Using authentication certificates for authorization

US 7,130,999 B2
Filed: 03/27/2002
Issued: 10/31/2006
Est. Priority Date: 03/27/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an authentication certificate from a peer requesting a secure connection to an application, the authentication certificate including a certificate chain having at least one certificate, and the authentication certificate comprising an SSL (Secure Sockets Layer) digital certificate; and

using the authentication certificate to authorize the peer to the application by accessing a peer authorized certificates store (PACS) that stores authorized certificates.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment of the invention is a method to use authentication certificates to authorize peers to particular applications. In addition to using authentication certificates to authenticate the identity and trustworthiness of a peer, authentication certificates are additionally used to authorize peers to particular applications. A list of certificates is maintained in a Peer Authorized Certificate Store (PACS), where the certificates may comprise any combination of root certificates, intermediate certificates, and peer certificates. When an authentication certificate is received from a peer, the peer is authenticated using the authentication certificate; and authorized by checking the authentication certificate against a Peer Authorized Certificate Store (PACS).

Citations

19 Claims

1. A method comprising:
- receiving an authentication certificate from a peer requesting a secure connection to an application, the authentication certificate including a certificate chain having at least one certificate, and the authentication certificate comprising an SSL (Secure Sockets Layer) digital certificate; and
  
  using the authentication certificate to authorize the peer to the application by accessing a peer authorized certificates store (PACS) that stores authorized certificates.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein said accessing a PACS to determine authorization comprises determining if any certificate in the certificate chain exists in the PACS, and for a given certificate that exists in the PACS, determining if the given certificate is authorized to the application, and if at least one of the certificates in the certificate chain exists in the PACS and the PACS indicates authorization to the application, then authorizing the peer to the application.

3. A method comprising:
- receiving an authentication certificate from a peer requesting a secure connection to an application, the authentication certificate including a certificate chain that includes at least a root certificate, and the authentication certificate comprasing an SSL (Secure Sockets Layer) digital certificate;
  
  using the authentication certificate to authenticate the peer; and
  
  using the authentication certificate to authorize the peer to the application by accessing a peer authorized certificates store (PACS) that stores authorized certificates.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3, wherein said using the authentication certificate to authenticate the peer comprises verifying each certificate signature in the certificate chain and determining if the root certificate exists in a Trusted Root Certification Authorities Store (TRCAS), and if each signature is verified, and the root certificate exists in the TRCAS, then authenticating the peer to establish the secure connection to the application.
  - 5. The method of claim 4, wherein said using the authentication certificate to authorize the peer comprises comparing the certificates in the certificate chain of the authentication certificate to the authorized certificates in the peer authorized certificates store (PACS), and if at least one of the certificates in the certificate chain exists in the PACS and the PACS indicates authorization to the application, then authorizing the peer to the application.

6. A tangible machine-readable medium having stored thereon data representing sequences of instructions, the sequences of instructions which, when executed by a processor, result in the processor to perform the following:
- determine if a peer is authentic by authenticating an authentication certificate sent by the peer, the authentication certificate including at least a root certificate in a certificate chain, and the authentication certificate comprising an SSL (Secure Sockets Layer) digital certificate; and
  
  determine if the peer is authorized to an application requested by the peer by using a peer authorized certificate store (PACS).
- View Dependent Claims (7, 8)
- - 7. The tangible machine-readable medium of claim 6, the processor to additionally:
    - authenticate the peer if each signature in the certificate chain is verified, and if the root certificate exists in the TRCAS; and
      
      authorize the peer to the application if any certificate in the certificate chain exists in the PACS and the PACS indicates authorization to the application.
  - 8. The tangible machine-readable medium of claim 6, wherein the certificate chain comprises the root certificate and a peer certificate, and the peer is authorized if either one of the root certificate and the peer certificate exists in the PACS and is authorized to the particular application.

