Policy-based security certificate filtering

US 8,458,768 B2
Filed: 05/19/2011
Issued: 06/04/2013
Est. Priority Date: 04/17/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented policy-based security certificate filtering method, comprising:

receiving, by a first entity in a communications network during a handshaking protocol exchange for establishing a secure connection with a second entity, a security certificate of the second entity; and

responsive to detecting that a certificate authority certificate in a certificate authority chain of the security certificate is not available at the first entity and the security certificate therefore cannot be authenticated, using policy-based security certificate filtering as a substitute for the authentication, comprising;

searching a storage repository to locate at least one policy specification that is applicable to the security certificate;

evaluating each of the located at least one policy specification until reaching a decision on whether to permit the handshaking protocol exchange to continue; and

continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.

22 Citations

View as Search Results

20 Claims

1. A computer-implemented policy-based security certificate filtering method, comprising:
- receiving, by a first entity in a communications network during a handshaking protocol exchange for establishing a secure connection with a second entity, a security certificate of the second entity; and
  
  responsive to detecting that a certificate authority certificate in a certificate authority chain of the security certificate is not available at the first entity and the security certificate therefore cannot be authenticated, using policy-based security certificate filtering as a substitute for the authentication, comprising;
  
  searching a storage repository to locate at least one policy specification that is applicable to the security certificate;
  
  evaluating each of the located at least one policy specification until reaching a decision on whether to permit the handshaking protocol exchange to continue; and
  
  continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the first entity is a client device and the second entity is a server device.
  - 3. The method according to claim 1, wherein the first entity is a server device and the second entity is a client device.
  - 4. The method according to claim 1, wherein:
    - the searching locates a plurality of policy specifications that are applicable to the security certificate;
      
      each located policy specification specifies at least one condition; and
      
      the evaluating evaluates the located plurality of policy specifications in order, from the located policy specification for which the specified at least one condition is most-specific to the located policy specification for which the specified at least one condition is least-specific.
  - 5. The method according to claim 1, wherein the policy specifications comprise policy rules, each policy rule comprising at least one condition to be used in the evaluation and an action to be used upon reaching the decision.
  - 6. The method according to claim 1, wherein the decision that the handshaking protocol exchange is permitted to continue is reached upon evaluating at least one of the located at least one policy specification that specifies conditions under which the security certificate is permitted.
  - 7. The method according to claim 1, wherein the decision that the handshaking protocol exchange is not permitted to continue is reached upon evaluating at least one of the located at least one policy specification that specifies conditions under which the security certificate is blocked.
  - 8. The method according to claim 1, wherein the evaluating further comprises comparing each of at least one condition specified in each evaluated policy specification to information pertaining to the security certificate.
  - 9. The method according to claim 8, where the information pertaining to the security certificate comprises an identification of an issuer of the security certificate and a validity period of the security certificate.
  - 10. The method according to claim 1, wherein:
    - an identification of an issuer of the security certificate is extracted from the security certificate;
      
      the searching uses the extracted identification to locate the at least one policy specification that is applicable to the security certificate; and
      
      at least one of the located at least one policy specification pertains to authenticating certificate authority certificates in the certificate authority chain of the security certificate.
  - 11. The method according to claim 1, wherein the searching further comprises locating at least one policy specification that pertains to at least one value specified in the security certificate.
  - 12. The method according to claim 1, wherein the searching further comprises locating at least one policy specification that pertains to the first entity.
  - 13. The method according to claim 1, wherein the searching further comprises locating at least one policy specification that pertains to the second entity.

14. A system for policy-based security certificate filtering, comprising:
- a first entity communicably coupled to a second entity in a communications network;
  
  a policy repository that stores, at least temporarily, at least two policy specifications pertaining to secure communications between the first entity and the second entity;
  
  a security certificate of the second entity, received by the first entity from the second entity by communications over the communications network during a handshaking protocol exchange for establishing a secure connection between the first entity and the second entity;
  
  a computer comprising a processor; and
  
  instructions which are executable, using the processor, to implement functions comprising;
  
  searching the policy repository, responsive to detecting that at least one certificate authority certificate in a certificate authority chain of the received security certificate is not locally stored by the first entity and the received security certificate therefore cannot be authenticated, to locate at least one of the stored policy specifications that is applicable to the received security certificate;
  
  evaluating each of the located at least one policy specification, as a substitute for the authentication, until reaching a decision on whether to permit the handshaking protocol exchange to continue; and
  
  continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.
- View Dependent Claims (15, 16, 17)
- - 15. The system according to claim 14, wherein the decision that the handshaking protocol exchange is permitted to continue is reached upon evaluating at least one of the located at least one policy specification that specifies conditions under which the security certificate is permitted.
  - 16. The system according to claim 14, wherein the decision that the handshaking protocol exchange is not permitted to continue is reached upon evaluating at least one of the located at least one policy specification that specifies conditions under which the security certificate is blocked.
  - 17. The system according to claim 14, wherein:
    - an identification of an issuer of the security certificate is extracted from the security certificate;
      
      the searching uses the extracted identification to locate the at least one policy specification that is applicable to the security certificate; and
      
      at least one of the located at least one policy specification pertains to authenticating certificate authority certificates in the certificate authority chain of the security certificate.

18. A computer program product for policy-based security certificate filtering, the computer program product embodied on one or more non-transitory computer-usable storage media and comprising computer-readable program code that, when executed on a computer, causes the computer to:
- determine whether a first entity that receives a security certificate from a second entity during a handshaking protocol exchange will continue the handshaking protocol exchange for establishing a secure connection with the second entity, responsive to detecting that a certificate authority certificate in a certificate authority chain of the security certificate is not available at the first entity and the security certificate therefore cannot be authenticated, comprising;
  
  searching a storage repository to locate at least one policy specification that is applicable to the security certificate;
  
  evaluating each of the located at least one policy specification, as a substitute for the authentication, until reaching a decision on whether to permit the handshaking protocol exchange to continue; and
  
  continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.
- View Dependent Claims (19, 20)
- - 19. The computer program product according to claim 18, wherein:
    - the evaluating further comprises comparing each of at least one condition specified in each evaluated policy specification to information pertaining to the security certificate; and
      
      the information pertaining to the security certificate comprises at least one of an identification of an issuer of the security certificate and a validity period of the security certificate.
  - 20. The computer program product according to claim 18, wherein the searching further comprises locating at least one policy specification that pertains to at least one value specified in the security certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brabson, Roy F., Mosakowski, Barry, Overby, Linwood H. Jr.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US13/111,907
Publication Number

US 20110219442A1
Time in Patent Office

747 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/33   using certificates

H04L 2209/80   Wireless network architectu...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

H04L 9/3265   using certificate chains, t...

Policy-based security certificate filtering

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based security certificate filtering

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links