CA2526237A1 - Method for provision of access - Google Patents
Method for provision of access Download PDFInfo
- Publication number
- CA2526237A1 CA2526237A1 CA002526237A CA2526237A CA2526237A1 CA 2526237 A1 CA2526237 A1 CA 2526237A1 CA 002526237 A CA002526237 A CA 002526237A CA 2526237 A CA2526237 A CA 2526237A CA 2526237 A1 CA2526237 A1 CA 2526237A1
- Authority
- CA
- Canada
- Prior art keywords
- data
- access
- ipe1
- entity
- principal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
A method for provision of access for a data requesting entity (IRE) to data related to a principal is disclosed, comprising the steps of (i) creating an access granting ticket comprising an access specification specifying a permission for an access to data related to the principal, said data being available at a data providing entity (IPE1), and a principal identifier representing the principal towards the data providing entity (IPE1), (ii) encrypting the access granting ticket with an encryption key of the data providing entity (IPE1), (iii) communicating to the data requesting entity (IRE) the encrypted access granting ticket accompanied by an identifier of t he data providing entity (IPE1), (iv) communicating from the data requesting entity (IRE) to the data providing entity (IPE1) a request comprising the encrypted access granting ticket, (v) decrypting the encrypted access granti ng ticket with a decryption key of the data providing entity (IPE1) correspondi ng to the encryption key, (vi) providing to the data requesting entity (IRE) access to data related to the principal identifier according to the access specification.
Claims (31)
1. A method for provision of access for a data requesting entity (IRE) to data related to a principal, comprising the following steps:
creating an access granting ticket comprising (a) an access specification specifying a permission for an access to data related to the principal, said data being available at a data providing entity (IPE1), (b) a principal identifier representing the principal towards the data providing entity (IPE1), - encrypting the access granting ticket with an encryption key of the data providing entity (IPE1), - communicating to the data requesting entity (IRE) the encrypted access granting ticket accompanied by an identifier of the data providing entity (IPE1), - communicating from the data requesting entity (IRE) to the data providing entity (IPE1) a request comprising the encrypted access granting ticket, - decrypting the encrypted access granting ticket with a decryption key of the data providing entity (IPE1) corresponding to the encryption key, - providing to the data requesting entity (IRE) access to data related to the principal identifier according to the access specification.
creating an access granting ticket comprising (a) an access specification specifying a permission for an access to data related to the principal, said data being available at a data providing entity (IPE1), (b) a principal identifier representing the principal towards the data providing entity (IPE1), - encrypting the access granting ticket with an encryption key of the data providing entity (IPE1), - communicating to the data requesting entity (IRE) the encrypted access granting ticket accompanied by an identifier of the data providing entity (IPE1), - communicating from the data requesting entity (IRE) to the data providing entity (IPE1) a request comprising the encrypted access granting ticket, - decrypting the encrypted access granting ticket with a decryption key of the data providing entity (IPE1) corresponding to the encryption key, - providing to the data requesting entity (IRE) access to data related to the principal identifier according to the access specification.
2. The method according to claim 1, wherein the encrypted access granting ticket comprises or is accompanied by verification information and access is provided based on an analysis of the verification information.
3. The method according to claim 1 or 2, wherein the request to the data providing entity (IPE1) comprises a specification for requested data related to the principal and access is provided according to a matching of the access specification and the requested data.
4. The method according to any of the preceding claims, wherein the access granting ticket is created based on a data storage correlating at least two items of a group comprising the identifier of the data providing entity (IPE1), the data related to the principal available at the data providing entity (IPE1), the principal identifier, the encryption key, and the access specification.
5. The method according to any of the preceding claims, wherein an indication for the access specification entered into a principal entity (UE) to create the access granting ticket.
6. The method according to any of the preceding claims, wherein the access granting ticket further comprises security information and access is provided based on an analysis of the security information.
7. The method according to any of the preceding claims, wherein the encrypted access granting ticket is accompanied by public information.
8. The method according to claim 7, wherein the request to the data providing entity (IPE1) is communicated based on an analysis of the public information.
9. The method according to claim 7 or 8, wherein the decryption is based on an analysis of the public information.
10. The method according to any of the preceding claims, wherein the data to which access is provided to is transferred to the data requesting entity (IRE).
