US20150074417A1 - Apparatus and method for access control of content in distributed environment network - Google Patents
Apparatus and method for access control of content in distributed environment network Download PDFInfo
- Publication number
- US20150074417A1 US20150074417A1 US14/543,077 US201414543077A US2015074417A1 US 20150074417 A1 US20150074417 A1 US 20150074417A1 US 201414543077 A US201414543077 A US 201414543077A US 2015074417 A1 US2015074417 A1 US 2015074417A1
- Authority
- US
- United States
- Prior art keywords
- key
- content
- signature
- encrypted
- access control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/062—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
Definitions
- the following description relates to an apparatus and a method for access control of content in a distributed environment network.
- An access control of content based on an encryption technology may generally manage and control access authorization of the corresponding content based on whether a data encryption key (DEK) used for a content encryption is secured.
- DEK data encryption key
- a user securing the DEK may be considered to have read and access authorization in relation to the corresponding content.
- read and write authorizations may not be separately managed based on whether the DEK is secured.
- an additional scheme for managing write authorization in a case of the access control of content based on an encryption technology may be desireable.
- an apparatus for generating a key for access control of content in a distributed environment network includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization and distribute the access control list and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
- the access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
- the first key may be neither generated nor predicted using the second key.
- the second key may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
- the first key distributor, the second key distributor, or any combination thereof may be implemented by a processor.
- the apparatus may include a list generator to generate the access control list.
- the apparatus may include a first key generator to generate the first key, and a second key generator to generate the second key.
- an apparatus for generating content for an access control of content in a distributed environment network includes a key decryption unit configured to secure a first key by decrypting a first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, an encryption key generator configured to generate an encryption key using a second key generated using the first key, a content encryption unit configured to generate an encrypted content by encrypting content using the encryption key, a signature generator configured to generate a signature using the first key, a content and a signature key in response to members included in an access control list having write authorization as a result of checking access authorization of the members, and a distributor configured to distribute the encrypted content and the signature through a network.
- the encryption key generator may generate the encryption key using information of the content and the second key.
- the first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
- the second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
- the signature generator may generate the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key, the distributor may distribute a value of the m in addition to the encrypted content and the signature and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
- the signature generator may generate the signature using an algorithm having a one-way homomorphic characteristic.
- the signature key may be generated based on a Rivest Shamir Adleman (RSA) encryption scheme.
- RSA Rivest Shamir Adleman
- an apparatus for verification of content for an access control of content in a distributed environment network includes a receiver configured to receive an encrypted content, a signature of the encrypted content, and an access control list, and to receive a second encrypted key from a network in response to the apparatus being determined to have read authorization as a result of checking the access control list, a key decryption unit configured to secure a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have read authorization as a result of checking the access control list, a signature verification unit configured to verify the signature using the second key and the encrypted content, a decryption key generator configured to generate a decryption key using the second key in response to the signature verification being successful, and a content decryption unit configured to decrypt the encrypted content using the decryption key.
- the apparatus may include a second key generator configured to generate the second key using a first key.
- the receiver may receive a first encrypted key from the network, and the key decryption unit may secure the first key by decrypting the first encrypted key using the secret key in response to the apparatus being determined to have write authorization as a result of checking the access control list.
- the first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
- the second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
- a method for an access control of content in an apparatus for generating a key of a distributed environment network includes generating a second key corresponding to a key for read authorization using a first key corresponding to a key for write authorization, generating first encrypted keys by encrypting the first key using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization, distributing the access control list and the first encrypted keys to the members having write authorization, generating second encrypted keys by encrypting the second key using each public key of members having read authorization among members included in the access control list, and distributing the access control list and the second encrypted keys to the members having read authorization.
- a method for an access control of content in an apparatus for generating content of a distributed environment network includes requesting and receiving an access control list and a first encrypted key from a network, securing a first key corresponding to a key for write authorization by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have write authorization as a result of checking the access control list, generating an encryption key using information of a content and a second key corresponding to a key for read authorization using the first key, generating an encrypted content by encrypting content using the encryption key, generating a signature using the first key, the content, and a signature key, and distributing the encrypted content and the signature through the network.
- the generating of the signature may include generating the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content and the signature key, the distributing may include distributing a value of the m in addition to the encrypted content and the signature, and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key, the value of n being an integer greater than 0.
- the generating of the signature may include generating the signature using an algorithm having a one-way homomorphic characteristic.
- a method for an access control of content in an apparatus for verification of content of a distributed environment network includes checking access authorization of an encrypted content in an access control list to verify access requirements are satisfied, securing a second key corresponding to a key for read authorization in response to the encrypted content being determined to be accessible as a result of the verification, verifying a signature of the encrypted content using the second key and the encrypted content, generating a decryption key using the second key in response to the signature verification being successful, and decrypting the encrypted content using the decryption key.
- the securing may include receiving a second encrypted key from the network in response to the apparatus being determined to have read authorization as a result of checking the access control list, and securing a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key.
- the securing may include receiving a first encrypted key from the network in response to the apparatus being determined to have write authorization as a result of checking the access control list, securing a first key by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, and generating the second key using the first key.
- FIG. 1 is a diagram illustrating an example of an apparatus for generating a key for an access control of content in a distributed environment network.
- FIG. 2 is a diagram illustrating an example of an apparatus for generating content for an access control of content in a distributed environment network.
- FIG. 3 is a diagram illustrating an example of an apparatus for verification of content for an access control of content in a distributed environment network.
- FIG. 4 is a flowchart illustrating an example of a process of generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key in a distributed environment network.
- FIG. 5 is a flowchart illustrating an example of a process of generating and distributing content for an access control of content in an apparatus for generating content in a distributed environment network.
- FIG. 6 is a flowchart illustrating an example of a process of verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network.
- Examples relate to an apparatus for generating a key, an apparatus for generating content, and an apparatus for verification of content for separately controlling read authorization and write authorization with respect to content and a method thereof in a distributed environment network.
- FIG. 1 includes an example of an apparatus for generating a key 100 for an access control of content in a distributed environment network.
- the apparatus for generating a key 100 may include a control unit 110 , a communication unit 120 , a storage unit 130 , a list generator 111 , a first key generator 112 , a second key generator 113 , a first key distributor 114 , and a second key distributor 115 .
- the communication unit 120 may transmit and receive data through a wired and/or a wireless network.
- the network may correspond to a content centric network (CCN) or a named data network (NDN).
- CCN content centric network
- NDN named data network
- the storage unit 130 may store an operating system, an application program, and data for controlling an operation of the apparatus for generating a key 100 .
- the storage unit 130 may store an access control list generated by the list generator 111 , a first key generated by the first key generator 112 and a second key generated by the second key generator 113 .
- the access control list may includes information of at least one user and information relating to access authorization.
- the access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of the members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
- a structure of the access control list may be as shown in the following Table 1.
- Name relates to identification information for identifying an access control list
- Size relates to a number of Principals or a size of the access control list
- Option Flag relates to identification information for identifying optional components
- Version relates to a time stamp
- Nonce relates to a random value for generating an encryption key
- Index relates to information of a hash key
- Principal[i] relates to identification information of a user or a user group
- Principal[i]'s rights relate to information about access authorization assigned to the Principal[i]
- Key Link[i] relates to identification information of a key assigned to the Principal[i]
- Signature relates to a signature of a generator of the access control list.
- the first key generator 112 may generate a first key.
- the first key may correspond to a key for write authorization.
- the second key generator 113 may generate a second key.
- the second key may correspond to a key for read authorization using the first key.
- the second key generator 113 may be generated based on the following Equation 1.
- Equation 1 K relates to the second key for read authorization, NK relates to the first key for write authorization, H( ) relates to a hash function, and H n ( ) relates to performing a hash n times.
- N may be an integer greater than zero.
- the first key may be neither generated nor predicted using the second key.
- the first key distributor 114 may generate first encrypted keys by encrypting the first key using each public key of members having write authorization.
- the members having write authorization may be included in the access control list.
- the first key distributor 114 may distribute the access control list and the first encrypted keys to the members having write authorization.
- the second key distributor 115 may generate second encrypted keys by encrypting the second key using each public key of members having read authorization.
- the members having read authorization may be included in the access control list.
- the second key distributor 115 may distribute the access control list and second encrypted keys to the members having read authorization.
- the control unit 110 may control an overall operation of the apparatus for generating a key 100 .
- the control unit 110 may function as the list generator 111 , the first key generator 112 , the second key generator 113 , the first key distributor 114 , and the second key distributor 115 .
- the control unit 110 , the list generator 111 , the first key generator 112 , the second key generator 113 , the first key distributor 114 , and the second key distributor 115 are separately illustrated to separately describe each function.
- the control unit 110 may include at least one processor to function as an entire or a portion of the list generator 111 , the first key generator 112 , the second key generator 113 , the first key distributor 114 , and the second key distributor 115 .
- the apparatus for generating a key 100 may newly generate and distribute a first key and a second key.
- a user whose authorization is deleted may not use content generated after deletion of authorization.
- content generated and distributed before deletion of authorization of the user may be continued to be used by the user.
- the apparatus for generating a key 100 may newly encrypt and distribute a key corresponding to authorization assigned to the added user.
- the key corresponding to authorization assigned to the added user may be encrypted and distributed using a public key of the added user.
- FIG. 2 includes an example of an apparatus for generating content 200 for an access control of content in a distributed environment network.
- the apparatus for generating content 200 may include a control unit 210 , a communication unit 220 , a storage unit 230 , a receiver 211 , a key decryption unit 212 , a second key generator 213 , a content generator 214 , an encryption key generator 215 , a content encryption unit 216 , a signature generator 217 , and a distributor 218 .
- the communication unit 220 may transmit and receive data through a wired and/or wireless network.
- the network may correspond to a CCN or an NDN.
- the storage unit 230 may store an operating system, an application program, and data for controlling an overall operation of the apparatus for generating content 200 .
- the storage unit 230 may store an access control list received through the receiver 211 , a first key decrypted by the key decryption unit 212 and a second generated by the second key generator 213 .
- the receiver 211 may request and receive an access control list from a network.
- the receiver 211 may request and receive a first encrypted key from the network.
- the key decryption unit 212 may secure a first key corresponding to a key for write authorization by decrypting the first encrypted key using a secret key corresponding to the public key.
- the first encrypted key may be encrypted by using a public key.
- the second key generator 213 may generate a second key.
- the second key may be generated using the first key and may correspond to a key for read authorization.
- the content generator 214 may generate content.
- the encryption key generator 215 may generate an encryption key.
- the encryption key may be generated using the second key.
- the encryption key may be generated using information of the content and the second key.
- the encryption key generator 215 may generate the encryption key based on the following Equation 2.
- DEK relates to an encryption key
- KGF( ) relates to a function for generating an encryption key
- K relates to the second key for read authorization
- Content Inform relates to information of content.
- the content encryption unit 216 may encrypt content using the encryption key to generate an encrypted content.
- the signature generator 217 may generate a signature using the first key, the content, a signature key, or any combination thereof. In this instance, the signature generator 217 may generate the signature using an algorithm which has a one-way homomorphic characteristic. As another aspect, the signature generator 217 may generate the signature based on the following Equation 3.
- Signature( ) relates to a function for generating a signature
- F( ) relates to a function which has a one-way homomorphic characteristic
- C relates to an encrypted content
- NK relates to the first key
- m relates to a random value less than n corresponding to a parameter used for generating the second key
- n relates to a number of times the first key is hashed to generate the second key and may be an integer greater than 0.
- the signature generator 217 may generate a signature key based on Equation 4.
- Equation 4 h relates to H(C), C relates to an encrypted content, H( ) relates to a function having a one-way homomorphic characteristic, d relates to a signature key, NK relates to the first key, m relates to a random value less than n corresponding to a parameter used for generating the second key, n relates to a number of times the first key is hashed to generate the second key, and H m ( ) relates to performing a hash m times.
- Equation 5 may be satisfied.
- the one-way homomorphic characteristic may have the following three characteristics.
- F(X) may be easily evaluated for a given X, X may be difficult to be evaluated from F(X).
- F(X) may have the one-way homomorphic characteristic.
- F(X) ⁇ 1 may be difficult to be evaluated.
- the distributor 218 may distribute the encrypted content and the signature through the network.
- the control unit 210 may control an operation of the apparatus for generating content 200 .
- the control unit 210 may function as the receiver 211 , the key decryption unit 212 , the second key generator 213 , the content generator 214 , the encryption key generator 215 , the content encryption unit 216 , the signature generator 217 and the distributor 218 .
- the control unit 210 , the receiver 211 , the key decryption unit 212 , the second key generator 213 , the content generator 214 , the encryption key generator 215 , the content encryption unit 216 , the signature generator 217 and the distributor 218 are separately illustrated to separately describe each function.
- control unit 210 may include at least one processor to function as an entire or a portion of the receiver 211 , the key decryption unit 212 , the second key generator 213 , the content generator 214 , the encryption key generator 215 , the content encryption unit 216 , the signature generator 217 , and the distributor 218 .
- FIG. 3 includes an example of an apparatus for verification of content 300 for an access control of content in a distributed environment network.
- the apparatus for verification of content 300 may include a control unit 310 , a communication unit 320 , a storage unit 330 , a receiver 311 , a key decryption unit 312 , a decryption key generator 313 , a second key generator 314 , a signature verification unit 315 , and a content decryption unit 316 .
- the communication unit 320 may transmit and receive data through a wired and/or wireless network.
- the network may correspond to a CCN or an NDN.
- the storage unit 330 may store an operating system, an application program and data for storage for controlling an overall operation of the apparatus for verification of content 300 .
- the storage unit 330 may store an access control list, a first key and a second key.
- the receiver 311 may receive an encrypted content, a signature of the encrypted content and an access control list. That is, in response to the receiver 311 being determined to have write authorization as a result of verification of the access control list, the receiver 311 may receive a first encrypted key from the network. Further, in response to the receiver 311 being determined to have read authorization as a result of verification of the access control list, the receiver 311 may receive a second encrypted key from the network.
- the key decryption unit 312 may decrypt the first encrypted key or the second encrypted key using a secret key.
- the secret key may correspond to a public key.
- the second key generator 314 may generate the second key.
- the second key may correspond to a key for read authorization using the first key.
- the second key may be generated based on Equation 1.
- the signature verification unit 315 may verify a signature using the second key and the encrypted content.
- the signature verification unit 315 may perform verification based on the following Equation 6.
- Verify( ) relates to a function for verifying a signature
- Sig relates to a signature
- K relates to the second key corresponding to a key for read authorization
- H( ) relates to a hash function
- m relates to a random value less than n corresponding to a to parameter used for generating the second key
- n relates to a number of times the first key is hashed to generate the second key.
- the value of n may be an integer greater than 0.
- the signature verification unit 315 may verify a signature based on the following Equation 7.
- Equation 7 Sig relates to a signature, NK relates to the first key, K relates to the second key corresponding to a key for read authorization, h relates to H(C), C relates to an encrypted content, H( ) relates to a hash function which has a one-way homomorphic characteristic, d relates to a signature key, e relates to a signature verification key, m relates to a random value less than n corresponding to a parameter used for generating the second key, and n relates to a number of times the first key is hashed to generate the second key.
- n may be an integer greater than 0.
- the signature verification unit 315 may calculate A′ using a received signature, calculate B using K and the received encrypted content, and determine whether the verification is successful by comparing A′ to B.
- K may correspond to the second key of the signature verification unit 315 .
- the decryption key generator 313 may generate a decryption key based on the second key.
- the decryption key generator 313 may generate the decryption key using information of content and the second key.
- the generation of the decryption key may be based on the same scheme as the encryption key generator 215 .
- the decryption key generator 313 may use the encryption key generated based on Equation 2 as the decryption key.
- the content decryption unit 316 may use the decryption key to decrypt the encrypted content.
- the control unit 310 may control an overall operation of the apparatus for verification of content 300 .
- the control unit 310 may function as the key decryption unit 312 , the decryption key generator 313 , the second key generator 314 , the signature verification unit 315 , and the content decryption unit 316 .
- the control unit 310 , the key decryption unit 312 , the decryption key generator 313 , the second key generator 314 , the signature verification unit 315 , and the content decryption unit 316 are separately illustrated to describe the function of each.
- control unit 310 may include at least one processor configured to function as an entire or a portion of the key decryption unit 312 , the decryption key generator 313 , the second key generator 314 , the signature verification unit 315 , and the content decryption unit 316 .
- FIG. 4 illustrates an example of a process for generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key 100 in a distributed environment network.
- the apparatus for generating a key 100 may generate an access control list.
- the access control list may include information of at least one user and information about access authorization.
- the apparatus for generating a key 100 may generate a first key.
- the first key may correspond to a key for write authorization.
- the apparatus for generating a key 100 may generate a second key.
- the second key may correspond to a key for read authorization using the first key.
- the apparatus for generating a key 100 may encrypt the first key using each public key of members having write authorization among members to generate first encrypted keys.
- the members having write authorization among members may be included in the access control list.
- the apparatus for generating a key 100 may distribute the access control list and the generated first encrypted keys to the members having write authorization.
- the apparatus for generating a key 100 may encrypt the second key using each public key of members having read authorization among members to generate second encrypted keys.
- the members having read authorization among members may be included in the access control list.
- the apparatus for generating a key 100 may distribute the access control list and the second encrypted keys to the members having read authorization.
