Method for authorizing and authenticating data
Abstract
A method and a corresponding apparatus for authenticating data in a digital processing system (DPS) are disclosed, wherein a root/first tier key pair associated with a first tier/root authority may sign data and second tier keys for authorizing data for processing in the DPS. The first tier/root authority may pass entitlements to the authorized second tier key, which may itself authorize third tier keys and pass entitlements to said keys.
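An added illustration of the delegation checks described in the abstract and in claim 1, written from the verifier's side; it is not code from the patent. Textbook RSA over fixed primes stands in for a real signature scheme, and the entitlement names, the `DPS` class and the `kind` label attached to incoming data are assumptions.

```python
import hashlib

def make_key(p, q, e=65537):
    # Textbook RSA from fixed primes: a demo stand-in for a real signature scheme.
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_h(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

class DPS:
    """Verifier side: trusts the second key pair and its entitlements."""
    def __init__(self, second_pub, second_data, second_signing):
        if not second_signing <= second_data:
            raise ValueError("signing entitlements must be within data entitlements")
        self.second_pub, self.second_signing = second_pub, second_signing
        self.first_pub, self.first_data, self.limited = None, frozenset(), False

    def enroll(self, first_pub, key_sig, first_data, first_signing):
        # The key signature covers the public key portion only, as in claim 1.
        ok = (verify(self.second_pub, repr(first_pub).encode(), key_sig)
              and first_data <= self.second_signing   # delegation cannot widen
              and first_signing <= first_data)
        if ok:
            self.first_pub, self.first_data = first_pub, first_data
        return ok

    def process(self, kind, data, sig):
        ok = (self.first_pub is not None and kind in self.first_data
              and verify(self.first_pub, data, sig))
        if not ok:
            self.limited = True   # fail closed: reset to limited operations
        return ok

def run_demo():
    second = make_key(2**61 - 1, 2**89 - 1)     # constructed demo keys
    first = make_key(2**89 - 1, 2**107 - 1)
    dps = DPS(second["pub"], frozenset({"firmware", "config", "apps"}),
              frozenset({"config", "apps"}))    # constructed entitlement names
    key_sig = sign(second["priv"], repr(first["pub"]).encode())
    widened = dps.enroll(first["pub"], key_sig, frozenset({"firmware"}), frozenset())
    enrolled = dps.enroll(first["pub"], key_sig, frozenset({"apps"}), frozenset())
    data = b"app-update-v2"
    good = dps.process("apps", data, sign(first["priv"], data))
    bad = dps.process("config", data, sign(first["priv"], data))
    return widened, enrolled, good, bad, dps.limited
```

The first enrollment is refused because "firmware" lies outside the parent's signing entitlements, and the correctly signed "config" payload is refused because the first key was never entitled to that kind of data.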
23 Claims
1. A method, comprising:
generating, by a first device, a first key pair comprising a first public key portion and a first private key portion;
transferring, by the first device, the first public key portion to a second device having a second key pair, the second key pair comprising a second public key portion and a second private key portion, wherein the second key pair is associated with second entitlements comprising second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the second device is configured to:
authorize the first key pair by signing the first public key portion using the second private key portion to produce a first key signature of the first key pair,
associate first entitlements with the first public key portion, the first entitlements comprising first data entitlements that are within the second signing entitlements and further comprising first signing entitlements that are within the first data entitlements, and
transfer the first public key portion, the first key signature, and the first entitlements to a digital processing system, wherein upon receipt of the first public key portion, the first key signature, and the first entitlements, the digital processing system is configured to authenticate the first public key portion by using the first public key portion to verify that the first key signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements;
signing, by the first device, data with the first private key portion to generate a data signature; and
sending, by the first device, the data and the data signature to the digital processing system, wherein receiving the data and the data signature causes the digital processing system to authenticate the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data, and wherein failing to authenticate the data causes the digital processing system to reset to limited operations.
14. A digital processing system, comprising:
a memory;
a processor coupled to the memory, the processor configured to:
receive, from a device having a second key pair comprising a second public key portion and a second private key portion, the second public key portion and second entitlements associated with the second public key portion, wherein the second entitlements comprise second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the device having the second key pair is configured to receive a first public key portion from a device having a first key pair comprising the first public key portion and a first private key portion,
receive, from the device having the second key pair, the first public key portion, first entitlements associated with the first public key portion, and a first key signature associated with the first public key portion, wherein the first key signature was produced by the device having the second key pair when signing the first public key portion using the second private key portion to authorize the first key pair, and wherein the first entitlements comprise first data entitlements that are within the second signing entitlements and further comprise first signing entitlements that are within the first data entitlements,
store the first and second public key portions, the first and second entitlements, and the second key signature in the memory,
authenticate the first public key portion by using the second public key portion to verify that the first key pair signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements,
receive, from the device having the first key pair, data and a data signature generated by signing the data with the first private key portion,
authenticate the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data; and
reset the digital processing system to limited operations when failing to authenticate the data.
23. A method, comprising:
receiving, by a digital processing system, from a device having a second key pair comprising a second public key portion and a second private key portion, the second public key portion and second entitlements associated with the second public key portion, wherein the second entitlements comprise second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the device having the second key pair is configured to receive a first public key portion from a device having a first key pair comprising the first public key portion and a first private key portion;
receiving, by the digital processing system, from the device having the second key pair, the first public key portion, first entitlements associated with the first public key portion, and a first key signature associated with the first public key portion, wherein the first key signature was produced by the device having the second key pair when signing the first public key portion using the second private key portion to authorize the first key pair, and wherein the first entitlements comprise first data entitlements that are within the second signing entitlements and further comprise first signing entitlements that are within the first data entitlements;
authenticating, by the digital processing system, the first public key portion by using the second public key portion to verify that the first key signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements;
receiving, by the digital processing system, from the device having the first key pair, data and a data signature generated by signing the data with the first private key portion;
authenticating, by the digital processing system, the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data; and
resetting, by the digital processing system, the digital processing system to limited operations when failing to authenticate the data.
Specification