VPN Enrollment Protocol Gateway

US 20060179298A1
Filed: 03/30/2006
Published: 08/10/2006
Est. Priority Date: 04/12/2000
Status: Active Grant

First Claim

Patent Images

1. A registration authority comprising:

a protocol converter coupled to receive messages from a router targeting a certificate authority, and to receive messages from the certificate authority targeting the router;

wherein the protocol converter is configured to convert the messages received from the router in accordance with a first protocol and convert the messages received from the router to a second protocol and subsequently communicate the converted messages to the certificate authority; and

wherein the protocol converter is further configured to convert the messages received from the certificate authority in accordance with the second protocol and convert the messages received from the certificate authority to the first protocol and subsequently communicate the converted messages to the router.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual private network (VPN) enrollment protocol gateway is described herein. The protocol gateway is implemented as a registration authority that operates as an intermediary between routers and a certificate authority, allowing routers operating in accordance with one protocol to obtain and maintain certificates for a VPN from a certificate authority operating in accordance with another protocol. In accordance with one aspect, the gateway protocol supports various requests from the router, including router enrollment requests, get certificate revocation list request, get certificate requests, get certificate authority certificate requests, and password requests.

26 Citations

View as Search Results

20 Claims

1. A registration authority comprising:
- a protocol converter coupled to receive messages from a router targeting a certificate authority, and to receive messages from the certificate authority targeting the router;
  
  wherein the protocol converter is configured to convert the messages received from the router in accordance with a first protocol and convert the messages received from the router to a second protocol and subsequently communicate the converted messages to the certificate authority; and
  
  wherein the protocol converter is further configured to convert the messages received from the certificate authority in accordance with the second protocol and convert the messages received from the certificate authority to the first protocol and subsequently communicate the converted messages to the router.
- View Dependent Claims (2)
- - 2. A registration authority as recited in claim 1, wherein the router is unaware that it is communicating with a registration authority rather than directly with the certificate authority.

3. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors of a registration authority, causes the one or more processors to perform acts including:
- receiving, from a device, a first message in accordance with a first protocol;
  
  generating, based on the first message, a second message in accordance with a second protocol;
  
  sending the second message to a certificate authority;
  
  receiving, from the certificate authority, a third message in response to the second message and in accordance with the second protocol;
  
  generating, based on the third message, a fourth message in accordance with the first protocol; and
  
  sending the fourth message to the device as a response to the first message.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 4. One or more computer readable media as recited in claim 3, wherein the device comprises a router.
  - 5. One or more computer-readable media as recited in claim 3, wherein the first message comprises an enrollment message.
  - 6. One or more computer-readable media as recited in claim 5, wherein generating the second message comprises:
    - verifying that the first message has been digitally signed by the device;
      
      decrypting the first message;
      
      extracting a certificate enrollment request from the first message;
      
      generating a certificate authority request including the certificate enrollment request and a subject alternative names extension; and
      
      creating the second message by digitally signing the certificate authority request.
  - 7. One or more computer-readable media as recited in claim 5, wherein generating the fourth message comprises:
    - extracting a certificate from the third message;
      
      generating a response including the certificate;
      
      encrypting the response; and
      
      creating the fourth message by digitally signing the encrypted response.
  - 8. One or more computer-readable media as recited in claim 7, wherein extracting the certificate comprises accessing a set of certificates corresponding to the third message.
  - 9. One or more computer-readable media as recited in claim 7, wherein the computer program further causes the one or more processors to perform acts including:
    - extracting a certificate chain from the third message; and
      
      including the certificate chain in the response.
  - 10. One or more computer-readable media as recited in claim 5, wherein the third message comprises a certificate authority pending response.
  - 11. One or more computer-readable media as recited in claim 10, wherein generating the fourth message comprises:
    - generating a pending response;
      
      encrypting the pending response; and
      
      creating the fourth message by digitally signing the encrypted pending response.
  - 12. One or more computer-readable media as recited in claim 3, wherein the first message comprises a get certificate revocation list (CRL) message.
  - 13. One or more computer-readable media as recited in claim 12, wherein generating the second message comprises:
    - decrypting the first message;
      
      verifying that the first message has been digitally signed by the device;
      
      extracting a certificate serial number from the decrypted first message; and
      
      creating, as the second message, a get certificate by serial number request.
  - 14. One or more computer-readable media as recited in claim 12, wherein generating the fourth message comprises:
    - extracting a certificate from the third message;
      
      extracting a certificate revocation list distribution point from the certificate;
      
      obtaining a certificate revocation list based on the certificate revocation list distribution point; and
      
      generating, as the fourth message, a response including the certificate revocation list.
  - 15. One or more computer-readable media as recited in claim 14, wherein the certificate revocation list distribution point comprises a uniform resource locator (URL).
  - 16. One or more computer-readable media as recited in claim 14, wherein obtaining the certificate revocation list further comprises retrieving the certificate revocation list from the certificate revocation list distribution point.
  - 17. One or more computer-readable media as recited in claim 3, wherein the first message comprises a get certificate message.
  - 18. One or more computer-readable media as recited in claim 17, wherein generating the second message comprises:
    - decrypting the first message;
      
      verifying that the first message has been digitally signed by the device;
      
      extracting a certificate serial number from the decrypted first message; and
      
      creating, as the second message, a get certificate by serial number request.
  - 19. One or more computer-readable media as recited in claim 3, wherein generating the fourth message comprises:
    - extracting a certificate from the third message; and
      
      generating, as the fourth message, a response including the certificate.
  - 20. One or more computer-readable media as recited in claim 19, wherein generating the fourth message further comprises:
    - extracting a certificate chain from the third message; and
      
      including the certificate chain in the response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Balaz, Rudolph, Su, Xiaohong, Vogel, Keith R., Heller, Victor W.

Granted Patent

US 7,350,073 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

VPN Enrollment Protocol Gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

VPN Enrollment Protocol Gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others