公开(公告)号：US08510789B2

公开(公告)日：2013-08-13

申请号：US10664069

申请日：2003-09-16

申请人： Cheh Goh ,  Liqun Chen ,  Stephen James Crane ,  Marco Casassa Mont ,  Keith Alexander Harrison

发明人： Cheh Goh ,  Liqun Chen ,  Stephen James Crane ,  Marco Casassa Mont ,  Keith Alexander Harrison

IPC分类号： G06F17/00

CPC分类号： G06F21/608 ,  G06F2221/2107 ,  G06F2221/2115 ,  H04L9/3073

摘要： Data to be output to a removable storage medium is encrypted for sending to an output device by an encryption process based on encryption parameters comprising public data of a trusted party and an encryption key string comprising a policy for allowing the output of the data. The trusted party provides a decryption key to the output device but only after being satisfied that the policy has been met. The decryption key is generated in dependence on the encryption key string and private data of the trusted party. The output device uses the decryption key in decrypting the data to be output. Embodiments are provided that involve multiple policies and trusted parties.

摘要翻译： 要输出到可移动存储介质的数据被加密，用于通过基于包括可信方的公共数据的加密参数的加密处理和包括用于允许输出数据的策略的加密密钥串来发送到输出设备。 可信方向输出设备提供解密密钥，但只有在满足该策略已被满足之后。 解密密钥根据加密密钥串和可信方的专用数据生成。 输出设备在解密要输出的数据时使用解密密钥。 提供涉及多个策略和受信任方的实施例。

公开(公告)号：US06688230B2

公开(公告)日：2004-02-10

申请号：US10270322

申请日：2002-10-15

申请人： Cheh Goh ,  Marco Casassa Mont

发明人： Cheh Goh ,  Marco Casassa Mont

IPC分类号： B41F154

CPC分类号： G07F17/42 ,  G06Q20/382 ,  G06Q20/389 ,  G07F7/08 ,  G07F7/125

摘要： A method of printing a token by printer (5), in which the printer (5) includes a digital identification device (1) configured to generate a series of distinct print job counter numbers and to provide a public key of a cryptographic public key/private key pair. The method includes the steps of sending a printer generated print job counter number and an encryption key to a token issuer (4) the token issuer (4) sending to the printer (5) a message encrypted by the encryption key, the message including the print job counter number and information representative of the token (9) to be printed and the printer (5) decrypting the encrypted message and printing the token using the information representative of the token (9) if the print job counter number is valid.

摘要翻译： 一种通过打印机（5）打印令牌的方法，其中打印机（5）包括数字识别装置（1），其被配置为生成一系列不同的打印作业计数器号码，并提供密码公钥/ 私钥对。 该方法包括以下步骤：将打印机生成的打印作业计数器号码和加密密钥发送到令牌发行者（4）令牌发行者（4）向打印机（5）发送由加密密钥加密的消息，该消息包括 打印作业计数器编号和表示要打印的令牌（9）的信息，以及打印机（5）如果打印作业计数器号有效，则使用表示令牌（9）的信息来打印加密消息并打印令牌。

公开(公告)号：US20050102512A1

公开(公告)日：2005-05-12

申请号：US10664069

申请日：2003-09-16

申请人： Cheh Goh ,  Liqun Chen ,  Stephen Crane ,  Marco Mont ,  Keith Harrison

发明人： Cheh Goh ,  Liqun Chen ,  Stephen Crane ,  Marco Mont ,  Keith Harrison

IPC分类号： G06F21/60 ,  H04L9/08 ,  H04L9/30 ,  H04L9/00

CPC分类号： G06F21/608 ,  G06F2221/2107 ,  G06F2221/2115 ,  H04L9/3073

摘要： Data to be output to a removable storage medium is encrypted for sending to an output device by an encryption process based on encryption parameters comprising public data of a trusted party and an encryption key string comprising a policy for allowing the output of the data. The trusted party provides a decryption key to the output device but only after being satisfied that the policy has been met. The decryption key is generated in dependence on the encryption key string and private data of the trusted party. The output device uses the decryption key in decrypting the data to be output. Embodiments are provided that involve multiple policies and trusted parties.

