Rule-based validity of cryptographic key material

US 9,577,823 B2
Filed: 04/17/2014
Issued: 02/21/2017
Est. Priority Date: 03/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method for creating rule based cryptographic key material, the method comprising:

receiving a request to create a rule based cryptographic key material;

creating a rule based attribute set comprising at least one rule set defining conditions under which an associated state of the rule based cryptographic key material will be set to valid so that the rule based cryptographic key material will be honored for authenticated communications or set to invalid so that the rule based cryptographic key material will not be honored for authenticated communications, the at least one rule set comprising at least one of;

times at which the rule based cryptographic key material should be valid and/or invalid;

quorum information; and

geo-fence information;

causing an association between the rule based attribute set and cryptographic key material to create the rule based key material;

deploying the rule based key material to a system.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In representative embodiments, a rule-based certificate cryptographic key material comprising containing a rule set defining validity conditions is associated with cryptographic key material assigned to an entity for use in authenticated communications. The validity of the cryptographic material changes state based on whether the entity is compliant or non-compliant with the rule set. This is accomplished in a representative embodiment by suspending the validity of the cryptographic key material when the entity is non-compliant with the rules and reinstating the validity of the cryptographic key material when the entity becomes compliant. A rules compliance service determines the validity of the cryptographic material in part using updates sent by the entity. Entities can delegate the update to a delegate device. Encryption can be used to preserve privacy.

38 Citations

View as Search Results

20 Claims

1. A method for creating rule based cryptographic key material, the method comprising:
- receiving a request to create a rule based cryptographic key material;
  
  creating a rule based attribute set comprising at least one rule set defining conditions under which an associated state of the rule based cryptographic key material will be set to valid so that the rule based cryptographic key material will be honored for authenticated communications or set to invalid so that the rule based cryptographic key material will not be honored for authenticated communications, the at least one rule set comprising at least one of;
  
  times at which the rule based cryptographic key material should be valid and/or invalid;
  
  quorum information; and
  
  geo-fence information;
  
  causing an association between the rule based attribute set and cryptographic key material to create the rule based key material;
  
  deploying the rule based key material to a system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the rule based attribute set further comprises:
    - an identifier to identify a delegate for at least one of;
      
      decryption of various items;
      
      delegation of rule evaluation;
      
      service where rule evaluation messages should be sent; and
      
      /ordelegation of validation of rule evaluation;
      
      policy information; and
      
      a key instance and/or identifier of associated cryptographic key material.
  - 3. The method of claim 1 wherein rule based attribute set further comprises logic to define how the rules of the rules based attribute set should be combined to evaluate a validity state of the rule based key material.
  - 4. The method of claim 1 further comprising receiving a request to determine compliance with at least one rule in the at least one rules set in order to identify whether a state of the rule based key material should be suspended or reinstated.
  - 5. The method of claim 4 wherein determining compliance with the at least one rules set comprises evaluating a plurality of rules in the at least one rule set and combining the results of the evaluation of each rule according to logic included in the rule based attribute set in order to identify when a state of rule based key material should be suspended and when the state of the rule based key material should be reinstated.
  - 6. The method of claim 4 wherein the at least one rule set comprises update dependent rules, update independent rules, or both update dependent rules and update independent rules.
  - 7. The method of claim 1, wherein causing the association between the cryptographic key material and the rules based attribute set comprises creating a certificate.
  - 8. The method of claim 1, wherein causing the association between the cryptographic key material and the rules based attribute set comprises causing storage of the rules based key material on the system.

9. A system comprising:
- a processor and executable instructions accessible on a machine-readable medium that, when executed, cause the system to perform operations comprising;
  
  receive a request to create a rule based cryptographic key material;
  
  create a rule based attribute set comprising at least one rule set defining conditions under which an associated state of the rule based cryptographic key material is set to valid so that the rule based cryptographic key material is honored for authenticated communications or set to invalid so that the rule based cryptographic key material is not honored for authenticated communications, the at least one rule set comprising at least one of;
  
  times at which the rule based cryptographic key material should be valid and/or invalid;
  
  quorum information; and
  
  geo-fence information;
  
  cause an association between the rule based attribute set and cryptographic key material to create the rule based key material;
  
  deploy the rule based key material to a system.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein at least part of the rules based attribute set comes from a template.
  - 11. The system of claim 9 wherein the rules based attribute set further comprises logic to combine the at least one rule of the at least one rule set to determine when a state of the rule based key material is set to suspended and/or when the state of the rule based key material is set to reinstated.
  - 12. The system of claim 9 wherein the instructions further cause the system to receive a request to set a state of the rule based key material to suspended or to set the state of the rule based key material to reinstated.
  - 13. The system of claim 9 wherein the instructions further cause the system to:
    - receive a message that triggers;
      
      evaluation of a state of the rule based key material; and
      
      responsive to the evaluation, sets the state to suspended or to reinstated.

14. A machine-readable medium having executable instructions encoded thereon, which, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- receive a request to create a rule based cryptographic key material;
  
  create a rule based attribute set comprising at least one rule set defining conditions under which a state associated with the rule based cryptographic key material will be set to valid so that the rule based cryptographic key material is honored for authenticated communications or set to invalid so that the rule based cryptographic key material is not honored for authenticated communications, the at least one rule set comprising at least one of;
  
  times at which the rule based cryptographic key material should be valid and/or invalid;
  
  quorum information; and
  
  geo-fence information;
  
  cause an association between the rule based attribute set and cryptographic key material to create the rule based key material;
  
  deploy the rule based key material to a system.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The machine-readable medium of claim 14 wherein rule based attribute set further comprises delegate information authorizing delegation of at least one function.
  - 16. The machine-readable medium of claim 14 wherein to deploy the rule based key material to the system, the executable instructions cause the machine to perform operations comprising cause storage of the geo-fence attribute set on the system at least one of either an SSH private use header or as part of SSH key options.
  - 17. The machine-readable medium of claim 14 wherein to cause the association between the rule based attribute set and the cryptographic key material, the executable instructions cause the machine to perform operations comprising create a certificate comprising the rule based attribute set and at least a portion of the cryptographic key material.
  - 18. The machine-readable medium of claim 14 wherein the executable instructions cause the machine to perform further operations comprising:
    - receive a request to change the validity status of the rule based key material to a state indicating the cryptographic key material will not be honored to validate the system in an authenticated session.
  - 19. The machine-readable medium of claim 17 wherein the executable instructions cause the machine to perform further operations comprising:
    - receive a request to change the validity status of the rule based key material to a state indicating the cryptographic key material will be honored to validate the system in an authenticated session.
  - 20. The machine-readable medium of claim 18 wherein the executable instructions cause the machine to perform at least one further operations comprising:
    - remove an identifier associated with the cryptographic key material on a second system;
      
      orreplace the identifier associated with the cryptographic key material on the second system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venafi,Inc.
Original Assignee
Venafi,Inc.
Inventors
Ronca, Remo
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/255,745
Publication Number

US 20150271158A1
Time in Patent Office

1,041 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/3268   using certificate validatio...

Rule-based validity of cryptographic key material

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based validity of cryptographic key material

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links