Restrictions on use of a key

US 10,693,916 B2
Filed: 10/30/2018
Issued: 06/23/2020
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method in a computerized system comprising:

configuring, by a management apparatus, at least one address based restriction on use of a key by source hosts for access to target hosts in the computerized system,determining use of the key for access to a target host,receiving information of an address of a source host from which the key is used for the access to the target host,comparing the address of the source host from which the key is used for the access to the target host against the at least one address based restriction on use of the key, andperforming a management action based on the comparison.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Citations

26 Claims

1. A method in a computerized system comprising:
- configuring, by a management apparatus, at least one address based restriction on use of a key by source hosts for access to target hosts in the computerized system,determining use of the key for access to a target host,receiving information of an address of a source host from which the key is used for the access to the target host,comparing the address of the source host from which the key is used for the access to the target host against the at least one address based restriction on use of the key, andperforming a management action based on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the at least one address based restriction comprises information on allowed Internet Protocol (IP) addresses.
  - 3. The method of claim 2, wherein the at least one address based restriction comprises information of at least one IP address from which the key can be used for access and/or to which the key can be used for access.
  - 4. The method of claim 1, wherein the key comprises an authorized key.
  - 5. The method of claim 4, comprising determining IP addresses from which the authorized key is used for logins to a user account.
  - 6. The method of claim 4, wherein the management action comprises modifying an authorized key file associated with the source host from which the key is used.
  - 7. The method of claim 1, wherein the key comprises an authentication key provided by one of an authorized key, an identity key, or a Secure Shell (SSH) key.
  - 8. The method of claim 1, wherein the configured at least one address based restriction restricts use of the key to be only from one or more hosts from which the key has been used during a period.
  - 9. The method of claim 1, comprising storing information on the at least one address based restriction at a key manager network element.
  - 10. The method of claim 1, wherein the management action comprises at least one of:
    - preventing use of the key, deletion of the key, rotating the key, modifying the key, removal of the key used for the access to the target host from a file of authorized keys, generating an alert, generating a report, logging an audit notification, indicating the key as suspicious, or indicating the use of the key as suspicious.
  - 11. The method of claim 1, comprising automatically configuring IP address based restrictions for public keys in an authorized key file.
  - 12. The method of claim 1, comprising identifying a host based on the received information of the address of the source host from which the key is used.
  - 13. The method of claim 12, comprising storing information of a plurality of IP addresses for the host and handling the stored information of a plurality of IP addresses as alternative identifiers of the host.
  - 14. The method of claim 1, comprising determining whether the address of the source host from which the key is used belongs to a host under management of the management apparatus.
  - 15. The method of claim 1, comprising determining that an access relationship between hosts based on the key crosses a predefined boundary.
  - 16. The method of claim 1, wherein the management action comprises a management action on the key used by the source host from which the key is used for access to the target host.

17. An apparatus comprising at least one processor, and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus to:
- configure, in the apparatus, at least one address based restriction on use of a key by source hosts for access to target hosts,determine use of the key for access to a target host,receive information of an address of a source host from which the key is used for access to the target host,compare the address of the source host from which the key is used for the access to the target host against the at least one address based restriction on use of the key, andperform a management action based on the evaluation comparison.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The apparatus of claim 17, wherein the at least one address based restriction comprises at least one of information on allowed Internet Protocol (IP) addresses, information of at least one IP address from which the key can be used for access, or information of at least one IP address to which the key can be used for access.
  - 19. The apparatus of claim 17, wherein the key comprises an authorized key, the apparatus being configured to determine IP addresses from which the authorized key is used for logins to a user account.
  - 20. The apparatus of claim 17, configured to restrict use of the key to be only from one or more hosts from which the key has been used during a period.
  - 21. The apparatus of claim 17, comprising a key manager network element.
  - 22. The apparatus of claim 17, configured to store information on the at least one address based restriction at a non-volatile memory.
  - 23. The apparatus of claim 17, configured to, based on the comparison, at least one of prevent use of the key, delete the key, rotate the key, modify the key, remove the key used for the access to the target host from a file of authorized keys, generate an alert, generate a report, log an audit notification, indicate the key as suspicious, or indicate the use of the key as suspicious.
  - 24. The apparatus of claim 17, configured to determine whether the address of the source host from which the key is used belongs to a host under management of the apparatus.
  - 25. The apparatus of claim 17, configured to determine that an access relationship between hosts based on the key crosses a predefined boundary.

26. A non-transitory computer readable media comprising program code for causing an apparatus comprising a processor to perform instructions for:
- configuring at least one address based restriction on use of a key by source hosts for access to target hosts in the apparatus,determining use of the key for access to a target host,receiving information of an address of a source host from which the key is used for access to the target host,comparing the address of the source host from which the key is used for the access to the target host against the at least one address based restriction on use of the key, andperforming a management action based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Ylonen, Tatu J.
Primary Examiner(s)
Bayou, Yonas A

Application Number

US16/174,427
Publication Number

US 20190075134A1
Time in Patent Office

602 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

H04L 61/4523   using lightweight directory...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321 : involving a third party or ...

H04L 9/3263 : involving certificates, e.g...

H04L 9/3268 : using certificate validatio...

View All

Restrictions on use of a key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Restrictions on use of a key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links