US20150074417A1 - Apparatus and method for access control of content in distributed environment network - Google Patents

Apparatus and method for access control of content in distributed environment network Download PDF

Info

Publication number
US20150074417A1
US20150074417A1 US14/543,077 US201414543077A US2015074417A1 US 20150074417 A1 US20150074417 A1 US 20150074417A1 US 201414543077 A US201414543077 A US 201414543077A US 2015074417 A1 US2015074417 A1 US 2015074417A1
Authority
US
United States
Prior art keywords
key
content
signature
encrypted
access control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/543,077
Inventor
Dae Youb Kim
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Priority to US14/543,077 priority Critical patent/US20150074417A1/en
Publication of US20150074417A1 publication Critical patent/US20150074417A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Definitions

  • the following description relates to an apparatus and a method for access control of content in a distributed environment network.
  • An access control of content based on an encryption technology may generally manage and control access authorization of the corresponding content based on whether a data encryption key (DEK) used for a content encryption is secured.
  • DEK data encryption key
  • a user securing the DEK may be considered to have read and access authorization in relation to the corresponding content.
  • read and write authorizations may not be separately managed based on whether the DEK is secured.
  • an additional scheme for managing write authorization in a case of the access control of content based on an encryption technology may be desireable.
  • an apparatus for generating a key for access control of content in a distributed environment network includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization and distribute the access control list and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
  • the access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
  • the first key may be neither generated nor predicted using the second key.
  • the second key may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
  • the first key distributor, the second key distributor, or any combination thereof may be implemented by a processor.
  • the apparatus may include a list generator to generate the access control list.
  • the apparatus may include a first key generator to generate the first key, and a second key generator to generate the second key.
  • an apparatus for generating content for an access control of content in a distributed environment network includes a key decryption unit configured to secure a first key by decrypting a first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, an encryption key generator configured to generate an encryption key using a second key generated using the first key, a content encryption unit configured to generate an encrypted content by encrypting content using the encryption key, a signature generator configured to generate a signature using the first key, a content and a signature key in response to members included in an access control list having write authorization as a result of checking access authorization of the members, and a distributor configured to distribute the encrypted content and the signature through a network.
  • the encryption key generator may generate the encryption key using information of the content and the second key.
  • the first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
  • the second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
  • the signature generator may generate the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key, the distributor may distribute a value of the m in addition to the encrypted content and the signature and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
  • the signature generator may generate the signature using an algorithm having a one-way homomorphic characteristic.
  • the signature key may be generated based on a Rivest Shamir Adleman (RSA) encryption scheme.
  • RSA Rivest Shamir Adleman
  • an apparatus for verification of content for an access control of content in a distributed environment network includes a receiver configured to receive an encrypted content, a signature of the encrypted content, and an access control list, and to receive a second encrypted key from a network in response to the apparatus being determined to have read authorization as a result of checking the access control list, a key decryption unit configured to secure a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have read authorization as a result of checking the access control list, a signature verification unit configured to verify the signature using the second key and the encrypted content, a decryption key generator configured to generate a decryption key using the second key in response to the signature verification being successful, and a content decryption unit configured to decrypt the encrypted content using the decryption key.
  • the apparatus may include a second key generator configured to generate the second key using a first key.
  • the receiver may receive a first encrypted key from the network, and the key decryption unit may secure the first key by decrypting the first encrypted key using the secret key in response to the apparatus being determined to have write authorization as a result of checking the access control list.
  • the first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
  • the second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
  • a method for an access control of content in an apparatus for generating a key of a distributed environment network includes generating a second key corresponding to a key for read authorization using a first key corresponding to a key for write authorization, generating first encrypted keys by encrypting the first key using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization, distributing the access control list and the first encrypted keys to the members having write authorization, generating second encrypted keys by encrypting the second key using each public key of members having read authorization among members included in the access control list, and distributing the access control list and the second encrypted keys to the members having read authorization.
  • a method for an access control of content in an apparatus for generating content of a distributed environment network includes requesting and receiving an access control list and a first encrypted key from a network, securing a first key corresponding to a key for write authorization by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have write authorization as a result of checking the access control list, generating an encryption key using information of a content and a second key corresponding to a key for read authorization using the first key, generating an encrypted content by encrypting content using the encryption key, generating a signature using the first key, the content, and a signature key, and distributing the encrypted content and the signature through the network.
  • the generating of the signature may include generating the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content and the signature key, the distributing may include distributing a value of the m in addition to the encrypted content and the signature, and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key, the value of n being an integer greater than 0.
  • the generating of the signature may include generating the signature using an algorithm having a one-way homomorphic characteristic.
  • a method for an access control of content in an apparatus for verification of content of a distributed environment network includes checking access authorization of an encrypted content in an access control list to verify access requirements are satisfied, securing a second key corresponding to a key for read authorization in response to the encrypted content being determined to be accessible as a result of the verification, verifying a signature of the encrypted content using the second key and the encrypted content, generating a decryption key using the second key in response to the signature verification being successful, and decrypting the encrypted content using the decryption key.
  • the securing may include receiving a second encrypted key from the network in response to the apparatus being determined to have read authorization as a result of checking the access control list, and securing a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key.
  • the securing may include receiving a first encrypted key from the network in response to the apparatus being determined to have write authorization as a result of checking the access control list, securing a first key by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, and generating the second key using the first key.
  • FIG. 1 is a diagram illustrating an example of an apparatus for generating a key for an access control of content in a distributed environment network.
  • FIG. 2 is a diagram illustrating an example of an apparatus for generating content for an access control of content in a distributed environment network.
  • FIG. 3 is a diagram illustrating an example of an apparatus for verification of content for an access control of content in a distributed environment network.
  • FIG. 4 is a flowchart illustrating an example of a process of generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key in a distributed environment network.
  • FIG. 5 is a flowchart illustrating an example of a process of generating and distributing content for an access control of content in an apparatus for generating content in a distributed environment network.
  • FIG. 6 is a flowchart illustrating an example of a process of verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network.
  • Examples relate to an apparatus for generating a key, an apparatus for generating content, and an apparatus for verification of content for separately controlling read authorization and write authorization with respect to content and a method thereof in a distributed environment network.
  • FIG. 1 includes an example of an apparatus for generating a key 100 for an access control of content in a distributed environment network.
  • the apparatus for generating a key 100 may include a control unit 110 , a communication unit 120 , a storage unit 130 , a list generator 111 , a first key generator 112 , a second key generator 113 , a first key distributor 114 , and a second key distributor 115 .
  • the communication unit 120 may transmit and receive data through a wired and/or a wireless network.
  • the network may correspond to a content centric network (CCN) or a named data network (NDN).
  • CCN content centric network
