Validating a certificate chain in a dispersed storage network

US 8,627,065 B2
Filed: 11/03/2011
Issued: 01/07/2014
Est. Priority Date: 11/09/2010
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:

receiving, by the one or more computing devices, the certificate chain from a requesting entity, wherein the certificate chain includes one or more signed certificates;

determining whether at least one of the one or more signed certificates has a valid signature by;

verifying signature of the requesting entity on a certificate of the certificate chain by at least one of;

instructing the requesting entity to decrypt an encrypted message using a private key of the requesting entity to produce a decrypted message;

receiving the decrypted message from the requesting entity; and

verifying the decrypted message; and

instructing the requesting entity to encrypt a message using the private key to produce a second encrypted message;

receiving the second encrypted message from the requesting entity; and

verifying the second encrypted message using a public key;

when the signature of the requesting entity is verified, verifying signature of another certificate of the certificate chain; and

when the signature of the other certificate is verified, indicating that the at least one of the one or more signed certificates has a valid signature; and

when the at least one of the one or more signed certificates has a valid signature;

identifying one or more certificate authorities (CA) from the one or more signed certificates to produce identified CAs;

accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted certificate authority (CA) IDs;

determining whether one or more of the identified CAs is a trusted CA based on the registry information;

when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid;

identifying a realm ID of the one or more realm IDs based on a trusted CA ID of the one or more of the identified CAs that is a trusted CA, wherein the realm ID identifies a predetermined grouping of entities associated with the DSN; and

generating certificate chain validation information to include the realm ID, the one or more of the identified CAs that is the trusted CA, and the indication of the validity of the certificate chain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module receiving a certificate chain and determining whether at least one of one or more signed certificates of the chain has a valid signature. When the at least one of the one or more signed certificates has a valid signature, the method continues with the processing module identifying one or more certificate authorities (CA) to produce identified CAs, accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted CA IDs, determining whether one or more of the identified CAs is a trusted CA, and when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid, identifying a realm ID based on a trusted CA ID, and generating certificate chain validation information to include the realm ID, trusted CAs, and the indication of the validity of the certificate chain.

85 Citations

View as Search Results

14 Claims

1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:
- receiving, by the one or more computing devices, the certificate chain from a requesting entity, wherein the certificate chain includes one or more signed certificates;
  
  determining whether at least one of the one or more signed certificates has a valid signature by;
  
  verifying signature of the requesting entity on a certificate of the certificate chain by at least one of;
  
  instructing the requesting entity to decrypt an encrypted message using a private key of the requesting entity to produce a decrypted message;
  
  receiving the decrypted message from the requesting entity; and
  
  verifying the decrypted message; and
  
  instructing the requesting entity to encrypt a message using the private key to produce a second encrypted message;
  
  receiving the second encrypted message from the requesting entity; and
  
  verifying the second encrypted message using a public key;
  
  when the signature of the requesting entity is verified, verifying signature of another certificate of the certificate chain; and
  
  when the signature of the other certificate is verified, indicating that the at least one of the one or more signed certificates has a valid signature; and
  
  when the at least one of the one or more signed certificates has a valid signature;
  
  identifying one or more certificate authorities (CA) from the one or more signed certificates to produce identified CAs;
  
  accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted certificate authority (CA) IDs;
  
  determining whether one or more of the identified CAs is a trusted CA based on the registry information;
  
  when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid;
  
  identifying a realm ID of the one or more realm IDs based on a trusted CA ID of the one or more of the identified CAs that is a trusted CA, wherein the realm ID identifies a predetermined grouping of entities associated with the DSN; and
  
  generating certificate chain validation information to include the realm ID, the one or more of the identified CAs that is the trusted CA, and the indication of the validity of the certificate chain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the determining whether the at least one of the one or more signed certificates has the valid signature comprises:
    - extracting a public key from a certificate of the certificate chain;
      
      validating a signature of another certificate in accordance with a signature algorithm of the other certificate utilizing the public key; and
      
      when the validating is favorable, indicating that the at least one of the one or more signed certificates has a valid signature.
  - 3. The method of claim 1 further comprises:
    - identifying a set of CA IDs associated with the realm ID; and
      
      indicating that the set of CA IDs are trusted for the realm ID.
  - 4. The method of claim 1, wherein the determining whether the one or more of the identified CAs is the trusted CA comprises at least one of:
    - determining whether a signed certificate of the certificate chain was generated by the trusted CA; and
      
      determining whether the signed certificate was signed by the trusted CA.
  - 5. The method of claim 4, wherein the determining whether the signed certificate was generated by the trusted CA comprises:
    - indicating that the signed certificate was generated by the trusted CA when a CA ID of the signed certificate matches a CA ID of the trusted CA.
  - 6. The method of claim 4, wherein the determining whether the signed certificate was signed by the trusted CA comprises:
    - indicating that the signed certificate was signed by the trusted CA when a CA ID of a signature of the signed certificate matches a CA ID of the trusted CA.
  - 7. The method of claim 1 further comprises:
    - indicating that the certificate chain is invalid when;
      
      each of the one or more signed certificates does not include a valid signature;
      
      oreach of the one or more of the identified CAs is not a trusted CA.

8. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operable to;
  
  receive, via the interface, the certificate chain from a requesting entity, wherein the certificate chain includes one or more signed certificates;
  
  determine whether at least one of the one or more signed certificates has a valid signature by;
  
  verifying signature of the requesting entity on a certificate of the certificate chain by at least one of;
  
  instructing the requesting entity to decrypt an encrypted message using a private key of the requesting entity to produce a decrypted message;
  
  receiving the decrypted message from the requesting entity; and
  
  verifying the decrypted message; and
  
  instructing the requesting entity to encrypt a message using the private key to produce a second encrypted message;
  
  receiving the second encrypted message from the requesting entity; and
  
  verifying the second encrypted message using a public key;
  
  when the signature of the requesting entity is verified, verifying signature of another certificate of the certificate chain; and
  
  when the signature of the other certificate is verified, indicating that the at least one of the one or more signed certificates has a valid signature; and
  
  when the at least one of the one or more signed certificates has a valid signature;
  
  identify one or more certificate authorities (CA) from the one or more signed certificates to produce identified CAs;
  
  access registry information that includes one or more realm identifiers (IDs) and a plurality of trusted certificate authority (CA) IDs;
  
  determine whether one or more of the identified CAs is a trusted CA based on the registry information;
  
  when the one or more of the identified CAs is a trusted CA, indicate that the certificate chain is valid;
  
  identify a realm ID of the one or more realm IDs based on a trusted CA ID of the one or more of the identified CAs that is a trusted CA, wherein the realm ID identifies a predetermined grouping of entities associated with the DSN; and
  
  generate certificate chain validation information to include the realm ID, the one or more of the identified CAs is the trusted CA, and the indication of the validity of the certificate chain.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer of claim 8, wherein the processing module functions to determine whether the at least one of the one or more signed certificates has the valid signature by:
    - extracting a public key from a certificate of the certificate chain;
      
      validating a signature of another certificate in accordance with a signature algorithm of the other certificate utilizing the public key; and
      
      when the validating is favorable, indicating that the at least one of the one or more signed certificates has a valid signature.
  - 10. The computer of claim 8, wherein the processing module further functions to:
    - identify a set of CA IDs associated with the realm ID; and
      
      indicate that the set of CA IDs are trusted for the realm ID.
  - 11. The computer of claim 8, wherein the processing module functions to determine whether one or more of the identified CAs is a trusted CA by at least one of:
    - determining whether a signed certificate of the certificate chain was generated by a trusted CA; and
      
      determining whether the signed certificate was signed by the trusted CA.
  - 12. The computer of claim 11, wherein the processing module functions to determine whether the signed certificate was generated by the trusted CA by:
    - indicating that the signed certificate was generated by the trusted CA when a CA ID of the signed certificate matches a CA ID of the trusted CA.
  - 13. The computer of claim 11, wherein the processing module functions to determine whether the signed certificate was signed by the trusted CA by:
    - indicating that the signed certificate was signed by the trusted CA when a CA ID of a signature of the signed certificate matches a CA ID of the trusted CA.
  - 14. The computer of claim 8, wherein the processing module further functions to:
    - indicate that the certificate chain is invalid when;
      
      each of the one or more signed certificates does not include a valid signature;
      
      oreach of the one or more of the identified CAs is not a trusted CA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Leggette, Wesley, Resch, Jason K., Cilfone, Bart
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
WANG, HARRIS C

Application Number

US13/288,076
Publication Number

US 20120216035A1
Time in Patent Office

796 Days
Field of Search

713/157
US Class Current

713/157
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 12/06   Addressing a physical block...

G06F 2211/1057   Parity-multiple bits-RAID6,...

G06F 3/0605   by facilitating the interac...

G06F 3/0614   Improving the reliability o...

G06F 3/0643   Management of files

G06F 3/0647   Migration mechanisms

G06F 3/067   Distributed or networked st...

H04L 63/0823   using certificates cryptogr...

Validating a certificate chain in a dispersed storage network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Validating a certificate chain in a dispersed storage network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links