Geo-fencing cryptographic key material

US 9,680,827 B2
Filed: 03/21/2014
Issued: 06/13/2017
Est. Priority Date: 03/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method performed by a geolocation update service for altering the status of cryptographic key material, the method comprising:

accessing a time since a last geo-location update message was received from a system, the last geo-location update message indicating a previous location of the system;

identifying whether the last geo-location update was received within a predetermined length of time;

responsive to determining that the last geo-location update message was not received within the predetermined length of time, setting a validity state associated with cryptographic key material previously deployed to the system to a suspended state indicating that the cryptographic key material will not be honored to authenticate the system in an authenticated session;

receiving, by a processor via a network, a geo-location update message from the system identifying a current location of the system;

accessing a geo-fence attribute set associated with the cryptographic key material, the attribute set comprising geo-fence information that identifies at least one geographic region and a policy that identifies when a status of the cryptographic key material is to be set to either the suspended state where the cryptographic key material will not be honored to validate the system in an authenticated session or a reinstated state where the cryptographic key material will be honored to validate the system in an authenticated session;

evaluating the current location of the system relative to the geo-fence information;

responsive to the evaluation of the current location and the policy, setting the status of the cryptographic key material to the suspended state when the current location is not in compliance with the policy and setting the status of the cryptographic key material to the reinstated state when the current location is in compliance with the policy.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In representative embodiments, a geo-fence cryptographic key material comprising a geo-fence description defining a geographic area and associated cryptographic key material is assigned to an entity for use in authenticated communications. The validity of the cryptographic material changes state based on whether the entity is inside or outside the geographic area. This is accomplished in a representative embodiment by suspending the validity of the cryptographic key material when the entity is outside the geographic area and reinstating the validity of the cryptographic key material when the entity is inside the geographic area. A geographic update service determines the validity of the cryptographic material in part using location updates sent by the entity. Entities that are not geo-aware can delegate the location update to a geo-aware device. Encryption can be used to preserve privacy.

Citations

20 Claims

1. A method performed by a geolocation update service for altering the status of cryptographic key material, the method comprising:
- accessing a time since a last geo-location update message was received from a system, the last geo-location update message indicating a previous location of the system;
  
  identifying whether the last geo-location update was received within a predetermined length of time;
  
  responsive to determining that the last geo-location update message was not received within the predetermined length of time, setting a validity state associated with cryptographic key material previously deployed to the system to a suspended state indicating that the cryptographic key material will not be honored to authenticate the system in an authenticated session;
  
  receiving, by a processor via a network, a geo-location update message from the system identifying a current location of the system;
  
  accessing a geo-fence attribute set associated with the cryptographic key material, the attribute set comprising geo-fence information that identifies at least one geographic region and a policy that identifies when a status of the cryptographic key material is to be set to either the suspended state where the cryptographic key material will not be honored to validate the system in an authenticated session or a reinstated state where the cryptographic key material will be honored to validate the system in an authenticated session;
  
  evaluating the current location of the system relative to the geo-fence information;
  
  responsive to the evaluation of the current location and the policy, setting the status of the cryptographic key material to the suspended state when the current location is not in compliance with the policy and setting the status of the cryptographic key material to the reinstated state when the current location is in compliance with the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the policy further comprises a condition and one of a schedule or a time period and wherein the method of claim 1 further comprises:
    - evaluating the condition at the schedule or time period; and
      
      setting the status of the cryptographic key material to the suspended state if the system does not comply with the condition.
  - 3. The method of claim 1 further comprising determining whether the geo-location update message is valid.
  - 4. The method of claim 1 wherein the geo-fence attribute set and the cryptographic key material are combined into a geo-fence certificate and wherein the method further comprises decrypting the geo-fence information included in the geofence certificate.
  - 5. The method of claim 4 further comprising decrypting information included in the geo-location update message.
  - 6. The method of claim 1, wherein the cryptographic key material and the geo-fence attribute set are included in a certificate.
  - 7. The method of claim 1 wherein the current location of the system is obfuscated to conceal the geo-location coordinates of the client.

