Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key

US 9,350,556 B1
Filed: 04/20/2015
Issued: 05/24/2016
Est. Priority Date: 04/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method of controlling sharing of data between entities, comprising:

by a processor associated with a client device;

identifying a target entity server that provides a service;

identifying a third party device to which the client device will delegate access rights to the service;

sending, to a target entity server, a request for a service;

receiving, from the target entity server, a server credential comprising a server public key and a server certificate chain that is bound to the server public key and that comprises a chain of human-readable names for a plurality of certificates;

saving the server public key and server certificate chain to a memory sector of the client device;

based on the server certificate chain, selecting a client credential comprising a client public key and the client certificate chain;

saving the client certificate chain to a memory sector of the client device;

by the processor associated with the client device, after saving the client certificate chain to the memory sector;

creating a delegate certificate chain bound to a public key for the third party device so that the delegate certificate chain comprises;

a certificate that comprises a human-readable name with an extension selected for the third party device, anda client certificate chain that ends in a certificate bound to a public key for the client device; and

presenting the delegate certificate chain to the third party device; and

sending the client certificate chain and client public key to the target entity server as a request for a service; and

by the target entity server;

receiving the client certificate chain,extracting and analyzing a prefix of the human readable names from the client certificate chain to identify an identity for the client device, and a restraint for the client device,using the identity and authorization to determine whether the client device is authorized to access the service and whether the request satisfies the restraint, andgranting the client device access to the service if the client device is authorized and the request satisfies the restraint, otherwise denying the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client device communicates with a target entity server and one or more third party devices. The client device has a client credential that includes a client public key and a client certificate chain. The client certificate chain includes a chain of human-readable names. The client device delegates a third party device access to a service on the server by creating a delegate certificate chain for the third party device. The delegate certificate chain is bound to a public key for the third party device and includes a human-readable name with an extension selected for the third party device. The delegate certificate chain also may include a section of the human-readable name that identifies the client device. The client device transmits or otherwise presents the delegate certificate chain to the third party device.

Citations

16 Claims

1. A method of controlling sharing of data between entities, comprising:
- by a processor associated with a client device;
  
  identifying a target entity server that provides a service;
  
  identifying a third party device to which the client device will delegate access rights to the service;
  
  sending, to a target entity server, a request for a service;
  
  receiving, from the target entity server, a server credential comprising a server public key and a server certificate chain that is bound to the server public key and that comprises a chain of human-readable names for a plurality of certificates;
  
  saving the server public key and server certificate chain to a memory sector of the client device;
  
  based on the server certificate chain, selecting a client credential comprising a client public key and the client certificate chain;
  
  saving the client certificate chain to a memory sector of the client device;
  
  by the processor associated with the client device, after saving the client certificate chain to the memory sector;
  
  creating a delegate certificate chain bound to a public key for the third party device so that the delegate certificate chain comprises;
  
  a certificate that comprises a human-readable name with an extension selected for the third party device, anda client certificate chain that ends in a certificate bound to a public key for the client device; and
  
  presenting the delegate certificate chain to the third party device; and
  
  sending the client certificate chain and client public key to the target entity server as a request for a service; and
  
  by the target entity server;
  
  receiving the client certificate chain,extracting and analyzing a prefix of the human readable names from the client certificate chain to identify an identity for the client device, and a restraint for the client device,using the identity and authorization to determine whether the client device is authorized to access the service and whether the request satisfies the restraint, andgranting the client device access to the service if the client device is authorized and the request satisfies the restraint, otherwise denying the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - by the client device, sending the client certificate chain to the target entity server as a request for a service; and
      
      by the target entity server;
      
      receiving the client certificate chain,analyzing human readable names in the client certificate chain to identify an identity for the client device, and an authorization for the client device,using the identity and authorization to determine whether the client device is authorized to access the service, andgranting the client device access to the service if the client device is authorized, otherwise denying the request.
  - 3. The method of claim 2, in which the client device does not send all of its available client certificate chain credentials to the target entity server, and client device does not receive all of the target entity server'"'"'s available server certificate chains from the target entity server.
  - 4. The method of claim 1, further comprising, by the target entity server:
    - receiving the delegate certificate chain from the third party device;
      
      analyzing the human readable names in the delegate certificate chain to identify an identity for the client device; and
      
      granting the third party device access to the service if delegates of the client device are authorized, otherwise denying the request.
  - 5. The method of claim 1, further comprising imposing a restraint on the third party device'"'"'s authority to access the service by:
    - generating a caveat comprising a contextual restraint on the third party device'"'"'s authority to access the service; and
      
      adding the caveat to the delegate certificate chain created for the third party device.
  - 6. The method of claim 5, wherein generating the caveat comprises associating the caveat with an identity of the third party device, but not including with the caveat an identity of the client device.
  - 7. The method of claim 1, in which the client certificate chain also comprises a contextual restraint on the client device'"'"'s authority to access the service.
  - 8. The method of claim 1, further comprising, by the target entity server:
    - receiving the delegate certificate chain from the third party device;
      
      extracting and analyzing a prefix of the human readable names in the delegate certificate to identify an identity for the client device; and
      
      granting the third party device access to the service if the client device'"'"'s delegates are authorized, otherwise denying the third party device access to the service.

