US20160337374A1 - Access of a service - Google Patents
- Publication number
- US20160337374A1 (application US15/218,614)
- Authority
- US
- United States
- Prior art keywords
- address
- cell
- spoke
- message
- target device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/35—Network arrangements, protocols or services for addressing or naming involving non-standard use of addresses for implementing network functionalities, e.g. coding subscription information within the address or functional addressing, i.e. assigning an address to a function
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- SaaS software as a service
- Access control lists have been used to provide group security management.
- An access control list (ACL) provides a list of authorised entities as well as every object in the system.
- An access control monitor may look to the list and determine what entities can or cannot access, share or destroy any object.
- Use of ACLs requires a reasonable level of expertise and does not therefore offer a simple method to control access to services.
- the size of an ACL is related to the number of devices which have been granted access to objects in the system and may become large.
- FIG. 1 shows a system according to an embodiment of the invention
- FIG. 2 shows a cell according to an embodiment of the invention
- FIG. 3 shows a messaging service according to an embodiment of the invention.
- FIG. 4 shows an illustration of communication channels according to an embodiment of the invention.
- FIG. 1 illustrates a system for secure access of services according to an embodiment of the invention.
- the device may be a hardware device such as, for example, a printer, a mobile phone, tablet, personal computer, network-connected printer, TV set-top box or other device which may provide one or more services.
- the one or more services may be provided by a software object, such as a chat or social media, video sharing or collaborative software object, for example.
- object used herein may refer to a hardware device or software object.
- the system will be explained with reference to a network-connected printer which provides printing services to one or more users. Users may access the services provided by the printer using a remotely connected device, such as a print application operably residing on a smart phone.
- the system comprises a hub device 110 , which is an object that provides one or more services.
- the hub device 110 is the printer noted above.
- the system further comprises a group message system (GMS) server 120 , a host 130 and a spoke device 140 which is a device that accesses at least some of the services provided by the hub device 110 , such as the mobile phone mentioned above.
- GMS group message system
- the GMS 120 is a central message facility which facilitates secure messaging communication.
- the GMS 120 provides a secure message communication facility between individual and groups of devices, as will be explained.
- the GMS 120 provides one or more communication links having an input address and an output address, wherein at least one of the input address and the output address is linked to the other via a cryptographic key.
- the input and output addresses are randomised numbers such that the spoke device 140 only knows the input address and cannot compute the output address for the link.
- the hub device 110 receives communications from the output address of the link which are sent to the input address by the spoke device 140 .
- the host 130 comprises a hub-and-spoke message communication topologies (HSMCT) manager 135 and a policy group manipulator (PGM) 136 .
- the host 130 may be implemented within the hub device 110 or may be accessible to the hub device 110 over a network, such as the Internet, and implemented on at least one remote server.
- the host 130 will be described as implemented as a cloud service which is accessible to a user of the hub device 110 through an interface of the hub device 110 which communicates with the HSMCT manager 135 and consequently the PGM 136 via a suitable API.
- the hub device 110 may support a web browser which allows the user to access the HSMCT manager 135 .
- a user may also access the HSMCT manager 135 without use of the hub device 110 i.e. via a web browser supported by another device.
- the HSMCT manager 135 and PGM 136 may be integrated into a single entity.
- the HSMCT manager 135 is controlled by the user via the hub device 110 to cause the PGM 136 to create one or more policy groups 150 .
- a policy group 150 is provided for controlling access to services of the hub device 110 .
- the policy group controls which spoke devices 140 may access services provided by the hub device 110 , and the services of the hub device 110 which may be accessed by those spoke devices 140 .
- Each policy group 150 is identified by a policy group name and may also be associated with a policy group description.
- the policy group name and description allow the user to identify the policy group 150 and the purpose of the policy group.
- policy groups may be established for the printer 110 having policy group names of “Family” and “Friends”.
- the associated descriptions may identify to the user that, for example, members of the “Family” policy group are allowed to access a colour printing service provided by the printer 110 whilst members of the “Friends” policy group are only able to access a black and white print service provided by the printer 110 .
- the policy group name and description may be altered by the user at any time without affecting the operation of the policy group, or having to communicate the changes to spoke devices 140 .
- Each policy group comprises an f-set 115 and a hub-and-spoke message communication topology HSMCT 125 .
- the f-set 115 is logically connected to the HSMCT 125 by the hub device 110 .
- the HSMCT 125 securely controls message communication between the spoke device 140 , the hub device 110 and the f-set 115 residing on the hub device 110 .
- the f-set 115 defines which functions may be accessed on the hub device 110 and therefore represents a set of functions accessible on the hub device 110 by members of the policy group 150 . Functions of the hub device 110 may be added to, or removed from, the f-set 115 by the user of the hub device 110 accessing the HSMCT manager 125 .
- the HSMCT 125 defines zero or more spoke devices 140 which may access the functions included within the associated f-set 115 .
- the user of the hub device 110 may add or remove spoke devices 140 to/from the HSMCT 125 via the HSMCT manager 135 .
- Each spoke device 140 is uniquely identified to the HSMCT 125 by unique identifying information such as a public key, system account name, mobile phone number etc. associated with the spoke device 140. Therefore a spoke device 140 is able to access a function, such as the colour printing function, of the hub device 110 if the spoke device 140 is included in the HSMCT 125 and the function is included within the corresponding f-set 115.
- the HSMCT 125 is a structure which allows message communication between the spoke device 140 and the f-set 115 associated with the HSMCT 125 .
- the HSMCT 125 defines a message communication switchboard which is implemented by the GMS 120 allowing the spoke 140 and hub 110 devices to communicate. Specifically, the HSMCT 125 allows spoke devices 140 to access the f-set 115 of functions on the hub device 110 .
- the HSMCT 125 uses low-level data structures referred to as cells. As will be explained, a cell has a random input address and a random output address, wherein the output address may be cryptographically computed from the input address, or vice versa, using a cryptographic key. In this way, an unauthorised device does not have knowledge of a valid input address and cannot compute the output address without the cryptographic key. Knowledge of the input address is assumed to be authorisation to access the functions defined by the f-set 115.
- the system includes cells 210 , one of which is shown in FIG. 2 , which may receive data from an input address (IA) 220 and send data from an output address (OA) 230 , both of which are randomised by cryptographic numbers.
- the cell 210 represents a communication capability described by the tuple (IA, OA) such that the output address 230 cannot be computed knowing the input address 220 and vice versa without the possession of a secret cryptography key which is possessed by the kernel.
- Users or entities in possession of the input address (IA) 220 can send or write messages to the cell 210 and entities in possession of the output address (OA) 230 can receive or read messages from the cell 210 .
- entities in possession of the input address (IA) 220 cannot receive or read messages from the cell without the output address (OA) 230
- entities in possession of the output address (OA) 230 cannot send or write messages to the cell without the input address (IA) 220 .
- the message service facility 140 provides a messaging service and a control service that are decentralized so that clients can create and manage groups and group communications without interference from the trusted central facility.
- the message service (MS) facility 14 may be implemented by a hardware device including a processor 40 and data storage 42 .
- the central facility includes a number of cells 34 , 34 ′, 34 ′′, as discussed above, which are dynamically created when needed based on a number of cryptographic rules.
- the facility 14 includes one or more master keys 38 , 38 ′, 38 ′′ which are used to calculate, for example, the OA 230 from the IA 220 .
- Users or entities in possession of the input address IA 220 can send or write messages to the cell 34 , and entities in possession of the output address OA 230 can receive or read messages from the cell 34 .
- entities in possession of the input address IA without the output address OA cannot receive or read messages from the cell, and entities in possession of the output address OA without the input address IA cannot send or write messages to the cell.
- Each cell 34 is a virtual switchboard that users of the central facility may use to virtually connect or disconnect their computing devices.
- the MS facility 14 also includes a messaging service 44 and a control service 46 .
- the messaging service 44 allows clients to send messages to one or more other clients.
- the control service 46 allows clients 12 to perform communication control (e.g., read control and/or write control).
- the messaging service 22 includes at least a forwarder 48 and a queue 36 , and a set of queries for writing to the forwarder 48 and reading from the queue 36 .
- the forwarder 48 includes computer readable instructions that copy message(s) received at the forwarder 48 , and transmit the copied message(s) to multiple cells 34 , 34 ′, 34 ′′ that are linked to the forwarder 48 .
- the forwarder 48 enables a user to generate a single message and have it sent to multiple different cells 34 , 34 ′, 34 ′′.
- the forwarder 48 is associated with a forwarder address that can be attached to the input address of one or more cells 34 , 34 ′, 34 ′′ of the same or different type.
- the queue 36 includes computer readable instructions (embedded on a non-transitory, tangible computer readable medium) that retrieve messages sent to a cell 34 , 34 ′, 34 ′′ associated with the queue 36 from one or more cells 34 , 34 ′, 34 ′′ of the same or different type.
- the queue 36 enables a user to retrieve all of his/her messages that have been sent from multiple different cells 34 , 34 ′, 34 ′′.
- the control service 46 defines the links between the cells 34 , 34 ′, 34 ′′, queues 36 , and forwarders 48 , as well as the set of queries for adding, removing and discovering these links.
- a variety of links may be formed, directly or indirectly, between the cells, thus enabling the formation of groups that contain different users, and in some instances, different devices.
- Device to device communication i.e. unicast communication may also be provided by the messaging facility 14 .
- the message facility 14 is implemented in embodiments of the present invention by the GMS 120 .
- the HSMCT 125 defines unicast communication paths between the hub device 110 and each spoke device 140 .
- the unicast communication paths comprise, for each spoke device 140 , a pair of unidirectional communication channels each implemented by a corresponding cell 210 .
- the unicast communication paths allow communication between the spoke device 140 and the f-set 115 to access functions on the hub device 110 .
- the HSMCT 125 may also define multicast communication paths between the hub device 110 and spoke devices 140 . To implement the multicast communication the HSMCT 125 defines a group comprising the hub device 110 and spoke devices 140 of the policy group 150 .
- the multicast communication allows the hub device 110 to communicate information in a multicast manner to spoke devices 140 associated with the HSMCT 125 .
- the multicast communication paths may also allow spoke devices 140 to broadcast information to other spoke devices associated with the HSMCT 125 and the hub device 110 .
- the hub device 110 adds a spoke device 140 to the HSMCT 125 by creating unicast read and write addresses in the HSMCT 125 by generating one or more corresponding cells 210 .
- the hub device 110 may also create one or both of read and/or write multicast addresses on the HSMCT 125 for the spoke device 140 , as will be explained.
- the hub device 110 may also create a write multicast address on the HSMCT 125 for the spoke device 140 .
- the addresses may be created by the hub device 110 communicating with the HSMCT Manager 135 .
- the HSMCT manager 135 consequently controls the PGM 136 to communicate with the GMS 120 by sending a get cell query message to the GMS 120 to cause the creation of one or more cells 210 each having an IA 220 and OA 230 .
- the necessary addresses, such as an IA 220 for communication with the f-set 115, are then communicated to the spoke device 140, such as via an out-of-band channel.
- the necessary addresses are also communicated to the hub device 110 , such as the corresponding OA 230 for the input address.
- the out-of-band channel may be, for example, email or via the GMS 120 itself.
- the GMS 120 may create cells in the HSMCT 125 in response to the received get cell query messages.
- the GMS 120 may create one of the IA 220 or the OA 230 of the cell in a pseudorandom manner, such as by using a cryptographically secure PseudoRandom Bit Generator (PRBG).
- PRBG PseudoRandom Bit Generator
- the GMS 120 may create the OA 230 using the PRBG.
- the IA 220 is created based upon the OA 230 .
- the IA 220 is a randomised input address which may be generated in some embodiments using a symmetric key encryption method such as, for example, the US National Institute of Standards and Technology's Advanced Encryption Standard with a key size of 256 bits (AES 256 ).
- the IA may be generated according to:
- E is a symmetric encryption method and K is a system master key possessed by the GMS 120 .
- one of the IA 220 or the OA 230 may be computed based upon a public key associated with the spoke device 140 .
- the public key associated with the spoke device 140 may be obtained by the GMS 120 .
- the GMS 120 may compute one of the OA 230 or the IA 220 using a hash function based upon the public key.
- the other of the IA 220 or the OA 230 may then be computed as described above using the symmetric key encryption method and the system master key K.
- the hub device 110 may also revoke access for a spoke device 140 by deleting the created addresses for that spoke from the HSMCT 125 .
- the hub device 110 can control the capability of spoke devices 140 to communicate with the f-set 115 of the policy group 150 via the HSMCT 125 .
- FIG. 4 illustrates an exemplary system according to an embodiment of the invention.
- the exemplary system includes a hub device 510 having a public key 511 and an f-set 515 , a GMS 520 supporting a HSMCT 425 of a policy group, and two spoke devices 530 , 540 each having a corresponding public key 531 , 541 . It will be realised that the system may comprise other numbers of spoke devices.
- the HSMCT 425 includes two pairs of cells 410 , 420 , 430 , 440 allowing communication between the spoke devices 530 , 540 and the hub device 510 .
- a first pair of cells 410 , 420 allows communication between a first of the spoke devices 530 and the hub device 510 such that the first spoke device 530 may access services having functions included within the f-set 515 of the policy group.
- the first pair of cells 410 , 420 includes two unidirectional cells arranged in opposed directions.
- a second of the spoke devices 540 is associated with two unidirectional cells 430 , 440 such that the second spoke device 540 may access services included within the f-set 515 .
- the HSMCT 425 further comprises a group cell structure 450 .
- the group cell structure 450 is formed by appropriately connected cells on the GMS 520 .
- the group cell structure 450 allows spoke devices 530 , 540 to write to the group cell structure, such that a message is broadcast to the other spoke devices 530 , 540 and the hub device 510 , and also so that the hub device 510 may broadcast messages to all spoke devices 530 , 540 .
- the spoke devices 530 , 540 may only have read access to the broadcast cell structure 450 to receive messages broadcast from the hub device 510 .
- the group cell structure 450 of the HSMCT 425 is formed as a managed group with the HSMCT (not shown in FIG. 4 ) as group manager.
- the HSMCT manager 135 receives the public keys 511 , 531 , 541 of the hub device 510 and spoke devices 530 , 540 .
- the HSMCT manager 135 sends a group creation request to the GMS 520 containing the public keys 511 , 531 , 541 of readers to be added to the group and writers to be added to the group and a public key of the HSMCT manager.
- the group creation request may also contain a challenge response as explained in the cited references to ensure that the request is fresh.
- the GMS 520 creates a group cell (GC) for the group having randomised input (IA_GC) and output (OA_GC) addresses.
- a cell is then created for each writer to the group, referred to as group write cells (GWCs) and for each reader to the group, referred to as group read cells (GRCs).
- GWCs and GRCs have randomised input and output addresses.
- a manager cell (MC) is also created for the HSMCT manager, the hub device 510 .
- the GWCs are then connected to the GC 520 such that any messages sent to the GWCs are sent to the input address IA_GC of the GC.
- the output address of the group cell, OA_GC, is connected to the input addresses of the GRCs such that messages output from the GC are sent to the GRCs.
- the manager cell is used by the HSMCT manager 135 to edit membership of the group. Further details are provided in the cited references.
- the information contains read and write addresses for unicast and multicast communication between the spoke devices 530 , 540 and the hub device 510 , and the HSMCT manager 135 .
- each spoke device 530 , 540 stores spoke address information for communication with the hub device 510 via the HSMCT 425 .
- the spoke HSMCT address information comprises a spoke send address, a spoke receive address, a spoke multicast send address and a spoke multicast receive address.
- the spoke address information for each spoke device 530 , 540 is securely stored as a secret for that spoke address.
- the spoke send address is the IA of cell 410
- the spoke receive address is the OA of cell 420
- the spoke multicast send address is the IA of group cell structure 450
- the spoke multicast receive address is the OA of group cell structure 450 .
- the hub device 510 stores hub address information which comprises an address of the HSMCT 425 , send and receive multicast addresses and send and receive addresses for each spoke device 530 , 540 .
- the HSMCT address is a secret known only to the hub device for managing the HSMCT 425 .
- the multicast send and receive addresses have the same function as for the spoke devices.
- the Hub device 510 uses the respective spoke send and receive addresses to communicate with the spoke device 530 , 540 .
- the hub address information is a secret for the hub device.
- each of the hub 510 , and spoke devices 530 , 540 has a public key 511 , 531 , 541 .
- the public keys may be uncertified.
- the public keys are used to allow secure communication of HSMCT addresses to that device, such as from the hub device 510 to the spoke devices 530 , 540 .
- the system of FIG. 4 may run various application protocols between the spoke devices 530 , 540 and the hub device 510 to support functions identified in the f-set 515 .
- Exemplary application protocols are printing, chat, file store and access which are supported by the hub device 510 .
- Embodiments of the present invention enable the control of access to functions on a service object, such as a hardware device or software object. Access is controlled by adding or removing client entities, such as spoke devices, to a policy group associated with a set of functions of the service object. More than one policy group may be created to enable differing groups of client entities to access differing groups of functions on the service object.
- embodiments of the present invention can be realised in the form of hardware, software or a combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape. It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs that, when executed, implement embodiments of the present invention.
- embodiments provide a program comprising code for implementing a system or method as claimed in any preceding claim and a machine readable storage storing such a program. Still further, embodiments of the present invention may be conveyed electronically via any medium such as a communication signal carried over a wired or wireless connection and embodiments suitably encompass the same.
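The cell mechanism listed above (an output address drawn from a cryptographically secure PRBG, the input address derived from it under the GMS master key K, write access with the IA only and read access with the OA only, the GWC/GC/GRC group cell structure, and revocation by deleting a spoke's addresses) can be simulated end to end. The following Python is an added example, not code from the patent or from any implementation of it. The patent names AES-256 as the symmetric method E; to run with only the standard library this example substitutes a four-round Feistel permutation whose round function is HMAC-SHA256 under K, which is an assumption, as are all class, method and message names and the "hub"/"spoke1"/"spoke2" labels.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class GMS:
    """Toy group message system: holds the master key K and every cell.

    A cell is the tuple (IA, OA). OA comes from a PRBG and IA = E_K(OA), so only
    the party holding K (the GMS itself) can map one address to the other.
    """

    def __init__(self, master_key):
        self._k = master_key
        self._queues = {}                 # OA -> pending messages (the queue)
        self._links = defaultdict(list)   # OA -> IAs that receive a copy (the forwarder)

    # Keyed permutation standing in for AES-256 (assumption): a 4-round Feistel
    # network over two 16-byte halves with HMAC-SHA256 under K as round function.
    def _f(self, rnd, half):
        return hmac.new(self._k, bytes([rnd]) + half, hashlib.sha256).digest()[:16]

    def encrypt_addr(self, oa):
        l, r = oa[:16], oa[16:]
        for rnd in range(4):
            l, r = r, bytes(a ^ b for a, b in zip(l, self._f(rnd, r)))
        return l + r

    def decrypt_addr(self, ia):
        l, r = ia[:16], ia[16:]
        for rnd in reversed(range(4)):
            l, r = bytes(a ^ b for a, b in zip(r, self._f(rnd, l))), l
        return l + r

    def get_cell(self):
        """The 'get cell' query: OA from a secure PRBG, IA = E_K(OA)."""
        oa = secrets.token_bytes(32)
        ia = self.encrypt_addr(oa)
        self._queues[oa] = []
        return ia, oa

    def write(self, ia, msg):
        """Send to a cell; False when the IA maps to no live cell (forged or revoked)."""
        oa = self.decrypt_addr(ia)
        if oa not in self._queues:
            return False
        self._queues[oa].append(msg)
        for linked_ia in self._links[oa]:   # forwarder: copy on to linked cells
            self.write(linked_ia, msg)
        return True

    def read(self, oa):
        """Drain a cell; an IA or an unknown OA reads nothing."""
        if oa not in self._queues:
            return []
        msgs, self._queues[oa] = self._queues[oa], []
        return msgs

    def link(self, from_oa, to_ia):
        self._links[from_oa].append(to_ia)

    def revoke(self, oa):
        """Delete a cell: anyone still holding its IA can no longer deliver."""
        self._queues.pop(oa, None)
        self._links.pop(oa, None)

    def create_group(self, writers, readers):
        """Group cell structure: GWC -> GC -> GRCs. Returns (send IAs, receive OAs)."""
        gc_ia, gc_oa = self.get_cell()
        send, recv = {}, {}
        for w in writers:
            gwc_ia, gwc_oa = self.get_cell()
            self.link(gwc_oa, gc_ia)        # GWC output feeds IA_GC
            send[w] = gwc_ia                # multicast send address
        for r in readers:
            grc_ia, grc_oa = self.get_cell()
            self.link(gc_oa, grc_ia)        # OA_GC feeds each GRC
            recv[r] = grc_oa                # multicast receive address
        return send, recv


def demo():
    """Walk through the FIG. 4 topology with constructed messages."""
    gms = GMS(secrets.token_bytes(32))      # K never leaves the GMS
    spoke_send, hub_recv = gms.get_cell()   # spoke -> hub unicast cell
    hub_send, spoke_recv = gms.get_cell()   # hub -> spoke unicast cell
    out = {}
    out["delivered"] = gms.write(spoke_send, b"print colour report.pdf")
    out["hub_reads"] = gms.read(hub_recv)
    gms.write(hub_send, b"job accepted")
    out["spoke_reads"] = gms.read(spoke_recv)
    out["ia_cannot_read"] = gms.read(spoke_send)           # IA is not a queue address
    out["oa_cannot_write"] = gms.write(hub_recv, b"forged")  # D_K(OA) hits no cell
    # Multicast: hub writes, hub and both spokes read (spokes read-only).
    send, recv = gms.create_group(["hub"], ["hub", "spoke1", "spoke2"])
    gms.write(send["hub"], b"toner low")
    out["multicast"] = {m: gms.read(recv[m]) for m in recv}
    gms.revoke(hub_recv)                    # hub removes the spoke's cells
    gms.revoke(spoke_recv)
    out["after_revoke"] = gms.write(spoke_send, b"print again")
    return out


if __name__ == "__main__":
    print(demo())
```

The two negative checks in `demo` are the property the patent relies on: a holder of only the IA cannot read because the IA is never a queue key, and a holder of only the OA cannot write because decrypting an OA under K yields an address that belongs to no cell. Revocation needs no message to the spoke; deleting the cell is enough for its stored IA to stop working.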
Abstract
In some examples, a messaging service facility receives a message from a spoke device requesting a service provided by a target device. The messaging service facility determines, in response to the message received at the input address of the cell, an output address of the cell. The messaging service facility sends the message to the target device using the determined output address to provide access of the service by the spoke device.
Description
- This is a continuation of U.S. application Ser. No. 14/394,326, filed Oct. 14, 2014, which is a national stage application under 35 U.S.C. §371 of PCT/IN2012/000315, filed Apr. 27, 2012, which are both hereby incorporated by reference in their entirety.
- In a distributed computing system services are provided by computing devices to other, potentially remote, client computing devices. Distributed computing has been found in many applications such as, for example, social networking, online digital mapping, video-sharing websites, collaborative software, remote printing etc. The provision of services in a distributed computing environment has been referred to as software as a service (SaaS). It is often desired to control the services which client computing devices may access, and those client computing devices which may access services.
- Access control lists have been used to provide group security management. An access control list (ACL) provides a list of authorised entities as well as every object in the system. An access control monitor may look to the list and determine what entities can or cannot access, share or destroy any object. However use of ACLs requires a reasonable level of expertise and does not therefore offer a simple method to control access to services. Furthermore, the size of an ACL is related to the number of devices which have been granted access to objects in the system and may become large.
- Embodiments of the invention will now be described by way of example only, with reference to the accompanying figures, in which:
-
FIG. 1 shows a system according to an embodiment of the invention; -
FIG. 2 shows a cell according to an embodiment of the invention; -
FIG. 3 shows a messaging service according to an embodiment of the invention; and -
FIG. 4 shows an illustration of communication channels according to an embodiment of the invention. -
FIG. 1 illustrates a system for secure access of services according to an embodiment of the invention. To illustrate the principles of the present invention the example system will be described with reference to accessing functions supported or provided by a device. The device may be a hardware device such as, for example, a printer, a mobile phone, tablet, personal computer, network-connected printer, TV set-top box or other device which may provide one or more services. It will be realised that in some embodiments of the invention the one or more services may be provided by a software object, such as a chat or social media, video sharing or collaborative software object, for example. Thus the term object used herein may refer to a hardware device or software object. To describe embodiments of the present invention the system will be explained with reference to a network-connected printer which provides printing services to one or more users. Users may access the services provided by the printer using a remotely connected device, such as a print application operably residing on a smart phone. However it will be realised that this is merely illustrative. - The system comprises a
hub device 110, which is an object that provides one or more services. In the illustrative example thehub device 110 is the printer noted above. The system further comprises a group message system (GMS)server 120, ahost 130 and aspoke device 140 which is a device that accesses at least some of the services provided by thehub device 110, such as the mobile phone mentioned above. Although embodiments of the present invention are described with reference tohub 110 and spoke 140 devices, it will be realised that embodiments of the invention may be envisaged which comprise only onehub device 110 and onespoke device 140. - The GMS 120 is a central message facility which facilitates secure messaging communication. The GMS 120 provides a secure message communication facility between individual and groups of devices, as will be explained. In particular, the GMS 120 provides one or more communication links having an input address and an output address, wherein at least one of the input address and the output address is linked to the other via a cryptographic key. The input and output addresses are randomised numbers such that the
spoke device 140 only knows the input address and cannot compute the output address for the link. Thehub device 110 receives communications from the output address of the link which are sent to the input address by thespoke device 140. - The
host 130 comprises a hub-and-spoke message communication topologies (HSMCT)manager 135 and a policy group manipulator (PGM) 136. Thehost 130 may be implemented within thehub device 110 or may be accessible to thehub device 110 over a network, such as the Internet, and implemented on at least one remote server. For the purposes of explanation, thehost 130 will be described as implemented as a cloud service which is accessible to a user of thehub device 110 through an interface of thehub device 110 which communicates with the HSMCTmanager 135 and consequently the PGM 136 via a suitable API. For example, thehub device 110 may support a web browser which allows the user to access the HSMCTmanager 135. It will be further realised that a user may also access the HSMCTmanager 135 without use of thehub device 110 i.e. via a web browser supported by another device. In other embodiments the HSMCTmanager 135 and PGM 136 may be integrated into a single entity. - The HSMCT
manager 135, as shown in FIG. 3, is controlled by the user via the hub device 110 to cause the PGM 136 to create one or more policy groups 150. A policy group 150 is provided for controlling access to services of the hub device 110. In particular, the policy group controls which spoke devices 140 may access services provided by the hub device 110, and which services of the hub device 110 those spoke devices 140 may access.
- Each policy group 150 is identified by a policy group name and may also be associated with a policy group description. The name and description allow the user to identify the policy group 150 and its purpose. For example, policy groups with the names “Family” and “Friends” may be established for the printer 110, with descriptions recording that members of the “Family” policy group may use the colour printing service of the printer 110 whilst members of the “Friends” policy group may use only its black and white printing service. The policy group name and description may be altered by the user at any time without affecting the operation of the policy group or having to communicate the change to the spoke devices 140.
- Each policy group comprises an f-set 115 and a hub-and-spoke message communication topology (HSMCT) 125. The f-set 115 is logically connected to the HSMCT 125 by the hub device 110. As will be explained, the HSMCT 125 securely controls message communication between the spoke device 140, the hub device 110 and the f-set 115 residing on the hub device 110. The f-set 115 defines which functions may be accessed on the hub device 110 and therefore represents the set of functions accessible on the hub device 110 by members of the policy group 150. Functions of the hub device 110 may be added to, or removed from, the f-set 115 by the user of the hub device 110 via the HSMCT manager 135.
- The HSMCT 125 defines zero or more spoke devices 140 which may access the functions included in the associated f-set 115. The user of the hub device 110 may add spoke devices 140 to, or remove them from, the HSMCT 125 via the HSMCT manager 135. Each spoke device 140 is uniquely identified to the HSMCT 125 by identifying information such as a public key, system account name or mobile phone number associated with the spoke device 140. A spoke device 140 is therefore able to access a function of the hub device 110, such as colour printing, only if the spoke device 140 is included in the HSMCT 125 and the function is included in the corresponding f-set 115.
- The HSMCT 125 is a structure which allows message communication between the spoke device 140 and the f-set 115 associated with the HSMCT 125. The HSMCT 125 defines a message communication switchboard, implemented by the GMS 120, through which the spoke devices 140 and the hub device 110 communicate; specifically, it allows spoke devices 140 to access the f-set 115 of functions on the hub device 110. The HSMCT 125 is built from low-level data structures referred to as cells. As will be explained, a cell has a random input address and a random output address, where the output address can be cryptographically computed from the input address, or vice versa, only with a cryptographic key. An unauthorised device therefore neither knows a valid input address nor can compute the output address without the key. Possession of the input address is treated as authorisation to access the functions defined by the f-set 115, so the input address is a bearer secret that must be delivered to the spoke device in confidence and kept confidential by it.
- Application PCT/IN2011/000257 entitled “Access Control”, which is herein incorporated by reference in its entirety, discloses an access control system comprising a trusted micro-kernel for a distributed message passing system between many clients. The system includes
cells 210, one of which is shown in FIG. 2, which may receive data at an input address (IA) 220 and send data from an output address (OA) 230, both of which are randomised using cryptographic numbers. The cell 210 represents a communication capability described by the tuple (IA, OA), such that the output address 230 cannot be computed from the input address 220, nor vice versa, without possession of a secret cryptographic key held by the kernel.
- Users or entities in possession of the input address (IA) 220 can send (write) messages to the cell 210, and entities in possession of the output address (OA) 230 can receive (read) messages from the cell 210. However, entities in possession of the input address (IA) 220 cannot receive or read messages from the cell without the output address (OA) 230, and entities in possession of the output address (OA) 230 cannot send or write messages to the cell without the input address (IA) 220.
- Application PCT/IN2011/000731 entitled “A Communication Access Control System”, which is herein incorporated by reference in its entirety, discloses a system which includes a trusted central message service facility 14, an embodiment of which is shown in FIG. 3. The message service facility 14 provides a messaging service and a control service that are decentralised so that clients can create and manage groups and group communications without interference from the trusted central facility.
- The message service (MS) facility 14 may be implemented by a hardware device including a processor 40 and data storage 42.
- The central facility includes a number of cells 34, 34′, 34″, as discussed above, which are dynamically created when needed according to a number of cryptographic rules. The facility 14 includes one or more master keys 38, 38′, 38″ which are used to calculate, for example, the OA 230 from the IA 220. Users or entities in possession of the input address IA 220 can send or write messages to the cell 34, and entities in possession of the output address OA 230 can receive or read messages from the cell 34. However, entities in possession of the input address IA but not the output address OA cannot receive or read messages from the cell, and entities in possession of the output address OA but not the input address IA cannot send or write messages to the cell. In this way the central facility 14 assures users that messages sent to guessed, random addresses are dropped without ever being read. Each cell 34 is a virtual switchboard that users of the central facility may use to virtually connect or disconnect their computing devices.
- The MS facility 14 also includes a messaging service 44 and a control service 46. The messaging service 44 allows clients to send messages to one or more other clients. The control service 46 allows clients 12 to perform communication control (e.g., read control and/or write control). The messaging service 44 includes at least a forwarder 48 and a queue 36, and a set of queries for writing to the forwarder 48 and reading from the queue 36. The forwarder 48 comprises computer readable instructions that copy message(s) received at the forwarder 48 and transmit the copies to the multiple cells 34, 34′, 34″ linked to the forwarder 48, so that a user can generate a single message and have it sent to multiple different cells. The forwarder 48 is associated with a forwarder address that can be attached to the input address of one or more cells 34, 34′, 34″ of the same or different type. The queue 36 comprises computer readable instructions (embedded on a non-transitory, tangible computer readable medium) that retrieve messages sent to a cell 34, 34′, 34″ associated with the queue 36 from one or more cells of the same or different type, so that a user can retrieve all of his or her messages that have arrived from multiple different cells. The control service 46 defines the links between the cells 34, 34′, 34″, queues 36 and forwarders 48, as well as the set of queries for adding, removing and discovering these links. A variety of links may be formed, directly or indirectly, between the cells, enabling the formation of groups that contain different users and, in some instances, different devices. Device-to-device (unicast) communication may also be provided by the messaging facility 14. The message facility 14 is implemented in embodiments of the present invention by the GMS 120.
- The
HSMCT 125 defines unicast communication paths between the hub device 110 and each spoke device 140. For each spoke device 140 the unicast path comprises a pair of unidirectional communication channels, each implemented by a corresponding cell 210. The unicast paths allow the spoke device 140 to communicate with the f-set 115 and so access functions on the hub device 110. The HSMCT 125 may also define multicast communication paths between the hub device 110 and the spoke devices 140. To implement multicast, the HSMCT 125 defines a group comprising the hub device 110 and the spoke devices 140 of the policy group 150. Multicast allows the hub device 110 to send information to all spoke devices 140 associated with the HSMCT 125, and may also allow a spoke device 140 to broadcast information to the other spoke devices associated with the HSMCT 125 and to the hub device 110.
- The hub device 110 adds a spoke device 140 to the HSMCT 125 by creating unicast read and write addresses in the HSMCT 125, that is, by generating one or more corresponding cells 210. The hub device 110 may also create read and/or write multicast addresses on the HSMCT 125 for the spoke device 140, as will be explained. The addresses are created by the hub device 110 communicating with the HSMCT manager 135, which in turn controls the PGM 136 to send a get cell query message to the GMS 120, causing the creation of one or more cells 210 each having an IA 220 and an OA 230. The addresses the spoke needs, such as the IA 220 for communication with the f-set 115, are then communicated to the spoke device 140 via an out-of-band channel, for example email or the GMS 120 itself. The paired addresses the hub needs, such as the OA 230 corresponding to that input address, are communicated to the hub device 110.
- The GMS 120 creates cells in the HSMCT 125 in response to the get cell query messages. The GMS 120 may create one of the IA 220 or the OA 230 of the cell in a pseudorandom manner, for example using a cryptographically secure pseudorandom bit generator (PRBG). Illustratively, the GMS 120 creates the OA 230 using the PRBG and then derives the IA 220 from the OA 230. The IA 220 is a randomised input address which in some embodiments is generated using a symmetric key encryption method such as the US National Institute of Standards and Technology's Advanced Encryption Standard with a key size of 256 bits (AES-256). The IA may be generated according to:
- IA = E(K, OA)
- where E is the symmetric encryption method and K is a system master key possessed by the GMS 120. Because the GMS 120 alone holds K, it can recover the OA 230 from a received IA 220 by the inverse operation OA = D(K, IA), whereas a device knowing only the IA 220 cannot, and a device knowing only the OA 230 cannot compute the IA 220.
- Alternatively, one of the IA 220 or the OA 230 may be computed from a public key associated with the spoke device 140, which the GMS 120 obtains. With the public key, the GMS 120 computes one of the OA 230 or the IA 220 by applying a hash function to the public key. The other of the IA 220 or the OA 230 is then computed as described above using the symmetric key encryption method and the system master key K.
- The hub device 110 may also revoke access for a spoke device 140 by deleting the addresses created for that spoke from the HSMCT 125. The hub device 110 thus controls the capability of spoke devices 140 to communicate with the f-set 115 of the policy group 150 via the HSMCT 125. -
FIG. 4 illustrates an exemplary system according to an embodiment of the invention. The exemplary system includes a hub device 510 having a public key 511 and an f-set 515, a GMS 520 supporting an HSMCT 425 of a policy group, and two spoke devices 530, 540, each having its own public key.
- The HSMCT 425 includes two pairs of cells providing unicast communication between the spoke devices 530, 540 and the hub device 510. A first pair of cells 410, 420 is associated with the first spoke device 530 and the hub device 510, such that the first spoke device 530 may access services having functions included in the f-set 515 of the policy group. Similarly, the second spoke device 540 is associated with its own pair of unidirectional cells, such that the second spoke device 540 may access services included in the f-set 515.
- The HSMCT 425 further comprises a group cell structure 450, formed by appropriately connected cells on the GMS 520. In the example shown in FIG. 4, the group cell structure 450 allows each spoke device 530, 540 to broadcast messages to the other spoke device and to the hub device 510, and allows the hub device 510 to broadcast messages to all spoke devices 530, 540. The spoke devices 530, 540 read from the group cell structure 450 to receive messages broadcast by the hub device 510.
- As explained in the cited references, the group cell structure 450 of the HSMCT 425 is formed as a managed group with the HSMCT manager (not shown in FIG. 4) as group manager. To establish the group, the HSMCT manager 135 receives the public keys of the hub device 510 and the spoke devices 530, 540 and sends a group creation request containing those public keys to the GMS 520. The GMS 520 creates a group cell (GC) for the group having randomised input and output addresses IAGC and OAGC. A cell is then created for each writer to the group, referred to as a group write cell (GWC), and for each reader of the group, referred to as a group read cell (GRC); the GWCs and GRCs have randomised input and output addresses. A manager cell (MC) is also created for the HSMCT manager, i.e. the hub device 510. The GWCs are connected to the GC such that any message sent to a GWC is passed to the input address IAGC of the GC. Similarly, the output address OAGC of the GC is connected to the input addresses of the GRCs such that messages output from the GC are delivered to the GRCs. The manager cell is used by the HSMCT manager 135 to edit membership of the group. Further details are provided in the cited references.
- Following establishment of the HSMCT 425, sets of address information are sent to each of the spoke devices 530, 540, the hub device 510 and the HSMCT manager 135. The information contains read and write addresses for unicast and multicast communication between the spoke devices 530, 540, the hub device 510 and the HSMCT manager 135.
- In the exemplary system shown in FIG. 4, each spoke device 530, 540 stores spoke HSMCT address information which it uses to communicate with the hub device 510 via the HSMCT 425. The spoke HSMCT address information comprises a spoke send address, a spoke receive address, a spoke multicast send address and a spoke multicast receive address, and is specific to each spoke device 530, 540. For the first spoke device 530, the spoke send address is the IA of cell 410, the spoke receive address is the OA of cell 420, the spoke multicast send address is the IA of its GWC in the group cell structure 450 and the spoke multicast receive address is the OA of its GRC in the group cell structure 450. The spoke address information may be stored as a tuple such as:
Spoke_HSMCT_address := (spoke send address, spoke receive address, spoke multicast-receive address, spoke multicast-send address).
- Similarly, the hub device 510 stores hub address information which comprises an address of the HSMCT 425, multicast send and receive addresses, and send and receive addresses for each spoke device 530, 540 of the HSMCT 425. The multicast send and receive addresses have the same function as for the spoke devices. The hub device 510 uses its per-spoke send and receive addresses to communicate with each spoke device 530, 540; for the first spoke device 530 these are the IA of cell 420 and the OA of cell 410, the counterparts of the addresses held by that spoke. Neither device holds both addresses of any one cell, so a spoke can neither read the cell it writes to nor write to the cell it reads from.
- As shown in FIG. 4, each of the hub device 510 and the spoke devices 530, 540 has a respective public key.
- The system of FIG. 4 may run various application protocols between the spoke devices 530, 540 and the hub device 510 to support the functions identified in the f-set 515. Exemplary application protocols supported by the hub device 510 are printing, chat, and file store and access.
- Embodiments of the present invention enable control of access to functions on a service object, such as a hardware device or software object. Access is controlled by adding client entities, such as spoke devices, to, or removing them from, a policy group associated with a set of functions of the service object. More than one policy group may be created so that different groups of client entities may access different groups of functions on the service object.
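The following Python is an added worked example, not code from the patent or from Hewlett-Packard. It models the cell switchboard described above together with the FIG. 4 topology in one piece: a GMS holding the master key K, cells as (IA, OA) tuples, the per-spoke pair of unidirectional cells, the GWC to GC to GRC group cell structure for multicast, the hub's f-set check, and revocation by deleting a spoke's addresses. Assumptions made for the example: the keyed function is HMAC-SHA256 with OA = F(K, IA), i.e. the hash form named in claim 3, in place of the AES-256 formula IA = E(K, OA), so that it runs on the standard library alone; the class names Gms and Hub, the "function:argument" request format and the "ok"/"denied" replies are invented here; the sample keys and messages are constructed.

```python
"""Added example, not the patent's code: class names and the keyed function
(HMAC-SHA256 standing in for AES-256) are assumptions made for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class Gms:
    """Messaging service facility: master key K, live cells, links, queues."""

    def __init__(self, master_key: bytes) -> None:
        self.K = master_key                                        # never leaves the GMS
        self.live: Set[bytes] = set()                              # IAs of live cells
        self.links: Dict[bytes, Set[bytes]] = defaultdict(set)     # OA -> IAs it forwards into
        self.queues: Dict[bytes, List[bytes]] = defaultdict(list)  # OA -> queued messages

    def oa_of(self, ia: bytes) -> bytes:
        # OA = F(K, IA): one-way, so an OA holder cannot recover the IA either
        return hmac.new(self.K, ia, hashlib.sha256).digest()

    def get_cell(self, public_key: bytes = b"") -> Tuple[bytes, bytes]:
        """'Get cell' query: IA from the PRBG, or H(public key); OA derived with K."""
        ia = hashlib.sha256(public_key).digest() if public_key else os.urandom(32)
        self.live.add(ia)
        return ia, self.oa_of(ia)

    def link(self, oa: bytes, ia: bytes) -> None:
        """Control service: whatever leaves OA is forwarded into IA (a forwarder link)."""
        self.links[oa].add(ia)

    def write(self, ia: bytes, msg: bytes) -> bool:
        """Writer presents only an IA; unknown or revoked IAs are dropped unread."""
        if ia not in self.live:
            return False
        oa = self.oa_of(ia)
        if self.links.get(oa):                                     # forwarder fan-out
            for nxt in list(self.links[oa]):
                self.write(nxt, msg)
        else:
            self.queues[oa].append(msg)
        return True

    def read(self, oa: bytes) -> List[bytes]:
        """Reader presents only an OA; the IA is neither needed nor derivable from it."""
        return self.queues.pop(oa, [])

    def delete(self, ia: bytes) -> None:
        """Revocation: forget the cell and every link into or out of it."""
        self.live.discard(ia)
        oa = self.oa_of(ia)
        self.queues.pop(oa, None)
        self.links.pop(oa, None)
        for targets in self.links.values():
            targets.discard(ia)


class Hub:
    """Hub device owning one policy group: its f-set and its HSMCT on the GMS."""

    def __init__(self, gms: Gms, f_set: Set[str]) -> None:
        self.gms, self.f_set = gms, f_set
        self.gc_ia, self.gc_oa = gms.get_cell()                    # group cell (GC)
        self.mcast_send, gwc_oa = gms.get_cell()                   # hub's GWC -> GC
        gms.link(gwc_oa, self.gc_ia)
        grc_ia, self.mcast_recv = gms.get_cell()                   # GC -> hub's GRC
        gms.link(self.gc_oa, grc_ia)
        self.spokes: Dict[bytes, Tuple[bytes, bytes, List[bytes]]] = {}

    def add_spoke(self, spoke_pubkey: bytes) -> Dict[str, bytes]:
        """Create the spoke's unicast pair and group cells; return its address tuple."""
        g = self.gms
        s2h_ia, s2h_oa = g.get_cell()                              # spoke -> hub cell
        h2s_ia, h2s_oa = g.get_cell()                              # hub -> spoke cell
        gwc_ia, gwc_oa = g.get_cell()                              # spoke's GWC -> GC
        g.link(gwc_oa, self.gc_ia)
        grc_ia, grc_oa = g.get_cell()                              # GC -> spoke's GRC
        g.link(self.gc_oa, grc_ia)
        # hub keeps its own send IA / receive OA per spoke, plus the IAs to delete on revoke
        self.spokes[spoke_pubkey] = (h2s_ia, s2h_oa, [s2h_ia, h2s_ia, gwc_ia, grc_ia])
        # Spoke_HSMCT_address, handed to the spoke out of band; no hub-side OA is included
        return {"send": s2h_ia, "receive": h2s_oa,
                "mcast_receive": grc_oa, "mcast_send": gwc_ia}

    def revoke_spoke(self, spoke_pubkey: bytes) -> None:
        for ia in self.spokes.pop(spoke_pubkey)[2]:
            self.gms.delete(ia)

    def serve(self) -> List[str]:
        """Drain each spoke's cell; requests are 'function:argument' (assumed format)."""
        log = []
        for h2s_ia, s2h_oa, _ in self.spokes.values():
            for req in self.gms.read(s2h_oa):
                func = req.decode().split(":", 1)[0]
                reply = b"ok" if func in self.f_set else b"denied"  # f-set check
                self.gms.write(h2s_ia, reply)
                log.append(f"{func}:{reply.decode()}")
        return log
```

Two things worth noting about the design. The addresses in a spoke's tuple are bearer secrets: anyone who can read the out-of-band channel they travel over (the page suggests email) can write to that spoke's cell as that spoke, so the channel needs its own confidentiality. And write() consults the live-cell table before it touches the payload or any link, which is what makes the page's "dropped without ever being read" guarantee hold for guessed and for revoked addresses alike.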
- It will be appreciated that embodiments of the present invention can be realised in the form of hardware, software or a combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape. It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs that, when executed, implement embodiments of the present invention. Accordingly, embodiments provide a program comprising code for implementing a system or method as claimed in any preceding claim and a machine readable storage storing such a program. Still further, embodiments of the present invention may be conveyed electronically via any medium such as a communication signal carried over a wired or wireless connection and embodiments suitably encompass the same.
- All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
- Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
- The invention is not restricted to the details of any foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed. The claims should not be construed to cover merely the foregoing embodiments, but also any embodiments which fall within the scope of the claims.
Claims (20)
1. A method comprising:
receiving, at an input address of a cell of a messaging service facility, a message from a spoke device requesting a service provided by a target device;
determining, by the messaging service facility in response to the message received at the input address of the cell, an output address of the cell, the determined output address computed by applying a function on the input address and a cryptographic key; and
sending, by the messaging service facility, the message to the target device using the determined output address to provide access of the service by the spoke device.
2. The method of claim 1 , wherein the function is an encryption function applied on the input address and the cryptographic key.
3. The method of claim 1 , wherein the function is a hash function applied on the input address and the cryptographic key.
4. The method of claim 1 , wherein the message is received from the spoke device having the input address of the cell.
5. The method of claim 1 , wherein the determined output address is an address at which the target device receives the message, and the determined output address is unknown to the spoke device.
6. The method of claim 1 , further comprising:
creating a policy group that includes information of the spoke device, the target device, and services of the target device accessible by the spoke device.
7. The method of claim 1 , wherein the cell is a first cell of a pair of cells at the messaging service facility for communications between the spoke device and the target device, the pair of cells further comprising a second cell, the first cell used for unidirectional communication from the spoke device to the target device, and the second cell used for unidirectional communication from the target device to the spoke device.
8. The method of claim 7 , further comprising:
receiving a further message from the target device at an input address of the second cell of the messaging service facility;
determining a further output address of the second cell based upon the input address of the second cell and the cryptographic key; and
sending the further message to the spoke device using the further output address.
9. The method of claim 1 , further comprising:
creating a group to allow multicast communications between the target device and a plurality of spoke devices.
10. The method of claim 9 , comprising:
receiving, at a group cell of the messaging service facility, a multicast message; and
in response to the receiving of the multicast message at the group cell, multicasting the multicast message to members of the group.
11. The method of claim 1 , wherein the input address is a randomized address, and the output address is a randomized address.
12. A service access control system, comprising:
a processor; and
a non-transitory storage medium storing messaging service instructions executable on the processor to:
receive, at an input address of a cell of the service access control system, a message from a spoke device requesting a service provided by a target device;
determine, in response to the message received at the input address of the cell, an output address of the cell, wherein one of the input address and the output address is computed by applying a function on a cryptographic key and the other of the input address and the output address; and
send the message to the target device using the determined output address.
13. The service access control system of claim 12 , wherein the non-transitory storage medium further stores manager instructions executable on the processor to:
create a group that includes information of the spoke device, the target device, and services of the target device accessible by the spoke device.
14. The service access control system of claim 13 , wherein the group further comprises another spoke device, and the service access control system further comprising:
a multicast cell to receive a multicast message from a first member of the group, and to multicast the multicast message to other members of the group.
15. The service access control system of claim 12 , wherein the determined output address is an address at which the target device receives the message, and the determined output address is unknown to the spoke device.
16. The service access control system of claim 12 , wherein the messaging service instructions are executable on the processor to revoke access to the service of the target device by the spoke device by deleting the input address and the output address.
17. The service access control system of claim 12 , wherein the function is an encryption function.
18. The service access control system of claim 12 , wherein the function is a hash function.
19. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
receive, at an input address of a cell of a messaging service facility, a message from a spoke device requesting a service provided by a target device;
determine, by the messaging service facility in response to the message received at the input address of the cell, an output address of the cell, wherein one of the input address and the output address is computed by applying a function on a cryptographic key and the other of the input address and the output address; and
send, by the messaging service facility, the message to the target device using the determined output address to provide access of the service by the spoke device.
20. The non-transitory machine-readable storage medium of claim 19 , wherein the function is an encryption function or a hash function.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/218,614 US20160337374A1 (en) | 2012-04-27 | 2016-07-25 | Access of a service |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IN2012/000315 WO2013160905A1 (en) | 2012-04-27 | 2012-04-27 | Service access control |
US201414394326A | 2014-10-14 | 2014-10-14 | |
US15/218,614 US20160337374A1 (en) | 2012-04-27 | 2016-07-25 | Access of a service |
Related Parent Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/394,326 Continuation US9407641B2 (en) | 2012-04-27 | 2012-04-27 | Service access control |
PCT/IN2012/000315 Continuation WO2013160905A1 (en) | 2012-04-27 | 2012-04-27 | Service access control |
Publications (1)
Publication Number | Publication Date |
---|---|
US20160337374A1 true US20160337374A1 (en) | 2016-11-17 |
Family
ID=49482312
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/394,326 Active US9407641B2 (en) | 2012-04-27 | 2012-04-27 | Service access control |
US15/218,614 Abandoned US20160337374A1 (en) | 2012-04-27 | 2016-07-25 | Access of a service |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/394,326 Active US9407641B2 (en) | 2012-04-27 | 2012-04-27 | Service access control |
Country Status (4)
Country | Link |
---|---|
US (2) | US9407641B2 (en) |
EP (1) | EP2842359A4 (en) |
CN (1) | CN104255048A (en) |
WO (1) | WO2013160905A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11528601B1 (en) | 2021-06-09 | 2022-12-13 | T-Mobile Usa, Inc. | Determining and ameliorating wireless telecommunication network functionalities that are impaired when using end-to-end encryption |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020147771A1 (en) * | 2001-01-22 | 2002-10-10 | Traversat Bernard A. | Peer-to-peer computing architecture |
US6760752B1 (en) * | 1999-06-28 | 2004-07-06 | Zix Corporation | Secure transmission system |
US20040236962A1 (en) * | 2003-05-19 | 2004-11-25 | Wong Ping Wah | Method and apparatus for secure browser-based information service |
US20050190765A1 (en) * | 2004-02-27 | 2005-09-01 | Tomonori Gotoh | Multicast network unit, multicast network system, and multicast method |
US20060031414A1 (en) * | 2004-05-21 | 2006-02-09 | Christopher Betts | Method and apparatus for web service communication |
US20080235336A1 (en) * | 2007-03-23 | 2008-09-25 | Microsoft Corporation | Implementation of private messaging |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5905872A (en) * | 1996-11-05 | 1999-05-18 | At&T Corp. | Method of transferring connection management information in world wideweb requests and responses |
US6502135B1 (en) * | 1998-10-30 | 2002-12-31 | Science Applications International Corporation | Agile network protocol for secure communications with assured system availability |
US7337214B2 (en) * | 2002-09-26 | 2008-02-26 | Yhc Corporation | Caching, clustering and aggregating server |
US7735114B2 (en) | 2003-09-04 | 2010-06-08 | Foundry Networks, Inc. | Multiple tiered network security system, method and apparatus using dynamic user policy assignment |
WO2005032042A1 (en) * | 2003-09-24 | 2005-04-07 | Infoexpress, Inc. | Systems and methods of controlling network access |
CN101005359B (en) | 2006-01-18 | 2010-12-08 | 华为技术有限公司 | Method and device for realizing safety communication between terminal devices |
GB0601913D0 (en) | 2006-01-31 | 2006-03-08 | Ericsson Telefon Ab L M | Packet re-direction in a communication network |
CN101119206B (en) | 2007-09-13 | 2011-03-02 | 北京交通大学 | Identification based integrated network terminal united access control method |
US7886038B2 (en) | 2008-05-27 | 2011-02-08 | Red Hat, Inc. | Methods and systems for user identity management in cloud-based networks |
KR20110040604A (en) | 2009-10-14 | 2011-04-20 | 삼성전자주식회사 | Cloud server, client terminal, device, method for operating cloud server and method for operating client terminal |
US20110137947A1 (en) | 2009-12-03 | 2011-06-09 | International Business Machines Corporation | Dynamic access control for documents in electronic communications within a cloud computing environment |
EP2583211B1 (en) | 2010-06-15 | 2020-04-15 | Oracle International Corporation | Virtual computing infrastructure |
US20120079095A1 (en) | 2010-09-24 | 2012-03-29 | Amazon Technologies, Inc. | Cloud-based device synchronization |
2012
- 2012-04-27 WO PCT/IN2012/000315 patent/WO2013160905A1/en active Application Filing
- 2012-04-27 CN CN201280072719.5A patent/CN104255048A/en active Pending
- 2012-04-27 US US14/394,326 patent/US9407641B2/en active Active
- 2012-04-27 EP EP12875328.2A patent/EP2842359A4/en not_active Withdrawn
2016
- 2016-07-25 US US15/218,614 patent/US20160337374A1/en not_active Abandoned
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11528601B1 (en) | 2021-06-09 | 2022-12-13 | T-Mobile Usa, Inc. | Determining and ameliorating wireless telecommunication network functionalities that are impaired when using end-to-end encryption |
US11706615B2 (en) | 2021-06-09 | 2023-07-18 | T-Mobile Usa, Inc. | Determining and ameliorating wireless telecommunication network functionalities that are impaired when using end-to-end encryption |
Also Published As
Publication number | Publication date |
---|---|
WO2013160905A1 (en) | 2013-10-31 |
EP2842359A4 (en) | 2015-04-29 |
EP2842359A1 (en) | 2015-03-04 |
CN104255048A (en) | 2014-12-31 |
US9407641B2 (en) | 2016-08-02 |
US20150082388A1 (en) | 2015-03-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10079880B2 (en) | Automatic identification of invalid participants in a secure synchronization system | |
US9900295B2 (en) | Roaming content wipe actions across devices | |
US7577258B2 (en) | Apparatus and method for group session key and establishment using a certified migration key | |
US20180367308A1 (en) | User authentication in a dead drop network domain | |
US20190044796A1 (en) | Dead drop network architecture | |
EP3817320B1 (en) | Blockchain-based system for issuing and validating certificates | |
US10187360B2 (en) | Method, system, server, client, and application for sharing digital content between communication devices within an internet network | |
CN107360252B (en) | Data security access method authorized by heterogeneous cloud domain | |
Palaniappan et al. | Generation of multiple key based on monitoring the user behavior | |
US20160337374A1 (en) | Access of a service | |
WO2015034407A1 (en) | Performing an operation on a data storage | |
US11477182B2 (en) | Creating a credential dynamically for a key management protocol | |
US9294447B2 (en) | Access control | |
Ganesan et al. | Cost‐effective polynomial‐based multicast–unicast key distribution framework for secure group communication in IPv6 multicast networks | |
US9160750B2 (en) | Communication access control system | |
Janiuk et al. | Secure distributed data structures for peer-to-peer-based social networks | |
KR20190017207A (en) | System for iot data access control and method for the same | |
Suthar et al. | PMS-Sharing: Framework for Automatically Authenticating users in a Group to Allow Sharing Storage | |
Zahak et al. | Collaborative privacy management in P2P online social networks | |
Mallela et al. | Verifiable Delegation for Secure Outsourcing in Cloud computing | |
TW202226785A (en) | Internet of things system based on security orientation and group sharing | |
Meshram et al. | Towards Security and Authorization Based Data Deduplication Using Hybrid Cloud |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RAGHU, ANANTHARANGACHAR;KAPALEESWARAN, VISWANATHAN;REEL/FRAME:039460/0818 Effective date: 20121206 |
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |