Key generation for hierarchical data access
Abstract
Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
19 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, obtaining a key-holder key set comprising a key for each key holder of a plurality of key holders, each obtained key having been derived based at least in part on a key-holder key for a corresponding key holder and a set of key-use restrictions;
calculating, by at least inputting into a function the set of key-use restrictions and a result of performing an operation on the key-holder set, a signing key;
generating, based at least in part on the signing key, an expected signature for a message submitted in connection with a message signature; and
transmitting an electronic message that indicates whether the expected signature matches the message signature, the electronic message being usable to evaluate whether access to one or more computing resources is permitted, the set of key-use restrictions preventing the expected signature from matching the message signature when the message signature is submitted out of compliance with the set of key-use restrictions.
Dependent claims: 2, 3, 4, 5, 6
7. A signature verification system, comprising:
one or more processors; and
memory including instructions that, when executed by one or more processors of a computer system, cause the computer system to:
obtain a key-holder key set comprising a key for each key holder of a plurality of key holders, each obtained key having been derived based at least in part on a key-holder key for a corresponding key holder and a set of key-use restrictions;
calculate, by at least inputting into a function the set of key-use restrictions and a result of performing an operation on the key-holder set, a signing key;
generate, based at least in part on the signing key, an expected signature for a message submitted in connection with a message signature; and
transmit an electronic message that indicates whether the expected signature matches the message signature, the electronic message being usable to evaluate whether access to one or more computing resources is permitted, the set of key-use restrictions preventing the expected signature from matching the message signature when the message signature is submitted out of compliance with the set of key-use restrictions.
Dependent claims: 8, 9, 10, 11, 12, 13
14. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by a computer system, cause the computer system:
obtain a key-holder key set comprising a key for each key holder of a plurality of key holders, each obtained key having been derived based at least in part on a key-holder key for a corresponding key holder and a set of key-use restrictions;
calculate, by at least inputting into a function the set of key-use restrictions and a result of performing an operation on the key-holder set, a signing key;
generate, based at least in part on the signing key, an expected signature for a message submitted in connection with a message signature; and
transmit an electronic message that indicates whether the expected signature matches the message signature, the electronic message being usable to evaluate whether access to one or more computing resources is permitted, the set of key-use restrictions preventing the expected signature from matching the message signature when the message signature is submitted out of compliance with the set of key-use restrictions.
Dependent claims: 15, 16, 17, 18, 19
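The flow recited in the independent claims, as an added illustration that is not taken from the patent: each key holder specializes its secret to the key-use restrictions, and the verifier combines only those derived keys to compute the expected signature. HMAC-SHA256 as the derivation function, SHA-256 over the concatenated derived keys as the "operation", the restriction strings, and the secrets are all assumptions chosen for the example.

```python
import hashlib
import hmac


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def encode(restrictions: list[str]) -> bytes:
    # Length-prefix every restriction so ["ab", "c"] and ["a", "bc"] encode differently.
    return b"".join(len(r.encode()).to_bytes(4, "big") + r.encode() for r in restrictions)


def derive_holder_key(holder_secret: bytes, restrictions: list[str]) -> bytes:
    """Run by each key holder: specialize its secret to the restrictions."""
    return _mac(holder_secret, encode(restrictions))


def signing_key(holder_keys: list[bytes], restrictions: list[str]) -> bytes:
    """Function of the restrictions and an operation over the derived key set."""
    combined = hashlib.sha256(b"".join(holder_keys)).digest()  # assumed operation
    return _mac(combined, encode(restrictions))


def sign(holder_secrets: list[bytes], restrictions: list[str], message: bytes) -> bytes:
    """Signer side: derive under the restrictions it claims to comply with."""
    keys = [derive_holder_key(s, restrictions) for s in holder_secrets]
    return _mac(signing_key(keys, restrictions), message)


def verify(holder_keys: list[bytes], restrictions: list[str],
           message: bytes, signature: bytes) -> bool:
    """Verifier side: holds only derived keys, never the holders' secrets."""
    expected = _mac(signing_key(holder_keys, restrictions), message)
    return hmac.compare_digest(expected, signature)  # constant-time comparison


# Constructed sample data (not from the patent).
SECRETS = [b"holder-A-secret", b"holder-B-secret"]
RESTRICTIONS = ["date=20240101", "region=us-east", "service=storage"]
MESSAGE = b"GET /bucket/object"


def demo() -> tuple[bool, bool, bool]:
    verifier_keys = [derive_holder_key(s, RESTRICTIONS) for s in SECRETS]
    compliant = sign(SECRETS, RESTRICTIONS, MESSAGE)
    wrong_day = sign(SECRETS, ["date=20240102"] + RESTRICTIONS[1:], MESSAGE)
    return (verify(verifier_keys, RESTRICTIONS, MESSAGE, compliant),
            verify(verifier_keys, RESTRICTIONS, MESSAGE, wrong_day),
            verify(verifier_keys, RESTRICTIONS, MESSAGE + b"?acl", compliant))
```

A signature produced under a different restriction set fails verification because the restrictions feed both the per-holder derivation and the signing-key computation.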
Specification