Method and hybrid system for authenticating communications

US 7,552,321 B2
Filed: 11/20/2003
Issued: 06/23/2009
Est. Priority Date: 11/20/2003
Status: Active Grant

First Claim

Patent Images

1. A hybrid authentication system for securing digital communications in a network and enabling a global enterprise, comprising:

a distributed authentication infrastructure including a plurality of nodes in communication with each other, each of said plurality of nodes having an identification and intended to perform a series of functions, one of said series of functions for verifying said identification of said plurality of nodes; and

a centralized authentication infrastructure integrated into said distributed authentication infrastructure and including a central server, said central server being coupled to said plurality of nodes and being utilized for verifying said identification of said plurality of nodes, wherein said central server can be utilized for supporting or replacing at least one of said plurality of nodes;

wherein said distributed authentication infrastructure is initially implemented and said centralized authentication infrastructure is later integrated into said distributed authenticated infrastructure;

wherein said distributed authentication infrastructure is selected from the group consisting of a threshold cryptography service model and a web-of-trust service model;

wherein said centralized authentication system is selected from the group consisting of a public key infrastructure and a kerberos service model;

wherein said plurality of nodes include at least one of a personal digital assistant, a digital pager, a digital fax machine, a video teleconferencing device, a wireless telephone, a portable computer, a desktop computer, and a communication device, wherein said plurality of nodes includes a verifying node coupled to a new entity for verifying the identification of said new entity and enrolling said new entity into the hybrid authentication system and wherein said verifying node signs a certificate related to said new entity and said central server publishes a certificate revocation list, said verifying node examining said certificate revocation list for determining whether said certificate has been revoked.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention is a hybrid authentication system (10) for securing communication. In this embodiment, the system (10) includes a distributed authentication infrastructure (12) with a series of nodes (16) in communication with each other. These nodes (16) are intended to perform a series of functions, one of these functions being the authentication of other nodes. The system further includes a centralized authentication infrastructure (14), which is later integrated into the distributed authentication infrastructure (12) after the distributed authentication infrastructure (12) has been established. The centralized authentication infrastructure (14) includes a central server (22) coupled to the nodes (16) for verifying the identification of the nodes (16) and/or granting permission to those nodes (16).

Citations

30 Claims

1. A hybrid authentication system for securing digital communications in a network and enabling a global enterprise, comprising:
- a distributed authentication infrastructure including a plurality of nodes in communication with each other, each of said plurality of nodes having an identification and intended to perform a series of functions, one of said series of functions for verifying said identification of said plurality of nodes; and
  
  a centralized authentication infrastructure integrated into said distributed authentication infrastructure and including a central server, said central server being coupled to said plurality of nodes and being utilized for verifying said identification of said plurality of nodes, wherein said central server can be utilized for supporting or replacing at least one of said plurality of nodes;
  
  wherein said distributed authentication infrastructure is initially implemented and said centralized authentication infrastructure is later integrated into said distributed authenticated infrastructure;
  
  wherein said distributed authentication infrastructure is selected from the group consisting of a threshold cryptography service model and a web-of-trust service model;
  
  wherein said centralized authentication system is selected from the group consisting of a public key infrastructure and a kerberos service model;
  
