Method and apparatus for graph-based partition of cryptographic functionality
IPC분류정보
국가/구분 |
United States(US) Patent
등록
|
국제특허분류(IPC7판) |
|
출원번호 |
UP-0631989
(2003-07-31)
|
등록번호 |
US-7730518
(2010-06-22)
|
발명자
/ 주소 |
- Jakobsson, Bjorn Markus
- Kaliski, Jr., Burton S.
|
출원인 / 주소 |
|
대리인 / 주소 |
|
인용정보 |
피인용 횟수 :
3 인용 특허 :
8 |
초록
▼
Techniques are disclosed for partitioning of cryptographic functionality, such as authentication code verification or generation ability, so as to permit delegation of at least one of a number of distinct portions of the cryptographic functionality from a delegating device to at least one recipient
Techniques are disclosed for partitioning of cryptographic functionality, such as authentication code verification or generation ability, so as to permit delegation of at least one of a number of distinct portions of the cryptographic functionality from a delegating device to at least one recipient device. The cryptographic functionality is characterizable as a graph comprising a plurality of nodes, and a given set of the nodes is associated with a corresponding one of the distinct portions of the cryptographic functionality. Information representative of one or more of the nodes is transmitted from the delegating device to the recipient device such that the recipient device is thereby configurable for authorized execution of a corresponding one of the distinct portions of the cryptographic functionality. Advantageously, the invention provides a particularly efficient mechanism for the provision of cryptographic functionality in accordance with a subscription model.
대표청구항
▼
What is claimed is: 1. A method for partitioning of cryptographic functionality so as to permit delegation of at least one of a plurality of distinct portions of the cryptographic functionality from a delegating device to at least one recipient device, the cryptographic functionality being characte
What is claimed is: 1. A method for partitioning of cryptographic functionality so as to permit delegation of at least one of a plurality of distinct portions of the cryptographic functionality from a delegating device to at least one recipient device, the cryptographic functionality being characterized as a graph comprising a plurality of nodes, the method comprising the steps of: associating a given set of the nodes with a corresponding one of the plurality of distinct portions of the cryptographic functionality; and transmitting from the delegating device to the recipient device information representative of one or more of the nodes; the recipient device being configured based on the transmitted information for authorized execution of a corresponding one of the plurality of distinct portions of the cryptographic functionality; wherein the nodes of the graph are arranged in a plurality of levels with one or more nodes at each level; wherein the nodes correspond to respective seeds; wherein a first seed associated with a node of a first one of the levels is computed as a function of a second seed associated with a node of a second one of the levels higher than the first level; the transmitted information including the first seed but not the second seed; wherein the delegating device and the recipient device perform distinct functions; and wherein the delegating device and said at least one recipient device collectively perform the cryptographic functionality. 2. The method of claim 1 wherein at least one of the nodes of the graph corresponds to a seed the possession of which permits execution of a corresponding one of the distinct portions of the cryptographic functionality. 3. The method of claim 1 wherein the transmitting step further comprises transmitting from the delegating device to the recipient device information representative of at least two of the nodes. 4. The method of claim 1 wherein the transmitting step further comprises transmitting from the delegating device to the recipient device information representative of at least one parent node of the graph. 5. The method of claim 1 wherein the transmitting step further comprises transmitting from the delegating device to the recipient device information representative of at least one child node of a parent node of the graph. 6. The method of claim 1 wherein the graph comprises at least first and second root nodes. 7. The method of claim 1 wherein the graph comprises a tree having at least first and second subtrees associated with respective first and second ones of the plurality of distinct portions of the cryptographic functionality. 8. The method of claim 1 wherein the graph comprises a chain. 9. The method of claim 1 wherein the graph comprises L levels of nodes, an Lth one of the levels comprising a parent node vL,1, and a first one of these levels comprising a set of seeds v1,1, v1,2, . . . v1,n, where n is the total number of seeds, each of the seeds being derivable from the parent node. 10. The method of claim 9 wherein an ith node of a kth one of the levels is computed as ƒk(i, vk+1), where ƒk is a one-way function. 11. The method of claim 10 wherein the nodes of one or more of the levels are arranged in the form of tuples of designated numbers of nodes. 12. The method of claim 11 wherein the ith node of a jth tuple of the kth level is computed as ƒk(j, i, vk+1,j). 13. The method of claim 1 wherein the cryptographic functionality comprises a cryptographic functionality provided by a hardware-based authentication token. 14. The method of claim 1 wherein the cryptographic functionality comprises an ability to verify at least one of an authentication code and a distress code generated by a hardware-based authentication token. 15. The method of claim 14 wherein the authentication token is configured to store at least two seeds, and the cryptographic functionality comprises a verification operation performed collaboratively by at least first and second servers each storing one of the seeds. 16. The method of claim 1 wherein the cryptographic functionality comprises an ability to generate at least one of an authentication code and a distress code utilizing a hardware-based authentication token. 17. The method of claim 1 wherein the cryptographic functionality comprises at least one of an ability to verify a signature and an ability to generate a signature. 18. The method of claim 1 wherein the cryptographic functionality comprises an ability to generate one or more values of a one-way chain. 19. The method of claim 1 wherein the cryptographic functionality comprises an ability to perform symmetric cryptographic operations. 20. The method of claim 1 wherein the cryptographic functionality comprises an ability to perform asymmetric cryptographic operations. 21. The method of claim 1 wherein the cryptographic functionality comprises an ability to derive one or more cryptographic keys. 22. The method of claim 1 wherein the cryptographic functionality comprises an ability to compute one or more seeds. 