Rule-based validity of cryptographic key material

US 9,686,244 B2
Filed: 04/17/2014
Issued: 06/20/2017
Est. Priority Date: 03/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method for altering the status of cryptographic key material, the method comprising:

receiving, by a processor via a network, a rule evaluation message from a system having presently deployed cryptographic key material used for authenticated communication, the rule evaluation message including information to allow the recipient to determine compliance with at least one rule included in a rule based attribute set associated with the presently deployed cryptographic key material;

accessing the rule based attribute set associated with the presently deployed cryptographic key material;

evaluating compliance of the system with the at least one rule;

responsive to the evaluation of the at least one rule, setting a status of the cryptographic key material to either a suspended state when the system is not in compliance with the at least one rule where the cryptographic key material will not be honored to validate the system in an authenticated session or a reinstated state when the system is in compliance with the at least one rule where the cryptographic key material will be honored to validate the system in an authenticates session.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In representative embodiments, a rule-based certificate cryptographic key material comprising containing a rule set defining validity conditions is associated with cryptographic key material assigned to an entity for use in authenticated communications. The validity of the cryptographic material changes state based on whether the entity is compliant or non-compliant with the rule set. This is accomplished in a representative embodiment by suspending the validity of the cryptographic key material when the entity is non-compliant with the rules and reinstating the validity of the cryptographic key material when the entity becomes compliant. A rules compliance service determines the validity of the cryptographic material in part using updates sent by the entity. Entities can delegate the update to a delegate device. Encryption can be used to preserve privacy.

38 Citations

20 Claims

1. A method for altering the status of cryptographic key material, the method comprising:
- receiving, by a processor via a network, a rule evaluation message from a system having presently deployed cryptographic key material used for authenticated communication, the rule evaluation message including information to allow the recipient to determine compliance with at least one rule included in a rule based attribute set associated with the presently deployed cryptographic key material;
  
  accessing the rule based attribute set associated with the presently deployed cryptographic key material;
  
  evaluating compliance of the system with the at least one rule;
  
  responsive to the evaluation of the at least one rule, setting a status of the cryptographic key material to either a suspended state when the system is not in compliance with the at least one rule where the cryptographic key material will not be honored to validate the system in an authenticated session or a reinstated state when the system is in compliance with the at least one rule where the cryptographic key material will be honored to validate the system in an authenticates session.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the at least one rule comprises one of a schedule or a time period and conditions related to the schedule or the time period wherein the method of claim 1 further comprises setting the status of the cryptographic key material to the suspended state if the system does not comply with the conditions related to the schedule or the time period.
  - 3. The method of claim 2 wherein the policy comprises a time period and wherein the status of the cryptographic key material is set to suspended if the rule evaluation message was not received during the time period.
  - 4. The method of claim 1 further comprising determining whether the rule evaluation message is valid.
  - 5. The method of claim 1 further comprising decrypting information included in the rule evaluation message.
  - 6. The method of claim 5 wherein the decrypted information comprises information measured by the system and included in the rule evaluation message.
  - 7. The method of claim 1, wherein the cryptographic key material and the rule based attribute set are included in a certificate.

8. A system comprising:
- a processor;
  
  memory coupled to the processor;
  
  instructions stored in the memory that, when executed by the processor, cause the system to;
  
  receive, by a processor via a network, a rule evaluation message from a device having presently deployed cryptographic key material used for authenticated communication;
  
  access a rule based attribute set associated with the cryptographic key material comprising;
  
  a first rule set including a first rule;
  
  a second rule set a second rule;
  
  conditions under which the device is in compliance with the first rule; and
  
  conditions under which the device is in compliance with the second rule;
  
  evaluate compliance of the device with at least the first rule or the second rule; and
  
  responsive to the evaluation, causing the status of the cryptographic key material to be set to either a suspended state or a reinstated state.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the state is set to suspended if the device is not in compliance with either the first rule or the second rule.
  - 10. The system of claim 8 wherein the state is suspended if the device is not in compliance with both the first rule and the second rule.
  - 11. The system of claim 8 wherein the first rule set is an update dependent rule set and where evaluation of compliance with the first rule set is performed based on information contained in the rule evaluation message.
  - 12. The system of claim 8 wherein the second rule set is an update independent rule set and where evaluation of compliance with the second rule set is performed independent of information contained in the rule evaluation message.

13. A machine-readable medium having executable instructions encoded thereon, which, when executed by at least one processor of a machine, cause the machine to perform operations comprising:
- access a rule based attribute set associated with presently deployed rule based key material comprising the attribute set and related cryptographic key information, the rule based attribute set comprising a first rule set comprising at least one of a timing schedule, quorum information and geo-fence information, the first rule set defining conditions under which the cryptographic key information will be honored for authenticated communication by a first system with a second system;
  
  evaluate compliance of the first system with the first rule set; and
  
  responsive to the evaluation, cause the status of the cryptographic key material to be set to either a suspended state or a reinstated state such that the first system can initiate authenticated communications when the first system is in compliance with the first rule set and the first system cannot initiate authenticated communications when the first system is not in compliance with the first rule set.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The machine-readable medium of claim 13 wherein the first rules set is update independent.
  - 15. The machine-readable medium of claim 13 wherein executable instructions further cause the machine to perform operations comprising:
    - receive a rule evaluation message and wherein the first rules set is update dependent and wherein evaluating compliance of the first system with the first rules set comprises evaluating the first rules set in light of information received in the rule evaluation message.
  - 16. The machine-readable medium of claim 14 wherein:
    - the rule based attribute set further comprises a second rules set, the first rules set including update independent rules and the second rules set including update dependent rules;
      
      the rule based attribute set further comprises logic to identify how evaluation of the first rules set and evaluation of the second rules set should be combined to indicate compliance;
      
      the executable instructions further cause the machine to perform operations comprising;
      
      receive a rule evaluation message;
      
      evaluate compliance of the first system to the second rules set based on information received in the rule evaluation message; and
      
      causing the status of the cryptographic key material to be set to either a suspended state or a reinstated state is based on the compliance evaluation of the first system to the first rules set and the second rules set and based on the logic to identify how evaluation of the first rules set and evaluation of the second rules set should be combined to indicate compliance.
  - 17. The machine-readable medium of claim 13 wherein the first rules set comprises at least one of:
    - times at which the cryptographic key material should be valid and/or invalid;
      
      quorum information; and
      
      geo-fence information.
  - 18. The machine-readable medium of claim 17 wherein the state is set to suspended if the first system is outside the geo-fence.
  - 19. The machine-readable medium of claim 13 wherein the executable instructions to cause the state of the cryptographic key material to be suspended cause machine to perform at least further operations comprising:
    - remove an identifier associated with the cryptographic key material on the second system.
  - 20. The machine-readable medium of claim 13 wherein the executable instructions to cause the state of the cryptographic key material to be reinstated cause machine to perform at least further operations comprising:
    - replace an identifier associated with the cryptographic key material on the second system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venafi,Inc.
Original Assignee
Venafi,Inc.
Inventors
Ronca, Remo
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/255,762
Publication Number

US 20150271144A1
Time in Patent Office

1,160 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 63/0876   based on the identity of th...

H04L 9/0819   Key transport or distributi...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/3268   using certificate validatio...

H04W 12/041   Key generation or derivation

Rule-based validity of cryptographic key material

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based validity of cryptographic key material

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links