CN103621040A - Facilitating group access control to data objects in peer-to-peer overlay networks - Google Patents


Info

Publication number
CN103621040A
Authority
CN
China
Prior art keywords
peer node
group
peer-to-peer
certificate
peer-specific
Legal status
Granted
Application number
CN201280031422.4A
Other languages
Chinese (zh)
Other versions
CN103621040B (en)
Inventor
Y·毛
V·纳拉亚南
A·斯瓦弥纳杉
Current Assignee
Qualcomm Inc
Original Assignee
Qualcomm Inc
Current legal status
Expired - Fee Related

Classifications

    • H04L67/1044 Peer-to-peer [P2P] networks; group management mechanisms
    • H04L63/062 Network security; key management in a packet data network; key distribution, e.g. centrally by a trusted party
    • H04L63/0823 Network security; authentication of entities using certificates
    • H04L63/104 Network security; controlling access to devices or network resources; grouping of entities
    • H04L9/321 Cryptographic mechanisms; verifying the identity or authority of a user, involving a third party or a trusted authority
    • H04L9/3247 Cryptographic mechanisms; message authentication involving digital signatures
    • H04L9/3263 Cryptographic mechanisms; certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms; certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3213 Cryptographic mechanisms; verifying identity via a trusted authority using tickets or tokens, e.g. Kerberos


Abstract

Methods and apparatuses are provided for facilitating group access controls in peer-to-peer or other similar overlay networks. A group administrator may create a group in the overlay network and may assign peer-specific certificates to each member of the group for indicating membership in the group. A group member peer node can access data objects in the overlay network using its respective peer-specific certificate to authenticate itself as a group member. The authentication is performed by another peer node in the network. The validating peer node can authenticate that the group member is the rightful possessor of the peer-specific certificate using a public key associated with the peer node to which the peer-specific certificate was issued. The validating peer node can also validate that the peer-specific certificate was properly issued to the group member using a public key of the apparatus that issued the peer-specific certificate.

Description

Facilitating group access control to data objects in peer-to-peer overlay networks
Background
Field
The features disclosed herein relate generally to peer-to-peer overlay networks, and at least some features relate to apparatuses and methods for facilitating group access control to data objects in peer-to-peer overlay networks.
Background
Peer-to-peer (P2P) and other similar overlay networks are distributed application architectures that partition tasks or workloads between peers. Such peer-to-peer overlay networks can be built on top of an underlying network, such as one that uses the Internet Protocol (IP).
Typically, peers are equally privileged, equipotent participants in the application and are commonly said to form a network of peer nodes. Peer nodes cooperate with one another both to provide services and to maintain the network. Peer nodes conventionally make a portion of their resources, such as processing power, disk storage or network bandwidth, directly available to other network participants without central coordination by servers or stable hosts. Generally, peer nodes are both suppliers and consumers of resources, in contrast to the traditional client-server model in which only servers supply and clients consume.
Peer-to-peer and similar overlay networks can be used in many environments for low-cost, scalable applications that are easy to deploy. Such networks are typically relatively open, allowing devices (i.e., nodes) to join and leave at will. In some implementations of such networks, a user's data may be stored in a distributed fashion on remote nodes in the network, which may or may not be known to the user. As a result, some users may not fully trust the data storage capability of the overlay unless they can be assured that their data cannot be accessed (e.g., read and/or modified) in an unauthorized manner. A data owner may therefore specify access controls that define who may access the stored data objects.
Conventionally, each data object stored in a peer-to-peer overlay network has a corresponding access control list (ACL) that indicates the access control policy for that particular data object. For example, the ACL may indicate which users or user groups have a specified type of access to the data object. However, a peer-to-peer overlay network may have no central authority able to provide efficient group-based access control, which makes it challenging to enforce access control based on group membership. For example, without a central authority it may be difficult to authenticate that a peer node is a valid member of a group. There is therefore a need for systems, apparatuses and/or methods for managing and authenticating group membership among peer nodes in peer-to-peer overlay networks.
Summary
Various features provide peer nodes that facilitate group-based access control in a peer-to-peer overlay network. One or more features provide a group administrator peer node, which may include a communication interface and a storage medium, each coupled to a processing circuit. The communication interface may be adapted to facilitate communication over the peer-to-peer overlay network. The storage medium may include a private key and public key pair associated with the group administrator peer node.
According to various implementations, the processing circuit may be adapted to create a peer group that defines one or more peer nodes as members of the group. The processing circuit may further assign a peer-specific certificate to a group member peer node that is a member of the group, where the peer-specific certificate is adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and includes a group identity, the group member peer node identity, an issuer identity, and a signature made with the issuer's private key over one or more portions of the peer-specific certificate.
Methods operational on a group administrator peer node are also provided. According to one or more implementations of such methods, a public key and private key pair associated with the group administrator peer node may be obtained. A peer group may be created in the peer-to-peer overlay network, the group defining one or more peer nodes as its members. A peer-specific certificate may be assigned to a group member peer node that is a member of the group, where the peer-specific certificate is adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network. The peer-specific certificate may include a group identity, the group member peer node identity, an issuer identity, and a signature made with the issuer's private key over one or more portions of the peer-specific certificate.
At least one other feature provides a group member peer node, which may include a communication interface and a storage medium, each coupled to a processing circuit. The communication interface may be adapted to facilitate communication over the peer-to-peer overlay network. The storage medium may include a private key and public key pair associated with the group member peer node.
According to various implementations, the processing circuit may be adapted to receive a peer-specific group certificate via the communication interface. The peer-specific group certificate may be issued to the group member peer node by a group administrator peer node, and may include a group identity, the group member peer node identity, the identity of the group administrator peer node, and a signature made with the group administrator peer node's private key over one or more portions of the peer-specific group certificate. The processing circuit may further send the peer-specific group certificate to a validating peer node via the communication interface. The processing circuit may also send authentication data to the validating peer node via the communication interface. The authentication data may be signed using the private key associated with the group member peer node.
Methods operational on a group member peer node are also provided. According to one or more implementations of such methods, a public key and private key pair associated with the group member peer node may be obtained. A peer-specific group certificate issued to the group member peer node by a group administrator peer node may be received. The peer-specific group certificate may include a group identity, the group member peer node identity, the identity of the group administrator peer node, and a signature made with the group administrator peer node's private key over one or more portions of the peer-specific group certificate. The peer-specific group certificate may be sent to a validating peer node to authenticate the group member peer node as a member of the group, where the peer-specific group certificate is adapted to be authenticated by the validating peer node. Authentication data may also be sent to the validating peer node, where the authentication data is signed using the private key associated with the group member peer node.
Additional features provide a validating peer node, which may include a communication interface adapted to facilitate communication over the peer-to-peer overlay network, and a processing circuit coupled to the communication interface. According to various implementations, the processing circuit may be adapted to receive, via the communication interface, a peer-specific group certificate from a group member peer node seeking authentication as a member of the group. The peer-specific group certificate may include a group identity, the group member peer node identity, the identity of the group administrator peer node, and a signature made with the group administrator peer node's private key over one or more portions of the peer-specific group certificate. The processing circuit may obtain a group token from the peer-to-peer overlay network. The group token may include a signature made with the group administrator peer node's private key, and may be stored in the peer-to-peer overlay network as a data object identified by the group identity. The processing circuit may verify the signature of the group token using the public key of the group administrator peer node, to confirm that the group administrator peer node is authorized to issue the peer-specific group certificate, and may verify the peer-specific group certificate using the public key associated with the group administrator peer node.
Methods operational on a validating peer node are also provided. According to one or more implementations of such methods, a peer-specific group certificate may be received from a group member peer node seeking authentication as a member of the group. The peer-specific group certificate may include a group identity, the group member peer node identity, the identity of the group administrator peer node, and a signature made with the group administrator peer node's private key over one or more portions of the peer-specific group certificate. A group token may be obtained from the peer-to-peer overlay network. The group token may include a signature made with the group administrator peer node's private key, and may be stored in the peer-to-peer overlay network as a data object identified by the group identity. The signature of the group token may be verified using the public key of the group administrator peer node, to confirm that the group administrator peer node is authorized to issue the peer-specific group certificate, and the peer-specific group certificate may be verified using the public key associated with the group administrator peer node.
Brief Description of the Drawings
Fig. 1 is a block diagram illustrating a network that includes a peer-to-peer overlay network, in which data objects may be stored among the nodes of the overlay network.
Fig. 2 is a flow diagram illustrating, according to at least one example, a process for providing a node certificate from a trusted authority to a peer node of a peer-to-peer overlay network.
Fig. 3 is a block diagram of a network environment for facilitating group management and member authentication in an overlay network that is not centrally coordinated by a server or stable host.
Fig. 4 (comprising Figs. 4A and 4B) is a flow diagram illustrating group management and member authentication according to at least one implementation in which group member peer nodes employ peer-specific group certificates.
Fig. 5 (comprising Figs. 5A and 5B) is a flow diagram illustrating group management and member authentication according to at least one implementation in which group member peer nodes employ peer-specific node certificates.
Fig. 6 is a block diagram illustrating selected components of a peer node serving as a group administrator, according to at least one implementation.
Fig. 7 is a flow diagram illustrating an example of at least one implementation of a method, operational on a group administrator peer node, for facilitating group membership authentication in a peer-to-peer overlay network.
Fig. 8 is a block diagram illustrating selected components of a peer node serving as a group member that intends to access data objects, according to at least one implementation.
Fig. 9 is a flow diagram illustrating an example of at least one implementation of a method, operational on a group member peer node, for facilitating group membership authentication in a peer-to-peer overlay network.
Fig. 10 is a block diagram illustrating selected components of a peer node used to validate the group membership of another peer node, according to at least one implementation.
Fig. 11 is a flow diagram illustrating an example of at least one implementation of a method, operational on a validating peer node, for facilitating group membership authentication in a peer-to-peer overlay network.
Detailed Description
In the following description, specific details are given to provide a thorough understanding of the described implementations. However, it will be understood by one of ordinary skill in the art that the implementations may be practiced without these specific details. For example, circuits may be shown in block diagram form in order not to obscure the implementations in unnecessary detail. In other instances, well-known circuits, structures and techniques may not be shown in detail in order not to obscure the described implementations.
The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any implementation or embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or implementations. Likewise, the term "embodiments" does not require that all embodiments include the discussed feature, advantage or mode of operation. The terms "peer-to-peer overlay network" and "peer node" as used herein are meant to be interpreted broadly. For example, a "peer-to-peer overlay network" may refer to an overlay network that is not centrally coordinated by servers or stable hosts and that includes a distributed application architecture partitioning tasks or workloads between peers. Further, a "peer node" may refer to a device that facilitates communication over a peer-to-peer overlay network. Examples of a "peer node" may include printers, tablet computers, televisions, mobile phones, personal digital assistants, personal media players, laptop computers, notebook computers, desktop computers, etc.
Overview
One feature facilitates group access control in a peer-to-peer overlay network. A group may be formed by a user in the peer-to-peer overlay network. The group is given a group name, by which it is identified in the peer-to-peer overlay network; the group name may be distinct from the names of other groups and/or data objects in the same overlay network. A group administrator, which may be the peer node or user that created the group, may manage the membership of the group. The group administrator may assign a peer-specific certificate to each group member. In some implementations, the group administrator assigns the peer-specific certificate by issuing the certificate itself. In other implementations, the group administrator may request that a trusted authority issue a peer-specific certificate for each group member.
According to one feature, each group member holding a peer-specific certificate may use that certificate to authenticate itself as a valid member of the group. Such authentication may be distributed among the peer nodes of the overlay network. For example, a validating peer node may receive a peer-specific certificate from a group member and may verify the group member in order to authenticate that it is the rightful owner of the certificate. The validating peer node verifies the group member using the public key of the node to which the certificate was issued; that public key is either included in the certificate or is located according to the identity of the peer node associated with the public key in the certificate. In addition, the validating peer node may verify the certificate itself using the public key of the issuer of the certificate, to authenticate that the peer-specific group certificate was properly issued.
Exemplary Network Environment
Fig. 1 is a block diagram illustrating a network 100 that includes an overlay network not centrally coordinated by servers or stable hosts, in which data objects may be stored among the nodes of the overlay network. The overlay network may include a peer-to-peer overlay network 102. Such a peer-to-peer overlay network 102 may use an underlying network of any type (such as an IP network) to allow a plurality of peer nodes 104A-104F to communicate with one another over the overlay network 102. The underlying network may include any number of network types, such as a wide area network (WAN), a local area network (LAN), a wireless network (e.g., WWAN, WLAN) and/or any other type of network.
Peer nodes 104A-104F may include any device adapted to communicate via the peer-to-peer overlay network 102. Such devices may include a middleware layer adapted to facilitate communication via the peer-to-peer overlay network 102. By way of example and not limitation, peer nodes 104A-104F may include devices such as printers, tablet computers, televisions, mobile phones, personal digital assistants, personal media players, laptop and notebook computers, and/or desktop computers, among other devices.
According to one or more implementations described herein, each peer node 104A-104F is provided with a private key and public key pair. The private key is kept secret by the corresponding peer node 104A-104F and is known only to it. The public key may be distributed to other peer nodes. Each peer node 104A-104F further obtains a node certificate from a trusted authority (e.g., a registration server). Each node certificate may include the identity of the corresponding peer node and/or a user identity, the public key of the peer node, the identity of the trusted authority that issued the node certificate, and the signature of that trusted authority. The public key of the trusted authority may be distributed to each peer node 104A-104F for verifying certificates signed by the trusted authority.
Fig. 2 is a flow diagram illustrating at least one example of a process for providing a node certificate from a trusted authority 202 to a peer node 104 (e.g., any of the peer nodes 104A-104F of Fig. 1). A peer node 104 joining a peer-to-peer overlay network (e.g., the peer-to-peer overlay network 102 of Fig. 1), or its user, may be provided with a unique key pair comprising a public key (PbK-Peer) and a private key (PvK-Peer), as shown at 204. In other implementations, such a key pair may be issued by the trusted authority 202. The trusted authority 202 (such as a registration server) has an identity (TA-ID) and a unique private key and public key pair (PvK-TA, PbK-TA), as shown at 206.
The peer node 104 may send a transmission 208 to the trusted authority 202 to request a node certificate. If the peer node 104 was previously provided with a public key (PbK-Peer), this transmission may include the peer node's public key (PbK-Peer). Upon receiving the request, the trusted authority 202 generates a peer identity (Peer ID) (210). As used herein, a peer identity may include the identity of the peer device and/or the identity of the user of the peer device. The trusted authority 202 may then generate a node certificate (Node Cert) for the peer node 104 (212) and send the node certificate to the peer node 104 (214). The node certificate includes the peer identity (Peer ID) of the peer node 104, the public key (PbK-Peer) of the peer node, the identity (TA-ID) of the trusted authority, and a signature (Sig_PvK-TA) made with the trusted authority's private key. According to various implementations, the signature (Sig_PvK-TA) made with the trusted authority's private key may cover the entire node certificate (as shown) or one or more individual pieces of data (or portions) included in the node certificate. The public key (PbK-TA) of the trusted authority 202 may be distributed to each peer node on the peer-to-peer overlay network for verifying node certificates.
A node certificate may accordingly be used to authenticate the peer node 104. For example, a validating peer node may receive the node certificate from the peer node 104. Using the peer node's public key (PbK-Peer) included in the certificate, the validating peer node may carry out a challenge-response exchange to authenticate that the peer node 104 is the true owner of the node certificate. In addition, the validating peer node may use the trusted authority identity (TA-ID) to retrieve the public key of the trusted authority 202. Using the public key of the trusted authority 202, the validating peer node may also verify the signature (Sig_PvK-TA) of the node certificate, which indicates that the node certificate was issued by the trusted authority 202.
Referring again to Fig. 1, each peer node 104A-104F may communicate with the other peer nodes 104A-104F via the peer-to-peer overlay network 102 without central coordination by a server or stable host. For example, each peer node 104A-104F may make a portion of its resources (e.g., processing power, disk storage, network bandwidth) available to another peer node, and may use a portion of another peer node's resources, without central coordination by a server or stable host. In at least some implementations, at least some of the peer nodes 104A-104F may store data objects in the peer-to-peer overlay network 102. When a data object is stored in the peer-to-peer overlay network 102, an identifier associated with the data object is used to locate the data object in the peer-to-peer overlay network when access to it is needed. By storing the data object at one of the other peer nodes 104A-104F, the data object is thereby stored in the peer-to-peer overlay network 102.
The owner of a data object may specify access controls over data objects stored in the peer-to-peer overlay network 102. For example, a peer node 104 and/or its user may specify the groups of peer nodes and/or groups of users that are authorized to access its data objects stored in the peer-to-peer overlay network 102. Such authorized groups of peer nodes and/or groups of users are referred to herein generally as groups.
Facilitating group management and member authentication
Turning to Fig. 3, a network environment for facilitating group management and member authentication is shown for an overlay network that is not centrally coordinated by a server or stable host. In this example, peer nodes 104A-104F from Fig. 1 are used for illustration. When peer node 104A and/or its user specifies (or creates) a group, that peer node 104A and/or its user can manage the membership of the group in peer-to-peer overlay network 102, and can be referred to herein as the group administrator. Throughout this disclosure, a reference to a group administrator peer node (for example, group administrator peer node 104A) refers to the peer node device and/or its user. According to one feature, group administrator peer node 104A can assign a peer-specific certificate to each peer node 104 and/or user that is a member of the group. In some implementations, the peer-specific certificate can be a peer-specific group certificate issued by group administrator peer node 104A. In other implementations, the peer-specific certificate can be a peer-specific node certificate issued to each group member by a trusted authority upon authorization from group administrator peer node 104A.
A peer node and/or user that is a member of the group (for example, peer node 104B) can subsequently request access to a data object stored via peer-to-peer overlay network 102. As used herein, an access request can include a request for one of several levels of access, including but not limited to read access or read/modify access (i.e., read/write access). A peer node and/or user that is a group member and requests access to a data object may be referred to herein as a group member peer node (for example, group member peer node 104B) or an accessing peer node. The access control can specify that members of the group are allowed some access, but it may be desirable to confirm that group member peer node 104B is in fact a member of the group.
According to one feature, the enforcement of group access control can be distributed among the peer nodes of the overlay network. For example, a peer node can be used to confirm that group member peer node 104B is actually a member of the group, as group member peer node 104B claims. Such a peer node that authenticates or confirms the group membership of group member peer node 104B may be referred to herein as validating peer node 104C. According to one or more implementations, group member peer node 104B can send its peer-specific certificate (for example, a peer-specific group certificate or a peer-specific node certificate) to validating peer node 104C. Validating peer node 104C can then validate group member peer node 104B using a public key that is either included in the peer-specific certificate or located using other information included in the peer-specific certificate (for example, the identity of group member peer node 104B). Validating peer node 104C can also validate the peer-specific certificate using the public key of the certificate's issuer (for example, the group administrator peer node in the case of a peer-specific group certificate, or the trusted authority in the case of a peer-specific node certificate). According to one feature, validating peer node 104C can independently confirm that group member peer node 104B is a member of the group. That is, validating peer node 104C can confirm the group membership of group member peer node 104B on its own, without employing another peer node or a central server to provide validation information or to perform one or more validation functions.
It should be noted that although group administrator peer node 104A, group member peer node 104B and validating peer node 104C are depicted as different peer nodes in the illustrated implementation, in various implementations a single peer node can perform the roles of more than one of the described peer nodes. For example, group administrator peer node 104A can also be the group member peer node 104B that requests access to a data object and is validated by validating peer node 104C. In another example, group administrator peer node 104A can be used to authorize the group member peer node 104B that requests access to a data object, in which case group administrator peer node 104A is also validating peer node 104C. In yet another example, group member peer node 104B can also operate as validating peer node 104C when it is used to validate another group member peer node.
Figs. 4 and 5 are flow charts illustrating examples of group management and member authentication according to various implementations of the present disclosure. Turning first to Fig. 4 (comprising Figs. 4A and 4B), a flow chart is shown illustrating group management and member authentication according to at least one implementation in which group member peer nodes employ peer-specific group certificates. In this example, group administrator peer node 104A, group member peer node 104B and validating peer node 104C described with reference to Fig. 1 are used for illustration.
Initially, group administrator peer node A 104A can obtain a node certificate (Node Cert-A) 402 from a trusted authority (for example, trusted authority 202 in Fig. 2). Node certificate 402 includes the identity (Peer-A ID) of peer node A, the public key (PbK-A) of peer node A, the identity (TA-ID) of the trusted authority and the signature of the trusted authority, and can be obtained in a manner similar to that described above with reference to Fig. 2.
At 404, peer node A 104A can create a group and give the group a name (for example, Group X). The group name is a unique name for identifying the group. To ensure that the group name is unique, peer node A 104A can generate a group token and store the group token (406) in the peer-to-peer overlay network under the group name. The group token (shown as group token 408 in Fig. 4A) can be stored using a single-value model, in which only one data object can be stored under any particular name in the peer-to-peer overlay network. Accordingly, if another data object or group is already using the group name as its identifier, a group token 408 that reuses the name will be routed by the peer-to-peer overlay network to the same storing peer node as the other, identically named object, causing a name conflict at that storing peer node. When such a conflict occurs, group administrator peer node A 104A can be notified to choose a different group name. When no name conflict occurs, group administrator peer node A 104A can be assured that the selected group name is unique.
Group token 408 can include a description of the group (for example, Group-X), the identity of the group administrator, the identities of the members of the group and/or other information. The group token can also include a signature generated with the private key of group administrator peer node A 104A (Group-X token (Sig_PvK-A)).
After the group is created and the group token is stored in the peer-to-peer overlay network, group administrator peer node A 104A can generate a peer-specific group certificate for each member of the group (410) and send the corresponding peer-specific group certificate to each member peer node (412). For example, a peer-specific group certificate (for example, Group-X_Cert_peer-B) can be generated for peer node B 104B at 410 and then sent to peer node B 104B at 412. The peer-specific group certificate (Group-X_Cert_peer-B) can include the group name (Group-X), the identity (Peer-A ID) of group administrator peer node A 104A and the identity (Peer-B ID) of the recipient peer node. According to at least some implementations, the peer-specific group certificate (Group-X_Cert_peer-B) can also include the public key (PbK-B) of the recipient peer node. Group administrator peer node A 104A can sign the peer-specific group certificate with its private key (Sig_PvK-A). For example, the peer-specific group certificate can be signed with an algorithm such as RSA signature, elliptic curve signature or another known signature scheme. Although Fig. 4 shows the signature (Sig_PvK-A) made with the private key as a signature over the whole peer-specific group certificate (Group-X_Cert_peer-B), in other implementations the signature (Sig_PvK-A) can be a signature over any one or more individual pieces of data included in the peer-specific group certificate (Group-X_Cert_peer-B). Peer node B 104B can receive the peer-specific group certificate at 414 and store it for identifying itself as a member of Group X in the future.
Turning to Fig. 4B, when group member peer node B 104B wishes to access a data object that requires group membership, another peer node in the peer-to-peer overlay network can be used to confirm the membership of the group member peer node in the group. In the example shown in Fig. 4, peer node C 104C is used as the validating peer node. Validating peer node C 104C can be the same peer node that stores the data object to which group member peer node B 104B is requesting access, or validating peer node C 104C can be another peer node in the network. To confirm the group membership of group member peer node B 104B, group member peer node B 104B can send the peer-specific group certificate (Group-X_Cert_peer-B) to validating peer node C 104C.
Using the information from the peer-specific group certificate (Group-X_Cert_peer-B), validating peer node C 104C can authenticate that peer node B 104B is a valid member of Group X. For example, validating peer node C 104C can verify that group member peer node B 104B is the legitimate owner of the peer-specific group certificate (Group-X_Cert_peer-B) and that the certificate was legitimately issued by group administrator peer node A 104A.
As shown in Fig. 4B, validating peer node C 104C can obtain a digital signature over a piece of data signed with the private key of group member peer node B 104B, to verify that group member peer node B 104B holds the private key corresponding either to the public key in the peer-specific group certificate or to the public key associated with the peer node B identity (Peer-B ID) included in the peer-specific group certificate. For example, validating peer node C 104C can send a random challenge to group member peer node B 104B (418). Group member peer node B 104B can sign the random challenge with its private key and, at step 420, send the signed random challenge (Sig_PvK-B(random challenge)) to validating peer node C 104C. Validating peer node C 104C can then verify the signed response using the peer-specific public key (PbK-B) included in the peer-specific group certificate (Group-X_Cert_peer-B) (421).
In other implementations, validating peer node C 104C can use the identity (Peer-B ID) of group member peer node B 104B from the peer-specific group certificate to obtain the peer-specific public key (PbK-B) from the peer-to-peer overlay network. For example, validating peer node C 104C can use the identity Peer-B ID from the group certificate to obtain the public key directly from group member peer node B 104B. In other implementations, validating peer node C 104C can use the identity Peer-B ID to obtain the node certificate of peer node B 104B, which includes its public key as described above and provides additional trust because it was issued and signed by the trusted authority.
Validating peer node C 104C can also verify that group administrator peer node A 104A is the group administrator and verify the signature of the peer-specific group certificate, to confirm that the certificate was indeed signed by group administrator peer node A 104A. For example, validating peer node C 104C can obtain the node certificate (Node Cert-A) of group administrator peer node A 104A (422), which can be authenticated from the signature (Sig_PvK-TA) of the trusted authority. In at least one example, validating peer node C 104C can use the identity (Peer-A ID) of the group administrator peer node from the peer-specific group certificate (Group-X_Cert_peer-B) to retrieve the node certificate (Node Cert-A) of group administrator peer node 104A. In at least another example, in which the peer-specific group certificate may not include the identity of the group administrator, validating peer node C 104C can use the group name (Group-X) to obtain the group token from the peer-to-peer overlay network in order to find the identity of the group administrator.
If validating peer node C 104C has not yet accessed the group token, it can retrieve the group token from the peer-to-peer overlay network (424), and the public key (PbK-A) of group administrator peer node A 104A from the node certificate (Node Cert-A) can be used to verify the signature of the group token, to authenticate that peer node A 104A is the group administrator and is authorized to issue and/or sign the peer-specific group certificate (426). Using the public key (PbK-A) from the node certificate (Node Cert-A) of group administrator peer node A 104A, validating peer node C 104C can also verify the signature (Sig_PvK-A) included with the peer-specific group certificate (Group-X_Cert_peer-B) (428).
If validating peer node C 104C successfully verifies that group member peer node B 104B is the legitimate owner of the peer-specific group certificate (Group-X_Cert_peer-B) and that the certificate was legitimately issued by group administrator peer node A 104A, the group membership of group member peer node B 104B is verified (430), and validating peer node C 104C can grant access to the requested data object (432). If any verification step fails, the group membership of group member peer node B 104B is not established and access to the data object can be denied.
According to at least some implementations, validating peer node C 104C can cache the identity (Peer-A ID) and public key (PbK-A) of group administrator peer node A 104A together with the group name, for verifying other members of the same group in the future. In the implementation described with reference to Fig. 4, group membership management and peer-specific certificate issuance are performed by the group administrator peer node. The trusted authority therefore does not participate in the group management process, but provides an additional layer of trust by issuing node certificates to each peer node; these node certificates can be used to verify public keys and identities, as set forth herein.
Turning now to Fig. 5 (comprising Figs. 5A and 5B), a flow chart is shown illustrating group management and member authentication according to at least one implementation in which group member peer nodes employ peer-specific node certificates. In this example, the trusted authority is responsible for issuing peer-specific certificates to group members, while the enforcement of group access control remains distributed among the peer nodes of the peer-to-peer overlay network. As shown, group administrator peer node A 104A, group member peer node B 104B and validating peer node C 104C described with reference to Fig. 1, and trusted authority 202 described with reference to Fig. 2, are used for illustration. In the implementation shown in Fig. 5, group administrator peer node A 104A does not generate the peer-specific certificates itself; instead, group administrator peer node A 104A communicates with trusted authority 202, and trusted authority 202 generates a peer-specific node certificate for each group member.
Initially, with reference to Fig. 5A, group administrator peer node A 104A can obtain a node certificate (Node Cert-A) 502 from trusted authority 202, and peer node B 104B can obtain a node certificate (Node Cert-B) 504 from trusted authority 202. The node certificate of peer node A includes the identity (Peer-A ID) of peer node A, the public key (PbK-A) of peer node A, the identity (TA-ID) of the trusted authority and a signature (Sig_TA) made by trusted authority 202. Similarly, the node certificate of peer node B includes the identity (Peer-B ID) of peer node B, the public key (PbK-B) of peer node B, the identity (TA-ID) of the trusted authority and a signature (Sig_TA) made by trusted authority 202. Each node certificate can be obtained in a manner similar to that described above with reference to Fig. 2.
At 506, peer node A 104A can create a group and give the group a name (for example, Group X). The group name is a unique name for identifying the group. In this example, group administrator peer node A 104A registers the group under the group name with trusted authority 202 (508). Trusted authority 202 checks and ensures that the group name is unique. Trusted authority 202 can maintain a record of all group names and of the identity of the group administrator of each group. In some implementations, registering the group with trusted authority 202 can also be combined with storing a group token on the peer-to-peer overlay network, in which case trusted authority 202 can verify the uniqueness of the group name by checking the information stored in the overlay, as described above with reference to Fig. 4.
When a peer node or its user wishes to join a group, a request can be sent to the group administrator. For example, if peer node B 104B wishes to join Group-X, a request 510 to join Group-X can be sent to group administrator peer node A 104A. The request to join Group-X can include the node certificate (Node Cert-B) of peer node B 104B. Group administrator peer node A 104A can approve or reject the request. If the request to join Group-X is approved, group administrator peer node A 104A assigns a peer-specific certificate to peer node B 104B. For example, group administrator peer node A 104A can send a request 512 to trusted authority 202 asking trusted authority 202 to add peer node B 104B as a member of Group-X and to issue a peer-specific node certificate to peer node B 104B, thereby assigning the peer-specific certificate. The request to add peer node B 104B can include forwarding the node certificate (Node Cert-B) of peer node B 104B to trusted authority 202.
Upon receiving the request from group administrator peer node A 104A, trusted authority 202 authenticates the node identity (Peer-A ID) of group administrator peer node A 104A and verifies that this node identity (Peer-A ID) matches the identity of the group administrator in its group record (514). If this verification succeeds, trusted authority 202 issues a new node certificate (new Node Cert-B) to peer node B 104B (516). The new node certificate includes all the information in the old certificate (Node Cert-B) plus the name of the group the peer has just joined. For example, the new node certificate (new Node Cert-B) includes the identity (Peer-B ID) of peer node B, the public key (PbK-B) of peer node B, the identity (TA-ID) of the trusted authority, a signature (Sig_TA) made by trusted authority 202 and the group name (Group-X), to indicate that peer node B 104B is a member of Group-X. The new node certificate (new Node Cert-B) can be sent to peer node B 104B directly from trusted authority 202, or sent to peer node B 104B via group administrator peer node A 104A. As used herein, a new node certificate indicating group membership may also be referred to as a peer-specific node certificate.
Turning to Fig. 5B, when peer node B 104B wishes to access a data object that requires group membership (for example, membership of Group-X), another peer node in the peer-to-peer overlay network can be used to confirm the membership of the group member peer node in the group. In the example shown in Fig. 5, peer node C 104C is used as the validating peer node. It should be noted that, for clarity, trusted authority 202 shown in Fig. 5A is not shown in Fig. 5B, and peer node A 104A and peer node B 104B are illustrated as continuing onto Fig. 5B. Circled 'A' and circled 'B' are shown to depict peer node A 104A and peer node B 104B continuing from Fig. 5A to Fig. 5B. It should further be noted that peer node C 104C is illustrated in Fig. 5B but not in Fig. 5A.
As stated, validating peer node C 104C shown in Fig. 5B is used to confirm that group member peer node B 104B is a member of the group. Validating peer node C 104C can be the same peer node that stores the data object to which group member peer node B 104B is requesting access, or validating peer node C 104C can be another peer node in the network. To confirm the group membership of group member peer node B 104B, group member peer node B 104B can send its peer-specific node certificate (new Node Cert-B) to validating peer node C 104C (518).
Using the information from the peer-specific node certificate (new Node Cert-B), validating peer node C 104C can authenticate that group member peer node B 104B is a valid member of Group X. For example, validating peer node C 104C can verify that group member peer node B 104B is the legitimate owner of the peer-specific node certificate (new Node Cert-B) and that the certificate was indeed issued by trusted authority 202.
To verify that group member peer node B 104B is the legitimate owner of the peer-specific node certificate (new Node Cert-B), validating peer node C 104C can obtain a digital signature over a piece of data signed with the private key of group member peer node B 104B. From this digital signature, validating peer node C 104C can verify that group member peer node B 104B holds the private key corresponding to the public key in the peer-specific node certificate (new Node Cert-B). For example, validating peer node C 104C can send a random challenge 520 to group member peer node B 104B. Group member peer node B 104B can sign the random challenge with its private key and, at step 522, send the signed random challenge (Sig_PvK-B(random challenge)) to validating peer node C 104C. Validating peer node C 104C can then verify the signed response using the peer-specific public key (PbK-B) (524). If the response is verified, validating peer node C 104C is assured that group member peer node B 104B holds the private key associated with the peer-specific node certificate (new Node Cert-B).
Validating peer node C 104C can also verify the signature of the peer-specific node certificate (new Node Cert-B), to confirm that the certificate was issued by trusted authority 202. For example, validating peer node C 104C can retrieve the public key (PbK-TA) of trusted authority 202. In some instances, validating peer node C 104C may already hold a copy of the public key (PbK-TA) of the trusted authority, or validating peer node C 104C can use the identity of trusted authority 202 (Peer-A ID) included in the peer-specific node certificate (new Node Cert-B) to retrieve the public key (PbK-TA) of the trusted authority. Using the public key (PbK-TA) of trusted authority 202, validating peer node C 104C can verify the signature (Sig_TA) included with the peer-specific node certificate (new Node Cert-B) (526).
If validating peer node C 104C successfully verifies that group member peer node B 104B is the legitimate owner of the peer-specific node certificate (new Node Cert-B) and that the certificate was legitimately issued by trusted authority 202, the group membership of group member peer node B 104B is verified (528), and validating peer node C 104C can grant access to the requested data object (530). If any verification step fails, the group membership of group member peer node B 104B is not established and access to the data object can be denied.
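The certificate issuance and validation steps of Figs. 2, 4 and 5 above, as an added example in Go that is not part of the patent or of any Qualcomm implementation. It uses Ed25519 from the Go standard library in place of the RSA or elliptic curve scheme the patent mentions; the to-be-signed encodings, the type and field names, and the identifiers used below (TA-1, Peer-A, Peer-B, Group-X) are assumptions of the example. VerifyGroupCert is validating peer node C's Fig. 4 check (challenge-response, the administrator's node certificate, the group token, the administrator's signature on the group certificate); VerifyMembership is its Fig. 5 check (the trusted authority's signature on the reissued node certificate, challenge-response, presence of the group name). The trusted authority's own check of the requesting administrator (step 514) and the group-name uniqueness checks (steps 406 and 508) are not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"slices"
)

// NodeCert is the certificate the trusted authority (TA) issues to a peer (Fig. 2). Groups is empty in
// the Fig. 4 flow and lists the peer's group names in the Fig. 5 "new Node Cert-B"; Sig is Sig_PvK-TA.
type NodeCert struct {
	PeerID, TAID string
	PubKey       ed25519.PublicKey
	Groups       []string
	Sig          []byte
}

// GroupCert is the peer-specific group certificate of Fig. 4; Sig is the administrator's Sig_PvK-A.
type GroupCert struct {
	GroupName, AdminID, MemberID string
	MemberKey                    ed25519.PublicKey
	Sig                          []byte
}

// GroupToken is stored in the overlay under the group name (Fig. 4A, step 406); Sig is Sig_PvK-A.
type GroupToken struct {
	GroupName, AdminID string
	Sig                []byte
}

// The to-be-signed encodings are an assumption of this example; the patent fixes no wire format.
func (c *NodeCert) tbs() []byte { return []byte(fmt.Sprintf("node|%s|%s|%x|%v", c.PeerID, c.TAID, c.PubKey, c.Groups)) }
func (c *GroupCert) tbs() []byte { return []byte(fmt.Sprintf("gcert|%s|%s|%s|%x", c.GroupName, c.AdminID, c.MemberID, c.MemberKey)) }
func (t *GroupToken) tbs() []byte { return []byte("token|" + t.GroupName + "|" + t.AdminID) }

type signable interface{ tbs() []byte }

func Sign(priv ed25519.PrivateKey, s signable) []byte { return ed25519.Sign(priv, s.tbs()) }

// Verify checks the key length first: ed25519.Verify panics on a malformed key, and here the key
// comes from a certificate supplied by the very peer that is being validated.
func Verify(pub ed25519.PublicKey, s signable, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, s.tbs(), sig)
}

// IssueNodeCert is the TA side of Fig. 2 (steps 210-214); with a non-empty groups list it also
// produces the reissued "new Node Cert-B" of Fig. 5 (step 516).
func IssueNodeCert(taID string, taPriv ed25519.PrivateKey, peerID string, pub ed25519.PublicKey, groups []string) *NodeCert {
	c := &NodeCert{PeerID: peerID, TAID: taID, PubKey: pub, Groups: groups}
	c.Sig = Sign(taPriv, c)
	return c
}

// proveKey is the challenge-response of steps 418-421 and 520-524: the validator draws a fresh random
// challenge, the member signs it, and the signature is checked against the key carried in the certificate.
func proveKey(pub ed25519.PublicKey, sign func([]byte) []byte) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, challenge, sign(challenge)) {
		return errors.New("challenge response does not match the certificate key")
	}
	return nil
}

// VerifyGroupCert is validator C's check of a Fig. 4 group certificate (steps 416-430). Every step runs
// locally on C once the group certificate, the administrator's node certificate and the group token are in hand.
func VerifyGroupCert(gc *GroupCert, adminCert *NodeCert, token *GroupToken, taPub ed25519.PublicKey, sign func([]byte) []byte) error {
	if err := proveKey(gc.MemberKey, sign); err != nil { // B holds the private key for PbK-B
		return err
	}
	if adminCert.PeerID != gc.AdminID || !Verify(taPub, adminCert, adminCert.Sig) { // step 422
		return errors.New("administrator node certificate invalid or issued to a different peer")
	}
	if token.GroupName != gc.GroupName || token.AdminID != adminCert.PeerID ||
		!Verify(adminCert.PubKey, token, token.Sig) { // steps 424-426: A really administers this group
		return errors.New("group token does not authorise this administrator for this group")
	}
	if !Verify(adminCert.PubKey, gc, gc.Sig) { // step 428
		return errors.New("group certificate was not signed by the administrator")
	}
	return nil
}

// VerifyMembership is validator C's Fig. 5 check (steps 518-528); the TA's signature covers the group list.
func VerifyMembership(nc *NodeCert, group string, taPub ed25519.PublicKey, sign func([]byte) []byte) error {
	if !Verify(taPub, nc, nc.Sig) { // step 526
		return errors.New("node certificate was not signed by the TA")
	}
	if err := proveKey(nc.PubKey, sign); err != nil { // steps 520-524
		return err
	}
	if !slices.Contains(nc.Groups, group) {
		return errors.New("certificate carries no membership of " + group)
	}
	return nil
}
```

To exercise the Fig. 4 path, generate three key pairs with ed25519.GenerateKey(nil) for the trusted authority, peer A and peer B, call IssueNodeCert for Node Cert-A, build a GroupToken and a GroupCert and sign each with A's private key via Sign, and hand them to VerifyGroupCert together with a closure that signs the challenge with B's private key; for the Fig. 5 path, call IssueNodeCert for B with []string{"Group-X"} and pass the result to VerifyMembership. Every check fails closed: a challenge signed with some other key, a token signed by anyone but the administrator, a certificate field altered after signing, or a public key of the wrong length all return an error rather than granting access. The two equality checks in VerifyGroupCert (token.AdminID against the administrator's certified identity, and token.GroupName against the group certificate's name) are what stop an administrator of one group from issuing certificates for another; dropping either leaves the signatures valid but the authorization chain broken.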
Exemplary group administrator peer node
Fig. 6 is a block diagram illustrating selected components of a peer node 600 used as a group administrator according to at least one implementation. Group administrator peer node 600 may also be referred to herein as the group's main peer node. Peer node 600 can include a processing circuit 602 coupled to a storage medium 604 and a communication interface 606.
Processing circuit 602 is generally arranged to obtain, process and/or send data, control data access and storage, issue commands and control other desired operations, and can include, in at least one embodiment, circuitry configured to implement desired programming provided by an appropriate medium (such as storage medium 604).
Storage medium 604 can represent one or more devices for storing programming such as processor-executable code or instructions (for example, software, firmware), electronic data, databases or other digital information, and/or data. Storage medium 604 can be coupled to processing circuit 602 so that processing circuit 602 can read information from, and write information to, storage medium 604. Alternatively, storage medium 604 can be integrated into processing circuit 602.
Storage medium 604 of group administrator peer node 600 can include a private key 608, a public key 610 and a node certificate 612 stored therein. Private key 608 is used with a conventional signature algorithm to sign data conveyed by group administrator peer node 600, and is generally known only to group administrator peer node 600 (that is, it is not communicated to other peer nodes). Public key 610 is distributed to other peer nodes and is used to verify data signed with private key 608.
Storage medium 604 can additionally include group creation operations 614 and peer-specific certificate assignment operations 616 stored therein. Group creation operations 614 can be implemented by processing circuit 602, for example in a group creator module 618, to create a group. Peer-specific certificate assignment operations 616 can be implemented by processing circuit 602, for example in a certificate assignor module 620, to assign a peer-specific certificate to each member of the created group. In some implementations, peer-specific certificate assignment operations 616 can be adapted to generate a peer-specific group certificate for each group member. In other implementations, peer-specific certificate assignment operations 616 can be adapted to request that a trusted authority issue a peer-specific node certificate to each group member.
Communication interface 606 is configured to facilitate wireless and/or wired communication of peer node 600. For example, communication interface 606 can be configured to communicate information bidirectionally with other peer nodes in the peer-to-peer overlay network. Communication interface 606 can be coupled to an antenna and can include wireless transceiver circuitry, and/or can include a network interface card (NIC), a serial or parallel connection, a universal serial bus (USB) interface, a FireWire interface, a Thunderbolt interface or any other suitable arrangement for communicating with public and/or private networks, where the wireless transceiver circuitry includes at least one transmitter 622 and/or at least one receiver 624 (for example, one or more transmitter/receiver chains) for wireless communication with, for example, the peer-to-peer overlay network.
According to one or more features of peer node 600 implemented as a group administrator, processing circuit 602 can be adapted to perform any or all of the processes, functions, steps and/or routines related to the various group administrator peer nodes (for example, group administrator peer node 104A) described above with reference to Figs. 3-5. As used herein, the term "adapted" in relation to processing circuit 602 can mean that processing circuit 602 is one or more of configured, employed, implemented or programmed to perform a particular process, function, step and/or routine according to the various features.
Fig. 7 is a flow chart illustrating an example of at least one implementation of a method operational on a peer node such as group administrator peer node 600. With reference to both Figs. 6 and 7, at step 702 the peer node can obtain a public key and private key pair. For example, peer node 600 can obtain public key 610 and private key 608. As noted above, public key 610 can be distributed to other peer nodes and can be used to verify data signed with private key 608. Private key 608, on the other hand, can be known only to peer node 600. In at least some implementations, the private key and public key pair can be obtained by provisioning such keys to peer node 600 (for example, by the manufacturer), or the keys can be generated by peer node 600 using conventional key generation techniques and algorithms.
At step 704, a peer group can be created, where the group defines one or more peer nodes as members of the group. As noted above, a reference to a group of peer nodes can refer to peer nodes and/or users. As an example, processing circuit 602 can employ group creation operations 614 from the storage medium to create the group. For example, group creator module 618 of processing circuit 602 can create the group by selecting a group name and defining one or more peer nodes as members of the group. In some implementations, as part of group creation operations 614, processing circuit 602 can also generate a group token, where the group token is stored by peer node 600 in the peer-to-peer overlay network as a data object identified by the group's identity. That is, the group token can be stored in the peer-to-peer overlay network as a data object under the name of the group. The group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network (for example, validating peer nodes) that group administrator peer node 600 is authorized to issue peer-specific group certificates to group member peer nodes.
Group keeper peer node can for example, be assigned the certificate (706) because of reciprocity Fang Eryi to the group members peer node (, the group members peer node 104B in Fig. 3-5) of the member as this group subsequently.Because the certificate of reciprocity Fang Eryi is adapted to the member relation in this group of indication, and generally can comprise group identity, group members peer node identity, issue the identity of device and the signature of the private key by issuing device on one or more parts of this certificate because of reciprocity Fang Eryi.In some implementations, the certificate because of reciprocity Fang Eryi also can comprise the PKI of group members peer node.According at least one example, treatment circuit 602 can be adapted to (for example, in certificate assignor module 620) and realize the appointment of the certificate because of the reciprocity Fang Eryi operation 616 in storage medium 604, to assign the certificate because of reciprocity Fang Eryi to group members peer node.
In at least one is realized, because of the certificate of reciprocity Fang Eryi, assign operation 616 can comprise being adapted to and for example make treatment circuit 602(, certificate assignor module 620) by generating for group members peer node, assign the instruction because of the certificate of reciprocity Fang Eryi because of group certificate of reciprocity Fang Eryi.The group's certificate because of reciprocity Fang Eryi generating at treatment circuit 602 places can comprise group identity, group members peer node identity, the identity of group keeper peer node and the private key 608 by group keeper peer node 600 at this because of the signature on one or more parts of group's certificate of reciprocity Fang Eryi.In some implementations, the group's certificate because of reciprocity Fang Eryi also can comprise the PKI of group members peer node.As example, the signature being undertaken by private key 608 can adopt conventional signature scheme (such as RSA signature algorithm or ellipse curve signature algorithm etc.) to carry out by treatment circuit 602.In this type of is realized, because of the certificate of reciprocity Fang Eryi, assign operation 616 further to comprise to be adapted to make treatment circuit 602 will send to because of group's certificate of reciprocity Fang Eryi the instruction of group members peer node via communication interface 606.
In at least another kind of realization, because of the certificate of reciprocity Fang Eryi, assign operation 616 can comprise being adapted to and for example make treatment circuit 602(, certificate assignor module 620) by sending request to issue to group members peer node and assign the instruction because of the certificate of reciprocity Fang Eryi because of the node certificate of reciprocity Fang Eryi to being trusted authoritative institution via communication interface 606.By trusted the node certificate because of reciprocity Fang Eryi that authoritative institution issues and can be comprised group identity, group members peer node identity, trusted the identity of authoritative institution and the signature of the private key by being trusted authoritative institution on one or more parts of this node certificate because of reciprocity Fang Eryi.Because the node certificate of reciprocity Fang Eryi also can comprise the PKI of group members peer node.
Be assigned because of the group members peer node of the certificate of reciprocity Fang Eryi can be subsequently by confirmation side's peer node (for example, confirmation side peer node 104C in Fig. 3-5) by following operation, authenticate: use or be included in certificate because of reciprocity Fang Eryi at this, to utilize the identity of this group members peer node to verify this group members peer node from the PKI of this group members peer node of reciprocity overlay network acquisition, and use the PKI that is associated because of the identity of issuing device in the certificate of reciprocity Fang Eryi with this (for example, use public-key 610 or the PKI of being trusted authoritative institution) verify that this is because of the certificate of reciprocity Fang Eryi.
Exemplary group member peer node (i.e., accessing peer node)
Fig. 8 is a block diagram illustrating selected components of a peer node 800 serving as a group member that intends to access a data object, according to at least one implementation. Group member peer node 800 can also be referred to herein as accessing peer node 800. Peer node 800 can include a processing circuit 802 coupled to a storage medium 804 and a communication interface 806.
Processing circuit 802 is generally arranged to obtain, process and/or send data, control data access and storage, issue commands, and control other desired operations, and can include, in at least one embodiment, circuitry configured to implement desired programming provided by an appropriate medium, such as storage medium 804.
Storage medium 804 can represent one or more devices for storing programming and/or data, such as processor executable code or instructions (e.g., software, firmware), electronic data, databases or other digital information. Storage medium 804 can be coupled to processing circuit 802 so that processing circuit 802 can read information from and write information to storage medium 804. In the alternative, storage medium 804 can be integral to processing circuit 802.
Storage medium 804 of group member peer node 800 can include a private key 808 and a public key 810 stored therein. Private key 808 is used to sign data conveyed by group member peer node 800 and is typically known only to group member peer node 800 (i.e., it is not communicated to other peer nodes). Public key 810 is distributed to other peer nodes and is used to verify data signed with private key 808.
Storage medium 804 also includes a peer-specific certificate 812 stored therein. According to various implementations, peer-specific certificate 812 can comprise a peer-specific group certificate or a peer-specific node certificate (i.e., a new node certificate).
Communication interface 806 is configured to facilitate wireless and/or wired communication of group member peer node 800. For example, communication interface 806 can be configured to communicate information bidirectionally with other peer nodes in the peer-to-peer overlay network. Communication interface 806 can be coupled to an antenna and can include wireless transceiver circuitry, which includes at least one transmitter 814 and/or at least one receiver 816 (e.g., one or more transmitter/receiver chains) for wireless communication with the peer-to-peer overlay network, and/or can include a network interface card (NIC), a serial or parallel connection, a Universal Serial Bus (USB) interface, a FireWire interface, a Thunderbolt interface, or any other suitable arrangement for communicating with a public and/or private network.
According to one or more features of group member peer node 800, processing circuit 802 can be adapted to perform any or all of the processes, functions, steps and/or routines related to the various group member peer nodes (e.g., group member peer node 104B) described above with reference to Figs. 3-5. As used herein, the term "adapted" in relation to processing circuit 802 can refer to processing circuit 802 being one or more of configured, employed, implemented or programmed to perform a particular process, function, step and/or routine according to the various features.
Fig. 9 is a flow chart illustrating an example of at least one implementation of a method operational on a peer node, such as group member peer node 800. Referring to both Figs. 8 and 9, at step 902 the peer node can obtain a public key and private key pair. For example, peer node 800 can obtain public key 810 and private key 808. As noted above, public key 810 can be distributed to other peer nodes and can be used to verify data signed with private key 808 using a conventional signature algorithm. Private key 808, on the other hand, can be known only to peer node 800. In at least some implementations, the private and public key pair associated with group member peer node 800 is obtained by provisioning peer node 800 with such keys (e.g., by the manufacturer), or the keys can be generated by peer node 800 using conventional key generation techniques and algorithms.
At step 904, peer node 800 can receive a peer-specific certificate. For example, processing circuit 802 can receive peer-specific certificate 812 via communication interface 806. Peer-specific certificate 812 is adapted to indicate group membership to other peer nodes in the peer-to-peer overlay network (e.g., a verifier peer node). Peer-specific certificate 812 generally can include the group identity, the identity of group member peer node 800, the identity of the issuer, and a signature by the issuer's private key over one or more portions of peer-specific certificate 812. Peer-specific certificate 812 can further include public key 810. In some implementations, peer-specific certificate 812 can be received in response to a request sent from peer node 800 to a group administrator peer node.
In at least one implementation, peer-specific certificate 812 can comprise a peer-specific group certificate issued by a group administrator peer node. Such a peer-specific group certificate can include the group identity, the identity of group member peer node 800, the identity of the group administrator peer node, and a signature by the group administrator peer node's private key over one or more portions of the peer-specific group certificate. The peer-specific group certificate can also include public key 810. In implementations where peer-specific certificate 812 comprises a peer-specific group certificate, the group identity included in the peer-specific group certificate can be adapted to locate a group token stored in the peer-to-peer overlay network as a data object identified by that group identity. As described herein, the group token can be adapted to authenticate that the group administrator peer node is authorized to issue peer-specific group certificates and to sign the peer-specific group certificate.
In another implementation, peer-specific certificate 812 can comprise a peer-specific node certificate (or new node certificate) issued by a trusted authority. Such a peer-specific node certificate (or new node certificate) can include the group identity, the identity of group member peer node 800, the identity of the trusted authority that issued the peer-specific node certificate, and a signature by the trusted authority's private key over one or more portions of the peer-specific node certificate. The peer-specific node certificate can also include public key 810. In implementations employing a peer-specific node certificate (or new node certificate), the peer-specific node certificate (or new node certificate) can replace a previously received node certificate that may be stored in storage medium 804 of peer node 800.
Peer node 800 can then employ the peer-specific certificate to authenticate itself as a member of the group. Accordingly, at step 906, group member peer node 800 can send the peer-specific certificate to a verifier peer node (e.g., verifier peer node 104C in Figs. 3-5) to authenticate itself as a member of the group. For example, processing circuit 802 can send a transmission to the verifier peer node via communication interface 806, where the transmission includes peer-specific certificate 812 (e.g., a peer-specific group certificate or a peer-specific node certificate).
At step 908, peer node 800 can send authentication data, signed with private key 808, to the verifier peer node. For example, processing circuit 802 can sign the authentication data using a conventional signature algorithm, such as an RSA signature algorithm or an elliptic curve signature algorithm. The signed authentication data can be sent by processing circuit 802 to the verifier peer node via communication interface 806.
The group membership of peer node 800 can be authenticated by the verifier peer node as follows: the verifier uses public key 810, obtained from the peer-specific certificate or from the peer-to-peer network, to verify the signed authentication data and thereby authenticate peer node 800. In addition, the verifier peer node can verify peer-specific certificate 812 sent by peer node 800 by employing the public key associated with the identity of the issuer, which is included in peer-specific certificate 812 (e.g., using the public key of the group administrator peer node or the public key of the trusted authority).
Exemplary verifier peer node
Fig. 10 is a block diagram illustrating selected components of a peer node 1000 used to verify the group membership of another peer node, according to at least one implementation. Verifier peer node 1000 can include a processing circuit 1002 coupled to a storage medium 1004 and a communication interface 1006.
Processing circuit 1002 is generally arranged to obtain, process and/or send data, control data access and storage, issue commands, and control other desired operations, and can include, in at least one embodiment, circuitry configured to implement desired programming provided by an appropriate medium, such as storage medium 1004.
Storage medium 1004 can represent one or more devices for storing programming and/or data, such as processor executable code or instructions (e.g., software, firmware), electronic data, databases or other digital information. Storage medium 1004 can be coupled to processing circuit 1002 so that processing circuit 1002 can read information from and write information to storage medium 1004. In the alternative, storage medium 1004 can be integral to processing circuit 1002.
Storage medium 1004 can include a group membership verification operation 1008 and a peer-specific certificate verification operation 1010 stored therein. Both group membership verification operation 1008 and peer-specific certificate verification operation 1010 can be implemented by processing circuit 1002, for example in peer and certificate verifier module 1012, to verify the group membership of a group member peer node (e.g., group member peer node 104B in Figs. 3-5). In at least some implementations, storage medium 1004 can include a data object 1011 of the peer-to-peer overlay network stored therein, and the group membership verification is performed in response to a request by the group member peer node to access data object 1011 as a member of a group that is authorized to access data object 1011.
Communication interface 1006 is configured to facilitate wireless and/or wired communication of verifier peer node 1000. For example, communication interface 1006 can be configured to communicate information bidirectionally with other peer nodes in the peer-to-peer overlay network. Communication interface 1006 can be coupled to an antenna and can include wireless transceiver circuitry, which includes at least one transmitter 1014 and/or at least one receiver 1016 (e.g., one or more transmitter/receiver chains) for wireless communication with the peer-to-peer overlay network, and/or can include a network interface card (NIC), a serial or parallel connection, a Universal Serial Bus (USB) interface, a FireWire interface, a Thunderbolt interface, or any other suitable arrangement for communicating with a public and/or private network.
According to one or more features of verifier peer node 1000, processing circuit 1002 can be adapted to perform any or all of the processes, functions, steps and/or routines related to the various verifier peer nodes (e.g., verifier peer node 104C) described above with reference to Figs. 3-5. As used herein, the term "adapted" in relation to processing circuit 1002 can refer to processing circuit 1002 being one or more of configured, employed, implemented or programmed to perform a particular process, function, step and/or routine according to the various features.
Fig. 11 is a flow chart illustrating an example of at least one implementation of a method operational on a peer node, such as verifier peer node 1000, for facilitating authentication of group membership in a peer-to-peer overlay network. Referring to both Figs. 10 and 11, at step 1102 the peer node can receive a peer-specific certificate from a group member peer node seeking to authenticate itself as a member of a group. For example, processing circuit 1002 can receive the peer-specific certificate from a group member peer node (e.g., group member peer node 104B in Figs. 3-5) via communication interface 1006. Generally, the peer-specific certificate can include the group name, the group member peer node identity, the identity of the issuer, and a signature by the issuer's private key over one or more portions of the peer-specific certificate. The peer-specific certificate can also include the public key of the group member peer node.
In at least one implementation, the received peer-specific certificate comprises a peer-specific group certificate issued to the group member peer node by a group administrator peer node. In this case, the peer-specific group certificate can include the group identity, the group member peer node identity, the identity of the group administrator peer node, and a signature by the group administrator peer node's private key over one or more portions of the peer-specific group certificate. The peer-specific group certificate can also optionally include the public key of the group member peer node.
In another implementation, the received peer-specific certificate comprises a peer-specific node certificate issued by a trusted authority. In this case, the peer-specific node certificate can include the group identity, the group member peer node identity, the identity of the trusted authority, and a signature by the trusted authority's private key over one or more portions of the peer-specific node certificate. The peer-specific node certificate can also optionally include the public key of the group member peer node.
At step 1108 (note that steps 1104 and 1106 are discussed below), verifier peer node 1000 can receive authentication data from the group member peer node, where the authentication data is signed by the private key of the group member peer node. For example, processing circuit 1002 can receive, via communication interface 1006, a transmission including the authentication data signed by the group member peer node's private key.
Upon receiving the signed authentication data, at step 1110 verifier peer node 1000 can verify the signature of the authentication data using the public key associated with the group member peer node. The public key associated with the group member peer node can be obtained from the peer-specific certificate (if it includes the public key) or from the peer-to-peer overlay network using the group member peer node identity included in the peer-specific certificate. For example, the group member peer node identity can be used to obtain that node's node certificate, which includes the public key associated with the group member peer node and is particularly trustworthy because the node certificate is issued and signed by a trusted authority. For example, processing circuit 1002 (e.g., peer and certificate verifier module 1012) can employ group membership verification operation 1008 to verify the signature using the group member peer node's public key from the peer-specific certificate. According to various implementations, group membership verification operation 1008 can be adapted to verify the signature using a conventional signature algorithm, such as an RSA signature algorithm, an elliptic curve signature algorithm or any other known signature algorithm.
At step 1112, verifier peer node 1000 can also verify the peer-specific certificate using the public key associated with the issuer identity found in the peer-specific certificate. For example, processing circuit 1002 can use the issuer identity included in the peer-specific certificate to retrieve the public key associated with that issuer identity (e.g., the public key of the group administrator peer node or the public key of the trusted authority). Using the issuer's public key, processing circuit 1002 (e.g., peer and certificate verifier module 1012) can employ peer-specific certificate verification operation 1010 to verify the signature included in the peer-specific certificate. According to various implementations, peer-specific certificate verification operation 1010 can be adapted to verify the signature using a conventional signature algorithm (such as an RSA signature algorithm, an elliptic curve signature algorithm or any other known signature algorithm).
In implementations employing a peer-specific group certificate, verifier peer node 1000 can obtain a group token from the peer-to-peer overlay network, as illustrated in optional step 1104. For example, processing circuit 1002 can use the group identity in the peer-specific group certificate to obtain the group token stored in the peer-to-peer overlay network as a data object identified by that group identity. As discussed previously, the group token includes a signature made by the private key of the group administrator peer node. Accordingly, verifier peer node 1000 can verify the signature of the group token using the public key of the group administrator peer node, to confirm that the group administrator peer node is the group administrator and/or is authorized to issue the peer-specific group certificate, as illustrated in optional step 1106.
Further, in implementations employing a peer-specific group certificate, the verifier peer node (e.g., processing circuit 1002) can retrieve the public key of the group administrator peer node by obtaining the group administrator peer node's node certificate from the peer-to-peer overlay network. As described herein, a peer node's node certificate includes the public key of the corresponding peer node and is signed by a trusted authority.
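As an added example (not code from the patent or its assignee), the complete issue-and-verify flow described above in Go: the trusted authority issues node certificates, the administrator creates a group (step 704) and issues peer-specific group certificates (706), the member signs a challenge (908), and the verifier carries out steps 1102-1112, including the group-token check (1104/1106) that ties the issuer named in the certificate to the token stored under the group name. The page names RSA or elliptic-curve signatures; Ed25519 from the Go standard library, JSON serialisation of the certificate fields, an in-memory map standing in for the overlay, and a verifier-supplied challenge as the authentication data are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Overlay stands in for the peer-to-peer overlay: data objects keyed by the identity they are
// stored under (node certificates under the node identity, the group token under the group name).
type Overlay map[string][]byte

// Cert carries the fields the text lists for a peer-specific certificate: group identity, member
// identity, issuer identity, optionally the member's public key, and the issuer's signature. The
// same structure serves as node certificate (trusted authority as issuer) and as group token.
type Cert struct {
	Group     string            `json:"group,omitempty"`
	Subject   string            `json:"subject"`
	Issuer    string            `json:"issuer"`
	SubjectPK ed25519.PublicKey `json:"subject_pk,omitempty"`
	Sig       []byte            `json:"sig,omitempty"`
}

// tbs returns the to-be-signed bytes: every field except the signature.
func (c Cert) tbs() []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }

// verifySig guards against malformed keys: ed25519.Verify panics on a wrong-length key, and the
// member key may come straight from a certificate the verifier has not validated yet.
func verifySig(pk ed25519.PublicKey, msg, sig []byte) bool {
	return len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, msg, sig)
}
func (ov Overlay) Publish(key string, c Cert) { b, _ := json.Marshal(c); ov[key] = b }
func (ov Overlay) Load(key string) (c Cert, err error) {
	if b, ok := ov[key]; ok {
		return c, json.Unmarshal(b, &c)
	}
	return c, fmt.Errorf("no data object %q in overlay", key)
}

// Node is any peer holding a key pair: administrator, member or trusted authority.
type Node struct{ ID string; priv ed25519.PrivateKey; Pub ed25519.PublicKey }

// NewNode is steps 702/902: obtain a key pair (nil reader selects crypto/rand).
func NewNode(id string) *Node {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return &Node{ID: id, priv: priv, Pub: pub}
}

// Issue signs a certificate naming n as issuer: step 706 for the administrator, node-certificate
// issuance for the trusted authority.
func (n *Node) Issue(group, subject string, subjectPK ed25519.PublicKey) Cert {
	c := Cert{Group: group, Subject: subject, Issuer: n.ID, SubjectPK: subjectPK}
	c.Sig = ed25519.Sign(n.priv, c.tbs())
	return c
}

// CreateGroup is step 704: the administrator stores a self-signed group token under the group's
// name, attesting that it is authorised to issue certificates for that group.
func (n *Node) CreateGroup(ov Overlay, group string) { ov.Publish(group, n.Issue(group, n.ID, n.Pub)) }

// SignAuthData is step 908: the member signs the verifier's challenge with its private key.
func (n *Node) SignAuthData(data []byte) []byte { return ed25519.Sign(n.priv, data) }

// Verifier is the verifier peer; the trusted authority's identity and public key are its only
// pre-configured trust root.
type Verifier struct{ TAID string; TAPub ed25519.PublicKey }

// nodeKey resolves a node identity to its public key via the node certificate in the overlay,
// which must be signed by the trusted authority.
func (v Verifier) nodeKey(ov Overlay, id string) (ed25519.PublicKey, error) {
	nc, err := ov.Load(id)
	if err != nil || nc.Issuer != v.TAID || nc.Subject != id || !verifySig(v.TAPub, nc.tbs(), nc.Sig) {
		return nil, fmt.Errorf("no node certificate for %q signed by the trusted authority", id)
	}
	return nc.SubjectPK, nil
}

// Verify is steps 1102-1112: cert is the received peer-specific certificate, authData the
// challenge the member signed and authSig its signature.
func (v Verifier) Verify(ov Overlay, cert Cert, authData, authSig []byte) error {
	// Step 1110: member public key from the certificate if present, else from the overlay.
	memberPK, err := cert.SubjectPK, error(nil)
	if memberPK == nil {
		if memberPK, err = v.nodeKey(ov, cert.Subject); err != nil {
			return err
		}
	}
	if !verifySig(memberPK, authData, authSig) {
		return fmt.Errorf("authentication data is not signed by %q", cert.Subject)
	}
	// Step 1112: issuer public key, selected by the issuer identity in the certificate.
	issuerPK := v.TAPub
	if cert.Issuer != v.TAID {
		if issuerPK, err = v.nodeKey(ov, cert.Issuer); err != nil {
			return err
		}
		// Steps 1104/1106: the group token under the group name must name this issuer and carry
		// its signature; otherwise any node with a node certificate could mint group certificates.
		tok, err := ov.Load(cert.Group)
		if err != nil || tok.Group != cert.Group || tok.Subject != cert.Issuer || !verifySig(issuerPK, tok.tbs(), tok.Sig) {
			return fmt.Errorf("group token for %q does not authorise issuer %q", cert.Group, cert.Issuer)
		}
	}
	if !verifySig(issuerPK, cert.tbs(), cert.Sig) {
		return fmt.Errorf("certificate signature by %q is invalid", cert.Issuer)
	}
	return nil
}
```

When the issuer is the trusted authority itself (the peer-specific node certificate variant), the token lookup is skipped because the authority's key is already the verifier's trust root.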
Although the group administrator peer node and the trusted authority are described herein as separate devices, it should be noted that the roles of group administrator and trusted authority can be purely logical. Accordingly, in at least some implementations, the group administrator and the trusted authority can comprise two pieces of code residing on the same physical device. In such implementations, communication and authentication between the group administrator and the trusted authority can be simplified and can rely on an application programming interface (API).
Further, the concept of a group in this disclosure can be mapped to services in a peer-to-peer overlay network, where each service provider can act as a group administrator and where one or more trusted authorities can exist to serve all service providers. In such implementations, a service provider can require a fee from each peer node before the peer node joins the group. The trusted authority can also be operated by a business entity having certain commercial agreement(s) with each service provider.
One or more of the components, steps, features and/or functions illustrated in Figs. 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 and/or 11 can be rearranged and/or combined into a single component, step, feature or function, or embodied in several components, steps or functions. Additional elements, components, steps and/or functions can also be added without departing from the scope of the disclosure. The apparatus, devices and/or components illustrated in Figs. 1, 3, 6, 8 and/or 10 can be configured to perform one or more of the methods, features or steps described in Figs. 2, 4, 5, 7, 9 and/or 11. The novel algorithms described herein can also be efficiently implemented in software and/or embedded in hardware.
Further, it is noted that at least some implementations are described as a process depicted as a flow graph, flow chart, structure diagram or block diagram. Although a flow chart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations can be rearranged. A process terminates when its operations are completed. A process can correspond to a method, function, procedure, subroutine, subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.
Further, embodiments can be implemented by hardware, software, firmware, middleware, microcode or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks can be stored in a machine-readable medium such as a storage medium or other storage(s). A processor can perform the necessary tasks. A code segment can represent a procedure, function, subprogram, program, routine, subroutine, module, software package, class, or any combination of instructions, data structures or program statements. A code segment can be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters or memory contents. Information, arguments, parameters, data, etc. can be passed, forwarded or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.
The various processing circuits 602, 802 and 1002 described herein are generally arranged to obtain, process and/or send data, control data access and storage, issue commands, and control other desired operations. In at least one embodiment, such processing circuits can include circuitry configured to implement desired programming provided by an appropriate medium, such as a storage medium (e.g., storage medium 604, 804, 1004). For example, a processing circuit can be implemented as one or more of a processor, a controller, a plurality of processors and/or other structure configured to execute executable instructions including, for example, software and/or firmware instructions, and/or hardware circuitry. Embodiments of a processing circuit can include a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic component, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor can be a microprocessor but, in the alternative, the processor can be any conventional processor, controller, microcontroller or state machine. A processor can also be implemented as a combination of computing components, such as a combination of a DSP and a microprocessor, a number of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. These examples of processing circuits are for illustration, and other suitable configurations within the scope of the disclosure are also contemplated.
The various storage media 604, 804 and 1004 described herein can each represent one or more devices for storing programming and/or data, such as processor executable code or instructions (e.g., software, firmware), electronic data, databases or other digital information. A storage medium can be any available media that can be accessed by a general purpose or special purpose processor. By way of example and not limitation, a storage medium can include read-only memory (e.g., ROM, EPROM, EEPROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash memory devices and/or other non-transitory computer-readable media for storing information.
The terms "machine-readable medium", "computer-readable medium" and/or "processor-readable medium" can include, but are not limited to, portable or fixed storage devices, optical storage devices and various other non-transitory media capable of storing, containing or carrying instructions and/or data. Thus, the various methods described herein can be partially or fully implemented by instructions and/or data that can be stored in a "machine-readable medium", "computer-readable medium" and/or "processor-readable medium" and executed by one or more processors, machines and/or devices.
The methods or algorithms described in connection with the examples disclosed herein can be embodied directly in hardware, in a software module executable by a processor, or in a combination of both, in the form of a processing unit, programming instructions or other directions, and can be contained in a single device or distributed across multiple devices. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. A storage medium can be coupled to a processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor.
Those of skill in the art would further appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the embodiments disclosed herein can be implemented as electronic hardware, computer software or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the overall system.
The various features of embodiment described herein can be implemented in different system and can not depart from the scope of the present disclosure.It should be noted that above embodiment is only example, and should not be construed as limiting the disclosure.The description of these embodiment is intended to explain orally, and is not intended to limit the scope of claim.Thus, instruction of the present invention can be applied to the device of other types ready-madely, and many replacements, modification and distortion will be apparent for those skilled in the art.

Claims (41)

1. A group administrator peer node, comprising:
a communication interface adapted to facilitate communication over a peer-to-peer overlay network;
a storage medium comprising a private key and public key pair associated with the group administrator peer node; and
a processing circuit coupled to the communication interface and the storage medium, the processing circuit adapted to:
create a peer-to-peer group, the group defining one or more peer nodes as members of the group; and
assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate being adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and comprising a group identity, an identity of the group member peer node, an identity of an issuer, and a signature over one or more portions of the peer-specific certificate by a private key of the issuer.
2. The group administrator peer node of claim 1, wherein the storage medium further comprises a node certificate of the group administrator peer node that is issued by a trusted authority or self-signed by the group administrator peer node.
3. The group administrator peer node of claim 1, wherein the peer-specific certificate further comprises a public key associated with the group member peer node.
4. The group administrator peer node of claim 1, wherein the peer-specific certificate is adapted to authenticate the group membership of the group member peer node to other peer nodes in the peer-to-peer overlay network once the group member peer node has been verified using the public key associated with the group member peer node and the peer-specific certificate has been verified using a public key associated with the identity of the issuer in the peer-specific certificate.
5. The group administrator peer node of claim 1, wherein the processing circuit is further adapted to:
issue a peer-specific group certificate to the group member peer node, the peer-specific group certificate comprising the group identity, the identity of the group member peer node, an identity of the group administrator peer node, and a signature over one or more portions of the peer-specific group certificate by the private key of the group administrator peer node.
6. The group administrator peer node of claim 5, wherein the processing circuit is adapted to issue the peer-specific group certificate to the group member peer node by:
generating the peer-specific group certificate for the group member peer node; and
sending the peer-specific group certificate to the group member peer node via the communication interface.
7. The group administrator peer node of claim 5, wherein the processing circuit is further adapted to:
generate a group token signed with the private key of the group administrator peer node; and
store the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate;
wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
8. The group administrator peer node of claim 1, wherein the processing circuit is adapted to assign the peer-specific certificate to the group member peer node by sending a request to a trusted authority to issue a peer-specific node certificate to the group member peer node, the peer-specific node certificate comprising the group identity, the identity of the group member peer node, an identity of the trusted authority, and a signature over one or more portions of the peer-specific node certificate by a private key of the trusted authority.
9. A method operational in a group administrator peer node, comprising:
obtaining a public key and private key pair associated with the group administrator peer node;
creating a peer-to-peer group in a peer-to-peer overlay network, the group defining one or more peer nodes as members of the group; and
assigning a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate being adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and comprising a group identity, an identity of the group member peer node, an identity of an issuer, and a signature over one or more portions of the peer-specific certificate by a private key of the issuer.
10. The method of claim 9, wherein the peer-specific certificate further comprises a public key associated with the group member peer node.
11. The method of claim 9, wherein the peer-specific certificate is adapted to authenticate the group membership of the group member peer node to other peer nodes in the peer-to-peer overlay network once the group member peer node has been verified using the public key associated with the group member peer node and the peer-specific certificate has been verified using a public key associated with the identity of the issuer in the peer-specific certificate.
12. The method of claim 9, wherein assigning the peer-specific certificate to the group member peer node comprises:
issuing a peer-specific group certificate to the group member peer node, the peer-specific group certificate comprising the group identity, the identity of the group member peer node, an identity of the group administrator peer node, and a signature over one or more portions of the peer-specific group certificate by the private key of the group administrator peer node.
13. The method of claim 12, wherein issuing the peer-specific group certificate to the group member peer node comprises:
generating the peer-specific group certificate for the group member peer node; and
sending the peer-specific group certificate to the group member peer node.
14. The method of claim 12, further comprising:
generating a group token signed with the private key of the group administrator peer node; and
storing the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate;
wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
15. The method of claim 9, wherein assigning the peer-specific certificate to the group member peer node comprises:
sending a request to a trusted authority to issue a peer-specific node certificate to the group member peer node, the peer-specific node certificate comprising the group identity, the identity of the group member peer node, an identity of the trusted authority, and a signature over one or more portions of the peer-specific node certificate by a private key of the trusted authority.
16. A group administrator peer node, comprising:
means for obtaining a public key and private key pair associated with the group administrator peer node;
means for creating a peer-to-peer group in a peer-to-peer overlay network, the group defining one or more peer nodes as members of the group; and
means for assigning a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate being adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and comprising a group identity, an identity of the group member peer node, an identity of an issuer, and a signature over one or more portions of the peer-specific certificate by a private key of the issuer.
17. The group administrator peer node of claim 16, further comprising:
means for generating a group token signed with the private key of the group administrator peer node; and
means for storing the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific certificate;
wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue a peer-specific group certificate to the group member peer node.
18. A processor-readable medium comprising instructions operational in a group administrator peer node, which when executed by a processor cause the processor to:
obtain a public key and private key pair associated with the group administrator peer node;
create a peer-to-peer group in a peer-to-peer overlay network, the group defining one or more peer nodes as members of the group; and
assign a peer-specific certificate to a group member peer node that is a member of the group, the peer-specific certificate being adapted to authenticate membership in the group to other peer nodes in the peer-to-peer overlay network and comprising a group identity, an identity of the group member peer node, an identity of an issuer, and a signature over one or more portions of the peer-specific certificate by a private key of the issuer.
19. The processor-readable medium of claim 18, further comprising instructions which when executed by the processor cause the processor to:
generate a group token signed with the private key of the group administrator peer node; and
store the group token in the peer-to-peer overlay network as a data object identified by the group identity included in the peer-specific group certificate;
wherein the group token is adapted to authenticate to other peer nodes in the peer-to-peer overlay network that the group administrator peer node is authorized to issue the peer-specific group certificate to the group member peer node.
20. A group member peer node, comprising:
a communication interface adapted to facilitate communication over a peer-to-peer overlay network;
a storage medium comprising a private key and public key pair associated with the group member peer node; and
a processing circuit coupled to the communication interface and the storage medium, the processing circuit adapted to:
receive, via the communication interface, from a group administrator peer node, a peer-specific group certificate issued to the group member peer node, the peer-specific group certificate comprising a group identity, an identity of the group member peer node, an identity of the group administrator peer node, and a signature over one or more portions of the peer-specific group certificate by a private key of the group administrator peer node;
send, via the communication interface, the peer-specific group certificate to a verifier peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the verifier peer node; and
send, via the communication interface, authentication data to the verifier peer node, the authentication data being signed using the private key associated with the group member peer node.
21. The peer node of claim 20, wherein the peer-specific group certificate is adapted to be authenticated by the verifier peer node by verifying the signed authentication data using the public key associated with the group member peer node and verifying the peer-specific group certificate using a public key associated with the group administrator peer node.
22. The peer node of claim 20, wherein the group identity in the peer-specific group certificate is adapted to locate a group token stored in the peer-to-peer overlay network as a data object identified by the group identity, and wherein the group token is adapted to authenticate that the group administrator peer node is authorized to issue and sign the peer-specific group certificate.
23. The peer node of claim 20, wherein the processing circuit is further adapted to:
send a request for group membership to the group administrator peer node, wherein the peer-specific group certificate is issued by the group administrator peer node in response to the request.
24. A method operational in a group member peer node, comprising:
obtaining a public key and private key pair associated with the group member peer node;
receiving, from a group administrator peer node, a peer-specific group certificate issued to the group member peer node, the peer-specific group certificate comprising a group identity, an identity of the group member peer node, an identity of the group administrator peer node, and a signature over one or more portions of the peer-specific group certificate by a private key of the group administrator peer node;
sending the peer-specific group certificate to a verifier peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the verifier peer node; and
sending authentication data to the verifier peer node, the authentication data being signed using the private key associated with the group member peer node.
25. The method of claim 24, wherein the peer-specific group certificate is adapted to be authenticated by the verifier peer node by verifying the signed authentication data using the public key associated with the group member peer node and verifying the peer-specific certificate using a public key associated with the group administrator peer node.
26. The method of claim 24, wherein receiving the peer-specific group certificate comprising the group identity comprises:
receiving the peer-specific group certificate comprising a group identity, the group identity being adapted to locate a group token stored in the peer-to-peer overlay network as a data object identified by the group identity, and wherein the group token is adapted to authenticate that the group administrator peer node is authorized to issue and sign the peer-specific group certificate.
27. The method of claim 24, further comprising:
sending a request for group membership to the group administrator peer node, wherein the peer-specific group certificate is issued by the group administrator peer node in response to the request.
28. A group member peer node, comprising:
means for obtaining a public key and private key pair associated with the group member peer node;
means for receiving, from a group administrator peer node, a peer-specific group certificate issued to the group member peer node, the peer-specific group certificate comprising a group identity, an identity of the group member peer node, an identity of the group administrator peer node, and a signature over one or more portions of the peer-specific group certificate by a private key of the group administrator peer node;
means for sending the peer-specific group certificate to a verifier peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the verifier peer node; and
means for sending authentication data to the verifier peer node, the authentication data being signed with the private key of the group member peer node.
29. A processor-readable medium comprising instructions operational in a group member peer node, which when executed by a processor cause the processor to:
obtain a public key and private key pair associated with the group member peer node;
receive, from a group administrator peer node, a peer-specific group certificate issued to the group member peer node, the peer-specific group certificate comprising a group identity, an identity of the group member peer node, an identity of the group administrator peer node, and a signature over one or more portions of the peer-specific group certificate by a private key of the group administrator peer node;
send the peer-specific group certificate to a verifier peer node to authenticate the group member peer node as a group member, wherein the peer-specific group certificate is adapted to be authenticated by the verifier peer node; and
send authentication data to the verifier peer node, the authentication data being signed with the private key of the group member peer node.
30. 1 kinds of confirmation side's peer node, comprising:
Communication interface, it is adapted to the communication of facilitating on reciprocity overlay network;
Be coupled to the treatment circuit of described communication interface, described treatment circuit is adapted to:
Via described communication interface, from seeking the group members peer node that authentication is group's member, receive the group's certificate because of reciprocity Fang Eryi, described group's certificate because of reciprocity Fang Eryi comprises that the identity of group identity, described group members peer node is, the identity of group keeper peer node and the signature of the private key by described group keeper peer node on one or more parts of the described group certificate because of reciprocity Fang Eryi;
From described reciprocity overlay network, obtain group's token, described group's token comprises the signature that the private key by described group keeper peer node carries out, and wherein said group's token is stored in described reciprocity overlay network as the data object being identified by described group's identity;
With the PKI being associated with described group keeper peer node, verify the described signature of described group's token, to confirm that described group keeper peer node is authorized, issue described group's certificate because of reciprocity Fang Eryi; And
With the PKI being associated with described group keeper peer node, verify described group's certificate because of reciprocity Fang Eryi.
31. peer node as claimed in claim 30, is characterized in that, described treatment circuit is adapted to:
From the node certificate of described group keeper peer node, obtain the PKI being associated with described group keeper peer node, wherein said node certificate comprises PKI, the identity of being trusted authoritative institution being associated with described group keeper peer node and the signature being undertaken by described private key of being trusted authoritative institution.
32. peer node as claimed in claim 30, is characterized in that, described treatment circuit is further adapted to:
Via described communication interface, from described group members peer node, receive verify data, wherein said verify data is that the private key by being associated with described group members peer node is signed; And
Use from described group's certificate because of reciprocity Fang Eryi, obtain or utilize in the described identity because of the described group members peer node group's certificate of reciprocity Fang Eryi and verify the verify data through signing from described reciprocity overlay network PKI that obtain, that be associated with described group members peer node.
33. peer node as claimed in claim 30, is characterized in that, further comprise:
Be coupled to the storage medium of described treatment circuit, described storage medium comprises the data object that described group members peer node is asking the member as described group to visit.
34. 1 kinds of methods that operate in confirmation side's peer node, comprising:
From seeking the group members peer node that authentication is group's member, receive the group's certificate because of reciprocity Fang Eryi, described group's certificate because of reciprocity Fang Eryi comprises that the identity of group identity, described group members peer node is, the identity of group keeper peer node and the signature of the private key by described group keeper peer node on one or more parts of the described group certificate because of reciprocity Fang Eryi;
From described reciprocity overlay network, obtain group's token, described group's token comprises the signature that the private key by described group keeper peer node carries out, and wherein said group's token is stored in described reciprocity overlay network as the data object being identified by described group's identity;
With the PKI being associated with described group keeper peer node, verify the described signature of described group's token, to confirm that described group keeper peer node is authorized, issue described group's certificate because of reciprocity Fang Eryi; And
With the PKI being associated with described group keeper peer node, verify described group's certificate because of reciprocity Fang Eryi.
35. methods as claimed in claim 34, is characterized in that, further comprise:
From the node certificate of described group keeper peer node, obtain the PKI being associated with described group keeper peer node, the described node certificate of wherein said group keeper peer node comprises the PKI being associated with described group of keeper's peer node, the identity of being trusted authoritative institution and the signature on one or more parts of described node certificate by described private key of being trusted authoritative institution.
36. methods as claimed in claim 34, is characterized in that, further comprise:
From described group members peer node, receive verify data, wherein said verify data is that the private key by being associated with described group members peer node is signed; And
Use from described group's certificate because of reciprocity Fang Eryi, obtain or from described reciprocity overlay network PKI that obtain, that be associated with described group members peer node, verify the verify data through signing.
37. methods as claimed in claim 34, is characterized in that, further comprise:
From described group members peer node, receive the request that access is stored in to the data object of described confirmation side peer node, wherein the access of described data object is limited to group members.
38. 1 kinds of confirmation side's peer node, comprising:
For receiving the device because of group's certificate of reciprocity Fang Eryi from seeking the group members peer node that authentication is group's member, described group's certificate because of reciprocity Fang Eryi comprises that the identity of group identity, described group members peer node is, the identity of group keeper peer node and the signature of the private key by described group keeper peer node on one or more parts of the described group certificate because of reciprocity Fang Eryi;
For obtain the device of group's token from described reciprocity overlay network, described group token comprises the signature that the private key by described group keeper peer node carries out, and wherein said group's token is stored in described reciprocity overlay network as the data object being identified by described group's identity;
Use the PKI being associated with described group keeper peer node to verify the described signature of described group's token, to confirm that described group keeper peer node is authorized, issue the device of described group's certificate because of reciprocity Fang Eryi; And
Means for verifying the peer-specific group certificate using the public key associated with the group administrator peer node.
39. The verifying peer node of claim 38, further comprising:
Means for receiving authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
Means for verifying the signed authentication data using a public key associated with the group member peer node, obtained from the peer-specific group certificate or from the peer-to-peer overlay network.
40. A processor-readable medium comprising instructions operational on a verifying peer node, which when executed by a processor cause the processor to:
Receive, from a group member peer node seeking authentication as a member of a group, a peer-specific group certificate, the peer-specific group certificate comprising a group identity, an identity of the group member peer node, an identity of a group administrator peer node, and a signature by a private key of the group administrator peer node over one or more portions of the peer-specific group certificate;
Obtain a group token from the peer-to-peer overlay network, the group token comprising a signature made by the private key of the group administrator peer node, wherein the group token is stored in the peer-to-peer overlay network as a data object identified by the group identity;
Verify the signature of the group token with a public key associated with the group administrator peer node, to confirm that the group administrator peer node is authorized to issue the peer-specific group certificate; and
Verify the peer-specific group certificate with the public key associated with the group administrator peer node.
41. The processor-readable medium of claim 40, further comprising instructions which, when executed by the processor, cause the processor to:
Receive authentication data from the group member peer node, wherein the authentication data is signed by a private key associated with the group member peer node; and
Verify the signed authentication data using a public key associated with the group member peer node, obtained from the peer-specific group certificate or from the peer-to-peer overlay network.
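The verifying peer's checks of claims 40 and 41, written out in Go with Ed25519 as an added example (not code from the patent or from Qualcomm). The field layouts of the token and certificate, the carrying of the administrator's public key inside the token, the in-memory map standing in for overlay storage, and the verifier-chosen challenge are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// GroupToken is the data object stored in the overlay under GroupID, signed by the administrator.
type GroupToken struct {
	GroupID, AdminID string
	AdminPub         ed25519.PublicKey // assumption: the administrator's key travels in the token
	Signature        []byte
}

// PeerGroupCert is the peer-specific group certificate; carrying MemberPub in it is one of the two sources claim 41 allows.
type PeerGroupCert struct {
	GroupID, MemberID, AdminID string
	MemberPub                  ed25519.PublicKey
	Signature                  []byte
}

func tokenTBS(t GroupToken) []byte { return []byte(fmt.Sprintf("token|%s|%s|%x", t.GroupID, t.AdminID, t.AdminPub)) }
func certTBS(c PeerGroupCert) []byte {
	return []byte(fmt.Sprintf("cert|%s|%s|%s|%x", c.GroupID, c.MemberID, c.AdminID, c.MemberPub))
}

// VerifyMembership runs the checks in claim order: token lookup, token signature, issuer binding,
// certificate signature, then the member's signed authentication data (a verifier-chosen challenge).
func VerifyMembership(ov map[string]GroupToken, c PeerGroupCert, challenge, authSig []byte) error {
	tok, ok := ov[c.GroupID]
	if !ok {
		return errors.New("no group token stored under the group identity")
	}
	// Trust in AdminPub rests on the overlay letting only the group administrator write the
	// object named GroupID (an assumption of this example, not something the check itself proves).
	if !ed25519.Verify(tok.AdminPub, tokenTBS(tok), tok.Signature) {
		return errors.New("group token signature invalid")
	}
	if tok.GroupID != c.GroupID || tok.AdminID != c.AdminID {
		return errors.New("certificate issuer is not the group's administrator")
	}
	if !ed25519.Verify(tok.AdminPub, certTBS(c), c.Signature) {
		return errors.New("peer-specific group certificate signature invalid")
	}
	if !ed25519.Verify(c.MemberPub, challenge, authSig) {
		return errors.New("member authentication data signature invalid")
	}
	return nil
}

// SetupGroup builds a constructed overlay with one signed token and issues one certificate.
func SetupGroup(groupID, adminID, memberID string) (map[string]GroupToken, PeerGroupCert, ed25519.PrivateKey) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	memberPub, memberPriv, _ := ed25519.GenerateKey(rand.Reader)
	tok := GroupToken{GroupID: groupID, AdminID: adminID, AdminPub: adminPub}
	tok.Signature = ed25519.Sign(adminPriv, tokenTBS(tok))
	cert := PeerGroupCert{GroupID: groupID, MemberID: memberID, AdminID: adminID, MemberPub: memberPub}
	cert.Signature = ed25519.Sign(adminPriv, certTBS(cert))
	return map[string]GroupToken{groupID: tok}, cert, memberPriv
}

func main() {
	ov, cert, memberPriv := SetupGroup("grp-photos", "alice", "bob")
	challenge := []byte("nonce-0001") // constructed verifier challenge
	fmt.Println(VerifyMembership(ov, cert, challenge, ed25519.Sign(memberPriv, challenge)))
}
```

A certificate minted by any key other than the one named in the stored group token fails at the issuer-binding step even when its own signature is well formed, which is the point of the group token check.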
CN201280031422.4A 2011-06-30 2012-06-29 Facilitating group access control to data objects in peer-to-peer overlay networks (granted as CN103621040B; status: Expired - Fee Related)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/174,532 (US8874769B2) 2011-06-30 2011-06-30 Facilitating group access control to data objects in peer-to-peer overlay networks
PCT/US2012/045060 (WO2013003783A1) 2011-06-30 2012-06-29 Facilitating group access control to data objects in peer-to-peer overlay networks

Publications (2)

Publication Number Publication Date
CN103621040A 2014-03-05
CN103621040B 2016-12-07

Family

ID=46545482

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280031422.4A 2011-06-30 2012-06-29 Facilitating group access control to data objects in peer-to-peer overlay networks (granted as CN103621040B; status: Expired - Fee Related)

Country Status (6)

Country Link
US (1) US8874769B2
EP (1) EP2727311A1
JP (1) JP5944501B2
KR (1) KR101553491B1
CN (1) CN103621040B
WO (1) WO2013003783A1

Also Published As

Publication number Publication date
KR101553491B1 2015-09-15
EP2727311A1 2014-05-07
US20130007442A1 2013-01-03
CN103621040B 2016-12-07
JP5944501B2 2016-07-05
KR20140026619A 2014-03-05
JP2014526171A 2014-10-02
US8874769B2 2014-10-28
WO2013003783A1 2013-01-03

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20161207
    Termination date: 20190629