  • NDN named data network
  • the storage unit 130 may store an operating system, an application program, and data for controlling an operation of the apparatus for generating a key 100 .
  • the storage unit 130 may store an access control list generated by the list generator 111 , a first key generated by the first key generator 112 and a second key generated by the second key generator 113 .
  • the access control list may includes information of at least one user and information relating to access authorization.
  • the access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of the members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
  • a structure of the access control list may be as shown in the following Table 1.
  • Name relates to identification information for identifying an access control list
  • Size relates to a number of Principals or a size of the access control list
  • Option Flag relates to identification information for identifying optional components
  • Version relates to a time stamp
  • Nonce relates to a random value for generating an encryption key
  • Index relates to information of a hash key
  • Principal[i] relates to identification information of a user or a user group
  • Principal[i]'s rights relate to information about access authorization assigned to the Principal[i]
  • Key Link[i] relates to identification information of a key assigned to the Principal[i]
  • Signature relates to a signature of a generator of the access control list.
  • the first key generator 112 may generate a first key.
  • the first key may correspond to a key for write authorization.
  • the second key generator 113 may generate a second key.
  • the second key may correspond to a key for read authorization using the first key.
  • the second key generator 113 may be generated based on the following Equation 1.
  • Equation 1 K relates to the second key for read authorization, NK relates to the first key for write authorization, H( ) relates to a hash function, and H n ( ) relates to performing a hash n times.
  • N may be an integer greater than zero.
  • the first key may be neither generated nor predicted using the second key.
  • the first key distributor 114 may generate first encrypted keys by encrypting the first key using each public key of members having write authorization.
  • the members having write authorization may be included in the access control list.
  • the first key distributor 114 may distribute the access control list and the first encrypted keys to the members having write authorization.
  • the second key distributor 115 may generate second encrypted keys by encrypting the second key using each public key of members having read authorization.
  • the members having read authorization may be included in the access control list.
  • the second key distributor 115 may distribute the access control list and second encrypted keys to the members having read authorization.
  • the control unit 110 may control an overall operation of the apparatus for generating a key 100 .
  • the control unit 110 may function as the list generator 111 , the first key generator 112 , the second key generator 113 , the first key distributor 114 , and the second key distributor 115 .
  • the control unit 110 , the list generator 111 , the first key generator 112 , the second key generator 113 , the first key distributor 114 , and the second key distributor 115 are separately illustrated to separately describe each function.
  • the control unit 110 may include at least one processor to function as an entire or a portion of the list generator 111 , the first key generator 112 , the second key generator 113 , the first key distributor 114 , and the second key distributor 115 .
  • the apparatus for generating a key 100 may newly generate and distribute a first key and a second key.
  • a user whose authorization is deleted may not use content generated after deletion of authorization.
  • content generated and distributed before deletion of authorization of the user may be continued to be used by the user.
  • the apparatus for generating a key 100 may newly encrypt and distribute a key corresponding to authorization assigned to the added user.
  • the key corresponding to authorization assigned to the added user may be encrypted and distributed using a public key of the added user.
  • FIG. 2 includes an example of an apparatus for generating content 200 for an access control of content in a distributed environment network.
  • the apparatus for generating content 200 may include a control unit 210 , a communication unit 220 , a storage unit 230 , a receiver 211 , a key decryption unit 212 , a second key generator 213 , a content generator 214 , an encryption key generator 215 , a content encryption unit 216 , a signature generator 217 , and a distributor 218 .
  • the communication unit 220 may transmit and receive data through a wired and/or wireless network.
  • the network may correspond to a CCN or an NDN.
  • the storage unit 230 may store an operating system, an application program, and data for controlling an overall operation of the apparatus for generating content 200 .
  • the storage unit 230 may store an access control list received through the receiver 211 , a first key decrypted by the key decryption unit 212 and a second generated by the second key generator 213 .
  • the receiver 211 may request and receive an access control list from a network.
  • the receiver 211 may request and receive a first encrypted key from the network.
  • the key decryption unit 212 may secure a first key corresponding to a key for write authorization by decrypting the first encrypted key using a secret key corresponding to the public key.
  • the first encrypted key may be encrypted by using a public key.
  • the second key generator 213 may generate a second key.
  • the second key may be generated using the first key and may correspond to a key for read authorization.
  • the content generator 214 may generate content.
  • the encryption key generator 215 may generate an encryption key.
  • the encryption key may be generated using the second key.
  • the encryption key may be generated using information of the content and the second key.
  • the encryption key generator 215 may generate the encryption key based on the following Equation 2.
  • DEK relates to an encryption key
  • KGF( ) relates to a function for generating an encryption key
  • K relates to the second key for read authorization
  • Content Inform relates to information of content.
  • the content encryption unit 216 may encrypt content using the encryption key to generate an encrypted content.
  • the signature generator 217 may generate a signature using the first key, the content, a signature key, or any combination thereof. In this instance, the signature generator 217 may generate the signature using an algorithm which has a one-way homomorphic characteristic. As another aspect, the signature generator 217 may generate the signature based on the following Equation 3.
  • Signature( ) relates to a function for generating a signature
  • F( ) relates to a function which has a one-way homomorphic characteristic
  • C relates to an encrypted content
  • NK relates to the first key
  • m relates to a random value less than n corresponding to a parameter used for generating the second key
  • n relates to a number of times the first key is hashed to generate the second key and may be an integer greater than 0.
  • the signature generator 217 may generate a signature key based on Equation 4.
  • Equation 4 h relates to H(C), C relates to an encrypted content, H( ) relates to a function having a one-way homomorphic characteristic, d relates to a signature key, NK relates to the first key, m relates to a random value less than n corresponding to a parameter used for generating the second key, n relates to a number of times the first key is hashed to generate the second key, and H m ( ) relates to performing a hash m times.
  • Equation 5 may be satisfied.
  • the one-way homomorphic characteristic may have the following three characteristics.
  • F(X) may be easily evaluated for a given X, X may be difficult to be evaluated from F(X).
  • F(X) may have the one-way homomorphic characteristic.
  • F(X) ⁇ 1 may be difficult to be evaluated.
  • the distributor 218 may distribute the encrypted content and the signature through the network.
  • the control unit 210 may control an operation of the apparatus for generating content 200 .
  • the control unit 210 may function as the receiver 211 , the key decryption unit 212 , the second key generator 213 , the content generator 214 , the encryption key generator 215 , the content encryption unit 216 , the signature generator 217 and the distributor 218 .
  • the control unit 210 , the receiver 211 , the key decryption unit 212 , the second key generator 213 , the content generator 214 , the encryption key generator 215 , the content encryption unit 216 , the signature generator 217 and the distributor 218 are separately illustrated to separately describe each function.
  • control unit 210 may include at least one processor to function as an entire or a portion of the receiver 211 , the key decryption unit 212 , the second key generator 213 , the content generator 214 , the encryption key generator 215 , the content encryption unit 216 , the signature generator 217 , and the distributor 218 .
  • FIG. 3 includes an example of an apparatus for verification of content 300 for an access control of content in a distributed environment network.
  • the apparatus for verification of content 300 may include a control unit 310 , a communication unit 320 , a storage unit 330 , a receiver 311 , a key decryption unit 312 , a decryption key generator 313 , a second key generator 314 , a signature verification unit 315 , and a content decryption unit 316 .
  • the communication unit 320 may transmit and receive data through a wired and/or wireless network.
  • the network may correspond to a CCN or an NDN.
  • the storage unit 330 may store an operating system, an application program and data for storage for controlling an overall operation of the apparatus for verification of content 300 .
  • the storage unit 330 may store an access control list, a first key and a second key.
  • the receiver 311 may receive an encrypted content, a signature of the encrypted content and an access control list. That is, in response to the receiver 311 being determined to have write authorization as a result of verification of the access control list, the receiver 311 may receive a first encrypted key from the network. Further, in response to the receiver 311 being determined to have read authorization as a result of verification of the access control list, the receiver 311 may receive a second encrypted key from the network.
