Server authentication using multiple authentication chains
First Claim
Patent Images
1. A method to authenticate a server to a client, the server having an associated public key, comprising:
- associating “
n”
distinct certificates to the server'"'"'s public key, each of the “
n”
distinct certificates being issued by a distinct certificate authority (CA), wherein each of the distinct certificates has a certification chain with a different root certificate authority, wherein the certificate chains for the “
n”
distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs;
responsive to the client initiating a request for a secure channel to the server during a cryptographic handshake, providing the client the “
n”
distinct certificates; and
responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establishing completing the cryptographic handshake to establish the secure channel between the client and the server;
the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust to thereby improve security of the cryptographic handshake.
1 Assignment
0 Petitions
Accused Products
Abstract
A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server'"'"'s public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server'"'"'s public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.
72 Citations
14 Claims
-
1. A method to authenticate a server to a client, the server having an associated public key, comprising:
-
associating “
n”
distinct certificates to the server'"'"'s public key, each of the “
n”
distinct certificates being issued by a distinct certificate authority (CA), wherein each of the distinct certificates has a certification chain with a different root certificate authority, wherein the certificate chains for the “
n”
distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs;responsive to the client initiating a request for a secure channel to the server during a cryptographic handshake, providing the client the “
n”
distinct certificates; andresponsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establishing completing the cryptographic handshake to establish the secure channel between the client and the server; the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust to thereby improve security of the cryptographic handshake. - View Dependent Claims (2, 3, 4)
-
-
5. An apparatus associated with a server having a public key, comprising:
-
a processor; computer memory holding computer program instructions executed by the processor to authenticate the server to a client, the computer program instructions configured to; associate “
n”
distinct certificates to the server'"'"'s public key, each of the “
n”
distinct certificates being issued by a distinct certificate authority (CA), wherein each of the distinct certificates has a certification chain with a different root certificate authority, wherein the certificate chains for the “
n”
distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs;responsive to the client initiating a request for a secure channel to the server during a cryptographic handshake, provide the client the “
n”
distinct certificates; andresponsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, completing the cryptographic handshake to establish the secure channel between the client and the server; the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust to thereby improve security of the cryptographic handshake. - View Dependent Claims (6, 7, 8)
-
-
9. A computer program product in a non-transitory computer readable medium for use in a data processing system associated with a server, the server having a public key, the computer program product holding computer program instructions which, when executed by the data processing system, are configured to:
-
associate “
n”
distinct certificates to the server'"'"'s public key, each of the “
n”
distinct certificates being issued by a distinct certificate authority (CA), wherein each of the distinct certificates has a certification chain with a different root certificate authority, wherein the certificate chains for the “
n”
distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs;responsive to the client initiating a request for a secure channel to the server, provide the client the “
n”
distinct certificates; andresponsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, completing the cryptographic handshake to establish the secure channel between the client and the server; the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust to thereby improve security of the cryptographic handshake. - View Dependent Claims (10, 11, 12)
-
-
13. A method to authenticate a server to a client, the server having an associated public key, comprising:
-
specifying a client public key acceptance policy, the client public key acceptance policy identifying a required number of certificates for the server public key that must be received from the server, and a trust function that is applied over information in the certificates and that must be satisfied to establish a client threshold level of trust; responsive to the client initiating a request for a secure channel to the server during a cryptographic handshake, receiving from the server “
n”
distinct certificates, each of the “
n”
distinct certificates having been issued to the server by a distinct certificate authority (CA);determining whether the “
n”
distinct certificates are valid;responsive to a determination that the “
n”
distinct certificates are valid and are non-overlapping with different root certificate authorities, determining whether certificate chains specified by the received certificates satisfy the trust function of the client public key acceptance policy; andresponsive to a determination that the certificate chains specified by the received certificates satisfy the trust function of the client public key acceptance policy, completing the cryptographic handshake to establish the secure channel; wherein applying the client public key acceptance policy improves security of the cryptographic handshake. - View Dependent Claims (14)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsPendarakis, Dimitrios, Valdez, Enriquillo
-
Primary Examiner(s)Arani, Taghi T
-
Assistant Examiner(s)champakesan, badridot
-
Application NumberUS15/087,486Publication NumberTime in Patent Office1,006 DaysField of Search713157US Class CurrentCPC Class CodesH04L 63/0823 using certificates cryptogr...
