System and method for access control

US 20060080534A1
Filed: 12/03/2004
Published: 04/13/2006
Est. Priority Date: 10/12/2004
Status: Active Grant

First Claim

Patent Images

1. In a gateway server, a method of controlling access to a resource comprising:

receiving a digital certificate from a device;

extracting an identifier embedded into said certificate;

determining if said identifier is valid;

if said identifier is determined to be valid, permitting said device to access said resource; and

, if said identifier is determined to be invalid, denying said device access to said resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for access control is provided. In one embodiment, a system includes a computing device connected to an access server that controls the ability of the computing device to access to a computing resource, such as the Internet. The access server connects to an activation server via a network. The activation server is operable to receive a request for to generate a certificate for the computing device from the activation server. The activation server is operable to generate the certificate and embed a unique identifier of the computing device and/or the access server and/or the like inside the certificate. Once generated, the certificate is installed in the computing device. When the computing device initiates a request to access the computing resource, the computing device initially sends the certificate to the access server. If the certificate received by the access server does not include the expected unique identifier(s), then access to the computing resource is prevented and/or restricted. If the key received by the access server includes the expected unique identifier(s), then access to the computing resource is permitted.

84 Citations

View as Search Results

54 Claims

1. In a gateway server, a method of controlling access to a resource comprising:
- receiving a digital certificate from a device;
  
  extracting an identifier embedded into said certificate;
  
  determining if said identifier is valid;
  
  if said identifier is determined to be valid, permitting said device to access said resource; and
  
  , if said identifier is determined to be invalid, denying said device access to said resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1 further comprising, if said identifier is determined to be invalid, revoking said digital certificate.
  - 3. The method of claim 1 further comprising determining whether said certificate has been revoked, and, if said certificate has been revoked, denying said device access to said resource.
  - 4. The method of claim 1 wherein said identifier is a gateway identifier associated with said gateway server and said determining step involves comparing said extracted identifier with a local store of said identifier.
  - 5. The method of claim 4 wherein said identifier is selected from the group consisting of a serial number associated with a central processing unit of said gateway server;
    - a hard drive identifier associated with a hard drive local to said gateway server;
      
      a unique name of said server assigned to an operating system executing on said server;
      
      a name associated with a set of gateway servers.
  - 6. The method of claim 1 wherein said identifier is a device identifier unique to said device.
  - 7. The method of claim 6 wherein said determining step comprises comparing said extracted identifier with a list of one or more valid device identifiers for at least one of the gateway server and the resource.
  - 8. The method of claim 6 wherein said determining step comprises receiving a second device identifier from the device and comparing said extracted identifier with said second device identifier, said device identifier being valid if said extracted device identifier is equivalent to said second device identifier.
  - 9. The method of claim 8 wherein said step of receiving the digital certificate comprises receiving one or more packets from the device and the step of receiving the second device identifier comprises extracting said second device identifier from a header of at least one of the packets.
  - 10. The method of claim 6 wherein said identifier is selected from the group consisting of a serial number associated with a central processing unit of said device;
    - a hard drive identifier associated with a hard drive local to said device;
      
      a unique name of said device assigned to an operating system executing on said device.
  - 11. The method of claim 1 wherein said certificate includes a device public encryption key associated with said device and said identifier is a digital signature generated by signing said device public encryption key with a gateway server public encryption key associated with said server, and wherein said determining step comprises determining a validity of said digital signature using a gateway server private encryption key, said identifier being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 12. The method of claim 1 wherein said identifier is at least one of:
    - a) a gateway identifier associated with said gateway server;
      
      b) a device identifier unique to said device; and
      
      c) a digital signature generated by signing a device public encryption key embedded in said certificate.
  - 13. The method of claim 1 wherein said extracted identifier comprises a plurality of identifiers and wherein said determining step comprises determining if each of said plurality of identifiers is valid.
  - 14. The method of claim 13 wherein said plurality of identifiers comprise a gateway identifier associated with said gateway server and a device identifier unique to said device.
  - 15. The method of claim 14, wherein said step of determining if each of said plurality of identifiers is valid comprises comparing said gateway identifier with a local store of said gateway identifier;
    - and comparing said device identifier with a list of one or more valid device identifiers for at least one of the gateway server and the resource.
  - 16. The method of claim 14 wherein said step of determining if each of said plurality of identifiers is valid comprises comparing said gateway identifier with a local store of said gateway identifier;
    - and receiving a second device identifier from the device and comparing said extracted device identifier with said second device identifier, said device identifier being valid if said extracted device identifier is equivalent to said second device identifier.
  - 17. The method of claim 14, wherein said certificate includes a device public encryption key associated with said device and said plurality of identifiers further comprise a digital signature generated by signing said device public encryption key with a gateway server public encryption key associated with said server;
    - and wherein said step of determining if each of said plurality of identifiers is valid further comprises determining a validity of said digital signature using a gateway server private encryption key, said digital signature being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 18. The method of claim 13 wherein said certificate includes a device public encryption key associated with said device and said plurality of identifiers comprise a device identifier unique to said device and a digital signature generated by signing said device public encryption key with a gateway server public encryption key associated with said server;
    - and wherein said step of determining if each of said plurality of identifiers is valid comprises determining if said device identifier is valid; and
      
