Server authentication using multiple authentication chains
First Claim
1. A method to authenticate a server to a client, the server having an associated public key, comprising:
associating “n” distinct certificates to the server's public key, each of the “n” distinct certificates being issued by a distinct certificate authority (CA);
responsive to the client initiating a request for a secure channel to the server, providing the client the “n” distinct certificates; and
responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establishing the secure channel between the client and the server;
the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
Abstract
A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server's public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server's public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.
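The acceptance policy described in the abstract reduces to three checks on the client side: every offered chain must be valid, the chains counted toward the threshold must be non-overlapping (different root CAs, no shared CA certificate), and at least the configured number of such chains must be present. The following Python is an added illustration of that policy evaluation and is not code from the patent or from any implementation it describes. It uses a constructed toy certificate model (`Cert`, a `TRUSTED_ROOTS` trust store and `sample_chains()` are all assumptions made here); a real client would parse X.509, verify signatures and consult revocation data where this example only checks structure and expiry.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Minimal certificate model, constructed for this example. A real client would
# parse X.509, verify each signature and consult revocation data; here those
# checks are stood in for by the structural checks in chain_is_valid().
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: str      # identifier of the subject's key, e.g. a SPKI hash
    not_after: date
    is_ca: bool = False

# Constructed client trust store: names of the root CAs the client trusts.
TRUSTED_ROOTS = frozenset({"RootA", "RootB", "RootC"})
# Constructed "current date" for the expiry checks.
TODAY = date(2025, 1, 1)


def chain_is_valid(chain, today, trusted_roots=TRUSTED_ROOTS):
    """Chain is ordered [leaf, intermediates..., root]. True when every
    certificate is unexpired, each is issued by the next one, every non-leaf
    is a CA, and the chain ends in a self-issued root from the trust store."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        if cert.not_after < today:
            return False
        if i > 0 and not cert.is_ca:
            return False
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False
    root = chain[-1]
    return root.subject == root.issuer and root.subject in trusted_roots


def non_overlapping(chains):
    """Chains are non-overlapping when they end in different root CAs and no
    CA certificate (anything above the leaf) appears in more than one chain."""
    roots = [c[-1].subject for c in chains]
    if len(set(roots)) != len(roots):
        return False
    seen = set()
    for chain in chains:
        for cert in chain[1:]:
            if cert in seen:
                return False
            seen.add(cert)
    return True


def accept_server_key(chains, required, today):
    """Client public key acceptance policy: accept when at least `required`
    valid chains exist that are pairwise non-overlapping and all certify the
    same server public key. Returns the frozenset of root CA names backing the
    accepted subset, or an empty frozenset when the policy is not met."""
    keys = {c[0].public_key for c in chains if c}
    if len(keys) != 1:
        return frozenset()  # all certificates must bind the same server key
    valid = [c for c in chains if chain_is_valid(c, today)]
    if required < 1 or len(valid) < required:
        return frozenset()
    # Overlap is a pairwise property, so search subsets of the required size
    # (n is small in practice, so the combinatorial search is cheap).
    for subset in combinations(valid, required):
        if non_overlapping(subset):
            return frozenset(c[-1].subject for c in subset)
    return frozenset()


def sample_chains(server_key="spki:server-1"):
    """Constructed sample: two independently rooted chains, a third that shares
    RootB with the second, and a fourth whose leaf has expired."""
    far = date(2030, 1, 1)
    root_a = Cert("RootA", "RootA", "spki:root-a", far, True)
    root_b = Cert("RootB", "RootB", "spki:root-b", far, True)
    root_c = Cert("RootC", "RootC", "spki:root-c", far, True)
    int_a = Cert("IntA", "RootA", "spki:int-a", far, True)
    int_b1 = Cert("IntB1", "RootB", "spki:int-b1", far, True)
    int_b2 = Cert("IntB2", "RootB", "spki:int-b2", far, True)
    int_c = Cert("IntC", "RootC", "spki:int-c", far, True)
    return [
        [Cert("server.example", "IntA", server_key, far), int_a, root_a],
        [Cert("server.example", "IntB1", server_key, far), int_b1, root_b],
        [Cert("server.example", "IntB2", server_key, far), int_b2, root_b],
        [Cert("server.example", "IntC", server_key, date(2020, 1, 1)), int_c, root_c],
    ]


if __name__ == "__main__":
    chains = sample_chains()
    print("threshold 2:", sorted(accept_server_key(chains, 2, TODAY)))  # ['RootA', 'RootB']
    print("threshold 3:", sorted(accept_server_key(chains, 3, TODAY)))  # []
```

With the sample data a threshold of 2 is met by the RootA and RootB chains, while a threshold of 3 fails: the third chain shares RootB with the second, and the RootC chain has expired, so only two independent roots remain. The same-key check matters because the policy is about the server's public key, not about the chains in isolation; chains that each validate but bind different keys prove nothing about the key the handshake will use.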
20 Claims
1. A method to authenticate a server to a client, the server having an associated public key, comprising:
associating “n” distinct certificates to the server's public key, each of the “n” distinct certificates being issued by a distinct certificate authority (CA);
responsive to the client initiating a request for a secure channel to the server, providing the client the “n” distinct certificates; and
responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establishing the secure channel between the client and the server;
the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
Dependent claims: 2, 3, 4, 5, 6
7. An apparatus associated with a server having a public key, comprising:
a processor;
computer memory holding computer program instructions executed by the processor to authenticate the server to a client, the computer program instructions operative to:
associate “n” distinct certificates to the server's public key, each of the “n” distinct certificates being issued by a distinct certificate authority (CA);
responsive to the client initiating a request for a secure channel to the server, provide the client the “n” distinct certificates; and
responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establish the secure channel between the client and the server;
the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
Dependent claims: 8, 9, 10, 11, 12
13. A computer program product in a non-transitory computer readable medium for use in a data processing system associated with a server, the server having a public key, the computer program product holding computer program instructions which, when executed by the data processing system, are operative to:
associate “n” distinct certificates to the server's public key, each of the “n” distinct certificates being issued by a distinct certificate authority (CA);
responsive to the client initiating a request for a secure channel to the server, provide the client the “n” distinct certificates; and
responsive to receipt from the client of an indication that the public key satisfies a client public key acceptance policy, establish the secure channel between the client and the server;
the client public key acceptance policy specifying a required number of valid, non-overlapping certificate chains that must be present to satisfy a client threshold level of trust.
Dependent claims: 14, 15, 16, 17, 18
19. A method to authenticate a server to a client, the server having an associated public key, comprising:
specifying a client public key acceptance policy, the client public key acceptance policy identifying a required number of certificates for the server public key that must be received from the server, and a trust function that is applied over information in the certificates and that must be satisfied to establish a client threshold level of trust;
responsive to the client initiating a request for a secure channel to the server, receiving from the server “n” distinct certificates, each of the “n” distinct certificates having been issued to the server by a distinct certificate authority (CA);
determining whether the “n” distinct certificates are valid; and
responsive to a determination that the “n” distinct certificates are valid and are non-overlapping with different root certificate authorities, determining whether certificate chains specified by the received certificates satisfy the trust function of the client public key acceptance policy;
responsive to a determination that the certificate chains specified by the received certificates satisfy the trust function client public key acceptance policy, establishing the secure channel.
Dependent claims: 20
Specification