
Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key

  • US 9,350,556 B1
  • Filed: 04/20/2015
  • Issued: 05/24/2016
  • Est. Priority Date: 04/20/2015
  • Status: Active Grant
First Claim

1. A method of controlling sharing of data between entities, comprising:

  • by a processor associated with a client device:

    identifying a target entity server that provides a service;

    identifying a third party device to which the client device will delegate access rights to the service;

    sending, to a target entity server, a request for a service;

    receiving, from the target entity server, a server credential comprising a server public key and a server certificate chain that is bound to the server public key and that comprises a chain of human-readable names for a plurality of certificates;

    saving the server public key and server certificate chain to a memory sector of the client device;

    based on the server certificate chain, selecting a client credential comprising a client public key and the client certificate chain;

    saving the client certificate chain to a memory sector of the client device;

    by the processor associated with the client device, after saving the client certificate chain to the memory sector:

    creating a delegate certificate chain bound to a public key for the third party device so that the delegate certificate chain comprises:

    a certificate that comprises a human-readable name with an extension selected for the third party device, and a client certificate chain that ends in a certificate bound to a public key for the client device; and

    presenting the delegate certificate chain to the third party device; and

    sending the client certificate chain and client public key to the target entity server as a request for a service; and

    by the target entity server:

    receiving the client certificate chain, extracting and analyzing a prefix of the human-readable names from the client certificate chain to identify an identity for the client device and a restraint for the client device, using the identity and authorization to determine whether the client device is authorized to access the service and whether the request satisfies the restraint, and granting the client device access to the service if the client device is authorized and the request satisfies the restraint, otherwise denying the request.
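The delegation flow the claim describes, worked through end to end as an added example in Go. This is not code from the patent or from any product it covers, and everything concrete is an assumption made for illustration: the "/"-separated name hierarchy (anchor "acme", client "acme/alice", delegate "acme/alice/read"), the choice to put the restraint into the extension selected for the third-party device, the per-identity ACL the server consults, the "request\x00<op>" message the requester signs to prove it holds the key the chain is bound to, and Ed25519 from the Go standard library standing in for whatever key type the patent contemplates. The server-side Decide function does what the last claim element describes: it extracts the prefix of the names to obtain the identity and the restraint, checks authorization, checks the request against the restraint, and grants or denies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Cert binds a human-readable name to a public key; Sig is the preceding certificate's
// signature over name || key. Names grow by one "/" component per link (format assumed).
type Cert struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte
}
type Chain []Cert

func tbs(name string, pub ed25519.PublicKey) []byte { return append([]byte(name+"\x00"), pub...) }

// Issue creates a certificate for (name, pub) signed by the issuer's key.
func Issue(issuer ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, Pub: pub, Sig: ed25519.Sign(issuer, tbs(name, pub))}
}

// Delegate appends a leaf named <leaf>/<ext> bound to the third party's key and signed
// by the holder; unless holder is the key the current leaf binds, Verify will reject it.
func Delegate(holder ed25519.PrivateKey, chain Chain, ext string, third ed25519.PublicKey) Chain {
	return append(append(Chain{}, chain...), Issue(holder, chain[len(chain)-1].Name+"/"+ext, third))
}

// Verify requires chain to start at anchor with at least one name under it, each name to
// extend the previous by one component, and each Sig to verify under the previous key.
func Verify(anchor Cert, chain Chain) (ed25519.PublicKey, error) {
	if len(chain) < 2 || chain[0].Name != anchor.Name || !chain[0].Pub.Equal(anchor.Pub) {
		return nil, errors.New("verify: chain is too short or does not start at the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		prev, cur := chain[i-1], chain[i]
		ext := strings.TrimPrefix(cur.Name, prev.Name+"/")
		if ext == cur.Name || ext == "" || strings.Contains(ext, "/") || len(cur.Pub) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("verify: cert %d name %q does not extend %q by one component, or its key is malformed", i, cur.Name, prev.Name)
		}
		if !ed25519.Verify(prev.Pub, tbs(cur.Name, cur.Pub), cur.Sig) {
			return nil, fmt.Errorf("verify: cert %d carries a bad signature", i)
		}
	}
	return chain[len(chain)-1].Pub, nil
}

// Decide is the server check: verify the chain, demand proof of the leaf key (reqSig over
// op), read the identity from the component under the anchor, and treat later components
// as restraints permitting only the operation they name (policy assumed for the example).
func Decide(anchor Cert, acl map[string]map[string]bool, chain Chain, op string, reqSig []byte) (bool, string) {
	leafKey, err := Verify(anchor, chain)
	if err != nil {
		return false, err.Error()
	}
	if !ed25519.Verify(leafKey, []byte("request\x00"+op), reqSig) {
		return false, "requester does not hold the key the chain is bound to"
	}
	parts := strings.Split(strings.TrimPrefix(chain[len(chain)-1].Name, anchor.Name+"/"), "/")
	identity := parts[0]
	if !acl[identity][op] {
		return false, "identity " + identity + " is not authorized for " + op
	}
	for _, r := range parts[1:] {
		if r != op {
			return false, "restraint " + r + " forbids " + op
		}
	}
	return true, "granted to " + identity
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if rand.Reader does
	return pub, priv
}

// Scenario is a constructed exchange: anchor "acme", client "acme/alice", delegate
// "acme/alice/read" for a third-party device that then requests a read and a write.
func Scenario() (readOK, writeOK bool, reason string) {
	caPub, caPriv := newKey()
	anchor := Issue(caPriv, "acme", caPub)
	clientPub, clientPriv := newKey()
	clientChain := Chain{anchor, Issue(caPriv, "acme/alice", clientPub)}
	thirdPub, thirdPriv := newKey()
	deleg := Delegate(clientPriv, clientChain, "read", thirdPub)
	acl := map[string]map[string]bool{"alice": {"read": true, "write": true}}
	readOK, _ = Decide(anchor, acl, deleg, "read", ed25519.Sign(thirdPriv, []byte("request\x00read")))
	writeOK, reason = Decide(anchor, acl, deleg, "write", ed25519.Sign(thirdPriv, []byte("request\x00write")))
	return
}

func main() {
	r, w, why := Scenario()
	fmt.Printf("delegate read=%v write=%v (%s)\n", r, w, why)
}
```

Two properties matter for a practitioner reading the claim. First, the binding to the third party's key is only meaningful if the server insists on proof of possession (the signed request) in addition to a valid chain; a chain alone is public data that anyone who has seen it can replay. Second, the server derives both identity and restraint from the name prefix, so the one-component-per-link rule in Verify is what stops a delegate from minting a name such as "acme/bob/read" under alice's key: the name of every link has to extend its issuer's name, and the issuer's key has to have signed it.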

  • 2 Assignments