Proxy system for security processing without entrusting certified secret information to a proxy

US 9,729,311 B2
Filed: 09/28/2012
Issued: 08/08/2017
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A security processing proxy system, comprising:

a first communication unit in a wireless multihop network that communicates with a further network, the first communication unit being one of a plurality of multihop communication units that relay messages among themselves in hops so as to communicate with the further network;

a second communication unit outside the wireless multihop network which communicates with the further network; and

a proxy server between the wireless multihop network and the further network which communicates with the further network and which acts for said first communication unit to conduct security processing with said second communication unit via the further communication network, the security processing including key exchange processing, authentication processing, or processing for providing compatibility of an encryption scheme,wherein each of the second communication unit and the proxy server is connected to the further network independently of each other, and the wireless multihop network is connected to the further network via the proxy server,wherein said first communication unit holds a public key of said first communication unit certified by a certification authority on a public key infrastructure (PKI) as well as secret information associated with a public key certificate of said first communication unit,wherein said first communication unit includes;

a delegation information generator using the secret information of said first communication unit to generate delegation information required for the security processing; and

a delegation information notifier supplying the delegation information to said proxy server via the multihop network,wherein said proxy server includes;

a delegation information acquirer acquiring the delegation information from said first communication unit; and

a security processing proxy transmitting the delegation information to said second communication unit via the further network to perform the security processing with said second communication unit,wherein said second communication unit includes;

a receiver receiving the delegation information from said proxy server via the further network; and

a security processor using a certification authority public key held for verifying the public key certificate as being issued by the certification authority on the PKI to certify that the delegation information is generated by said first communication unit to thereby carry out the security processing with said proxy server, andwherein at least one of said first communication unit, said second communication unit, and said proxy server is implemented on a computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

First communication units use a public key thereof certified by a certification authority on a PKI (Public Key Infrastructure), which is held by the first communication units in advance, and a secret key of the first communication units or delegation information generated by using secret information, as public key certificate, of the first communication units to thereby allow a proxy server to perform security processing, i.e. key exchange processing, authentication processing or processing for providing compatibility of encryption schemes, between the first communication units and a second communication unit on behalf of the first communication units.

21 Citations

6 Claims

1. A security processing proxy system, comprising:
- a first communication unit in a wireless multihop network that communicates with a further network, the first communication unit being one of a plurality of multihop communication units that relay messages among themselves in hops so as to communicate with the further network;
  
  a second communication unit outside the wireless multihop network which communicates with the further network; and
  
  a proxy server between the wireless multihop network and the further network which communicates with the further network and which acts for said first communication unit to conduct security processing with said second communication unit via the further communication network, the security processing including key exchange processing, authentication processing, or processing for providing compatibility of an encryption scheme,wherein each of the second communication unit and the proxy server is connected to the further network independently of each other, and the wireless multihop network is connected to the further network via the proxy server,wherein said first communication unit holds a public key of said first communication unit certified by a certification authority on a public key infrastructure (PKI) as well as secret information associated with a public key certificate of said first communication unit,wherein said first communication unit includes;
  
  a delegation information generator using the secret information of said first communication unit to generate delegation information required for the security processing; and
  
  a delegation information notifier supplying the delegation information to said proxy server via the multihop network,wherein said proxy server includes;
  
  a delegation information acquirer acquiring the delegation information from said first communication unit; and
  
  a security processing proxy transmitting the delegation information to said second communication unit via the further network to perform the security processing with said second communication unit,wherein said second communication unit includes;
  
  a receiver receiving the delegation information from said proxy server via the further network; and
  
  a security processor using a certification authority public key held for verifying the public key certificate as being issued by the certification authority on the PKI to certify that the delegation information is generated by said first communication unit to thereby carry out the security processing with said proxy server, andwherein at least one of said first communication unit, said second communication unit, and said proxy server is implemented on a computer.
- View Dependent Claims (2, 3)
- - 2. The security processing proxy system in accordance with claim 1,wherein said delegation information generator generates delegation information that includes information about a term of validity, andwherein said security processor derives the information about the term of validity from the delegation information to determine whether or not the delegation information is valid to thereby carry out the security processing with said proxy server.
  - 3. The security processing proxy system in accordance with claim 1,wherein the delegation information includes:
    - (1) an entrust public key and/or an entrust secret key generated by said delegation information generator in conformity with an appropriate public key cryptographic algorithm;
      