  wherein said plurality of nodes include at least one of a personal digital assistant, a digital pager, a digital fax machine, a video teleconferencing device, a wireless telephone, a portable computer, a desktop computer, and a communication device, wherein said plurality of nodes includes a verifying node coupled to a new entity for verifying the identification of said new entity and enrolling said new entity into the hybrid authentication system and wherein said verifying node signs a certificate related to said new entity and said central server publishes a certificate revocation list, said verifying node examining said certificate revocation list for determining whether said certificate has been revoked.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 24, 25, 26, 27, 28, 29, 30)
- - 2. The hybrid authentication system of claim 1 wherein said new entity provides said verifying node with at least one predetermined credential.
  - 3. The hybrid authentication system of claim 1 wherein a quorum of said plurality of nodes publishes a certificate revocation list, said verifying node examining said certificate revocation list for determining whether said certificate has been revoked.
  - 4. The hybrid authentication system of claim 1 wherein said central server is said new entity.
  - 5. The hybrid authentication system of claim 1 wherein said distributed authentication infrastructure requires a quorum of said plurality of nodes for enrolling a new entity into the hybrid authentication system.
  - 6. The hybrid authentication system of claim 5 wherein each node of said quorum utilizes a partial key for partially signing a certificate related to said new entity so as to provide said new entity with a full signature.
  - 7. The hybrid authentication system of claim 6 wherein said central server publishes a certificate revocation list, each node of said quorum examining said certificate revocation list for determining whether said certificate has been revoked.
  - 8. The hybrid authentication system of claim 6 wherein said central server is said new entity.
  - 9. The hybrid authentication system of claim 1 wherein said central server is coupled to a new entity and is utilized for verifying the identification of said new entity and enrolling said new entity into the hybrid authentication system, said central server producing a log for recording a plurality of failed authentications and a plurality of failed enrollments by said plurality of nodes.
  - 10. The hybrid authentication system of claim 1 wherein said central server is coupled to said plurality of nodes for at least one of issuing a global directive thereto and bolstering said plurality of nodes by assisting with at least one of an enrollment task, an authentication task, and a permission granting task.
  - 11. The hybrid authentication system of claim 10 wherein said global directive includes at least one of a rekey instruction and a critical trust chain path, said rekey instruction and said critical trust chain path for providing a secured data transfer line.
  - 12. The hybrid authentication system of claim 1 wherein said plurality of nodes includes a first node and a second node coupled to said first node, said first node presenting a first certificate to said second node for authenticating said first node.
  - 13. The hybrid authentication system of claim 12 wherein said second node examines a certificate revocation list prepared by said central server, said second node examining said certificate revocation list for determining whether said first certificate has been revoked.
  - 14. The hybrid authentication system of claim 12 wherein said second node examines a certificate revocation list prepared by a quorum of said plurality of nodes, said second node examining said certificate revocation list for determining whether said first certificate has been revoked.
  - 15. The hybrid authentication system of claim 12 wherein said second node is coupled to a trusted third party node from said plurality of nodes, said second node producing an authentication task signed by said first node and sending said authentication task to said trusted third party node, said trusted third party node verifying said identification of said first node.
  - 16. The hybrid authentication system of claim 12 wherein said second node presents a second certificate to said first node for authenticating said second node.
  - 17. The hybrid authentication system of claim 16 wherein said first node examines a certificate revocation list prepared by said central server, said first node examining said certificate revocation list for determining whether said second certificate has been revoked.
  - 18. The hybrid authentication system of claim 16 wherein said first node examines a certificate revocation list prepared by a quorum of said plurality of nodes, said first node examining said certificate revocation list for determining whether said second certificate has been revoked.
  - 19. The hybrid authentication system of claim 15 wherein said first node is coupled to a trusted third party node from said plurality of nodes, said first node producing an authentication task signed by said second node and sending said authentication task to said trusted third party node, said trusted third party node verifying said identification of said first node.
  - 24. A method for creating the hybrid authentication system recited in claim 1, comprising:
    - first coupling a plurality of nodes to each other in a distributed authentication infrastructure;
      
      then migrating said distributed authentication infrastructure to a centralized authentication structure; and
      
      allocating at least one of an enrollment function and an authentication function between said central server and said plurality of nodes.
  - 25. The method of claim 24 wherein migrating comprises coupling a central server to said plurality of nodes.
  - 26. The method recited in claim 25 further comprising:
    - coupling said central server to a verifying node of said plurality of nodes;
      
      sending at least one predetermined credential from said central server to said verifying node;
      
      enrolling said central server into the hybrid authentication system.
  - 27. The method recited in claim 25 further comprising:
    - coupling said central server to a verifying node of said plurality of nodes;
      
      sending a certificate revocation list from said central server to said verifying node;
      
      enrolling said central server into the hybrid authentication system.
  - 28. The method recited in claim 24 further comprising:
    - coupling a new entity to one of said plurality of nodes;
      
      sending at least one predetermined credential from said new entity to said verifying node;
      
      enrolling said new entity into the hybrid authentication system.
  - 29. The method recited in claim 24 further comprising:
    - coupling a new entity to a verifying node of said plurality of nodes;
      
      sending a certificate revocation list from said new entity to said verifying node;
      
      enrolling said new entity into the hybrid authentication system.
  - 30. The method recited in claim 24 further comprising:
    - appointing said central server as a proxy for a quorum of said plurality of nodes and for fulfilling an enrollment task; and
      
      enrolling said new entity into the hybrid authentication system.