  • the key decryption unit 312 may decrypt the first encrypted key or the second encrypted key using a secret key.
  • the secret key may correspond to a public key.
  • the second key generator 314 may generate the second key.
  • the second key may correspond to a key for read authorization using the first key.
  • the second key may be generated based on Equation 1.
  • the signature verification unit 315 may verify a signature using the second key and the encrypted content.
  • the signature verification unit 315 may perform verification based on the following Equation 6.
  • Verify( ) relates to a function for verifying a signature
  • Sig relates to a signature
  • K relates to the second key corresponding to a key for read authorization
  • H( ) relates to a hash function
  • m relates to a random value less than n corresponding to a to parameter used for generating the second key
  • n relates to a number of times the first key is hashed to generate the second key.
  • the value of n may be an integer greater than 0.
  • the signature verification unit 315 may verify a signature based on the following Equation 7.
  • Equation 7 Sig relates to a signature, NK relates to the first key, K relates to the second key corresponding to a key for read authorization, h relates to H(C), C relates to an encrypted content, H( ) relates to a hash function which has a one-way homomorphic characteristic, d relates to a signature key, e relates to a signature verification key, m relates to a random value less than n corresponding to a parameter used for generating the second key, and n relates to a number of times the first key is hashed to generate the second key.
  • n may be an integer greater than 0.
  • the signature verification unit 315 may calculate A′ using a received signature, calculate B using K and the received encrypted content, and determine whether the verification is successful by comparing A′ to B.
  • K may correspond to the second key of the signature verification unit 315 .
  • the decryption key generator 313 may generate a decryption key based on the second key.
  • the decryption key generator 313 may generate the decryption key using information of content and the second key.
  • the generation of the decryption key may be based on the same scheme as the encryption key generator 215 .
  • the decryption key generator 313 may use the encryption key generated based on Equation 2 as the decryption key.
  • the content decryption unit 316 may use the decryption key to decrypt the encrypted content.
  • the control unit 310 may control an overall operation of the apparatus for verification of content 300 .
  • the control unit 310 may function as the key decryption unit 312 , the decryption key generator 313 , the second key generator 314 , the signature verification unit 315 , and the content decryption unit 316 .
  • the control unit 310 , the key decryption unit 312 , the decryption key generator 313 , the second key generator 314 , the signature verification unit 315 , and the content decryption unit 316 are separately illustrated to describe the function of each.
  • control unit 310 may include at least one processor configured to function as an entire or a portion of the key decryption unit 312 , the decryption key generator 313 , the second key generator 314 , the signature verification unit 315 , and the content decryption unit 316 .
  • FIG. 4 illustrates an example of a process for generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key 100 in a distributed environment network.
  • the apparatus for generating a key 100 may generate an access control list.
  • the access control list may include information of at least one user and information about access authorization.
  • the apparatus for generating a key 100 may generate a first key.
  • the first key may correspond to a key for write authorization.
  • the apparatus for generating a key 100 may generate a second key.
  • the second key may correspond to a key for read authorization using the first key.
  • the apparatus for generating a key 100 may encrypt the first key using each public key of members having write authorization among members to generate first encrypted keys.
  • the members having write authorization among members may be included in the access control list.
  • the apparatus for generating a key 100 may distribute the access control list and the generated first encrypted keys to the members having write authorization.
  • the apparatus for generating a key 100 may encrypt the second key using each public key of members having read authorization among members to generate second encrypted keys.
  • the members having read authorization among members may be included in the access control list.
  • the apparatus for generating a key 100 may distribute the access control list and the second encrypted keys to the members having read authorization.
  • FIG. 5 illustrates an example of a process for generating and distributing content for an access control of content in an apparatus for generating content 200 in a distributed environment network.
  • the apparatus for generating content 200 may generate content.
  • the apparatus for generating content 200 may request and receive an access control list and a first encrypted key from a network.
  • the apparatus for generating content 200 may verify whether the apparatus for generating content 200 has write authorization by checking access authorization of members based on the access control list.
  • the apparatus for generating content 200 may decrypt the first encrypted key to secure a first key corresponding to a key for write authorization using a secret key in response to the apparatus for generating content 200 being determined to have write authorization as a result of the verification in operation 514 .
  • the first encrypted key may be encrypted using a public key.
  • the secret key may correspond to the public key.
  • the apparatus for generating content 200 may generate a second key corresponding to a key for read authorization using the first key.
  • the apparatus for generating content 200 may generate an encryption key using information of the content and the second key.
  • the apparatus for generating content 200 may encrypt content using the encryption key to generate an encrypted content.
  • the apparatus for generating content 200 may generate a signature using a value.
  • the value may be obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key.
  • the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
  • the value n may be an integer greater than 0.
  • the apparatus for generating content 200 may distribute the encrypted content, the signature, and the value m through the network.
  • FIG. 6 includes an example of a process for verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network.
  • an apparatus for verification of content 300 may receive an encrypted content and a signature of the encrypted content.
  • the apparatus for verification of content 300 may receive an access control list from a network.
  • the apparatus for verification of content 300 may check access authorization of the encrypted content in the access control list to verify satisfaction of access requirements.
  • the apparatus for verification of content 300 may secure a second key in response to the encrypted content being determined to be accessible as a result of the verification in operation 614 .
  • the second key may correspond to a key for read authorization.
  • the apparatus for verification of content 300 may receive a second encrypted key from the network in response to the apparatus for verification of content 300 being determined to have read authorization as a result of checking the access control list.
  • the apparatus for verification of content 300 may decrypt the second encrypted key to secure a second key using a secret key.
  • the second encrypted key may be encrypted by using a public key.
  • the secret key may correspond to the public key.
  • the apparatus for verification of content 300 may receive a first encrypted key from the network in response to the apparatus for verification of content 300 being determined to have write authorization as a result of checking the access control list, secure a first key by decrypting the first encrypted key using a secret key, and generate the second key using the first key.
  • the first encrypted key may be encrypted by using a public key.
  • the secret key may correspond to the public key.
  • the apparatus for verification of content 300 may verify the signature using the second key and the encrypted content, and check whether the signature verification is successful.
  • the apparatus for verification of content 300 may generate a decryption key using the second key in response to the signature verification being determined to succeed as a result of the verification in operation 618 .
  • the decryption key may be identical to the decryption key generated by the apparatus for generating content 200 .
  • the apparatus for verification of content 300 may decrypt the encrypted content using the decryption key.
  • Program instructions to perform a method described herein, or one or more operations thereof, may be recorded, stored, or fixed in one or more computer-readable storage media.
  • the program instructions may be implemented by a computer.
  • the computer may cause a processor to execute the program instructions.
  • the media may include, alone or in combination with the program instructions, data files, data structures, and the like.
  • Examples of computer-readable media include magnetic media, such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks and DVDs; magneto-optical media, such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory (ROM), random access memory (RAM), flash memory, and the like.
  • Examples of program instructions include machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
  • the program instructions that is, software
  • the program instructions may be distributed over network coupled computer systems so that the software is stored and executed in a distributed fashion.
  • the software and data may be stored by one or more computer readable recording mediums.
  • functional programs, codes, and code segments for accomplishing the example embodiments disclosed herein can be easily construed by programmers skilled in the art to which the embodiments pertain based on and using the flow diagrams and block diagrams of the figures and their corresponding descriptions as provided herein.
  • the described unit to perform an operation or a method may be hardware, software, or some combination of hardware and software.
  • the unit may be a software package running on a computer or the computer on which that software is running.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

An apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and distribute the access control list and information about access authorization and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.

Description

    CROSS-REFERENCE TO RELATED APPLICATION(S)
  • This application is a Divisional of U.S. patent application Ser. No. 13/410,762 filed on Mar. 2, 2012, which claims the benefit under 35 U.S.C. §119(a) of Korean Patent Application No. 10-2011-0018664, filed on Mar. 2, 2011, in the Korean Intellectual Property Office, the entire disclosure of which is incorporated herein by reference for all purposes.
  • BACKGROUND
  • 1. Field
  • The following description relates to an apparatus and a method for access control of content in a distributed environment network.
  • 2. Description of Related Art
  • An access control of content based on an encryption technology may generally manage and control access authorization of the corresponding content based on whether a data encryption key (DEK) used for a content encryption is secured. A user securing the DEK may be considered to have read and access authorization in relation to the corresponding content.
  • Since a user having read and access authorization may previously secure the DEK or may generate the DEK, read and write authorizations may not be separately managed based on whether the DEK is secured.
  • Accordingly, an additional scheme for managing write authorization in a case of the access control of content based on an encryption technology may be desireable.
  • SUMMARY
  • In one general aspect, an apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization and distribute the access control list and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
  • The access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
  • The first key may be neither generated nor predicted using the second key.
  • The second key may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
  • The first key distributor, the second key distributor, or any combination thereof may be implemented by a processor.
  • The apparatus may include a list generator to generate the access control list.
  • The apparatus may include a first key generator to generate the first key, and a second key generator to generate the second key.
  • In another aspect, an apparatus for generating content for an access control of content in a distributed environment network is provided. The apparatus includes a key decryption unit configured to secure a first key by decrypting a first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, an encryption key generator configured to generate an encryption key using a second key generated using the first key, a content encryption unit configured to generate an encrypted content by encrypting content using the encryption key, a signature generator configured to generate a signature using the first key, a content and a signature key in response to members included in an access control list having write authorization as a result of checking access authorization of the members, and a distributor configured to distribute the encrypted content and the signature through a network.
  • The encryption key generator may generate the encryption key using information of the content and the second key.
  • The first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
  • The second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
  • The signature generator may generate the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key, the distributor may distribute a value of the m in addition to the encrypted content and the signature and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
  • The signature generator may generate the signature using an algorithm having a one-way homomorphic characteristic.
  • The signature key may be generated based on a Rivest Shamir Adleman (RSA) encryption scheme.
  • In another aspect, an apparatus for verification of content for an access control of content in a distributed environment network is provided. The apparatus includes a receiver configured to receive an encrypted content, a signature of the encrypted content, and an access control list, and to receive a second encrypted key from a network in response to the apparatus being determined to have read authorization as a result of checking the access control list, a key decryption unit configured to secure a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have read authorization as a result of checking the access control list, a signature verification unit configured to verify the signature using the second key and the encrypted content, a decryption key generator configured to generate a decryption key using the second key in response to the signature verification being successful, and a content decryption unit configured to decrypt the encrypted content using the decryption key.
  • The apparatus may include a second key generator configured to generate the second key using a first key. The receiver may receive a first encrypted key from the network, and the key decryption unit may secure the first key by decrypting the first encrypted key using the secret key in response to the apparatus being determined to have write authorization as a result of checking the access control list.
  • The first key may correspond to a key for write authorization and may be neither generated nor predicted using the second key.
  • The second key may correspond to a key for read authorization and may be a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
  • In another aspect, a method for an access control of content in an apparatus for generating a key of a distributed environment network is provided. The method includes generating a second key corresponding to a key for read authorization using a first key corresponding to a key for write authorization, generating first encrypted keys by encrypting the first key using each public key of members having write authorization among members included in an access control list including information of at least one user and information about access authorization, distributing the access control list and the first encrypted keys to the members having write authorization, generating second encrypted keys by encrypting the second key using each public key of members having read authorization among members included in the access control list, and distributing the access control list and the second encrypted keys to the members having read authorization.
  • In another aspect, a method for an access control of content in an apparatus for generating content of a distributed environment network is provided. The method includes requesting and receiving an access control list and a first encrypted key from a network, securing a first key corresponding to a key for write authorization by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have write authorization as a result of checking the access control list, generating an encryption key using information of a content and a second key corresponding to a key for read authorization using the first key, generating an encrypted content by encrypting content using the encryption key, generating a signature using the first key, the content, and a signature key, and distributing the encrypted content and the signature through the network.
  • The generating of the signature may include generating the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content and the signature key, the distributing may include distributing a value of the m in addition to the encrypted content and the signature, and the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key, the value of n being an integer greater than 0.
  • The generating of the signature may include generating the signature using an algorithm having a one-way homomorphic characteristic.
  • In another aspect, a method for an access control of content in an apparatus for verification of content of a distributed environment network is provided. The method includes checking access authorization of an encrypted content in an access control list to verify access requirements are satisfied, securing a second key corresponding to a key for read authorization in response to the encrypted content being determined to be accessible as a result of the verification, verifying a signature of the encrypted content using the second key and the encrypted content, generating a decryption key using the second key in response to the signature verification being successful, and decrypting the encrypted content using the decryption key.
  • The securing may include receiving a second encrypted key from the network in response to the apparatus being determined to have read authorization as a result of checking the access control list, and securing a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key. The securing may include receiving a first encrypted key from the network in response to the apparatus being determined to have write authorization as a result of checking the access control list, securing a first key by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key, and generating the second key using the first key.
  • Other features and aspects may be apparent from the following detailed description, the drawings, and the claims.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram illustrating an example of an apparatus for generating a key for an access control of content in a distributed environment network.
  • FIG. 2 is a diagram illustrating an example of an apparatus for generating content for an access control of content in a distributed environment network.
  • FIG. 3 is a diagram illustrating an example of an apparatus for verification of content for an access control of content in a distributed environment network.
  • FIG. 4 is a flowchart illustrating an example of a process of generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key in a distributed environment network.
  • FIG. 5 is a flowchart illustrating an example of a process of generating and distributing content for an access control of content in an apparatus for generating content in a distributed environment network.
  • FIG. 6 is a flowchart illustrating an example of a process of verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network.
  • Throughout the drawings and the detailed description, unless otherwise described, the same drawing reference numerals will be understood to refer to the same elements, features, and structures. The relative size and depiction of these elements may be exaggerated for clarity, illustration, and convenience.
  • DETAILED DESCRIPTION
  • The following detailed description is provided to assist the reader in gaining a comprehensive understanding of the methods, apparatuses, and/or systems described herein. Accordingly, various changes, modifications, and equivalents of the systems, apparatuses and/or methods described herein will be suggested to those of ordinary skill in the art. Also, descriptions of well-known functions and constructions may be omitted for increased clarity and conciseness.
  • Examples relate to an apparatus for generating a key, an apparatus for generating content, and an apparatus for verification of content for separately controlling read authorization and write authorization with respect to content and a method thereof in a distributed environment network.
  • FIG. 1 includes an example of an apparatus for generating a key 100 for an access control of content in a distributed environment network.
  • Referring to FIG. 1, the apparatus for generating a key 100 may include a control unit 110, a communication unit 120, a storage unit 130, a list generator 111, a first key generator 112, a second key generator 113, a first key distributor 114, and a second key distributor 115.
  • The communication unit 120 may transmit and receive data through a wired and/or a wireless network. In this instance, the network may correspond to a content centric network (CCN) or a named data network (NDN).
  • The storage unit 130 may store an operating system, an application program, and data for controlling an operation of the apparatus for generating a key 100. The storage unit 130 may store an access control list generated by the list generator 111, a first key generated by the first key generator 112 and a second key generated by the second key generator 113.
  • The access control list may includes information of at least one user and information relating to access authorization.
  • In this instance, the access control list may include identification information for identifying the access control list from other access control lists, information about a size of the access control list, information about a version of the access control list, information about an identification of each of the members, information about access authorization of each of the members, information about a public key of each of the members, information about a signature of a generator generating the access control list, or any combination thereof.
  • A structure of the access control list may be as shown in the following Table 1.
  • TABLE 1
    Structure
    Name Size Option Flag
    Version (optional) Nonce (optional) Index (optional)
    Principal[1] Principal[1]'s rights Key Link[1]
    * * *
    Principal[n] Principal[n]'s rights Key Link[n]
    Signature
  • In Table 1, Name relates to identification information for identifying an access control list, Size relates to a number of Principals or a size of the access control list, Option Flag relates to identification information for identifying optional components, Version relates to a time stamp, Nonce relates to a random value for generating an encryption key, Index relates to information of a hash key, Principal[i] relates to identification information of a user or a user group, Principal[i]'s rights relate to information about access authorization assigned to the Principal[i], Key Link[i] relates to identification information of a key assigned to the Principal[i] and Signature relates to a signature of a generator of the access control list.
  • The first key generator 112 may generate a first key. The first key may correspond to a key for write authorization.
  • The second key generator 113 may generate a second key. The second key may correspond to a key for read authorization using the first key. The second key generator 113 may be generated based on the following Equation 1.

  • K=H n(NK)  [Equation 1]
  • In Equation 1, K relates to the second key for read authorization, NK relates to the first key for write authorization, H( ) relates to a hash function, and Hn( ) relates to performing a hash n times. N may be an integer greater than zero.
  • The first key may be neither generated nor predicted using the second key.
  • The first key distributor 114 may generate first encrypted keys by encrypting the first key using each public key of members having write authorization. The members having write authorization may be included in the access control list. The first key distributor 114 may distribute the access control list and the first encrypted keys to the members having write authorization.
  • The second key distributor 115 may generate second encrypted keys by encrypting the second key using each public key of members having read authorization. The members having read authorization may be included in the access control list. The second key distributor 115 may distribute the access control list and second encrypted keys to the members having read authorization.
  • The control unit 110 may control an overall operation of the apparatus for generating a key 100. The control unit 110 may function as the list generator 111, the first key generator 112, the second key generator 113, the first key distributor 114, and the second key distributor 115. The control unit 110, the list generator 111, the first key generator 112, the second key generator 113, the first key distributor 114, and the second key distributor 115 are separately illustrated to separately describe each function. Furthermore, the control unit 110 may include at least one processor to function as an entire or a portion of the list generator 111, the first key generator 112, the second key generator 113, the first key distributor 114, and the second key distributor 115.
  • In response to authorization of a user included in the access control list being changed or deleted, the apparatus for generating a key 100 may newly generate and distribute a first key and a second key. In this instance, a user whose authorization is deleted may not use content generated after deletion of authorization. As another aspect, content generated and distributed before deletion of authorization of the user may be continued to be used by the user.
  • In response to a new user being added to the access control list, the apparatus for generating a key 100 may newly encrypt and distribute a key corresponding to authorization assigned to the added user. The key corresponding to authorization assigned to the added user may be encrypted and distributed using a public key of the added user.
  • FIG. 2 includes an example of an apparatus for generating content 200 for an access control of content in a distributed environment network.
  • Referring to FIG. 2, the apparatus for generating content 200 may include a control unit 210, a communication unit 220, a storage unit 230, a receiver 211, a key decryption unit 212, a second key generator 213, a content generator 214, an encryption key generator 215, a content encryption unit 216, a signature generator 217, and a distributor 218.
  • The communication unit 220 may transmit and receive data through a wired and/or wireless network. In this instance, the network may correspond to a CCN or an NDN.
  • The storage unit 230 may store an operating system, an application program, and data for controlling an overall operation of the apparatus for generating content 200. The storage unit 230 may store an access control list received through the receiver 211, a first key decrypted by the key decryption unit 212 and a second generated by the second key generator 213.
  • The receiver 211 may request and receive an access control list from a network. The receiver 211 may request and receive a first encrypted key from the network.
  • The key decryption unit 212 may secure a first key corresponding to a key for write authorization by decrypting the first encrypted key using a secret key corresponding to the public key. The first encrypted key may be encrypted by using a public key.
  • The second key generator 213 may generate a second key. The second key may be generated using the first key and may correspond to a key for read authorization.
  • The content generator 214 may generate content.
  • The encryption key generator 215 may generate an encryption key. The encryption key may be generated using the second key. In another example, the encryption key may be generated using information of the content and the second key. In this instance, the encryption key generator 215 may generate the encryption key based on the following Equation 2.

  • DEK=KGF(K,Content Inform)  [Equation 2]
  • In Equation 2, DEK relates to an encryption key, KGF( ) relates to a function for generating an encryption key, K relates to the second key for read authorization, and Content Inform relates to information of content.
  • The content encryption unit 216 may encrypt content using the encryption key to generate an encrypted content.
  • In response to members included in the access control list having write authorization as a result of checking access authorization of the members included in the access control list, the signature generator 217 may generate a signature using the first key, the content, a signature key, or any combination thereof. In this instance, the signature generator 217 may generate the signature using an algorithm which has a one-way homomorphic characteristic. As another aspect, the signature generator 217 may generate the signature based on the following Equation 3.

