Secure Network Location Awareness

US 20090070582A1
Filed: 09/12/2007
Published: 03/12/2009
Est. Priority Date: 09/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method at a client comprising:

receiving a signed message from an access node of a communications network, the signed message comprising at least a freshness indicator, a signature and a public key;

validating the freshness indicator;

verifying the signature of the signed message using the public key; and

if the validation and the verification processes are successful, accessing stored settings for use with the network, that access being made on the basis of information at least about the public key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure network location awareness is provided whereby a client is able to use appropriate settings when communicating with an access node of a communications network. In an embodiment a client receives a signed message from the access node, the signed message comprising at least a certificate chain having a public key. In some embodiments the certificate chain may be only a self-signed certificate and in other embodiments the certificate chain is two or more certificates in length. The client validates the certificate chain and verifies the signature of the signed message. If this is successful the client accesses stored settings for use with the access node. The stored settings are accessed at least using information about the public key. In another embodiment the signed message also comprises a location identifier which is, for example, a domain name system (DNS) suffix of the access node.

Citations

20 Claims

1. A method at a client comprising:
- receiving a signed message from an access node of a communications network, the signed message comprising at least a freshness indicator, a signature and a public key;
  
  validating the freshness indicator;
  
  verifying the signature of the signed message using the public key; and
  
  if the validation and the verification processes are successful, accessing stored settings for use with the network, that access being made on the basis of information at least about the public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as claimed in claim 1 wherein the public key is conveyed as a part of a certificate chain.
  - 3. A method as claimed in claim 2 wherein the certificate chain comprises only a self-signed certificate.
  - 4. A method as claimed in claim 1 wherein the signed message further comprises a location identifier and the access to the stored settings is made on the basis of the combination of at least the public key and the location identifier.
  - 5. A method as claimed in claim 4 wherein the public key is the root public key of a certificate chain and the client further checks that the location identifier matches a name in the certificate chain.
  - 6. A method as claimed in claim 5 wherein the location identifier is a DNS suffix and the client checks that that the location identifier is a suffix of a fully-qualified domain name of the access node, that fully-qualified domain name being provided in the certificate chain.
  - 7. A method as claimed in claim 1 wherein the freshness indicator comprises any of a random number, a pseudo-random number, a time stamp, and a number from a number sequence.
  - 8. A method as claimed in claim 7 wherein the freshness indicator has a value being one of a random number and a pseudo-random number and wherein the method further comprises checking that the signed message comprises the same freshness indicator value.
  - 9. A method as claimed in claim 4 wherein the stored settings are accessed using a hash of at least the public key and the location identifier.
  - 10. A method as claimed in claim 1 which further comprises making an earlier connection to the access node, selecting settings for use with the access node and storing information about those selected settings together with information about a public key advertised by the access node.
  - 11. A method as claimed in claim 10 which further comprises storing information about the selected settings together with information about the public key and information about a location identifier provided by the access node.
  - 12. A method as claimed in claim 1 wherein the stored settings have been stored using information from a different access node, that different access node having been certified by a common root certification authority between the access nodes.

13. A method at an access node of a communications network comprising:
- receiving a request from a client requiring a response from the access node;
  
  sending a signed message to the client, the signed message comprising at least a freshness indicator, location identifier, signature and a certificate chain comprising one or more certificates, the certificate chain having a public key;
  
  wherein the sending is arranged such that the message can be received only in a specified region of the communications network; and
  
  wherein the public key is suitable for verifying the signature and the location identifier matches a name in the certificate chain.
- View Dependent Claims (14, 15)
- - 14. A method as claimed in claim 13 wherein the location identifier is a suffix of the fully qualified domain name of the access node, that fully-qualified domain name being provided in the certificate chain.
  - 15. A method as claimed in claim 13 wherein the received freshness indicator is one of a random number and a pseudo-random number and wherein the method comprises copying that freshness indicator into the signed message.

16. A method at a client comprising:
- authenticating a communications network;
  
  determining a network identifier by computing a cryptographic hash function of data comprising at least a public key of the communications network; and
  
  accessing stored settings for use with the network, that access being made on the basis of the network identifier.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A method as claimed in claim 16 which further comprises receiving an authenticated location identifier from the communications network and including the location identifier in input to the cryptographic hash function.
  - 18. A method as claimed in claim 17 which further comprises obtaining a certificate chain of the communications network;
    - including a root public key of the certificate chain in the cryptographic hash function input; and
      
      checking that the location identifier matches a name in the certificate chain.
  - 19. A method as claimed in claim 18 wherein the client checks that the certificate chain comprises only a self-signed certificate.
  - 20. A method as claimed in claim 18 wherein the client checks that the location identifier is a suffix of a fully qualified domain name, the fully qualified domain name being provided in the certificate chain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Aura, Tuomas, Murdoch, Steven, Roe, Michael

Granted Patent

US 8,806,565 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 9/3265   using certificate chains, t...

Secure Network Location Awareness

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Network Location Awareness

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links