Facilitating access control in peer-to-peer overlay networks
Abstract
Methods and apparatuses are provided for facilitating access controls for digital objects stored within a peer-to-peer overlay network. A privacy-preserving method is provided for matching identities between a first peer node and a second peer node in a peer-to-peer network. Such identity matching may be used, for example, to ascertain whether the first peer node should provide access to certain digital object stored in the peer-to-peer overlay network. Rather than providing its identities in an unprotected format, the second peer may provide its identities to the first peer node in a concealed representation so as to prevent the first peer from learning about non-matching identities. Such concealed representation may be a data structure that cryptographically conceals one or more identities of the second peer node or a user of the second peer node within a shared data space of the data structure.
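The matching flow the abstract describes, as an added example that is not code from the patent. It assumes a Bloom-filter-style bit array as the shared data space and HMAC-SHA-256 keyed by a per-request nonce to spread each identity across it; every name, size and sample identity here is constructed.

```python
import hashlib
import hmac
import os

M_BITS = 256   # size of the shared data space (assumed value)
K_HASHES = 4   # bit positions set per identity (assumed value)

def positions(identity: str, nonce: bytes) -> set[int]:
    """Map one identity to K_HASHES pseudo-random positions in the shared space."""
    out = set()
    for i in range(K_HASHES):
        digest = hmac.new(nonce, bytes([i]) + identity.encode(), hashlib.sha256).digest()
        out.add(int.from_bytes(digest[:8], "big") % M_BITS)
    return out

def conceal(identities, nonce: bytes) -> int:
    """Fold identities into one bit array (held as an int); order is not preserved."""
    bits = 0
    for ident in identities:
        for p in positions(ident, nonce):
            bits |= 1 << p
    return bits

def potential_matches(first: int, access_identities, nonce: bytes) -> list[str]:
    """Validating peer: build a second structure per access identity, then test
    whether all of its bits are present in the requester's first structure."""
    hits = []
    for access_id in access_identities:
        second = conceal([access_id], nonce)
        if first & second == second:
            hits.append(access_id)
    return hits

def run_exchange(requester_ids, access_identities, nonce=None):
    """One request: returns (potential matches, matches the requester can back up)."""
    nonce = nonce or os.urandom(16)
    first = conceal(requester_ids, nonce)                     # sent with the request
    hits = potential_matches(first, access_identities, nonce)  # validator's reply
    # A hit is only a potential match (bit collisions happen), so the requester
    # must still present authentication data for it. Stand-in for that step:
    # keep only the hits the requester really holds.
    confirmed = [h for h in hits if h in requester_ids]
    return hits, confirmed
```

A structure with every bit set passes the subset test for any access identity, which is why the comparison yields only a potential match and access still depends on the authentication data. The structure also does not stop a validating peer from testing guesses for low-entropy identities against it.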
47 Claims
1. A method operational in a requesting peer node, comprising:
- generating a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
- sending the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A requesting peer node, comprising:
- a communication interface for communicating with other peer nodes over an overlay network;
- a processing circuit coupled to the communication interface, the processing circuit adapted to:
  - generate a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
  - send the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node match or the user of the requesting peer node corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
Dependent claims: 14, 15, 16, 17, 18, 19
20. A requesting peer node, comprising:
- means for generating a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
- means for sending the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node or the user of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
Dependent claims: 21, 22, 23, 24
25. A non-transitory processor-readable medium comprising instructions operational on a requesting peer node, which when executed by a processor cause the processor to:
- generate a first data structure that cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space; and
- send the first data structure to a validating peer node as part of a request to access a digital object stored by the validating peer node, wherein the digital object is accessible to the requesting peer node if the one or more identities of the requesting peer node or the user of the requesting peer node match corresponding one or more identities of the validating peer node by sending authentication data corresponding to the matching access identity to the validating peer node.
Dependent claims: 26
27. A method operational in a validating peer node, comprising:
- receiving a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
- obtaining one or more access identities that are allowed to access the digital object;
- generating a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
- performing a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
- sending information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object, wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36, 37
38. A validating peer node, comprising:
- a communication interface for communicating with other peer nodes over an overlay network;
- a processing circuit coupled to the communication interface, the processing circuit adapted to:
  - receive a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
  - obtain one or more access identities that are allowed to access the digital object;
  - generate a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
  - perform a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
  - send information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object, wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
Dependent claims: 39, 40, 41
42. A validating peer node, comprising:
- means for receiving a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
- means for obtaining one or more access identities that are allowed to access the digital object;
- means for generating a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
- means for performing a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
- means for sending information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object, wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
Dependent claims: 43, 44
45. A non-transitory processor-readable medium comprising instructions operational on a validating peer node, which when executed by a processor causes the processor to:
- receive a first data structure from a requesting peer node as part of a request to access a digital object, where the first data structure cryptographically conceals one or more identities of the requesting peer node or a user of the requesting peer node within a shared data space of the first data structure, wherein a representation of each of the one or more identities is uniformly and randomly distributed along the shared data space;
- obtain one or more access identities that are allowed to access the digital object;
- generate a second data structure for each of the access identities, where the second data structure cryptographically conceals an access identity of the digital object;
- perform a comparison between the first data structure and the second data structure to ascertain whether there is an intersection of identities indicating a potential match; and
- send information to the requesting peer node indicating whether one or more identities of the requesting peer node or the user of the requesting peer node is a match to one or more access identities that are allowed to access the digital object, wherein the requesting peer node is configured to provide authenticating data if any of the one or more identities of the requesting peer node or the user of the requesting peer node is a match to the one or more access identities that are allowed to access the digital object, where the authenticating data corresponds to a matching access identity.
Dependent claims: 46, 47
Specification