  • Sig=Signature(F(H m(NK),H(C)),signature key)  [Equation 3]
  • In Equation 3, Signature( ) relates to a function for generating a signature, F( ) relates to a function which has a one-way homomorphic characteristic, C relates to an encrypted content, NK relates to the first key, m relates to a random value less than n corresponding to a parameter used for generating the second key and n relates to a number of times the first key is hashed to generate the second key and may be an integer greater than 0.
  • In response to a Rivest Shamir Adleman (RSA) encryption scheme being used, the signature generator 217 may generate a signature key based on Equation 4.

  • Sig=(H m(NK*h))d  [Equation 4]
  • In Equation 4, h relates to H(C), C relates to an encrypted content, H( ) relates to a function having a one-way homomorphic characteristic, d relates to a signature key, NK relates to the first key, m relates to a random value less than n corresponding to a parameter used for generating the second key, n relates to a number of times the first key is hashed to generate the second key, and Hm ( ) relates to performing a hash m times.
  • Depending on the one-way homomorphic characteristic of H( ) in Equation 4, the following Equation 5 may be satisfied.

  • (H m(NK*h))d=(H m(NKH m(h))d  [Equation 5]
  • The one-way homomorphic characteristic may have the following three characteristics.
  • First, even though F(X) may be easily evaluated for a given X, X may be difficult to be evaluated from F(X). F(X) may have the one-way homomorphic characteristic.
  • Secondly, F(A*B)=F(A)·F(B).
  • Thirdly, F(X)−1 may be difficult to be evaluated.
  • The distributor 218 may distribute the encrypted content and the signature through the network.
  • The control unit 210 may control an operation of the apparatus for generating content 200. The control unit 210 may function as the receiver 211, the key decryption unit 212, the second key generator 213, the content generator 214, the encryption key generator 215, the content encryption unit 216, the signature generator 217 and the distributor 218. The control unit 210, the receiver 211, the key decryption unit 212, the second key generator 213, the content generator 214, the encryption key generator 215, the content encryption unit 216, the signature generator 217 and the distributor 218 are separately illustrated to separately describe each function. Thus, the control unit 210 may include at least one processor to function as an entire or a portion of the receiver 211, the key decryption unit 212, the second key generator 213, the content generator 214, the encryption key generator 215, the content encryption unit 216, the signature generator 217, and the distributor 218.
  • FIG. 3 includes an example of an apparatus for verification of content 300 for an access control of content in a distributed environment network.
  • Referring to FIG. 3, the apparatus for verification of content 300 may include a control unit 310, a communication unit 320, a storage unit 330, a receiver 311, a key decryption unit 312, a decryption key generator 313, a second key generator 314, a signature verification unit 315, and a content decryption unit 316.
  • The communication unit 320 may transmit and receive data through a wired and/or wireless network. In this instance, the network may correspond to a CCN or an NDN.
  • The storage unit 330 may store an operating system, an application program and data for storage for controlling an overall operation of the apparatus for verification of content 300. The storage unit 330 may store an access control list, a first key and a second key.
  • The receiver 311 may receive an encrypted content, a signature of the encrypted content and an access control list. That is, in response to the receiver 311 being determined to have write authorization as a result of verification of the access control list, the receiver 311 may receive a first encrypted key from the network. Further, in response to the receiver 311 being determined to have read authorization as a result of verification of the access control list, the receiver 311 may receive a second encrypted key from the network.
  • In response to the receiver 311 receiving the first encrypted key or the second encrypted key, the key decryption unit 312 may decrypt the first encrypted key or the second encrypted key using a secret key. The secret key may correspond to a public key.
  • The second key generator 314 may generate the second key. The second key may correspond to a key for read authorization using the first key. In this instance, the second key may be generated based on Equation 1.
  • The signature verification unit 315 may verify a signature using the second key and the encrypted content. The signature verification unit 315 may perform verification based on the following Equation 6.

  • Verify(Sig,n,m,K,H(C),signature verification key)  [Equation 6]
  • In Equation 6, Verify( ) relates to a function for verifying a signature, Sig relates to a signature, K relates to the second key corresponding to a key for read authorization, H( ) relates to a hash function, m relates to a random value less than n corresponding to a to parameter used for generating the second key, and n relates to a number of times the first key is hashed to generate the second key. The value of n may be an integer greater than 0.
  • In response to the signature generator 217 generating a signature key using a Rivest Shamir Adleman (RSA) encryption scheme such as Equation 4, the signature verification unit 315 may verify a signature based on the following Equation 7.

  • A=Sige=((H m(NK*h))d)e =H m(NK*h)=H m(NKH m(h)

  • A′=H n-m(A)=H n(NKH n(h)

  • B=K·H n(h)

