Authentication device and computer system

US 20050102522A1
Filed: 02/26/2004
Published: 05/12/2005
Est. Priority Date: 11/12/2003
Status: Active Grant

First Claim

Patent Images

1. An authentication device that certifies a communication device that is connected via a predetermined communication line, wherein the communication device imports a certificate therein, which has been issued by a certification authority and contains address information of the communication device, the authentication device comprising:

a receiving module that receives a packet including address information of a source of the packet and the certificate; and

a certification processing module that validates whether or not the source of the packet is the communication device based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To restrict actions such as spoofing and thereby prevent tapping and leakages of data by certifying whether or not each communication device such as a storage device on a communication line is to be connected to the communication line.

Upon receipt of a packet that contains an IP address in its IP header and stores a certificate in its certificate payload from a storage device 300, an authentication device 200 compares an IP address that is recorded in the certificate and the IP address that is recorded on the IP header of the packet. If the comparison results in a match of these IP addresses, the authentication device 200 can certify that the storage device 300 is a device for which a certificate issuing device 100 has properly issued the certificate.

Citations

16 Claims

1. An authentication device that certifies a communication device that is connected via a predetermined communication line, wherein the communication device imports a certificate therein, which has been issued by a certification authority and contains address information of the communication device, the authentication device comprising:
- a receiving module that receives a packet including address information of a source of the packet and the certificate; and
  
  a certification processing module that validates whether or not the source of the packet is the communication device based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 10, 11)
- - 2. An authentication device according to claim 1, wherein the authentication device imports a public key of the certification authority therein;
    - the certificate that is imported in the communication device further includes a digital signature of the certification authority, which has been encrypted with a private key of the certification authority; and
      
      the certification processing module further decrypts the digital signature of the certification authority, which is recorded on the certificate in the packet that has been received by the receiving module, with the public key of the certification authority, and based on a result of the decryption, validates whether or not the certificate in the received packet is the one that has been issued by the certificate authority.
  - 3. An authentication device according to claim 1, wherein the certificate that is imported in the communication device further contains a public key of the communication device;
    - the packet further includes a digital signature of the source of the packet, which has been encrypted with a private key of the source of the packet; and
      
      the certification processing module further decrypts the digital signature of the source of the packet, which is included in the packet that has been received by the receiving module, with the public key of the communication device, which is recorded on the certificate in the received packet, and based on a result of the decryption, validates whether or not the digital signature of the source of the packet is a digital signature of the communication device.
  - 5. An authentication device according to claim 1, further comprising:
    - a caching module that caches certificates that have been successfully validated by the certification processing module.
  - 6. An authentication device according to claim 5, wherein the certification processing module does not carry out the validation if the same certificate as the one in the packet that has been received by the receiving module is cached in the caching module.
  - 7. An authentication device according to claim 1, wherein the receiving module inputs the packet from the communication device at the time the communication device connects to the communication line.
  - 8. An authentication device according to claim 1, wherein the certificate is a public key certificate that is based on X.509, and the address information of the communication device is recorded on an extension field of the public key certificate.
  - 9. An authentication device according to claim 1, wherein the address information is a piece of IP address.
  - 10. An authentication device according to claim 1, wherein the communication device is a storage device.
  - 11. An authentication device according to claim 1, further comprising:
    - a certificate retaining module that retains a second certificate, which has been issued by the certification authority and contains address information of the authentication device; and
      
      a transmitting module that transmits a packet including the address information of the authentication device and the second certificate.

4. An authentication device that certifies a communication device that is connected via a predetermined communication line, wherein the communication device imports a certificate therein, which has been issued by a certification authority and contains address information of the communication device, a digital signature of the certification authority, which has been encrypted with a private key of the certification authority, and a public key of the communication device;
- the authentication device imports a public key of the certification authority therein; and
  
  the authentication device includes;
  
  a receiving module that receives a packet including address information of a source of the packet, the certificate, and a digital signature of the source of the packet, which has been encrypted with a private key of the source of the packet; and
  
  a certification processing module that;
  
  decrypts the digital signature of the certification authority, which is recorded on the certificate in the packet, with the public key of the certification authority, and based on a result of the decryption, validates whether or not the certificate in the received packet is the one that has been issued by the certificate authority;
  
  further validates whether or not the source of the packet is the communication device based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet; and
  
  further decrypts the digital signature of the source of the packet, which is included in the packet, with the public key of the communication device, which is recorded on the certificate in the received packet, and based on a result of the decryption, validates whether or not the digital signature of the source of the packet is a digital signature of the communication device.

12. A computer system comprising a plurality of storage devices and an authentication device, wherein each of the storage devices includes:
- a certificate retaining module that retains a certificate, which has been issued by a certification authority and contains address information of the storage device; and
  
  a receiving module that receives a packet including the address information of the storage device and the certificate, the authentication device includes;
  
  a receiving module that receives a packet including address information of a source of the packet and a certificate of the source of the packet; and
  
  a certification processing module that validates the source of the packet based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet, upon receipt of a notification of an output of data from one storage device to another storage device from the one storage device, the receiving module of the authentication device receives the packet from each of the one storage device and the another storage device, and the certification processing module of the authentication device validates each of the received packets, and if the validation is successful, notifies the one storage device of permission of the output of data.

13. A computer system comprising a plurality of storage devices and an authentication device, wherein each of the storage devices includes:
- a certificate retaining module that retains a certificate, which has been issued by a certification authority and contains address information of the storage device; and
  
  a receiving module that receives a packet including the address information of the storage device and the certificate, the authentication device includes;
  
  a receiving module that receives a packet including address information of a source of the packet and a certificate of the source of the packet; and
  
  a certification processing module that validates the source of the packet based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet, upon receipt of a notification of an output of data from one storage device to one of other storage devices from the one storage device, the receiving module of the authentication device receives the packet from each of the one storage device and the one of other storage devices that has been selected based on a predetermined condition, and the certification processing module of the authentication device validates each of the received packets, and if the validation is successful, notifies the one storage device of the selected storage device and of permission of the output of data.
- View Dependent Claims (14)
- - 14. A computer system according to claim 13, wherein each of the storage devices is a SAN type storage device;
    - the certificate contains a fiber channel address of the storage device for which the certificate has been issued; and
      
      the certification processing module of the authentication device validates each of the received packets, and if the validation is successful, notifies the one storage device of the fiber channel address of the selected storage device and of permission of the output of data.

15. A method of certifying a communication device that is connected to a computer via a predetermined communication line, wherein the communication device imports a certificate therein, which has been issued by a certification authority and contains address information of the communication device, the method comprising the steps of:
- receiving a packet including address information of a source of the packet and the certificate; and
  
  validating whether or not the source of the packet is the communication device based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet.

16. A computer readable recording medium in which a computer program is recorded, the computer program causing a computer to certify a communication device that is connected thereto via a predetermined communication line, wherein the communication device imports a certificate therein, which has been issued by a certification authority and contains address information of the communication device, the computer program comprising:
- a first program code for receiving a packet including address information of a source of the packet and the certificate; and
  
  a second program code for validating whether or not the source of the packet is the communication device based on the address information of the source of the packet, which is included in the packet, and the address information that is recorded on the certificate in the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Hitachi, Ltd.
Inventors
Kanda, Akitsugu

Granted Patent

US 7,424,607 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/1466 Active attacks involving in...

Authentication device and computer system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication device and computer system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links