- FIG. 5 illustrates an example of a process for generating and distributing content for an access control of content in an apparatus for generating content 200 in a distributed environment network.
- the apparatus for generating content 200 may generate content.
- the apparatus for generating content 200 may request and receive an access control list and a first encrypted key from a network.
- the apparatus for generating content 200 may verify whether the apparatus for generating content 200 has write authorization by checking access authorization of members based on the access control list.
- the apparatus for generating content 200 may decrypt the first encrypted key to secure a first key corresponding to a key for write authorization using a secret key in response to the apparatus for generating content 200 being determined to have write authorization as a result of the verification in operation 514 .
- the first encrypted key may be encrypted using a public key.
- the secret key may correspond to the public key.
- the apparatus for generating content 200 may generate a second key corresponding to a key for read authorization using the first key.
- the apparatus for generating content 200 may generate an encryption key using information of the content and the second key.
- the apparatus for generating content 200 may encrypt content using the encryption key to generate an encrypted content.
- the apparatus for generating content 200 may generate a signature using a value.
- the value may be obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key.
- the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
- the value n may be an integer greater than 0.
- the apparatus for generating content 200 may distribute the encrypted content, the signature, and the value m through the network.
- FIG. 6 includes an example of a process for verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network.
- an apparatus for verification of content 300 may receive an encrypted content and a signature of the encrypted content.
- the apparatus for verification of content 300 may receive an access control list from a network.
- the apparatus for verification of content 300 may check access authorization of the encrypted content in the access control list to verify satisfaction of access requirements.
- the apparatus for verification of content 300 may secure a second key in response to the encrypted content being determined to be accessible as a result of the verification in operation 614 .
- the second key may correspond to a key for read authorization.
- the apparatus for verification of content 300 may receive a second encrypted key from the network in response to the apparatus for verification of content 300 being determined to have read authorization as a result of checking the access control list.
- the apparatus for verification of content 300 may decrypt the second encrypted key to secure a second key using a secret key.
- the second encrypted key may be encrypted by using a public key.
- the secret key may correspond to the public key.
- the apparatus for verification of content 300 may receive a first encrypted key from the network in response to the apparatus for verification of content 300 being determined to have write authorization as a result of checking the access control list, secure a first key by decrypting the first encrypted key using a secret key, and generate the second key using the first key.
- the first encrypted key may be encrypted by using a public key.
- the secret key may correspond to the public key.
- the apparatus for verification of content 300 may verify the signature using the second key and the encrypted content, and check whether the signature verification is successful.
- the apparatus for verification of content 300 may generate a decryption key using the second key in response to the signature verification being determined to succeed as a result of the verification in operation 618 .
- the decryption key may be identical to the decryption key generated by the apparatus for generating content 200 .
- the apparatus for verification of content 300 may decrypt the encrypted content using the decryption key.
- Program instructions to perform a method described herein, or one or more operations thereof, may be recorded, stored, or fixed in one or more computer-readable storage media.
- the program instructions may be implemented by a computer.
- the computer may cause a processor to execute the program instructions.
- the media may include, alone or in combination with the program instructions, data files, data structures, and the like.
- Examples of computer-readable media include magnetic media, such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks and DVDs; magneto-optical media, such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory (ROM), random access memory (RAM), flash memory, and the like.
- Examples of program instructions include machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
- the program instructions that is, software
- the program instructions may be distributed over network coupled computer systems so that the software is stored and executed in a distributed fashion.
- the software and data may be stored by one or more computer readable recording mediums.
- functional programs, codes, and code segments for accomplishing the example embodiments disclosed herein can be easily construed by programmers skilled in the art to which the embodiments pertain based on and using the flow diagrams and block diagrams of the figures and their corresponding descriptions as provided herein.
- the described unit to perform an operation or a method may be hardware, software, or some combination of hardware and software.
- the unit may be a software package running on a computer or the computer on which that software is running.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
An apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and distribute the access control list and information about access authorization and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
Description
- This application is a Divisional of U.S. patent application Ser. No. 13/410,762 filed on Mar. 2, 2012, which claims the benefit under 35 U.S.C. §119(a) of Korean Patent Application No. 10-2011-0018664, filed on Mar. 2, 2011, in the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference for all purposes.
- 1. Field
- The following description relates to an apparatus and a method for access control of content in a distributed environment network.
- 2. Description of Related Art
- An access control of content based on an encryption technology may generally manage and control access authorization of the corresponding content based on whether a data encryption key (DEK) used for a content encryption is secured. A user securing the DEK may be considered to have read and access authorization in relation to the corresponding content.
- Since a user having read and access authorization may previously secure the DEK or may generate the DEK, read and write authorizations may not be separately managed based on whether the DEK is secured.
- Accordingly, an additional scheme for managing write authorization in a case of the access control of content based on an encryption technology may be desireable.
- In one general aspect, an apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization and distribute the access control list and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
- The access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
- The first key may be neither generated nor predicted using the second key.
- The second key may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
- The first key distributor, the second key distributor, or any combination thereof may be implemented by a processor.
- The apparatus may include a list generator to generate the access control list.
- The apparatus may include a first key generator to generate the first key, and a second key generator to generate the second key.
- In another aspect, an apparatus for generating content for an access control of content in a distributed environment network is provided. The apparatus includes a key decryption unit configured to secure a first key by decrypting a first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, an encryption key generator configured to generate an encryption key using a second key generated using the first key, a content encryption unit configured to generate an encrypted content by encrypting content using the encryption key, a signature generator configured to generate a signature using the first key, a content and a signature key in response to members included in an access control list having write authorization as a result of checking access authorization of the members, and a distributor configured to distribute the encrypted content and the signature through a network.
- The encryption key generator may generate the encryption key using information of the content and the second key.
- The first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
- The second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
- The signature generator may generate the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key, the distributor may distribute a value of the m in addition to the encrypted content and the signature and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
- The signature generator may generate the signature using an algorithm having a one-way homomorphic characteristic.
- The signature key may be generated based on a Rivest Shamir Adleman (RSA) encryption scheme.
- In another aspect, an apparatus for verification of content for an access control of content in a distributed environment network is provided. The apparatus includes a receiver configured to receive an encrypted content, a signature of the encrypted content, and an access control list, and to receive a second encrypted key from a network in response to the apparatus being determined to have read authorization as a result of checking the access control list, a key decryption unit configured to secure a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have read authorization as a result of checking the access control list, a signature verification unit configured to verify the signature using the second key and the encrypted content, a decryption key generator configured to generate a decryption key using the second key in response to the signature verification being successful, and a content decryption unit configured to decrypt the encrypted content using the decryption key.
- The apparatus may include a second key generator configured to generate the second key using a first key. The receiver may receive a first encrypted key from the network, and the key decryption unit may secure the first key by decrypting the first encrypted key using the secret key in response to the apparatus being determined to have write authorization as a result of checking the access control list.
- The first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
- The second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
- In another aspect, a method for an access control of content in an apparatus for generating a key of a distributed environment network is provided. The method includes generating a second key corresponding to a key for read authorization using a first key corresponding to a key for write authorization, generating first encrypted keys by encrypting the first key using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization, distributing the access control list and the first encrypted keys to the members having write authorization, generating second encrypted keys by encrypting the second key using each public key of members having read authorization among members included in the access control list, and distributing the access control list and the second encrypted keys to the members having read authorization.
- In another aspect, a method for an access control of content in an apparatus for generating content of a distributed environment network is provided. The method includes requesting and receiving an access control list and a first encrypted key from a network, securing a first key corresponding to a key for write authorization by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have write authorization as a result of checking the access control list, generating an encryption key using information of a content and a second key corresponding to a key for read authorization using the first key, generating an encrypted content by encrypting content using the encryption key, generating a signature using the first key, the content, and a signature key, and distributing the encrypted content and the signature through the network.
- The generating of the signature may include generating the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content and the signature key, the distributing may include distributing a value of the m in addition to the encrypted content and the signature, and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key, the value of n being an integer greater than 0.
- The generating of the signature may include generating the signature using an algorithm having a one-way homomorphic characteristic.
- In another aspect, a method for an access control of content in an apparatus for verification of content of a distributed environment network is provided. The method includes checking access authorization of an encrypted content in an access control list to verify access requirements are satisfied, securing a second key corresponding to a key for read authorization in response to the encrypted content being determined to be accessible as a result of the verification, verifying a signature of the encrypted content using the second key and the encrypted content, generating a decryption key using the second key in response to the signature verification being successful, and decrypting the encrypted content using the decryption key.
- The securing may include receiving a second encrypted key from the network in response to the apparatus being determined to have read authorization as a result of checking the access control list, and securing a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key. The securing may include receiving a first encrypted key from the network in response to the apparatus being determined to have write authorization as a result of checking the access control list, securing a first key by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, and generating the second key using the first key.
