EXCHANGE OF NETWORK ACCESS CONTROL INFORMATION USING TIGHTLY-CONSTRAINED NETWORK ACCESS CONTROL PROTOCOLS
First Claim
1. A method comprising:
receiving, with an access control device, a digital signature through a tightly-constrained handshake sequence of a network protocol, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights, wherein the digital signature is based on a trusted platform module (“TPM”) value and a nonce value, and wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate a set of nonce information during the tightly-constrained handshake sequence;
determining whether the access control device has previously negotiated the set of nonce information with the endpoint device;
determining whether the TPM value is associated with an acceptable configuration;
determining whether the nonce value is acceptable;
determining whether the digital signature is valid; and
granting the access rights to the endpoint device when the access control device has previously negotiated the set of nonce information, when the TPM value is associated with the acceptable configuration, when the nonce value is acceptable, and when the digital signature is valid.
Abstract
In general, techniques are described for securely exchanging network access control information. The techniques may be useful in situations where an endpoint device and an access control device perform a tightly-constrained handshake sequence of a network protocol when the endpoint device requests access to a network. The handshake sequence may be constrained in a variety of ways. Due to the constraints of the handshake sequence, the endpoint device and the access control device may be unable to negotiate a set of nonce information during the handshake sequence. For this reason, the access control device uses a previously negotiated set of nonce information and other configuration information associated with the endpoint device as part of a process to determine whether the endpoint device should be allowed to access the protected networks.
25 Claims
1. A method comprising:
receiving, with an access control device, a digital signature through a tightly-constrained handshake sequence of a network protocol, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights, wherein the digital signature is based on a trusted platform module (“TPM”) value and a nonce value, and wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate a set of nonce information during the tightly-constrained handshake sequence;
determining whether the access control device has previously negotiated the set of nonce information with the endpoint device;
determining whether the TPM value is associated with an acceptable configuration;
determining whether the nonce value is acceptable;
determining whether the digital signature is valid; and
granting the access rights to the endpoint device when the access control device has previously negotiated the set of nonce information, when the TPM value is associated with the acceptable configuration, when the nonce value is acceptable, and when the digital signature is valid.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. An access control device comprising:
a request reception module that receives a digital signature through a tightly-constrained handshake sequence of a network protocol, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights, wherein the digital signature is based on a trusted platform module (“TPM”) value and a nonce value, and wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate a set of nonce information during the tightly-constrained handshake sequence;
a cache management module that determines whether the access control device has previously negotiated the set of nonce information with the endpoint device;
a TPM evaluation module that determines whether the TPM value is associated with an acceptable configuration;
a nonce evaluation module that determines whether the nonce value is acceptable;
a signature verification module that determines whether the digital signature is valid; and
an access instruction module that grants the access rights to the endpoint device when the access control device has previously negotiated the set of nonce information, when the TPM value is associated with the acceptable configuration, when the nonce value is acceptable, and when the digital signature is valid.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. A computer-readable medium comprising instructions, wherein the instructions cause one or more programmable processors of an access control device to:
receive a digital signature through a tightly-constrained handshake sequence of a network protocol, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights, wherein the digital signature is based on a trusted platform module (“TPM”) value and a nonce value, and wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate a set of nonce information during the tightly-constrained handshake sequence;
determine whether the access control device has previously negotiated the set of nonce information with the endpoint device;
determine whether the TPM value is associated with an acceptable configuration;
determine whether the nonce value is acceptable;
determine whether the digital signature is valid; and
grant the access rights to the endpoint device when the access control device has previously negotiated the set of nonce information with the endpoint device, when the TPM value is associated with the acceptable configuration, when the nonce value is acceptable, and when the digital signature is valid.
Dependent claims: 20, 21, 22, 23, 24, 25

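The decision logic of the independent claims (cached nonce set, acceptable TPM value, acceptable nonce, valid signature, and only then a grant), as an added illustration that is not code from the patent or its assignee. It assumes a pre-provisioned per-endpoint verification key, treats a consumed nonce as no longer acceptable so a replayed handshake is refused, and uses an HMAC as a stand-in for the endpoint's TPM-backed signature so that it runs with the standard library alone; the TPM values, keys and nonces are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (not from the patent): PCR-style TPM values that the
# access control device treats as acceptable endpoint configurations.
APPROVED_IMAGE = hashlib.sha256(b"approved-image-v1").hexdigest()
UNKNOWN_IMAGE = hashlib.sha256(b"unknown-image").hexdigest()
ACCEPTABLE_TPM_VALUES = {APPROVED_IMAGE, hashlib.sha256(b"approved-image-v2").hexdigest()}


def sign(key: bytes, tpm_value: str, nonce: bytes) -> bytes:
    """Stand-in for the endpoint's TPM-backed signature over (TPM value, nonce).
    Assumption: an HMAC replaces the asymmetric signature so the example is self-contained."""
    return hmac.new(key, tpm_value.encode() + b"|" + nonce, hashlib.sha256).digest()


@dataclass
class EndpointRecord:
    key: bytes    # verification key provisioned when the nonce set was negotiated (assumed)
    nonces: set   # previously negotiated nonces that have not yet been consumed


class AccessControlDevice:
    def __init__(self) -> None:
        self._cache: dict = {}   # endpoint id -> EndpointRecord (the claim's "cache management")

    def negotiate_nonces(self, endpoint_id: str, key: bytes, nonces) -> None:
        """Earlier, unconstrained exchange: remember the nonce set for later handshakes."""
        self._cache[endpoint_id] = EndpointRecord(key, set(nonces))

    def evaluate(self, endpoint_id: str, tpm_value: str, nonce: bytes, signature: bytes):
        """The four checks of claim 1, in order; returns (grant, reason)."""
        record = self._cache.get(endpoint_id)
        if record is None:
            return False, "no previously negotiated nonce set for this endpoint"
        if tpm_value not in ACCEPTABLE_TPM_VALUES:
            return False, "TPM value is not an acceptable configuration"
        if nonce not in record.nonces:
            return False, "nonce not acceptable (never negotiated or already used)"
        if not hmac.compare_digest(sign(record.key, tpm_value, nonce), signature):
            return False, "digital signature is invalid"
        record.nonces.discard(nonce)   # consume it so a replayed handshake fails the nonce check
        return True, "access granted"


def demo():
    """Constructed scenario: one good handshake, then a replay of it, then an unapproved image."""
    acd = AccessControlDevice()
    acd.negotiate_nonces("endpoint-1", b"endpoint-1-key", [b"nonce-a", b"nonce-b"])
    good = acd.evaluate("endpoint-1", APPROVED_IMAGE, b"nonce-a", sign(b"endpoint-1-key", APPROVED_IMAGE, b"nonce-a"))
    replay = acd.evaluate("endpoint-1", APPROVED_IMAGE, b"nonce-a", sign(b"endpoint-1-key", APPROVED_IMAGE, b"nonce-a"))
    bad_image = acd.evaluate("endpoint-1", UNKNOWN_IMAGE, b"nonce-b", sign(b"endpoint-1-key", UNKNOWN_IMAGE, b"nonce-b"))
    return [good[0], replay[0], bad_image[0]]
```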
Specification