Facilitating access control in peer-to-peer overlay networks

US 8,880,880 B2
Filed: 07/29/2011
Issued: 11/04/2014
Est. Priority Date: 07/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method operational in a requesting peer node, comprising:

generating a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and

sending the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are provided for facilitating access controls for digital objects stored within a peer-to-peer overlay network. A privacy-preserving method is provided for matching identities between a first peer node and a second peer node in a peer-to-peer network. Such identity matching may be used, for example, to ascertain whether the first peer node should provide access to certain digital object stored in the peer-to-peer overlay network. Rather than providing its identities in an unprotected format, the second peer may provide its identities to the first peer node in a concealed representation so as to prevent the first peer from learning about non-matching identities. Such concealed representation may be a data structure that cryptographically conceals one or more identities of the second peer node or a user of the second peer node within a shared data space of the data structure.

21 Citations

View as Search Results

47 Claims

1. A method operational in a requesting peer node, comprising:
- generating a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
  
  sending the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - receiving information from the validating peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to a corresponding identity of the validating peer node, thereby enabling access to the digital object.
  - 3. The method of claim 2, further comprising:
    - identifying a first identity as a match from the received information;
      
      selecting authentication data corresponding to the first identity; and
      
      sending the selected authentication data to the validating peer node to authenticate access to the digital object.
  - 4. The method of claim 3, further comprising:
    - obtaining access to the digital object if the selected authentication data is successfully authenticated by the validating peer node.
  - 5. The method of claim 2, wherein the information received from the validating peer node includes a second data structure, the second data structure cryptographically concealing an access identity of the digital object and further comprising:
    - comparing the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
      
      accessing the digital object based on the intersection of identities.
  - 6. The method of claim 1, wherein the one or more identities of the requesting peer node or the user of the requesting peer node comprise group identities and the digital object includes data for which access is limited to members of a group corresponding to a certain one of the group identities.
  - 7. The method of claim 1, wherein the requesting peer node and the validating peer node communicate wirelessly over an overlay peer-to-peer network.
  - 8. The method of claim 1, wherein the first data structure is a binary vector in which each of the one or more identities are represented by a plurality of bits that are uniformly and randomly distributed along the binary vector.
  - 9. The method of claim 8, wherein the binary vector is generated by:
    - applying a cryptographic hash function to a first identity to generate a binary string;
      
      partitioning the binary string into binary segments;
      
      converting each binary segment into a position index within the binary vector; and
      
      setting a vector value at an indicated position index of the binary vector to a non-default value.
  - 10. The method of claim 9, wherein a plurality of additional identities are converted to position indexes that are set in the binary vector to the non-default value.
  - 11. The method of claim 1, wherein the first data structure is a Bloom filter vector in which each identity is represented by a plurality of bits uniformly and randomly distributed along the Bloom filter vector.
  - 12. The method of claim 1, wherein the first data structure is a probabilistic data structure where false positive identity matches are possible.

13. A requesting peer node, comprising:
- a communication interface for communicating with other peer nodes over an overlay network;
  
  a processing circuit coupled to the communication interface, the processing circuit adapted to;
  
  generate a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
  
  send the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node,wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node match or the user of the requesting peer node corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The requesting peer node of claim 13, wherein the processing circuit is further adapted to:
    - receive information from the validating peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to a corresponding identity of the validating peer node, thereby enabling access to the requested digital object.
  - 15. The requesting peer node of claim 14, wherein the processing circuit is furtheradapted to:
    - identify a first identity as a match from the received information;
      
      select authentication data corresponding to the first identity; and
      
      send the selected authentication data to the validating peer node to authenticate access to the digital object.
  - 16. The requesting peer node of claim 15, wherein the processing circuit is further adapted to:
    - obtain access to the digital object if the selected authentication data is successfully authenticated by the validating peer node.
  - 17. The requesting peer node of claim 14, wherein the information received from the validating peer node includes a second data structure, the second data structure cryptographically concealing an access identity of the digital object and wherein the processing circuit is further adapted to:
    - compare the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
      
      access the digital object based on the intersection of identities.
  - 18. The requesting peer node of claim 13, wherein the first data structure comprises a binary vector in which each of the one or more identities are represented by a plurality of bits that are uniformly and randomly distributed along the binary vector.
  - 19. The requesting peer node of claim 18, wherein the binary vector isgenerated by:
    - applying a cryptographic hash function to a first identity to generate a binary string;
      
      subdividing the binary string into binary segments;
      
      converting each binary segment into a position index within the binary vector; and
      
      setting a vector value at an indicated position index of the binary vector to a non-default value.

20. A requesting peer node, comprising:
- means for generating a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
  
  means for sending the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node,wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node or the user of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The requesting peer node of claim 20, further comprising:
    - means for receiving information from the validating peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to a corresponding identity of the validating peer node, thereby enabling access to the requested digital object.
  - 22. The requesting peer node of claim 21, further comprising:
    - means for identifying a first identity as a match from the received information;
      
      means for selecting authentication data corresponding to the first identity; and
      
      means for sending the selected authentication data to the validating peer node to authenticate access to the digital object.
  - 23. The requesting peer node of claim 22, further comprising:
    - means for obtaining access to the digital object if the selected authentication data is successfully authenticated by the validating peer node.
  - 24. The requesting peer node of claim 21, wherein the information received from the validating peer node includes a second data structure, the second data structure cryptographically concealing an access identity of the digital object and further comprising:
    - means for comparing the first data structure and the second data structure, wherein the requesting peer node is configured to access the digital object if there is a match of at least one identity of the requesting peer node and the validating peer node.