9. A communication system, comprising:
- a client processor associated with a client device;
  
  a target entity server; and
  
  a non-transitory computer-readable medium containing client programming instructions that are configured to cause the client processor to;
  
  identify a target entity server that provides a service,identify a third party device to which the client device will delegate access rights to the service,send a request for a service to a target entity server,receive, from the target entity server, a server credential comprising a server public key and a server certificate chain that is bound to the server public key and that comprises a chain of human-readable names for a plurality of certificates,save the server public key and server certificate chain to a memory sector of the client device,based on the server certificate chain, select a client credential comprising a client public key and the client certificate chain,save the client certificate chain to a memory sector of the client device;
  
  after saving the client certificate chain to the memory sector;
  
  create a delegate certificate chain bound to a public key for the third party device so that the delegate certificate chain comprises a certificate that comprises a human-readable name with an extension selected for the third party device, and a client certificate chain that ends in a certificate bound to a public key for the client device, andpresent the delegate certificate chain to the third party device; and
  
  send the client certificate chain and client public key to the target entity server as a request for a service; and
  
  a non-transitory computer-readable medium containing client programming instructions that are configured to cause the target entity server to;
  
  receive the client certificate chain,extract and analyze a prefix of the human readable names from the client certificate chain to identify an identity for the client device, and a restraint for the client device,use the identity and authorization to determine whether the client device is authorized to access the service and whether the request satisfies the restraint, andgrant the client device access to the service if the client device is authorized and the request satisfies the restraint, otherwise deny the request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - the target entity server; and
      
      a non-transitory computer-readable medium containing server programming instructions that are configured to cause the target entity server to;
      
      receive the client certificate chain,extract and analyze human readable names from the client certificate chain to identify an identity for the client device, and an authorization for the client device,use the identity and authorization to determine whether the client device is authorized to access the service, andgrant the client device access to the service if the client device is authorized, otherwise deny the request.
  - 11. The system of claim 10, wherein:
    - the client programming instructions are configured to cause the client device to not send all of its available client certificate chain credentials to the target entity server; and
      
      the server programming instructions are configured to cause the target entity server to not send all of its available server certificate chain credentials to the client device.
  - 12. The system of claim 9, further comprising:
    - the target entity server; and
      
      a non-transitory computer-readable medium containing server programming instructions that are configured to cause the target entity server to;
      
      receive the delegate certificate chain from the third party device,analyze the human readable names in the delegate certificate chain to identify an identity for the client device, andgrant the third party device access to the service if delegates of the client device are authorized, otherwise denying the request.
  - 13. The system of claim 9, wherein the client programming instructions are further configured to cause the client processor to impose a restraint on the third party device'"'"'s authority to access the service by:
    - generating a caveat comprising a contextual restraint on the third party device'"'"'s authority to access the service; and
      
      adding the caveat to the delegate certificate chain created for the third party device.
  - 14. The system of claim 13, wherein the instructions for generating the caveat comprise instructions to associate the caveat with an identity of the third party device, but not include with the caveat an identity of the client device.
  - 15. The system of claim 9, wherein the instructions for creating the delegate certificate chain that comprises the human-readable name with an extension selected for the third party device also comprise instructions to include in the human-readable name component an identity of the client device.
  - 16. The system of claim 9, further comprising the target entity server with a non-transitory computer-readable medium containing server programming instructions that are configured to cause the target entity server to:
    - receive the delegate certificate chain;
      
      extract and analyze a prefix of the human readable names in the delegate certificate chain to identify an identity for the client device and the caveat; and
      
      grant the delegate access to the service if the client device'"'"'s delegates are authorized and the request satisfies the caveat, otherwise deny the delegate access to the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Taly, Ankur, Thambidorai, Gautham, Presotto, David, Shankar, Asim
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/691,138
Time in Patent Office

400 Days
Field of Search

726/26, 726/27, 726/4, 713/176
US Class Current

1/1
CPC Class Codes

H04L 2209/64   Self-signed certificates

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0823   using certificates cryptogr...

H04L 9/321   involving a third party or ...

H04L 9/3265   using certificate chains, t...

Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links