11. The method according to any of the preceding claims, wherein at least one further encrypted access granting ticket for further data related to the principal available at at least one further data providing entity (IPE2) is created and communicated to the date requesting entity (IRE) for provision of access to the further principal related data available at the at least one further data providing entity (IPE2), the at least one further encrypted access granting ticket being accompanied by at least one further identifier of the at least one further data providing entity (IPE2).
12. A principal entity (UE) for provision of access for a data requesting entity (IRE) to data related to a principal, comprising a transmission unit for sending of messages and information and a processing unit for processing of messages and information, wherein the processing unit is adapted to create an access granting ticket comprising an access specification specifying a permission for an access to data related to the principal, said data being available at a data providing entity (IPE1), and a principal identifier representing the principal towards the data providing entity (IPE1), to encrypt the access granting ticket with an encryption key of the data providing entity (IPE1), and to obtain an identifier of the data providing entity (IPE1), and the transmission unit is adapted to send the encrypted access granting ticket accompanied by the identifier of the data providing entity (IPE1) to the data requesting entity (IRE).
13. The principal entity (UE) according to claim 12, wherein the processing unit is adapted to include verification information into the access granting ticket and/or to attach verification information to the encrypted access granting ticket and the transmission unit is adapted to send the encrypted access granting ticket accompanied by the attached verification information to the data requesting entity (IRE).
14. The principal entity (UE) according to claim 12 or 13, wherein the processing unit is adapted to access a data storage correlating at least two items of a group comprising of the identifier of the data providing entity (IPE1), the data related to the principal available of the data providing entity (IPE1), the principal identifier, the encryption key, and the access specification, an to create the access granting ticket based on the data storage.
15. The principal entity (UE) according to any of the claims 12 to 14, wherein the processing unit is adapted to create the access granting ticket based on an indication for the access specification entered into an input unit of the principal entity (UE).
16. The principal entity (UE) according to any of the claims 12 to 15, wherein the processing unit is adapted to include security information into the access granting ticket.
17. The principal entity (UE) according to any of the claims 12 to 16, wherein the processing unit is adapted to obtain public information and the transmission unit is adapted to send the encrypted access granting ticket accompanied by the public information to the data requesting entity (IRE).
18. The principal entity (UE) according to any of the claims 12 to 17, wherein the processing unit is adapted to create at least one further encrypted access granting ticket for further data related to the principal available at at least one further data providing entity (IPE2) and the transmission unit is adapted to send the further encrypted access granting ticket to the data requesting entity (IRE) accompanied by at least one further identifier of the at least one further data providing entity (IPE2) for provision of access to the further principal related data accessible at the at least one further data providing entity (IPE2).
19. A data requesting entity (IRE) comprising a receiving unit for receiving messages and information, a transmission unit for sending of messages and information, and a processing unit for processing of messages and information, the receiving unit is adapted to receive a first encrypted access granting ticket for provision of access to first data related to a principal, said first data being available at a first data providing entity (IPE1), the first encrypted access granting ticket being accompanied by an identifier of the first data providing entity (IPE1) and to receive a further encrypted access granting ticket for provision of access to further data related to the principal, said further data being available at a further data providing entity (IPE2), the further encrypted access granting ticket being accompanied by a further identifier of the further data providing entity (IPE2), the processing unit is adapted to generate a first request comprising the first encrypted access granting ticket and a further request comprising the further encrypted access granting ticket and the transmission unit is adapted to send the first request to the first data providing entity (IPE1) and the further request to the further data providing entity (IPE2), and the receiving unit is adapted to receive a first indication for access provision to the first data from the first data providing entity (IPE1) and a further indication for access provision to the further data from the further data providing entity (IPE2).
20. The data requesting entity (IRE) according to claim 19, wherein at least one of the first encrypted access granting ticket and the further encrypted access granting ticket is accompanied by public information and the processing unit is adapted to analyze the public information before the generation of at least one of the first request and the further request.
21. The data requesting entity (IRE) according to claim 19 or 20, wherein the first indication comprises the first data related to the principal and the further indication comprises the further data related to the principal.
