Dynamic host configuration protocol

US 8,239,549 B2
Filed: 09/12/2007
Issued: 08/07/2012
Est. Priority Date: 09/12/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method at a dynamic host configuration protocol (DHCP) client, comprising:

sending a DHCP request message comprising at least a first freshness indicator comprising a first nonce to a DHCP server, the DHCP server certified by a certification authority of a communications network, wherein the first nonce is generated by the DHCP client, wherein the sent DHCP request message comprises a DHCPDISCOVER message comprising the first nonce;

receiving, at least in response to the sending, a signed DHCP response message from the DHCP server of the communications network, the signed message comprising at least a second freshness indicator comprising a second nonce, a signature, and a public key issued by the certification authority;

validating that the received second freshness indicator matches the sent first freshness indicator;

checking that the signed message comprises a same nonce value as the DHCPDISCOVER message;

verifying the signature of the signed message using the public key issued by the certification authority; and

when the validation and the verification processes are successful, accessing stored settings for use with the network, wherein the stored network settings have been stored using information from another DHCP server different from the DHCP server, the other DHCP server having been certified and bound into one logical network location with the DHCP server by the certification authority, and that access being made on the basis of information at least about the public key issued by the certification authority.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamic host configuration protocol (DHCP) is extended in order to assist with secure network location awareness. In an embodiment a DHCP client receives a signed DHCP response message from a DHCP server, the signed message comprising at least a certificate chain having a public key. In that embodiment the DHCP client validates the certificate chain and verifies the signature of the signed message. If this is successful the DHCP client accesses stored settings for use with the server. The stored settings are accessed at least using information about the public key. In some embodiments signed DHCPOFFER messages and signed DHCPACK messages are used. In another embodiment the signed DHCP message comprises a location identifier which is, for example, a domain name system (DNS) suffix of a DHCP server.

Citations

17 Claims

1. A method at a dynamic host configuration protocol (DHCP) client, comprising:
- sending a DHCP request message comprising at least a first freshness indicator comprising a first nonce to a DHCP server, the DHCP server certified by a certification authority of a communications network, wherein the first nonce is generated by the DHCP client, wherein the sent DHCP request message comprises a DHCPDISCOVER message comprising the first nonce;
  
  receiving, at least in response to the sending, a signed DHCP response message from the DHCP server of the communications network, the signed message comprising at least a second freshness indicator comprising a second nonce, a signature, and a public key issued by the certification authority;
  
  validating that the received second freshness indicator matches the sent first freshness indicator;
  
  checking that the signed message comprises a same nonce value as the DHCPDISCOVER message;
  
  verifying the signature of the signed message using the public key issued by the certification authority; and
  
  when the validation and the verification processes are successful, accessing stored settings for use with the network, wherein the stored network settings have been stored using information from another DHCP server different from the DHCP server, the other DHCP server having been certified and bound into one logical network location with the DHCP server by the certification authority, and that access being made on the basis of information at least about the public key issued by the certification authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as claimed in claim 1 wherein the signed DHCP response message is a DHCPOFFER message.
  - 3. A method as claimed in claim 1 wherein the signed DHCP response message is a DHCPACK message.
  - 4. A method as claimed in claim 1 wherein the signed message further comprises a location identifier provided using a DHCP option in the signed message, that DHCP option being any of a domain name option and a network name option.
  - 5. A method as claimed in claim 4 wherein the location identifier is any of a network name and a domain name system (DNS) suffix of the DHCP server.
  - 6. A method as claimed in claim 5 wherein the location identifier is a DNS suffix and which further comprises checking that the location identifier is a suffix of a fully-qualified domain name of the DHCP server, the fully-qualified domain name being provided in a certificate chain.
  - 7. A method as claimed in claim 5 wherein the stored settings are accessed using a hash of at least the public key issued by the certification authority and the location identifier.
  - 8. A method as claimed in claim 1 which further comprises sending any of a DHCPDISCOVER message, a DHCPREQUEST message, a DHCPINFORM message, a SOLICIT message, a REQUEST message, a RENEW message, a REBIND message and an INFORMATION-REQUEST message to the DHCP server and receiving any of a DHCPOFFER message, a DHCPACK message, an ADVERTISE message and a REPLY message in response, the received message being signed by the DHCP server and comprising a certificate chain comprising one or more certificates.
  - 9. A method as claimed in claim 1 wherein the first nonce comprises a random number or a pseudo-random number.
  - 10. A method as claimed in claim 1 which further comprises making a connection to the DHCP server prior to receiving the DHCP response message from the DHCP server, selecting settings for use with the DHCP server and storing information about those selected settings together with information about a public key issued by the certification authority and advertised by the DHCP server.
  - 11. A method as claimed in claim 10 which further comprises storing information about the selected settings together with information about the public key issued by the certification authority and information about a location identifier provided by the DHCP server.