      determining a validity of said digital signature using a gateway server private encryption key, said digital signature being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 19. The method of claim 18 wherein the step of determining if said device identifier is valid comprises comparing said device identifier with a list of one or more valid device identifiers for at least one of the gateway server and the resource.
  - 20. The method of claim 18 wherein the step of determining if said device identifier is valid comprises receiving a second device identifier from the device and comparing said extracted device identifier with said second device identifier, said device identifier being valid if said extracted device identifier is equivalent to said second device identifier.
  - 21. The method of claim 1 wherein said resource is selected from the group consisting of at least one of the Internet and a local area network.

22. A gateway server comprising a first interface for connection to a local device and a second interface for connection to a resource, said server further comprising a microcomputer intermediate said interfaces, said microcomputer operable to receive a request for access to said resources from said device, said request including a certificate received from said device, said microcomputer operable to extract an identifier embedded into said certificate and further operable to permit said device to access said resource if said identifier is valid;
- and to deny said device access to said resource if said identifier is invalid.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 23. The server of claim 22 wherein said microcomputer is further operable to revoke said certificate if said identifier is invalid.
  - 24. The server of claim 22 wherein said microcomputer is further operable to determine whether said certificate has been revoked using a certificate revocation list and, if said certificate has been revoked, denying said device access to said resource.
  - 25. The server of claim 22 wherein said identifier is a gateway identifier associated with said gateway server.
  - 26. The server of claim 25 wherein said identifier is selected from the group consisting of a serial number associated with a central processing unit of said gateway server;
    - a hard drive identifier associated with a hard drive local to said gateway server;
      
      a unique name of said server assigned to an operating system executing on said server;
      
      a name associated with a set of gateway servers.
  - 27. The server of claim 22 wherein said identifier is a device identifier unique to said device.
  - 28. The server of claim 27 wherein the microcomputer is operable to determine a validity of said device identifier using a list of one or more valid device identifiers for at least one of the gateway server and the resource, said identifier being valid if said device identifier is within the list of valid device identifiers.
  - 29. The server of claim 27 wherein the microcomputer is operable to determine a validity of said device identifier using a second device identifier received from said device, said device identifier being valid if said extracted device identifier is equivalent to said second device identifier.
  - 30. The method of claim 29 wherein the microcomputer is operable to extract said second device identifier from a header of at least one packet received from said device.
  - 31. The server of claim 27 wherein said identifier is selected from the group consisting of a serial number associated with a central processing unit of said device;
    - a hard drive identifier associated with a hard drive local to said device;
      
      a unique name of said server assigned to an operating system executing on said device.
  - 32. The server of claim 22 wherein said certificate includes a device public encryption key associated with said device and said identifier is a digital signature generated by signing said device public encryption key with a gateway server public encryption key associated with said server, and wherein said microcomputer is operable to determine a validity of said digital signature using a gateway server private encryption key, said identifier being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 33. The server of claim 22 wherein said identifier is at least one of:
    - a) a gateway identifier associated with said gateway server;
      
