Extending credential type to group key management interoperability protocol (KMIP) clients

US 20130044878A1
Filed: 08/19/2011
Published: 02/21/2013
Est. Priority Date: 08/19/2011
Status: Active Grant

First Claim

Patent Images

1. A method for processing device type information certificate authentication process, comprising:

receiving a client request for key material, the client request including a client-side certificate and a custom credential;

using the client-side certificate to authenticate the client;

using the custom credential to identify the client and determine whether key material for the client has been provisioned;

serving the key material to the client if the client has been identified by the custom credential and the key material for the client has been provisioned.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.

Citations

25 Claims

1. A method for processing device type information certificate authentication process, comprising:
- receiving a client request for key material, the client request including a client-side certificate and a custom credential;
  
  using the client-side certificate to authenticate the client;
  
  using the custom credential to identify the client and determine whether key material for the client has been provisioned;
  
  serving the key material to the client if the client has been identified by the custom credential and the key material for the client has been provisioned.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 further including associating the client request to pre-provisioned cryptographic material for one of:
    - a particular device, and a device group.
  - 3. The method as described in claim 1 wherein the key material identifies a device type.
  - 4. The method as described in claim 3 wherein a plurality of devices having a same device type share a pool of key material.
  - 5. The method as described in claim 1 further including taking a given action if the custom credential fails to identify the key or the key material has not been provisioned.
  - 6. The method as described in claim 1 wherein the given action is one of:
    - refusing the client request, and placing the client request in a queue.
  - 7. The method as described in claim 1 wherein the client request is associated with a key management protocol and the custom credential is passed in a header file of the key management protocol.
  - 8. The method as described in claim 7 wherein the key management protocol is the Key Management Interoperability Protocol (KMIP).

9. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method comprising;
  
  receiving a client request for key material, the client request including a client-side certificate and a custom credential;
  
  using the client-side certificate to authenticate the client;
  
  using the custom credential to identify the client and determine whether key material for the client has been provisioned;
  
  serving the key material to the client if the client has been identified by the custom credential and the key material for the client has been provisioned.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 24)
- - 10. The apparatus as described in claim 9 wherein the method further includes associating the client request to pre-provisioned cryptographic material for one of:
    - a particular device, and a device group.
  - 11. The apparatus as described in claim 9 wherein the key material identifies a device type.
  - 12. The apparatus as described in claim 11 wherein a plurality of devices having a same device type share a pool of key material.
  - 13. The apparatus as described in claim 9 wherein the method further includes taking a given action if the custom credential fails to identify the key or the key material has not been provisioned.
  - 14. The apparatus as described in claim 9 wherein the given action is one of:
    - refusing the client request, and placing the client request in a queue.
  - 15. The apparatus as described in claim 9 wherein the client request is associated with a key management protocol and the custom credential is passed in a header file of the key management protocol.
  - 16. The apparatus as described in claim 15 wherein the key management protocol is the Key Management Interoperability Protocol (KMIP).
  - 24. The computer program product as described in claim 15 wherein the key management protocol is the Key Management Interoperability Protocol (KMIP).

17. A computer program product in a computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
- receiving a client request for key material, the client request including a client-side certificate and a custom credential;
  
  using the client-side certificate to authenticate the client;
  
  using the custom credential to identify the client and determine whether key material for the client has been provisioned;
  
  serving the key material to the client if the client has been identified by the custom credential and the key material for the client has been provisioned.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer program product as described in claim 17 wherein the method further includes associating the client request to pre-provisioned cryptographic material for one of:
    - a particular device, and a device group.
  - 19. The computer program product as described in claim 17 wherein the key material identifies a device type.
  - 20. The computer program product as described in claim 19 wherein a plurality of devices having a same device type share a pool of key material.
  - 21. The computer program product as described in claim 17 wherein the method further includes taking a given action if the custom credential fails to identify the key or the key material has not been provisioned.
  - 22. The computer program product as described in claim 17 wherein the given action is one of:
    - refusing the client request, and placing the client request in a queue.
  - 23. The computer program product as described in claim 17 wherein the client request is associated with a key management protocol and the custom credential is passed in a header file of the key management protocol.

25. Client apparatus, comprising:
- a processor;
  
  computer memory storing computer program instructions executed by the processor to generate and serve to a key management server apparatus a request including a request header, the request header including an extended credential that encodes information sufficient to enable the key management server apparatus to associate the request to pre-provisioned key material for one of;
  
  a particular device, and a device group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Rich, Bruce Arland, Arnold, Gordon Kent, Peck, John Thomas

Granted Patent

US 8,798,273 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/083   involving central third par...

Extending credential type to group key management interoperability protocol (KMIP) clients

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Extending credential type to group key management interoperability protocol (KMIP) clients

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links