12. A method at a dynamic host configuration protocol (DHCP) server of a communications network comprising:
- receiving a DHCP request message from a DHCP client requiring a response from the DHCP server, wherein the received DHCP request message comprises at least a first freshness indicator comprising a first nonce generated by the DHCP client;
  
  sending a signed DHCP response message to the client, the signed message comprising at least a second freshness indicator comprising a second nonce, a location identifier, a Signature, and a certificate chain comprising one or more certificates, the certificate chain having a public key issued by a certification authority, the certification authority binding the DHCP server to at least another DHCP server different from the DHCP server into one logical network location, wherein the sent second freshness indicator comprising a second nonce matches a value of the received first freshness indicator comprising a first nonce, wherein the sending is arranged such that the signed DHCP response message can be received only in a specified region of the communications network, and wherein the public key is suitable for verifying, by the client, the signature, and the location identifier matches a name in the certificate chain, wherein the location identifier is a DNS suffix advertised by the DHCP server and the other DHCP server; and
  
  checking that location identifier is a suffix of a fully-qualified domain name of the server, the fully-qualified domain name being provided in a certificate chain.
- View Dependent Claims (13, 14, 15)
- - 13. A method as claimed in claim 12 wherein the DHCP request message is selected from any of any of a DHCPDISCOVER message, a DHCPREQUEST message, a DHCPINFORM message, a SOLICIT message, a REQUEST message, a RENEW message, a REBIND message and an INFORMATION-REQUEST message.
  - 14. A method as claimed in claim 12 wherein the location identifier is any of a network name and a domain name system (DNS) suffix of an access node.
  - 15. A method as claimed in claim 12 wherein the received first nonce comprises a random number or a pseudo-random number, and wherein the method comprises copying the first nonce value into the signed DHCP response message.

16. One or more computer-readable memory storing computer-readable instructions that, when executed on a processor of a server, configure the processor to perform acts for sending a signed dynamic host configuration protocol (DHCP) response message in a communications network, the acts comprising:
- sending a signed DHCP response message to a client device in response to receiving a DHCP request from the client device, wherein the DHCP request includes at least a DHCPDISCOVER message comprising a first freshness indicator comprising a first nonce with a value comprising a random number or a pseudo-random number, wherein the first nonce is generated by the client device, wherein the signed DHCP response message will be received by the client only in a specified region of the communications network, and wherein the Signed DHCP response message comprises;
  
  a location identifier stored in a network name option, wherein the location identifier is a DNS suffix of a fully-qualified domain name of the server and the DNS suffix is advertised by the server and at least another server different from the server, the fully-qualified domain name being provided in a certificate chain;
  
  a second freshness indicator comprising a second nonce with a value comprising a random number or a pseudo-random number that is a copy of the first nonce received in the DHCPDISCOVER message of the DHCP request; and
  
  a certificate chain comprising one or more certificates having a public key issued by a certification authority, the certification authority binding the server to at least the other server into one logical network location, wherein the location identifier is present in a certificate of the certificate chain.
- View Dependent Claims (17)
- - 17. The one or more computer-readable memory as claimed in claim 16 wherein the location identifier comprises any of a network name and a DNS suffix of an access node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Aura, Tuomas, Roe, Michael, Murdoch, Steven
Primary Examiner(s)
RECEK, JASON D

Application Number

US11/854,298
Publication Number

US 20090070474A1
Time in Patent Office

1,791 Days
Field of Search

709/228, 709/229
US Class Current

709/228
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

Dynamic host configuration protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic host configuration protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links