22. A data providing entity (IPE1) for provision of access to data related to a principal, the data providing entity (IPE1) comprising a receiving unit for receiving messages and information, a transmission unit for sending of messages and information, and a processing unit for processing of messages and information, wherein the receiving unit is adapted to receive a request from a data requesting entity (IRE), the request comprising an access granting ticket encrypted with an encryption key of the data providing entity (IPE1), the access granting ticket comprising an access specification specifying a permission for an access to data related to the principal, said data being available at the data providing entity (IPE1), and a principal identifier representing the principal towards the data providing entity (IPE1) the processing unit is adapted to decrypt the encrypted access granting ticket with a decryption key of the data providing entity (IPE1) corresponding to the encryption key and to provide to the data requesting entity (IRE) access to data related to the principal identifier according to the access specification.
23. The data providing entity (IPE1) according to claim 22, wherein the encrypted access granting ticket comprises or is accompanied by verification information and the processing unit is adapted to provide access based on an analysis of the verification information.
24. The data providing entity (IPE1) according to claim 22 or 23, wherein the request comprises a specification for requested data related to the principal and the processing unit is adapted to provide access according to a matching of the access specification and the requested data.
25. The data providing entity (IPE1) according to any of the claims 22 to 24, wherein the access granting ticket further comprises security information and the processing unit is adapted to provide access based on an analysis of the security information.
26. The data providing entity (IPE1) according to any of the claims 22 to 25, wherein the encrypted access granting ticket is accompanied by public information and the processing unit is adapted to initiate the decryption based on an analysis of the public information.
27. The data providing entity (IPE1) according to any of the claims 22 to 26, wherein the transmission unit is adapted to send the data, to which access is provided to, to the data requesting entity (IRE).
28. A computer program loadable into the processing unit of a principal entity, wherein the computer program comprises code adapted to create an access granting ticket comprising an access specification specifying a permission for an access to data related to the principal, said data being available at a data providing entity (IPE1), and a principal identifier representing a principal towards the data providing entity (IPE1), to encrypt the access granting ticket with an encryption key of the data providing entity (IPE1), to obtain an identifier of a data providing entity (IPE1), and to initiate a sending of the encrypted access granting ticket accompanied by the identifier of the data providing entity (IPE1) to the data requesting entity (IRE).
29. A computer program loadable into the processing unit of a data requesting entity (IRE), wherein the computer program comprises code adapted to process a first encrypted access granting ticket for provision of access to first data related to a principal, said first data being available at a first data providing entity (IPE1), the first encrypted access granting ticket being accompanied by an identifier of the first data providing entity (IPE1) and to process a further encrypted access granting ticket for provision of access to further data related to the principal, said further data being available at a further data providing entity (IPE2), the further encrypted access granting ticket being accompanied by a further identifier of the further data providing entity (IPE2), to generate a first request comprising the first encrypted access granting ticket and a further request comprising the further encrypted access granting ticket and to initiate a sending of the first request to the first data providing entity (IPE1) and of the further request to the further data providing entity (IPE2), and to process a first indication for access provision to the first data from the first data providing entity (IPE1) and a further indication for access provision to the further data from the further data providing entity (IPE2).
30. A computer program loadable into the processing unit of a data providing entity (IPE1), wherein the computer program comprises code adapted to process a request from a data requesting entity (IRE), the request comprising an access granting ticket encrypted with an encryption key of the data providing entity (IPE1), the access granting ticket comprising an access specification specifying a permission for an access to data related to a principal, said data being available at the data providing entity (IPE1), and a principal identifier representing the principal towards the data providing entity (IPE1), to decrypt the encrypted access granting ticket with a decryption key of the data providing entity (IPE1) corresponding to the encryption key and to provide to the data requesting entity (IRE) access to data related to the principal identifier according to the access specification.