25. A non-transitory processor-readable medium comprising instructions operational on a requesting peer node, which when executed by a processor cause the processor to:
- generate a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
  
  send the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node or the user of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
- View Dependent Claims (26)
- - 26. The processor-readable medium of claim 25, comprising further instructions which when executed by a processor cause the processor to:
    - receive information from the validating peer node indicating whether any of the one or more identities of the requesting peer node is a match to a corresponding identity of the validating peer node, wherein the information received from the validating peer node includes a second data structure, the second data structure cryptographically concealing an access identity of the digital object;
      
      compare the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
      
      access the digital object based on the intersection of identities.

27. A method operational in a validating peer node, comprising:
- receiving a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
  
  obtaining one or more access identities that are allowed to access the digital object;
  
  generating a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
  
  performing a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
  
  sending information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object,wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 28. The method of claim 27, wherein the information sent to the requesting peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the requested digital object comprises a matching identity or a concealed version of a matching identity.
  - 29. The method of claim 28, further comprising:
    - receiving authentication data associated with a matching identity identified by the validating peer device; and
      
      granting the requesting peer node access to the requested digital object if the received authentication data is successfully authenticated.
  - 30. The method of claim 29, further comprising:
    - authenticating the authentication data to verify that the requesting peer node is a member of a group identified by the matching identity.
  - 31. The method of claim 28, wherein the information sent to the requesting peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the requested digital object comprises a matching identity.
  - 32. The method of claim 28, wherein the information sent to the requesting peer node indicating whether any of the one or more identities of the requesting peer node is a match to the one or more access identities that are allowed to access the requested digital object comprises a concealed version of the matching identity.
  - 33. The method of claim 27, wherein the first data structure is a binary vector in which each of the one or more identities of the requesting peer node or the user of the requesting peer node are represented by a plurality of bits that are uniformly and randomly distributed along the binary vector.
  - 34. The method of claim 33, wherein at least one of the first data structure and the second data structure is a Bloom filter vector in which each identity is represented by a plurality of bits uniformly and randomly distributed along the binary vector.
  - 35. The method of claim 27, wherein the second data structure is abinary vector is generated by:
    - applying a cryptographic hash function to a first identity to generate a binary string;
      
      partitioning the binary string into binary segments;
      
      converting each binary segment into a position index within the binary vector; and
      
      setting a vector value at an indicated position index of the binary vector to a non-default value.
  - 36. The method of claim 27, wherein the requested digital object is stored by the validating peer node.
  - 37. The method of claim 27, wherein the requested digital object is stored by a storing peer node.

38. A validating peer node, comprising:
- a communication interface for communicating with other peer nodes over an overlay network;
  
  a processing circuit coupled to the communication interface, the processing circuit adapted to;
  
  receive a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
  
  obtain one or more access identities that are allowed to access the digital object;
  
  generate a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
  
  perform a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
  
  send information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object,wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
- View Dependent Claims (39, 40, 41)
- - 39. The validating peer node of claim 38, wherein the information sent to the requesting peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the requested digital object comprises a concealed version of a matching identity.
  - 40. The validating peer node of claim 39, wherein the processing circuit is further adapted to:
    - receive authentication data associated with a matching identity identified by the validating peer device; and
      
      grant the requesting peer node access to the requested digital object if the received authentication data is successfully authenticated.
  - 41. The validating peer node of claim 40, wherein the processing circuit is further adapted to:
    - authenticate the authentication data to verify that the requesting peer node is a member of a group identified by the matching identity.

42. A validating peer node, comprising:
- means for receiving a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
  
  means for obtaining one or more access identities that are allowed to access the digital object;
  
  means for generating a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
  
  means for performing a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
  
  means for sending information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object,wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
- View Dependent Claims (43, 44)
- - 43. The validating peer node of claim 42, wherein the information sent to the requesting peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the requested digital object comprises a concealed version of a matching identity.
  - 44. The validating peer node of claim 43, further comprising:
    - means for receiving authentication data associated with a matching identity identified by the validating peer device; and
      
      means for granting the requesting peer node access to the requested digital object if the received authentication data is successfully authenticated.

45. A non-transitory processor-readable medium comprising instructions operational on a validating peer node, which when executed by a processor causes the processor to:
- receive a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
  
  obtain one or more access identities that are allowed to access the digital object;
  
  generate a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
  
  perform a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
  
  send information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object,wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
- View Dependent Claims (46, 47)
- - 46. The processor-readable medium of claim 45 wherein the information sent to the requesting peer node indicating whether any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object comprises a concealed version of a matching identity.
  - 47. The processor-readable medium of claim 46 comprising further instructions which when executed by a processor causes the processor to:
    - receive authentication data associated with a matching identity identified by the validating peer device; and
      
      grant the requesting peer node access to the digital object if the received authentication data is successfully authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Mao, Yinian, Craig, David W.
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US13/194,812
Publication Number

US 20130031367A1
Time in Patent Office

1,194 Days
Field of Search

713/168, 726/4
US Class Current

713/168
CPC Class Codes

H04L 63/0407   wherein the identity of one...

H04L 63/10   for controlling access to d...

H04L 67/104   Peer-to-peer [P2P] networks

Facilitating access control in peer-to-peer overlay networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating access control in peer-to-peer overlay networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links