[go: up one dir, main page]

CN102171686A - System and method that uses cryptographic certificates to define groups of entities - Google Patents

System and method that uses cryptographic certificates to define groups of entities Download PDF

Info

Publication number
CN102171686A
CN102171686A CN2008801303786A CN200880130378A CN102171686A CN 102171686 A CN102171686 A CN 102171686A CN 2008801303786 A CN2008801303786 A CN 2008801303786A CN 200880130378 A CN200880130378 A CN 200880130378A CN 102171686 A CN102171686 A CN 102171686A
Authority
CN
China
Prior art keywords
group
stakeholder
prerequisite
title
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2008801303786A
Other languages
Chinese (zh)
Other versions
CN102171686B (en
Inventor
R·威廉·贝克威思
杰弗里·G·马歇尔
杰弗里·W·奇尔顿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Objective Interface Systems Inc
Original Assignee
Objective Interface Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Objective Interface Systems Inc filed Critical Objective Interface Systems Inc
Publication of CN102171686A publication Critical patent/CN102171686A/en
Application granted granted Critical
Publication of CN102171686B publication Critical patent/CN102171686B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A system and method for issuing a cryptographic certificate comprises describing one or more prerequisite condition on the cryptographic certificate. The one or more prerequisite conditions comprise membership in one or more prerequisite group of entities. An entity may be a participant, a resource or a privilege, etc. The present invention also requires naming one or more target groups of entities on the cryptographic certificate. One or more prerequisite group stakeholder that authorizes an entity in the one or more prerequisite group of entities to be added as members in another group of entities sign the cryptographic certificate. The cryptographic certificate is also signed by one or more target group stakeholders that authorizes an entity to be added as a member of the one or more target groups. Exemplary prerequisite conditions relate to one or more of a membership in another group of entities, a physical characteristic, a temporal characteristic, a location characteristic or a position characteristic, among others.