摘要翻译： 要输出到可移动存储介质的数据被加密，用于通过基于包括可信方的公共数据的加密参数的加密处理和包括用于允许输出数据的策略的加密密钥串来发送到输出设备。 可信方向输出设备提供解密密钥，但只有在满足该策略已被满足之后。 解密密钥根据加密密钥串和可信方的专用数据生成。 输出设备在解密要输出的数据时使用解密密钥。 提供涉及多个策略和受信任方的实施例。

公开(公告)号：US07308572B2

公开(公告)日：2007-12-11

申请号：US10270393

申请日：2002-10-15

申请人： Cheh Goh ,  David A Clarke

发明人： Cheh Goh ,  David A Clarke

IPC分类号： H04L9/00 ,  H04K1/00 ,  G06F9/44 ,  G06F15/16 ,  G06F1/00 ,  G06F3/12 ,  G06F3/14 ,  H04M1/64 ,  H04L9/30 ,  H04L9/32

CPC分类号： G07F7/08 ,  G06Q20/389 ,  G07F7/125

摘要： A method of printing a document (10) stored at a home computing system (5) on a printer (9) of a remote computing system, the home and remote computing system including a home trusted print proxy (HTPP) (3) and a remote trusted print proxy (RTPP) (2), respectively, which are configured to be able to establish communication via a communications link, in which the printer (9) includes a digital identification device (1) configured to provide a printer public key of a cryptographic public key/private key pair and the RTPP (2) is configured to supply a one time token on request, the method including the steps of using a mobile device (4) to interrogate the RTPP (2) and printer (9) to obtain a one time token and the printer public key using the mobile device (4) to transmit to the home computing system (5) a print request including the one time token and printer public and identification of the document (10) to be printed establishing a secure communications channel between the home and remote computing system via at least the HTPP and RTPP the home computing system (5) transmitting the document encrypted by the printer public key to the printer (9) via the secure communications channel and the printer (9) decrypting the encrypted document and initiating printing of the document only if the mobile device is in communication with the printer (9).

摘要翻译： 一种在家庭计算系统（5）上存储在远程计算系统的打印机（9）上的文档（10）的方法，所述家庭和远程计算系统包括家庭可信打印代理（HTPP）（3）和 远程可信打印代理（RTPP）（2），其被配置为能够经由通信链路建立通信，其中打印机（9）包括数字识别装置（1），其被配置为提供打印机公钥 密码公钥/私钥对和RTPP（2）被配置为根据请求提供一次令牌，该方法包括以下步骤：使用移动设备（4）询问RTPP（2）和打印机（9） 使用所述移动设备（4）获得一次令牌和所述打印机公钥，以向所述家庭计算系统（5）传送包括所述一次令牌和打印机公开的打印请求以及要打印的所述文档（10）的标识 建立一个安全通信系统 至少通过HTPP和RTPP将家庭计算系统（5）通过安全通信信道传送到打印机（9）的家庭计算系统（5），打印机（9）将家庭和远程计算系统（5）传送到打印机 加密文档，并且仅当移动设备与打印机通信时才开始打印文档（9）。

