Methods for secured SCEP enrollment for client devices and devices thereof

US 10,797,888 B1
Filed: 01/20/2017
Issued: 10/06/2020
Est. Priority Date: 01/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method for secured SCEP enrollment for client devices implemented by a network traffic management system comprising one or more network traffic apparatuses, client devices, or server devices, the method comprising:

receiving an encrypted certificate signing request and an encrypted device key from an enrolled mobile device, the encrypted certificate signing request and the encrypted device key being encrypted separately with different cryptographic keys;

decrypting the received encrypted device key to generate a decrypted device key without decrypting the encrypted certificate signing request;

forwarding the received encrypted certificate signing request to a simple certificate enrollment protocol server upon determining the decrypted device key is present in stored data and is being used only once;

receiving a signed device certificate from the simple certificate enrollment protocol server as a response to the forwarded encrypted certificate signing request; and

completing a secured simple certificate enrollment protocol enrollment by forwarding the signed device certificate to the enrolled mobile device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, non-transitory computer readable media, and mobile application manager apparatus that assists secured SCEP enrollment of client devices includes receiving a certificate signing request and an encrypted device key from an enrolled mobile device. The received certificate signing request is forwarded to a simple certificate enrollment protocol server upon determining a validity of the received encrypted device key. A signed device certificate is received from the simple certificate enrollment protocol server as a response to the forwarded certificate signing request. The secured simple certificate enrollment protocol enrollment is completed forwarding the signed device certificate to the enrolled mobile device.

958 Citations

22 Claims

1. A method for secured SCEP enrollment for client devices implemented by a network traffic management system comprising one or more network traffic apparatuses, client devices, or server devices, the method comprising:
- receiving an encrypted certificate signing request and an encrypted device key from an enrolled mobile device, the encrypted certificate signing request and the encrypted device key being encrypted separately with different cryptographic keys;
  
  decrypting the received encrypted device key to generate a decrypted device key without decrypting the encrypted certificate signing request;
  
  forwarding the received encrypted certificate signing request to a simple certificate enrollment protocol server upon determining the decrypted device key is present in stored data and is being used only once;
  
  receiving a signed device certificate from the simple certificate enrollment protocol server as a response to the forwarded encrypted certificate signing request; and
  
  completing a secured simple certificate enrollment protocol enrollment by forwarding the signed device certificate to the enrolled mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as set forth in claim 1, further comprising sending a simple certificate enrollment protocol uniform resource locator including the encrypted device key to the enrolled mobile device in response to a request for enrollment.
  - 3. The method as set forth in claim 1, further comprising:
    - receiving a request to access a web application or authenticate the enrolled mobile device with the forwarded signed device certificate from the enrolled mobile device;
      
      determining the received signed device certificate to be valid when the device key in the received signed device certificate is present in a list comprising authorized device keys; and
      
      providing access to the requested web application or authenticate the enrolled mobile device when the received signed device certificate is determined to be valid.
  - 4. The method as set forth in claim 1, further comprising:
    - rejecting a subsequent secured simple certificate enrollment protocol enrollment in response to determining encrypted device key is used for a second time.
  - 5. The method as set forth in claim 1, further comprising:
    - updating the stored data to indicate the encrypted device key has been used in response to forwarding the received encrypted certificate signing request.
  - 6. The method as set forth in claim 1, wherein the encrypted certificate signing request and the encrypted device key are sent from the enrolled mobile device using a single request.
  - 7. The method as set forth in claim 6, wherein the encrypted certificate signing request and the encrypted device key are incorporated in a uniform resource locator of the single request.

8. A non-transitory computer readable medium having stored thereon instructions for secured SCEP enrollment for client devices comprising executable code which when executed by one or more processors, causes the processors to:
- receive an encrypted certificate signing request and an encrypted device key from an enrolled mobile device, the encrypted certificate signing request and the encrypted device key being encrypted separately with different cryptographic keys;
  
  decrypt the received encrypted device key to generate a decrypted device key without decrypting the encrypted certificate signing request;
  
  forward the received encrypted certificate signing request to a simple certificate enrollment protocol server upon determining the decrypted device key is present in stored data and is being used only once;
  
  receive a signed device certificate from the simple certificate enrollment protocol server as a response to the forwarded encrypted certificate signing request; and
  
  complete a secured simple certificate enrollment protocol enrollment by forwarding the signed device certificate to the enrolled mobile device.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer readable medium as set forth in claim 8 further comprising send a simple certificate enrollment protocol uniform resource locator including the encrypted device key to the enrolled mobile device in response to a request for enrollment.
  - 10. The computer readable medium as set forth in claim 8, further comprises:
    - receive a request to access a web application or authenticate the enrolled mobile device with the forwarded signed device certificate from the enrolled mobile device;
      
      determine the received signed device certificate to be valid when the device key in the received signed device certificate is present in a list comprising authorized device keys; and
      
      provide access to the requested web application or authenticate the enrolled mobile device when the received signed device certificate is determined to be valid.
  - 11. The computer readable medium as set forth in claim 8, further comprising:
    - reject a subsequent secured simple certificate enrollment protocol enrollment in response to determining the encrypted device key is used for a second time.
  - 12. The computer readable medium as set forth in claim 8, wherein the instructions further comprise executable code which when executed by one or more processors, causes the processors to:
    - update the stored data to indicate the encrypted device key has been used in response to forwarding the received encrypted certificate signing request.

13. A mobile application manager apparatus, comprising memory comprising programmed instructions stored in the memory and one or more processors configured to be capable of executing the programmed instructions stored in the memory to:
- receive an encrypted certificate signing request and an encrypted device key from an enrolled mobile device, the encrypted certificate signing request and the encrypted device key being encrypted separately with different cryptographic keys;
  
  decrypt the received encrypted device key to generate a decrypted device key without decrypting the encrypted certificate signing request;
  
  forward the received encrypted certificate signing request to a simple certificate enrollment protocol server upon determining the decrypted device key is present in stored data and is being used only once;
  
  receive a signed device certificate from the simple certificate enrollment protocol server as a response to the forwarded encrypted certificate signing request; and
  
  complete a secured simple certificate enrollment protocol enrollment by forwarding the signed device certificate to the enrolled mobile device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus as set forth in claim 13, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to send a simple certificate enrollment protocol uniform resource locator including the encrypted device key to the enrolled mobile device in response to a request for enrollment.
  - 15. The apparatus as set forth in claim 13, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
    - receive a request to access a web application or authenticate the enrolled mobile device with the forwarded signed device certificate from the enrolled mobile device;
      
      determine the received signed device certificate to be valid when the device key in the received signed device certificate is present in a list comprising authorized device keys; and
      
      provide access to the requested web application or authenticate the enrolled mobile device when the received signed device certificate is determined to be valid.
  - 16. The apparatus as set forth in claim 13, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
    - reject a subsequent secured simple certificate enrollment protocol enrollment in response to determining the encrypted device key is used for a second time.
  - 17. The apparatus as set forth in claim 13, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
    - update the stored data to indicate the encrypted device key has been used in response to forwarding the received encrypted certificate signing request.

18. A network traffic management system, comprising one or more traffic management apparatuses, client devices, or server devices, the network traffic management system comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- receive an encrypted certificate signing request and an encrypted device key from an enrolled mobile device, the encrypted certificate signing request and the encrypted device key being encrypted separately with different cryptographic keys;
  
  decrypt the received encrypted device key to generate a decrypted device key without decrypting the encrypted certificate signing request;
  
  forward the received encrypted certificate signing request to a simple certificate enrollment protocol server upon determining the decrypted device key is present in stored data and is being used only once;
  
  receive a signed device certificate from the simple certificate enrollment protocol server as a response to the forwarded encrypted certificate signing request; and
  
  complete a secured simple certificate enrollment protocol enrollment by forwarding the signed device certificate to the enrolled mobile device.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The network traffic management system of claim 18, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to send a simple certificate enrollment protocol uniform resource locator including the encrypted device key to the enrolled mobile device in response to a request for enrollment.
  - 20. The network traffic management system of claim 18, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
    - receive a request to access a web application or authenticate the enrolled mobile device with the forwarded signed device certificate from the enrolled mobile device;
      
      determine the received signed device certificate to be valid when the device key in the received signed device certificate is present in a list comprising authorized device keys; and
      
      provide access to the requested web application or authenticate the enrolled mobile device when the received signed device certificate is determined to be valid.
  - 21. The network traffic management system of claim 18, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
    - reject a subsequent secured simple certificate enrollment protocol enrollment in response to determining the encrypted device key is used for a second time.
  - 22. The network traffic management system of claim 18, wherein the one or more processors are further configured to be capable of executing the programmed instructions stored in the memory to:
    - update the stored data to indicate the encrypted device key has been used in response to forwarding the received encrypted certificate signing request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Natarajan, Ravi, Lie, Wui Chung, Amdahl, Saxon, Treat, Nicholas
Primary Examiner(s)
Chen, Shin-Hon (Eric)
Assistant Examiner(s)
South, Jessica J

Application Number

US15/411,404
Time in Patent Office

1,355 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Methods for secured SCEP enrollment for client devices and devices thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

958 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for secured SCEP enrollment for client devices and devices thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

958 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links