Description

Access to your password and learn the system and method that certificate defines group of entities
Technical field
The present invention relates to information security field on the whole, relates in particular to protection system on cryptography.
Background technology
Cryptography is relevant with the encrypt/decrypt of the authentication of information security and relevant issues, especially identity and information mathematics and computer science subject.In so-called " data (data-in-movement) in moving " were used, cryptography had been widely used in protecting the information flow of communicating by letter on the communication channel between the participant (for example client node).Cryptography also is applied to the information in protected data storage medium and the database in so-called " being in static data (data-at-rest) " uses.
Symmetric cryptography and asymmetric cryptography are learned and are to use the key with one or more secret parameter to authenticate and the algorithm of the known class of the encryption and decryption of information.In symmetric cryptography, the shared secret that the key representative is known between the communication participant in advance.Utilize the system of symmetric-key algorithm protection to use simple relatively encryption and decryption to calculate.Shared secret be selected, distributes and be safeguarded in this system also need between the communication participant.Destroy and potential discovery for fear of cryptography adversary's security, shared key must often be changed and kept safety during distributing and in the service, and this makes the symmetric-key cryptography impracticable and be difficult to scalable for protecting big system.
Asymmetric cryptography is learned and is used relevant key on a pair of mathematics that is called as PKI and private key, and it has been avoided and need know shared key in advance between the communication participant.Although intensity is bigger on calculating, asymmetric key cryptography has overcome the scalability shortcoming that is associated with the symmetric-key cryptography.(public key infrastructure PKI) is to use asymmetric key cryptography to protect the known system of information to Public Key Infrastructure.In this system, use the private key of creating at random to come digital signing message a side of a computer installation, come certifying signature and use from the PKI of the distribution of this private key derivation a side of another computer installation.The PKI of communication participant is distributed in the corresponding letter of identity, and wherein said letter of identity also is called public key certificate, is to be called being issued by trusted parties of certificate agency (CA) by one or more.Like this, PKI is to having those side's private message of private key, and letter of identity allow to have the PKI that is associated and letter of identity either party verify out that this message creates with private key.Therefore, PKI makes the communication party can authenticate and use the public key information in the letter of identity to come message is carried out encryption and decryption each other, thereby sets up message confidentiality, integrality and authentication and need not exchange in advance and share key.
Each letter of identity comprises digital signature, and digital signature is with PKI and by the identity binding such as the representative of information such as title, e-mail address.By this certificate of digital signing, CA has confirmed that PKI belongs to this identity, that is, and and the people who writes down in this certificate, tissue, server or other entity.CA usually is the third party that the issue digital certificate is trusted for the quilt of communication party's use.Trust and require to force CA to verify communication party's identity secret in some way.Suppose that then they can verify out that also PKI belongs to anyone who is identified in this certificate really if the communication party trusts CA and can verify its signature.
Some enterprise-level PKI systems rely on certificate chain to set up a side identity.In suc scheme, certificate can be issued by CA, and the legitimacy of this CA is set up by the CA of higher level for this reason, and the like.This has produced the certificate level of being made up of several CA (usually being the tissue more than).CA can use the issue of managing certificate from the various computing machines in several sources and supporting interoperability software package.This makes that operation is crucial to standard for PKI.IETF PKIX working group relates to the standardization of the public key certificate form that comprises the certificate standard that is called as X.509.
The various point-to-point secure communication protocols of learning that access to your password are known.The example of these agreements comprises secure socket layer (ssl), Transport Layer Security (TLS), containment (SSH), IP security (IPsec) and the high Internet Protocol inter-operability specification (HAIPIS) that ensures.SSL and TLS be for providing the authentication of cryptography end points in the application based on the intra network communication of client-server, with the eavesdropping that prevents communication period, distort with message and forge.SSH allows to set up one group of standard of safe lane and the procotol that is associated between local computer and remote computer.This agreement cryptography that uses public-key authenticates remote computer.Thereby IPsec encrypts the standard that protection Internet Protocol (IP) is communicated by letter in order to realize authentication, data confidentiality and message integrity to all IP bags.HAiPE (the high Internet Protocol encryption equipment that ensures) is the Class1 encryption device of observing the HAIPEIS of national security agency (NSA).Employed cryptography is also by external member A and the external member B of NSA regulation as the part of cryptography up-to-dateness.HAIPEIS is based on Ipsec's, but has additional restriction and enhancing.HAIPE normally allows the security gateway of two enclaves (enclave) swap data on the network of un-trusted or low classification.Conventional security system such as the security system of using above-mentioned agreement in, based on CA to the authentication of communication party's identity, usually by transmitting encrypted message on the channel of fire wall in network.As long as communication party's identity is certified, conventional security system just allows the communication party to communicate with one another on channel.
Usually use based on the voucher that the user provided visit to resource is provided.Usually, these application verifications user's role and provide visit to resource based on this role.Usually in finance or commercial the application, use the role to come implementation strategy.For example, whether application can be that the size that the member that stipulates the role aligns processed transaction applies restriction according to making requesting users.The office worker can have handling the mandate less than the transaction of defined threshold, and the person in charge can have looser restriction, and the vice president can have looser restriction (or having no restriction).Can also work as the security of using when a plurality of approvals of application need come execution based on the role.This situation can be a purchase system, and wherein any employee can generate the request of purchase, but has only the purchasing agent this request can be converted to the purchase order that can be sent to supplier.
A kind of known identity management system based on the role is that the .NET Framework by Microsoft provides.Under .Net Framework, the identity and the role of " responsible official " representative of consumer, and make action for user's interests..Net Framework uses to make based on responsible official's identity or Role Membership's qualification or these two and authorizes decision.The role is the responsible official (as teller or keeper) who has the designated groups of identical privilege about security.The responsible official can be the member among one or more roles.Therefore, application can use Role Membership's qualification to determine whether the responsible official is authorized to carry out the action of being asked.
Another kind of system based on the role is called Eurekify Sage Enterprise RoleManager (ERM)
Figure BPA00001294422800031
The analysis cooperation platform, it allows tissue to create privilege mode based on the role that also management is disposed in target platform.Sage ERM makes benefit that tissue can utilize the access control (RBAC) based on the role from commercial their privilege of angle management and strategy and realize their identity management and observe target.
At present, Object Management Group OMG has drafted suggestion and has solicited (OMG Document:bmi/2008-02-07), so that define based on role's access control (RBAC) strategy and by RBAC personnel's mandate that working time, environment applied based on role's access strategy (RBAP) meta-model.This meta-model intention becomes the model that is independent of platform (PIM) of the exchange of supporting the RBAP model between modeling tool and the working time system.
In another kind of classic method, be also referred to as the system (http://dsd.lbl.gov/security/Akenti/homepage.html) that the breadboard Lao Lunsi Berkeley of Berkeley National Laboratory has developed a kind of Akenti of being called.Akenti has solved the problem that occurs when permission is carried out limited accass to the resource in the distributed network of being controlled by a plurality of stakeholder.Akenti provides a kind of and has expressed and implement access control policy and do not need the method for central implementer and management organization.The framework intention of Akenti provides scalable security service in distributed network environment.Akenti is designed to allow each stakeholder of resource to implement the access control requirement that it is independent of other stakeholder.Akenti allows each stakeholder to change its requirement at any time and be sure of that new demand will come into force, and the high protection of integrality and the anti-property denied (non-repudiability) is provided in the expression that access control requires.
Akenti has utilized the certificate of digital signing.Certificate can be stated identity (letter of identity), confirms the attribute (Attribute certificate) of main body, and the condition (service condition certificate) that satisfy perhaps is described.Certificate among the Akenti can carry authenticating user identification and resource request for utilization and user property mandate." service condition " among the Akenti relates to the potential user must be by producing the stakeholder's that corresponding Attribute certificate satisfy requirement before being allowed to use resource.But this attribute relates to the feature of people or other identified entities.Stakeholder among the Akenti can apply following service condition: promptly, the user must belong to particular group so that the resource that visit is controlled by this stakeholder.Therefore, the user who wants to visit this resource must prove the membership qualification in this particular group by the Attribute certificate of correspondence.Attribute certificate statement user or resource have the specified attribute of specific service condition.
Yet in the system of Akenti, the stakeholder is associated with resource.These stakeholder come the controlling resource visit based on the service condition that requires the user to satisfy the regulation attribute.Under Akenti, as long as the user satisfies the attribute specification of resource stakeholder defined, resource access just is allowed to.One of shortcoming of the system of Akenti is that it does not provide the mechanism that is not the resource stakeholder or stakeholder's security requirement.If resource stakeholder does not stop user access resources, then these non-resources stakeholder does not have the control to the privilege of user access resources.In other words, the resource stakeholder among the Akenti can allow the user to carry out resource access, and the non-resource stakeholder can forbid that the user carries out this visit.
Also know the computer network authentication agreement of a kind of Kerberos of being called, the individuality that its permission is communicated by letter on unsecured network proves their identity each other in the mode of safety.Having implemented the Kerberos agreement by the cover freeware that Massachusetts Institute of Technology (MIT) (MIT) announces, mainly is to make the client-server model that mutual authentication is provided, thus the two checking of client and server identity each other.The Kerberos protocol message is protected not to be eavesdropped and Replay Attack.
