System and method for selectively confirming digital certificates in a virtual private network

US 20020178240A1
Filed: 05/24/2001
Published: 11/28/2002
Est. Priority Date: 05/24/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of establishing a secure communication path between two computer systems comprising:

creating a communication path to exchange data such as identification data and digital certification data between the two systems;

determining, based on the identification data, whether to confirm the digital certification data; and

creating a secure communication path, without confirming the digital certification data if it is determined the digital certification data should not be confirmed, or after confirming the digital certification data if it is determined that the digital certification data should be confirmed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing multiple virtual private networks (VPNs) from a computer system. Configuration information is maintained for connections, or tunnels, established between a local computer system and a number of remote computer systems. The configuration information includes information about the endpoints, or local-remote computer pairs, policies used to determine preferred access methods for connecting a given pair of computers, pre-shared keys, and digital certificates for providing keys to encrypt and decipher data. A local-remote pair is selected from an endpoints table. A policy corresponding to the selected local-remote pair is selected determining the access method(s) to be attempted in securely connecting the two computer systems. If an access method uses a digital certificate, the corresponding information is retrieved from a digital certificate table. The decision whether to check the digital certification has been revoked is stored in the endpoints table.

54 Citations

View as Search Results

20 Claims

1. A method of establishing a secure communication path between two computer systems comprising:
- creating a communication path to exchange data such as identification data and digital certification data between the two systems;
  
  determining, based on the identification data, whether to confirm the digital certification data; and
  
  creating a secure communication path, without confirming the digital certification data if it is determined the digital certification data should not be confirmed, or after confirming the digital certification data if it is determined that the digital certification data should be confirmed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the determining step includes the step of consulting an internal table, the internal table including identification data of all computer systems whose digital certification need not be confirmed.
  - 3. The method as described in claim 2 wherein the two computer systems include a local and a remote computer system, the exchanged data further including one or more authentication proposals from the local computer system and a selected authentication proposal from the remote system.
  - 4. The method as described in claim 1 further comprising:
    - selecting an access method in response to determining to confirm the digital certification data; and
      
      invoking the selected access method.
  - 5. The method as described in claim 1 further comprising:
    - selecting a local-remote pair from an endpoints table corresponding to the computer systems;
      
      selecting a policy from a policy table based on the selected local-remote pair, the policy including one or more access methods; and
      
      transmitting one or more security proposals corresponding to the selected policy to the remote computer system.
  - 6. The method as described in claim 1 further comprising:
    - receiving a remote digital certificate from the other computer system; and
      
      verifying that a signing certificate included in the remote digital certificate corresponds to a certification authority.
  - 7. The method as described in claim 1 further comprising:
    - digitally signing a message using a private key corresponding to one of the computer systems; and
      
      sending the signed message to the other computer system.

8. An information handling system comprising:
- one or more processors;
  
  a memory accessible by the processors;
  
  a nonvolatile storage accessible by the processors;
  
  a network interface connecting the information handling system to a computer network; and
  
  a network security tool to create a secure path between computer systems, the network security tool including;
  
  means for creating a non-secure communication path to exchange data such as identification data and digital certification data between the two systems;
  
  means for determining, based on the identification data, whether to confirm the digital certification data; and
  
  means for creating a secure communication path, without confirming the digital certification data if it is determined the digital certification data should not be confirmed, or after confirming the digital certification data if it is determined that the digital certification data should be confirmed.
- View Dependent Claims (9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20)
- - 9. The information handling system as described in claim 8 wherein the means for determining includes means for consulting an internal table, the internal table including identification data of all computer systems whose digital certification need not be confirmed.
  - 10. The information handling system as described in claim 9 wherein the two computer systems include a local and a remote computer system, the exchanged data further including one or more authentication proposals from the local computer system and a selected authentication proposal from the remote system.
  - 11. The information handling system as described in claim 8 further comprising:
    - means for selecting an access method in response to determining to confirm the digital certification data; and
      
      means for invoking the selected access method.
  - 12. The information handling system as described in claim 8 further comprising:
    - means for selecting a local-remote pair from an endpoints table corresponding to the computer systems;
      
      means for selecting a policy from a policy table based on the selected local-remote pair, the policy including one or more access methods; and
      
      means for transmitting one or more security proposals corresponding to the selected policy to the remote computer system.
  - 13. The information handling system as described in claim 8 further comprising:
    - means for receiving a remote digital certificate from the other computer system; and
      
      means for verifying that a signing certificate included in the remote digital certificate corresponds to a certification authority.
  - 15. The computer program product as described in claim 14 wherein the means for determining includes means for consulting an internal table, the internal table including identification data of all computer systems whose digital certification need not be confirmed.
  - 16. The computer program product as described in claim 15 wherein the two computer systems include a local and a remote computer system, the exchanged data further including one or more authentication proposals from the local computer system and a selected authentication proposal from the remote system.
  - 17. The computer program product as described in claim 14 further comprising:
    - means for selecting an access method in response to determining to confirm the digital certification data; and
      
      means for invoking the selected access method.
  - 18. The computer program product as described in claim 14 further comprising:
    - means for selecting a local-remote pair from an endpoints table corresponding to the computer systems;
      
      means for selecting a policy from a policy table based on the selected local-remote pair, the policy including one or more access methods; and
      
      means for transmitting one or more security proposals corresponding to the selected policy to the remote computer system.
  - 19. The computer program product as described in claim 14 further comprising:
    - means for receiving a remote digital certificate from the other computer system; and
      
      means for verifying that a signing certificate included in the remote digital certificate corresponds to a certification authority.
  - 20. The computer program product as described in claim 14 further comprising:
    - means for digitally signing a message using a private key corresponding to one of the computer systems; and
      
      means for sending the signed message to the other computer system.

14. A computer program product stored on a computer operable medium for providing one or more secure connections from a computer system, said computer program product comprising:
- means for creating a non-secure communication path to exchange data such as identification data and digital certification data between the two systems;
  
  means for determining, based on the identification data, whether to confirm the digital certification data; and
  
  means for creating a secure communication path, without confirming the digital certification data if it is determined the digital certification data should not be confirmed, or after confirming the digital certification data if it is determined that the digital certification data should be confirmed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Genty, Denise Marie, Venkataraman, Guha Prasad, Wilson, Jacqueline Hegedus, Fiveash, William Alton

Application Number

US09/864,110
Publication Number

US 20020178240A1
Time in Patent Office

Days
Field of Search
US Class Current

709/221
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

System and method for selectively confirming digital certificates in a virtual private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for selectively confirming digital certificates in a virtual private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links