      (2) an entrust public key certificate produced by said delegation information generator by attaching a signature with the secret key of said first communication unit; and
      
      (3) a public key certificate of said first communication unit, andwherein said security processor;
      
      derives from the delegation information, received via a receiver, the entrust public key, the entrust secret key, the entrust public key certificate, and the public key certificate of said first communication unit;
      
      uses the held certification authority public key to certify the public key certificate of said first communication unit, thereby acquiring the public key of said first communication unit; and
      
      uses the public key of said first communication unit to verify the entrust public key certificate and to thereby certify that the entrust public key is generated by said first communication unit.

4. A security processing proxy system, comprising:
- a first communication unit in a wireless multihop network that communicates with a further network, the first communication unit being one of a plurality of multihop communication units that relay messages among themselves in hops so as to communicate with the further network;
  
  a second communication unit outside the wireless multihop network which communicates with the further network; and
  
  a proxy server between the wireless multihop network and the further network which communicates with the further network and which acts for said first communication unit to conduct security processing with said second communication unit via the further communication network, the security processing including key exchange processing, authentication processing, or processing for providing compatibility of encryption schemes,wherein each of the second communication unit and the proxy server is connected to the further network independently of each other,wherein said first communication unit holds a public key of said first communication unit certified by a certification authority on a public key infrastructure (PKI), a secret key of said first communication unit, and a public key certificate of said first communication unit as well as a certification authority public key for verifying the public key certificate as being issued by the certificate authority on the PKI,wherein said first communication unit includes;
  
  a receiver receiving from said proxy server the public key certificate of said proxy server certified by the certification authority on the PKI; and
  
  a delegation information generator using the certification authority public key to verify the public key certificate of said proxy server and to thereby acquire the public key of said proxy server via the multihop network,wherein said delegation information generator produces an entrust public key certificate for certifying that the public key of said proxy server is signed by the secret key of said first communication unit, and additionally uses the entrust public key certificate and the public key certificate of said first communication unit to generate delegation information necessary for the security processing, and additionally sends the delegation information to said proxy server,wherein said proxy server includes;
  
  a delegation information acquirer acquiring the delegation information from said first communication unit via the multihop network; and
  
  a security processing proxy transmitting the delegation information to said second communication unit to perform the security processing with said second communication unit,wherein said second communication unit includes;
  
  a receiver receiving the delegation information from said proxy server via the further network; and
  
  a security processor using the certification authority public key acquired beforehand for verifying that the public key certificate as being issued by the certification authority on the PKI to certify that the delegation information is generated by said first communication unit to thereby carry out the security processing with said proxy server, andwherein at least one of said first communication unit, said second communication unit, and said proxy server is implemented on a computer.
- View Dependent Claims (5, 6)
- - 5. The security processing proxy system in accordance with claim 4,wherein said delegation information generator generates delegation information including information about a term of validity, andwherein said security processor derives the information about the term of validity from the delegation information to determine whether or not the delegation information is valid to thereby carry out the security processing with said proxy server.
  - 6. The security processing proxy system in accordance with claim 4,wherein said security processor uses the certification authority public key to verify the public key certificate of said first communication unit and the entrust public key certificate and to thereby acquire the public key of said first communication unit and the public key of said proxy server, andwherein said security processor uses the public key of said first communication unit to verify the entrust public key certificate to thereby certify that the entrust public key is produced by said first communication unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OKI Electric Industry Company Limited
Original Assignee
OKI Electric Industry Company Limited
Inventors
Yao, Taketsugu, Nakashima, Jun, Fukui, Kiyoshi
Primary Examiner(s)
King, John B

Application Number

US13/630,226
Publication Number

US 20130086378A1
Time in Patent Office

1,775 Days
Field of Search

713156
US Class Current
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0884   by delegation of authentica...

H04L 9/006   involving public key infras...

Proxy system for security processing without entrusting certified secret information to a proxy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

6 Claims

Specification

Use Cases

Quick Links

Others

Proxy system for security processing without entrusting certified secret information to a proxy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

6 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others