Kerberos is based on the symmetric-key cryptography and need be called the third party that the quilt of key Distribution Center (KDC) is trusted, its by two in logic divided portion form: certificate server (AS) and ticket grant service device (TGS).Kerberos is to be used to proving that " ticket " of user identity is element task.
The database of KDC maintenance key; Each entity on the network, no matter client or server are shared and are had only it self and the key known of KDC.Knowing of this key is used to prove identity of entity.For the communication between two entities, KDC generates session key, and this session key can be used for protecting the mutual of them by them.Yet, use the Kerberos agreement, must verify " ticket " by contact KDS or central server, thereby be that the system that is implemented introduces single failpoint.The single failpoint characteristic of kerberos system is disadvantageous for the system with communication capacity intermittently or that tend to fail such as embedded system or autonomous system.
Therefore, because the security requirement in the infosystem becomes complicated more, need come the security system and the method for management access based on advanced and ripe security parameters.
Description of drawings
Fig. 1 shows the example concept figure that divides into groups to according to the mutual client stations participant of reading and writing and read/write privilege and storage resources.
Fig. 2 shows the example set title.
Fig. 3 shows the group membership certificate (GMC) that the precondition that will be associated with entity is tied to target group.
Fig. 4 shows the GMC that the one or more preconditions that will be associated with a plurality of groups are tied to target group.
Fig. 5 is a block diagram of implementing the system of example embodiment of the present invention.
Fig. 6 shows and is used for example GMC that participant is divided into groups.
Fig. 7 shows and is used for example GMC that resource is divided into groups.
Fig. 8 shows and is used for example GMC that privilege is divided into groups.
Summary of the invention
In brief, according to an aspect of the present invention, the system or the method that are used for releasing pin certificate are described one or more preconditions on the cryptography certificate.Precondition comprises the membership qualification in one or more prerequisite group of entities.One or more prerequisite group stakeholder (or mechanism) sign this cryptography certificate, and this prerequisite group stakeholder's (or mechanism) approval is to use the membership qualification in the prerequisite group to make decision necessary.The example decision of making based on this approval can relate to membership qualification in the allowance group, permit access resources or move.In one embodiment, the identity of prerequisite group or title are associated with prerequisite group stakeholder's identity.For example, stakeholder's PKI can be the part of the identity of prerequisite group.In another embodiment, the privilege of certificate granted access resource.Certificate can be by one or more stakeholder or the mechanism signature of control to the visit of privilege or resource.
In addition, a kind of method that is used to handle the cryptography certificate comprises: receive the cryptography certificate, this cryptography certificate is described at least one precondition that comprises the membership qualification at least one prerequisite group of entities; And determine whether this cryptography certificate is signed effectively by at least one prerequisite group stakeholder, and this at least one prerequisite group stakeholder's approval is to use the membership qualification in the prerequisite group to make decision necessary.
According to a further aspect in the invention, a kind of releasing pin that is used for is learned the system and method for certificate and is included in and describes one or more preconditions on the cryptography certificate.These one or more preconditions comprise the membership qualification in one or more prerequisite group of entities.Entity can be participant, resource or privilege etc.The present invention also requires to specify one or more target entity groups on the cryptography certificate.One or more prerequisite group stakeholder or mechanism sign this cryptography certificate, thereby authorize the entity in these one or more prerequisite groups to be added as the member in another group of entities.This cryptography certificate also is added the member's of these one or more target group of conduct one or more target group stakeholder or mechanism's signature by authorized entity.The example precondition relates to one or more in membership qualification, physical features, temporal characteristics, place feature or position feature in another group of entities or the like.
According to more detailed features more of the present invention, the title of one or more prerequisite groups comprises: the title of authorizing one or more prerequisite group stakeholder of the membership qualification of prerequisite group membership in another group; Authorize one or more prerequisite group stakeholder's of the membership qualification in these one or more prerequisite groups title.The title of these one or more prerequisite groups also can comprise one or more prerequisite group disambiguation (disambiguating) identifier.In an example embodiment, these one or more prerequisite group stakeholder's title comprises these one or more prerequisite group stakeholder's PKI.These one or more prerequisite group stakeholder's signature comprises the cryptography signature of the certificate of the private key signature of using this stakeholder.
Similarly, the title of these one or more target group comprises: authorize the target group entity in another group membership qualification or be added to the title of these the one or more target group stakeholder in another group; And authorized entity becomes the member's of these one or more target group one or more target group stakeholder's title.These one or more target group stakeholder's title comprises these one or more target group stakeholder's PKI, and these one or more target group stakeholder's signature comprises the cryptography signature of the certificate of the private key signature of using these one or more target group stakeholder.
According to a further aspect in the invention, a kind of cryptography certificate comprise the title of one or more prerequisite groups, one or more target group title, authorize entity in the prerequisite group become the entity in another group prerequisite group stakeholder one or more cryptographies signatures and authorize the one or more cryptographies signatures that the entity title added to the target group stakeholder of target group.
According to another aspect of the invention, a kind of system that handles the cryptography certificate comprises a plurality of entities.This system also comprises one or more group membership certificates.The title that each group membership certificate comprises the title of the title of one or more prerequisite groups, one or more target group and takes on one or more stakeholder of one or more prerequisite group stakeholder and target group stakeholder.If the group membership certificate is signed on cryptography by the one or more prerequisite group stakeholder that authorize entity in the prerequisite group to become the entity in another group then is effective.This group membership certificate is also signed one or more target group stakeholder that entity adds these one or more target group to by mandate on cryptography.Node receives the cryptography certificate from entity.The effective group membership certificate of this node inspection, if the cryptography certificate that receives is tied to the prerequisite group of appointment in this effective group membership certificate effectively with this entity, then this node adds this entity to the target group of appointment in this effective group membership certificate.
Embodiment
The present invention relates to applied cryptography and learn system or the method that certificate defines group of entities.The entity that is grouped can be different in nature, do not exceed designated or any characteristic of the ability that is identified in the cryptography certificate because require that they have.Example physical comprises physical entity and logic entity, as the execution example of people, processing unit, node, client stations, file system, computer hardware, computer program, read or write access privileges, operating system privilege, storage resources, computational resource and/or the communication resource or other group.
Fig. 1 shows the example concept figure that divides into groups to according to the mutual client stations participant of one or more privileges and storage resources.Participant comprises and can keep secret and can for example use at ANSI X9.63, is known this secret and does not reveal this secret entity to other participant proof by standardized mutual authentication protocol such as Elliptic Curve MQV (ECMQV) agreement among IEEE 1363-2000 and the ISO/IEC 15946-3.In one embodiment, participant can be realized with hardware or software, and the PKI that can access to your password identifies or specifies.Webpage client, SQL client, file server, Ethernet card, subregion, application, node, system, computing machine or device or the like can be participants.
In an example embodiment, participant be can be with resource the directly mutual and entity by resource and other participant indirect interaction.Resource comprises non-participant entity, includes but not limited to any hardware, firmware, data and/or the software that are performed, use, utilize, create or protect.Resource is not a participant.Together example resources be can on cryptography, be grouped into according to the present invention and the file that is stored in the file system, the port in the network stack, the random access memory in the computing machine etc. comprised.Other example resources comprises any spendable processing power, link, communication channel, I/O bus, memory bus, hardware or software and socket character library (socket library), protocol stack, device driver etc.Resource can also comprise the encryption/decryption element according to any asymmetric and/or symmetric-key cryptographic algorithm and the method suitably of the invention process.
In an exemplary embodiment of the present invention, resource is the entity that can be acted on or be consumed by those participants with necessary privilege.Privilege comprises admissible mutual between one or more participants and the one or more resource.For example the privilege that is associated with file resource can comprise the privilege that reads and/or write to this document resource from this document resource.Another example is to use the privilege of random-access memory (ram) working procedure.
As mentioned above, in an example embodiment, specify or the sign participant, because they can keep secret and can know this secret and can not reveal this secret to other participant proof with the cryptography PKI.Yet, use have the details that is enough to identifying resource or privilege, to the description of resource or privilege specify, indication or identifying resource and privilege.
In general, the present invention relates to use and create as determining that whether one or more designated entities (for example participant, resource or privilege) are the system or the method for one or more certificates of group membership's means.Certificate of the present invention can be verified under the situation of not getting in touch central server.Alternatively, but implement system of the present invention or method and may further include the certificate that allows additional identification information to be associated or be tied to this entity or group with entity or group.Therefore, in the present invention, whether the one or more certificates that are called group membership certificate (GMC) define one or more entities is the member of one or more target group.Can in GMC, specify individual entities and one or more group of entities to have membership qualification in the target group.GMC describes the title of one or more group membership preconditions (GMPC) and target group.Example GMPC may need: the evidence that the condition that can verify of dependence GMC is satisfied when the evaluated satisfiability of GMPC comprises: the membership qualification in another designated groups; It is evidence with entity of specific names; Evidence with physics (for example machinery, optics, calorifics, how several), non-physics, time or non-temporal characteristics, comprise with state, highly, relevant feature such as width, how much, time, place, position, place, amplitude, phase place, frequency, electric current, voltage, resistance.The example evidence comprises the evidence of current place and regulation place coupling, evidence, current date and time and the fixed date of biological characteristic coupling or the evidence of time coupling etc.