  • If A′=B,Sig is valid

  • If A′≠B,Sig is invalid  [Equation 7]
  • In Equation 7, Sig relates to a signature, NK relates to the first key, K relates to the second key corresponding to a key for read authorization, h relates to H(C), C relates to an encrypted content, H( ) relates to a hash function which has a one-way homomorphic characteristic, d relates to a signature key, e relates to a signature verification key, m relates to a random value less than n corresponding to a parameter used for generating the second key, and n relates to a number of times the first key is hashed to generate the second key.
  • The value of n may be an integer greater than 0.
  • In response to the RSA encryption scheme such as Equation 4 being used, the signature verification unit 315 may calculate A′ using a received signature, calculate B using K and the received encrypted content, and determine whether the verification is successful by comparing A′ to B. K may correspond to the second key of the signature verification unit 315.
  • A signature scheme using the signature generator 217 and the signature verification unit 315 may be satisfactory for security, for the reasons discussed below. Since a user having read authorization may have information of K=Hn(NK) and m<n, Hm(NK) used for generating Sig may not be evaluated using information of K due to a one-way homomorphic characteristic. Even though Sige=H(NK)me×H(C) is secured in a verification operation, a signature key k of a user having write authorization may be used to secure Hm(NK). Thus, a valid signature may not be generated without collaboration from the user having write authorization.
  • In response to the signature verification succeeding, the decryption key generator 313 may generate a decryption key based on the second key. In another aspect, the decryption key generator 313 may generate the decryption key using information of content and the second key. The generation of the decryption key may be based on the same scheme as the encryption key generator 215. The decryption key generator 313 may use the encryption key generated based on Equation 2 as the decryption key.
  • The content decryption unit 316 may use the decryption key to decrypt the encrypted content.
  • The control unit 310 may control an overall operation of the apparatus for verification of content 300. The control unit 310 may function as the key decryption unit 312, the decryption key generator 313, the second key generator 314, the signature verification unit 315, and the content decryption unit 316. The control unit 310, the key decryption unit 312, the decryption key generator 313, the second key generator 314, the signature verification unit 315, and the content decryption unit 316 are separately illustrated to describe the function of each. Thus, the control unit 310 may include at least one processor configured to function as an entire or a portion of the key decryption unit 312, the decryption key generator 313, the second key generator 314, the signature verification unit 315, and the content decryption unit 316.
  • Hereinafter, an example of a method for an access control of content in a distributed environment network will be described with reference to FIG. 4 through FIG. 6.
  • FIG. 4 illustrates an example of a process for generating an access control list for an access control of content and separately generating and distributing a key between write authorization and read authorization in an apparatus for generating a key 100 in a distributed environment network.
  • Referring to FIG. 4, in operation 410, the apparatus for generating a key 100 may generate an access control list. The access control list may include information of at least one user and information about access authorization.
  • In operation 412, the apparatus for generating a key 100 may generate a first key. The first key may correspond to a key for write authorization.
  • In operation 414, the apparatus for generating a key 100 may generate a second key. The second key may correspond to a key for read authorization using the first key.
  • In operation 416, the apparatus for generating a key 100 may encrypt the first key using each public key of members having write authorization among members to generate first encrypted keys. The members having write authorization among members may be included in the access control list.
  • In operation 418, the apparatus for generating a key 100 may distribute the access control list and the generated first encrypted keys to the members having write authorization.
  • In operation 420, the apparatus for generating a key 100 may encrypt the second key using each public key of members having read authorization among members to generate second encrypted keys. The members having read authorization among members may be included in the access control list.
  • In operation 422, the apparatus for generating a key 100 may distribute the access control list and the second encrypted keys to the members having read authorization.
  • FIG. 5 illustrates an example of a process for generating and distributing content for an access control of content in an apparatus for generating content 200 in a distributed environment network.
  • Referring to FIG. 5, in operation 510, the apparatus for generating content 200 may generate content.
  • In operation 512, the apparatus for generating content 200 may request and receive an access control list and a first encrypted key from a network.
  • In operation 514, the apparatus for generating content 200 may verify whether the apparatus for generating content 200 has write authorization by checking access authorization of members based on the access control list.
  • In operation 516, the apparatus for generating content 200 may decrypt the first encrypted key to secure a first key corresponding to a key for write authorization using a secret key in response to the apparatus for generating content 200 being determined to have write authorization as a result of the verification in operation 514. The first encrypted key may be encrypted using a public key. The secret key may correspond to the public key.
  • In operation 518, the apparatus for generating content 200 may generate a second key corresponding to a key for read authorization using the first key.
  • In operation 520, the apparatus for generating content 200 may generate an encryption key using information of the content and the second key.
  • In operation 522, the apparatus for generating content 200 may encrypt content using the encryption key to generate an encrypted content.
  • In operation 524, the apparatus for generating content 200 may generate a signature using a value. The value may be obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key. In this instance, the value m may correspond to a random value less than n corresponding to a number of times the first key is hashed to generate the second key. The value n may be an integer greater than 0.
  • In operation 526, the apparatus for generating content 200 may distribute the encrypted content, the signature, and the value m through the network.
  • FIG. 6 includes an example of a process for verifying content where access to content is controlled in an apparatus for verification of content in a distributed environment network.
  • Referring to FIG. 6, in operation 610, an apparatus for verification of content 300 may receive an encrypted content and a signature of the encrypted content.
  • In operation 612, the apparatus for verification of content 300 may receive an access control list from a network.
  • In operation 614, the apparatus for verification of content 300 may check access authorization of the encrypted content in the access control list to verify satisfaction of access requirements.
  • In operation 616, the apparatus for verification of content 300 may secure a second key in response to the encrypted content being determined to be accessible as a result of the verification in operation 614. The second key may correspond to a key for read authorization.
  • In operation 616, the apparatus for verification of content 300 may receive a second encrypted key from the network in response to the apparatus for verification of content 300 being determined to have read authorization as a result of checking the access control list. The apparatus for verification of content 300 may decrypt the second encrypted key to secure a second key using a secret key. The second encrypted key may be encrypted by using a public key. The secret key may correspond to the public key.
  • In operation 616, the apparatus for verification of content 300 may receive a first encrypted key from the network in response to the apparatus for verification of content 300 being determined to have write authorization as a result of checking the access control list, secure a first key by decrypting the first encrypted key using a secret key, and generate the second key using the first key. The first encrypted key may be encrypted by using a public key. The secret key may correspond to the public key.
  • In operation 618, the apparatus for verification of content 300 may verify the signature using the second key and the encrypted content, and check whether the signature verification is successful.
  • In operation 620, the apparatus for verification of content 300 may generate a decryption key using the second key in response to the signature verification being determined to succeed as a result of the verification in operation 618. In this instance, the decryption key may be identical to the decryption key generated by the apparatus for generating content 200.
  • In operation 622, the apparatus for verification of content 300 may decrypt the encrypted content using the decryption key.
  • Program instructions to perform a method described herein, or one or more operations thereof, may be recorded, stored, or fixed in one or more computer-readable storage media. The program instructions may be implemented by a computer. For example, the computer may cause a processor to execute the program instructions. The media may include, alone or in combination with the program instructions, data files, data structures, and the like. Examples of computer-readable media include magnetic media, such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks and DVDs; magneto-optical media, such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory (ROM), random access memory (RAM), flash memory, and the like. Examples of program instructions include machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter. The program instructions, that is, software, may be distributed over network coupled computer systems so that the software is stored and executed in a distributed fashion. For example, the software and data may be stored by one or more computer readable recording mediums. Also, functional programs, codes, and code segments for accomplishing the example embodiments disclosed herein can be easily construed by programmers skilled in the art to which the embodiments pertain based on and using the flow diagrams and block diagrams of the figures and their corresponding descriptions as provided herein. Also, the described unit to perform an operation or a method may be hardware, software, or some combination of hardware and software. For example, the unit may be a software package running on a computer or the computer on which that software is running.
  • A number of examples have been described above. Nevertheless, it will be understood that various modifications may be made. For example, suitable results may be achieved if the described techniques are performed in a different order and/or if components in a described system, architecture, device, or circuit are combined in a different manner and/or replaced or supplemented by other components or their equivalents. Accordingly, other implementations are within the scope of the following claims.

Claims (17)

What is claimed is:
1. An apparatus for generating content for an access control of content in a distributed environment network, the apparatus comprising:
a key decryption unit configured to secure a first key by decrypting a first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key;
an encryption key generator configured to generate an encryption key using a second key generated using the first key;
a content encryption unit configured to generate an encrypted content by encrypting content using the encryption key;
a signature generator configured to generate a signature using the first key, a content and a signature key in response to members included in an access control list having write authorization as a result of checking access authorization of the members; and
a distributor configured to distribute the encrypted content and the signature through a network.
2. The apparatus of claim 1, wherein the encryption key generator generates the encryption key using information of the content and the second key.
3. The apparatus of claim 1, wherein the first key corresponds to a key for write authorization and is neither generated nor predicted using the second key.
4. The apparatus of claim 1, wherein the second key corresponds to a key for read authorization and is a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
5. The apparatus of claim 1, wherein:
the signature generator generates the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content, and the signature key,
the distributor distributes a value of the m in addition to the encrypted content and the signature and
the value m corresponds to a random value less than n corresponding to a number of times the first key is hashed to generate the second key.
6. The apparatus of claim 1, wherein the signature generator generates the signature using an algorithm having a one-way homomorphic characteristic.
7. The apparatus of claim 1, wherein the signature key is generated based on a Rivest Shamir Adleman (RSA) encryption scheme.
8. An apparatus for verification of content for an access control of content in a distributed environment network, the apparatus comprising:
a receiver configured to receive an encrypted content, a signature of the encrypted content, and an access control list, and to receive a second encrypted key from a network in response to the apparatus being determined to have read authorization as a result of checking the access control list;
a key decryption unit configured to secure a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have read authorization as a result of checking the access control list;
a signature verification unit configured to verify the signature using the second key and the encrypted content;
a decryption key generator configured to generate a decryption key using the second key in response to the signature verification being successful; and
a content decryption unit configured to decrypt the encrypted content using the decryption key.
9. The apparatus of claim 8, further comprising:
a second key generator configured to generate the second key using a first key,
wherein the receiver receives a first encrypted key from the network, and
the key decryption unit secures the first key by decrypting the first encrypted key using the secret key in response to the apparatus being determined to have write authorization as a result of checking the access control list.
10. The apparatus of claim 9, wherein the first key corresponds to a key for write authorization and is neither generated nor predicted using the second key.
11. The apparatus of claim 9, wherein the second key corresponds to a key for read authorization and is a result obtained by hashing the first key n times, the value of n being an integer greater than 0.
12. A method for an access control of content in an apparatus for generating content of a distributed environment network, the method comprising:
requesting and receiving an access control list and a first encrypted key from a network;
securing a first key corresponding to a key for write authorization by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key in response to the apparatus being determined to have write authorization as a result of checking the access control list;
generating an encryption key using information of a content and a second key corresponding to a key for read authorization using the first key;
generating an encrypted content by encrypting content using the encryption key;
generating a signature using the first key, the content, and a signature key; and
distributing the encrypted content and the signature through the network.
13. The method of claim 12, wherein:
the generating of the signature comprises generating the signature using a value obtained by hashing the first key m times, a value obtained by hashing the content and the signature key,
the distributing comprises distributing a value of the m in addition to the encrypted content and the signature, and
the value m corresponds to a random value less than n corresponding to a number of times the first key is hashed to generate the second key, the value of n being an integer greater than 0.
14. The method of claim 12, wherein the generating of the signature comprises generating the signature using an algorithm having a one-way homomorphic characteristic.
15. A method for an access control of content in an apparatus for verification of content of a distributed environment network, the method comprising:
checking access authorization of an encrypted content in an access control list to verify access requirements are satisfied;
securing a second key corresponding to a key for read authorization in response to the encrypted content being determined to be accessible as a result of the verification;
verifying a signature of the encrypted content using the second key and the encrypted content;
generating a decryption key using the second key in response to the signature verification being successful; and
decrypting the encrypted content using the decryption key.
16. The method of claim 15, wherein the securing comprises:
receiving a second encrypted key from the network in response to the apparatus being determined to have read authorization as a result of checking the access control list; and
securing a second key by decrypting the second encrypted key, encrypted by using a public key, using a secret key corresponding to the public key.
17. The method of claim 15, wherein the securing comprises:
receiving a first encrypted key from the network in response to the apparatus being determined to have write authorization as a result of checking the access control list;
securing a first key by decrypting the first encrypted key, encrypted by using a public key, using a secret key corresponding to the public key; and
generating the second key using the first key.
US14/543,077 2011-03-02 2014-11-17 Apparatus and method for access control of content in distributed environment network Abandoned US20150074417A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/543,077 US20150074417A1 (en) 2011-03-02 2014-11-17 Apparatus and method for access control of content in distributed environment network

