APPARATUS AND METHODS FOR PROTECTING NETWORK RESOURCES
Abstract
Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization's network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.
Claims (19)

1. A method of protecting an organization's network resources, comprising:
maintaining a root certificate of a first cryptographic infrastructure;
maintaining a root certificate of a second cryptographic infrastructure associated with the organization;
issuing, to each authenticator within a network operated by the organization, an initial intermediate CA certificate within the second cryptographic infrastructure; and
after a given authenticator issues to a new client computing device a client certificate within the second cryptographic infrastructure, issuing to the given authenticator a replacement intermediate CA certificate.
Dependent claims: 2 to 12 (not reproduced here).

13. A computer-readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of protecting an organization's network resources, the method comprising:
maintaining a root certificate of a first cryptographic infrastructure;
maintaining a root certificate of a second cryptographic infrastructure associated with the organization;
issuing, to each authenticator within a network operated by the organization, an initial intermediate CA certificate within the second cryptographic infrastructure; and
after a given authenticator issues to a new client computing device a client certificate within the second cryptographic infrastructure, issuing to the given authenticator a replacement intermediate CA certificate.

14. An apparatus for protecting an organization's network, the apparatus comprising:
a certificate authority for a first cryptographic infrastructure, wherein digital certificates signed by the certificate authority for the first cryptographic infrastructure are issued to authenticators and client device enablers operating within multiple organizations' network; and
for each of the multiple organizations:
a certificate authority for a second cryptographic infrastructure, wherein digital certificates signed by the certificate authority for the second cryptographic infrastructure of a given organization are issued to every authenticator and every client device authorized to operate within the organization; and
identifiers of entities authorized to access the organization's network;
wherein said identifiers are disseminated to all authenticators operating within the organization's network.
Dependent claims: 15 to 19 (not reproduced here).
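The two-PKI provisioning flow of the abstract and of claims 1 and 14, worked through as an added example (it is not code from the patent or from any product implementing it) using Go's standard crypto/x509 package to build and verify real certificates: one root for the global infrastructure and one for the organization, an authenticator that receives an intermediate CA certificate from the organization root, a client certificate issued under that intermediate, and a replacement intermediate issued to the authenticator after each client issuance. Everything beyond the claim text is assumed: the names (Global PKI root, Example Org PKI root, authenticator-1, client-A, client-B), ECDSA P-256 keys, the certificate profile (key usages, 24-hour validity, path-length constraints, random serials) and a fresh key pair for every replacement intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on err so the issuance steps below stay readable.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// ca pairs a CA certificate with the private key that signs under it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a minimal certificate (assumed profile): CA certs get keyCertSign and a path-length limit, leaves get clientAuth.
func template(cn string, isCA bool, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// createCert signs tmpl for pub with signer's key under parent and parses the result.
func createCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newRoot creates a self-signed root that allows one intermediate below it.
func newRoot(cn string) *ca {
	key, tmpl := newKey(), template(cn, true, 1)
	return &ca{createCert(tmpl, tmpl, &key.PublicKey, key), key}
}

// authenticator holds its current intermediate CA certificate in the organization's PKI (assumed: fresh key per intermediate).
type authenticator struct {
	name  string
	inter *ca
}

// issueIntermediate is the org root issuing the initial or a replacement intermediate to the authenticator; path length 0 limits it to leaves.
func (a *authenticator) issueIntermediate(orgRoot *ca) {
	key, tmpl := newKey(), template(a.name+" intermediate", true, 0)
	a.inter = &ca{createCert(tmpl, orgRoot.cert, &key.PublicKey, orgRoot.key), key}
}

// provisionClient issues the new client a certificate under the current intermediate, then takes a replacement intermediate (the claim's last step).
func (a *authenticator) provisionClient(orgRoot *ca, client string, pub *ecdsa.PublicKey) (leaf, issuer *x509.Certificate) {
	issuer = a.inter.cert
	leaf = createCert(template(client, false, 0), issuer, pub, a.inter.key)
	a.issueIntermediate(orgRoot) // the used intermediate and its key are dropped here
	return leaf, issuer
}

// chainsTo reports whether leaf validates for client authentication up to root via inter.
func chainsTo(leaf, inter, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// runDemo walks the scheme end to end and returns what a verifier observes.
func runDemo() map[string]bool {
	globalRoot := newRoot("Global PKI root")   // first cryptographic infrastructure
	orgRoot := newRoot("Example Org PKI root") // second, per-organization infrastructure
	auth := &authenticator{name: "authenticator-1"}
	auth.issueIntermediate(orgRoot) // initial intermediate CA certificate
	a, b := newKey(), newKey()      // constructed client device keys
	certA, issuerA := auth.provisionClient(orgRoot, "client-A", &a.PublicKey)
	certB, issuerB := auth.provisionClient(orgRoot, "client-B", &b.PublicKey)
	return map[string]bool{
		"client-A chains to org root":            chainsTo(certA, issuerA, orgRoot.cert),
		"client-A rejected under global root":    !chainsTo(certA, issuerA, globalRoot.cert),
		"client-B chains via replacement":        chainsTo(certB, issuerB, orgRoot.cert),
		"client-B rejected via old intermediate": !chainsTo(certB, issuerA, orgRoot.cert),
	}
}
```

Calling runDemo from a main or a test returns four checks, all true: a client certificate from the organization's infrastructure validates only under the organization root, so certificates of the global infrastructure (used for CDE-to-authenticator mutual authentication) and of the per-organization infrastructure cannot be mistaken for one another; and because the authenticator's intermediate is replaced after every issuance, each client certificate chains through an intermediate that signed no other client, so a relying party that stops trusting one intermediate affects exactly one client.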