31. The computer program according to any of the claims 28 to 30, wherein the computer program comprises code adapted to perform any of the steps of a method according to any of the claims 1 to 11.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2003/003539 WO2004088947A1 (en) | 2003-04-04 | 2003-04-04 | Method for provision of access |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2526237A1 true CA2526237A1 (en) | 2004-10-14 |
| CA2526237C CA2526237C (en) | 2012-10-23 |
Family
ID=33104030
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA2526237A Expired - Fee Related CA2526237C (en) | 2003-04-04 | 2003-04-04 | Method for provision of access |
Country Status (11)
| Country | Link |
|---|---|
| US (1) | US7958548B2 (en) |
| EP (1) | EP1611725B8 (en) |
| JP (1) | JP4607602B2 (en) |
| CN (1) | CN1759585B (en) |
| AT (1) | ATE343294T1 (en) |
| AU (1) | AU2003227565A1 (en) |
| CA (1) | CA2526237C (en) |
| DE (1) | DE60309216T2 (en) |
| ES (1) | ES2274229T3 (en) |
| MX (1) | MXPA05010126A (en) |
| WO (1) | WO2004088947A1 (en) |
Families Citing this family (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1632091A4 (en) * | 2003-05-12 | 2006-07-26 | Gtech Corp | Method and system for authentication |
| US8095500B2 (en) | 2003-06-13 | 2012-01-10 | Brilliant Digital Entertainment, Inc. | Methods and systems for searching content in distributed computing networks |
| US7729992B2 (en) * | 2003-06-13 | 2010-06-01 | Brilliant Digital Entertainment, Inc. | Monitoring of computer-related resources and associated methods and systems for disbursing compensation |
| EP1678566A1 (en) * | 2003-10-31 | 2006-07-12 | Telefonaktiebolaget LM Ericsson (publ) | Method and devices for the control of the usage of content |
| CN100549985C (en) * | 2004-05-03 | 2009-10-14 | 捷讯研究有限公司 | The system and method that is used for application authorization |
| US8220042B2 (en) * | 2005-09-12 | 2012-07-10 | Microsoft Corporation | Creating secure interactive connections with remote resources |
| US8347090B2 (en) * | 2006-10-16 | 2013-01-01 | Nokia Corporation | Encryption of identifiers in a communication system |
| US8208900B2 (en) * | 2008-03-04 | 2012-06-26 | Apple Inc. | Secure device configuration profiles |
| CN102237999B (en) * | 2010-04-23 | 2016-04-13 | 中兴通讯股份有限公司 | Message treatment method and message dispensing device |
| EP2690571A4 (en) * | 2011-03-23 | 2014-08-20 | Nec Corp | Permit issuance apparatus and permit issuance method |
| EP2560124A1 (en) * | 2011-08-02 | 2013-02-20 | Tata Consultancy Services Limited | Access rights management in enterprise digital rights management systems |
| US11250423B2 (en) * | 2012-05-04 | 2022-02-15 | Institutional Cash Distributors Technology, Llc | Encapsulated security tokens for electronic transactions |
| US8844026B2 (en) | 2012-06-01 | 2014-09-23 | Blackberry Limited | System and method for controlling access to secure resources |
| WO2015023341A2 (en) | 2013-05-23 | 2015-02-19 | Intertrust Technologies Corporation | Secure authorization systems and methods |
| WO2015142339A1 (en) * | 2014-03-20 | 2015-09-24 | Hewlett-Packard Development Company, L.P. | Storage system transactions |
| US10588019B2 (en) * | 2016-05-05 | 2020-03-10 | Qualcomm Incorporated | Secure signaling before performing an authentication and key agreement |
| CN110084003B (en) * | 2018-01-26 | 2021-04-09 | 北大方正集团有限公司 | Method and system for accessing encryption lock based on middleware |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1179293C (en) * | 1997-11-07 | 2004-12-08 | 瑞士电信流动电话公司 | Method, system and device for authenticating persons |
| US6023510A (en) * | 1997-12-24 | 2000-02-08 | Philips Electronics North America Corporation | Method of secure anonymous query by electronic messages transported via a public network and method of response |
| US6484258B1 (en) * | 1998-08-12 | 2002-11-19 | Kyber Pass Corporation | Access control using attributes contained within public key certificates |
| JP2001186122A (en) * | 1999-12-22 | 2001-07-06 | Fuji Electric Co Ltd | Authentication system and authentication method |
| JP2002082917A (en) * | 2000-07-04 | 2002-03-22 | Sony Computer Entertainment Inc | Contents distribution method, contents distribution server, and client terminal in contents distribution infrastructure |
