Assuring external accessibility for devices on a network

US 10,348,706 B2
Filed: 05/04/2017
Issued: 07/09/2019
Est. Priority Date: 05/04/2017
Status: Active Grant

First Claim

Patent Images

1. A computing device having an access control module comprising a verification public key and a computing device signature key, said access control module configured to:

verify authorization of an external access payload, by verifying a digital signature affixed to the payload using the verification public key;

permit the external access payload to execute on the computing device when the external access payload has been authorized;

receive from a network access device information associated with a network access request lodged by the computing device; and

create a plurality of digital signatures, using the computing device signature key, linking said information associated with the network access request with the verification public key, whereby granting the network access request is facilitated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.

43 Citations

View as Search Results

19 Claims

1. A computing device having an access control module comprising a verification public key and a computing device signature key, said access control module configured to:
- verify authorization of an external access payload, by verifying a digital signature affixed to the payload using the verification public key;
  
  permit the external access payload to execute on the computing device when the external access payload has been authorized;
  
  receive from a network access device information associated with a network access request lodged by the computing device; and
  
  create a plurality of digital signatures, using the computing device signature key, linking said information associated with the network access request with the verification public key, whereby granting the network access request is facilitated.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing device of claim 1, wherein the payload'"'"'s digital signature used to verify authorization of the external access payload is not generated on the computing device.
  - 3. The computing device of claim 1, wherein creating a plurality of digital signatures using the computing device signature key comprises using the computing device signature key to digitally sign a message comprising information derived from said information associated with the network access request.
  - 4. The computing device of claim 1, wherein creating a plurality of digital signatures using the computing device signature key comprises one of the following:
    - using the computing device signature key to digitally sign a message comprising information derived from the verification public key;
      
      providing a digital certificate for a computing device verification key;
      
      wherein;
      
      the digital certificate references the verification public key; and
      
      the computing device verification key and the computing device signature key are a public/private key pair in a digital signature system.
  - 5. The computing device of claim 1, wherein said access control module further comprises:
    - an access archive module configured to record any external access payload authorized by the access control module, wherein;
      
      a record stored in the access archive module cannot be modified or deleted by any authorized external access payload; and
      
      the access archive module is further configured to output a record of any authorized external access payload.
  - 6. The computing device of claim 1, wherein the access control module is further configured to implement one of the following two rules:
    - prevent any software-only method from reducing external accessibility capabilities of the computing device;
      
      assure that when the computing device is coupled to the network access device, the access control module informs the network access device when external accessibility capabilities of the computing device are modified through software such that the computing device no longer meets the requirements for external accessibility established by the network access device.

7. A policy enforcing network access point comprising an access policy validation module configured to determine whether an external access policy is acceptably configured to:
- receive a request from a computing device to access an external network;
  
  receive from the computing device a proof of satisfying external access policy, where external accessibility requirements include requiring execution of a validated payload, where validation of the payload uses a value unique to said computing device;
  
  validate the proof of satisfying external access policy received from the computing device; and
  
  restrict access to the external network when the proof of satisfying external access policy is not deemed acceptable.
- View Dependent Claims (8, 9)
- - 8. The policy enforcing network access point of claim 7, wherein:
    - the access policy validation module further comprises a set of acceptable access verification public keys;
      
      the proof of satisfying external access policy received from the computing device comprises reference to an access verification public key used by the computing device; and
      
      the validation of the proof comprises checking whether the access verification public key referenced in the proof is contained in the set of acceptable access verification public keys.
  - 9. The policy enforcing network access point of claim 7, wherein the validation of the proof of satisfying external access policy comprises verifying a digital signature.

10. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein;
  
  said authorization comprises verifying a digital signature affixed by the external access entity;
  
  the external access entity is not the user;
  
  the cryptographic module is configured to use keys in cryptographic computations, generate and use communication encryption keys for encrypted communications with other devices, and to store communication encryption keys for a period of time commencing with or prior to use of the communication encryption keys by the computing device and ending at a time after the communication encryption keys have been used; and
  
  the cryptographic module is further configured to provide access to stored communication encryption keys to an external access entity authorized by the access control module.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computing device of claim 10, wherein:
    - the cryptographic module comprises a verification public key; and
      
      no digital signatures verified by the verification public key are generated on the computing device.
  - 12. The computing device of claim 10, wherein the cryptographic module is further configured to provide access to the external access entity to stored communication encryption keys that were previously used to encrypt communication messages in a specified previous time window.
  - 13. The computing device of claim 10, wherein the user is not able to use software to prevent an authorized external access entity from obtaining any of the stored keys.
  - 14. The computing device of claim 10, wherein the cryptographic module is further configured to:
    - generate and store future keys to be used in future cryptographic computations; and
      
      provide access to stored future keys to an external access entity authorized by the access control module.

15. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
- generating communication encryption keys in a cryptographic module located within the computing device;
  
  storing the communication encryption keys in the cryptographic module, and keeping said communication encryption keys stored for a period of time after use of said communication encryption keys by the computing device;
  
  receiving a request from an external access entity to access at least one of the stored communication encryption keys, wherein said request comprises a digital signature not created on the computing device;
  
  validating the digital signature of the external access entity request using a public verification key embedded in the computing device; and
  
  providing the external access entity with access to the requested stored communication encryption cryptographic keys when the digital signature has been validated.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein:
    - the request of the external access entity for access to the stored cryptographic keys comprises a time window; and
      
      the stored cryptographic keys provided by the computing device to the external access entity are restricted to keys used by the computing device within said time window.
  - 17. The method of claim 15, wherein:
    - the cryptographic module generates future cryptographic keys for use in the future; and
      
      said future cryptographic keys are provided by the computing device to the external access entity only when the time window in the request includes corresponding future times.

18. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein;
  
  said authorization comprises verifying a digital signature affixed by the external access entity;
  
  the external access entity is not the user;
  
  the cryptographic module is configured to use keys in cryptographic computations, and to store keys for a period of time commencing with or prior to use of the keys by the computing device and ending at a time after the keys have been used;
  
  the cryptographic module is further configured to provide access to stored keys to an external access entity authorized by the access control module;
  
  the access archive module is further configured to record an authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
  
  the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.

19. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
- generating keys in a cryptographic module located within the computing device;
  
  storing the keys in the cryptographic module, and keeping said keys stored for a period of time after use of said keys by the computing device;
  
  receiving a request from an external access entity to access at least one of the stored keys, wherein said request comprises a digital signature not created on the computing device;
  
  validating the external access entity request by validating the digital signature using a public verification key embedded in the computing device;
  
  providing the external access entity with access to at least one of the requested stored cryptographic keys when the digital signature has been validated; and
  
  recording in the computing device information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brickell Cryptology LLC
Original Assignee
Ernest Brickell
Inventors
Brickell, Ernest
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/586,681
Publication Number

US 20180324158A1
Time in Patent Office

796 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/123   received data contents, e.g...

H04L 63/306   intercepting packet switche...

H04L 9/0869   involving random numbers or...

H04L 9/0872   using geo-location informat...

H04L 9/0891   Revocation or update of sec...

H04L 9/12   Transmitting and receiving ...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Assuring external accessibility for devices on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Assuring external accessibility for devices on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links