Trust information delivery scheme for certificate validation
Abstract
A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically.
20 Claims
1. A method comprising:
receiving a trust information object (TIO), wherein the TIO comprises a plurality of hash values and associated trust bits, wherein the plurality of hash values are generated from hashing a public key portion of a plurality of trust entity certificates and the associated trust bits for each hash value indicate a level of trust for an entity associated with the corresponding trust entity certificate;
attempting to load first data from a computing device;
receiving a plurality of unverified certificates from the computing device;
hashing a public key portion of each of the plurality of unverified certificates to generate a plurality of digests;
comparing each of the generated digests against the plurality of hash values found within the TIO to determine if each of the generated digests is found in the TIO; and
when each of the generated digests is found in the TIO and a first associated trust bit of each of the plurality of unverified certificates indicates that the computing device has a predetermined level of trust for an intended operation, loading the first data and executing a script from the first data related to the intended operation.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
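
The lookup recited in claim 1, as an added example that is not taken from the patent or its specification: every certificate in the chain must hash to a TIO entry whose trust bit for the intended operation is set. SHA-256, the bit names `TRUST_SSL` and `TRUST_SCRIPT`, the dictionary layout and the sample keys are assumptions; the byte strings stand in for DER-encoded public keys.

```python
import hashlib

# Hypothetical trust-bit layout; the claim only says that trust bits exist.
TRUST_SSL = 0x01      # entity may authenticate a server connection
TRUST_SCRIPT = 0x02   # data from the entity may execute scripts


def key_digest(public_key: bytes) -> bytes:
    """Digest of a certificate's public key portion (SHA-256 is an assumption)."""
    return hashlib.sha256(public_key).digest()


def build_tio(entries):
    """Build a TIO as {digest: trust_bits} from (public_key, trust_bits) pairs."""
    return {key_digest(pk): bits for pk, bits in entries}


def chain_allows(tio, chain_public_keys, required_bit):
    """Return (allowed, reason) for an unverified chain and an intended operation."""
    if not chain_public_keys:
        return False, "empty chain"   # "nothing to check" must not mean trusted
    for index, public_key in enumerate(chain_public_keys):
        bits = tio.get(key_digest(public_key))
        if bits is None:
            return False, f"certificate {index}: digest not in TIO"
        if not bits & required_bit:
            return False, f"certificate {index}: trust bit not set"
    return True, "ok"


# Constructed sample keys and TIO.
ROOT_KEY, SERVER_KEY, ADS_KEY, UNKNOWN_KEY = b"root-key", b"server-key", b"ads-key", b"unknown-key"
SAMPLE_TIO = build_tio([
    (ROOT_KEY, TRUST_SSL | TRUST_SCRIPT),
    (SERVER_KEY, TRUST_SSL | TRUST_SCRIPT),
    (ADS_KEY, TRUST_SSL),             # may connect, may not run scripts
])

if __name__ == "__main__":
    for chain in ([SERVER_KEY, ROOT_KEY], [ADS_KEY, ROOT_KEY], [UNKNOWN_KEY, ROOT_KEY], []):
        print(chain, chain_allows(SAMPLE_TIO, chain, TRUST_SCRIPT))
```
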
11. An apparatus comprising:
a first computing device comprising a memory, wherein the first computing device is configured to:
connect to a second computing device, via an unsecure transmission channel, to update an old trust information object (TIO) stored in the memory with a new TIO, the old TIO and new TIO each comprising:
a plurality of hash values and a plurality of trust bit vectors, wherein the plurality of hash values represent hashes generated from a public key portion of a plurality of trust entity certificates and the plurality of trust bit vectors indicate a level of trust associated with each of a plurality of entities associated with the plurality of trust entity certificates;
hash a public key portion of a signing certificate certifying the second computing device to generate a first hash value;
perform a first check to ensure that the generated first hash value matches a verified hash value from the plurality of hash values in the old TIO;
perform a second check to ensure that a predetermined trust bit within one of the plurality of trust bit vectors in the old TIO indicates that a level of trust associated with the second computing device is adequate;
perform a third check to ensure that a first timestamp associated with the new TIO is later than a second timestamp associated with the old TIO; and
when the first, second, and third checks pass, overwrite the old TIO with the new TIO within the memory.
Dependent claims: 12, 13, 14, 15, 16
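
The three update checks of claim 11, as an added example that is not taken from the patent or its specification: the signer is judged only against the old TIO, so a new TIO cannot authorize itself, and an equal or older timestamp is refused. SHA-256, the bit names, the `TIO` and `TrustStore` classes and the sample keys are assumptions; verifying the new TIO's signature under the signing certificate is assumed to happen elsewhere and is not shown.

```python
import hashlib
from dataclasses import dataclass, field

TRUST_SSL = 0x01          # hypothetical bit: may authenticate a server
TRUST_TIO_UPDATE = 0x04   # hypothetical bit: may deliver TIO updates


def key_digest(public_key: bytes) -> bytes:
    return hashlib.sha256(public_key).digest()   # hash choice is an assumption


@dataclass
class TIO:
    timestamp: int                               # issue time of this TIO
    entries: dict = field(default_factory=dict)  # {key digest: trust bit vector}


def update_failures(old: TIO, new: TIO, signer_public_key: bytes) -> list:
    """Run the three checks; trust decisions use only the OLD TIO."""
    failures = []
    bits = old.entries.get(key_digest(signer_public_key))
    if bits is None:                             # check 1: signer known to old TIO
        failures.append("signer digest not in old TIO")
    elif not bits & TRUST_TIO_UPDATE:            # check 2: signer trusted to update
        failures.append("signer lacks update trust bit")
    if new.timestamp <= old.timestamp:           # check 3: strictly newer
        failures.append("new TIO is not newer than old TIO")
    return failures


class TrustStore:
    def __init__(self, tio: TIO):
        self.tio = tio

    def apply_update(self, new: TIO, signer_public_key: bytes) -> list:
        failures = update_failures(self.tio, new, signer_public_key)
        if not failures:
            self.tio = new                       # overwrite only when all checks pass
        return failures


# Constructed sample keys standing in for DER-encoded public keys.
UPDATER_KEY, WEB_KEY = b"updater-key", b"web-key"


def sample_store() -> TrustStore:
    return TrustStore(TIO(100, {key_digest(UPDATER_KEY): TRUST_TIO_UPDATE,
                                key_digest(WEB_KEY): TRUST_SSL}))
```
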
17. A method comprising:
receiving a trust information object (TIO), said TIO comprising:
a plurality of hash values, wherein the plurality of hash values represent hashes generated from a public key portion of a plurality of trust entity certificates, said TIO further comprising associated trust information of the plurality of trust entity certificates, said associated trust information indicating a level of trust for each of trusted entities associated with each of said plurality of trust entity certificates;
receiving a certificate chain that comprises a plurality of unverified certificates from a server, wherein the plurality of unverified certificates includes a first unverified root certificate of a certificate authority issuing the plurality of unverified certificates;
hashing the first unverified root certificate to generate a digest;
comparing the resulting digest against the plurality of hash values obtained from said TIO;
when the resulting digest and a first corresponding trust bit of the first unverified root certificate are found in said TIO, thereby producing a first match;
validating said certificate chain; and
having a session with the server.
Dependent claims: 18, 19, 20