System and method for privilege delegation and control
Abstract
This invention provides a privilege delegation mechanism, which allows a privilege and associated control attributes to be delegated from a security token to another security token or an intelligent device such as a computer system. The privilege may be in the form of an attribute certificate, a key component of a cryptographic key, a complete cryptographic key, digital certificate, digital right, license or loyalty credits. The purpose of the delegation is to allow another security token or computer system to act as a surrogate for the security token or to access a resource which requires components from both units before access is permitted. Attributes associated with the delegated privilege control the scope and use of the privilege. The delegation may allow the surrogate to perform authentications, access data or resources included on another security token or computer system. Authentications are performed prior to transferring of the delegable privileges.
Claims
exact text as granted — not AI-modified1 .- 42 . (canceled)
43 . Computer software, provided in a non-transitory computer-readable medium, that transfers a cryptographic key and its usage policies from a security token to at least a first data processing unit, the software comprising:
executable code that performs mutual authentication between the security token and the first data processing unit by exchanging data therebetween; executable code that transfers the key from the security token to a first data processing unit following performing mutual authentication; and executable code that applies the key in accordance with the usage policies, wherein the key enables access to at least one resource by the first data processing unit subject to requirements prescribed in the usage policies only if the key is present in the first data processing unit and verified by at least a second data processing unit and wherein the key facilitates the at least first data processing unit to perform a function selected from the group consisting of: surrogate operations for the security token, terminal activation, personalization of an intelligent device, access to the at least one resource, and loyalty credit management.
44 . Computer software according to claim 43 wherein the security token is a hardware device having the key, the usage policies, and a transfer section that transfers the key to said at least a first data processing unit.
45 . Computer software according to claim 43 wherein the first data processing unit includes a key application section that applies the key in accordance with the requirements prescribed in the usage policies,
46 . Computer software according to claim 43 wherein the security token includes a communications section that provides a secure messaging protocol.
47 . Computer software according to claim 43 wherein the key is updateable by replacement of at least a portion of the usage policies with one or more new usage policies.
48 . Computer software according to claim 43 wherein the at least a first data processing unit is an intelligent device.
49 . Computer software according to claim 43 wherein said at least a first data processing unit is another security token.
50 . Computer software according to claim 43 wherein said usage policies include control aspects.
51 . Computer software according to claim 50 wherein the control aspects includes security policies.
52 . Computer software according to claim 51 wherein the control aspects includes at least one privilege state.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.