8. A system comprising:
- a processor;
  
  memory coupled to the processor;
  
  instructions stored in the memory that, when executed by the processor, cause the system to;
  
  receive, by the processor via a network, a geo-location update message from a device having cryptographic key material used for authenticated communication, the geo;
  
  location update message identifying a current location of the device;
  
  access a policy comprising;
  
  a geo-fence attribute set associated with the cryptographic key material, the geo-fence attribute set comprising a geo-fence that identifies at least one geographic region within which the cryptographic key material can be valid if a set of additional conditions are met; and
  
  the set of additional conditions representing conditions which, when combined with the current location of the device, a status of the cryptographic key material is to be set to either a suspended state where the cryptographic key material will not be honored to validate the device in an authenticated session or a reinstated state where the cryptographic key material will be honored to validate the device in an authenticated session when the device is located within the geographic region;
  
  cause the state of the cryptographic key material to be suspended if the current location of the device is outside the geographic region or if the device is located inside the geographic region and the conditions indicate the state should be suspended; and
  
  cause the state of the cryptographic key material to be reinstated if the current location of the system is within the geographic region and if the conditions indicate the state should be reinstated.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8 wherein the set of additional conditions comprise a schedule indicating times when the cryptographic key material should be reinstated.
  - 10. The system of claim 9 wherein the time comprises at least one of a day of the week, a range of days of the week, an hour of the day, a range of hours of the day, a date, a date range, and combinations thereof.
  - 11. The system of claim 8 wherein the policy further comprises a second geographic area and a second set of additional conditions that apply to the second geographic area and wherein:
    - the state associated with the cryptographic key material is set to reinstated when the device is located within the second geographic area and the second set of additional conditions indicate the state should be set to reinstated.
  - 12. The system of claim 8 further comprising setting the state to a default value if a last geo-location update message was not received within a designated time period.

13. A machine-readable medium having executable instructions encoded thereon, which, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- setting a validity status associated with cryptographic key material to suspended if a prior geo-location update message comprising a previous location of a system was received longer than a predetermined time period before a current time;
  
  receive, by the processor via a network, a geo-location update message from the system identifying a current location of the system;
  
  access a policy comprising;
  
  a geo-fence attribute set associated with the cryptographic key material, the attribute set comprising a geo-fence that identifies at least one geographic region; and
  
  a set of conditions under which a status of the cryptographic key material is to be set to either a suspended state where the cryptographic key material will not be honored to validate the system in an authenticated session or a reinstated state where the cryptographic key material will be honored to validate the system in an authenticated session;
  
  cause the state of the cryptographic key material to be suspended if the current location of the system relative to the geo-fence or if the conditions indicate the state should be suspended; and
  
  cause the state of the cryptographic key material to be reinstated if the current location of the system relative to the geo-fence or the conditions indicate the state should be reinstated.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The machine-readable medium of claim 13 wherein the geo-location update message further identifies the policy.
  - 15. The machine-readable medium of claim 13 wherein the executable instructions cause the machine to perform operations comprising:
    - cause the state of the cryptographic key material to be reinstated if the current location of the system relative to the geo-fence indicates the state should be reinstated and if the conditions indicate the state should be reinstated.
  - 16. The machine-readable medium of claim 13 wherein the conditions comprise a schedule to indicate when the cryptographic key material state is reinstated or when the cryptographic key material state is suspended.
  - 17. The machine-readable medium of claim 13 wherein the conditions comprise a periodic schedule for the system to send the geo-location update message in order for the cryptographic key material to maintain the state as reinstated.
  - 18. The machine-readable medium of claim 17 wherein the state is set to suspended if the system is outside the geo-fence.
  - 19. The machine-readable medium of claim 13 wherein the executable instructions to cause the state of the cryptographic key material to be suspended cause the machine to perform at least further operations comprising:
    - remove an identifier associated with the cryptographic key material on a second system.
  - 20. The machine-readable medium of claim 13 wherein the executable instructions to cause the state of the cryptographic key material to be reinstated cause the machine to perform at least further operations comprising:
    - replace an identifier associated with the cryptographic key material on a second system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venafi,Inc.
Original Assignee
Venafi,Inc.
Inventors
Ronca, Remo
Primary Examiner(s)
King, John B

Application Number

US14/222,046
Publication Number

US 20150271156A1
Time in Patent Office

1,180 Days
Field of Search

713168
US Class Current
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/107   wherein the security polici...

H04L 9/0872   using geo-location informat...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04W 12/069   using certificates or pre-s...

H04W 4/021   Services related to particu...

Geo-fencing cryptographic key material

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Geo-fencing cryptographic key material

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links