System and method for providing a trust framework using a secondary network

US 9,473,309 B2
Filed: 03/11/2013
Issued: 10/18/2016
Est. Priority Date: 01/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method of initiating secure communication between a mobile device and a web server of a public network, said method comprising:

receiving a certificate at said mobile device from said web server through a primary network path connecting said mobile device to said public network, said primary network path including a firewall configured to interfere with operation of a domain name system (DNS) server of the public network when the DNS server is validating the certificate, wherein the firewall is configured to interfere with operation of the DNS server by at least one of;

modifying the certificate received from the mobile device to change an internet protocol (IP) address of an online certificate status protocol (OSCP) server of the public network;

limiting access to the OCSP server when receiving a request for OCSP validation of the certificate from the DNS server;

limiting access to the DNS server when querying for the IP address of the OSCP server;

modifying a response from the DNS server when querying the DNS server for the IP address of the OSCP server;

orreturning an incorrect IP address for the OSCP server to the mobile device when querying the DNS server for the IP address of the OSCP server;

sending, from said mobile device, a request to a trust and security management server to validate said certificate, wherein said trust and security management server validates said certificate by communicating the DNS server of said public network through a separate secondary network path that is different than the primary network path;

receiving, at said mobile device, a response to said request from said trust and security management server, said response indicating whether said certificate is valid; and

establishing, at said mobile device, secure communications between said mobile device and said web server, through said primary network path, when the response to said request received from said trust and security management server indicates that said certificate is valid.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for providing security services to a mobile device where the mobile device is in communication with a public network through a first network path that is subject to interference by a third party. The system includes a security server and a private network. The security server is operative to communicate with the mobile device through the private network. The security server is also operative to communicate with the public network through a second network path that is less susceptible to the interference by the third party than is the first network path. The security server communicates with the public network through the second network path to provide security services to the mobile device that are delivered over the private network.

35 Citations

View as Search Results

17 Claims

1. A method of initiating secure communication between a mobile device and a web server of a public network, said method comprising:
- receiving a certificate at said mobile device from said web server through a primary network path connecting said mobile device to said public network, said primary network path including a firewall configured to interfere with operation of a domain name system (DNS) server of the public network when the DNS server is validating the certificate, wherein the firewall is configured to interfere with operation of the DNS server by at least one of;
  
  modifying the certificate received from the mobile device to change an internet protocol (IP) address of an online certificate status protocol (OSCP) server of the public network;
  
  limiting access to the OCSP server when receiving a request for OCSP validation of the certificate from the DNS server;
  
  limiting access to the DNS server when querying for the IP address of the OSCP server;
  
  modifying a response from the DNS server when querying the DNS server for the IP address of the OSCP server;
  
  orreturning an incorrect IP address for the OSCP server to the mobile device when querying the DNS server for the IP address of the OSCP server;
  
  sending, from said mobile device, a request to a trust and security management server to validate said certificate, wherein said trust and security management server validates said certificate by communicating the DNS server of said public network through a separate secondary network path that is different than the primary network path;
  
  receiving, at said mobile device, a response to said request from said trust and security management server, said response indicating whether said certificate is valid; and
  
  establishing, at said mobile device, secure communications between said mobile device and said web server, through said primary network path, when the response to said request received from said trust and security management server indicates that said certificate is valid.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - sending, from said mobile device to said trust and security management server, a query for permission to trust an issuer certificate corresponding to said certificate.
  - 3. The method of claim 1, wherein said trust and security management server validates said certificate using at least one of Online Certificate Status Protocol (OCSP), Certificate Revocation Lists (CRL), or Delegated Path Validation (DPV) protocols to validate said certificate.
  - 4. The method of claim 1, wherein said mobile device primarily communicates with said public network through said primary network path.

5. A non-transitory computer-readable medium storing a computer program comprising computer-executable instructions for initiating secure communication between a mobile device and a web server of a public network, wherein the instructions when executed cause a processor of the mobile device to perform operations comprising:
- receiving a certificate at said mobile device from said web server through a primary network path connecting the mobile device to said public network, said primary network path including a firewall configured to interfere with operation of a domain name system (DNS) sever of the public network when the DNS server is validating the certificate, wherein the firewall is configured to interfere with operation of the DNS server by at least one of;
  
  modifying the certificate received from the mobile device to change an internet protocol (IP) address of an online certificate status protocol (OSCP) server of the public network;
  
  limiting access to the OCSP server when receiving a request for OCSP validation of the certificate from the DNS server;
  
  limiting access to the DNS server when querying for the IP address of the OSCP server;
  
  modifying a response from the DNS server when querying the DNS server for the IP address of the OSCP server;
  
