to sending the request.

26. A group member peer node, comprising:
- means for obtaining a public and private key pair associated with the group member peer node;
  
  means for receiving a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate, the peer-specific group certificate including information identifying a group token adapted to authenticate that the group administrator peer node was authorized to issue the peer-specific group certificate;
  
  means for sending the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  means for sending authentication data to the validating peer node, the authentication data being signed using the private key of the group member peer node.

27. A processor-readable non-transitory medium comprising instructions operational on a group member peer node, which when executed by a processor causes the processor to:
- obtain a public and private key pair associated with the group member peer node;
  
  receive a peer-specific group certificate issued to the group member peer node from a group administrator peer node, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of the group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate, the peer-specific group certificate including information identifying a group token adapted to authenticate that the group administrator peer node was authorized to issue the peer-specific group certificate;
  
  send the peer-specific group certificate to a validating peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the validating peer node; and
  
  send authentication data to the validating peer node, the authentication data being signed using the private key of the group member peer node.

28. A validating peer node, comprising:
- a communications interface adapted to facilitate communication on a peer-to-peer overlay network;
  
  a processing circuit coupled to the communications interface, the processing circuit adapted to;
  
  receive via the communications interface a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  obtain a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  verify the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  verify the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (29, 30, 31)
- - 29. The peer node of claim 28, wherein the processing circuit is adapted to:
    - obtain the public key associated with the group administrator peer node from a node certificate of the group administrator peer node, wherein the node certificate includes the public key associated with the group administrator peer node, an identity of a trusted authority and a signature by a private key of the trusted authority.
  - 30. The peer node of claim 28, wherein the processing circuit is further adapted to:
    - receive via the communications interface authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      verify the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network using the identity of the group member peer node in the peer-specific group certificate.
  - 31. The peer node of claim 28, further comprising:
    - a storage medium coupled to the processing circuit, the storage medium including a data object which the group member peer node is requesting to access as a member of the group.

32. A method operational in a validating peer node, comprising:
- receiving a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  obtaining a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  verifying the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  verifying the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (33, 34, 35)
- - 33. The method of claim 32, further comprising:
    - obtaining the public key associated with the group administrator peer node from a node certificate of the group administrator peer node, wherein the node certificate of the group administrator peer node includes the public key associated with the group administrator peer node, an identity of a trusted authority and a signature by a private key of the trusted authority over one or more components of the node certificate.
  - 34. The method of claim 32, further comprising:
    - receiving authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      verifying the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network.
  - 35. The method of claim 32, further comprising:
    - receiving a request from the group member peer node to access a data object stored at the validating peer node, wherein access to the data object is restricted to group members.

36. A validating peer node, comprising:
- means for receiving a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  means for obtaining a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  means for verifying the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  means for verifying the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (37)
- - 37. The validating peer node of claim 36, further comprising:
    - means for receiving authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      means for verifying the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network.

38. A processor-readable non-transitory medium comprising instructions operational on a validating peer node, which when executed by a processor causes the processor to:
- receive a peer-specific group certificate from a group member peer node seeking authentication as a member of a group, the peer-specific group certificate including a group identity, an identity of the group member peer node, an identity of a group administrator peer node and a signature by a private key of the group administrator peer node over one or more components of the peer-specific group certificate;
  
  obtain a group token from the peer-to-peer overlay network, the group token including a signature by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
  
  verify the signature of the group token using a public key associated with the group administrator peer node to validate that the group administrator peer node was authorized to issue the peer-specific group certificate; and
  
  verify the peer-specific group certificate using the public key associated with the group administrator peer node.
- View Dependent Claims (39)
- - 39. The processor-readable non-transitory medium of claim 38, further comprising instruction, which when executed by the processor, cause the processor to:
    - receive authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
      
      verify the signed authentication data using a public key associated with the group member peer node and obtained from the peer-specific group certificate or from the peer-to-peer overlay network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Mao, Yinian, Narayanan, Vidya, Swaminathan, Ashwin
Primary Examiner(s)
Vaughan, Michael R
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US13/174,532
Publication Number

US 20130007442A1
Time in Patent Office

1,216 Days
Field of Search

713/168, 713/156, 726/27, 726/29, 370/219, 370/328, 370/338, 709/249, 709/204, 709/228, 709/229, 709/246, 707/102
US Class Current

709/229
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 67/1044   Group management mechanisms...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

Facilitating group access control to data objects in peer-to-peer overlay networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating group access control to data objects in peer-to-peer overlay networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links