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2011-0018664 2011-03-02
KR1020110018664A KR20120100046A (en) 2011-03-02 2011-03-02 Apparatus and method for access control of contents in distributed environment network
US13/410,762 US8918635B2 (en) 2011-03-02 2012-03-02 Apparatus and method for access control of content in distributed environment network
US14/543,077 US20150074417A1 (en) 2011-03-02 2014-11-17 Apparatus and method for access control of content in distributed environment network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/410,762 Division US8918635B2 (en) 2011-03-02 2012-03-02 Apparatus and method for access control of content in distributed environment network

Publications (1)

Publication Number Publication Date
US20150074417A1 true US20150074417A1 (en) 2015-03-12

Family

ID=46754050

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/410,762 Active 2032-12-28 US8918635B2 (en) 2011-03-02 2012-03-02 Apparatus and method for access control of content in distributed environment network
US14/543,077 Abandoned US20150074417A1 (en) 2011-03-02 2014-11-17 Apparatus and method for access control of content in distributed environment network

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/410,762 Active 2032-12-28 US8918635B2 (en) 2011-03-02 2012-03-02 Apparatus and method for access control of content in distributed environment network

Country Status (2)

Country Link
US (2) US8918635B2 (en)
KR (1) KR20120100046A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317678A (en) * 2017-06-05 2017-11-03 北京网证科技有限公司 A kind of electronics confirmation request processing method and system based on internet
CN107682151A (en) * 2017-10-30 2018-02-09 武汉大学 A kind of GOST digital signature generation method and system

Families Citing this family (84)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10181953B1 (en) * 2013-09-16 2019-01-15 Amazon Technologies, Inc. Trusted data verification
US9456054B2 (en) 2008-05-16 2016-09-27 Palo Alto Research Center Incorporated Controlling the spread of interests and content in a content centric network
US8923293B2 (en) 2009-10-21 2014-12-30 Palo Alto Research Center Incorporated Adaptive multi-interface use for content networking
US20140181985A1 (en) * 2012-12-21 2014-06-26 Broadcom Corporation Content Specific Data Scrambling
GB2514428B (en) * 2013-08-19 2016-01-13 Visa Europe Ltd Enabling access to data
US10098051B2 (en) 2014-01-22 2018-10-09 Cisco Technology, Inc. Gateways and routing in software-defined manets
US9954678B2 (en) * 2014-02-06 2018-04-24 Cisco Technology, Inc. Content-based transport security
US9836540B2 (en) 2014-03-04 2017-12-05 Cisco Technology, Inc. System and method for direct storage access in a content-centric network
US9626413B2 (en) 2014-03-10 2017-04-18 Cisco Systems, Inc. System and method for ranking content popularity in a content-centric network
US20150261693A1 (en) * 2014-03-14 2015-09-17 International Business Machines Corporation Dynamic storage key assignment
US9716622B2 (en) 2014-04-01 2017-07-25 Cisco Technology, Inc. System and method for dynamic name configuration in content-centric networks
US9473576B2 (en) 2014-04-07 2016-10-18 Palo Alto Research Center Incorporated Service discovery using collection synchronization with exact names
US9992281B2 (en) 2014-05-01 2018-06-05 Cisco Technology, Inc. Accountable content stores for information centric networks
US9609014B2 (en) 2014-05-22 2017-03-28 Cisco Systems, Inc. Method and apparatus for preventing insertion of malicious content at a named data network router
US9949115B2 (en) 2014-06-10 2018-04-17 Qualcomm Incorporated Common modulus RSA key pairs for signature generation and encryption/decryption
US9699198B2 (en) 2014-07-07 2017-07-04 Cisco Technology, Inc. System and method for parallel secure content bootstrapping in content-centric networks
US9621354B2 (en) 2014-07-17 2017-04-11 Cisco Systems, Inc. Reconstructable content objects
US9729616B2 (en) 2014-07-18 2017-08-08 Cisco Technology, Inc. Reputation-based strategy for forwarding and responding to interests over a content centric network
US9590887B2 (en) 2014-07-18 2017-03-07 Cisco Systems, Inc. Method and system for keeping interest alive in a content centric network
US9882964B2 (en) 2014-08-08 2018-01-30 Cisco Technology, Inc. Explicit strategy feedback in name-based forwarding
US9729662B2 (en) 2014-08-11 2017-08-08 Cisco Technology, Inc. Probabilistic lazy-forwarding technique without validation in a content centric network
US9391777B2 (en) * 2014-08-15 2016-07-12 Palo Alto Research Center Incorporated System and method for performing key resolution over a content centric network
US9800637B2 (en) 2014-08-19 2017-10-24 Cisco Technology, Inc. System and method for all-in-one content stream in content-centric networks
US10069933B2 (en) 2014-10-23 2018-09-04 Cisco Technology, Inc. System and method for creating virtual interfaces based on network characteristics
US9590948B2 (en) 2014-12-15 2017-03-07 Cisco Systems, Inc. CCN routing using hardware-assisted hash tables
US10237189B2 (en) 2014-12-16 2019-03-19 Cisco Technology, Inc. System and method for distance-based interest forwarding
US10003520B2 (en) 2014-12-22 2018-06-19 Cisco Technology, Inc. System and method for efficient name-based content routing using link-state information in information-centric networks
US9660825B2 (en) 2014-12-24 2017-05-23 Cisco Technology, Inc. System and method for multi-source multicasting in content-centric networks
US9946743B2 (en) 2015-01-12 2018-04-17 Cisco Technology, Inc. Order encoded manifests in a content centric network
US9954795B2 (en) 2015-01-12 2018-04-24 Cisco Technology, Inc. Resource allocation using CCN manifests
US9832291B2 (en) 2015-01-12 2017-11-28 Cisco Technology, Inc. Auto-configurable transport stack
US9916457B2 (en) 2015-01-12 2018-03-13 Cisco Technology, Inc. Decoupled name security binding for CCN objects
US10333840B2 (en) 2015-02-06 2019-06-25 Cisco Technology, Inc. System and method for on-demand content exchange with adaptive naming in information-centric networks
US10075401B2 (en) 2015-03-18 2018-09-11 Cisco Technology, Inc. Pending interest table behavior
US10075402B2 (en) 2015-06-24 2018-09-11 Cisco Technology, Inc. Flexible command and control in content centric networks
US10701038B2 (en) 2015-07-27 2020-06-30 Cisco Technology, Inc. Content negotiation in a content centric network
US9986034B2 (en) 2015-08-03 2018-05-29 Cisco Technology, Inc. Transferring state in content centric network stacks
US9832123B2 (en) 2015-09-11 2017-11-28 Cisco Technology, Inc. Network named fragments in a content centric network
US10355999B2 (en) 2015-09-23 2019-07-16 Cisco Technology, Inc. Flow control with network named fragments
US9977809B2 (en) 2015-09-24 2018-05-22 Cisco Technology, Inc. Information and data framework in a content centric network
US10313227B2 (en) 2015-09-24 2019-06-04 Cisco Technology, Inc. System and method for eliminating undetected interest looping in information-centric networks
US10454820B2 (en) 2015-09-29 2019-10-22 Cisco Technology, Inc. System and method for stateless information-centric networking
US10263965B2 (en) 2015-10-16 2019-04-16 Cisco Technology, Inc. Encrypted CCNx
US9912776B2 (en) 2015-12-02 2018-03-06 Cisco Technology, Inc. Explicit content deletion commands in a content centric network
US10097346B2 (en) 2015-12-09 2018-10-09 Cisco Technology, Inc. Key catalogs in a content centric network
US10257271B2 (en) 2016-01-11 2019-04-09 Cisco Technology, Inc. Chandra-Toueg consensus in a content centric network
US10305864B2 (en) 2016-01-25 2019-05-28 Cisco Technology, Inc. Method and system for interest encryption in a content centric network
US10043016B2 (en) 2016-02-29 2018-08-07 Cisco Technology, Inc. Method and system for name encryption agreement in a content centric network
US10003507B2 (en) 2016-03-04 2018-06-19 Cisco Technology, Inc. Transport session state protocol
US10051071B2 (en) 2016-03-04 2018-08-14 Cisco Technology, Inc. Method and system for collecting historical network information in a content centric network
US10742596B2 (en) 2016-03-04 2020-08-11 Cisco Technology, Inc. Method and system for reducing a collision probability of hash-based names using a publisher identifier
US10038633B2 (en) 2016-03-04 2018-07-31 Cisco Technology, Inc. Protocol to query for historical network information in a content centric network
US9832116B2 (en) 2016-03-14 2017-11-28 Cisco Technology, Inc. Adjusting entries in a forwarding information base in a content centric network
US10212196B2 (en) 2016-03-16 2019-02-19 Cisco Technology, Inc. Interface discovery and authentication in a name-based network
US11436656B2 (en) 2016-03-18 2022-09-06 Palo Alto Research Center Incorporated System and method for a real-time egocentric collaborative filter on large datasets
US10067948B2 (en) 2016-03-18 2018-09-04 Cisco Technology, Inc. Data deduping in content centric networking manifests
US10091330B2 (en) 2016-03-23 2018-10-02 Cisco Technology, Inc. Interest scheduling by an information and data framework in a content centric network
US10033639B2 (en) 2016-03-25 2018-07-24 Cisco Technology, Inc. System and method for routing packets in a content centric network using anonymous datagrams
US10320760B2 (en) 2016-04-01 2019-06-11 Cisco Technology, Inc. Method and system for mutating and caching content in a content centric network
US9930146B2 (en) 2016-04-04 2018-03-27 Cisco Technology, Inc. System and method for compressing content centric networking messages
US10425503B2 (en) 2016-04-07 2019-09-24 Cisco Technology, Inc. Shared pending interest table in a content centric network
US10027578B2 (en) 2016-04-11 2018-07-17 Cisco Technology, Inc. Method and system for routable prefix queries in a content centric network
US10404450B2 (en) 2016-05-02 2019-09-03 Cisco Technology, Inc. Schematized access control in a content centric network
US10320675B2 (en) 2016-05-04 2019-06-11 Cisco Technology, Inc. System and method for routing packets in a stateless content centric network
US10547589B2 (en) 2016-05-09 2020-01-28 Cisco Technology, Inc. System for implementing a small computer systems interface protocol over a content centric network
US10084764B2 (en) 2016-05-13 2018-09-25 Cisco Technology, Inc. System for a secure encryption proxy in a content centric network
US10063414B2 (en) 2016-05-13 2018-08-28 Cisco Technology, Inc. Updating a transport stack in a content centric network
US10103989B2 (en) 2016-06-13 2018-10-16 Cisco Technology, Inc. Content object return messages in a content centric network
US10305865B2 (en) 2016-06-21 2019-05-28 Cisco Technology, Inc. Permutation-based content encryption with manifests in a content centric network
US10148572B2 (en) 2016-06-27 2018-12-04 Cisco Technology, Inc. Method and system for interest groups in a content centric network
US10009266B2 (en) 2016-07-05 2018-06-26 Cisco Technology, Inc. Method and system for reference counted pending interest tables in a content centric network
US9992097B2 (en) 2016-07-11 2018-06-05 Cisco Technology, Inc. System and method for piggybacking routing information in interests in a content centric network
US10122624B2 (en) 2016-07-25 2018-11-06 Cisco Technology, Inc. System and method for ephemeral entries in a forwarding information base in a content centric network
US10069729B2 (en) 2016-08-08 2018-09-04 Cisco Technology, Inc. System and method for throttling traffic based on a forwarding information base in a content centric network
US10956412B2 (en) 2016-08-09 2021-03-23 Cisco Technology, Inc. Method and system for conjunctive normal form attribute matching in a content centric network
US10033642B2 (en) 2016-09-19 2018-07-24 Cisco Technology, Inc. System and method for making optimal routing decisions based on device-specific parameters in a content centric network
US10212248B2 (en) 2016-10-03 2019-02-19 Cisco Technology, Inc. Cache management on high availability routers in a content centric network
US10447805B2 (en) 2016-10-10 2019-10-15 Cisco Technology, Inc. Distributed consensus in a content centric network
US10135948B2 (en) 2016-10-31 2018-11-20 Cisco Technology, Inc. System and method for process migration in a content centric network
US10243851B2 (en) 2016-11-21 2019-03-26 Cisco Technology, Inc. System and method for forwarder connection information in a content centric network
KR102617151B1 (en) * 2018-08-17 2023-12-26 배영식 Contents blockchain platform
WO2020036267A1 (en) * 2018-08-17 2020-02-20 주식회사 후본 Platform and method for content management
BR112019007995A2 (en) * 2018-11-30 2019-11-12 Alibaba Group Holding Ltd “Computer-implemented method, computer-readable medium, and system for implementing a method
US11424922B2 (en) * 2020-05-14 2022-08-23 Paypal, Inc. Hashing schemes for cryptographic private key generation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123104A1 (en) * 2001-03-27 2004-06-24 Xavier Boyen Distributed scalable cryptographic access contol
US20050228990A1 (en) * 2001-12-13 2005-10-13 Kazuhiko Kato Software safety execution system
US20090158043A1 (en) * 2007-12-17 2009-06-18 John Michael Boyer Secure digital signature system

