Mobile certificate distribution in a PKI

US 7,787,865 B2
Filed: 02/22/2008
Issued: 08/31/2010
Est. Priority Date: 02/06/2001
Status: Expired due to Term

First Claim

Patent Images

1. A system for distributing certificates to a plurality of mobile devices capable of communicating directly with each other, said system comprising an access point having a first communication link to at least one of said plurality of mobile devices and a second communication link to a communication network for obtaining said certificates, said access point being configured to attempt to establish a mobile ad hoc network (MANET) between said plurality of mobile devices at periodic predetermined times over said first communication link;

and if said MANET can be established such that at least one of said plurality of mobile devices in said MANET is capable of obtaining certificates from said access point, said access point being further configured to distribute a certificate through said MANET to one or more of said plurality of mobile devices.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of providing certificate issuance and revocation checks involving mobile devices in a mobile ad-hoc network (MANET). The wireless devices communicate with each other via Bluetooth wireless technology in the MANET, with an access point (AP) to provide connectivity to the Internet. A Certificate authority (CA) distributes certificates and certification revocation lists (CRLs) to the devices via the access point (AP). Each group of devices has the name of the group associated with the certificate and signed by the CA. A device that is out of the radio range of the access point may still connect to the CA to validate a certificate or download the appropriate CRL by having all the devices participate in the MANET.

Citations

23 Claims

1. A system for distributing certificates to a plurality of mobile devices capable of communicating directly with each other, said system comprising an access point having a first communication link to at least one of said plurality of mobile devices and a second communication link to a communication network for obtaining said certificates, said access point being configured to attempt to establish a mobile ad hoc network (MANET) between said plurality of mobile devices at periodic predetermined times over said first communication link;
- and if said MANET can be established such that at least one of said plurality of mobile devices in said MANET is capable of obtaining certificates from said access point, said access point being further configured to distribute a certificate through said MANET to one or more of said plurality of mobile devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein a time period for which said certificate is valid is correlated to said periodic predetermined times.
  - 3. The system of claim 1 wherein if one of said plurality of mobile devices is unable to retrieve a corresponding certificate within a preset time after said MANET is established, said access point enables said one of said plurality of mobile devices to subsequently attempt to participate in another ad-hoc network prior to a next predetermined time to retrieve said corresponding certificate.
  - 4. The system of claim 1 wherein if one of said plurality of mobile devices is unable to retrieve a corresponding certificate within a preset time after said MANET is established, said access point enables said one of said plurality of mobile devices to initiate a packet data call to obtain said corresponding certificate.
  - 5. The system of claim 1 further comprising an entity to track which of said plurality of mobile devices have received currently valid certificates.
  - 6. The system of claim 5 wherein said access point is further configured to have corresponding certificates of said plurality of mobile devices which have not received an up-to-date certificate be distributed to another one of said plurality of mobile devices that communicates with said entity.
  - 7. The system of claim 1 wherein said predetermined times are determined dynamically based upon measurements of times at which said plurality of mobile devices encounter each other.
  - 8. The system of claim 1 wherein said certificate comprises a subset of full certificate information and said subset includes changed timing information and a signature.

9. A system for distributing certificates in a mobile ad-hoc network (MANET), said system comprising an access point to be included in said MANET for connecting to a communication network, said MANET comprising a plurality of mobile devices to be connected to said communication network through said access point, said access point being configured to retrieve a plurality of certificates associated with respective ones of said plurality of mobile devices;
- said access point being further configured to store said plurality of certificates; and
  
  upon establishing said MANET, said access point being further configured to forward said certificates through said MANET to said respective ones of said plurality of mobile devices.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein said access point is further configured to query those of said plurality of mobile devices with which it can exchange packets to determine an embedded root key.
  - 11. The system of claim 10 wherein said access point is further configured to obtain said plurality of certificates based upon said embedded root key.
  - 12. The system of claim 9 further comprising an online entity for association with at least one of said plurality of mobile devices, to be responsible for both distributing a certificate of said at least one of said plurality of mobile devices within said MANET and for obtaining other certificates needed to allow validation by corresponding others of said plurality of mobile devices in said MANET.
  - 13. The system of claim 12 wherein said at least one of said plurality of devices is responsible for collecting embedded root keys of said others of said plurality of devices upon coming into contact therewith.
  - 14. The system of claim 13 wherein said online entity obtains reports pertaining to said root keys.
  - 15. The system of claim 14 wherein said online entity is further configured to return other certificates to said at least one of said plurality of devices based upon reported root keys.