For example, a plurality of entities can be parts of specifying the prerequisite group, if satisfy necessary membership qualification precondition, then this appointment prerequisite group itself can become the member of target group.Like this, each GMC illustrates the prerequisite membership condition of designated target set.Satisfy standard and satisfy these one or more preconditions and then authorize membership qualification in the target group according to defined to entity.In various embodiment of the present invention, the prerequisite of the membership qualification in the target group satisfies standard can relate to following any one in satisfying: the satisfying of each prerequisite; Satisfying of one of prerequisite; Satisfying of certain combination of the prerequisite of describing by the Boolean algebra equation, wherein the operator of this equation comprises and computing (and) and exclusive disjunction (or); Certain number m's in n prerequisite satisfies altogether.
As mentioned above, group membership precondition satisfied is that the membership qualification of authorizing in the target group to entity is necessary.As further described below, the stakeholder with necessary power signs GMC should being tied to target group by one or more GMPC, thereby the one or more entities that allow to satisfy these one or more preconditions become the member of designated target set.
Like this, the existing method based on certificate of the present invention by requiring group name to claim to comprise additional information to expand to be used for entity is divided into groups.In an example embodiment, group name claims directly or indirectly to comprise the PKI of following mechanism: the approval of this mechanism is to use the membership qualification in this group necessary as determinative.This means: only when the set of decision-use mechanism be equal to the time, two groups just have identical title.In implementing system of the present invention, group name claims to comprise out of Memory and has additional constraint to identity property, as long as these information of the present invention and constraint are comprised and be employed.Therefore, each GMC is tied to the target group title with one or more preconditions.The template of having showed the example set title among Fig. 2.
In an exemplary embodiment of the present invention, implement two types GMC.Fig. 3 shows the GMC that the precondition that will be associated with entity is tied to target group, and Fig. 4 shows the GMC that one or more preconditions of membership qualification in other group is tied to target group.According to the example GMC of Fig. 3, the group membership precondition comprise have specific names for example the entity of John Doe belong to the evidence of target group, wherein the binding of this entity and target group is proved by the signature of suitable stakeholder on GMC.According to the GMC of Fig. 4, the group membership precondition comprises the evidence that another specifies the membership qualification in the prerequisite group, and again, wherein the binding of title prerequisite group and target group is proved by the signature of suitable stakeholder on GMC.
Therefore, the validity of GMC is learned the existence decision of signature by valid password, and wherein Bi Yao stakeholder has described valid password of signature at this GMC and signs, thereby the group membership precondition is tied to membership qualification in one or more target group.In the group of the title of these one or more target group and appointment in GMPC or individual title, identify the stakeholder.According to one embodiment of present invention, be called the permission of " to this group " stakeholder's a class stakeholder granted permission target approach group.It is necessary that the signature of " to this group " stakeholder on certificate is that expansion belongs to the set of entity of target group.In claiming, group name identifies the another kind of stakeholder who is called " from this group " stakeholder.These group names claim directly or indirectly to comprise the PKI of following mechanism: the approval of this mechanism is to use the membership qualification in this group necessary as determinative.For example, " from this group " stakeholder authorizes the member's that an entity in the group becomes another group permission or additional information such as privilege is tied to the permission of the evidence of the membership qualification in this group.The signature of " from this group " stakeholder on GMC is that to license the evidence of a membership qualification in the group necessary as the prerequisite of the membership qualification in the target group.On other certificate that information is tied to this group (such as authorizing the membership qualification that needs in this group certificate as the privilege of prerequisite), " from this group " signature is essential equally.
No matter prerequisite group or target group are made up of several sections as the title of the group that occurs on GMC.The first, group name claims to comprise the information of the cryptography PKI that is enough to definite each " to this group " stakeholder.The second, group name claims to comprise the information of the cryptography PKI that is enough to definite each " from this group " stakeholder.A kind of exemplary forms of the information that stakeholder's set is described is the distinct tabulation of stakeholder's PKI.Alternatively, can use the set of the identifier of differentiating the unique identity card book, described unique identity card book is tied to PKI with these identifiers.Alternatively, the title of group comprises one or more disambiguation identifiers, and described disambiguation identifier is used for other group mutually difference of this group with the identity set with " to this group " and " from this group " stakeholder.Example disambiguation identifier comprises text common name, digital picture; The cryptographic Hash of digital audio, any identifier listed earlier or the combination in any of identifier listed earlier.
GMC shown in Fig. 3 comprises requirement entity proof, and it has the single GMPC of given title.In addition, GMC comprises the title of being authorized the single target group of membership qualification by this certificate.The target group title comprises " to this group " stakeholder's identifier of being represented by variable m of disambiguation identifier and arbitrary number and " from this group " stakeholder's identifier of being represented by variable n.For effective to the binding of prerequisite entity title and target group title, the GMC of Fig. 3 also comprises the signature of " to this group " stakeholder 1-n of target group.As mentioned above, the membership qualification in " to this group " stakeholder 1-n of the target group of Fig. 3 permission target group is expanded the prerequisite entity title for stipulating among the GMC that is included in Fig. 3.Because the GMC of Fig. 3 does not require the prerequisite of the evidence of the membership qualification in a group as the membership qualification in another group, so that " from this group " stakeholder's signature is not the validity of GMC is desired.
GMC shown in Fig. 4 comprises the GMPC of arbitrary number, comprises that the prerequisite group name of any number of being represented by variable k claims, each all requires entity to prove the membership qualification in the corresponding prerequisite group so that obtain membership qualification in the target group.This GMC is designed to the signature requirement of proof GMC validity when group membership is used as the precondition of GMC.The title that is listed each group of its membership qualification as precondition in the GMC of Fig. 4 has " to this group " stakeholder who is represented by variable m of arbitrary number and " from this group " stakeholder who is represented by variable n.These variablees are within the name scope of prerequisite group; Each prerequisite group name that different m values and n value can be used among the GMC claims.For effective to the binding of prerequisite title and target group title, the GMC of Fig. 4 comprises two types stakeholder's signature.The GMC of Fig. 4 comprises " from this group " stakeholder's the signature that is listed the group of its membership qualification as precondition.On the GMC of Fig. 4 same essential be the signature of " to this group " stakeholder 1-n of the target group of Fig. 4, it is the entity that comprises the membership qualification in the provable prerequisite group of stipulating in the GMC of Fig. 4 that the membership qualification in its permission target group is expanded.
Implement system of the present invention and understand the membership qualification in described group by check each GMC that comprises about the form of group membership essentially.This system at first is thought of as empty group.This system is enough to make entity to become group membership's condition by checking that GMC understands then.In one embodiment of the invention, when a plurality of GMC that comprise different GMPC with same target group for known to this system the time, be enough to make entity to obtain membership qualification in the target group from the prerequisite of any certificate satisfied.Therefore, the system that can not visit the GMC of each issue slips up in the group membership that excludes entity, and other GMC introduced or adds the number that can increase rather than reduce the entity with the membership qualification in given group in this system to.Like this, can under the situation of not getting in touch central server, verify GMC.Therefore, different with kerberos system, the present invention does not introduce single failpoint.
Two group names claim to relate to same group under following situation: " to this group " stakeholder during first group name claims and " from this group " stakeholder's set are identical with " from this group " stakeholder with " to this group " stakeholder during second group name claims, and the disambiguation identifier of first group name in claiming is identical with disambiguation identifier during second group name claims.
The present invention can use GMC under several environment.An example application of the present invention is present in establishment, assessment and the enforcement of the security policies (SP) that the relation of the permission between participant, resource and/or the privilege is described.Relation between participant, resource and/or the privilege is authorized by the stakeholder of correspondence, and by reconciling participant according to privilege (if any) one or more defendances (guard) of the visit of resource is implemented.
Fig. 5 shows the example system of using the invention process to force access control SP.This system is to use one or more nodes to implement.Node generally includes the processing unit (not shown), such as one or more CPU, microprocessor, embedded controller, digital signal processor etc., is used for run time version, program and/or application.Each node can be wired or wireless node, client, server, router, hub, access point or use any one or combination in any other known devices that resource communicates with one another.
In an example embodiment, the node of Fig. 5 is included in subregion that moves under the control that separates kernel (SK) and the client that is connected to the arbitrary number of node by wired or wireless network on hardware.According to example embodiment of the present invention, node moves under the control of SK.At the title of being announced by national security agency (NSA) is the SK that has described an example class can using in the present invention in " U.S.Government Protection Profile forSeparation Kernels in Environment Requiring High Robustness " protection profile (PP) (SKPP), should protect profile integral body to be herein incorporated by reference.Yet, should be understood that, the present invention can be used in any system or network of the computation model that uses any kind, described computation model such as the client-server pattern that has or do not have SK, in real time and non real-time distributed network, central network, peer-to-peer network, embedded system etc.
