APPARATUS AND METHODS FOR PROTECTING NETWORK RESOURCES

US 20110087882A1
Filed: 10/12/2009
Published: 04/14/2011
Est. Priority Date: 10/12/2009
Status: Active Grant

First Claim

Patent Images

1. A method of protecting an organization'"'"'s network resources, comprising:

maintaining a root certificate of a first cryptographic infrastructure;

maintaining a root certificate of a second cryptographic infrastructure associated with the organization;

issuing, to each authenticator within a network operated by the organization, an initial intermediate CA certificate within the second cryptographic infrastructure; and

after a given authenticator issues to a new client computing device a client certificate within the second cryptographic infrastructure, issuing to the given authenticator a replacement intermediate CA certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization'"'"'s network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.

63 Citations

View as Search Results

19 Claims

1. A method of protecting an organization'"'"'s network resources, comprising:
- maintaining a root certificate of a first cryptographic infrastructure;
  
  maintaining a root certificate of a second cryptographic infrastructure associated with the organization;
  
  issuing, to each authenticator within a network operated by the organization, an initial intermediate CA certificate within the second cryptographic infrastructure; and
  
  after a given authenticator issues to a new client computing device a client certificate within the second cryptographic infrastructure, issuing to the given authenticator a replacement intermediate CA certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - issuing, to each client device enabler configured to provision a client computing device within the organization network, an initial client certificate within the first cryptographic infrastructure.
  - 3. The method of claim 2, further comprising:
    - after a given client device enabler is operated to provision a client computing device, issuing a replacement client certificate within the first cryptographic infrastructure to the given client device enabler.
  - 4. The method of claim 2, further comprising:
    - recording identifiers of authenticators and client device enablers authorized to operate in the organization network.
  - 5. The method of claim 4, further comprising:
    - disseminating the recorded identifiers to all authenticators operating in the organization network.
  - 6. The method of claim 1, further comprising:
    - recording identifiers of client computing devices authorized to access the organization network.
  - 7. The method of claim 6, further comprising:
    - disseminating the recorded identifiers to all authenticators operating in the organization network.
  - 8. The method of claim 7, wherein the identifiers comprise digital certificates issued to the client computing devices.
  - 9. The method of claim 7, wherein the identifiers comprise fingerprints of digital certificates issued to the client computing devices.
  - 10. The method of claim 1, wherein an authenticator is configured to:
    - authenticate a client device enabler prior to provisioning of a client computing device by the client device enabler.
  - 11. The method of claim 10, wherein an authenticator is further configured to:
    - authenticate the client computing device after said provisioning.
  - 12. The method of claim 1, further comprising:
    - issuing server certificates within the first cryptographic infrastructure to all authenticators operating in the organization network.

13. A computer-readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of protecting an organization'"'"'s network resources, the method comprising:
- maintaining a root certificate of a first cryptographic infrastructure;
  
  maintaining a root certificate of a second cryptographic infrastructure associated with the organization;
  
  issuing, to each authenticator within a network operated by the organization, an initial intermediate CA certificate within the second cryptographic infrastructure; and
  
  after a given authenticator issues to a new client computing device a client certificate within the second cryptographic infrastructure, issuing to the given authenticator a replacement intermediate CA certificate.

14. An apparatus for protecting an organization'"'"'s network, the apparatus comprising:
- a certificate authority for a first cryptographic infrastructure, wherein digital certificates signed by the certificate authority for the first cryptographic infrastructure are issued to authenticators and client device enablers operating within multiple organizations'"'"' network; and
  
  for each of the multiple organizations;
  
  a certificate authority for a second cryptographic infrastructure, wherein digital certificates signed by the certificate authority for the second cryptographic infrastructure of a given organization are issued to every authenticator and every client device authorized to operate within the organization; and
  
  identifiers of entities authorized to access the organization'"'"'s network;
  
  wherein said identifiers are disseminated to all authenticators operating within the organization'"'"'s network.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, further comprising:
    - authorization logic for mutually authenticating an authenticator operating within an organization'"'"'s network.
  - 16. The apparatus of claim 14, wherein:
    - digital certificates issued by the certificate authority for the second cryptographic infrastructure to an authenticator include a intermediate CA certificate usable by the authenticator to issue client digital certificates to client computing devices.
  - 17. The apparatus of claim 16, wherein:
    - digital certificates issued by the certificate authority for the second cryptographic infrastructure to an authenticator further include a replacement intermediate CA certificate;
      
      wherein a replacement intermediate CA certificate is issued to the authenticator after the authenticator issues a client digital certificate to a client computing device.
  - 18. The apparatus of claim 14, wherein:
    - digital certificates issued by the certificate authority for the first cryptographic infrastructure to a client device enabler includes a client digital certificate with which the client device enabler may authenticate itself to an authenticator prior to provisioning a new client computing device.
  - 19. The apparatus of claim 18, wherein:
    - digital certificates issued by the certificate authority for the first cryptographic infrastructure to a client device enabler further include a replacement client certificate;
      
      wherein a replacement client certificate is issued to the client device enabler after the client device enabler provisions the new client computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PowerCloud Systems, Inc. (Comcast Corporation)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Barber, Simon E. M., Smetters, Diana K., Wang, Li-Jen, Kuo, Ted T., Abramowitz, Jeffrey D., Peiro, Andrea, Yang, Bo-chieh

Granted Patent

US 8,555,054 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 9/006   involving public key infras...

H04L 9/3263   involving certificates, e.g...

APPARATUS AND METHODS FOR PROTECTING NETWORK RESOURCES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

APPARATUS AND METHODS FOR PROTECTING NETWORK RESOURCES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others