20. A hybrid authentication system, comprising:
- a distributed authentication infrastructure based on a threshold cryptography service model and including a plurality of nodes in communication with each other, each of said plurality of nodes having an identification and intended to perform a series of functions, one of said series of functions for verifying said identification of said plurality of nodes; and
  
  a centralized authentication infrastructure based on a public key infrastructure and integrated into said distributed authentication infrastructure, said centralized authentication infrastructure including a certificate authority coupled to said plurality of nodes and utilized for verifying said identification of said plurality of nodes;
  
  wherein said plurality of nodes includes a verifying node coupled to a new entity for verifying the identification of said new entity and enrolling said new entity into the hybrid authentication system and wherein said verifying node signs a certificate related to said new entity and said central server publishes a certificate revocation list, said verifying node examining said certificate revocation list for determining whether said certificate has been revoked, wherein said distributed authentication infrastructure is initially implemented and said centralized authentication infrastructure is later integrated into said distributed authenticated infrastructure.

21. A hybrid authentication system, comprising:
- a distributed authentication infrastructure based on a web-of-trust service model and including a plurality of nodes in communication with each other, each of said plurality of nodes having an identification and intended to perform a series of functions, one of said series of functions for verifying said identification of said plurality of nodes; and
  
  a centralized authentication infrastructure based on a public key infrastructure and integrated into said distributed authentication infrastructure, said centralized authentication infrastructure including a certificate authority coupled to said plurality of nodes and utilized for verifying said identification of said plurality of nodes;
  
  wherein said distributed authentication infrastructure is initially implemented and said centralized authentication infrastructure is later integrated into said distributed authenticated infrastructure, and wherein said plurality of nodes is a plurality of members including a first member and a second member, said certificate authority issuing a first group certificate to said first member that provides said first member with a first permission level, said certificate authority issuing a second group certificate to said second member that provides said second member with a second permission level, wherein said first permission level is greater than said second permission level;
  
  wherein said first group certificate enables said first member to enroll a new entity into the system and provide said new entity with a new permission level equivalent up to said first permission level.
- View Dependent Claims (22)
- - 22. The hybrid authentication system recited in claim 21 wherein said second group certificate enables said second member to enroll a new entity into the system and provide said new entity with a new permission level equivalent up to said second permission level.

23. A hybrid authentication system, comprising:
- a distributed authentication infrastructure including a plurality of nodes in communication with each other, each of said plurality of nodes having an identification and intended to perform a series of functions, one of said series of functions for verifying said identification of said plurality of nodes; and
  
  a centralized authentication infrastructure integrated into said distributed authentication infrastructure, said centralized authentication infrastructure including a certificate authority coupled to said plurality of nodes and utilized for verifying said identification of said plurality of nodes;
  
  wherein said centralized authentication infrastructure provides a signed certificate for verifying said identification and wherein said distributed authentication infrastructure is initially implemented and said centralized authentication infrastructure is later integrated into said distributed authenticated infrastructure;
  
  wherein said certificate authority is coupled to said plurality of nodes for at least one of issuing a global directive thereto and supporting said plurality of nodes by assisting with at least one of an enrollment task, an authentication task, and a permission granting task;
  
  wherein said global directive includes at least one of a rekey instruction and a critical trust chain path, said rekey instruction and said critical trust chain path for providing a secured data transfer line.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Rockwood, Troy, Ryu, Bong Kyu
Primary Examiner(s)
Sheikh; Ayaz R
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/707,100
Publication Number

US 20050114650A1
Time in Patent Office

2,042 Days
Field of Search

726/2, 380/258, 713/161, 713168-169, 713/176, 713/155, 713/156, 713/157, 713/158, 398/46, 709/220, 709/223, 709/227
US Class Current

713/155
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/12   Applying verification of th...

Method and hybrid system for authenticating communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and hybrid system for authenticating communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links