External accessibility for network devices

US 10,652,245 B2
Filed: 07/02/2019
Issued: 05/12/2020
Est. Priority Date: 05/04/2017
Status: Active Grant

First Claim

Patent Images

1. A method for assuring that a computing device meets preselected requirements of external accessibility before allowing the computing device to access an external network, said method comprising the steps of a policy network access point:

receiving from the computing device a proof of establishing satisfaction of external accessibility requirements set by the policy enforcing network access point, where the external accessibility requirements include requiring execution of a validated payload, and validation of the payload uses a value unique to said computing device;

checking validity of the proof; and

granting the computing device access to the external network when the validity of the proof has been confirmed by the checking;

wherein satisfaction of the external accessibility requirements comprises satisfaction of one of the following two rules;

there is no software-only method for modifying external accessibility capabilities of the computing device;

there is a method to assure that when the computing device is coupled to the external network, the policy enforcing network access point is informed when external accessibility capabilities of the computing device are modified through software such that the computing device no longer satisfies the external accessibility requirements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211. In some embodiments, an encryption/decryption key pair 291, 292 is associated with External Access Entity Device 260 to further enhance security.

Citations

16 Claims

1. A method for assuring that a computing device meets preselected requirements of external accessibility before allowing the computing device to access an external network, said method comprising the steps of a policy network access point:
- receiving from the computing device a proof of establishing satisfaction of external accessibility requirements set by the policy enforcing network access point, where the external accessibility requirements include requiring execution of a validated payload, and validation of the payload uses a value unique to said computing device;
  
  checking validity of the proof; and
  
  granting the computing device access to the external network when the validity of the proof has been confirmed by the checking;
  
  wherein satisfaction of the external accessibility requirements comprises satisfaction of one of the following two rules;
  
  there is no software-only method for modifying external accessibility capabilities of the computing device;
  
  there is a method to assure that when the computing device is coupled to the external network, the policy enforcing network access point is informed when external accessibility capabilities of the computing device are modified through software such that the computing device no longer satisfies the external accessibility requirements.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the external accessibility requirements comprise:
    - the computing device validating authorization of an external access payload, by verifying a digital signature affixed to the payload; and
      
      the computing device permitting the authorized external access payload to execute on the computing device.

3. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein;
  
  said authorization comprises verifying a digital signature affixed by the external access entity;
  
  the external access entity is not a user;
  
  the cryptographic module is configured to use keys in cryptographic computations, including communication keys for encrypted communications with other devices, and to store communication keys for a period of time commencing with or prior to use of the communication keys by the computing device and ending at a time after the communication keys have been used; and
  
  the cryptographic module is further configured to provide access to stored communication keys to an external access entity authorized by the access control module;
  
  said computing device further comprising;
  
  an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
  
  the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.

4. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
- using communication keys for encrypted communications with other devices, said using taking place in a cryptographic module located within the computing device;
  
  storing the communication keys in the cryptographic module;
  
  keeping said communication keys stored for a period of time after use of said communication keys by the computing device;
  
  receiving a request from an external access entity to access at least one of the stored communication keys, wherein said request comprises a digital signature not created on the computing device;
  
  validating the digital signature of the external access entity request using a public verification key embedded in the computing device;
  
  providing the external access entity with access to the requested stored communication keys when the digital signature has been validated; and
  
  recording information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.

5. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module, wherein;
  
  said authorization comprises verifying that a cryptographic computation was correctly computed by the external access entity;
  
  the external access entity is not a user and is not a module executing on the computing device;
  
  the cryptographic module is configured to use communication keys for encrypted communications with other devices; and
  
  the cryptographic module is further configured to provide access to said communication keys to an external access entity authorized by the access control module;
  
  said computing device further comprising;
  
  an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
  
  the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The computing device of claim 5, wherein:
    - the cryptographic computation computed by the external access entity is a digital signature computation that is not computed on the computing device; and
      
      said authorization comprises verifying the digital signature.
  - 7. The computing device of claim 5, wherein the external access entity is not a user of the computing device.
  - 8. The computing device of claim 5, wherein a user is not able to use software to prevent an authorized external access entity from obtaining the communication keys.
  - 9. The computing device of claim 5, further comprising a stored encryption key, wherein:
    - the cryptographic module is configured to encrypt the communication keys using the stored encryption key;
      
      the cryptographic module is further configured to store the encrypted communication keys for a period of time commencing with the use of the communication keys by the computing device and ending at a time after the communication keys have been used; and
      
      the cryptographic module is further configured to provide access to the stored encrypted communication keys to an external access entity authorized by the access control module.

10. A method for providing a computing device with authorized access to communication keys used for encrypted communications with other devices, said method comprising the steps of the computing device:
- using the communication keys in a cryptographic module located within the computing device;
  
  receiving a request from an external access entity to access at least one of the communication keys, wherein said request comprises the result of a cryptographic computation not computed on the computing device;
  
  validating the cryptographic computation of the external access entity request using a public verification key embedded in the computing device;
  
  providing the external access entity with access to the requested communication keys when the digital signature cryptographic computation has been validated; and
  
  recording information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, wherein:
    - the cryptographic computation underlying said request is a digital signature computation; and
      
      the validation of the cryptographic computation is a digital signature verification.
  - 12. The method of claim 10, further comprising the steps of:
    - encrypting the communication keys using an encryption key stored on the computing device;
      
      storing the encrypted communication keys on the computing device; and
      
      providing the external access entity with access to the encrypted stored communication keys when the cryptographic computation has been validated.

13. A computing device operated by a user of the computing device, said computing device comprising:
- an access control module configured to authorize an external access entity to access a cryptographic module, wherein;
  
  said authorization comprises verifying that a cryptographic computation was correctly computed by the external access entity;
  
  the external access entity is not a user and is not a module executing on the computing device;
  
  the cryptographic module is configured to use cryptographic keys in cryptographic computations, and to store seeds that can be used to derive said cryptographic keys for a period of time after the generation of said seeds; and
  
  the cryptographic module is further configured to provide access to the stored seeds to an external access entity authorized by the access control module;
  
  said computing device further comprising;
  
  an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
  
  the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.
- View Dependent Claims (14)
- - 14. The computing device of claim 13, wherein the cryptographic keys are used for encrypted communications with other devices.

15. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
- generating seeds in a cryptographic module located within the computing device;
  
  deriving cryptographic keys from said seeds in said cryptographic module;
  
  storing the seeds in the cryptographic module, and keeping said seeds stored for a period of time after use of said cryptographic keys by the computing device;
  
  receiving a request from an external access entity to access at least one of the stored seeds, wherein said request comprises the result of a cryptographic computation not performed on the computing device;
  
  validating the cryptographic computation of the external access entity request using a public verification key embedded in the computing device;
  
  providing the external access entity with access to the requested stored seeds when the cryptographic computation has been validated; and
  
  recording information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein the cryptographic keys are used for encrypted communications with other devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brickell Cryptology LLC
Original Assignee
Ernest Brickell
Inventors
Brickell, Ernest
Primary Examiner(s)
Traore, Fatoumata

Application Number

US16/460,508
Publication Number

US 20190327235A1
Time in Patent Office

315 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 7/588   Random number generators, i...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/302   gathering intelligence info...

H04L 63/306   intercepting packet switche...

H04L 9/0869   involving random numbers or...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/3247   involving digital signatures

External accessibility for network devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

External accessibility for network devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links