- Other features and aspects may be apparent from the following detailed description, the drawings, and the claims.
-
FIG. 1 is a diagram illustrating an example of an apparatus for generating a key for an access control of content in a distributed environment network. -
FIG. 2 is a diagram illustrating an example of an apparatus for generating content for an access control of content in a distributed environment network. -
FIG. 3 is a diagram illustrating an example of an apparatus for verification of content for an access control of content in a distributed environment network. -
FIG. 4 is a flowchart illustrating an example of a process of generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key in a distributed environment network. -
FIG. 5 is a flowchart illustrating an example of a process of generating and distributing content for an access control of content in an apparatus for generating content in a distributed environment network. -
FIG. 6 is a flowchart illustrating an example of a process of verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network. - Throughout the drawings and the detailed description, unless otherwise described, the same drawing reference numerals will be understood to refer to the same elements, features, and structures. The relative size and depiction of these elements may be exaggerated for clarity, illustration, and convenience.
- The following detailed description is provided to assist the reader in gaining a comprehensive understanding of the methods, apparatuses, and/or systems described herein. Accordingly, various changes, modifications, and equivalents of the systems, apparatuses and/or methods described herein will be suggested to those of ordinary skill in the art. Also, descriptions of well-known functions and constructions may be omitted for increased clarity and conciseness.
- Examples relate to an apparatus for generating a key, an apparatus for generating content, and an apparatus for verification of content for separately controlling read authorization and write authorization with respect to content and a method thereof in a distributed environment network.
-
FIG. 1 includes an example of an apparatus for generating akey 100 for an access control of content in a distributed environment network. - Referring to
FIG. 1 , the apparatus for generating akey 100 may include acontrol unit 110, acommunication unit 120, astorage unit 130, alist generator 111, afirst key generator 112, asecond key generator 113, afirst key distributor 114, and asecond key distributor 115. - The
communication unit 120 may transmit and receive data through a wired and/or a wireless network. In this instance, the network may correspond to a content centric network (CCN) or a named data network (NDN). - The
storage unit 130 may store an operating system, an application program, and data for controlling an operation of the apparatus for generating a key 100. Thestorage unit 130 may store an access control list generated by thelist generator 111, a first key generated by the firstkey generator 112 and a second key generated by the secondkey generator 113. - The access control list may includes information of at least one user and information relating to access authorization.
- In this instance, the access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of the members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
- A structure of the access control list may be as shown in the following Table 1.
-
TABLE 1 Structure Name Size Option Flag Version (optional) Nonce (optional) Index (optional) Principal[1] Principal[1]'s rights Key Link[1] * * * Principal[n] Principal[n]'s rights Key Link[n] Signature - In Table 1, Name relates to identification information for identifying an access control list, Size relates to a number of Principals or a size of the access control list, Option Flag relates to identification information for identifying optional components, Version relates to a time stamp, Nonce relates to a random value for generating an encryption key, Index relates to information of a hash key, Principal[i] relates to identification information of a user or a user group, Principal[i]'s rights relate to information about access authorization assigned to the Principal[i], Key Link[i] relates to identification information of a key assigned to the Principal[i] and Signature relates to a signature of a generator of the access control list.
- The first
key generator 112 may generate a first key. The first key may correspond to a key for write authorization. - The second
key generator 113 may generate a second key. The second key may correspond to a key for read authorization using the first key. The secondkey generator 113 may be generated based on the following Equation 1. -
K=H n(NK) [Equation 1] - In Equation 1, K relates to the second key for read authorization, NK relates to the first key for write authorization, H( ) relates to a hash function, and Hn( ) relates to performing a hash n times. N may be an integer greater than zero.
- The first key may be neither generated nor predicted using the second key.
- The first
key distributor 114 may generate first encrypted keys by encrypting the first key using each public key of members having write authorization. The members having write authorization may be included in the access control list. The firstkey distributor 114 may distribute the access control list and the first encrypted keys to the members having write authorization. - The second
key distributor 115 may generate second encrypted keys by encrypting the second key using each public key of members having read authorization. The members having read authorization may be included in the access control list. The secondkey distributor 115 may distribute the access control list and second encrypted keys to the members having read authorization. - The
control unit 110 may control an overall operation of the apparatus for generating a key 100. Thecontrol unit 110 may function as thelist generator 111, the firstkey generator 112, the secondkey generator 113, the firstkey distributor 114, and the secondkey distributor 115. Thecontrol unit 110, thelist generator 111, the firstkey generator 112, the secondkey generator 113, the firstkey distributor 114, and the secondkey distributor 115 are separately illustrated to separately describe each function. Furthermore, thecontrol unit 110 may include at least one processor to function as an entire or a portion of thelist generator 111, the firstkey generator 112, the secondkey generator 113, the firstkey distributor 114, and the secondkey distributor 115. - In response to authorization of a user included in the access control list being changed or deleted, the apparatus for generating a key 100 may newly generate and distribute a first key and a second key. In this instance, a user whose authorization is deleted may not use content generated after deletion of authorization. As another aspect, content generated and distributed before deletion of authorization of the user may be continued to be used by the user.
- In response to a new user being added to the access control list, the apparatus for generating a key 100 may newly encrypt and distribute a key corresponding to authorization assigned to the added user. The key corresponding to authorization assigned to the added user may be encrypted and distributed using a public key of the added user.
-
FIG. 2 includes an example of an apparatus for generatingcontent 200 for an access control of content in a distributed environment network. - Referring to
FIG. 2 , the apparatus for generatingcontent 200 may include acontrol unit 210, acommunication unit 220, astorage unit 230, areceiver 211, akey decryption unit 212, a secondkey generator 213, acontent generator 214, anencryption key generator 215, acontent encryption unit 216, asignature generator 217, and adistributor 218. - The
communication unit 220 may transmit and receive data through a wired and/or wireless network. In this instance, the network may correspond to a CCN or an NDN. - The
storage unit 230 may store an operating system, an application program, and data for controlling an overall operation of the apparatus for generatingcontent 200. Thestorage unit 230 may store an access control list received through thereceiver 211, a first key decrypted by thekey decryption unit 212 and a second generated by the secondkey generator 213. - The
receiver 211 may request and receive an access control list from a network. Thereceiver 211 may request and receive a first encrypted key from the network. - The
key decryption unit 212 may secure a first key corresponding to a key for write authorization by decrypting the first encrypted key using a secret key corresponding to the public key. The first encrypted key may be encrypted by using a public key. - The second
key generator 213 may generate a second key. The second key may be generated using the first key and may correspond to a key for read authorization. - The
content generator 214 may generate content. - The
encryption key generator 215 may generate an encryption key. The encryption key may be generated using the second key. In another example, the encryption key may be generated using information of the content and the second key. In this instance, theencryption key generator 215 may generate the encryption key based on the following Equation 2. -
DEK=KGF(K,Content Inform) [Equation 2] - In Equation 2, DEK relates to an encryption key, KGF( ) relates to a function for generating an encryption key, K relates to the second key for read authorization, and Content Inform relates to information of content.
- The
content encryption unit 216 may encrypt content using the encryption key to generate an encrypted content. - In response to members included in the access control list having write authorization as a result of checking access authorization of the members included in the access control list, the
signature generator 217 may generate a signature using the first key, the content, a signature key, or any combination thereof. In this instance, thesignature generator 217 may generate the signature using an algorithm which has a one-way homomorphic characteristic. As another aspect, thesignature generator 217 may generate the signature based on the following Equation 3. -
Sig=Signature(F(H m(NK),H(C)),signature key) [Equation 3] - In Equation 3, Signature( ) relates to a function for generating a signature, F( ) relates to a function which has a one-way homomorphic characteristic, C relates to an encrypted content, NK relates to the first key, m relates to a random value less than n corresponding to a parameter used for generating the second key and n relates to a number of times the first key is hashed to generate the second key and may be an integer greater than 0.
- In response to a Rivest Shamir Adleman (RSA) encryption scheme being used, the
signature generator 217 may generate a signature key based on Equation 4. -
Sig=(H m(NK*h))d [Equation 4] - In Equation 4, h relates to H(C), C relates to an encrypted content, H( ) relates to a function having a one-way homomorphic characteristic, d relates to a signature key, NK relates to the first key, m relates to a random value less than n corresponding to a parameter used for generating the second key, n relates to a number of times the first key is hashed to generate the second key, and Hm ( ) relates to performing a hash m times.
- Depending on the one-way homomorphic characteristic of H( ) in Equation 4, the following Equation 5 may be satisfied.
-
(H m(NK*h))d=(H m(NK)·H m(h))d [Equation 5] - The one-way homomorphic characteristic may have the following three characteristics.
- First, even though F(X) may be easily evaluated for a given X, X may be difficult to be evaluated from F(X). F(X) may have the one-way homomorphic characteristic.