      b) a device identifier unique to said device; and
      
      c) a digital signature generated by signing a device public encryption key embedded in said certificate.
  - 34. The server of claim 22 wherein said identifier comprises a plurality of identifiers and wherein said microcomputer is operable to permit said device to access said resource if each of said plurality of identifiers is valid.
  - 35. The server of claim 34 wherein said plurality of identifiers comprise a gateway identifier associated with said gateway server and a device identifier unique to said device.
  - 36. The server of claim 35 wherein said microcomputer is operable to determine a validity of said gateway identifier using a local store of said gateway identifier, said gateway identifier being valid if said gateway identifier is equivalent to said local store of said gateway identifier;
    - and said microcomputer is operable to determine a validity of said device identifier using a list of one or more valid device identifiers for at least one of the gateway server and the resource, said device identifier being valid if said device identifier is within the list of valid device identifiers.
  - 37. The server of claim 35 wherein said microcomputer is operable to determine a validity of said gateway identifier using a local store of said gateway identifier, said gateway identifier being valid if said gateway identifier is equivalent to said local store of said gateway identifier;
    - and said microcomputer is operable to determine a validity of said device identifier using a second device identifier received from said device, said device identifier being valid if said extracted device identifier is equivalent to said second device identifier.
  - 38. The server of claim 35 wherein said certificate includes a device public encryption key associated with said device and said plurality of identifiers further comprise a digital signature generated by signing said device public encryption key with a gateway server public encryption key associated with said server;
    - and wherein said microcomputer is operable to determine a validity of said digital signature using a gateway server private encryption key, said digital signature being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 39. The server of claim 34 wherein said certificate includes a device public encryption key associated with said device and said plurality of identifiers comprise a device identifier unique to said device and a digital signature generated by signing said device public encryption key with a gateway server public encryption key associated with said server.
  - 40. The server of claim 39 wherein said microcomputer is operable to determine a validity of said device identifier using a list of one or more valid device identifiers for at least one of the gateway server and the resource, said device identifier being valid if said device identifier is within the list of valid device identifiers;
    - and said microcomputer is operable to determine a validity of said digital signature using a gateway server private encryption key, said digital signature being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 41. The server of claim 39 wherein said microcomputer is operable to determine a validity of said device identifier using a second device identifier received from said device, said device identifier being valid if said extracted device identifier is equivalent to said second device identifier;
    - and said microcomputer is operable to determine a validity of said digital signature using a gateway server private encryption key, said digital signature being invalid if said digital signature cannot be verified using said gateway server private encryption key.
  - 42. The server of claim 22 wherein said resource is selected from the group consisting of at least one of the Internet and a local area network.

43. A digital certificate for use on a client device, said digital certificate including an identifier embedded therein, said identifier being extractable by a server to which said device can connect such that said server can permit or deny access to a resource connected to said server based on a validity of said identifier.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
- - 44. The certificate of claim 43 wherein said identifier is an identifier associated with said server.
  - 45. The certificate of claim 44 wherein said identifier is selected from the group consisting of a serial number associated with a central processing unit of said gateway server;
    - a hard drive identifier associated with a hard drive local to said gateway server;
      
      a unique name of said server assigned to an operating system executing on said server;
      
      a name associated with a set of gateway servers.
  - 46. The certificate of claim 43 wherein said identifier is a device identifier unique to said device.
  - 47. The certificate of claim 46 wherein said identifier is selected from the group consisting of a serial number associated with a central processing unit of said device;
    - a hard drive identifier associated with a hard drive local to said device;
      
      a unique name of said server assigned to an operating system executing on said device.
  - 48. The certificate of claim 43 wherein said certificate includes a device public encryption key associated with said device and said identifier is a digital signature generated by signing said device public encryption key with a server public encryption key associated with said server, and wherein said server is operable to determine said validity of said digital signature using a gateway server private encryption key, said identifier being invalid if said digital signature cannot be verified using said server private encryption key.
  - 49. The certificate of claim 43 wherein said identifier is at least one identifier selected from the group consisting of:
    - a) a gateway identifier associated with said gateway server;
      
      b) a device identifier unique to said device; and
      
      c) a digital signature generated by signing a device public encryption key embedded in said certificate.
  - 50. The certificate of claim 43 wherein said identifier is a plurality of identifiers selected from the group consisting of:
    - a) a gateway identifier associated with said gateway server;
      
      b) a device identifier unique to said device; and
      
      c) a digital signature generated by signing a device public encryption key embedded in said certificate.
  - 51. The certificate of claim 43 wherein said resource is selected from the group consisting of at least one of the Internet and a local area network.

52. A method of generating a digital certificate for use on a client device comprising:
- receiving at least one unique identifier;
  
  generating a digital certificate payload;
  
  embedding said at least one unique identifier and said payload into a certificate.
- View Dependent Claims (53)
- - 53. The method of claim 52 wherein said unique identifier is at least one identifier selected from the group consisting of:
    - a) a gateway identifier associated with said gateway server;
      
      b) a device identifier unique to said device; and
      
      c) a digital signature generated by signing a device public encryption key embedded in said certificate.

54. A computer readable media containing a set of programming instructions for use in a gateway server, said instructions including a method of controlling access to a resource comprising:
- receiving a digital certificate from a device;
  
  extracting an identifier embedded into said certificate;
  
  determining if said identifier is valid;
  
  if said identifier is determined to be valid, permitting said device to access said resource; and
  
  , if said identifier is determined to be invalid, denying said device access to said resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BCE Incorporated
Original Assignee
BCE Incorporated
Inventors
Lou, Dafu, O'Brien, William G., Yeap, Tet Hin

Granted Patent

US 7,904,952 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0823   using certificates cryptogr...

H04W 12/069   using certificates or pre-s...

H04W 12/082   using revocation of authori...

H04W 12/084   using delegated authorisati...

System and method for access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links