According to example embodiment of the present invention, at least one node as shown in Figure 5 moves under the control of the SK of correspondence.Each SK provides not only anti-tamper but also the subregion and the information flow control characteristic of the high protection that can not eavesdrop to its software program of administering.SK comprises hardware and/or software mechanism, and its major function is to create a plurality of subregions of node.Subregion is the extraction that the resource under being controlled according to all or part of configuration data of implementing one or more SP, from this SK by SK is implemented.As describing in further detail, the security parameters that the SP that the present invention's use is signed by the stakeholder comes implementation system.Each SK subregion comprises at least one main body and/or resource.Main body is to carry out the interior any entity of range of control of the node of function, for example inter-node communication function.Main body can be individually or is side by side used resource, to allow the information in the principal access resource.Participant in the system of the present invention can be realized in the different nodes coupled to each other by one or more communication channels or the defined main body of one or more SK on the same node or subregion or node.
The information flow that main body of moving in the subregion of the Node Protection of working under the control of SK on this node and resource are not violated SP influences.This SK is divided into equivalence class based on strategy with resource, and gives the resource of subregion and the information flow between the main body according to the configuration data Control Allocation of SK.In one embodiment, node comprises any hardware resource that moves single SK, wherein this SK control according to the configuration data of SK between a plurality of subregions of this node and/or within information flow.Specifically, each node moves its oneself SK, and this SK protects the exclusive resource of this node.Preferably, this SK configuration data specification is clear and definite, and allows supervisory personnel's (may utilize the instrument support) to determine whether this strategy and each resources allocation rule that should the strategy defined allow any given potential connection.
The present invention uses various tool to create or approval and the PKI and the private key of the digital signing that obtains to implement to expect that SP is required.Each node has the node identity (NI) that is associated, and it comprises a pair of PKI and private key.Each subregion on the node also has corresponding subregion identity (PI).The PI of each subregion comprises by the PKI of the NI of the node that creates the division thereon and relates to a pair of value that the unique index of the subregion on the node is formed.
In the system of Fig. 5, in by the subregion of trust, implement defendance in order to the resource of the file system in the protection subregion.This defendance must guarantee not take on the access right of the client acquisition of participant to file partition, unless this visit meets SP.Those clients that only meet SP could the access file system partitioning.In one embodiment, file partition is attempted to satisfy each and is presented to their request, and does not participate in implementing SP.Replace it, any strategy that the data of a client of protection are not influenced by another client is implemented by this defendance.Network connects the clients to the defendance subregion, and this defendance subregion is taken on the reference monitor of file partition.Client can be moved and separate kernel operations system or legacy operating system, as Windows of Microsoft or Linux.In another embodiment, resource stakeholder mandate also may be that the access file system is needed.
Defendance can realize with hardware or software.The example defendance comprises partitioning communication system (PCS) and virtual private networks (VPN) enforcement.Disclose PCS on October 5th, 2005 in No. 11/125099 U.S. Patent application that submit to and that transfer the assignee of the present invention, by reference this application integral body has been herein incorporated.PCS supports multilevel security (MLS) system, and it has realized constituting the safe distribution communication on the basis of many more advanced techniques.Therefore, PCS can be used as the structure piece of implementing credible distributed system.PCS be on one or more channels with the communication controler of the intranodal of another node or client Data transmission.PCT supports by the traffic policing between the subregion of SK management.PCS disposes the combination of hardware and/or software, and it provides communication can moving between the node/client that maybe can not move under the control of corresponding SK.Like this, PCS can create following multiple-domain network: the security of described multiple-domain network does not rely on physical hardware separation and protection or any concrete network hardware.
In the present invention; many kinds of resources can be protected or control to defendance shown in Fig. 5, comprises Ethernet switch; network router; operating system nucleus; display monitor; keyboard; mouse; projector; cable set top box; desktop computer; laptop computer; server computer; satellite; sensor; shooter; automatic driving vehicle; the avionics device; individual video and/or audio devices; phone; cell phone; telephone exchange; television broadcasting apparatus; televisor; database server; cross-domain defendance; separate kernel; file server; the video and/or audio server; smart card or PDA.
Use GMC to come the entity of any kind of obeying SP is divided into groups in the present invention.For example, GMC can be used to create the participant group, and it can be associated with privilege then.With each individual participant is different with traditional access control system based on the role that the expectation privilege is associated, allow simpler and clearer, more maintainable SP explanation according to grouping of the present invention.Describe " to this group " that separate and " from this group " stakeholder's the set that group name claims owing to exist, use GMC of the present invention the ability to express stronger than traditional RBAC is provided.Be different from and trusted when privilege being distributed to this group or using membership qualification in this group to obtain set to the stakeholder of the access right of another group whenever trusting in order to permit set that entity enters one group stakeholder, this of stakeholder separately is desired.For example, the quality control inspector can be trusted in order to permit radio enters standard compliant wireless group of representative, enters the group that makes that this radio can transmit on characteristic frequency but independent stakeholder (as FCC) can be responsible for permitting this radio.
In another embodiment, GMC can be used to implement SP by the establishing resource group.Replace authorizing the privilege of specifying specific resources, this embodiment of the present invention authorizes by the privilege on each resource in the resource group of applicable GMC definition.For example, when resource is computer documents, can make those files become the member of the group that defines by corresponding GMC.When new GMC is published, can increase by the set of the file of this group definition.In yet another embodiment of the present invention, privilege can be divided into groups, and can be with each the granting privileges participant in the privileged set on the given resource.In addition, any combination of GMC can be combined in the individual system, thereby allow participant, resource and/or privilege to be grouped as required.
Therefore, GMC of the present invention can be used for the SP that implements to expect.They satisfy some preconditions such as after having specific names in the proof of the defendance on network, and GMC can present to this defendance by client.This proof can by in conjunction with letter of identity X.509 present the operation cipher authentication and key is set up agreement such as ECMQV finishes.Wish that the stakeholder who utilizes GMC enforcement to be used for the Bell-LaPadula model of multilevel security can handle client as participant, and they are divided into groups according to the people's who uses this client security audit level.In addition, file partition can be handled as resource and they is divided into groups according to their category level.Use the people's of client security audit level factor in addition also can help to determine and authorized client visit given file partition.These ingredients that the present invention allows to determine are expressed respectively, and allow to determine to appoint the control of not losing to the satisfying of each ingredient of difference side consequent mandate decision.
As an example, control can determine that to the stakeholder of the visit of confidential sensitive document system partitioning following condition is essential for those subregions of read access: use the people of this client to hold the security audit qualification of this confidential or higher level; Client is positioned within the safety installations; Client is just in security of operation operating system.In addition, this confidential stakeholder knows each the individual or tissue in these factors that can determine any given client, and wishes the checking of each condition is appointed individually to the individual or tissue of knowing.Yet this stakeholder does not wish to use under other environment the ability of these decisions to appoint to those individual or tissues of carrying out different checkings.
Use the present invention, the confidential stakeholder specifies four groups.First designated groups is described the client computer through the secret audit, and comprises as unique " to this group " stakeholder of this group and unique " from this group " stakeholder's confidential stakeholder.This has guaranteed that the confidential stakeholder can issue the sole entity that the GMC of privilege is provided to this group, and guarantees that the confidential stakeholder can issue to permit the sole body that client enters the GMC of this group.
Next, confidential stakeholder each precondition that must satisfy secret responsive file system institute at visit is specified additional a group.Titles of these additional groups are listed and are trusted in order to the tissue of verifying this condition as " to this group " stakeholder, and list the confidential stakeholder as " from this group " stakeholder.This has guaranteed that the stakeholder who is appointed can permit the sole entity that client enters the group of representative condition checking, and has guaranteed that the confidential stakeholder can use as those condition checkings of prerequisite to organize the unique stakeholder who issues certificate.These groups are represented the precondition of the membership qualification in the target group.
At last, as shown in Figure 6, the confidential stakeholder signs GMC, thereby permission becomes the member of confidential groups of clients as the member's of three groups representing the precondition checking client.Because the confidential stakeholder is these prerequisite groups " from this group " stakeholder and this target group " to this group " stakeholder, so this GMC effectively and not needs other signature.When someone wishes that new client computer has the right to visit the information that needs the membership qualification in this confidential groups of clients, the this person can communicate by letter with specified " to this group " stakeholder of the confidential stakeholder in the title of precondition group, and works so that they be sure of that described condition is satisfied with those stakeholder.In case those conditions checking stakeholder is be sure of that they just can issue following GMC: described GMC list client computer as the prerequisite entity and list represent the condition that their verify group as target group.Because condition checking stakeholder lists " to this role " mechanism during this group name claims, and does not relate to other group, so GMC does not need other signature.Therefore, new client can become the member of this confidential groups of clients and not relate to this confidential stakeholder; It is essential having only the communicating by letter of stakeholder of condition checking of being appointed with this stakeholder.