公开(公告)号：US06978379B1

公开(公告)日：2005-12-20

申请号：US09578503

申请日：2000-05-26

申请人： Cheh Goh ,  Casassa Mont Marco ,  Adrian John Baldwin

发明人： Cheh Goh ,  Casassa Mont Marco ,  Adrian John Baldwin

IPC分类号： G06F1/00 ,  G06F21/60 ,  G06F21/62 ,  H04L9/00

CPC分类号： G06F21/604 ,  G06F21/6218

摘要： An apparatus (22,44) is described for use in generating configuration information for a computer system (12) employing hierarchical entities.A policy template (24) is employed which contains a definition of an abstract high-level policy, for the configuration of the system, and permitted refinements to that policy, the definition referring to a plurality of the entities. An information and system model (16) contains information about the computer system and its environment including the entities referred to in the high-level policy definition, the hierarchy thereof and non-hierarchical relations between the entities. A policy authoring engine (26) refines the high-level policy definition with reference to the permitted refinements thereto and the stored information about the entities to which the high-level policy definition relates in order to produce a refined policy definition. In doing this, the engine presents refinement options to a user (10) via a user interface (28) and refines the high-level policy definition in dependence upon options selected by the user via the user interface. Some of the entities stored in the model (16) may be abstract entities, but with pointers to data in the computer system representing an instance of that abstract entity. The refined policy may be in terms of a policy context, referring to unbound entities, and a policy statement. A policy deployer (20) stores rules for interpreting the policy statement as instructions executable by the computer system and is operable, with reference to the information and system model (16), to bind the unbound entities in the policy context to instances of those entities, and, with reference to the stored rules, to interpret the policy statement into a series of instructions to the computer system referring to the bound instances or derivatives of them.The apparatus facilitates the refinement of abstract policies and implementation of the refined policies.

公开(公告)号：US07516321B2

公开(公告)日：2009-04-07

申请号：US10797715

申请日：2004-03-08

申请人： Liqun Chen ,  Stephen James Crane ,  Cheh Goh

发明人： Liqun Chen ,  Stephen James Crane ,  Cheh Goh

IPC分类号： H04L9/00

CPC分类号： H04L9/0847 ,  H04L9/3073 ,  H04L2209/127 ,  H04L2209/38

摘要： A trusted authority delegates authority to a device. This delegation of authority is effected by providing a yet-to-be completed chain of public/private cryptographic key pairs linked in a subversion-resistant manner. The chain terminates with a penultimate key pair formed by public/private data, and a link towards an end key pair to be formed by an encryption/decryption key pair of an Identifier-Based Encryption, IBE, scheme. The private data is securely stored in the device for access only by an authorized key-generation process that forms the link to the end key pair and is arranged to provide the IBE decryption key generated using the private data and encryption key. This key generation/provision is normally only effected if at least one condition, for example specified in the encryption key, is satisfied. Such a condition may be one tested against data provided by the trusted authority and stored in the device.

摘要翻译： 受信任的权威机构将权限委托给设备。 这种权力的授权是通过提供一个尚未完成的公开/私人加密密钥对链，以颠覆性的方式连接起来。 链终止于由公共/私有数据形成的倒数第二个密钥对，以及通过基于标识符的加密（IBE）方案的加密/解密密钥对形成的终端密钥对的链接。 专用数据被安全地存储在设备中，仅由形成到终端密钥对的链接的授权密钥生成过程访问，并且被设置为提供使用专用数据和加密密钥生成的IBE解密密钥。 这种密钥生成/提供通常仅在满足例如在加密密钥中指定的至少一个条件时才有效。 这样的条件可以针对由可信管理机构提供并存储在设备中的数据进行测试。

公开(公告)号：US20050058294A1

公开(公告)日：2005-03-17

申请号：US10797715

申请日：2004-03-08

申请人： Liqun Chen ,  Stephen Crane ,  Cheh Goh

发明人： Liqun Chen ,  Stephen Crane ,  Cheh Goh

IPC分类号： H04L9/08 ,  H04L9/30 ,  H04L9/00

CPC分类号： H04L9/0847 ,  H04L9/3073 ,  H04L2209/127 ,  H04L2209/38

摘要： A trusted authority delegates authority to a device. This delegation of authority is effected by providing a yet-to-be completed chain of public/private cryptographic key pairs linked in a subversion-resistant manner. The chain terminates with a penultimate key pair formed by public/private data, and a link towards an end key pair to be formed by an encryption/decryption key pair of an Identifier-Based Encryption, IBE, scheme. The private data is securely stored in the device for access only by an authorized key-generation process that forms the link to the end key pair and is arranged to provide the IBE decryption key generated using the private data and encryption key. This key generation/provision is normally only effected if at least one condition, for example specified in the encryption key, is satisfied. Such a condition may be one tested against data provided by the trusted authority and stored in the device.

摘要翻译： 受信任的权威机构将权限委托给设备。 这种权力的授权是通过提供一个尚未完成的公开/私人加密密钥对链，以颠覆性的方式连接起来。 链终止于由公共/私有数据形成的倒数第二个密钥对，以及通过基于标识符的加密（IBE）方案的加密/解密密钥对形成的终端密钥对的链接。 专用数据被安全地存储在设备中，仅由形成到终端密钥对的链接的授权密钥生成过程访问，并且被设置为提供使用专用数据和加密密钥生成的IBE解密密钥。 这种密钥生成/提供通常仅在满足例如在加密密钥中指定的至少一个条件时才有效。 这样的条件可以针对由可信管理机构提供并存储在设备中的数据进行测试。

公开(公告)号：US07650498B2

公开(公告)日：2010-01-19

申请号：US10825596

申请日：2004-04-14

申请人： Cheh Goh ,  Liqun Chen

发明人： Cheh Goh ,  Liqun Chen

IPC分类号： H04L29/06 ,  G06F7/04

CPC分类号： G06F21/6245 ,  G06F19/00 ,  G16H10/60

摘要： To control access to target data whilst relieving the data provider of policing obligations, the data provider provides the target data in encrypted form to a requesting party as part of a data set with which first and second trusted authorities are associated in a non-subvertible manner. Recovery of the target data in clear by the party requires the first trusted authority to verify that a specific individual is a professional accredited with it, the second trusted authority to verify that a particular organisation is accredited with it, the particular organisation to verify that the specific individual is engaged by it, and at least one of the particular organisation and the first trusted authority to verify that the party is the specific individual. Various ways of encrypting the target data are provided, the preferred ways being based on Identifier-Based Encryption schemas.

摘要翻译： 为了控制对目标数据的访问，同时缓解数据提供者的监管义务，数据提供者将加密形式的目标数据提供给请求方，作为数据集的一部分，第一和第二信任机构以不可颠覆的方式与之相关联 。 由缔约方明确恢复目标数据要求第一个受信任的机构核实具体个人是否是经过认证的专业人员，第二个受信任的机构核实特定组织是否被认证，特定机构要验证 具体个人由其参与，以及至少一个特定组织和第一个受信任的机构来验证该方是具体个人。 提供了加密目标数据的各种方法，优选的方式是基于基于标识符的加密模式。

公开(公告)号：US20050010760A1

公开(公告)日：2005-01-13

申请号：US10825596

申请日：2004-04-14

申请人： Cheh Goh ,  Liqun Chen

发明人： Cheh Goh ,  Liqun Chen

IPC分类号： G06F19/00 ,  G06F21/00 ,  G06F21/62 ,  H04L9/00

CPC分类号： G06F21/6245 ,  G06F19/00 ,  G16H10/60

摘要： To control access to target data whilst relieving the data provider of policing obligations, the data provider provides the target data in encrypted form to a requesting party as part of a data set with which first and second trusted authorities are associated in a non-subvertible manner. Recovery of the target data in clear by the party requires the first trusted authority to verify that a specific individual is a professional accredited with it, the second trusted authority to verify that a particular organisation is accredited with it, the particular organisation to verify that the specific individual is engaged by it, and at least one of the particular organisation and the first trusted authority to verify that the party is the specific individual. Various ways of encrypting the target data are provided, the preferred ways being based on Identifier-Based Encryption schemas.

摘要翻译： 为了控制对目标数据的访问，同时缓解数据提供者的监管义务，数据提供者将加密形式的目标数据提供给请求方，作为数据集的一部分，第一和第二信任机构以不可颠覆的方式与之相关联 。 由缔约方明确恢复目标数据要求第一个受信任的机构核实具体个人是否是经过认证的专业人员，第二个受信任的机构核实特定组织是否被认证，特定机构要验证 具体个人由其参与，以及至少一个特定组织和第一个受信任的机构来验证该方是具体个人。 提供了加密目标数据的各种方法，优选的方式是基于基于标识符的加密模式。