- Secondly, F(A*B)=F(A)·F(B).
- Thirdly, F(X)−1 may be difficult to be evaluated.
- The
distributor 218 may distribute the encrypted content and the signature through the network. - The
control unit 210 may control an operation of the apparatus for generatingcontent 200. Thecontrol unit 210 may function as thereceiver 211, thekey decryption unit 212, the secondkey generator 213, thecontent generator 214, theencryption key generator 215, thecontent encryption unit 216, thesignature generator 217 and thedistributor 218. Thecontrol unit 210, thereceiver 211, thekey decryption unit 212, the secondkey generator 213, thecontent generator 214, theencryption key generator 215, thecontent encryption unit 216, thesignature generator 217 and thedistributor 218 are separately illustrated to separately describe each function. Thus, thecontrol unit 210 may include at least one processor to function as an entire or a portion of thereceiver 211, thekey decryption unit 212, the secondkey generator 213, thecontent generator 214, theencryption key generator 215, thecontent encryption unit 216, thesignature generator 217, and thedistributor 218. -
FIG. 3 includes an example of an apparatus for verification ofcontent 300 for an access control of content in a distributed environment network. - Referring to
FIG. 3 , the apparatus for verification ofcontent 300 may include acontrol unit 310, acommunication unit 320, astorage unit 330, areceiver 311, akey decryption unit 312, adecryption key generator 313, a secondkey generator 314, asignature verification unit 315, and acontent decryption unit 316. - The
communication unit 320 may transmit and receive data through a wired and/or wireless network. In this instance, the network may correspond to a CCN or an NDN. - The
storage unit 330 may store an operating system, an application program and data for storage for controlling an overall operation of the apparatus for verification ofcontent 300. Thestorage unit 330 may store an access control list, a first key and a second key. - The
receiver 311 may receive an encrypted content, a signature of the encrypted content and an access control list. That is, in response to thereceiver 311 being determined to have write authorization as a result of verification of the access control list, thereceiver 311 may receive a first encrypted key from the network. Further, in response to thereceiver 311 being determined to have read authorization as a result of verification of the access control list, thereceiver 311 may receive a second encrypted key from the network. - In response to the
receiver 311 receiving the first encrypted key or the second encrypted key, thekey decryption unit 312 may decrypt the first encrypted key or the second encrypted key using a secret key. The secret key may correspond to a public key. - The second
key generator 314 may generate the second key. The second key may correspond to a key for read authorization using the first key. In this instance, the second key may be generated based on Equation 1. - The
signature verification unit 315 may verify a signature using the second key and the encrypted content. Thesignature verification unit 315 may perform verification based on the following Equation 6. -
Verify(Sig,n,m,K,H(C),signature verification key) [Equation 6] - In Equation 6, Verify( ) relates to a function for verifying a signature, Sig relates to a signature, K relates to the second key corresponding to a key for read authorization, H( ) relates to a hash function, m relates to a random value less than n corresponding to a to parameter used for generating the second key, and n relates to a number of times the first key is hashed to generate the second key. The value of n may be an integer greater than 0.
- In response to the
signature generator 217 generating a signature key using a Rivest Shamir Adleman (RSA) encryption scheme such as Equation 4, thesignature verification unit 315 may verify a signature based on the following Equation 7. -
A=Sige=((H m(NK*h))d)e =H m(NK*h)=H m(NK)·H m(h) -
A′=H n-m(A)=H n(NK)·H n(h) -
B=K·H n(h) -
If A′=B,Sig is valid -
If A′≠B,Sig is invalid [Equation 7] - In Equation 7, Sig relates to a signature, NK relates to the first key, K relates to the second key corresponding to a key for read authorization, h relates to H(C), C relates to an encrypted content, H( ) relates to a hash function which has a one-way homomorphic characteristic, d relates to a signature key, e relates to a signature verification key, m relates to a random value less than n corresponding to a parameter used for generating the second key, and n relates to a number of times the first key is hashed to generate the second key.
- The value of n may be an integer greater than 0.
- In response to the RSA encryption scheme such as Equation 4 being used, the
signature verification unit 315 may calculate A′ using a received signature, calculate B using K and the received encrypted content, and determine whether the verification is successful by comparing A′ to B. K may correspond to the second key of thesignature verification unit 315. - A signature scheme using the
signature generator 217 and thesignature verification unit 315 may be satisfactory for security, for the reasons discussed below. Since a user having read authorization may have information of K=Hn(NK) and m<n, Hm(NK) used for generating Sig may not be evaluated using information of K due to a one-way homomorphic characteristic. Even though Sige=H(NK)me×H(C) is secured in a verification operation, a signature key k of a user having write authorization may be used to secure Hm(NK). Thus, a valid signature may not be generated without collaboration from the user having write authorization. - In response to the signature verification succeeding, the
decryption key generator 313 may generate a decryption key based on the second key. In another aspect, thedecryption key generator 313 may generate the decryption key using information of content and the second key. The generation of the decryption key may be based on the same scheme as theencryption key generator 215. Thedecryption key generator 313 may use the encryption key generated based on Equation 2 as the decryption key. - The
content decryption unit 316 may use the decryption key to decrypt the encrypted content. - The
control unit 310 may control an overall operation of the apparatus for verification ofcontent 300. Thecontrol unit 310 may function as thekey decryption unit 312, thedecryption key generator 313, the secondkey generator 314, thesignature verification unit 315, and thecontent decryption unit 316. Thecontrol unit 310, thekey decryption unit 312, thedecryption key generator 313, the secondkey generator 314, thesignature verification unit 315, and thecontent decryption unit 316 are separately illustrated to describe the function of each. Thus, thecontrol unit 310 may include at least one processor configured to function as an entire or a portion of thekey decryption unit 312, thedecryption key generator 313, the secondkey generator 314, thesignature verification unit 315, and thecontent decryption unit 316. - Hereinafter, an example of a method for an access control of content in a distributed environment network will be described with reference to
FIG. 4 throughFIG. 6 . -
FIG. 4 illustrates an example of a process for generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key 100 in a distributed environment network. - Referring to
FIG. 4 , inoperation 410, the apparatus for generating a key 100 may generate an access control list. The access control list may include information of at least one user and information about access authorization. - In
operation 412, the apparatus for generating a key 100 may generate a first key. The first key may correspond to a key for write authorization. - In
operation 414, the apparatus for generating a key 100 may generate a second key. The second key may correspond to a key for read authorization using the first key. - In
operation 416, the apparatus for generating a key 100 may encrypt the first key using each public key of members having write authorization among members to generate first encrypted keys. The members having write authorization among members may be included in the access control list. - In
operation 418, the apparatus for generating a key 100 may distribute the access control list and the generated first encrypted keys to the members having write authorization. - In
operation 420, the apparatus for generating a key 100 may encrypt the second key using each public key of members having read authorization among members to generate second encrypted keys. The members having read authorization among members may be included in the access control list. - In
operation 422, the apparatus for generating a key 100 may distribute the access control list and the second encrypted keys to the members having read authorization. -
FIG. 5 illustrates an example of a process for generating and distributing content for an access control of content in an apparatus for generatingcontent 200 in a distributed environment network. - Referring to
FIG. 5 , inoperation 510, the apparatus for generatingcontent 200 may generate content. - In
operation 512, the apparatus for generatingcontent 200 may request and receive an access control list and a first encrypted key from a network. - In
operation 514, the apparatus for generatingcontent 200 may verify whether the apparatus for generatingcontent 200 has write authorization by checking access authorization of members based on the access control list. - In
operation 516, the apparatus for generatingcontent 200 may decrypt the first encrypted key to secure a first key corresponding to a key for write authorization using a secret key in response to the apparatus for generatingcontent 200 being determined to have write authorization as a result of the verification inoperation 514. The first encrypted key may be encrypted using a public key. The secret key may correspond to the public key. - In
operation 518, the apparatus for generatingcontent 200 may generate a second key corresponding to a key for read authorization using the first key. - In
operation 520, the apparatus for generatingcontent 200 may generate an encryption key using information of the content and the second key. - In
operation 522, the apparatus for generatingcontent 200 may encrypt content using the encryption key to generate an encrypted content. - In
operation 524, the apparatus for generatingcontent 200 may generate a signature using a value. The value may be obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key. In this instance, the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key. The value n may be an integer greater than 0. - In
operation 526, the apparatus for generatingcontent 200 may distribute the encrypted content, the signature, and the value m through the network. -
FIG. 6 includes an example of a process for verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network. - Referring to
FIG. 6 , inoperation 610, an apparatus for verification ofcontent 300 may receive an encrypted content and a signature of the encrypted content. - In
operation 612, the apparatus for verification ofcontent 300 may receive an access control list from a network. - In
operation 614, the apparatus for verification ofcontent 300 may check access authorization of the encrypted content in the access control list to verify satisfaction of access requirements. - In
operation 616, the apparatus for verification ofcontent 300 may secure a second key in response to the encrypted content being determined to be accessible as a result of the verification inoperation 614. The second key may correspond to a key for read authorization. - In
operation 616, the apparatus for verification ofcontent 300 may receive a second encrypted key from the network in response to the apparatus for verification ofcontent 300 being determined to have read authorization as a result of checking the access control list. The apparatus for verification ofcontent 300 may decrypt the second encrypted key to secure a second key using a secret key. The second encrypted key may be encrypted by using a public key. The secret key may correspond to the public key. - In
operation 616, the apparatus for verification ofcontent 300 may receive a first encrypted key from the network in response to the apparatus for verification ofcontent 300 being determined to have write authorization as a result of checking the access control list, secure a first key by decrypting the first encrypted key using a secret key, and generate the second key using the first key. The first encrypted key may be encrypted by using a public key. The secret key may correspond to the public key. - In
operation 618, the apparatus for verification ofcontent 300 may verify the signature using the second key and the encrypted content, and check whether the signature verification is successful. - In
operation 620, the apparatus for verification ofcontent 300 may generate a decryption key using the second key in response to the signature verification being determined to succeed as a result of the verification inoperation 618. In this instance, the decryption key may be identical to the decryption key generated by the apparatus for generatingcontent 200. - In
operation 622, the apparatus for verification ofcontent 300 may decrypt the encrypted content using the decryption key. - Program instructions to perform a method described herein, or one or more operations thereof, may be recorded, stored, or fixed in one or more computer-readable storage media. The program instructions may be implemented by a computer. For example, the computer may cause a processor to execute the program instructions. The media may include, alone or in combination with the program instructions, data files, data structures, and the like. Examples of computer-readable media include magnetic media, such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks and DVDs; magneto-optical media, such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory (ROM), random access memory (RAM), flash memory, and the like. Examples of program instructions include machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter. The program instructions, that is, software, may be distributed over network coupled computer systems so that the software is stored and executed in a distributed fashion. For example, the software and data may be stored by one or more computer readable recording mediums. Also, functional programs, codes, and code segments for accomplishing the example embodiments disclosed herein can be easily construed by programmers skilled in the art to which the embodiments pertain based on and using the flow diagrams and block diagrams of the figures and their corresponding descriptions as provided herein. Also, the described unit to perform an operation or a method may be hardware, software, or some combination of hardware and software. For example, the unit may be a software package running on a computer or the computer on which that software is running.