The present invention can be used for further strengthening as follows the defendance among Fig. 5: the security-sensitive rank of the resource of protecting according to this defendance is divided into groups to these resources.For example, if two file partition are that subregion 1 and subregion 2 all have confidential susceptibility, then the confidential stakeholder can create the confidential susceptibility group that comprises these two resource partitionings.As shown in Figure 7, this group can use the GMC that resource is divided into groups to create.Defendance with the certificate among Fig. 7 with the privilege that allows to be awarded the participant on the target group of those certificates be applicable to subregion 1 and subregion 2 the two.
Use GMC that privileged set is incorporated in the group to the further improvement of the system of Fig. 5.For example, when the several privilege of single name delivery, discrete privilege can be read and write, and they become the group read access privilege and the write access privilege of appointment.The entity that can use the GMC of Fig. 8 to permit being called " control fully " enters this two groups.When defendance had this GMC, it can be handled as having the read and write privilege by " control fully " entity, because they have membership qualification in read access privileged set and write access privileged set.
According to aforementioned content, in an example embodiment, group name claims to be associated with directly or indirectly one or more stakeholder's identity, for example, its approval is to use make decision necessary those stakeholder's PKI of the membership qualification in this group, and the decision of being done for example is to allow access resources, carry out function or authorize membership qualification in another group.The stakeholder also can sign the cryptography certificate, is added as the member in one or more target group to authorize the entity in the prerequisite group.In addition, a kind of method that is used for handling the cryptography certificate receives the cryptography certificate that at least one precondition to the membership qualification that comprises at least one prerequisite group of entities is described, and determines that whether this cryptography certificate is to use membership qualification in this prerequisite group necessary at least one the prerequisite group stakeholder that makes decision to sign effectively by its approval.
In an example embodiment, each resource on the SK also can be controlled by one or more resource stakeholder that must ratify the visit of those resources.In order to ratify, described one or more resource stakeholder signs corresponding cryptography authorization (CAP), this be disclosed in fully title of submitting on April 9th, 2007 for " SYSTEM AND METHOD FORACCESSING INFORMATION RESOURCES USINGCRYPTOGRAPHIC AUTHORIZATION PERMITS " the 11/783rd, in No. 359 U.S. Patent applications, this application integral body by reference is herein incorporated.In one embodiment, CAP is signed by one or more resource stakeholder, and GMC uses their private key signatures separately by one or more " to these groups " and " from this group " stakeholder.Yet the approval deficiency of having only described one or more resource stakeholder is so that the participant access resources.On the contrary, one or more " from this group " stakeholder also ratifies the prerequisite group membership independently and visits this resource.Like this, the notion that can make up GMC and CAP is to provide privilege or to the visit of resource based on prerequisite group membership condition.In fact, CAP and GMC can implement on identical or different certificate.
In an example embodiment, PCS reconciles mutual via channel according to two security policies: channel connectivity strategy and policy in resource management.The admissible connection of channel connectivity policy definition.In fact, this strategy is the access privileges control strategy of definition all-access privilege.Policy in resource management describe be used to implement channel shared communication resource how interchannel distribute and by use shared resource make channel can (collaboratively or wittingly non-) effect each other.
Channel comprises from source partition and to comprise any physics or logical block to the connection that is present in the one or more destinations subregion on the identical or different node, is used for the uniflux of inbound or outbound information.The subregion that the read access privilege allows to be authorized to is read message from channel, and the subregion that the write access privilege allows to be authorized to is write message to channel.Channel is used to implement point-to-point between node, put multiple spot or multiple spot to multi-point.Each channel has the symmetric cryptography/decryption key that is associated that is used for institute's message transmitted.This symmetric-key is the shared key that is used for when the channel access privilege is authorized between the each side of pass-along message on the channel.Should share key and stand periodic variation according to defined security parameters.
All communications between the subregion of each separate nodes in the network all are to finish by pass-along message on channel (that is, reading or writing message).Use GMC, one or more subregions can be grouped into write access privilege, read access privilege or the two the participant of waiting to be awarded to one or one group channel.In addition, write access privilege, read access privilege or the two can use GMC to be grouped to be applied to the group of each participant or channel or participant or channel.
Alternatively, the CAP through signature by one or more resource stakeholder's issues authorizes reading and writing or the write access privilege of subregion to channel, and the GMC through signature by one or more " to these groups " and " from this group " stakeholder's issue authorizes participant access resources or resource group, if these participants satisfy the prerequisite group membership condition of regulation.Each channel has one or more resource stakeholder that are associated, and the described stakeholder who is associated is responsible for authorizing from this channel and reads message or write the necessary access privileges of message to this channel.The identity of each channel comprises that control is to the resource stakeholder's of the read and write privilege of this channel PKI and the unique channel indexes under resource stakeholder's control.Otherwise but the channel that is had different controlling resource stakeholder by its identity of index in the same manner is considered to different channels.
The example embodiment of the system shown in Fig. 5 is used two types subregion: control subregion and application partition (being also referred to as user partition).All intranodals between the subregion are controlled in conjunction with separating kernel by the control subregion of node alternately.The control subregion only with separate kernel, its oneself node on other subregion communicate by letter with the control subregion on other node.Each node has at least one control subregion, although in particular implementation, the function of subregion can use a plurality of subregions to implement.The control subregion is stored (storing in mode secret and that can not forget) data of safety value safely, comprises the private key of node and the CAP and the GMC of PKI, other node PKI and implementation system security.Application partition by by local SK according to the means of the authorization parameter authorization of the configuration data of correspondence and CAP and GMC, communicate by letter with other subregion on comprising the same node of controlling subregion.The control subregion provides a kind of mechanism, when receiving by the CAP of separately stakeholder signature or GMC, can change the security parameters of the security policies of SK by this mechanism.
Before pass-along message, PCS guarantees to participate in nodes in communication and has the consistent configuration data of authorizing this communication.For all shared resources, as access hardware/software, cryptography hardware/software etc., the PCS initialization is also tested these resources.For each channel, transmitting channel end points (CE) subregion and each receive CE and authenticate mutually, and set up and share key.Authentication is on the cryptography mutually, and is associated with the access privileges of authorizing channel.This authentication is made up of the identity of checking communication main body and their access privileges.The checking of subject identity can be undertaken by the identity that operation ECMQV protocol authentication comprises node and/or subregion.The successful operation of this agreement will cause sharing key only for known to the CE that carries out this authentication.The privilege that checking is communicated by letter on channel need be verified and be included in the CAP that authorizes some this channel of principal access or the signature among the GMC.Must further verify to guarantee that those signatures are corresponding to being identified as the stakeholder who is responsible for the channel in this channel identity of protection.At last, the main body that CE will appointment in CAP and GMC is mated with the main body of its identity of checking in previous step.If all CE are the successful execution above-mentioned steps.Shared key is used to message transmitted on channel is carried out encryption and decryption.
In case finished the initialization of shared resource and channel, just notified the described channel of CP ready for the transmission of message.Need be responsible for permitting to the visit of channel according to the independent of one or more stakeholder of SP issue CAP that is issued or GMC.May need the independent of a plurality of mechanisms to authorize by CAP and/or GMC to the visit of channel.As mentioned above, the present invention uses the strategy by mechanism's signature of implementing security parameters.In example embodiment, the strategy of being signed comprises the tabulation of the tabulation of CAP and GMC and corresponding stakeholder's PKI.This strategy is by one or more stakeholder's signatures of one or more stakeholder that are responsible for the protection channel and responsible control group membership.The combination of GMC and CAP allows to implement security policies highly scalablely in any infosystem; GMC allows participant to be grouped into equivalence class, and CAP can use this equivalence class to replace the participant identity as prerequisite, thereby avoids repetition.In addition, binding provides further scalability as follows by the transitivity of GMC: the permission group according to other group " with " and " or " make up and be defined.Other scheme that this and role's (or attribute) must be directly bound to participant forms contrast.
Should be understood that what the mandate of entity grouping was based on by the PKI of one or more stakeholder's issues according to aforementioned content, and each GMC comprises the cryptography certificate by these stakeholder's digital signings.One or more stakeholder's that entity grouping need be controlled the precondition of authorizing this entity grouping cryptography signature.
The present invention implements security policies under the situation of the system node number not being had pre-set limit.The present invention does not require has any restriction to the number of the security domain that identifies or the information flow strategy implemented on these territories.Therefore, the security policies of this system can dynamically change along with the appearance of needs, and need not to change the software of being disposed.In addition, the system of being created by the present invention does not rely on checking is carried out in third party's's (comprising mechanism or stakeholder) visit.Checking can be carried out by any entity of the PKI of handling GMC and stakeholder.When any node loss or when being out of order, these systems in performance or security seldom or do not have to work under the situation of deterioration.The present invention can be used for Military Application, category level, notice restriction, banking, uses the settlement center of independent subregion at independent account.

