An intermediate entity can generate a necessary credential to allow two other entities to bypass the intermediate entity when establishing communications with each other in a computing system represented by either a directed or an undirected graph. The intermediate entity receives credentials for communications links between itself and each of the other two entities. The intermediate entity also receives a chaining parameter associated with the intermediate entity. With the two credentials and the chaining parameter, the intermediate entity can compute a necessary credential to allow communication between the other two entities. In addition, the intermediate entity can compute the necessary credential independent of a security manager during the computation operation.

Claims

1. A computer program product encoding a computer program for executing on a computer system a computer process for generating a computed credential for establishing a communications link between a first node and a second node in a computing system, wherein the computing system includes at least the first node, the second node, and a third node, the computer process comprising:

receiving a first credential for establishing a communications link between the third node and the first node;
receiving a second credential for establishing a communications link between the third node and the second node;
receiving a chaining parameter associated with the third node;
computing the computed credential for establishing the communications link between the first node and the second node based on the first credential, the second credential, and the chaining parameter.

2. The computer program product of claim 1 wherein the computer process further comprises:

sending the computed credential to the first node to allow the first node to access the second node.

3. The computer program product of claim 1 wherein the computing operation comprises:

multiplying the first credential, the second credential, and the chaining parameter to generate the computed credential for establishing the communications link between the first node and the second node.

4. The computer program product of claim 1 wherein the operation of receiving the first credential comprises receiving the first credential by the third node from the first node, and the operation of receiving the second credential comprises receiving the second credential by the third node from a security manager.

5. The computer program product of claim 1 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, and the first credential includes $(p_i r_j^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by a security manager, and $r_j$ is a random prime number associated with the first node and privately stored by the security manager, such that N1/3e

6. The computer program product of claim 5 wherein the first node is a manager and the third node is a subordinate in a manager-subordinate relationship.

7. The computer program product of claim 1 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, and the second credential includes $(p_j r_k^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by a security manager, and $r_k$ is a random prime number associated with the second node and privately stored by the security manager, such that N1/3e

8. The computer program product of claim 7 wherein the third node is a manager and the second node is a subordinate in a manager-subordinate relationship.

9. The computer program product of claim 1 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by a security manager, $r_j$ is a random prime number associated with the third node and privately stored by the security manager, such that N1/3e

receiving the chaining parameter equaling $(p_j r_j^2)^e \bmod N$ from a security manager.

10. The computer program product of claim 1 wherein the operation of receiving the first credential comprises receiving the first credential by the third node from a security manager, and the operation of receiving the second credential comprises receiving the second credential by the third node from a security manager.

11. The computer program product of claim 1 wherein the computer process further comprises:

receiving a chaining parameter associated with the first node.

12. The computer program product of claim 11 wherein the operation of receiving the first credential comprises computing the first credential based on the chaining parameter associated with the first node.

13. The computer program product of claim 1 wherein the third node is represented by $N_i$, the first node is represented by $N_j$, the second node is represented by $N_k$, and the first credential includes $(p_j p_i^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by the security manager, and $p_j$ is a random prime number associated with the first node and privately stored by the security manager, such that N1/3e

14. The computer program product of claim 1 wherein the operation of receiving the first credential comprises retrieving the first credential from a storage location accessible to the third node.

15. The computer program product of claim 1 wherein the operation of receiving the second credential comprises retrieving the second credential from a storage location accessible to the third node.

16. The computer program product of claim 1 wherein the operation of receiving the chaining parameter comprises retrieving the chaining parameter from a storage location accessible to the third node.

17. The computer program product of claim 1 wherein the third node is represented by $N_i$, the first node is represented by $N_j$, the second node is represented by $N_k$, and the second credential includes $(p_i p_k^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by the security manager, and $p_k$ is a random prime number associated with the second node and privately stored by the security manager, such that N1/3e

18. The computer program product of claim 1 wherein the third node is represented by $N_i$, the first node is represented by $N_j$, the second node is represented by $N_k$, and the second credential includes $(p_j p_k^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by the security manager, and $p_k$ is a random prime number associated with the second node and privately stored by the security manager, such that N1/3e

19. The computer program product of claim 1 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by a security manager, such that N1/3e

receiving the chaining parameter equaling $p_j^{3e} \bmod N$ from a security manager.

20. The computer program product of claim 1 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by a security manager, such that N1/3e

receiving the chaining parameter equaling $p_i^{3e} \bmod N$ from a security manager.
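
The multiplication in claim 3, worked through with the credential shapes of claims 5 and 7 (directed graph) and claims 13 and 17 (undirected graph), as an added Python example that is not part of the patent. The toy modulus, the prime values and all function names are constructed for illustration. The chaining parameter is assumed here to be the modular inverse of the value as printed in claims 9 and 20, which is the form under which the product collapses to a credential of the same shape.

```python
# Added illustration with constructed toy values; not code from the patent.
N = 1000003 * 1000033   # public modulus (toy composite; real moduli are far larger)
E = 65537               # public exponent

# Secret primes held only by the security manager (constructed values).
P = {"i": 101, "j": 103, "k": 107}
R = {"i": 109, "j": 113, "k": 127}


def directed_credential(a, b):
    """Manager side: (p_a * r_b^2)^e mod N, the shape given in claims 5 and 7."""
    return pow(P[a] * R[b] ** 2, E, N)


def undirected_credential(a, b):
    """Manager side: (p_a * p_b^2)^e mod N, the shape given in claims 13 and 17."""
    return pow(P[a] * P[b] ** 2, E, N)


def directed_chaining(j):
    """Manager side: inverse of (p_j * r_j^2)^e mod N (the inverse is an assumption)."""
    return pow(directed_credential(j, j), -1, N)


def undirected_chaining(i):
    """Manager side: inverse of p_i^(3e) mod N (the inverse is an assumption)."""
    return pow(pow(P[i], 3 * E, N), -1, N)


def chain(first_credential, second_credential, chaining_parameter):
    """Intermediate node: the claim 3 product. Uses no secret prime and no
    call to the security manager, only values the node already holds."""
    return first_credential * second_credential * chaining_parameter % N


def demo():
    # Directed graph: N_i -> N_j -> N_k, with N_j computing the N_i -> N_k credential.
    directed = chain(directed_credential("i", "j"),
                     directed_credential("j", "k"),
                     directed_chaining("j"))
    # Undirected graph, claim 13 labels: intermediate N_i links N_j and N_k.
    undirected = chain(undirected_credential("j", "i"),
                       undirected_credential("i", "k"),
                       undirected_chaining("i"))
    return directed, undirected


if __name__ == "__main__":
    d, u = demo()
    print(d == directed_credential("i", "k"), u == undirected_credential("j", "k"))
```

Only `chain` runs on the intermediate node; the other functions stand in for the security manager, which is the sole holder of the dictionaries `P` and `R`.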

21. A method of generating a computed credential for establishing a communications link between a first node and a second node in a computing system, wherein the computing system includes at least the first node, the second node, and a third node, the method comprising:

receiving a first credential for establishing a communications link between the third node and the first node;
receiving a second credential for establishing a communications link between the third node and the second node;
receiving a chaining parameter associated with the third node; and
computing the computed credential for establishing the communications link between the first node and the second node based on the first credential, the second credential, and the chaining parameter.

22. The method of claim 21 further comprising:

sending the computed credential to the first node to allow the first node to access the second node.

23. The method of claim 21 wherein the computing operation comprises:

multiplying the first credential, the second credential, and the chaining parameter to generate the computed credential for establishing the communications link between the first node and the second node.

24. The method of claim 21 wherein the operation of receiving the first credential comprises receiving the first credential by the third node from the first node, and the operation of receiving the second credential comprises receiving the second credential by the third node from a security manager.

25. The method of claim 21 further comprising:

receiving a chaining parameter associated with the first node.

26. The method of claim 25 wherein the operation of receiving the first credential comprises computing the first credential based on the chaining parameter associated with the first node.

27. The method of claim 21 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, and the first credential includes $(p_i r_j^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by a security manager, and $r_j$ is a random prime number associated with the first node and privately stored by the security manager, such that N1/3e

28. The method of claim 27 wherein the first node is a manager and the third node is a subordinate in a manager-subordinate relationship.

29. The method of claim 21 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, and the second credential includes $(p_j r_k^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by a security manager, and $r_k$ is a random prime number associated with the second node and privately stored by the security manager, such that N1/3e

30. The method of claim 29 wherein the third node is a manager and the second node is a subordinate in a manager-subordinate relationship.

31. The method of claim 21 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by a security manager, $r_j$ is a random prime number associated with the third node and privately stored by the security manager, such that N1/3e

receiving the chaining parameter equaling $(p_j r_j^2)^e \bmod N$ from a security manager.

32. The method of claim 21 wherein the operation of receiving the first credential comprises receiving the first credential by the third node from a security manager, and the operation of receiving the second credential comprises receiving the second credential by the third node from a security manager.

33. The method of claim 21 wherein the third node is represented by $N_i$, the first node is represented by $N_j$, the second node is represented by $N_k$, and the first credential includes $(p_j p_i^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by the security manager, and $p_j$ is a random prime number associated with the first node and privately stored by the security manager, such that N1/3e

34. The method of claim 21 wherein the operation of receiving the first credential comprises retrieving the first credential from a storage location accessible to the third node.

35. The method of claim 21 wherein the operation of receiving the second credential comprises retrieving the second credential from a storage location accessible to the third node.

36. The method of claim 21 wherein the operation of receiving the chaining parameter comprises retrieving the chaining parameter from a storage location accessible to the third node.

37. The method of claim 21 wherein the third node is represented by $N_i$, the first node is represented by $N_j$, the second node is represented by $N_k$, and the second credential includes $(p_i p_k^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by the security manager, and $p_k$ is a random prime number associated with the second node and privately stored by the security manager, such that N1/3e

38. The method of claim 1 wherein the third node is represented by $N_i$, the first node is represented by $N_j$, the second node is represented by $N_k$, and the second credential includes $(p_j p_k^2)^e \bmod N$, wherein $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by the security manager, and $p_k$ is a random prime number associated with the second node and privately stored by the security manager, such that N1/3e

39. The method of claim 21 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, $e$ is a public exponent, $N$ is a public modulus, $p_j$ is a random prime number associated with the third node and privately stored by a security manager, such that N1/3e

receiving the chaining parameter equaling $p_j^{3e} \bmod N$ from a security manager.

40. The method of claim 21 wherein the first node is represented by $N_i$, the third node is represented by $N_j$, the second node is represented by $N_k$, $e$ is a public exponent, $N$ is a public modulus, $p_i$ is a random prime number associated with the third node and privately stored by a security manager, such that N1/3e

receiving the chaining parameter equaling $p_i^{3e} \bmod N$ from a security manager.