Managing authenticators in a computer system

US 10,530,814 B2
Filed: 03/15/2017
Issued: 01/07/2020
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method of managing keys by a management apparatus comprising at least one processor and memory in a computer system, comprising:

collecting from the computer system, by the management apparatus, information of existing public key infrastructure keys existing in the computer system,determining, by the management apparatus, further information associated with the collected information of the existing public key infrastructure keys,defining, by the management apparatus, an equivalence group comprising members based on the collected information of the existing public key infrastructure keys and associated with the members and the determined further information,associating, by the management apparatus, at least one policy action to the equivalence group, andcausing, by the management apparatus, performing of the at least one policy action on the existing public key infrastructure keys of all of the members of the equivalence group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Citations

20 Claims

1. A method of managing keys by a management apparatus comprising at least one processor and memory in a computer system, comprising:
- collecting from the computer system, by the management apparatus, information of existing public key infrastructure keys existing in the computer system,determining, by the management apparatus, further information associated with the collected information of the existing public key infrastructure keys,defining, by the management apparatus, an equivalence group comprising members based on the collected information of the existing public key infrastructure keys and associated with the members and the determined further information,associating, by the management apparatus, at least one policy action to the equivalence group, andcausing, by the management apparatus, performing of the at least one policy action on the existing public key infrastructure keys of all of the members of the equivalence group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the equivalence group comprises multiple hosts.
  - 3. The method of claim 2, wherein the determining of further information comprises determining whether the multiple hosts are sufficiently identical.
  - 4. The method of claim 3, wherein determining whether the multiple hosts are sufficiently identical comprises determining at least one of whether the multiple hosts have the same user data sources with the same filters, whether the multiple hosts have the same users, whether the multiple hosts mount the same network file systems, whether the multiple hosts have the same operating system and/or version, whether the multiple hosts have the same patches installed, and whether the multiple hosts have the same software packages installed.
  - 5. The method of claim 2, wherein the multiple hosts each comprise at least one of a computer, a computing node or apparatus on a network that has its own IP address and/or domain name, a mobile device, a cluster of computers, a distributed computer, and a virtual machine.
  - 6. The method of claim 1, wherein the at least one policy action comprises copying of a file to the members of the equivalence group.
  - 7. The method of claim 6, wherein the file is a key file.
  - 8. The method of claim 6, wherein the copying comprises copying the file in a system directory or to a home directory.
  - 9. The method of claim 1, wherein the at least one policy action on existing public key infrastructure keys of all members of the equivalence group comprises one of rotating keys, adding new keys, removing keys, and renewing keys.
  - 10. The method of claim 1, wherein the existing public key infrastructure keys comprise at least one of a public key and a private key.

11. An apparatus for managing keys in a computer system, the apparatus comprising at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to:
- collect, from the computer system, information of existing public key infrastructure keys existing in the computer system,determine further information associated with the collected information of the existing public key infrastructure keys,determine an equivalence group comprising members based on the collected information of the existing public key infrastructure keys and associated with the members and the determined further information,associate at least one policy action to the equivalence group, andcause performing of the at least one policy action on the existing public key infrastructure keys of all of the members of the equivalence group.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein the equivalence group comprises multiple hosts.
  - 13. The apparatus of claim 12, configured to determine whether the multiple hosts are sufficiently identical.
  - 14. The apparatus of claim 13, wherein the determination whether the multiple hosts are sufficiently identical comprises determination of at least one of whether the multiple hosts have the same user data sources with the same filters, whether the multiple hosts have the same users, whether the multiple hosts mount the same network file systems, whether the multiple hosts have the same operating system and/or version, whether the multiple hosts have the same patches installed, and whether the multiple hosts have the same software packages installed.
  - 15. The apparatus of claim 12, wherein the multiple hosts each comprise at least one of a computer, a computing node or apparatus on a network that has its own IP address and/or domain name, a mobile device, a cluster of computers, a distributed computer, and a virtual machine.
  - 16. The apparatus of claim 11, configured to cause copying of a file to the members of the equivalence group.
  - 17. The apparatus of claim 16, wherein the file comprises a key file.
  - 18. The apparatus of claim 16, wherein the copying comprises copying the file in a system directory or to a home directory.
  - 19. The apparatus of claim 11, wherein the at least one policy action on existing public key infrastructure keys of all members of the equivalence group comprises one of rotating keys, adding new keys, removing keys, and renewing keys.
  - 20. The apparatus of claim 11, wherein the existing public key infrastructure keys comprise at least one of a public key and a private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Ylonen, Tatu J.
Primary Examiner(s)
Bayou, Yonas A

Application Number

US15/459,287
Publication Number

US 20170222995A1
Time in Patent Office

1,028 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

H04L 61/4523   using lightweight directory...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321 : involving a third party or ...

H04L 9/3263 : involving certificates, e.g...

H04L 9/3268 : using certificate validatio...

View All

Managing authenticators in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing authenticators in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links