Claims (45)

1. one kind is used for the method that releasing pin is learned certificate, comprising:
Describe at least one precondition on described cryptography certificate, wherein said at least one precondition comprises the membership qualification at least one prerequisite group of entities; And
Sign described cryptography certificate by at least one prerequisite group stakeholder, described at least one prerequisite group stakeholder's approval is to use the membership qualification in the described prerequisite group to make decision necessary.
2. method according to claim 1, wherein said decision relate to permit entity obtain in another group membership qualification, permit access resources, privileged or carry out in the action at least one.
3. method according to claim 1, the title of wherein said at least one prerequisite group is associated with described prerequisite group stakeholder's identity.
4. method according to claim 3, wherein said at least one prerequisite group stakeholder's described identity comprises this stakeholder's PKI.
5. method according to claim 1, wherein said cryptography certificate are also by the one or more resource stakeholder signatures of control to the visit of privilege or resource.
6. method according to claim 1, wherein said one or more prerequisite group stakeholder authorizes the entity in the prerequisite group to become entity at least one target group, and wherein said cryptography certificate also is added at least one target group stakeholder signature of described at least one target group as the member by authorized entity.
7. method according to claim 1, wherein said at least one precondition relate at least one in membership qualification, physical features, non-physical features, temporal characteristics, non-temporal characteristics, place feature or the position feature in another group of entities.
8. method according to claim 1, the title of wherein said at least one prerequisite group comprises: authorize entity in the prerequisite group to become the member's of another group of entities described at least one prerequisite group stakeholder's title; And at least one prerequisite group stakeholder's of the membership qualification of authorized entity in described at least one prerequisite group title.
9. method according to claim 8, the title of wherein said at least one prerequisite group also comprise at least one prerequisite group disambiguation identifier.
10. method according to claim 8, wherein prerequisite group stakeholder's title comprises described prerequisite group stakeholder's PKI, and described prerequisite group stakeholder's signature comprises the cryptography signature of the described cryptography certificate of the private key signature of using this stakeholder.
11. method according to claim 6, wherein the title of target group comprises: at least one target group stakeholder's of the membership qualification of the entity member who authorizes described target group in another group title; And authorized entity becomes the member's of described target group at least one target group stakeholder's title.
12. method according to claim 11, the title of wherein said target group also comprise at least one target group disambiguation identifier.
13. method according to claim 11, wherein said target group stakeholder's title comprises described target group stakeholder's PKI, and described target group stakeholder's signature comprises the cryptography signature of the described cryptography certificate of the private key signature of using described target group stakeholder.
14. method according to claim 1, wherein entity comprises at least one in participant, resource or the privilege.
15. a method that is used to handle the cryptography certificate comprises:
Receive described cryptography certificate, described cryptography certificate is described at least one precondition, and described at least one precondition comprises the membership qualification at least one prerequisite group of entities; And
Determine whether described cryptography certificate is signed effectively by at least one prerequisite group stakeholder, and described at least one prerequisite group stakeholder's approval is to use the membership qualification in the described prerequisite group to make decision necessary.
16. method according to claim 15, wherein said decision relate to permit entity obtain in another group membership qualification, permit access resources, privileged or carry out in the action at least one.
17. method according to claim 15, wherein said one or more prerequisite group stakeholder authorizes the entity in the prerequisite group to become entity at least one target group, and wherein said method also comprises and determines whether described cryptography certificate is signed as at least one target group stakeholder that the member is added to described at least one target group effectively by authorized entity.
18. method according to claim 15, the title of wherein said at least one prerequisite group is associated with described at least one prerequisite group stakeholder's identity.
19. method according to claim 18, wherein said at least one prerequisite group stakeholder's identity comprises this stakeholder's PKI.
20. method according to claim 15 also comprises and determines whether described cryptography certificate is signed effectively by control at least one resource stakeholder to the visit of privilege or resource.
21. method according to claim 15, wherein said precondition relate in membership qualification, physical features, non-physical features, temporal characteristics, non-temporal characteristics, place feature or the position feature in another group of entities at least one.
22. method according to claim 15, the title of wherein said at least one prerequisite group comprises: authorize entity in the prerequisite group to become the member's of another group of entities at least one prerequisite group stakeholder's title; And at least one prerequisite group stakeholder's of the membership qualification of authorized entity in described at least one prerequisite group title.
23. method according to claim 22, the title of wherein said at least one prerequisite group also comprise at least one prerequisite group disambiguation identifier.
24. method according to claim 22, wherein prerequisite group stakeholder's title comprises described prerequisite group stakeholder's PKI, and described prerequisite group stakeholder's signature comprises the cryptography signature of the described cryptography certificate of the private key signature of using this stakeholder.
25. method according to claim 17, the title of wherein said at least one target group comprises: at least one target group stakeholder's of the membership qualification of the entity member of described at least one target group of mandate in another group title; And authorized entity becomes the member's of described at least one target group at least one target group stakeholder's title.
26. method according to claim 25, the title of wherein said at least one target group also comprise at least one target group disambiguation identifier.
27. method according to claim 25, wherein target group stakeholder's title comprises described target group stakeholder's PKI, and described target group stakeholder's signature comprises the cryptography signature of the described cryptography certificate of the private key signature of using described target group stakeholder.
28. method according to claim 15, wherein entity comprises at least one in participant, resource or the privilege.
29. a cryptography certificate comprises:
The title of one or more prerequisite groups; And
One or more cryptography signatures of prerequisite group stakeholder, described prerequisite group stakeholder's approval is to use the membership qualification in the described prerequisite group to make decision necessary.
30. cryptography certificate according to claim 29, wherein said one or more prerequisite group stakeholder authorize the entity in the prerequisite group to become entity in one or more target group.
31. cryptography certificate according to claim 29 also comprises: the title of described one or more target group; And one or more target group stakeholder's of target group cryptography signature is added entity in mandate.
32. cryptography certificate according to claim 29, wherein said decision relate to permit entity obtain in another group membership qualification, permit access resources, privileged or carry out in the action at least one.
33. cryptography certificate according to claim 29, the title of wherein said prerequisite group is associated with described one or more prerequisite group stakeholder's identity.
34. cryptography certificate according to claim 33, wherein prerequisite group stakeholder's identity comprises this stakeholder's PKI.
35. cryptography certificate according to claim 29 also comprises the cryptography signature of control to one or more resource stakeholder of the visit of privilege or resource.
36. cryptography certificate according to claim 29, wherein said precondition relate in membership qualification, physical features, non-physical features, temporal characteristics, non-temporal characteristics, place feature or the position feature in another group of entities at least one.
37. cryptography certificate according to claim 29, wherein the title of prerequisite group comprises: authorize entity in the prerequisite group to become the member's of at least one target entity group one or more prerequisite group stakeholder's title; And one or more prerequisite group stakeholder's of the membership qualification of authorized entity in described at least one prerequisite group title.
38. according to the described cryptography certificate of claim 37, the title of wherein said prerequisite group also comprises at least one prerequisite group disambiguation identifier.
39. according to the described cryptography certificate of claim 37, wherein prerequisite group stakeholder's title comprises described prerequisite group stakeholder's PKI, and described prerequisite group stakeholder's signature comprises the cryptography signature of the described cryptography certificate of the private key signature of using this stakeholder.
40. cryptography certificate according to claim 30 also comprises the title of target group.
41. according to the described cryptography certificate of claim 40, the title of wherein said target group comprises: one or more target group stakeholder's of the membership qualification of the entity member who authorizes described target group in another group title; And authorized entity becomes the member's of described target group one or more target group stakeholder's title.
42. according to the described cryptography certificate of claim 41, the title of wherein said target group also comprises at least one target group disambiguation identifier.
43. according to the described cryptography certificate of claim 41, wherein target group stakeholder's title comprises described target group stakeholder's PKI, and described target group stakeholder's signature comprises the cryptography signature of the described cryptography certificate of the private key signature of using described target group stakeholder.
44. cryptography certificate according to claim 29, wherein entity comprises at least one in participant, resource or the privilege.
45. a system that handles the cryptography certificate comprises:
A plurality of entities;
One or more group membership certificates, each group membership certificate comprises the title of one or more prerequisite groups and the title of one or more target group;
The one or more stakeholder that take on one or more prerequisite group stakeholder and target group stakeholder, if the group membership certificate sign on cryptography by those one or more prerequisite group stakeholder that authorize entity title in the prerequisite group to become the entity title in another group then is effectively, described group membership certificate is also signed on cryptography by those one or more target group stakeholder that mandate is added the entity title to described one or more target group; And
Receive the node of cryptography certificate from entity; The effective group membership certificate of described node inspection, if the cryptography certificate that receives is tied to the prerequisite group that is included in described effective group membership certificate effectively with the entity of correspondence, then described node adds the entity title of correspondence to the target group of appointment in described effective group membership certificate.
CN200880130378.6A 2008-05-16 2008-05-16 System and method that uses cryptographic certificates to define groups of entities Active CN102171686B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2008/006346 WO2009139750A1 (en) 2008-05-16 2008-05-16 System and method that uses cryptographic certificates to define groups of entities