9. An apparatus comprising:
- a receiver to receive on a first peer an authentication certificate from a second peer, the authentication certificate having a chain of certificates including at least a root certificate, and at least one intermediate certificate, and the authentication certificate associated with a request for a secure connection to an application;
  
  a checker to determine;
  
  if the root certificate exists in a peer authorized certification authorities store (PACS), and if the PACS indicates the root certificate is authorized to the application; and
  
  if the root certificate does not exist in the PACS, then the checker to determine if any one of the intermediate certificates exists in the PACS and if the PACS indicates any one of the intermediate certificate is authorized to the application; and
  
  a validator to authorize the second peer to the application if at least one of the root certificate end one of the at least one intermediate certificates exists in the PACS, and is authorized to the application.
- View Dependent Claims (10, 11)
- - 10. The apparatus of claim 9, wherein the chain of certificates additionally comprises at least one peer certificate, and the checker determines if any certificate in the chain of certificates exists in the PACS and if the PACS indicates authorization to the application by additionally determining if one of the at least one peer certificates exists in the PACS and indicates authorization to the application.
  - 11. The apparatus of claim 10, wherein the checker determines if the peer certificate exists in the PACS if none of the intermediate certificates exist in the PACS.

12. A system comprising:
- a receiver to receive from a peer an SSL (Secure Sockets Layer) digital certificate having a certificate chain including at least one certificate that is a root certificate;
  
  an authenticator to determine if peer is authentic; and
  
  an authorizer to determine if the peer is authorized to a given application on the system by determining if any certificate in the certificate chain exists in a peer authorized certification authorities store (PACS) and the PACS indicates authorization to the application.
- View Dependent Claims (13)
- - 13. The system of claim 12, wherein the authenticator determines if the peer is authentic by:
    - verifying each certificate signature in the certificate chain; and
      
      determining if the root certificate exists in a trusted root certification authorities store (TRCAS).

14. An apparatus comprising:
- at least one processor; and
  
  a tangible machine-readable medium having instructions encoded thereon, which when executed by the processor, are capable of directing the processor to;
  
  determine if a peer is authentic by authenticating an SSL (Secure Sockets Layer) digital certificate sent by the peer, the SSL digital certificate including at least a root certificate in a certificate chain; and
  
  determine if the peer is authorized to an application requested by the peer by using a peer authorized certificate store (PACS).
- View Dependent Claims (15, 16)
- - 15. The apparatus of claim 14, wherein the instructions are additionally capadle of directing the processor to authenticate the peer by verifying each signature in the certificate chain and finding the root certificate in a trusted root certification authorities store (TRCAS).
  - 16. The apparatus of claim 14, wherein the instructions are additionally capable of directing the processor to authorize the peer to the reguested application by determining that at least one certificate in the certificate chain exists in a PACS.

17. A method comprising:
- receiving on a first peer an authentication certificate from a second peer, the authentication certificate having a chain of certificates including a root certificate, and at least one intermediate certificate, and the authentication certificate associated with a request for a secure connection to an application;
  
  termining if the root certificate exists in a peer authorized certification authorities store (PACS), and if the PACS indicates the root certfficate is authorized to the application;
  
  if the root certificate does not exist in the PACS, then determining if one of the at least one intermediate certificates exists in the PACS and if the PACS indicates the one of the at least one intermediate certificates is authorized to the application; and
  
  authorizing the second peer to the application if one of the root certificate and the at least one intermediate certificates exists in the PACS, and is authorized to the application.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein the chain of certificates additionally comprises at least one peer certificate, the method additionally comprising determining if one of the at least one peer certificates exists in the PACS and indicates authorization to the application.
  - 19. The method of claim 18, wherein said determining if one of the at least one peer certificates exists in the PACS and indicates authorization to the application comprises determining if one of the at least one peer certificates exists in the PACS and indicates authorization to the application if one of the at least one intermediate certificates does not exist in the PACS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Eckardt, Donald J., Yasala, Raju, Brickell, Ernie F.
Primary Examiner(s)
Smithers, Matthew

Application Number

US10/107,388
Publication Number

US 20030188156A1
Time in Patent Office

1,679 Days
Field of Search

713/157, 713/158, 713/156, 726/2, 726/5, 726/4
US Class Current

713/157
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 9/3265   using certificate chains, t...

H04L 9/3271   using challenge-response

Using authentication certificates for authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Using authentication certificates for authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links