Rule-based validity of cryptographic key material

US 9,531,533 B2
Filed: 04/17/2014
Issued: 12/27/2016
Est. Priority Date: 03/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method for altering the validity status of cryptographic key material, the method comprising:

storing a rules based attribute set comprising a rule set defining conditions under which a validity state associated with cryptographic key material will be set to a valid or invalid state, the rule set comprising at least one of;

times at which the cryptographic key material should be valid and/or invalid;

quorum information; and

geo-fence information describing a geographic region that a system attempting to use the cryptographic key material must be located within or outside of for the cryptographic key material to be valid and/or invalid;

associating the rules based attribute set with cryptographic key material used for authenticated communications;

creating a rules evaluation message comprising information allowing compliance with the rule set to be determined; and

sending the rules evaluation message to a rules compliance service.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In representative embodiments, a rule-based certificate cryptographic key material comprising containing a rule set defining validity conditions is associated with cryptographic key material assigned to an entity for use in authenticated communications. The validity of the cryptographic material changes state based on whether the entity is compliant or non-compliant with the rule set. This is accomplished in a representative embodiment by suspending the validity of the cryptographic key material when the entity is non-compliant with the rules and reinstating the validity of the cryptographic key material when the entity becomes compliant. A rules compliance service determines the validity of the cryptographic material in part using updates sent by the entity. Entities can delegate the update to a delegate device. Encryption can be used to preserve privacy.

40 Citations

View as Search Results

20 Claims

1. A method for altering the validity status of cryptographic key material, the method comprising:
- storing a rules based attribute set comprising a rule set defining conditions under which a validity state associated with cryptographic key material will be set to a valid or invalid state, the rule set comprising at least one of;
  
  times at which the cryptographic key material should be valid and/or invalid;
  
  quorum information; and
  
  geo-fence information describing a geographic region that a system attempting to use the cryptographic key material must be located within or outside of for the cryptographic key material to be valid and/or invalid;
  
  associating the rules based attribute set with cryptographic key material used for authenticated communications;
  
  creating a rules evaluation message comprising information allowing compliance with the rule set to be determined; and
  
  sending the rules evaluation message to a rules compliance service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising evaluating at least one rule of the rule set and including the results of the evaluation in the rules evaluation message.
  - 3. The method of claim 2 wherein the rules evaluation message comprises information to determine the validity of the evaluation.
  - 4. The method of claim 1 wherein the rules based attribute set further comprises at least one of:
    - an identifier to identify a delegate for at least one of;
      
      decryption of various items;
      
      delegation of rule evaluation;
      
      service where rule evaluation messages should be sent; and
      
      /or delegation of validation of rule evaluation;
      
      policy information; and
      
      key instance(s) and/or identifier(s) of associated cryptographic key material.
  - 5. The method of claim 1 further comprising opening a secure connection to the rules compliance service.
  - 6. The method of claim 1 further comprising delegating creating the rules evaluation message to a device.
  - 7. The method of claim 1, further comprising causing a device to create the rules evaluation message using a short range wireless technology.

8. A system comprising:
- a processor;
  
  memory coupled to the processor;
  
  instructions stored in the memory that, when executed by the processor, cause the system to;
  
  store a rules based key material comprising;
  
  a rules based attribute set comprising a rule set defining conditions under which cryptographic key material will be honored for authenticated communications, the rule set comprising at least one of;
  
  times at which the cryptographic key material should be valid and/or invalid;
  
  quorum information specifying a minimum number of key instances in a set of key instances that must be in a designated state for the cryptographic key material to be valid and/or invalid; and
  
  geo-fence information describing a geographic region that a system attempting to use the cryptographic key material must be located within or outside of for the cryptographic key material to be valid and/or invalid; and
  
  associated cryptographic key material used for authenticated communications;
  
  identify a triggering event to trigger determination of whether the rules based key material is valid or invalid;
  
  responsive to the occurrence of the triggering event;
  
  create a rules evaluation message comprising information allowing compliance with the rule set to be determined; and
  
  send the rules evaluation message to a rules compliance service for evaluation in order to allow the rules compliance service to identify whether the rules based key material is set to a valid state or an invalid state.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the rules based attribute set further comprises a URI of the rules compliance service.
  - 10. The system of claim 8 wherein the rules evaluation message contains at least one piece of encrypted data and wherein the rules based attribute set further comprises the identity of a delegate to decrypt the encrypted information.
  - 11. The system of claim 8 wherein the system lacks the ability to determine its geographic location and wherein the creation of the rules evaluation message is delegated to an associated geo-aware device.
  - 12. The system of claim 11 wherein the associated geo-aware device utilizes a short range wireless communication technology to communicate with the system and wherein the creation of the rules evaluation message is only delegated while the geo-aware device and the system are in communication using the short range wireless communication technology.

13. A machine-readable medium having executable instructions encoded thereon, which, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- access a rules based key material comprising;
  
  a rules based attribute set comprising a rule set defining conditions under which cryptographic key material will be honored for authenticated communications, the rule set comprising at least one of;
  
  times at which the cryptographic key material should be valid and/or invalid;
  
  quorum information specifying a minimum number of key instances in a set of key instances that must be in a designated state for the cryptographic key material to be valid and/or invalid; and
  
  geo-fence information describing a geographic region that a system attempting to use the cryptographic key material must be located within or outside of for the cryptographic key material to be valid and/or invalid; and
  
  associated cryptographic key material used for authenticated communications;
  
  identify a triggering event to trigger determination of whether the rules based key material is valid or invalid;
  
  responsive to the occurrence of the triggering event;
  
  create a rules evaluation message comprising information allowing compliance with the rule set to be determined; and
  
  send the rules evaluation message to a rules compliance service for evaluation in order to allow the rules compliance service to identify whether the rules based key material is set to a valid state or an invalid state.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The machine-readable medium of claim 13 wherein rule set comprises at least one time schedule that identifies when the revocation status of the cryptographic key material is to be set to either a suspended state where the cryptographic key material will not be honored to validate the system in an authenticated session or a reinstated state where the cryptographic key material will be honored to validate the system in an authenticates session.
  - 15. The machine-readable medium of claim 14 wherein the rule set comprises a geo-fence defining a geographic area within which the state should be reinstated.
  - 16. The machine-readable medium of claim 13 wherein to associate the rules based attribute set and the cryptographic key material, the executable instructions cause the machine to perform operations comprising:
    - initiate creation of a certificate comprising the rules based attribute set and at least a portion of the cryptographic key material.
  - 17. The machine-readable medium of claim 13 to associate the rules based attribute set and the cryptographic key material, the executable instructions cause the machine to perform operations comprising:
    - initiate storage of the rules based attribute set on the system in at least one of either as part of an SSH private use header or as part of SSH key options.
  - 18. The machine-readable medium of claim 17 wherein the rules evaluation message comprises results of an evaluation of the geographic location of the machine relative to a geo-fence.
  - 19. The machine-readable medium of claim 17 wherein the rules evaluation message comprises information to allow the recipient of the rules evaluation message to evaluate whether a quorum rule is met.
  - 20. The machine-readable medium of claim 13 wherein the executable instructions cause the machine to perform further operations comprising:
    - delegate creation of the rules evaluation message to a second machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venafi,Inc.
Original Assignee
Venafi,Inc.
Inventors
Ronca, Remo
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/255,710
Publication Number

US 20150271157A1
Time in Patent Office

985 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/088   Usage controlling of secret...

H04L 9/3268   using certificate validatio...

Rule-based validity of cryptographic key material

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based validity of cryptographic key material

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links