Publications (2)

Publication Number Publication Date
CN102171686A true CN102171686A (en) 2011-08-31
CN102171686B CN102171686B (en) 2014-08-27

Family

ID=41318944

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200880130378.6A Active CN102171686B (en) 2008-05-16 2008-05-16 System and method that uses cryptographic certificates to define groups of entities

Country Status (7)

Country Link
EP (1) EP2300940A4 (en)
JP (1) JP5466698B2 (en)
CN (1) CN102171686B (en)
AU (1) AU2008356253A1 (en)
CA (1) CA2724703C (en)
NZ (1) NZ589966A (en)
WO (1) WO2009139750A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030229452A1 (en) * 2002-01-14 2003-12-11 Lewis Barrs S. Multi-user system authoring, storing, using, and verifying animal information
US20060143700A1 (en) * 2004-12-24 2006-06-29 Check Point Software Technologies, Inc. Security System Providing Methodology for Cooperative Enforcement of Security Policies During SSL Sessions
US20060155985A1 (en) * 2002-11-14 2006-07-13 France Telecom Method and system with authentication, revocable anonymity and non-repudiation
US20060242407A1 (en) * 2004-07-29 2006-10-26 Kimmel Gerald D Cryptographic key management

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101401062A (en) * 2006-02-16 2009-04-01 移动容量网络公司 Method and system for determining related sources, querying and merging results of multiple content sources

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030229452A1 (en) * 2002-01-14 2003-12-11 Lewis Barrs S. Multi-user system authoring, storing, using, and verifying animal information
US20060155985A1 (en) * 2002-11-14 2006-07-13 France Telecom Method and system with authentication, revocable anonymity and non-repudiation
US20060242407A1 (en) * 2004-07-29 2006-10-26 Kimmel Gerald D Cryptographic key management
US20060143700A1 (en) * 2004-12-24 2006-06-29 Check Point Software Technologies, Inc. Security System Providing Methodology for Cooperative Enforcement of Security Policies During SSL Sessions

Also Published As

Publication number Publication date
AU2008356253A1 (en) 2009-11-19
CA2724703A1 (en) 2009-11-19
CA2724703C (en) 2017-06-20
JP2011524661A (en) 2011-09-01
EP2300940A4 (en) 2011-10-19
WO2009139750A1 (en) 2009-11-19
CN102171686B (en) 2014-08-27
NZ589966A (en) 2014-01-31
EP2300940A1 (en) 2011-03-30
JP5466698B2 (en) 2014-04-09

Similar Documents

Publication Publication Date Title
US12088568B2 (en) Systems and methods for secure key service
US8380981B2 (en) System and method that uses cryptographic certificates to define groups of entities
US11538031B2 (en) Method and system for identity and access management for blockchain interoperability
Zissis et al. Addressing cloud computing security issues
Chakrabarti Grid computing security
US10999276B2 (en) Industrial internet encryption system
CN101107611B (en) Private and controlled ownership sharing method, device and system
US20010020228A1 (en) Umethod, system and program for managing relationships among entities to exchange encryption keys for use in providing access and authorization to resources
US8443191B2 (en) System and method for accessing information resources using cryptographic authorization permits
CN113901432B (en) Blockchain identity authentication method, device, storage medium and computer program product
Kravitz Transaction immutability and reputation traceability: Blockchain as a platform for access controlled iot and human interactivity
US20230421543A1 (en) Method, apparatus, and computer-readable medium for secured data transfer over a decentrlaized computer network
EP3785409B1 (en) Data message sharing
Kyriakidou et al. Decentralized identity with applications to security and privacy for the internet of things
Shaik et al. Advanced Identity Access Management and Blockchain Integration: Techniques, Protocols, and Real-World Applications for Enhancing Security, Privacy, and Scalability in Modern Digital Infrastructures
CN103166969A (en) A method for accessing secure cloud controller based on cloud computing platform
Das et al. Design of a trust-based authentication scheme for blockchain-enabled iov system
Tiwari et al. Design and Implementation of Enhanced Security Algorithm for Hybrid Cloud using Kerberos
WO2022175001A1 (en) Puf and blockchain based iot event recorder and method
Ya-Jun et al. An access control model for ubiquitous computing application
EP4475481A1 (en) Central unit, service provider unit, three-layer digital asset management system, and method for operating said system
CN102171686B (en) System and method that uses cryptographic certificates to define groups of entities
CN115442049A (en) Method, device, equipment and storage medium for cooperation in block chain
Ko et al. Viotsoc: Controlling access to dynamically virtualized iot services using service object capability
Fleming Decentralized Identity Management for a Maritime Digital Infrastructure: With focus on usability and data integrity

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant