Exchange of network access control information using tightly-constrained network access control protocols
Abstract
In general, techniques are described for securely exchanging network access control information. The techniques may be useful in situations where an endpoint device and an access control device perform a tightly-constrained handshake sequence of a network protocol when the endpoint device requests access to a network. The handshake sequence may be constrained in a variety of ways. Due to the constraints of the handshake sequence, the endpoint device and the access control device may be unable to negotiate a set of nonce information during the handshake sequence. For this reason, the access control device uses a previously negotiated set of nonce information and other configuration information associated with the endpoint device as part of a process to determine whether the endpoint device should be allowed to access the protected networks.
25 Claims
1. A method comprising:

receiving, with an access control device through a tightly-constrained handshake sequence of a network protocol, a first request to access a first network, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights for the first network;

in response to the first request and after the tightly-constrained handshake sequence, negotiating a set of nonce information with the endpoint device and receiving a trusted platform module (“TPM”) value from the endpoint device, wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate the set of nonce information during the tightly-constrained handshake sequence;

receiving, with the access control device, a second request to access the first network through a second tightly-constrained handshake sequence of the network protocol, wherein the second request includes a digital signature;

in response to the second request, determining with the access control device whether the digital signature is valid according to the TPM value and the set of nonce information previously negotiated with the endpoint device in response to the first request; and

granting the access rights to the endpoint device when the digital signature is valid.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. An access control device comprising:

a request reception module that receives a digital signature through a tightly-constrained handshake sequence of a network protocol, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights, wherein the digital signature is generated from a trusted platform module (“TPM”) value and a nonce value, and wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate a set of nonce information during the tightly-constrained handshake sequence;

a cache management module that determines whether the access control device has previously negotiated the set of nonce information with the endpoint device in response to a previous access request from the endpoint device;

a TPM evaluation module that determines whether the TPM value was previously received from the endpoint device in response to the previous access request and was determined to be associated with an acceptable configuration;

a nonce evaluation module that determines whether the nonce value is acceptable based on the set of nonce information previously negotiated with the endpoint device;

a signature verification module that determines whether the digital signature is valid when the digital signature is based on the TPM value previously received from the endpoint device and the set of nonce information previously negotiated with the endpoint device in response to the previous access request; and

an access instruction module that grants the access rights to the endpoint device when the digital signature is valid.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A non-transitory computer-readable medium comprising instructions, wherein the instructions cause one or more programmable processors of an access control device to:

receive, with an access control device through a tightly-constrained handshake sequence of a network protocol, a first request to access a first network, wherein an endpoint device initiates the tightly-constrained handshake sequence when the endpoint device is requesting access rights for the first network;

in response to the first request and after the tightly-constrained handshake sequence, negotiate a set of nonce information with the endpoint device and receive a trusted platform module (“TPM”) value from the endpoint device, wherein, due to constraints of the tightly-constrained handshake sequence, the access control device and the endpoint device are unable to negotiate the set of nonce information during the tightly-constrained handshake sequence;

receive a second request to access the first network through a second tightly-constrained handshake sequence of the network protocol, wherein the second request includes a digital signature;

in response to the second request, determine with the access control device whether the digital signature was generated from the TPM value and the set of nonce information previously negotiated with the endpoint device in response to the first request; and

grant the access rights to the endpoint device when the digital signature is valid.

Dependent claims: 20, 21, 22, 23, 24, 25.
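The two-phase flow of claims 1 and 10, modelled as an added Python example that is not part of the patent or any product implementing it. It assumes three things the claims leave open: the "set of nonce information" is a batch of one-time nonces handed to the endpoint after the first handshake, "acceptable configuration" is an allow-list of TPM values, and the TPM-backed digital signature is stood in for by HMAC-SHA256 over a per-endpoint key so the code runs without a TPM.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed allow-list standing in for "an acceptable configuration".
ACCEPTABLE_TPM_VALUES = {b"pcr-digest-good"}

@dataclass
class EndpointState:
    tpm_value: bytes          # TPM value received after the first handshake
    key: bytes                # stand-in for the endpoint's TPM-bound signing key
    nonces: set               # nonce information negotiated after handshake 1
    used: set = field(default_factory=set)   # nonces already consumed

def endpoint_sign(key: bytes, tpm_value: bytes, nonce: bytes) -> bytes:
    """Stand-in for the TPM-backed signature over (TPM value, nonce). HMAC is
    used only so the example runs offline; a real endpoint would sign with a
    TPM-resident key and the device would verify with the matching public key."""
    return hmac.new(key, tpm_value + b"|" + nonce, hashlib.sha256).digest()

class AccessControlDevice:
    def __init__(self):
        self.cache = {}   # cache management module: endpoint id -> EndpointState

    def first_request(self, endpoint_id: str, tpm_value: bytes, n: int = 4):
        """Handshake 1 cannot carry nonces, so after it the device takes the TPM
        value, negotiates n nonces, and caches both. Returns (key, nonces) for
        the endpoint, or None if the TPM value is not an acceptable one."""
        if tpm_value not in ACCEPTABLE_TPM_VALUES:            # TPM evaluation module
            return None
        key = secrets.token_bytes(32)
        nonces = {secrets.token_bytes(16) for _ in range(n)}
        self.cache[endpoint_id] = EndpointState(tpm_value, key, nonces)
        return key, nonces

    def second_request(self, endpoint_id: str, nonce: bytes, signature: bytes) -> bool:
        """Handshake 2 carries only (nonce, signature). Verify against the cached
        state; grant access only if the signature is valid and the nonce is fresh."""
        state = self.cache.get(endpoint_id)
        if state is None:                                      # nothing negotiated yet
            return False
        if nonce not in state.nonces or nonce in state.used:   # nonce evaluation module
            return False
        expected = endpoint_sign(state.key, state.tpm_value, nonce)
        if not hmac.compare_digest(expected, signature):       # signature verification
            return False
        state.used.add(nonce)        # consume the nonce so a replayed request fails
        return True                                            # access instruction module
```

Marking a nonce as used before returning is what makes a captured second request worthless to a replayer; the negotiated batch bounds how many constrained handshakes the endpoint can complete before it must negotiate again.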
Specification