Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key
First Claim
1. A method of controlling sharing of data between entities, comprising:
- by a processor associated with a client device:
identifying a target entity server that provides a service;
identifying a third party device to which the client device will delegate access rights to the service;
sending, to a target entity server, a request for a service;
receiving, from the target entity server, a server credential comprising a server public key and a server certificate chain that is bound to the server public key and that comprises a chain of human-readable names for a plurality of certificates;
saving the server public key and server certificate chain to a memory sector of the client device;
based on the server certificate chain, selecting a client credential comprising a client public key and the client certificate chain;
saving the client certificate chain to a memory sector of the client device;
by the processor associated with the client device, after saving the client certificate chain to the memory sector:
creating a delegate certificate chain bound to a public key for the third party device so that the delegate certificate chain comprises:
a certificate that comprises a human-readable name with an extension selected for the third party device, and a client certificate chain that ends in a certificate bound to a public key for the client device; and
presenting the delegate certificate chain to the third party device; and
sending the client certificate chain and client public key to the target entity server as a request for a service; and
by the target entity server:
receiving the client certificate chain, extracting and analyzing a prefix of the human-readable names from the client certificate chain to identify an identity for the client device and a restraint for the client device, using the identity and authorization to determine whether the client device is authorized to access the service and whether the request satisfies the restraint, and granting the client device access to the service if the client device is authorized and the request satisfies the restraint, otherwise denying the request.
Abstract
A client device communicates with a target entity server and one or more third party devices. The client device has a client credential that includes a client public key and a client certificate chain. The client certificate chain includes a chain of human-readable names. The client device delegates a third party device access to a service on the server by creating a delegate certificate chain for the third party device. The delegate certificate chain is bound to a public key for the third party device and includes a human-readable name with an extension selected for the third party device. The delegate certificate chain also may include a section of the human-readable name that identifies the client device. The client device transmits or otherwise presents the delegate certificate chain to the third party device.
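The following Python model is an added illustration of the flow the abstract and claim 1 describe; it is not code from the patent or its assignee. It assumes "/"-separated human-readable names, that the restraint is the name segment following a known identity (an empty restraint meaning unrestricted), and that signature verification of each certificate is performed elsewhere; every key, name and policy value is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str         # human-readable name, e.g. "acme/alice/readonly"
    subject_key: str  # public key this certificate is bound to
    issuer_key: str   # public key that issued it (a root certificate is self-issued)

# Constructed policy (assumption): restraint = segment after a known identity; empty = unrestricted.
RESTRAINTS = {"readonly": {"read"}, "full": {"read", "write"}}
KNOWN_IDENTITIES = {"acme/alice", "acme/bob"}
ACL = {"acme/alice"}  # identities authorized to use the service

def chain_bound_to(chain, key):
    """Structural binding check (signatures assumed verified elsewhere): each cert is
    issued by the previous subject, each name adds one segment, last cert is bound to key."""
    if not chain or chain[0].issuer_key != chain[0].subject_key:
        return False
    for prev, cur in zip(chain, chain[1:]):
        head, _, tail = cur.name.rpartition("/")
        if cur.issuer_key != prev.subject_key or head != prev.name or not tail:
            return False
    return chain[-1].subject_key == key

def delegate(client_chain, client_key, third_party_key, extension):
    """Client side: own chain plus one cert named <client name>/<extension> for the third party."""
    assert client_chain[-1].subject_key == client_key, "chain must end in the client's key"
    return client_chain + [Cert(f"{client_chain[-1].name}/{extension}", third_party_key, client_key)]

def identity_and_restraint(chain):
    """Server side: longest known-identity prefix is the identity; the rest is the restraint."""
    parts = chain[-1].name.split("/")
    for i in range(len(parts), 0, -1):
        if "/".join(parts[:i]) in KNOWN_IDENTITIES:
            return "/".join(parts[:i]), "/".join(parts[i:])
    return None, ""

def authorize(chain, presented_key, operation):
    """Grant only if chain is bound to the presented key, identity is in the ACL, op satisfies restraint."""
    if not chain_bound_to(chain, presented_key):
        return False
    identity, restraint = identity_and_restraint(chain)
    if identity not in ACL:
        return False
    allowed = {"read", "write"} if not restraint else RESTRAINTS.get(restraint)
    return allowed is not None and operation in allowed

# Constructed sample: root -> client certificate, then a read-only delegate for a third party.
CLIENT_CHAIN = [Cert("acme", "pk-root", "pk-root"), Cert("acme/alice", "pk-alice", "pk-root")]
DELEGATE_CHAIN = delegate(CLIENT_CHAIN, "pk-alice", "pk-third", "readonly")
```

The third party presents DELEGATE_CHAIN with its own key; the server recovers the delegating client's identity from the name prefix and the restraint from the extension, so a read is granted and a write is refused.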
16 Claims
1. A method of controlling sharing of data between entities (independent claim, set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A communication system, comprising:
- a client processor associated with a client device;
a target entity server; and
a non-transitory computer-readable medium containing client programming instructions that are configured to cause the client processor to:
identify a target entity server that provides a service,
identify a third party device to which the client device will delegate access rights to the service,
send a request for a service to a target entity server,
receive, from the target entity server, a server credential comprising a server public key and a server certificate chain that is bound to the server public key and that comprises a chain of human-readable names for a plurality of certificates,
save the server public key and server certificate chain to a memory sector of the client device,
based on the server certificate chain, select a client credential comprising a client public key and the client certificate chain,
save the client certificate chain to a memory sector of the client device;
after saving the client certificate chain to the memory sector:
create a delegate certificate chain bound to a public key for the third party device so that the delegate certificate chain comprises a certificate that comprises a human-readable name with an extension selected for the third party device, and a client certificate chain that ends in a certificate bound to a public key for the client device, and
present the delegate certificate chain to the third party device; and
send the client certificate chain and client public key to the target entity server as a request for a service; and
a non-transitory computer-readable medium containing client programming instructions that are configured to cause the target entity server to:
receive the client certificate chain,
extract and analyze a prefix of the human-readable names from the client certificate chain to identify an identity for the client device and a restraint for the client device,
use the identity and authorization to determine whether the client device is authorized to access the service and whether the request satisfies the restraint, and
grant the client device access to the service if the client device is authorized and the request satisfies the restraint, otherwise deny the request.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.