Secure communications improvements

US 10,511,448 B1
Filed: 03/15/2013
Issued: 12/17/2019
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a memory;

a security agent, at least a portion of which is to be implemented in a hardware processor, to extract and examine a certificate, wherein the certificate is used in authentication of a first secure communication channel with a domain,wherein the security agent stores in a non-transitory computer readable medium a relationship indicator between the domain and the certificate based on the detection of a pinning indicator within the extracted and examined certificate used in authentication of the first secure communication channel, wherein the detection of the pinning indicator comprises comparing the value of a field of the certificate with a predetermined value, and wherein data to be communicated over a second secure communication channel with the domain is secured via Secure Socket Layer (SSL) or Transport Layer Security (TLS) based on the stored relationship indicator between the domain and the certificate; and

wherein the relationship indicator comprises a pin in the certificate which records the domain, the certificate, and pin information into the memory for either the security agent or a web browser to enforce the pin.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus related to improving secure communications are described. In an embodiment, a security agent pins a domain to a certificate. The certificate is used in authenticating the domain, and the existence of a pinning indicator within the certificate is used in authenticating the domain. Once the security agent pins the domain to a certificate, a relationship between the domain and the certificate used in authenticating the domain is stored. Other embodiments are also disclosed and claimed.

Citations

21 Claims

1. An apparatus comprising:
- a memory;
  
  a security agent, at least a portion of which is to be implemented in a hardware processor, to extract and examine a certificate, wherein the certificate is used in authentication of a first secure communication channel with a domain,wherein the security agent stores in a non-transitory computer readable medium a relationship indicator between the domain and the certificate based on the detection of a pinning indicator within the extracted and examined certificate used in authentication of the first secure communication channel, wherein the detection of the pinning indicator comprises comparing the value of a field of the certificate with a predetermined value, and wherein data to be communicated over a second secure communication channel with the domain is secured via Secure Socket Layer (SSL) or Transport Layer Security (TLS) based on the stored relationship indicator between the domain and the certificate; and
  
  wherein the relationship indicator comprises a pin in the certificate which records the domain, the certificate, and pin information into the memory for either the security agent or a web browser to enforce the pin.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the stored relationship indicator based on the detection of the pinning indicator is used by a web browser.
  - 3. The apparatus of claim 2, wherein the stored relationship indicator based on the detection of the pinning indicator is used by a web browser for all subsequent communication channels.
  - 4. The apparatus of claim 1, wherein the relationship indicator is to comprise one or more bits of data.
  - 5. The apparatus of claim 1, wherein the relationship indicator is to comprise information corresponding to the certificate and the domain.
  - 6. The apparatus of claim 1, wherein the field of the certificate is related to a certificate issuer.
  - 7. The apparatus of claim 6, wherein the predetermined value identifies the certificate issuer by one or more of:
    - an AuthorityKeyIdentifier, an AuthorityInformationAccess, an Object Identifier (OID), or a Certification Practice Statement (CPS).
  - 8. The apparatus of claim 7, wherein the Object Identifier (OID) is an Extended Validation (EV) Object Identifier (OID).
  - 9. The apparatus of claim 7, wherein the Object Identifier (OID) is an Organization Validated (OV) Object Identifier (OID).
  - 10. The apparatus of claim 7, wherein the predetermined value is retrieved from storage.
  - 11. The apparatus of claim 6, wherein the predetermined value identifies an authorized pinning issuer.

12. A method to improve secure communications comprising:
- securing a first secure communication channel using one or more digital certificates;
  
  extracting a certificate from the one or more digital certificates used to secure the first communication channel;
  
  determining whether a pinning indicator is present within the extracted certificate by comparing a value of a field from the certificate with a predetermined value;
  
  pinning a domain to the extracted certificate based on the determination of whether the pinning indicator is present, wherein pinning the domain involves storing a relationship between the domain and the extracted certificate used to secure the first secure communication channel; and
  
  securing a second secure communication channel based on the stored relationship between the domain and the extracted certificate used to secure the first secure communication channel, wherein data communicated over the second secure communication channel is secured via Secure Socket Layer (SSL) or Transport Layer Security (TLS); and
  
  wherein the relationship indicator comprises a pin in the certificate which records the domain, the certificate, and pin information into the memory for either the security agent or a web browser to enforce the pin.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the relationship between the domain and the certificate is distributed to a client.
  - 14. The method of claim 12, wherein the digital certificates are X.509v3 certificates.
  - 15. The method of claim 14, wherein the value of a field from the extracted certificate is related to the issuer of the certificate and the predetermined value is an authorized pinning issuer, and wherein the authorized pinning issuer is retrieved from storage.
  - 16. The method of claim 12, wherein the predetermined value is an Extended Validation (EV) Object Identifier (OID).

17. A non-transitory computer-readable medium comprising instructions, that when executed, perform:
- examining certificate issuer information of a certificate, wherein the certificate is used in authentication of a first secure communication channel with a domain;
  
  determining without an indication from the domain, whether to add a pin a-for the domain to the certificate based on the certificate issuer information of the certificate used to authenticate the domain; and
  
  based on the determination whether to add a pin for the domain to the certificate, adding a pin for the domain to the certificate, wherein adding a pin for the domain to the certificate comprises adding a relationship between the domain and the certificate to an existing set of relationships between domains and certificates;
  
  securing a second secure communication channel based on the stored relationship between the domain and the extracted certificate used to secure the first secure communication channel, wherein data communicated over the second secure communication channel is secured via Secure Socket Layer (SSL) or Transport Layer Security (TLS); and
  
  wherein the relationship indicator comprises a pin in the certificate which records the domain, the certificate, and pin information into the memory for either the security agent or a web browser to enforce the pin.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory computer readable medium of claim 17, wherein the certificate issuer information includes one or more of:
    - an AuthorityKeyIdentifier certificate field, an AuthorityInformationAccess certificate field, an Extended Validation ObjectIdentifier within a certificate field, or a Certificate Practice Statement referencing indication to pin.
  - 19. The non-transitory computer readable medium of claim 17, wherein the certificate is an x.509v3 Certificate.
  - 20. The non-transitory computer readable medium of claim 19, wherein the result of the determination is distributed to a client.
  - 21. The non-transitory computer readable medium of claim 17, wherein adding a relationship between the domain and the certificate to an existing set of relationships between domains and certificates comprises storing to a storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jeffrey E. Brinskelle
Original Assignee
Jeffrey E. Brinskelle
Inventors
Brinskelle, Jeffrey E.
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Golriz, Arya

Application Number

US13/843,663
Time in Patent Office

2,468 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

H04L 9/3263   involving certificates, e.g...

Secure communications improvements

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communications improvements

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links