Distributed management of crypto module white lists

US 8,196,182 B2
Filed: 08/21/2008
Issued: 06/05/2012
Est. Priority Date: 08/24/2007
Status: Active Grant

First Claim

Patent Images

1. A method for forming a trust relationship between an array of mutually trusting systems and a new system, each comprising a processor and memory, the method comprising:

introducing the new system to a first system of the array of mutually trusting systems, wherein the introduction includes the first system forming the trust relationship with the new system;

transferring information to the first system of the array of mutually trusting systems from the new system, wherein the information identifies the new system;

requesting a second system of the array of mutually trusting systems to form the trust relationship with the new system;

in response to the request for the second system to form the trust relationship with the new system, the second system requesting if any other system of the array of mutually trusting systems already trusts the new system;

in response to the second system requesting if any other system of the array of mutually trusting systems already trusts the new system, the first system responding and transferring the information to the second system of the array of mutually trusting systems; and

establishing the trust relationship between the new system and each remaining system of the array of mutually trusting systems.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for managing the distribution and expansion of public keys held by a group or array of systems in white lists. The addition of a new system to the array entails a manual input to authorize the introduction of the new system to one trusted system in the array. After the introduction the new system is trusted by the one member and the white list of the one member is loaded into the white list of the new system. The new system then requests joining each of the other systems in the array. For each system in the array asked by the new system, the systems in the array ask if any other systems in the array already trust the new member. In response, a system of the array that trusts the new system responds by sending its white list (containing the public key of the new system) to the requesting system. Eventually the public key of the new system is in the white lists of all the systems in the array. In practice this trusts expansion occurs in the background with respect to running applications.

Citations

18 Claims

1. A method for forming a trust relationship between an array of mutually trusting systems and a new system, each comprising a processor and memory, the method comprising:
- introducing the new system to a first system of the array of mutually trusting systems, wherein the introduction includes the first system forming the trust relationship with the new system;
  
  transferring information to the first system of the array of mutually trusting systems from the new system, wherein the information identifies the new system;
  
  requesting a second system of the array of mutually trusting systems to form the trust relationship with the new system;
  
  in response to the request for the second system to form the trust relationship with the new system, the second system requesting if any other system of the array of mutually trusting systems already trusts the new system;
  
  in response to the second system requesting if any other system of the array of mutually trusting systems already trusts the new system, the first system responding and transferring the information to the second system of the array of mutually trusting systems; and
  
  establishing the trust relationship between the new system and each remaining system of the array of mutually trusting systems.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 where establishing the trust relationship between the new system and each remaining system of the array of mutually trusting systems, further comprises:
    - requesting each remaining system of the array of mutually trusting systems, that has not already established the trust relationship with the new system, to form the trust relationship with the new system wherein each remaining system asks whether any other system of the array of mutually trusting systems already trusts the new system, wherein one of the other systems responds by sending the information that includes the information identifying the new system, to each remaining system that asks, so that the identity of the new system becomes known to all systems in the array of mutually trusting systems.
  - 3. The method of claim 1 wherein the trust relationship occurs in a background process with respect to other operating applications.
  - 4. The method of claim 1 wherein the trust relationship includes having public keys of the array of mutually trusting systems within white lists stored in each of the new system, the first system, and the second system.
  - 5. The method of claim 1 wherein transferring information comprises using a nonce to ensure freshness of the transferred information.
  - 6. The method of claim 4 further comprising authenticating public keys in the white lists of the array of mutually trusting systems and flushing unauthenticated public keys from the white lists.

7. A method for forming a trust relationship between an array of mutually trusting systems and a new system, comprising a processor and a memory, that has already established a trust relationship with a first system of the array of mutually trusting systems, the method comprising:
- requesting, by the new system, that a second system of the array of mutually trusting systems accept the new system as a member of the array of mutually trusting systems;
  
  the second system requesting if any system of the array of mutually trusting systems has already established the trust relationship with the new system;
  
  sending, by the first system of the array of mutually trusting systems that trusts the new system, a white list including a new system public key identifying the new system to the second system, in response to the second system requesting if any system of the array of mutually trusting systems has already established the trust relationship with the new system;
  
  requesting, by the new system, to form the trust relationship with each remaining system of the array of mutually trusting systems;
  
  in response to the request to form the trust relationship with each remaining system, requesting, by each remaining system, if any system of the array of mutually trusting systems has already established the trust relationship with the new system; and
  
  in response to the request by each remaining system, transferring, by a particular system of the mutually trusting systems that has already established the trust relationship with the new system, the white list including the new system public key that identifies the new system, to each remaining system of the array of mutually trusting systems until the new system is trusted by all systems of the array of mutually trusting systems.

8. An apparatus for adding a new system to an array of trusted systems, each comprising a processor and a memory, the apparatus comprising:
- a white list stored in each system of the array of trusted systems, the white list containing public keys identifying each trusted system in the array of trusted systems;
  
  a trusted authority that enters a new public key of the new system into the white list of a first system of the array of trusted systems;
  
  the new system to establish a trust relationship with each remaining system of the array of trusted systems, wherein each remaining system requests whether the new system has previously established the trust relationship with any system of the array of trusted systems; and
  
  in response to the request from each remaining system, transferring, by a particular system of the array of trusted systems that has already established the trust relationship with the new system, the white list that includes the new public key of the new system to each remaining system of the array of trusting systems.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8 wherein the new system appends the white list containing the public keys identifying each trusted system in the array of trusted systems to a previous white list.
  - 10. The apparatus of claim 8 further comprising:
    - a first message from the new system to a second system of the array of trusted systems requesting to form the trust relationship with the second system,a second message from the second system to other systems of the array of trusted systems asking if any of the other systems trusts the new system; and
      
      a third message from the first system including the white list that includes the new public key to the second system.
  - 11. The apparatus of claim 8 wherein the new system and the array of trusted systems comprise secure storage systems.
  - 12. The apparatus of claim 10 further comprising:
    - a fourth message from the new system to a third system in the array of trusted systems, wherein the message requests the third system to form the trust relationship with the new system,a fifth message from the third system to other systems of the array of trusted systems asking if any of the other systems trusts the new system,a sixth message from one of the systems of the array of trusted systems including the white list that includes a new public key of the new system to the third system.
  - 13. The apparatus of claim 8 further comprising a nonce utilized to ensure freshness of the transferred public keys.
  - 14. The apparatus of claim 8 further comprising a message sent to all systems of the array of trusted systems that commands all systems of the array of trusted systems to authenticate the public keys in the white lists and flush unauthenticated public keys.

15. An apparatus for forming a trust relationship between an array of mutually trusting systems and a new system, comprising a processor and a memory, that is trusted by a first system of the array of mutually trusting systems, the apparatus comprising:
- a message from the new system requesting a second system of the array of mutually trusting systems to accept the new system as a trusted member of the array of mutually trusting systems;
  
  a message from the second system asking if any system of the array of trusted systems already trusts the new system; and
  
  a message from the first system to the second system that includes the first system'"'"'s white list that includes the new system'"'"'s public key that was added to the white list when the first system formed the trust relationship with the new system.
- View Dependent Claims (16)
- - 16. The apparatus of claim 15 further comprising:
    - a first message from the new system to each remaining system of the array of mutually trusting systems requesting that each remaining system of the array of mutually trusting systems accept the new system as the trusted member the array;
      
      a second message from each remaining system of the array of mutually trusting systems asking if any system of the array of mutually trusting systems already trusts the new system; and
      
      a third message from a particular system of the array of mutually trusting systems including the white list that includes the new system'"'"'s public key to each remaining system of the array of mutually trusting systems.

17. An apparatus for forming a trust relationship between an array of mutually trusting systems and a new system, comprising a processor and a memory, the apparatus comprising:
- means for introducing the new system to a first system of the array of mutually trusting systems, wherein the introduction includes the first system forming the trust relationship with the new system,means for transferring first information to the first system from the new system identifying the new system,means for transferring second information from the first system to the new system identifying all the systems in the array of mutually trusting systems;
  
  means for establishing the trust relationship between the new system and each remaining system of the array of mutually trusting systems, wherein the means for establishing the trust relationship with the each remaining system comprises;
  
  means for requesting, by each remaining system of the array of mutually trusting systems, whether any other system of the array of mutually trusting systems has already established the trust relationship with the new system, andmeans for sending, by a particular system of the array of mutually trusting systems that has already established the trust relationship with the new system, the second information to each remaining system of the array of mutually trusting systems.
- View Dependent Claims (18)
- - 18. The apparatus of claim 17 further comprising;
    - means for requesting a second system of the array to form the trust relationship with the new system,means for asking, by the second system, if any other system of the array of mutually trusting systems already trusts the new system, andmeans for sending, by the first system, an identity of the new system to the second system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Sussland, Robert J., Silberman, Joshua Oran, Subramanian, Ananthan, Chang, Lawrence Wen-Hao
Primary Examiner(s)
Shiferaw, Eleni

Application Number

US12/195,507
Publication Number

US 20090055646A1
Time in Patent Office

1,384 Days
Field of Search

713/168, 713/155, 713/157, 713/161, 709/223, 709/224, 726/3, 726/4, 726/18, 726/21, 726/27, 380/44, 380/283, 380/286, 455/518
US Class Current

726/3
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 2221/2129   Authenticate client device ...

H04L 63/0442   wherein the sending and rec...

Distributed management of crypto module white lists

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed management of crypto module white lists

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links