Using resource records for digital certificate validation

US 9,641,516 B2
Filed: 07/01/2015
Issued: 05/02/2017
Est. Priority Date: 07/01/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:

receiving, by a client computer, a request to retrieve a web page at a uniform resource locator (URL) incorporating a host name;

causing, by the client computer and in response to the receiving the request to retrieve the web page, resource records associated with the host name to be queried for an IP address of a server associated with the host name, a list of certificate authorities, a first digest of a modulus of a digital certificate, and an identifier of an owner of the host name, wherein the IP address of the server, the list of certificate authorities, the first digest of the modulus of the digital certificate, and the identifier of the owner of the host name are stored within the resource records on a Domain Name System (DNS) server;

receiving, by the client computer, from the DNS server, and in response to the causing the resource records to be queried, the IP address of the server, the list of certificate authorities, the first digest of the modulus of the digital certificate, and the identifier of the owner of the host name;

initiating, by the client computer and based on the received IP address, establishment of a secure connection with the server;

receiving, by the client computer, from the server, and in response to the initiating the establishment of the secure connection, the digital certificate incorporated within a communication;

identifying, by the client computer and within the received digital certificate, a certificate authority, the modulus, and a common name of an owner of the digital certificate;

comparing, by the client computer, the identified certificate authority to the received list of certificate authorities;

determining, by the client computer and based on the comparing the identified certificate authority to the received list of certificate authorities, that the identified certificate authority is included in the received list of certificate authorities;

generating, by the client computer, a second digest of the modulus;

comparing, by the client computer, the first digest of the modulus and the second digest of the modulus;

determining, by the client computer and based on the comparing the first digest and the second digest, that the first digest and the second digest match;

comparing, by the client computer, the identifier of the owner of the host name and the common name of the owner of the digital certificate;

determining, by the client computer and based on the comparing the identifier of the owner of the host name and the common name of the owner of the digital certificate, that the owner of the host name and the owner of the digital certificate match;

completing, by the client computer and in response to the determining that the identified certificate authority is included in the received list of certificate authorities, that the first digest and the second digest match, and that the owner of the host name and the owner of the digital certificate match, the establishment of the secure connection with the server; and

retrieving the web page.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital certificate incorporated within a communication is received from a server associated with a host name. Resource records associated with the host name are caused to be queried for a list of certificate authorities. In response to causing the resource records to be queried, the list of certificate authorities is received. A certificate authority is identified within the received digital certificate. The identified certificate authority is compared to the received list of certificate authorities. A determination is made, based on the comparison, that the identified certificate authority is included in the received list of certificate authorities.

Citations

2 Claims

1. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:
- receiving, by a client computer, a request to retrieve a web page at a uniform resource locator (URL) incorporating a host name;
  
  causing, by the client computer and in response to the receiving the request to retrieve the web page, resource records associated with the host name to be queried for an IP address of a server associated with the host name, a list of certificate authorities, a first digest of a modulus of a digital certificate, and an identifier of an owner of the host name, wherein the IP address of the server, the list of certificate authorities, the first digest of the modulus of the digital certificate, and the identifier of the owner of the host name are stored within the resource records on a Domain Name System (DNS) server;
  
  receiving, by the client computer, from the DNS server, and in response to the causing the resource records to be queried, the IP address of the server, the list of certificate authorities, the first digest of the modulus of the digital certificate, and the identifier of the owner of the host name;
  
  initiating, by the client computer and based on the received IP address, establishment of a secure connection with the server;
  
  receiving, by the client computer, from the server, and in response to the initiating the establishment of the secure connection, the digital certificate incorporated within a communication;
  
  identifying, by the client computer and within the received digital certificate, a certificate authority, the modulus, and a common name of an owner of the digital certificate;
  
  comparing, by the client computer, the identified certificate authority to the received list of certificate authorities;
  
  determining, by the client computer and based on the comparing the identified certificate authority to the received list of certificate authorities, that the identified certificate authority is included in the received list of certificate authorities;
  
  generating, by the client computer, a second digest of the modulus;
  
  comparing, by the client computer, the first digest of the modulus and the second digest of the modulus;
  
  determining, by the client computer and based on the comparing the first digest and the second digest, that the first digest and the second digest match;
  
  comparing, by the client computer, the identifier of the owner of the host name and the common name of the owner of the digital certificate;
  
  determining, by the client computer and based on the comparing the identifier of the owner of the host name and the common name of the owner of the digital certificate, that the owner of the host name and the owner of the digital certificate match;
  
  completing, by the client computer and in response to the determining that the identified certificate authority is included in the received list of certificate authorities, that the first digest and the second digest match, and that the owner of the host name and the owner of the digital certificate match, the establishment of the secure connection with the server; and
  
  retrieving the web page.

2. A system comprising:
- a memory;
  
  a processor in communication with the memory, wherein the processor is configured to perform a method comprising;
  
  receiving, by a client computer, a request to retrieve a web page at a uniform resource locator (URL) incorporating a host name;
  
  causing, by the client computer and in response to the receiving the request to retrieve the web page, resource records associated with the host name to be queried for an IP address of a server associated with the host name, a list of certificate authorities, a first digest of a modulus of a digital certificate, and an identifier of an owner of the host name, wherein the IP address of the server, the list of certificate authorities, the first digest of the modulus of the digital certificate, and the identifier of the owner of the host name are stored within the resource records on a Domain Name System (DNS) server;
  
  receiving, by the client computer, from the DNS server, and in response to the causing the resource records to be queried, the IP address of the server, the list of certificate authorities, the first digest of the modulus of the digital certificate, and the identifier of the owner of the host name;
  
  initiating, by the client computer and based on the received IP address, establishment of a secure connection with the server;
  
  receiving, by the client computer, from the server, and in response to the initiating the establishment of the secure connection, the digital certificate incorporated within a communication;
  
  identifying, by the client computer and within the received digital certificate, a certificate authority, the modulus, and a common name of an owner of the digital certificate;
  
  comparing, by the client computer, the identified certificate authority to the received list of certificate authorities;
  
  determining, by the client computer and based on the comparing the identified certificate authority to the received list of certificate authorities, that the identified certificate authority is included in the received list of certificate authorities;
  
  generating, by the client computer, a second digest of the modulus;
  
  comparing, by the client computer, the first digest of the modulus and the second digest of the modulus;
  
  determining, by the client computer and based on the comparing the first digest and the second digest, that the first digest and the second digest match;
  
  comparing, by the client computer, the identifier of the owner of the host name and the common name of the owner of the digital certificate;
  
  determining, by the client computer and based on the comparing the identifier of the owner of the host name and the common name of the owner of the digital certificate, that the owner of the host name and the owner of the digital certificate match;
  
  completing, by the client computer and in response to the determining that the identified certificate authority is included in the received list of certificate authorities, that the first digest and the second digest match, and that the owner of the host name and the owner of the digital certificate match, the establishment of the secure connection with the server; and
  
  retrieving the web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Behnken, John F., Doleh, Yaser K., Marzorati, Mauro
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US14/788,841
Publication Number

US 20170006023A1
Time in Patent Office

671 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/123   received data contents, e.g...

Using resource records for digital certificate validation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

2 Claims

Specification

Solutions

Use Cases

Quick Links

Using resource records for digital certificate validation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

2 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links