Method for authorizing and authenticating data

摘要

A method and a corresponding apparatus for authenticating data in a digital processing system (DPS) is disclosed, wherein a root/first tier key pair associated with a first tier/root authority may sign data and second tier keys for authorizing data for processing in the DPS. The first tier/root authority may pass entitlements to the authorized second tier key, which may itself authorize third tier keys and pass entitlements to said key.

主权项

1. A method, comprising:
generating, by a first device, a first key pair comprising a first public key portion and a first private key portion; transferring, by the first device, the first public key portion to a second device having a second key pair, the second key pair comprising a second public key portion and a second private key portion, wherein the second key pair is associated with second entitlements comprising second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the second device is configured to:
authorize the first key pair by signing the first public key portion using the second private key portion to produce a first key signature of the first key pair,associate first entitlements with the first public key portion, the first entitlements comprising first data entitlements that are within the second signing entitlements and further comprising first signing entitlements that are within the first data entitlements, andtransfer the first public key portion, the first key signature, and the first entitlements to a digital processing system, wherein upon receipt of the first public key portion, the first key signature, and the first entitlements, the digital processing system is configured to authenticate the first public key portion by using the first public key portion to verify that the first key signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements; signing, by the first device, data with the first private key portion to generate a data signature; and sending, by the first device, the data and the data signature to the digital processing system, wherein receiving the data and the data signature causes the digital processing system to authenticate the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data, and wherein failing to authenticate the data causes the digital processing system to reset to limited operations.