- A number of examples have been described above. Nevertheless, it will be understood that various modifications may be made. For example, suitable results may be achieved if the described techniques are performed in a different order and/or if components in a described system, architecture, device, or circuit are combined in a different manner and/or replaced or supplemented by other components or their equivalents. Accordingly, other implementations are within the scope of the following claims.
Claims (17)
1. An apparatus for generating content for an access control of content in a distributed environment network, the apparatus comprising:
a key decryption unit configured to secure a first key by decrypting a first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key;
an encryption key generator configured to generate an encryption key using a second key generated using the first key;
a content encryption unit configured to generate an encrypted content by encrypting content using the encryption key;
a signature generator configured to generate a signature using the first key, a content and a signature key in response to members included in an access control list having write authorization as a result of checking access authorization of the members; and
a distributor configured to distribute the encrypted content and the signature through a network.
2. The apparatus of claim 1 , wherein the encryption key generator generates the encryption key using information of the content and the second key.
3. The apparatus of claim 1 , wherein the first key corresponds to a key for write authorization and is neither generated nor predicted using the second key.
4. The apparatus of claim 1 , wherein the second key corresponds to a key for read authorization and is a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
5. The apparatus of claim 1 , wherein:
the signature generator generates the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key,
the distributor distributes a value of the m in addition to the encrypted content and the signature and
the value m corresponds to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
6. The apparatus of claim 1 , wherein the signature generator generates the signature using an algorithm having a one-way homomorphic characteristic.
7. The apparatus of claim 1 , wherein the signature key is generated based on a Rivest Shamir Adleman (RSA) encryption scheme.
8. An apparatus for verification of content for an access control of content in a distributed environment network, the apparatus comprising:
a receiver configured to receive an encrypted content, a signature of the encrypted content, and an access control list, and to receive a second encrypted key from a network in response to the apparatus being determined to have read authorization as a result of checking the access control list;
a key decryption unit configured to secure a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have read authorization as a result of checking the access control list;
a signature verification unit configured to verify the signature using the second key and the encrypted content;
a decryption key generator configured to generate a decryption key using the second key in response to the signature verification being successful; and
a content decryption unit configured to decrypt the encrypted content using the decryption key.
9. The apparatus of claim 8 , further comprising:
a second key generator configured to generate the second key using a first key,
wherein the receiver receives a first encrypted key from the network, and
the key decryption unit secures the first key by decrypting the first encrypted key using the secret key in response to the apparatus being determined to have write authorization as a result of checking the access control list.
10. The apparatus of claim 9 , wherein the first key corresponds to a key for write authorization and is neither generated nor predicted using the second key.
11. The apparatus of claim 9 , wherein the second key corresponds to a key for read authorization and is a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
12. A method for an access control of content in an apparatus for generating content of a distributed environment network, the method comprising:
requesting and receiving an access control list and a first encrypted key from a network;
securing a first key corresponding to a key for write authorization by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have write authorization as a result of checking the access control list;
generating an encryption key using information of a content and a second key corresponding to a key for read authorization using the first key;
generating an encrypted content by encrypting content using the encryption key;
generating a signature using the first key, the content, and a signature key; and
distributing the encrypted content and the signature through the network.
13. The method of claim 12 , wherein:
the generating of the signature comprises generating the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content and the signature key,
the distributing comprises distributing a value of the m in addition to the encrypted content and the signature, and
the value m corresponds to a random value less than n corresponding to a number of times the first key is hashed to generate the second key, the value of n being an integer greater than 0.
14. The method of claim 12 , wherein the generating of the signature comprises generating the signature using an algorithm having a one-way homomorphic characteristic.
15. A method for an access control of content in an apparatus for verification of content of a distributed environment network, the method comprising:
checking access authorization of an encrypted content in an access control list to verify access requirements are satisfied;
securing a second key corresponding to a key for read authorization in response to the encrypted content being determined to be accessible as a result of the verification;
verifying a signature of the encrypted content using the second key and the encrypted content;
generating a decryption key using the second key in response to the signature verification being successful; and
decrypting the encrypted content using the decryption key.
16. The method of claim 15 , wherein the securing comprises:
receiving a second encrypted key from the network in response to the apparatus being determined to have read authorization as a result of checking the access control list; and
securing a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key.
