This application relates generally to methods and apparatuses, including computer readable media, for authorization of computing devices in networked systems, and more specifically to authorization of computing devices using cryptographic action tokens for action authorization.
Computer networks can include numerous computing devices communicating with each other. In such networks, it can be necessary to determine which computing devices are authorized to perform which actions or request the performance of such actions. Present computing network systems typically utilize a central server to provide information on the authorizations for each computing device. However, such systems can require that each computing device communicate with the central server in order to determine if another computing device is authorized to perform an action or request the action's performance. As such, these systems can lack the flexibility to allow individual computing devices to determine whether another computing device is authorized to perform an action or request the action's performance without the computing device having to communicate with the central server.
Accordingly, there is a need for systems and methods for determining a computing device's authorization in a more flexible, distributed manner. By utilizing cryptographic action tokens, the present technology can provide delegation of authority by a computing device to another computing device. Beneficially, the use of the cryptographic action tokens can facilitate a computing device in determining whether another computing device is authorized to perform an action or request the action's performance. In one aspect, there is a method. The method includes receiving, by a delegation system, from a first computing device, delegation request data including a first identification certificate identifying the first computing device, an identifier for a second computing device, and one or more action constraints. The method includes authenticating, by the delegation system, the first computing device based on at least the first identification certificate. The method includes determining, by the delegation system, the first computing device is authorized to delegate as specified in the one or more action constraints. The method includes generating, by the delegation system, a cryptographic action token including the identifier for the second computing device and the action constraints. The method includes authenticating, by the delegation system, the second computing device based on at least a second identification certificate identifying the second computing device. The method includes transmitting, by the delegation system, to the second computing device, the cryptographic action token. The method includes receiving, by a transaction server, from the second computing device, an action request specifying an action for the transaction server to execute, the cryptographic action token, and the second identification certificate. The method includes authenticating, by the transaction server, the second computing device based on at least the second identification certificate.
The method includes authenticating, by the transaction server, the cryptographic action token. The method includes determining, by the transaction server, action data based on the action request and the one or more action constraints in the cryptographic action token. The method includes determining, by the transaction server, the action data satisfies the one or more action constraints in the cryptographic action token. The method includes completing, by the transaction server, the transaction the action.
In some embodiments, the second computing device is a mobile device. In some embodiments, the action constraints include one or more of one or more reuse constraints, one or more transaction type constraints, one or more time constraints, one or more location constraints, one or more transaction amount constraints, and one or more authentication constraints. In some embodiments, the action data include one or more of the action specified in the action request, a time of the action request, a location of the second computing device when providing the action request, a transaction amount associated with the action, and authentication data provided by the second computing device.
In another aspect, there is a computer system. The computer system includes a first computing device storing a first identification certificate. The computer system includes a second computing device storing a second identification certificate. The computer system includes a delegation system in data communication with the first computing device and the second computing device, the delegation system configured to: receive, from the first computing device, delegation request data including the first identification certificate, an identifier for the second computing device, and one or more action constraints; authenticate the first computing device based on at least the first identification certificate; determine the first computing device is authorized to delegate as specified in the one or more action constraints; generate a cryptographic action token including the identifier for the second computing device and the action constraints; authenticate the second computing device based on at least the second identification certificate; and transmit, to the second computing device, the cryptographic action token. The computer system includes a transaction server in data communication with the second computing device configured to: receive, from the second computing device, an action request specifying an action for the transaction server to execute, the cryptographic action token, and the second identification certificate; authenticate the second computing device based on at least the second identification certificate; authenticate the cryptographic action token; determine action data based on the action request and the one or more action constraints in the cryptographic action token; determine the action data satisfies the one or more action constraints in the cryptographic action token; and complete the transaction the action.
In some embodiments, the second computing device is a mobile device. In some embodiments, the action constraints include one or more of one or more reuse constraints, one or more transaction type constraints, one or more time constraints, one or more location constraints, one or more transaction amount constraints, and one or more authentication constraints. In some embodiments, the action data include one or more of the action specified in the action request, a time of the action request, a location of the computing device when providing the action request, a transaction amount associated with the action, and authentication data provided by the second computing device.
In another aspect, there is a non-transitory computer readable storage medium including programmatic instructions for operation of a computing environment. The instructions are operable to cause a delegation system in data communication with a first computing device and a second computing device to: receive, from the first computing device, delegation request data including a first identification certificate, an identifier for the second computing device, and one or more action constraints; authenticate the first computing device based on at least the first identification certificate; determine the first computing device is authorized to delegate as specified in the one or more action constraints; generate a cryptographic action token including the identifier for the second computing device and the action constraints; authenticate the second computing device based on at least a second identification certificate; and transmit, to the second computing device, the cryptographic action token. The instructions are operable to cause a transaction server in data communication with the second computing device to: receive, from the second computing device, an action request specifying an action for the transaction server to execute, the cryptographic action token, and the second identification certificate; authenticate the second computing device based on at least the second identification certificate; authenticate the cryptographic action token; determine action data based on the action request and the one or more action constraints in the cryptographic action token; determine the action data satisfies the one or more action constraints in the cryptographic action token; and complete the transaction the action.
In some embodiments, the second computing device is a mobile device. In some embodiments, the action constraints include one or more of one or more reuse constraints, one or more transaction type constraints, one or more time constraints, one or more location constraints, one or more transaction amount constraints, and one or more authentication constraints. In some embodiments, the action data include one or more of the action specified in the action request, a time of the action request, a location of the computing device when providing the action request, a transaction amount associated with the action, and authentication data provided by the second computing device.
Other aspects and advantages of the technology will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating the principles of the technology by way of example only.
The advantages of the technology described above, together with further advantages, may be better understood by referring to the following description taken in conjunction with the accompanying drawings. The drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the technology.
Computing device 105 can be, for example, a desktop computer, laptop computer, tablet, mobile device, smartphone, or other networked device. Computing device 110 can be, for example, a desktop computer, laptop computer, tablet, mobile device, smartphone, or other networked device. It should be appreciated that other types of computing devices that are capable of connecting to the components of system 100 can be used without departing from the scope of technology. Although
Certificate authority 120 can be a combination of hardware, including one or more processors and one or more physical memory modules, and specialized software engines that execute on the processors of certificate authority 120. Certificate authority 120 can be a trusted certificate authority, as is well known in computer networking. In some embodiments, computing device 105, computing device 110, delegation system 115, and/or transaction server 125 can communicate with certificate authority 120 to facilitate authenticating another component of system 100. For example, certificate authority 120 can facilitate authentication between the components of system 100 by facilitating verification of a certificate presented by one component of system 100 to another.
Delegation system 115 can be a combination of hardware, including one or more processors and one or more physical memory modules, and specialized software engines that execute on the processors of delegation system 115 to receive data from other components of the system 100, transmit data to other components of the system 100, and generate and/or provide cryptographic action tokens.
Network 130 can be a local network, such as a LAN, a wide area network, such as the Internet and/or a cellular network, or several discrete networks and/or sub-networks (e.g., cellular to Internet, point to point, ad hoc, etc.) that enable the components of system 100 to communicate with each other. For example, computing device 105 and computing device 110 can communicate with delegation system 115 via a cellular network and/or the Internet to initiate generation of and/or receive a cryptographic action token. As a further example, computing device 105 and computing device 110 can communicate with the transaction server via a Bluetooth, Near-Field Communication (“NFC”), or ad-hoc WiFi connection.
The delegation request can include one or more action constraints. Generally, action constraints specify the characteristics of the action, providing the scope of the authorization the first computing device is delegating to the second computing device. In some embodiments, an action constraint can specify the action's type. An action constraint can specify quantities associated with the action, such as transaction amounts. An action constraint can specify the time frame in which the second computing device can request the action be performed. An action constraint can specify whether the second computing device is authorized to request a single action or multiple actions. An action constraint can specify a geographical limitation, such as limiting the second device's authorization to a specific city or state. An action constraint can specify the kind of authentication required from the second computing device before the action can be completed.
As an example, the action constraints for a delegation request can specify that the second computing device is authorized to access certain data stored on a computer system. The exemplary action constraints can specify whether the second computing device is authorized to view or modify the data. The exemplary action constraints can further specify the file names or database tables or records containing the data. The exemplary action constraints can further specify the second computing device is authorized to access the data during a specific week.
As another example, the action constraints for a delegation request can specify that the second computing device is authorized to request purchase of 100 shares of a particular company's stock. The exemplary action constraints can further specify the brokerage account from which the price for shares can be withdrawn. The exemplary action constraints can further specify that the trade is authorized to be performed on a specific date.
As another example, the action constraints for a delegation request can specify that the second computing device is authorized to request purchase of up to 100 shares of a particular company's stock at a price between $25 and $35 per share. The exemplary action constraints can further specify the brokerage account from which the price for the shares can be withdrawn. The exemplary action constraints can further specify that the trade is authorized to be performed during a specific date range. The exemplary action constraints can further specify the second computing device is authorized to perform the trades in more than one transaction.
As the above examples illustrate, in some instances the action constraints can fully specify the action that the second computing device is authorized to perform by specifying all aspects of the action. In some instances, the action constraints may not fully specify the action that the second computing device is authorized to perform, permitting the second computing device to control some aspects of the action, provided all action constraints are satisfied.
This disclosure makes use of the following notations in describing cryptographic aspects of the technology:
In accordance with embodiments of the technology, the first computing device can cryptographically sign the identifier for the second computing device and the action constraints in the delegation request. For example, the identifier for the second computing device and the action constraints can be signed with the first computing device's private key, as follows:
At step 210, the delegation system can authenticate the first computing device. For example, the delegation system can authenticate the first computing device using the first computing device's certificate provided in the delegation request. The delegation system can then use the first computing device's public key, S-PubKCD1, to verify the first computing device's signature on the delegation request. At step 215, the delegation system can determine whether the first computing device is authorized to delegate authorization to the second computing device for the action specified by the action constraints. For example, if the action constraints would give the second computing device authorization to view certain data, the delegation server can determine whether the first computing device is authorized to view the data and whether the first computing device is authorized to delegate authorization for such access. As another example, if the action constraints would give the second computing device authorization to conduct a stock trade for a particular brokerage account, the delegation server can determine whether the first computing device is authorized to use that brokerage account and whether the first computing device is authorized to delegate authorization for such use. If the first computing device is not authorized, the delegation system can send a message to the first computing device indicating the delegation request was denied.
If the first computing device is authorized, the delegation system can generate a cryptographic action token at step 220. In some embodiments, the cryptographic action token can take the following form:
At step 225, the delegation system can send a notification of the cryptographic action token to the second computing device. In some embodiments, the delegation server can send a push notification to the second computing device. In response to the notification, the second computing device can send a request for the cryptographic action token to the delegation system. The request from the second computing device can include a certificate identifying the second computing device. For example, the certificate can be a public key certificate assigned to the second computing device by a certificate authority. The certificate can, for example, provide the second computing device's public key and can be cryptographically signed by the certificate authority. At step 235, the delegation system can authenticate the second computing device. For example, the delegation system can authenticate the second computing device using the second computing device's certificate provided in the request for the cryptographic action token.
At step 240, the delegation system can send the cryptographic action token to the second computing device. The delegation system can protect the token as shown below:
The second computing device can sign the cryptographic action token and send it to the transaction server in the following form:
At step 310, the transaction server can authenticate the second computing device. For example, the transaction server can authenticate the second computing device using the second computing device's certificate provided in the action request. At step 315, the transaction server can authenticate the cryptographic action token. For example, the transaction server can receive the cryptographic action token in the following form:
At step 320, the transaction server can determine the action data from the action request (e.g., the details of the requested action). At step 325, the transaction server can determine whether the action satisfies the action constraints. The transaction server can compare the action data to the constraints obtained from the cryptographic action token to confirm the requested action complies with the constraints. For example, if the action data indicates the requested action is accessing a specified file, the transaction server can verify that the action constraints permit accessing the specified file. As noted above, in some instances, the action constraints can fully specify the authorized action. In such instances, the transaction server can determine the action data from the action constraints in the cryptographic action token. If the action data satisfies the action constraints, the transaction server can complete the transaction.
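The following is an added illustration, not part of the original disclosure, of token generation (step 220) and the transaction server's checks (steps 315 to 325) applied to the "up to 100 shares at $25 to $35" constraints described earlier, including cumulative use across more than one transaction. Assumptions: the JSON token layout, all field names, the device identifiers and the sample values are hypothetical; HMAC-SHA256 with a constructed key stands in for the delegation system's signature; and certificate authentication of the second computing device (step 310) is taken as already done.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key. HMAC-SHA256 is a stand-in for the delegation system's
# signature over the token; the page does not reproduce the real token format.
DELEGATION_KEY = b"constructed-demo-key"

# Constructed constraints mirroring the "up to 100 shares at $25-$35" example.
SAMPLE_CONSTRAINTS = {
    "type": "buy", "symbol": "EXMP", "account": "ACCT-0001",
    "max_shares": 100, "min_price": 25, "max_price": 35,
    "not_before": "2024-03-01", "not_after": "2024-03-08",
    "multiple_transactions": True,
}


def _mac(body: bytes) -> str:
    return hmac.new(DELEGATION_KEY, body, hashlib.sha256).hexdigest()


def issue_token(delegate_id: str, constraints: dict) -> dict:
    """Step 220: bind the second device's identifier to the action constraints."""
    body = json.dumps({"delegate": delegate_id, "constraints": constraints},
                      sort_keys=True)
    return {"body": body, "mac": _mac(body.encode())}


class TransactionServer:
    def __init__(self):
        self.used = {}  # token MAC -> shares already bought under that token

    def authorize(self, device_id: str, token: dict, action: dict):
        """Steps 315-325. device_id is the identity already authenticated from
        the second device's certificate (step 310, assumed done by the caller)."""
        try:
            body, mac = token["body"], token["mac"]
            if not hmac.compare_digest(_mac(body.encode()), mac):
                return False, "token authentication failed"
            claims = json.loads(body)  # parsed only after the MAC verifies
            if claims["delegate"] != device_id:
                return False, "token issued to a different device"
            c = claims["constraints"]
            when = date.fromisoformat(action["date"])
            if (action["type"], action["symbol"], action["account"]) != (
                    c["type"], c["symbol"], c["account"]):
                return False, "action not covered by delegation"
            if not (date.fromisoformat(c["not_before"]) <= when
                    <= date.fromisoformat(c["not_after"])):
                return False, "outside permitted dates"
            if not c["min_price"] <= action["price"] <= c["max_price"]:
                return False, "price outside permitted range"
            qty, spent = action["quantity"], self.used.get(mac, 0)
            if spent and not c["multiple_transactions"]:
                return False, "token already used"
            if not isinstance(qty, int) or qty <= 0 or spent + qty > c["max_shares"]:
                return False, "quantity exceeds delegated total"
        except (KeyError, TypeError, ValueError, AttributeError):
            return False, "malformed token or request"
        self.used[mac] = spent + qty  # record use only after every check passes
        return True, "ok"


def buy(quantity, price, day="2024-03-04"):
    """Build a constructed action request for the sample constraints."""
    return {"type": "buy", "symbol": "EXMP", "account": "ACCT-0001",
            "quantity": quantity, "price": price, "date": day}


if __name__ == "__main__":
    server = TransactionServer()
    token = issue_token("device-110", SAMPLE_CONSTRAINTS)
    print(server.authorize("device-110", token, buy(60, 30)))
    print(server.authorize("device-110", token, buy(60, 30)))  # 120 > 100
    print(server.authorize("device-110", token, buy(40, 30)))  # reaches 100
```

The reuse counter is the one piece of state the transaction server must keep itself: the token alone cannot show how much of a multi-transaction allowance has already been consumed.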
Method steps can be performed by one or more special-purpose processors executing a computer program to perform functions of the technology by operating on input data and/or generating output data. Method steps can also be performed by, and an apparatus can be implemented as, special-purpose logic circuitry, e.g., a FPGA (field programmable gate array), a FPAA (field-programmable analog array), a CPLD (complex programmable logic device), a PSoC (Programmable System-on-Chip), ASIP (application-specific instruction-set processor), or an ASIC (application-specific integrated circuit), or the like. Subroutines can refer to portions of the stored computer program and/or the processor, and/or the special circuitry that implement one or more functions.
Processors suitable for the execution of a computer program include, by way of example, special-purpose microprocessors. Generally, a processor receives instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a specialized processor for executing instructions and one or more specifically-allocated memory devices for storing instructions and/or data. Memory devices, such as a cache, can be used to temporarily store data. Memory devices can also be used for long-term data storage. Generally, a computer also includes, or is operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. A computer can also be operatively coupled to a communications network in order to receive instructions and/or data from the network and/or to transfer instructions and/or data to the network. Computer-readable storage mediums suitable for embodying computer program instructions and data include all forms of volatile and non-volatile memory, including by way of example semiconductor memory devices, e.g., DRAM, SRAM, EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and optical disks, e.g., CD, DVD, HD-DVD, and Blu-ray disks. The processor and the memory can be supplemented by and/or incorporated in special purpose logic circuitry.
To provide for interaction with a user, the above described techniques can be implemented on a computing device in communication with a display device, e.g., a CRT (cathode ray tube), plasma, or LCD (liquid crystal display) monitor, a mobile device display or screen, a holographic device and/or projector, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse, a trackball, a touchpad, or a motion sensor, by which the user can provide input to the computer (e.g., interact with a user interface element). Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, and/or tactile input.
The above-described techniques can be implemented in a distributed computing system that includes a back-end component. The back-end component can, for example, be a data server, a middleware component, and/or an application server. The above described techniques can be implemented in a distributed computing system that includes a front-end component. The front-end component can, for example, be a client computer having a graphical user interface, a Web browser through which a user can interact with an example implementation, and/or other graphical user interfaces for a transmitting device. The above described techniques can be implemented in a distributed computing system that includes any combination of such back-end, middleware, or front-end components.
The components of the computing system can be interconnected by transmission medium, which can include any form or medium of digital or analog data communication (e.g., a communication network). Transmission medium can include one or more packet-based networks and/or one or more circuit-based networks in any configuration. Packet-based networks can include, for example, the Internet, a carrier internet protocol (IP) network (e.g., local area network (LAN), wide area network (WAN), campus area network (CAN), metropolitan area network (MAN), home area network (HAN)), a private IP network, an IP private branch exchange (IPBX), a wireless network (e.g., radio access network (RAN), Bluetooth, near field communications (NFC) network, Wi-Fi, WiMAX, general packet radio service (GPRS) network, HiperLAN), and/or other packet-based networks. Circuit-based networks can include, for example, the public switched telephone network (PSTN), a legacy private branch exchange (PBX), a wireless network (e.g., RAN, code-division multiple access (CDMA) network, time division multiple access (TDMA) network, global system for mobile communications (GSM) network), and/or other circuit-based networks.
Information transfer over transmission medium can be based on one or more communication protocols. Communication protocols can include, for example, Ethernet protocol, Internet Protocol (IP), Voice over IP (VOIP), a Peer-to-Peer (P2P) protocol, Hypertext Transfer Protocol (HTTP), Session Initiation Protocol (SIP), H.323, Media Gateway Control Protocol (MGCP), Signaling System #7 (SS7), a Global System for Mobile Communications (GSM) protocol, a Push-to-Talk (PTT) protocol, a PTT over Cellular (POC) protocol, Universal Mobile Telecommunications System (UMTS), 3GPP Long Term Evolution (LTE) and/or other communication protocols.
Devices of the computing system can include, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile device (e.g., cellular phone, personal digital assistant (PDA) device, smart phone, tablet, laptop computer, electronic mail device), and/or other communication devices. The browser device includes, for example, a computer (e.g., desktop computer and/or laptop computer) with a World Wide Web browser (e.g., Chrome™ from Google, Inc., Microsoft® Internet Explorer® available from Microsoft Corporation, and/or Mozilla® Firefox available from Mozilla Corporation). Mobile computing devices include, for example, a Blackberry® from Research in Motion, an iPhone® from Apple Corporation, and/or an Android™-based device. IP phones include, for example, a Cisco® Unified IP Phone 7985G and/or a Cisco® Unified Wireless Phone 7920 available from Cisco Systems, Inc.
Comprise, include, and/or plural forms of each are open ended and include the listed parts and can include additional parts that are not listed. And/or is open ended and includes one or more of the listed parts and combinations of the listed parts.
One skilled in the art will realize the subject matter may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the subject matter described herein.