| US20020152393A1 (en) * | 2001-01-09 | 2002-10-17 | Johannes Thoma | Secure extensible computing environment |
| SE518725C2 (en) * | 2001-03-16 | 2002-11-12 | Smarttrust Systems Oy | Procedure and arrangement in a communication system |
| JP2003016364A (en) * | 2001-07-04 | 2003-01-17 | Jcb:Kk | Credit card dealing requesting device, credit settlement server, credit card dealing requesting method, computer program, and ic chip |
-
2003
- 2003-04-04 DE DE60309216T patent/DE60309216T2/en not_active Expired - Lifetime
- 2003-04-04 US US10/551,855 patent/US7958548B2/en active Active
- 2003-04-04 AU AU2003227565A patent/AU2003227565A1/en not_active Abandoned
- 2003-04-04 ES ES03724957T patent/ES2274229T3/en not_active Expired - Lifetime
- 2003-04-04 MX MXPA05010126A patent/MXPA05010126A/en active IP Right Grant
- 2003-04-04 EP EP03724957A patent/EP1611725B8/en not_active Expired - Lifetime
- 2003-04-04 AT AT03724957T patent/ATE343294T1/en not_active IP Right Cessation
- 2003-04-04 WO PCT/EP2003/003539 patent/WO2004088947A1/en active IP Right Grant
- 2003-04-04 CN CN038262622A patent/CN1759585B/en not_active Expired - Fee Related
- 2003-04-04 JP JP2004570031A patent/JP4607602B2/en not_active Expired - Fee Related
- 2003-04-04 CA CA2526237A patent/CA2526237C/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| EP1611725B8 (en) | 2007-02-28 |
| ATE343294T1 (en) | 2006-11-15 |
| CN1759585B (en) | 2011-08-03 |
| EP1611725B1 (en) | 2006-10-18 |
| US7958548B2 (en) | 2011-06-07 |
| DE60309216T2 (en) | 2007-08-23 |
| US20070067836A1 (en) | 2007-03-22 |
| EP1611725A1 (en) | 2006-01-04 |
| WO2004088947A1 (en) | 2004-10-14 |
| AU2003227565A1 (en) | 2004-10-25 |
| CN1759585A (en) | 2006-04-12 |
| ES2274229T3 (en) | 2007-05-16 |
| DE60309216D1 (en) | 2006-11-30 |
| CA2526237C (en) | 2012-10-23 |
| JP4607602B2 (en) | 2011-01-05 |
| JP2006522374A (en) | 2006-09-28 |
| MXPA05010126A (en) | 2005-11-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8712041B2 (en) | Content protection apparatus and content encryption and decryption apparatus using white-box encryption table | |
| CA2526237A1 (en) | Method for provision of access | |
| CN102077213B (en) | Techniques for ensuring authentication and integrity of communications | |
| MXPA06000364A (en) | Method for generating and managing a local area network. | |
| RU2010114241A (en) | MULTIFACTOR CONTENT PROTECTION | |
| EP0874300A3 (en) | Information transmission, reception and recording | |
| WO2001097480A3 (en) | System and method for controlling the access to digital works through a network | |
| EP0874299A3 (en) | Data transmission, reception, encryption, decryption and recording | |
| IL179466A0 (en) | A method of encrypting and transferring data between a sender and a receiver using a network | |
| TW200641642A (en) | Stateless methods for resource hiding and access control support based on URI encryption | |
| US20090158035A1 (en) | Public Key Encryption For Web Browsers | |
| WO2008032304A3 (en) | Method and system for secure data collection and distribution | |
| AU2002252241A1 (en) | Method and system for providing bus encryption based on cryptographic key exchange | |
| WO2002033881A3 (en) | Fast escrow delivery | |
| CN101526985A (en) | Client system and method of digital rights management and digital rights management system | |
| GB2404535B (en) | Secure transmission of data within a distributed computer system | |
| CN110996319A (en) | System and method for performing activation authorization management on software service | |
| CA2565508A1 (en) | Secure license key method and system | |
| KR970056124A (en) | Differential Factor Cryptography Method and System | |
| CN101399663B (en) | Method, system and device for digital content authentication | |
| CN112528309A (en) | Data storage encryption and decryption method and device | |
| CN104717213A (en) | Encryption and decryption method and system for network data transmission | |
| EP3883177B1 (en) | General data protection method for multicentric sensitive data storage and sharing | |
| WO2009004590A3 (en) | Method, apparatus, system and computer program for key parameter provisioning | |
| KR20090024482A (en) | Key management system for using content and method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20210406 |