17. The method of claim 15 , wherein the securing comprises:
receiving a first encrypted key from the network in response to the apparatus being determined to have write authorization as a result of checking the access control list;
securing a first key by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key; and
generating the second key using the first key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/543,077 US20150074417A1 (en) | 2011-03-02 | 2014-11-17 | Apparatus and method for access control of content in distributed environment network |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2011-0018664 | 2011-03-02 | ||
KR1020110018664A KR20120100046A (en) | 2011-03-02 | 2011-03-02 | Apparatus and method for access control of contents in distributed environment network |
US13/410,762 US8918635B2 (en) | 2011-03-02 | 2012-03-02 | Apparatus and method for access control of content in distributed environment network |
US14/543,077 US20150074417A1 (en) | 2011-03-02 | 2014-11-17 | Apparatus and method for access control of content in distributed environment network |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/410,762 Division US8918635B2 (en) | 2011-03-02 | 2012-03-02 | Apparatus and method for access control of content in distributed environment network |
Publications (1)
Publication Number | Publication Date |
---|---|
US20150074417A1 true US20150074417A1 (en) | 2015-03-12 |
Family
ID=46754050
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/410,762 Active 2032-12-28 US8918635B2 (en) | 2011-03-02 | 2012-03-02 | Apparatus and method for access control of content in distributed environment network |
US14/543,077 Abandoned US20150074417A1 (en) | 2011-03-02 | 2014-11-17 | Apparatus and method for access control of content in distributed environment network |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/410,762 Active 2032-12-28 US8918635B2 (en) | 2011-03-02 | 2012-03-02 | Apparatus and method for access control of content in distributed environment network |
Country Status (2)
Country | Link |
---|---|
US (2) | US8918635B2 (en) |
KR (1) | KR20120100046A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107317678A (en) * | 2017-06-05 | 2017-11-03 | 北京网证科技有限公司 | A kind of electronics confirmation request processing method and system based on internet |
CN107682151A (en) * | 2017-10-30 | 2018-02-09 | 武汉大学 | A kind of GOST digital signature generation method and system |
Families Citing this family (84)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10181953B1 (en) * | 2013-09-16 | 2019-01-15 | Amazon Technologies, Inc. | Trusted data verification |
US9456054B2 (en) | 2008-05-16 | 2016-09-27 | Palo Alto Research Center Incorporated | Controlling the spread of interests and content in a content centric network |
US8923293B2 (en) | 2009-10-21 | 2014-12-30 | Palo Alto Research Center Incorporated | Adaptive multi-interface use for content networking |
US20140181985A1 (en) * | 2012-12-21 | 2014-06-26 | Broadcom Corporation | Content Specific Data Scrambling |
GB2514428B (en) * | 2013-08-19 | 2016-01-13 | Visa Europe Ltd | Enabling access to data |
US10098051B2 (en) | 2014-01-22 | 2018-10-09 | Cisco Technology, Inc. | Gateways and routing in software-defined manets |
US9954678B2 (en) * | 2014-02-06 | 2018-04-24 | Cisco Technology, Inc. | Content-based transport security |
US9836540B2 (en) | 2014-03-04 | 2017-12-05 | Cisco Technology, Inc. | System and method for direct storage access in a content-centric network |
US9626413B2 (en) | 2014-03-10 | 2017-04-18 | Cisco Systems, Inc. | System and method for ranking content popularity in a content-centric network |
US20150261693A1 (en) * | 2014-03-14 | 2015-09-17 | International Business Machines Corporation | Dynamic storage key assignment |
US9716622B2 (en) | 2014-04-01 | 2017-07-25 | Cisco Technology, Inc. | System and method for dynamic name configuration in content-centric networks |
US9473576B2 (en) | 2014-04-07 | 2016-10-18 | Palo Alto Research Center Incorporated | Service discovery using collection synchronization with exact names |
US9992281B2 (en) | 2014-05-01 | 2018-06-05 | Cisco Technology, Inc. | Accountable content stores for information centric networks |
US9609014B2 (en) | 2014-05-22 | 2017-03-28 | Cisco Systems, Inc. | Method and apparatus for preventing insertion of malicious content at a named data network router |
US9949115B2 (en) | 2014-06-10 | 2018-04-17 | Qualcomm Incorporated | Common modulus RSA key pairs for signature generation and encryption/decryption |
US9699198B2 (en) | 2014-07-07 | 2017-07-04 | Cisco Technology, Inc. | System and method for parallel secure content bootstrapping in content-centric networks |
US9621354B2 (en) | 2014-07-17 | 2017-04-11 | Cisco Systems, Inc. | Reconstructable content objects |
US9729616B2 (en) | 2014-07-18 | 2017-08-08 | Cisco Technology, Inc. | Reputation-based strategy for forwarding and responding to interests over a content centric network |
US9590887B2 (en) | 2014-07-18 | 2017-03-07 | Cisco Systems, Inc. | Method and system for keeping interest alive in a content centric network |
US9882964B2 (en) | 2014-08-08 | 2018-01-30 | Cisco Technology, Inc. | Explicit strategy feedback in name-based forwarding |
US9729662B2 (en) | 2014-08-11 | 2017-08-08 | Cisco Technology, Inc. | Probabilistic lazy-forwarding technique without validation in a content centric network |
US9391777B2 (en) * | 2014-08-15 | 2016-07-12 | Palo Alto Research Center Incorporated | System and method for performing key resolution over a content centric network |
US9800637B2 (en) | 2014-08-19 | 2017-10-24 | Cisco Technology, Inc. | System and method for all-in-one content stream in content-centric networks |
US10069933B2 (en) | 2014-10-23 | 2018-09-04 | Cisco Technology, Inc. | System and method for creating virtual interfaces based on network characteristics |
US9590948B2 (en) | 2014-12-15 | 2017-03-07 | Cisco Systems, Inc. | CCN routing using hardware-assisted hash tables |
US10237189B2 (en) | 2014-12-16 | 2019-03-19 | Cisco Technology, Inc. | System and method for distance-based interest forwarding |
US10003520B2 (en) | 2014-12-22 | 2018-06-19 | Cisco Technology, Inc. | System and method for efficient name-based content routing using link-state information in information-centric networks |
US9660825B2 (en) | 2014-12-24 | 2017-05-23 | Cisco Technology, Inc. | System and method for multi-source multicasting in content-centric networks |
US9946743B2 (en) | 2015-01-12 | 2018-04-17 | Cisco Technology, Inc. | Order encoded manifests in a content centric network |
US9954795B2 (en) | 2015-01-12 | 2018-04-24 | Cisco Technology, Inc. | Resource allocation using CCN manifests |
US9832291B2 (en) | 2015-01-12 | 2017-11-28 | Cisco Technology, Inc. | Auto-configurable transport stack |
US9916457B2 (en) | 2015-01-12 | 2018-03-13 | Cisco Technology, Inc. | Decoupled name security binding for CCN objects |
US10333840B2 (en) | 2015-02-06 | 2019-06-25 | Cisco Technology, Inc. | System and method for on-demand content exchange with adaptive naming in information-centric networks |
US10075401B2 (en) | 2015-03-18 | 2018-09-11 | Cisco Technology, Inc. | Pending interest table behavior |
US10075402B2 (en) | 2015-06-24 | 2018-09-11 | Cisco Technology, Inc. | Flexible command and control in content centric networks |
US10701038B2 (en) | 2015-07-27 | 2020-06-30 | Cisco Technology, Inc. | Content negotiation in a content centric network |
US9986034B2 (en) | 2015-08-03 | 2018-05-29 | Cisco Technology, Inc. | Transferring state in content centric network stacks |
US9832123B2 (en) | 2015-09-11 | 2017-11-28 | Cisco Technology, Inc. | Network named fragments in a content centric network |
US10355999B2 (en) | 2015-09-23 | 2019-07-16 | Cisco Technology, Inc. | Flow control with network named fragments |
US9977809B2 (en) | 2015-09-24 | 2018-05-22 | Cisco Technology, Inc. | Information and data framework in a content centric network |
US10313227B2 (en) | 2015-09-24 | 2019-06-04 | Cisco Technology, Inc. | System and method for eliminating undetected interest looping in information-centric networks |
US10454820B2 (en) | 2015-09-29 | 2019-10-22 | Cisco Technology, Inc. | System and method for stateless information-centric networking |
US10263965B2 (en) | 2015-10-16 | 2019-04-16 | Cisco Technology, Inc. | Encrypted CCNx |
US9912776B2 (en) | 2015-12-02 | 2018-03-06 | Cisco Technology, Inc. | Explicit content deletion commands in a content centric network |
US10097346B2 (en) | 2015-12-09 | 2018-10-09 | Cisco Technology, Inc. | Key catalogs in a content centric network |
US10257271B2 (en) | 2016-01-11 | 2019-04-09 | Cisco Technology, Inc. | Chandra-Toueg consensus in a content centric network |
US10305864B2 (en) | 2016-01-25 | 2019-05-28 | Cisco Technology, Inc. | Method and system for interest encryption in a content centric network |
US10043016B2 (en) | 2016-02-29 | 2018-08-07 | Cisco Technology, Inc. | Method and system for name encryption agreement in a content centric network |
US10003507B2 (en) | 2016-03-04 | 2018-06-19 | Cisco Technology, Inc. | Transport session state protocol |
US10051071B2 (en) | 2016-03-04 | 2018-08-14 | Cisco Technology, Inc. | Method and system for collecting historical network information in a content centric network |
US10742596B2 (en) | 2016-03-04 | 2020-08-11 | Cisco Technology, Inc. | Method and system for reducing a collision probability of hash-based names using a publisher identifier |
US10038633B2 (en) | 2016-03-04 | 2018-07-31 | Cisco Technology, Inc. | Protocol to query for historical network information in a content centric network |
US9832116B2 (en) | 2016-03-14 | 2017-11-28 | Cisco Technology, Inc. | Adjusting entries in a forwarding information base in a content centric network |
US10212196B2 (en) | 2016-03-16 | 2019-02-19 | Cisco Technology, Inc. | Interface discovery and authentication in a name-based network |
