System and method for privilege delegation and control
First Claim
1. A system for delegating a privilege and associated attributes from a security token to at least a first data processing unit, said privilege enabling access to at least one resource by said at least a first data processing unit subject to requirements prescribed in said associated attributes comprising:
- i. said security token including said privilege and said associated attributes and delegation means for delegating said privilege to said at least a first data processing unit, ii. said at least a first data processing unit including privilege processing means for implementing said privilege in accordance with said requirements prescribed in said associated attributes, iii. communications means for performing data exchanges between said security token and said at least a first data processing unit.
4 Assignments
0 Petitions
Accused Products
Abstract
This invention provides a privilege delegation mechanism, which allows a privilege and associated control attributes to be delegated from a security token to another security token or an intelligent device such as a computer system. The privilege may be in the form of an attribute certificate, a key component of a cryptographic key, a complete cryptographic key, digital certificate, digital right, license or loyalty credits. The purpose of the delegation is to allow another security token or computer system to act as a surrogate for the security token or to access a resource which requires components from both units before access is permitted. Attributes associated with the delegated privilege control the scope and use of the privilege. The delegation may allow the surrogate to perform authentications, access data or resources included on another security token or computer system. Authentications are performed prior to transferring of the delegable privileges.
147 Citations
42 Claims
-
1. A system for delegating a privilege and associated attributes from a security token to at least a first data processing unit, said privilege enabling access to at least one resource by said at least a first data processing unit subject to requirements prescribed in said associated attributes comprising:
-
i. said security token including said privilege and said associated attributes and delegation means for delegating said privilege to said at least a first data processing unit, ii. said at least a first data processing unit including privilege processing means for implementing said privilege in accordance with said requirements prescribed in said associated attributes, iii. communications means for performing data exchanges between said security token and said at least a first data processing unit. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A system for delegating a privilege from a security token to at least a first data processing unit, wherein said privilege enables said at least a first data processing unit to perform a function selected from the group consisting of;
surrogate operations for said security token, terminal activation, personalization of an intelligent device, access to a resource included in or accessible through at least a second data processing unit, or loyalty credit management. - View Dependent Claims (15)
-
16. A method for delegating a privilege having associated attributes from a security token to at least a first data processing unit, said privilege enabling said at least a first data processing unit to use said privilege subject to requirements prescribed in said associated attributes, said method comprising:
-
i. performing a mutual authentication transaction between said security token and said at least a first data processing unit, ii. securely transferring said privilege including said associated attributes to said at least a first data processing unit, iii. using said privilege as prescribed by said associated attributes. - View Dependent Claims (17, 18, 19, 20)
-
-
21. A privilege delegation system comprising:
-
i. a security token including at least one delegable privilege and attributes associated with said delegable privilege, ii. at least a first data processing unit including means to use said privilege subject to requirements prescribed in said associated attributes. - View Dependent Claims (22, 23, 24, 25, 26, 27)
-
-
28. A privilege delegation system comprising:
-
i. a security token including at least a first part of a delegable privilege and attributes associated with said first part of said delegable privilege and transfer means for transferring said first part of said delegable privilege and said attributes to at least a first data processing unit, ii. said at least a first data processing unit including a second part of said delegable privilege, first combining means for combining said first part of said delegable privilege with said second part of said delegable privilege to form an operable privilege. - View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
-
Specification