  orreturning an incorrect IP address for the OSCP server to the mobile device when querying the DNS server for the IP address of the OSCP server;
  
  sending, from said mobile device, a request to a trust and security management server to validate said certificate, wherein said trust and security management server is configured to validate said certificate by communicating with a DNS server of said public network through a separate secondary network path that is different than the primary network path;
  
  receiving, at said mobile device, a response to said request from said trust and security management server, said response indicating whether said certificate is valid; and
  
  establishing, at said mobile device, secure communications between said mobile device and said web server, through said primary network path, when the response to said request received from said trust and security management server indicates that said certificate is valid.
- View Dependent Claims (6, 7, 12)
- - 6. The non-transitory computer-readable medium of claim 5, wherein the operations further comprises sending, from said mobile device, a query to said trust and security management server for permission to trust an issuer certificate corresponding to said certificate.
  - 7. The non-transitory medium of claim 5, wherein said trust and security management server validates said certificate using at least one of Online Certificate Status Protocol (OCSP), Certificate Revocation Lists (CRL), or Delegated Path Validation (DPV) protocols to validate said certificate.
  - 12. The system of claim 5, wherein the trust and security management server is configured to remotely manage root certificates stored in the certificate store of the mobile device by periodically communicating updates to root certificates stored the certificate store of the mobile device.

8. A system comprising:
- a public network comprising a web server, a domain name system (DNS) server, and an online certificate status protocol (OCPS) server;
  
  a mobile device in communication with the web server and the DNS server of the public network through a primary network path to receive a certificate, the primary network path including a firewall configured to interfere with operation of the DNS server when the DNS server is validating the certificate, wherein the firewall is configured to interfere with operation of the DNS server by at least one of;
  
  modifying the certificate received from the mobile device to change an internet protocol (IP) address of an online certificate status protocol (OSCP) server of the public network;
  
  limiting access to the OCSP server when receiving a request for OCSP validation of the certificate from the DNS server;
  
  limiting access to the DNS server when querying for the IP address of the OSCP server;
  
  modifying a response from the DNS server when querying the DNS server for the IP address of the OSCP server;
  
  orreturning an incorrect IP address for the OSCP server to the mobile device when querying the DNS server for the IP address of the OSCP server;
  
  a private network comprising a trust and security management server, the trust and security management server in communication with the public network through a separate secondary network path that is different than the primary network path and in communication with the mobile device through a wireless network, wherein the trust and security management server is configured to;
  
  receive a request from the mobile device through the wireless network to validate the certificate;
  
  communicate with the DNS server of public network through the secondary network path to validate the certificate; and
  
  send to the mobile device, a response to said request, said response indicating whether said certificate is valid;
  
  wherein the mobile device is configured to establish secure communications between said mobile device and said web server, through said primary network path, when the response to said request received from said trust and security management server indicates that said certificate is valid.
- View Dependent Claims (9, 10, 11, 13, 14, 15, 16, 17)
- - 9. The system of claim 8, wherein the public network is the Internet.
  - 10. The system of claim 8, wherein the firewall is located in a jurisdiction in which a government controls the firewall to interfere with the operation of the DNS server when validating the certificate received from the mobile device.
  - 11. The system of claim 8, wherein the firewall is located in a jurisdiction in which a government controls the firewall to interfere with the operation the OCSP server when validating the certificate received from the mobile device.
  - 13. The system of claim 8, wherein public network further comprises a certificate authority server configured to transmit a root certificate to the web server for storage on the web server.
  - 14. The system of claim 13, wherein the trust and security management server is configured to send trusted certificates to the mobile device for storage in a certificate store of the mobile device.
  - 15. The system of claim 8, wherein the trust and security management server is configured to remotely manage root certificates stored in a certificate store of the mobile device.
  - 16. The system of claim 8, wherein the trust and security management server is configured to remotely manage root certificates stored in the certificate store of the mobile device by removing root certificates from the certificate store of the mobile device.
  - 17. The system of claim 8, wherein the primary network path further comprises a wireless connection between the wireless network and the mobile device and a connection between the wireless network and the public network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited, Certicom Corporation (Blackberry Limited)
Inventors
Courtney, Sean Alexander, Campagna, Matthew John, Staikos, George Ross, Truskovsky, Alexander
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/793,166
Publication Number

US 20140215206A1
Time in Patent Office

1,317 Days
Field of Search

713156-153, 726/1, 726/5, 726/28, 709/200
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/18   using different networks or...

H04L 9/3268   using certificate validatio...

H04W 12/04   Key management, e.g. using ...

H04W 12/043   using a trusted network nod...

H04W 12/66   Trust-dependent, e.g. using...

System and method for providing a trust framework using a secondary network

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing a trust framework using a secondary network

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links