US11436656B2 (en) | 2016-03-18 | 2022-09-06 | Palo Alto Research Center Incorporated | System and method for a real-time egocentric collaborative filter on large datasets |
US10067948B2 (en) | 2016-03-18 | 2018-09-04 | Cisco Technology, Inc. | Data deduping in content centric networking manifests |
US10091330B2 (en) | 2016-03-23 | 2018-10-02 | Cisco Technology, Inc. | Interest scheduling by an information and data framework in a content centric network |
US10033639B2 (en) | 2016-03-25 | 2018-07-24 | Cisco Technology, Inc. | System and method for routing packets in a content centric network using anonymous datagrams |
US10320760B2 (en) | 2016-04-01 | 2019-06-11 | Cisco Technology, Inc. | Method and system for mutating and caching content in a content centric network |
US9930146B2 (en) | 2016-04-04 | 2018-03-27 | Cisco Technology, Inc. | System and method for compressing content centric networking messages |
US10425503B2 (en) | 2016-04-07 | 2019-09-24 | Cisco Technology, Inc. | Shared pending interest table in a content centric network |
US10027578B2 (en) | 2016-04-11 | 2018-07-17 | Cisco Technology, Inc. | Method and system for routable prefix queries in a content centric network |
US10404450B2 (en) | 2016-05-02 | 2019-09-03 | Cisco Technology, Inc. | Schematized access control in a content centric network |
US10320675B2 (en) | 2016-05-04 | 2019-06-11 | Cisco Technology, Inc. | System and method for routing packets in a stateless content centric network |
US10547589B2 (en) | 2016-05-09 | 2020-01-28 | Cisco Technology, Inc. | System for implementing a small computer systems interface protocol over a content centric network |
US10084764B2 (en) | 2016-05-13 | 2018-09-25 | Cisco Technology, Inc. | System for a secure encryption proxy in a content centric network |
US10063414B2 (en) | 2016-05-13 | 2018-08-28 | Cisco Technology, Inc. | Updating a transport stack in a content centric network |
US10103989B2 (en) | 2016-06-13 | 2018-10-16 | Cisco Technology, Inc. | Content object return messages in a content centric network |
US10305865B2 (en) | 2016-06-21 | 2019-05-28 | Cisco Technology, Inc. | Permutation-based content encryption with manifests in a content centric network |
US10148572B2 (en) | 2016-06-27 | 2018-12-04 | Cisco Technology, Inc. | Method and system for interest groups in a content centric network |
US10009266B2 (en) | 2016-07-05 | 2018-06-26 | Cisco Technology, Inc. | Method and system for reference counted pending interest tables in a content centric network |
US9992097B2 (en) | 2016-07-11 | 2018-06-05 | Cisco Technology, Inc. | System and method for piggybacking routing information in interests in a content centric network |
US10122624B2 (en) | 2016-07-25 | 2018-11-06 | Cisco Technology, Inc. | System and method for ephemeral entries in a forwarding information base in a content centric network |
US10069729B2 (en) | 2016-08-08 | 2018-09-04 | Cisco Technology, Inc. | System and method for throttling traffic based on a forwarding information base in a content centric network |
US10956412B2 (en) | 2016-08-09 | 2021-03-23 | Cisco Technology, Inc. | Method and system for conjunctive normal form attribute matching in a content centric network |
US10033642B2 (en) | 2016-09-19 | 2018-07-24 | Cisco Technology, Inc. | System and method for making optimal routing decisions based on device-specific parameters in a content centric network |
US10212248B2 (en) | 2016-10-03 | 2019-02-19 | Cisco Technology, Inc. | Cache management on high availability routers in a content centric network |
US10447805B2 (en) | 2016-10-10 | 2019-10-15 | Cisco Technology, Inc. | Distributed consensus in a content centric network |
US10135948B2 (en) | 2016-10-31 | 2018-11-20 | Cisco Technology, Inc. | System and method for process migration in a content centric network |
US10243851B2 (en) | 2016-11-21 | 2019-03-26 | Cisco Technology, Inc. | System and method for forwarder connection information in a content centric network |
KR102617151B1 (en) * | 2018-08-17 | 2023-12-26 | 배영식 | Contents blockchain platform |
WO2020036267A1 (en) * | 2018-08-17 | 2020-02-20 | 주식회사 후본 | Platform and method for content management |
BR112019007995A2 (en) * | 2018-11-30 | 2019-11-12 | Alibaba Group Holding Ltd | “Computer-implemented method, computer-readable medium, and system for implementing a method |
US11424922B2 (en) * | 2020-05-14 | 2022-08-23 | Paypal, Inc. | Hashing schemes for cryptographic private key generation |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040123104A1 (en) * | 2001-03-27 | 2004-06-24 | Xavier Boyen | Distributed scalable cryptographic access contol |
US20050228990A1 (en) * | 2001-12-13 | 2005-10-13 | Kazuhiko Kato | Software safety execution system |
US20090158043A1 (en) * | 2007-12-17 | 2009-06-18 | John Michael Boyer | Secure digital signature system |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH07253931A (en) | 1994-03-16 | 1995-10-03 | Fujitsu Ltd | Destruction prevention system for program data storage area |
US6330671B1 (en) * | 1997-06-23 | 2001-12-11 | Sun Microsystems, Inc. | Method and system for secure distribution of cryptographic keys on multicast networks |
JP2003024867A (en) | 2001-07-18 | 2003-01-28 | Kansai Paint Co Ltd | Method of evaluating mixed state of multi-liquid type coating material |
JP4157709B2 (en) | 2002-01-31 | 2008-10-01 | 富士通株式会社 | Access control method and storage device |
US7412063B2 (en) * | 2004-03-31 | 2008-08-12 | International Business Machines Corporation | Controlling delivery of broadcast encryption content for a network cluster from a content server outside the cluster |
US20100146589A1 (en) | 2007-12-21 | 2010-06-10 | Drivesentry Inc. | System and method to secure a computer system by selective control of write access to a data storage medium |
US20090300307A1 (en) | 2008-05-30 | 2009-12-03 | International Business Machines Corporation | Protection and security provisioning using on-the-fly virtualization |
KR101016126B1 (en) | 2008-12-22 | 2011-02-17 | 서울대학교산학협력단 | System and method for data encryption |
US8364984B2 (en) | 2009-03-13 | 2013-01-29 | Microsoft Corporation | Portable secure data files |
KR101203804B1 (en) | 2009-04-10 | 2012-11-22 | 닉스테크 주식회사 | Security mobile storage apparatus and the control method |
-
2011
- 2011-03-02 KR KR1020110018664A patent/KR20120100046A/en not_active Application Discontinuation
-
2012
- 2012-03-02 US US13/410,762 patent/US8918635B2/en active Active
-
2014
- 2014-11-17 US US14/543,077 patent/US20150074417A1/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040123104A1 (en) * | 2001-03-27 | 2004-06-24 | Xavier Boyen | Distributed scalable cryptographic access contol |
US20050228990A1 (en) * | 2001-12-13 | 2005-10-13 | Kazuhiko Kato | Software safety execution system |
US20090158043A1 (en) * | 2007-12-17 | 2009-06-18 | John Michael Boyer | Secure digital signature system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107317678A (en) * | 2017-06-05 | 2017-11-03 | 北京网证科技有限公司 | A kind of electronics confirmation request processing method and system based on internet |
CN107682151A (en) * | 2017-10-30 | 2018-02-09 | 武汉大学 | A kind of GOST digital signature generation method and system |
Also Published As
Publication number | Publication date |
---|---|
US20120226902A1 (en) | 2012-09-06 |
KR20120100046A (en) | 2012-09-12 |
US8918635B2 (en) | 2014-12-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8918635B2 (en) | Apparatus and method for access control of content in distributed environment network | |
US8856530B2 (en) | Data storage incorporating cryptographically enhanced data protection | |
JP5432999B2 (en) | Encryption key distribution system | |
US20200320178A1 (en) | Digital rights management authorization token pairing | |
US20080209231A1 (en) | Contents Encryption Method, System and Method for Providing Contents Through Network Using the Encryption Method | |
US20100005318A1 (en) | Process for securing data in a storage unit | |
US20070127719A1 (en) | Efficient management of cryptographic key generations | |
US7877604B2 (en) | Proof of execution using random function | |
CN109981255B (en) | Method and system for updating key pool | |
US20170085543A1 (en) | Apparatus and method for exchanging encryption key | |
JP5670272B2 (en) | Information processing apparatus, server apparatus, and program | |
US20090138708A1 (en) | Cryptographic module distribution system, apparatus, and program | |
US20130259227A1 (en) | Information processing device and computer program product | |
CN114697040B (en) | Electronic signature method and system based on symmetric key | |
CN114157488B (en) | Key acquisition method, device, electronic equipment and storage medium | |
KR102496436B1 (en) | Method of storing plurality of data pieces in storage in blockchain network and method of receiving plurality of data pieces | |
CN107769915B (en) | Data encryption and decryption system and method with fine-grained user control | |
JP2010141619A (en) | Communication apparatus, server apparatus, communication program, and data | |
CN114666039A (en) | RFID group tag authentication system and method based on quantum cryptography network | |
KR101512891B1 (en) | Server for providing contents and operating method of the server, terminal thereof | |
CN118018310B (en) | Revocable identity-based key encryption method, storage medium and device | |
KR20110075089A (en) | System and method for reading a classified digital document using environmental information | |
CN106921623B (en) | Identification key updating method and system | |
JP5739078B1 (en) | Server apparatus, communication method, and program | |
KR20190006899A (en) | Apparatus and method for distributing copyright content in icn |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE |