摘要:
A system and method are disclosed that enable exclusive rights in generic goods to be transferred from one party to another. A party holds an exclusive right to a good through a rescindable capability. When two parties agree on a transfer of the exclusive right to the good, a goods description memorializing the agreement is created which is in synergy with the rescindable capability. The goods description includes an acquire method that is the only method that can extract rights from the rescindable capability with which it is in synergy. The object from which the generic right is being transferred sends a message to the recipient with a reference to the rescindable capability. Upon receiving the message, the recipient invokes the acquire method of the referenced goods description, which returns a new rescindable capability that encompasses the generic right just transferred. Once the recipient holds a reference to the new rescindable capability, the sender has had its rights rescinded. Because details of a transfer are implemented between a rescindable capability and a goods description, rights to goods of any type can be transferred. This is useful in escrow transactions, where a trusted third party with no knowledge of goods being exchanged can effect exchanges of exclusive rights to generic goods by two mutually-suspicious parties.
摘要:
A system and method is disclosed that provides persistent capabilities for distributed, object-oriented applications running on generally available hardware. The disclosed system and method operate in a transparent distributed object system where inter-process messaging between the program objects is effected by paired transport managers, proxies and matched in-table and out-table slots. Each object needing to communicate with an object in another address space does so by transparently issuing messages to that object's local proxy. Each process provides a registrar that includes a secret code table wherein an object is registered with a unique, practically unguessable secret code. Anticipating the need to re-establish object-proxy links following a inter-process communications fault, proxies are made revivable, meaning that their links with corresponding remote objects can be revived following a communications interruption. This is accomplished by a makeRevivable method that stores a revivable proxy's expiration date (the date beyond which the proxy is not revivable) and its corresponding remote object's secret code into the proxy's out-table slot. Upon the occurrence of a communications fault, all transport managers and tables are nulled out and then, when the communications fault is corrected, rebuilt by the transport managers. Sometime after the restoration of communications, a revived method is invoked that restores the links between, registered objects and proxies. The objects and proxies are brought back in a consistent state based on limited checkpointed data stored by the distributed program for the registered objects.
摘要:
A system providing capability security for distributed object systems is disclosed. The basic tenet of capability security is that the right to do something to an object (e.g., invoke a particular object's methods) is represented solely by the holding of a reference to that object. In each of the preferred embodiments described herein, an object is presumed to hold legitimately a reference to a particular object only if the object knows some unpublicized (except under the conditions required by capability security) key associated with the particular object. That is, an object's key is required along with the object's reference. So that capability security is preserved when object references are passed between objects in different processes, the object references being passed are encrypted upon transmission and then decrypted upon arrival at their intended destination. This cryptography can be performed by objects or processes using a variety of techniques, including Diffie-Helman or public/private key cryptography. The cryptography performed in the various embodiments ensures that only the intended recipient of the message can decode the object reference and that a misbehaving object cannot convince another object that it possesses a capability it does not have. Some of the disclosed embodiments provide capability security for distributed object systems wherein the objects and processes directly handle inter-object and inter-process communications and message encryption and decryption.
摘要:
A distributed garbage collection system and method is disclosed that is compatible with local ref-count or full garbage collection and that ensures that no local object's storage is deleted by the local garbage collector unless it is certain that there are no actual or potential remote references to that local object. The disclosed system and method are implemented in the context of a transparent distributed object system in which communications between objects in different processes are enabled by dedicated proxy objects that are linked to corresponding remote objects via a pair of transport objects. Additional proxy holder objects and proxy holder proxies ensure that objects for which third-party object references are passed (i.e., where one object in a first process passes a remote object in a second process a reference to a third object in a third process) are not collected until a direct link is established between the remote object in the second process and the third object in the third object space. As appropriate, secret number table pointers maintained by a local registrar for each object that has been accessed via a third party message are deleted, allowing the objects to be collected when there are no other actual or pending remote references to that object. The transport managers encrypt all inter-process messages so as to provide full capability security within the distributed system. This enables the disclosed garbage collection system and methods to operate under attack from misbehaving participants.
摘要:
A system providing capability security for distributed object systems is disclosed. The basic tenet of capability security is that the right to do something to an object (e.g., invoke a particular object's methods) is represented solely by the holding of a reference to that object. In each of the preferred embodiments described herein, an object is presumed to hold legitimately a reference to a particular object only if the object knows some unpublicized (except under the conditions required by capability security) key associated with the particular object. That is, an object's key is required along with the object's reference. So that capability security is preserved when object references are passed between objects in different processes, the object references being passed are encrypted upon transmission and then decrypted upon arrival at their intended destination. This cryptography can be performed by objects or processes using a variety of techniques, including Diffie-Helman or public/private key cryptography. The cryptography performed in the various embodiments ensures that only the intended recipient of the message can decode the object reference and that a misbehaving object cannot convince another object that it possesses a capability it does not have. Some of the disclosed embodiments provide capability security for transparent distributed object systems, wherein a pair of matched transports handle and encrypt inter-process communications between objects in their respective processes.
摘要:
A diverse goods arbitration system and method allocates computer resources among bidding requesters. Bid slates are transmitted to an arbiter by users (requesters) requesting use of specified portions of the available computer resources. Each bid slate may contain a plurality of bids, each bid representing a requested set of resources and a bid price. The arbiter selects combinations of bids from the bid slates, where each bid combination consists of no more than one bid from each of the received bid slates. The arbiter rejects all bid combinations whose constituent bids exceed an established maximum allocation level for any computer resource. It then selects as a winning bid combination the bid combination having the highest total bid price. Computer resources are then allocated for a next time period based on the winning bid. Costs are allocating to each successful requester in accordance with a predefined opportunity cost function. In particular, for each successful requester, the arbitration process is repeated while excluding that successful requester's bid slate from the set of bid slates considered, resulting in the selection of a second winning bid that excludes the successful requester. The successful requester is then assessed a cost corresponding to the difference between the winning bid's total bid prices, excluding the price in the successful requester's granted bid, and the total bid prices associated with the second winning bid.
摘要:
A system and method is disclosed that provides lightweight non-repudiability for networked computer systems. Each party to a two-party communication maintains hashes on its incoming and outgoing messages. At its discretion, either party can request that the other party commit to the conversation. The second party (if it agrees) then sends signed hashes that third parties can use to verify the content of the conversation. The party requesting the commitment stores its corresponding hashes when it sends the request. If the hashes from both parties are the same for the same positions in their conversation, the two parties can verify that their conversation is error-free. If the sending party also maintains logs of both sides (incoming and outgoing) of the conversation and stores hashes corresponding to the beginning of the logs, the sending party is also able to verify to a third party that the logged portion of the conversation was between the first party and the second party. Non-repudiability for entire conversations consisting of millions of messages can therefore be provided using a single pair of commit message and commitment/signature messages.
摘要:
A document is digitally signed with a digital signature that is unique to the signer/document pair. A document digest is generated by applying a predefined one-way hash function to the document. A pseudo-random key is generated by combining the document digest with at least one other value in accordance with a predefined computational procedure. The digital signature is then generated as a predefined function of the private key, the document digest, and the pseudo-random key k. A distinct pseudo-random key is generated for each distinct specified document, and for a given value of the private key, a distinct digital signature is generated for each distinct specified document. In a preferred embodiment the pseudo-random key generating step includes combining the document digest with a value corresponding to the private key to generate an intermediate value, and hashing the intermediate value with the predefined one-way hash function to generate the pseudo-random key k. In another preferred embodiment the pseudo-random key generating step includes hashing the private key with the predefined one-way hash function to generate a first intermediate value, combining the document digest with a value corresponding to the first intermediate value and an ancillary secret value to generate a second intermediate value, and hashing the second intermediate value with the predefined one-way hash function to generate the pseudo-random key k.
摘要:
An electronic communication authority server that provides centralized key management, implementation of role-based enterprise policies and workflow and projection of corporate authorities over trusted networks. The authority server includes a key database that associates keys, signatures and indicators of corporate authority (such as letterhead) with particular corporate roles. There can be multiple roles or a single role (e.g., employee) for each authority server. Users associated with one or more roles are permitted by the authority server to exercise authority or include the indicators of authority in their communications. The authority server also encrypts/decrypts and signs/verifies communications from/to a user using the keys and signatures associated with the role being exercised by the user for that communication. The authority server permits roles to be delegated or transferred, which facilitates the execution by the authority server of role-dependent workflow procedures. In another embodiment, keys are not associated with individual roles but with servers and/or groups of users. In this embodiment a server processes a request from one of its users in accordance with the role-based policies it embodies and then, if necessary, indicates the identity of the requesting user in the end product of the request, which it then signs using its own key and encrypts with appropriate destination keys.