Signed group criteria

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication

Reexamination Certificate


Details

C705S076000, C713S155000, C713S158000, C713S171000, C713S175000, C713S179000

Reexamination Certificate

active

06263434

ABSTRACT:

CROSS REFERENCE TO RELATED APPLICATIONS
N/A
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
N/A
BACKGROUND OF THE INVENTION
The present invention relates to techniques for verifying that an applicant is a member of a group having predetermined privileges without explicitly listing the members of the group.
In many computer and security systems, it is desirable to restrict access or privileges to a specified resource or a secure area to certain individuals. For example, it is necessary in certain situations to limit access to a secure area only to certain privileged individuals who require such access. Further, in other applications it is necessary or desirable to limit access or rights with respect to certain files, directories, databases, web pages or other computer resources to specific individuals within a defined group. Typically, the identification of the individuals or applicants who are “privileged” members of the group having access to the specified resource is accomplished by identifying the individuals that have access privileges in an access control list or in a group membership list. The applicants may, in differing applications, constitute individuals or, alternatively, computer or electronic devices. The use of access control lists (containing an identification of group members along with their respective access rights) and group membership lists (containing an identification of group members) has certain disadvantages. Such lists must be kept current. The maintenance of such lists can be a formidable task for a large organization or community in which the legitimate members of the group change as a matter of course or in which the access rights of the respective members vary over time.
It would therefore be desirable in certain applications to be able to determine whether an individual or applicant is a member of a group having the right of access to a resource without explicitly listing the members of the group. It would also be desirable to be able to perform this function in a secure manner so that an access granting authority can assure that unauthorized applicants are not improperly granted access to the resource.
BRIEF SUMMARY OF THE INVENTION
Consistent with the present invention, a method and apparatus are disclosed for restricting access to a predetermined resource to certain members of a privileged access group. This is accomplished without explicitly listing the members of the group. A test is defined which serves to identify whether an applicant is or is not a member of the privileged group. The test definition and, optionally, a group identification code are input to a criterion generator, which may include a computer. The criterion generator forms a group criterion message based at least upon the test definition. The group criterion message may also include the group identification code. The criterion generator authenticates the group criterion message via a digital signature using well-known public key encryption techniques, via a shared key, or via any other suitable authentication technique. The authenticated group criterion message is then conveyed, either directly or indirectly, to at least one criterion evaluator. The criterion evaluator, which may also include a computer, serves to evaluate a credential or credentials presented by, or associated with, an applicant to ascertain whether the credentials satisfy the criterion for access to the resource specified within the test definition.
More specifically, upon receipt of the authenticated group criterion message, the criterion evaluator verifies that the group criterion message it received was actually sent by the criterion generator and that the information contained within the group criterion message, including the test definition and the group identification code (if present), was not modified. In response to the presentation of a credential or information by an applicant, the criterion evaluator then uses the test definition to determine whether the applicant should be granted access to the resource. If the credential or information presented by the applicant satisfies the test definition, access is granted. If the credential does not satisfy the test definition, access is denied.
In the foregoing manner, once the signed group membership criterion has been received, access control determinations may be made securely without reference to any explicit list of group members and without contacting the trusted party that authenticated the group criterion message.
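The generator/evaluator exchange described above, as an added example that is not part of the patent: the criterion generator authenticates a test definition plus group identification code, and an evaluator first checks that tag and only then applies the test to an applicant's credential, with no member list and no call back to the generator. The wire format, the predicate language (`eq`, `gte`, `in` over credential attributes) and the sample data are all assumptions; a shared-key HMAC is used because the patent allows a shared key as the authentication technique and it keeps the example standard-library only.

```python
import hmac
import hashlib
import json

# Assumed (hypothetical) wire format for the group criterion message: a
# test definition (predicates over credential attributes), an optional
# group id, and an HMAC-SHA256 tag over the canonical JSON of both.
# A public-key signature would replace the tag without changing the flow.

def _canonical(test_definition, group_id):
    return json.dumps({"test": test_definition, "group": group_id},
                      sort_keys=True, separators=(",", ":")).encode()

def generate_criterion(test_definition, group_id, key):
    """Criterion generator: build and authenticate the group criterion message."""
    tag = hmac.new(key, _canonical(test_definition, group_id), hashlib.sha256).hexdigest()
    return {"test": test_definition, "group": group_id, "tag": tag}

def verify_criterion(msg, key):
    """Criterion evaluator, step 1: confirm origin and integrity of the message."""
    expected = hmac.new(key, _canonical(msg["test"], msg["group"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])

_OPS = {
    "eq": lambda a, b: a == b,
    "gte": lambda a, b: a >= b,
    "in": lambda a, b: a in b,
}

def _predicate_holds(pred, credential):
    if pred["attr"] not in credential:
        return False  # a missing attribute never satisfies the test
    return _OPS[pred["op"]](credential[pred["attr"]], pred["value"])

def evaluate_applicant(msg, credential, key):
    """Criterion evaluator, step 2: decide access without any member list."""
    if not verify_criterion(msg, key):
        return False  # unauthenticated or altered criterion: deny
    return all(_predicate_holds(p, credential) for p in msg["test"]["all"])

# Constructed sample data (not from the patent).
KEY = b"shared-key-between-generator-and-evaluators"
TEST = {"all": [{"attr": "department", "op": "in", "value": ["security", "audit"]},
                {"attr": "clearance", "op": "gte", "value": 3}]}
CRITERION = generate_criterion(TEST, "vault-readers", KEY)
ALICE = {"name": "alice", "department": "security", "clearance": 4}
BOB = {"name": "bob", "department": "security", "clearance": 2}
```

Because the decision depends only on the verified message and the presented credential, adding or removing a member means issuing a new test definition, not editing a list at every evaluator.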


REFERENCES:
patent: 5311591 (1994-05-01), Fischer
patent: 5339403 (1994-08-01), Parker
patent: 5757920 (1998-05-01), Misra et al.
Verisign, Verisign CPS, Verisign Certification Practice Statement, Version 1.2, May 15, 1997.*
ITU, Information Technology—Open Systems Interconnection—The Directory: Authentication Framework, Recommendation X.509, Nov. 1993.*
Network Security: Private Communication in a Public World, 1995, pp. 198-201.
