Secure network address provisioning

US 8,661,252 B2
Filed: 06/20/2008
Issued: 02/25/2014
Est. Priority Date: 06/20/2008
Status: Active Grant

First Claim

Patent Images

1. A method of operating a networked device coupled to a network comprising a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the method comprising:

sending a first message of the plurality of messages, the first message comprising at least a first field in the second portion of the plurality of fields, the first field containing an indication of a set of encryption mechanisms supported by the device;

receiving a second message of the plurality of messages, the second message comprising a second field in the second portion of the plurality of fields, the second field containing an indication of a selected encryption mechanism from the set of encryption mechanisms; and

sending a third message of the plurality of messages, the third message comprising at least a third field in the second portion of the plurality of fields containing content encrypted with the selected encryption mechanism, wherein the content of the third field comprises a statement of health concerning the device,wherein;

the second message comprises a server certificate; and

the method further comprises validating the certificate as corresponding to a server authorized by an administrator of the network to provide network credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network in which a client receives a network credential, such as a valid network address, following an exchange of messages with a credential server that includes security information. The security information may validate the credential, avoiding rogue devices inadvertently or maliciously distributing credential information that can interfere with clients attempting to connect to the network or with the network itself. If obtaining a network credential requires an exchange of information about the configuration of the client that could reveal security vulnerabilities, the security information may be used to ensure the confidentiality of that configuration information. The security information may be incorporated into messages according to a known protocol, such as by incorporating it into options fields of DHCP messages.

26 Citations

View as Search Results

20 Claims

1. A method of operating a networked device coupled to a network comprising a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the method comprising:
- sending a first message of the plurality of messages, the first message comprising at least a first field in the second portion of the plurality of fields, the first field containing an indication of a set of encryption mechanisms supported by the device;
  
  receiving a second message of the plurality of messages, the second message comprising a second field in the second portion of the plurality of fields, the second field containing an indication of a selected encryption mechanism from the set of encryption mechanisms; and
  
  sending a third message of the plurality of messages, the third message comprising at least a third field in the second portion of the plurality of fields containing content encrypted with the selected encryption mechanism, wherein the content of the third field comprises a statement of health concerning the device,wherein;
  
  the second message comprises a server certificate; and
  
  the method further comprises validating the certificate as corresponding to a server authorized by an administrator of the network to provide network credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the statement of health comprises information concerning configuration information relating to anti-virus capabilities of the device.
  - 3. The method of claim 1, wherein the first message comprises a field in the first portion having content identifying the message as a discover message in the protocol.
  - 4. The method of claim 1, wherein the second message comprises a field in the first portion having content identifying the message as an offer message in the protocol.
  - 5. The method of claim 1, further comprising, selectively in response to the validating, requesting a network address from a server associated with the server security token.
  - 6. The method of claim 1, further comprising:
    - receiving a message comprising remediation information; and
      
      decrypting the remediation information.
  - 7. The method of claim 1, wherein the protocol is Dynamic Host Configuration Protocol (DHCP) such that the first portion of the plurality of fields have content prescribed by the DHCP and the second portion of the plurality of fields having content that is optional under the DHCP.
  - 8. The method of claim 1, wherein the third message further comprises a replay detection token.

9. A tangible computer-readable storage medium comprising computer-executable instructions adapted for execution on a networked device coupled to a network comprising a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the computer-executable instructions, when executed, for:
- sending a first message of the plurality of messages, the first message comprising at least a first field in the second portion of the plurality of fields, the first field containing an indication of a set of encryption mechanisms supported by the device;
  
  receiving a second message of the plurality of messages, the second message comprising a second field in the second portion of the plurality of fields, the second field containing an indication of a selected encryption mechanism from the set of encryption mechanisms; and
  
  sending a third message of the plurality of messages, the third message comprising at least a third field in the second portion of the plurality of fields containing content encrypted with the selected encryption mechanism, wherein the content of the third field comprises a statement of health concerning the device,wherein;
  
  the second message comprises a server certificate; and
  
  the method further comprises validating the certificate as corresponding to a server authorized by an administrator of the network to provide network credentials.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The tangible computer-readable storage medium of claim 9, wherein:
    - the protocol is Dynamic Host Configuration Protocol (DHCP) such that the first portion of the plurality of fields have content prescribed by the DHCP and the second portion of the plurality of fields having content that is optional under the DHCP.
  - 11. The tangible computer-readable storage medium of claim 10, wherein the third message further comprises, in the second portion of the plurality of fields, a shared key, the computer-readable storage medium further comprising computer-executable instructions for:
    - receiving a fourth message of the plurality of messages, the fourth message comprising at least a fourth field in the second portion of the plurality of fields, the fourth field containing content encrypted with the shared key; and
      
      with the shared key, decrypting content of the fourth field.
  - 12. The tangible computer-readable storage medium of claim 11, wherein the content of the fourth field comprises a network address and the computer-readable medium further comprises computer-executable instructions for accessing the network using the network address.
  - 13. The tangible computer-readable storage medium of claim 12, further comprising computer-executable instructions for:
    - storing the server certificate; and
      
      renewing the network address by sending a fifth message of the plurality of messages, the fifth message comprising a fifth field in the second portion comprising content encrypted with a server key associated with the stored server certificate.
  - 14. The tangible computer-readable storage medium of claim 10, further comprising computer-executable instructions for:
    - collecting information about security software on the device.
  - 15. The tangible computer-readable storage medium of claim 14, wherein the computer-executable instructions for collecting information about security software on the device comprise computer-executable instructions for collecting information about a firewall.
  - 16. The tangible computer-readable storage medium of claim 14, wherein the computer-executable instructions for collecting information about security software on the device comprise computer-executable instructions for collecting information about at least one of anti-virus software and a state of operating system patches.

17. A method of operating a network comprising a networked device and a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the method comprising:
- sending from the networked device to the credential server a first message of the plurality of messages, the first message comprising, in the second portion of the plurality of fields, a certificate of the networked device, wherein the device certificate has an associated device public key;
  
  sending, from the credential server to the networked device a second message of the plurality of messages, the second message comprising, in the second portion of the plurality of fields, a server certificate;
  
  at the networked device;
  
  validating the identity of the server using the server certificate; and
  
  obtaining a server public key based on the identity of the server; and
  
  sending from the networked device a third message of the plurality of messages, the third message comprising, in the second portion of the plurality of fields, content encrypted with the server public key, the content including configuration information about the networked device.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - at the credential server;
      
      validating, based on the configuration information, that the networked device has a security configuration in compliance with a network access policy; and
      
      sending a fourth message of the plurality of messages to the networked device, the fourth message comprising, in the first portion of the plurality of fields, a network address and related access information, and, in the second portion of the plurality of fields, information received from the networked device encrypted with the device public key.
  - 19. The method of claim 17, wherein:
    - the method further comprises, at the credential server;
      
      determining, based on the configuration information, that the networked device has a security configuration that is out of compliance with a network access policy; and
      
      sending a fourth message of the plurality of messages to the networked device, the fourth message comprising, in the second portion of the plurality of fields, remediation information encrypted with the device public key.
  - 20. The method of claim 19, further comprising:
    - at the network device;
      
      decrypting the encrypted remediation information; and
      
      upgrading security software based on the remediation information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chandwani, Santosh
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US12/143,655
Publication Number

US 20100017597A1
Time in Patent Office

2,076 Days
Field of Search

726/6
US Class Current

713/168
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

Secure network address provisioning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network address provisioning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links