Mechanisms for Certificate Revocation Status Verification on Constrained Devices

US 20130340064A1
Filed: 06/05/2013
Published: 12/19/2013
Est. Priority Date: 06/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

using a nonce of an authentication protocol request message to derive a nonce for a revocation status protocol request; and

deriving a secure nonce with a processor, using the nonce from the authentication protocol request as an operator of a key derivation function.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process is provided for communication security certificate revocation status verification by using the client device as a proxy in online status verification protocol. The process utilizes a nonce of an authentication protocol request message (nonce_A) to derive the nonce for the revocation status protocol request (nonce_S) to reduce the number of message exchanges needed between the client and the verifier devices, and a mechanism to send the nonce (nonce_S) prior to actual authentication protocol execution to ease the connectivity requirement of client device from on-demand connectivity to periodic connectivity. Similar functionality is achieved using a random seed established between the verifier and client. The verifier picks a seed for random number generation and sends that seed to the client. The client derives the nonce_S from the seed before status protocol execution, and the verifier derives the nonce_S from the seed before proxied status response verification.

Citations

28 Claims

1. A method comprising:
- using a nonce of an authentication protocol request message to derive a nonce for a revocation status protocol request; and
  
  deriving a secure nonce with a processor, using the nonce from the authentication protocol request as an operator of a key derivation function.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - receiving a revocation status protocol response.
  - 3. The method of claim 2 further comprising:
    - verifying the revocation status protocol response using the secure nonce.
  - 4. The method of claim 1 wherein only two messages are necessary to exchange in an authentication protocol for a single authentication protocol request.
  - 5. A computer program product comprising a computer readable storage medium having computer coded instructions stored therein, said instructions configured to cause an apparatus to perform the method of claim 1.

6. A method comprising:
- receiving a random nonce at a client device before authentication protocol execution;
  
  obtaining revocation status information using the random nonce in the client device when network connectivity is available; and
  
  executing the authentication protocol with a processor.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 wherein executing the authentication protocol further comprises:
    - receiving an authentication protocol request having an authentication nonce.
  - 8. The method of claim 7 wherein executing the authentication protocol further comprises:
    - returning the authentication nonce and the random nonce for authentication.
  - 9. The method of claim 6 further comprising:
    - starting a timer when the random nonce is sent to the client device.
  - 10. The method of claim 9 wherein the authentication protocol is executed only if the timer has not expired.
  - 11. A computer program product comprising a computer readable storage medium having computer coded instructions stored therein, said instructions configured to cause an apparatus to perform the method of claim 6.

12. A method comprising:
- receiving a random seed value at a client device from a verifier device;
  
  deriving at the client device a revocation status nonce for a revocation status protocol request;
  
  verifying an authentication protocol response with an authentication protocol nonce; and
  
  verifying the revocation status response with the revocation status nonce.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, further comprising:
    - starting a timer when the seed value for the revocation status nonce is sent to the client device.
  - 14. The method of claim 13 wherein the authentication protocol is executed only if the timer has not expired.
  - 15. A computer program product comprising a computer readable storage medium having computer coded instructions stored therein, said instructions configured to cause an apparatus to perform the method of claim 12.

16. An apparatus comprising a processor, a memory in communication with the processor and having computer coded instructions stored therein, said instructions configured, when executed by the processor, to cause the apparatus to perform:
- using a nonce of an authentication protocol request message to derive a nonce for a revocation status protocol request; and
  
  deriving a secure nonce using the nonce from the authentication protocol request as an operator of a key derivation function.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, further comprising instructions configured to cause the apparatus to perform:
    - receiving a revocation status protocol response.
  - 18. The apparatus of claim 17, further comprising instructions configured to cause the apparatus to perform:
    - verifying the revocation status protocol response using the secure nonce.
  - 19. The apparatus of claim 16 wherein only two messages are necessary to exchange in an authentication protocol for a single authentication protocol request.
  - 20. A computer program product comprising a computer readable storage medium having computer coded instructions stored therein, said instructions configured to cause an apparatus to perform the method of claim 16.

21. An apparatus comprising a processor, a memory in communication with the processor and having computer coded instructions stored therein, said instructions configured, when executed by the processor, to cause the apparatus to perform:
- receiving a random nonce at a client device before authentication protocol execution;
  
  obtaining revocation status information using the random nonce in the client device when network connectivity is available; and
  
  executing the authentication protocol.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The apparatus of claim 21 wherein executing the authentication protocol comprises:
    - receiving an authentication protocol request having an authentication nonce.
  - 23. The apparatus of claim 22 wherein executing the authentication protocol further comprises:
    - returning the authentication nonce and the random nonce for authentication.
  - 24. The apparatus of claim 21, further comprising instructions configured to cause the apparatus to perform:
    - starting a timer when the random nonce is sent to the client device.
  - 25. The apparatus of claim 21 wherein the authentication protocol is executed only if the timer has not expired.

26. An apparatus comprising a processor, a memory in communication with the processor and having computer coded instructions stored therein, said instructions configured, when executed by the processor, to cause the apparatus to perform:
- receiving a random seed value at a client device from a verifier device;
  
  deriving at the client device a revocation status nonce for a revocation status protocol request;
  
  verifying an authentication protocol response with an authentication protocol nonce; and
  
  verifying the revocation status response with the revocation status nonce.
- View Dependent Claims (27, 28)
- - 27. The apparatus of claim 26 wherein executing the authentication protocol further comprises:
    - starting a timer when the seed value for the revocation status nonce is sent to the client device.
  - 28. The apparatus of claim 27 wherein the authentication protocol is executed only if the timer has not expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Kostiainen, Kari, Asokan, Nadarajah

Granted Patent

US 9,756,036 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 9/0869   involving random numbers or...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

Mechanisms for Certificate Revocation Status Verification on Constrained Devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanisms for Certificate Revocation Status Verification on Constrained Devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links