Server authentication using multiple authentication chains

US 20170289137A1
Filed: 03/31/2016
Published: 10/05/2017
Est. Priority Date: 03/31/2016
Status: Active Grant

First Claim

Patent Images

1. A method to authenticate a server to a client, the server having an associated public key, comprising:

associating “

n”

distinct certificates to the server'"'"'s public key, each of the “

n”

distinct certificates being issued by a distinct certificate authority (CA);

responsive to the client initiating a request for a secure channel to the server, providing the client the “

n”

distinct certificates; and

responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establishing the secure channel between the client and the server;

the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server'"'"'s public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server'"'"'s public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.

Citations

20 Claims

1. A method to authenticate a server to a client, the server having an associated public key, comprising:
- associating “
  
  n”
  
  distinct certificates to the server'"'"'s public key, each of the “
  
  n”
  
  distinct certificates being issued by a distinct certificate authority (CA);
  
  responsive to the client initiating a request for a secure channel to the server, providing the client the “
  
  n”
  
  distinct certificates; and
  
  responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establishing the secure channel between the client and the server;
  
  the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 wherein each of the distinct certificates has a certification chain with a different root certificate authority.
  - 3. The method as described in claim 2 wherein the certificate chains for the “
    - n”
      
      distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs.
  - 4. The method as described in claim 1 wherein the client threshold level of trust is designated by a trust function computed over the certificate chains.
  - 5. The method as described in claim 1 further including requesting the “
    - n”
      
      distinct certificates from the distinct certificate authorities.
  - 6. The method as described in claim 1 wherein “
    - n”
      
      is greater than 2.

7. An apparatus associated with a server having a public key, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to authenticate the server to a client, the computer program instructions operative to;
  
  associate “
  
  n”
  
  distinct certificates to the server'"'"'s public key, each of the “
  
  n”
  
  distinct certificates being issued by a distinct certificate authority (CA);
  
  responsive to the client initiating a request for a secure channel to the server, provide the client the “
  
  n”
  
  distinct certificates; and
  
  responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establish the secure channel between the client and the server;
  
  the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein each of the distinct certificates has a certification chain with a different root certificate authority.
  - 9. The apparatus as described in claim 8 wherein the certificate chains for the “
    - n”
      
      distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs.
  - 10. The apparatus as described in claim 7 wherein the client threshold level of trust is designated by a trust function computed over the certificate chains.
  - 11. The apparatus as described in claim 7 further including requesting the “
    - n”
      
      distinct certificates from the distinct certificate authorities.
  - 12. The apparatus as described in claim 7 wherein “
    - n”
      
      is greater than 2.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system associated with a server, the server having a public key, the computer program product holding computer program instructions which, when executed by the data processing system, are operative to:
- associate “
  
  n”
  
  distinct certificates to the server'"'"'s public key, each of the “
  
  n”
  
  distinct certificates being issued by a distinct certificate authority (CA);
  
  responsive to the client initiating a request for a secure channel to the server, provide the client the “
  
  n”
  
  distinct certificates; and
  
  responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establish the secure channel between the client and the server;
  
  the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus as described in claim 13 wherein each of the distinct certificates has a certification chain with a different root certificate authority.
  - 15. The apparatus as described in claim 14 wherein the certificate chains for the “
    - n”
      
      distinct certificates are valid and non-overlapping with respect to their intermediate and root CAs.
  - 16. The apparatus as described in claim 13 wherein the client threshold level of trust is designated by a trust function computed over the certificate chains.
  - 17. The apparatus as described in claim 13 further including requesting the “
    - n”
      
      distinct certificates from the distinct certificate authorities.
  - 18. The apparatus as described in claim 13 wherein “
    - n”
      
      is greater than 2.

19. A method to authenticate a server to a client, the server having an associated public key, comprising:
- specifying a client public key acceptance policy, the client public key acceptance policy identifying a required number of certificates for the server public key that must be received from the server, and a trust function that is applied over information in the certificates and that must be satisfied to establish a client threshold level of trust;
  
  responsive to the client initiating a request for a secure channel to the server, receiving from the server “
  
  n”
  
  distinct certificates, each of the “
  
  n”
  
  distinct certificates having been issued to the server by a distinct certificate authority (CA);
  
  determining whether the “
  
  n”
  
  distinct certificates are valid; and
  
  responsive to a determination that the “
  
  n”
  
  distinct certificates are valid and are non-overlapping with different root certificate authorities, determining whether certificate chains specified by the received certificates satisfy the trust function of the client public key acceptance policy;
  
  responsive to a determination that the certificate chains specified by the received certificates satisfy the trust function client public key acceptance policy, establishing the secure channel.
- View Dependent Claims (20)
- - 20. The method as described in claim 19 wherein the trust function applies a trust metric over certificate chains in the received certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Pendarakis, Dimitrios, Valdez, Enriquillo

Granted Patent

US 10,171,452 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

Server authentication using multiple authentication chains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Server authentication using multiple authentication chains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links