External accessibility for network devices
Abstract
Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211. In some embodiments, an encryption/decryption key pair 291, 292 is associated with External Access Entity Device 260 to further enhance security.
16 Claims
1. A method for assuring that a computing device meets preselected requirements of external accessibility before allowing the computing device to access an external network, said method comprising the steps of a policy network access point:
receiving from the computing device a proof of establishing satisfaction of external accessibility requirements set by the policy enforcing network access point, where the external accessibility requirements include requiring execution of a validated payload, and validation of the payload uses a value unique to said computing device;
checking validity of the proof; and
granting the computing device access to the external network when the validity of the proof has been confirmed by the checking;
wherein satisfaction of the external accessibility requirements comprises satisfaction of one of the following two rules:
there is no software-only method for modifying external accessibility capabilities of the computing device;
there is a method to assure that when the computing device is coupled to the external network, the policy enforcing network access point is informed when external accessibility capabilities of the computing device are modified through software such that the computing device no longer satisfies the external accessibility requirements.
Dependent claims: 2

3. A computing device operated by a user of the computing device, said computing device comprising:
an access control module configured to authorize an external access entity to access a cryptographic module located within the computing device, wherein:
said authorization comprises verifying a digital signature affixed by the external access entity;
the external access entity is not a user;
the cryptographic module is configured to use keys in cryptographic computations, including communication keys for encrypted communications with other devices, and to store communication keys for a period of time commencing with or prior to use of the communication keys by the computing device and ending at a time after the communication keys have been used; and
the cryptographic module is further configured to provide access to stored communication keys to an external access entity authorized by the access control module;
said computing device further comprising:
an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.

4. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
using communication keys for encrypted communications with other devices, said using taking place in a cryptographic module located within the computing device;
storing the communication keys in the cryptographic module;
keeping said communication keys stored for a period of time after use of said communication keys by the computing device;
receiving a request from an external access entity to access at least one of the stored communication keys, wherein said request comprises a digital signature not created on the computing device;
validating the digital signature of the external access entity request using a public verification key embedded in the computing device;
providing the external access entity with access to the requested stored communication keys when the digital signature has been validated; and
recording information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.

5. A computing device operated by a user of the computing device, said computing device comprising:
an access control module configured to authorize an external access entity to access a cryptographic module, wherein:
said authorization comprises verifying that a cryptographic computation was correctly computed by the external access entity;
the external access entity is not a user and is not a module executing on the computing device;
the cryptographic module is configured to use communication keys for encrypted communications with other devices; and
the cryptographic module is further configured to provide access to said communication keys to an external access entity authorized by the access control module;
said computing device further comprising:
an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.
Dependent claims: 6, 7, 8, 9

10. A method for providing a computing device with authorized access to communication keys used for encrypted communications with other devices, said method comprising the steps of the computing device:
using the communication keys in a cryptographic module located within the computing device;
receiving a request from an external access entity to access at least one of the communication keys, wherein said request comprises the result of a cryptographic computation not computed on the computing device;
validating the cryptographic computation of the external access entity request using a public verification key embedded in the computing device;
providing the external access entity with access to the requested communication keys when the digital signature cryptographic computation has been validated; and
recording information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.
Dependent claims: 11, 12

13. A computing device operated by a user of the computing device, said computing device comprising:
an access control module configured to authorize an external access entity to access a cryptographic module, wherein:
said authorization comprises verifying that a cryptographic computation was correctly computed by the external access entity;
the external access entity is not a user and is not a module executing on the computing device;
the cryptographic module is configured to use cryptographic keys in cryptographic computations, and to store seeds that can be used to derive said cryptographic keys for a period of time after the generation of said seeds; and
the cryptographic module is further configured to provide access to the stored seeds to an external access entity authorized by the access control module;
said computing device further comprising:
an access archive module configured to record any authorized access of the cryptographic module by an external access entity, wherein a record stored in the access archive module cannot be modified or deleted by an authorized external access entity; and
the access archive module is further configured to output recorded information pertaining to authorized access by an external access entity.
Dependent claims: 14

15. A method for providing authorized access to cryptographic keys stored in a computing device, said method comprising the steps of the computing device:
generating seeds in a cryptographic module located within the computing device;
deriving cryptographic keys from said seeds in said cryptographic module;
storing the seeds in the cryptographic module, and keeping said seeds stored for a period of time after use of said cryptographic keys by the computing device;
receiving a request from an external access entity to access at least one of the stored seeds, wherein said request comprises the result of a cryptographic computation not performed on the computing device;
validating the cryptographic computation of the external access entity request using a public verification key embedded in the computing device;
providing the external access entity with access to the requested stored seeds when the cryptographic computation has been validated; and
recording information contained in the validated external access entity request in a record that cannot be deleted or modified by the external access entity.
Dependent claims: 16

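An added example of the steps in claim 4 (not code from the patent): a device validates an off-device signature with its embedded public verification key, releases the stored communication key, and records the request in an archive whose alteration is detectable. Ed25519, the hash-chained archive with a head held in protected storage, and all type names, function names and sample values are assumptions made for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Device is a hypothetical model of the claimed computing device.
type Device struct {
	verifyKey ed25519.PublicKey // public verification key embedded in the device
	commKeys  map[string][]byte // communication keys kept after use
	records   [][]byte          // access archive: one entry per granted request
	head      [32]byte          // running hash of records; assumed to sit in protected storage
}

// Access validates the off-device signature, archives the request, then releases the key.
func (d *Device) Access(keyID, reason string, sig []byte) ([]byte, error) {
	req := []byte(keyID + "\n" + reason)
	key, ok := d.commKeys[keyID]
	if !ok || !ed25519.Verify(d.verifyKey, req, sig) {
		return nil, fmt.Errorf("request for %q rejected", keyID)
	}
	d.records = append(d.records, req)
	d.head = sha256.Sum256(append(d.head[:], req...))
	return key, nil
}

// ArchiveIntact refolds the records; an edited or removed entry no longer matches the head.
func (d *Device) ArchiveIntact() bool {
	var h [32]byte
	for _, r := range d.records {
		h = sha256.Sum256(append(h[:], r...))
	}
	return h == d.head
}

// Demo runs one signed request, one request the signature does not cover, then edits the archive.
func Demo() (granted, forgedRejected, intact, intactAfterEdit bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // priv stays with the external access entity
	d := &Device{verifyKey: pub, commKeys: map[string][]byte{"session-1": []byte("constructed-key")}}
	sig := ed25519.Sign(priv, []byte("session-1\nconstructed reason"))
	k, err := d.Access("session-1", "constructed reason", sig)
	granted = err == nil && string(k) == "constructed-key"
	_, err = d.Access("session-1", "different reason", sig) // same signature, different request
	intact = d.ArchiveIntact()
	d.records[0] = []byte("session-1\nrewritten") // simulated tampering with a stored record
	return granted, err != nil, intact, d.ArchiveIntact()
}
func main() { fmt.Println(Demo()) }
```

The hash chain only makes changes detectable; the claim's requirement that the external access entity cannot modify or delete a record depends on the archive and its head being outside that entity's write access.
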
Specification