23. The method of claim 22 wherein at least one of the seeds corresponds to at least one of the nodes of the graph. 24. The method of claim 1 wherein the cryptographic functionality is partitioned in accordance with a subscription model which requires compliance with at least one specified criterion for transmission from the delegating device to the recipient device of the information representative of one or more of the nodes. 25. The method of claim 24 wherein compliance with the specified criterion is satisfied upon receipt of a designated payment. 26. The method of claim 1 wherein the recipient device and the delegating device collaborate to perform at least one of a cryptographic verification function and a cryptographic generation function. 27. The method of claim 26 wherein the recipient device includes only a limited computational ability associated with performance of the cryptographic function. 28. An apparatus comprising: a processing device comprising a processor coupled to a memory; the processing device being utilized in conjunction with partitioning of cryptographic functionality so as to permit delegation of at least one of a plurality of distinct portions of the cryptographic functionality from the processing device, configured as a delegating device, to at least one recipient device, the cryptographic functionality being characterized as a graph comprising a plurality of nodes; the processing device being configured to associate a given set of the nodes with a corresponding one of the plurality of distinct portions of the cryptographic functionality, and to transmit to the recipient device information representative of one or more of the nodes, the recipient device being configured based on the transmitted information for authorized execution of a corresponding one of the plurality of distinct portions of the cryptographic functionality; wherein the nodes of the graph are arranged in a plurality of levels with one or more nodes at each level; wherein the nodes correspond to respective seeds; wherein a first seed associated with a node of a first one of the levels is computed as a function of a second seed associated with a node of a second one of the levels higher than the first level; the transmitted information including the first seed but not the second seed; wherein the delegating device and the recipient device perform distinct functions; and wherein the delegating device and said at least one recipient device collectively perform the cryptographic functionality. 29. An apparatus comprising: a processing device comprising a processor coupled to a memory; the processing device being utilized in conjunction with partitioning of cryptographic functionality so as to permit delegation of at least one of a plurality of distinct portions of the cryptographic functionality to the processing device, configured as a recipient device, from at least one delegating device, the cryptographic functionality being characterized as a graph comprising a plurality of nodes; a given set of the nodes being associated with a corresponding one of the plurality of distinct portions of the cryptographic functionality; the processing device being operative to receive from the delegating device information representative of one or more of the nodes, the processing device being configured based on the received information for authorized execution of a corresponding one of the plurality of distinct portions of the cryptographic functionality; wherein the nodes of the graph are arranged in a plurality of levels with one or more nodes at each level; wherein the nodes correspond to respective seeds; wherein a first seed associated with a node of a first one of the levels is computed as a function of a second seed associated with a node of a second one of the levels higher than the first level; the received information including the first seed but not the second seed; wherein the recipient device and the delegating device perform distinct functions; and wherein the recipient device and said at least one delegating device collectively perform the cryptographic functionality. 30. A non-transitory machine-readable storage medium containing one or more software programs for use in partitioning of cryptographic functionality so as to permit delegation of at least one of a plurality of distinct portions of the cryptographic functionality from a delegating device to at least one recipient device, the cryptographic functionality being characterized as a graph comprising a plurality of nodes, wherein the one or more software programs when executed by the delegating device implement the steps of: associating a given set of the nodes with a corresponding one of the plurality of distinct portions of the cryptographic functionality; and transmitting from the delegating device to the recipient device information representative of one or more of the nodes; the recipient device being configured based on the transmitted information for authorized execution of a corresponding one of the plurality of distinct portions of the cryptographic functionality; wherein the nodes of the graph are arranged in a plurality of levels with one or more nodes at each level; wherein the nodes correspond to respective seeds; wherein a first seed associated with a node of a first one of the levels is computed as a function of a second seed associated with a node of a second one of the levels higher than the first level; the transmitted information including the first seed but not the second seed; wherein the delegating device and the recipient device perform distinct functions; and wherein the delegating device and said at least one recipient device collectively perform the cryptographic functionality.
이 특허에 인용된 특허 (8)
-
Mashayekhi,Cameron, Apparatus and method for automatically authenticating a network client.
-
Johnson ; Jr. William S., Cryptography security for remote dispenser transactions.
-
Merkle Ralph C. (1134 Pimento Ave. Sunnyvale CA 94087), Digital signature system and method based on a conventional encryption function.
-
Micali Silvio, Fair cryptosystems and methods of use.
-
Kocher, Paul C., Leak-resistant cryptographic indexed key update.
-
Chen,Shigang; Wei,Liman, Method and apparatus for negotiating Diffie-Hellman keys among multiple parties using a distributed recursion approach.
-
Brainard,John G.; Kaliski, Jr.,Burton S.; Nystr철m,Magnus; Rivest,Ronald L., System and method for authentication seed distribution.
-
Ginter Karl L. ; Shear Victor H. ; Sibert W. Olin ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
이 특허를 인용한 특허 (3)
-
Bailey, Daniel V.; Duane, William M., Access point—authentication server combination.
-
Chase, Melissa E.; Kamara, Seny F., Graph encryption.
-
Gallois, Xavier; Vibert, Guillaume, Method for enhancing data reliability in a computer.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.