16. A mobile device capable of communicating with another mobile device, said mobile device comprising a non-volatile memory and a processor for securely setting a time source, said processor being configured for:
- establishing a shared secret with said another mobile device using certificates;
  
  storing said shared secret in said non-volatile memory;
  
  authenticating said another mobile device using said shared secret; and
  
  obtaining a time from said another mobile device to enable said time source to be set.
- View Dependent Claims (17, 18)
- - 17. The mobile device of claim 16 wherein said processor is further configured to destroy said shared secret after an expiration time.
  - 18. The mobile device of claim 16 further configured for setting a clock via a secure time source upon establishing a connection thereto.

19. A mobile device comprising a processor configured for validating another mobile device, said mobile devices being capable of communicating with each other, said processor being configured for:
- obtaining a certificate from said another mobile device;
  
  determining if said certificate has expired;
  
  if said certificate has not expired, using said certificate to validate said another mobile device; and
  
  if said certificate has expired, obtaining another certificate for said another mobile device using a pointer provided by said another mobile device and validating said another mobile device using said another certificate.

20. A system for distributing certificates when a first mobile device is unable to retrieve a certificate at a first time due to a lack of connectivity to a network, said system being configured for:
- if said certificate has not been obtained by a second time, receiving a request for assistance of other devices for said first mobile device;
  
  having a second device from said other devices which has connectivity to said network request said certificate on behalf of said first device;
  
  upon obtaining said certificate, having said second device re-establish communication with said first device; and
  
  having said second device send said certificate to said first device.

21. A method of distributing certificates to a plurality of mobile devices capable of communicating directly with each other, said method comprising:
- obtaining data pertaining to time periods wherein said plurality of mobile devices are in range of one another;
  
  determining one or more establishment periods according to said time periods;
  
  attempting to establish a mobile ad hoc network (MANET) between said plurality of devices at times according to said one or more establishment periods; and
  
  if said MANET can be established such that at least one of said plurality of mobile devices in said MANET is capable of obtaining certificates, distributing a certificate through said MANET to one or more of said plurality of mobile devices.

22. A method of distributing certificates from a certificate authority (CA) to a first mobile device configured to communicate with other mobile devices in one or more mobile ad hoc networks (MANETs), each said MANET having one or more access points (APs) for connecting to a communication network, said CA capable of communicating with said one or more APs over said communication network, said method comprising:
- said CA obtaining information pertaining to ones of said one or more APs of which said first device is within range; and
  
  upon generating a certificate for said first mobile device, said CA pushing said certificate to said ones of said one or more APs to enable said first mobile device to obtain said certificate upon coming into range of any one of said ones of said one or more APs.

23. A method of a first device obtaining certificates for a second device, said second device being a lower power device than said first device, said method comprising:
- said first device participating in a mobile ad hoc network (MANET) with at least one other device, one of said at least one other device being an access point (AP) capable of connecting to a communication network;
  
  said first device obtaining from said AP, a certificate for said second device having been stored at said AP; and
  
  said first device providing said certificate to said second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Certicom Corporation (Blackberry Limited)
Inventors
Blake-Wilson, Simon, Willey, William Daniel
Primary Examiner(s)
Nguyen; Lee

Application Number

US12/071,576
Publication Number

US 20080307068A1
Time in Patent Office

921 Days
Field of Search

455 412- 413, 455410-411, 380/247, 380/270, 713168-172
US Class Current

455/411
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 9/3268   using certificate validatio...

H04W 12/041   Key generation or derivation

H04W 12/069   using certificates or pre-s...

H04W 4/06   Selective distribution of b...

H04W 84/18   Self-organising networks, e...

Mobile certificate distribution in a PKI

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile certificate distribution in a PKI

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links