Assuring external accessibility for devices on a network
First Claim
1. A computing device having an access control module comprising a verification public key and a computing device signature key, said access control module configured to:
- verify authorization of an external access payload, by verifying a digital signature affixed to the payload using the verification public key;
- permit the external access payload to execute on the computing device when the external access payload has been authorized;
- receive from a network access device information associated with a network access request lodged by the computing device; and
- create a plurality of digital signatures, using the computing device signature key, linking said information associated with the network access request with the verification public key, whereby granting the network access request is facilitated.
Abstract
Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.
43 Citations
19 Claims
1. A computing device having an access control module comprising a verification public key and a computing device signature key, said access control module configured to:
- verify authorization of an external access payload, by verifying a digital signature affixed to the payload using the verification public key;
- permit the external access payload to execute on the computing device when the external access payload has been authorized;
- receive from a network access device information associated with a network access request lodged by the computing device; and
- create a plurality of digital signatures, using the computing device signature key, linking said information associated with the network access request with the verification public key, whereby granting the network access request is facilitated.

Dependent claims: 2, 3, 4, 5, 6
7. A policy enforcing network access point comprising an access policy validation module configured to determine whether an external access policy is acceptably configured to:
- receive a request from a computing device to access an external network;
- receive from the computing device a proof of satisfying external access policy, where external accessibility requirements include requiring execution of a validated payload, where validation of the payload uses a value unique to said computing device;
- validate the proof of satisfying external access policy received from the computing device; and
- restrict access to the external network when the proof of satisfying external access policy is not deemed acceptable.

Dependent claims: 8, 9
10. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein;
  - said authorization comprises verifying a digital signature affixed by the external access entity;
  - the external access entity is not the user;
  - the cryptographic module is configured to use keys in cryptographic computations, generate and use communication encryption keys for encrypted communications with other devices, and to store communication encryption keys for a period of time commencing with or prior to use of the communication encryption keys by the computing device and ending at a time after the communication encryption keys have been used; and
  - the cryptographic module is further configured to provide access to stored communication encryption keys to an external access entity authorized by the access control module.

Dependent claims: 11, 12, 13, 14
15. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
- generating communication encryption keys in a cryptographic module located within the computing device;
- storing the communication encryption keys in the cryptographic module, and keeping said communication encryption keys stored for a period of time after use of said communication encryption keys by the computing device;
- receiving a request from an external access entity to access at least one of the stored communication encryption keys, wherein said request comprises a digital signature not created on the computing device;
- validating the digital signature of the external access entity request using a public verification key embedded in the computing device; and
- providing the external access entity with access to the requested stored communication encryption cryptographic keys when the digital signature has been validated.

Dependent claims: 16, 17
18. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein;
  - said authorization comprises verifying a digital signature affixed by the external access entity;
  - the external access entity is not the user;
  - the cryptographic module is configured to use keys in cryptographic computations, and to store keys for a period of time commencing with or prior to use of the keys by the computing device and ending at a time after the keys have been used;
  - the cryptographic module is further configured to provide access to stored keys to an external access entity authorized by the access control module;
  - the access archive module is further configured to record an authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
  - the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.
19. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
- generating keys in a cryptographic module located within the computing device;
- storing the keys in the cryptographic module, and keeping said keys stored for a period of time after use of said keys by the computing device;
- receiving a request from an external access entity to access at least one of the stored keys, wherein said request comprises a digital signature not created on the computing device;
- validating the external access entity request by validating the digital signature using a public verification key embedded in the computing device;
- providing the external access entity with access to at least one of the requested stored cryptographic keys when the digital signature has been validated; and
- recording in the computing device information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.
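
The flow described in the abstract and in claims 1 and 7, as an added example that is not part of the patent text: the device checks a payload signature against its embedded verification key, then signs the network access request information together with a fingerprint of that key, and the access point validates the result. Textbook RSA over small constructed primes stands in for a real signature scheme; all names, the use of a SHA-256 fingerprint as the link, and the production of a single linking signature (the claim recites a plurality) are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA key (n, d) from two known primes; toy sizes only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

def fingerprint(n):
    """SHA-256 of the public modulus, used to name a verification key."""
    return hashlib.sha256(n.to_bytes(32, "big")).digest()

# Constructed keys from Mersenne primes (assumption: stand-ins for real keys).
EAE_N, EAE_D = make_key(2**89 - 1, 2**127 - 1)  # external access entity key pair
DEV_N, DEV_D = make_key(2**61 - 1, 2**107 - 1)  # device signature key pair

class AccessControlModule:
    def __init__(self, verification_n, dev_n, dev_d):
        self.verification_n, self.dev_n, self.dev_d = verification_n, dev_n, dev_d

    def authorize_payload(self, payload, sig):
        """True only if the payload's signature verifies under the embedded key."""
        return verify(payload, sig, self.verification_n)

    def link_request(self, request_info):
        """Sign request info together with the verification key fingerprint."""
        fp = fingerprint(self.verification_n)
        return fp, sign(request_info + fp, self.dev_n, self.dev_d)

def access_point_accepts(request_info, fp, sig, dev_n, required_fp):
    """Grant access only when the proof names the required verification key
    and the device signature covers this exact request."""
    return fp == required_fp and verify(request_info + fp, sig, dev_n)
```
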
Specification