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07253931A (en) 1994-03-16 1995-10-03 Fujitsu Ltd Destruction prevention system for program data storage area
US6330671B1 (en) * 1997-06-23 2001-12-11 Sun Microsystems, Inc. Method and system for secure distribution of cryptographic keys on multicast networks
JP2003024867A (en) 2001-07-18 2003-01-28 Kansai Paint Co Ltd Method of evaluating mixed state of multi-liquid type coating material
JP4157709B2 (en) 2002-01-31 2008-10-01 富士通株式会社 Access control method and storage device
US7412063B2 (en) * 2004-03-31 2008-08-12 International Business Machines Corporation Controlling delivery of broadcast encryption content for a network cluster from a content server outside the cluster
US20100146589A1 (en) 2007-12-21 2010-06-10 Drivesentry Inc. System and method to secure a computer system by selective control of write access to a data storage medium
US20090300307A1 (en) 2008-05-30 2009-12-03 International Business Machines Corporation Protection and security provisioning using on-the-fly virtualization
KR101016126B1 (en) 2008-12-22 2011-02-17 서울대학교산학협력단 System and method for data encryption
US8364984B2 (en) 2009-03-13 2013-01-29 Microsoft Corporation Portable secure data files
KR101203804B1 (en) 2009-04-10 2012-11-22 닉스테크 주식회사 Security mobile storage apparatus and the control method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123104A1 (en) * 2001-03-27 2004-06-24 Xavier Boyen Distributed scalable cryptographic access contol
US20050228990A1 (en) * 2001-12-13 2005-10-13 Kazuhiko Kato Software safety execution system
US20090158043A1 (en) * 2007-12-17 2009-06-18 John Michael Boyer Secure digital signature system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317678A (en) * 2017-06-05 2017-11-03 北京网证科技有限公司 A kind of electronics confirmation request processing method and system based on internet
CN107682151A (en) * 2017-10-30 2018-02-09 武汉大学 A kind of GOST digital signature generation method and system

Also Published As

Publication number Publication date
US20120226902A1 (en) 2012-09-06
KR20120100046A (en) 2012-09-12
US8918635B2 (en) 2014-12-23

Similar Documents

Publication Publication Date Title
US8918635B2 (en) Apparatus and method for access control of content in distributed environment network
US8856530B2 (en) Data storage incorporating cryptographically enhanced data protection
JP5432999B2 (en) Encryption key distribution system
US20200320178A1 (en) Digital rights management authorization token pairing
US20080209231A1 (en) Contents Encryption Method, System and Method for Providing Contents Through Network Using the Encryption Method
US20100005318A1 (en) Process for securing data in a storage unit
US20070127719A1 (en) Efficient management of cryptographic key generations
US7877604B2 (en) Proof of execution using random function
CN109981255B (en) Method and system for updating key pool
US20170085543A1 (en) Apparatus and method for exchanging encryption key
JP5670272B2 (en) Information processing apparatus, server apparatus, and program
US20090138708A1 (en) Cryptographic module distribution system, apparatus, and program
US20130259227A1 (en) Information processing device and computer program product
CN114697040B (en) Electronic signature method and system based on symmetric key
CN114157488B (en) Key acquisition method, device, electronic equipment and storage medium
KR102496436B1 (en) Method of storing plurality of data pieces in storage in blockchain network and method of receiving plurality of data pieces
CN107769915B (en) Data encryption and decryption system and method with fine-grained user control
JP2010141619A (en) Communication apparatus, server apparatus, communication program, and data
CN114666039A (en) RFID group tag authentication system and method based on quantum cryptography network
KR101512891B1 (en) Server for providing contents and operating method of the server, terminal thereof
CN118018310B (en) Revocable identity-based key encryption method, storage medium and device
KR20110075089A (en) System and method for reading a classified digital document using environmental information
CN106921623B (en) Identification key updating method and system
JP5739078B1 (en) Server apparatus, communication method, and program
KR20190006899A (en) Apparatus and method for distributing copyright content in icn

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE