Private key/public key resource protection scheme
Abstract
A method and apparatus of enabling access to a resource secured with a shared access control mechanism is provided. The method includes providing a public key and an authentication protected private key for a user. The private key is released to the user after receiving correct authentication. In one embodiment, the authentication may be one or more of a password, pass phrase, biometric, and smart card. The private key may be used to release the shared access control mechanism for the resource. In one embodiment, a plurality of users may have their private key provide access to the shared access control mechanism.
20 Claims
1. A method comprising:
- securing a resource with an access control mechanism;
- provisioning the secured resource for access by:
  - identifying a plurality of users for provisioning, wherein the plurality of users may or may not be present for provisioning,
  - identifying any users of the plurality of users having a public key in the provisioning system,
  - identifying any users of the plurality of users having a public key from a public/private key in a directory external to the provisioning system,
  - notifying the users in the plurality of users that do not have the public/private key pair that provisioning is unavailable and instructing the users to generate a key pair for access to the resource, and provide the key pair to an administrator,
  - modifying the plurality of users for provisioning to include only users that have a public/private key pair but not including users without the public/private key pair, to yield a plurality of users that can be provisioned, and
  - constructing a public key collection of the public keys in the provisioning system and the public keys retrieved from the directory,
  - encrypting the access control mechanism for the plurality of users that can be provisioned, with the plurality of user public keys in the public key collection;
- having each of the plurality of user private keys associated with the plurality of user public keys protected by an authentication mechanism, such that the access control mechanism is released to make available the secured resource with the user private key, and the user private key is released by the authentication mechanism; and
- in order to add access to the resource to an additional user, decrypting the access control mechanism using an existing private key, adding a new public key of the additional user to the plurality of user public keys, and encrypting the access control mechanism using the plurality of public keys including the new public key of the additional user.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. An apparatus comprising:
- a secured resource protected by an access control mechanism;
- a first processor implementing a crypto-logic designed to provision the secured resource, the first processor comprising: a provisioning logic to identify a first plurality of users for provisioning, the provisioning logic further to collect a first one or more public keys from within the provisioning logic and a second one or more public keys from a directory for at least one of the first plurality of users, the first processor further to modify the first plurality of users to include only users that have a public/private key pair to yield a plurality of users that can be provisioned, and notifying the keyless users that provisioning is unavailable and instructing the users to generate a key pair, and providing the key pair to an administrator;
- a second processor implementing key construction/release logic to enable a user in the plurality of users that can be provisioned to release a protected private key, associated with the user public key, when a user is successfully authenticated, the private key used to decrypt the access control mechanism and thereby provide access to the secured resource;
- the first processor to enable addition of a new user to the access control mechanism by decrypting the access control mechanism using a provisioned private key, and parallel encrypting the access control mechanism with an updated plurality of user public keys including the public key of the new user.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A method comprising:
- identifying a plurality of users, wherein the plurality of users need not be present, to be provisioned for access to a secured resource;
- for each user in the plurality of users, determining whether there is a public key in a provisioning system, when the user does not have the public key in the provisioning system, determining whether the user has the public key in an external directory system, and when the user does not have the public key in the external directory system, identifying the user as a keyless user;
- obtaining at least one public key/private key pair for one or more users of the plurality of users to be provisioned for access to the secured resource, from the provisioning system and the external directory system;
- modifying the first plurality of users to include only users that have a public/private key pair to yield a plurality of users that can be provisioned;
- notifying the keyless user that provisioning is unavailable, and instructing the keyless user to generate a key pair, and to provide their newly generated key pair to an administrator, wherein the private key of the key pair is provided as a protected key; and
- encrypting an access mechanism to the secured resource using parallel encryption including the at least one public key for the plurality of users that can be provisioned.

Dependent claims: 20.
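The provisioning, parallel encryption, release and add-user steps of claims 1, 10 and 19 as an added Go example; this is not code from the patent or from any product. It assumes RSA-OAEP as the per-user wrap, a 32-byte resource key standing in for the access control mechanism, and in-memory maps for the provisioning system's own key store and the external directory; protecting each private key behind the authentication mechanism is outside this block, so Open receives a private key the caller has already released.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is the encrypted access control mechanism: one wrap of the same resource key per user id.
type Envelope map[string][]byte
// Provision checks the provisioning system's own store first, then the external directory;
// users found in neither are returned as keyless, to be notified and told to generate a pair.
func Provision(users []string, local, dir map[string]*rsa.PublicKey) (map[string]*rsa.PublicKey, []string) {
	keys, keyless := map[string]*rsa.PublicKey{}, []string{}
	for _, u := range users {
		if pk, ok := local[u]; ok {
			keys[u] = pk
		} else if pk, ok := dir[u]; ok {
			keys[u] = pk
		} else {
			keyless = append(keyless, u)
		}
	}
	return keys, keyless
}
// Seal encrypts the resource key in parallel under every public key in the collection (RSA-OAEP is an assumption).
func Seal(resourceKey []byte, keys map[string]*rsa.PublicKey) (Envelope, error) {
	env := Envelope{}
	for u, pk := range keys {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, resourceKey, nil)
		if err != nil {
			return nil, err
		}
		env[u] = ct
	}
	return env, nil
}
// Open releases the resource key with a private key the authentication mechanism has already released;
// a user with no entry in the envelope has no ciphertext, so DecryptOAEP returns an error.
func Open(env Envelope, user string, sk *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, sk, env[user], nil)
}
// AddUser: an existing member opens the envelope, the new public key joins the collection, re-seal to all.
func AddUser(env Envelope, who string, sk *rsa.PrivateKey, keys map[string]*rsa.PublicKey, newUser string, pk *rsa.PublicKey) (Envelope, error) {
	rk, err := Open(env, who, sk)
	if err != nil {
		return nil, err
	}
	keys[newUser] = pk
	return Seal(rk, keys)
}
```

Re-sealing after AddUser rewraps the same resource key, so adding a user never needs the resource itself to be re-encrypted; removing a user would instead require a fresh resource key, which the claims do not cover.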
Specification