Using authentication certificates for authorization

US 20030188156A1
Filed: 03/27/2002
Published: 10/02/2003
Est. Priority Date: 03/27/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an authentication certificate from a peer requesting a secure connection to an application, the authentication certificate including a certificate chain having at least one certificate; and

using the authentication certificate to authorize the peer to the application by accessing a peer authorized certificates store (PACS) that stores authorized certificates.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment of the invention is a method to use authentication certificates to authorize peers to particular applications. In addition to using authentication certificates to authenticate the identity and trustworthiness of a peer, authentication certificates are additionally used to authorize peers to particular applications. A list of certificates is maintained in a Peer Authorized Certificate Store (PACS), where the certificates may comprise any combination of root certificates, intermediate certificates, and peer certificates. When an authentication certificate is received from a peer, the peer is authenticated using the authentication certificate; and authorized by checking the authentication certificate against a Peer Authorized Certificate Store (PACS).

90 Citations

View as Search Results

30 Claims

1. A method comprising:
- receiving an authentication certificate from a peer requesting a secure connection to an application, the authentication certificate including a certificate chain having at least one certificate; and
  
  using the authentication certificate to authorize the peer to the application by accessing a peer authorized certificates store (PACS) that stores authorized certificates.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the authentication certificate comprises an SSL (Secure Sockets Layer) digital certificate.
  - 3. The method of claim 1, wherein said accessing a PACS to determine authorization comprises determining if any certificate in the certificate chain exists in the PACS, and for a given certificate that exists in the PACS, determining if the given certificate is authorized to the application, and if at least one of the certificates in the certificate chain exists in the PACS and indicates authorization for the application, then authorizing the peer to the application.

4. A method comprising:
- receiving an authentication certificate from a peer requesting a secure connection to an application, the authentication certificate including a certificate chain that includes at least a root certificate; and
  
  using the authentication certificate to authenticate the peer;
  
  using the authentication certificate to authorize the peer to the application by accessing a peer authorized certificates store (PACS) that stores authorized certificates.
- View Dependent Claims (5, 6)
- - 5. The method of claim 4, wherein said using the authentication certificate to authenticate the peer comprises verifying each certificate signature in the certificate chain and determining if the root certificate exists in a Trusted Root Certification Authorities Store (TRCAS), and if each signature is verified, and the root certificate exists in the TRCAS, then authenticating the peer to establish the secure connection to the application.
  - 6. The method of claim 5, wherein said using the authentication certificate to authorize the peer comprises comparing the certificates in the certificate chain of the authentication certificate to the authorized certificates in the peer authorized certificates store (PACS), and if at least one of the certificates in the certificate chain exists in the PACS and indicates authorization for the application, then authorizing the peer to the application.

7. A machine-readable medium having stored thereon data representing sequences of instructions, the sequences of instructions which, when executed by a processor, cause the processor to perform the following:
- determine if a peer is authentic by authenticating an authentication certificate sent by the peer, the authentication certificate including at least a root certificate in a certificate chain; and
  
  determine if the peer is authorized to an application requested by the peer by using a peer authorized certificate store (PACS).
- View Dependent Claims (8, 9)
- - 8. The machine-readable medium of claim 7, the processor to additionally:
    - authenticate the peer if each signature in the certificate chain is verified, and if the root certificate exists in the TRCAS; and
      
      authorize the peer to the application if any certificate in the certificate chain exists in the PACS and indicates authorization for the application.
  - 9. The machine-readable medium of claim 7, wherein the certificate chain comprises the root certificate and a peer certificate, and the peer is authorized if either one of the root certificate and the peer certificate exists in the PACS and is authorized for the particular application.

10. An apparatus comprising:
- a receiver to receive on a first peer an authentication certificate from a second peer, the authentication certificate having a chain of certificates including at least one certificate, and the authentication certificate associated with a request for a secure connection to an application;
  
  a checker to determine if any certificate in the chain of certificates exists in a peer authorized certification authorities store (PACS), and if at least one certificate exists in the PACS, the checker to additionally determine if the PACS indicates the at least one certificate is authorized to the application; and
  
  a validator to authorize the second peer to the application if at least one certificate in the chain of certificates exists in the PACS, and is authorized for the application.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the chain of certificates comprises at least one root certificate, and the checker determines if any certificate in the chain of certificates exists in the PACS and indicates authorization to the application by determining if the root certificate exists in the PACS and indicates authorization to the application.
  - 12. The apparatus of claim 11, wherein the chain of certificates additionally comprises at least one intermediate certificate, and the checker determines if any certificate in the chain of certificates exists in the PACS and indicates authorization to the application by determining if any of the intermediate certificates exist in the PACS and indicate authorization to the application.
  - 13. The apparatus of claim 12, wherein the checker determines if any of the intermediate certificate exists in the PACS if the root certificate does not exist in the PACS.
  - 14. The apparatus of claim 13, wherein the chain of certificates additionally comprises a peer certificate, and the checker determines if any certificate in the chain of certificates exists in the PACS and indicates authorization to the application by determining if the peer certificate exists in the PACS and indicates authorization to the application.
  - 15. The apparatus of claim 14, wherein the checker determines if the peer certificate exists in the PACS if none of the intermediate certificates exist in the PACS.

16. An apparatus comprising:
- means for receiving on a first peer an authentication certificate from a second peer, the authentication certificate having a chain of certificates including at least one certificate, and the authentication certificate associated with a request for a secure connection to an application;
  
  means for determining if any certificate in the chain of certificates exists in a peer authorized certification authorities store (PACS), and if at least one certificate exists in the PACS, the checker to additionally determine if the PACS indicates the at least one certificate is authorized to the application; and
  
  means for authorizing the second peer to the application if the peer distinguished name exists on the PACS, and is authorized to the application.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus of claim 16, wherein the chain of certificates comprises at least one root certificate, and the means for determining if any certificate in the chain of certificates exists in the PACS and indicates authorization to the application comprises means for determining if the root certificate exists in the PACS and indicates authorization to the application.
  - 18. The apparatus of claim 17, wherein the chain of certificates additionally comprises at least one intermediate certificate, and the means for determining if any certificate in the chain of certificates exists in the PACS and indicates authorization to the application comprises means for determining if any of the intermediate certificates exist in the PACS and indicate authorization to the application.
  - 19. The apparatus of claim 18, wherein the chain of certificates additionally comprises a peer certificate, and the means for determining if any certificate in the chain of certificates exists in the PACS and indicates authorization to the application comprises means for determining if the peer certificate exists in the PACS and indicates authorization to the application.

20. A system comprising:
- a receiver to receive an authentication certificate having a certificate chain including at least one certificate that is a root certificate;
  
  an authenticator to determine if a peer is authentic; and
  
  an authorizer to determine if a peer is authorized to a given application on the system by determining if any certificate in the certificate chain exists in a peer authorized certification authorities store (PACS) and indicates authorization to the application.
- View Dependent Claims (21, 22)
- - 21. The system of claim 20, wherein the authenticator determines if the peer is authentic by:
    - verifying each certificate signature in the certificate chain; and
      
      determining if the root certificate exists in a trusted root certification authorities store (TRCAS).
  - 22. The system of claim 20, wherein the authentication certificate comprises an SSL (Secure Sockets Layer) digital certificate.

23. A system comprising:
- a second peer in a network of systems to send an authentication certificate to a first peer, the authentication certificate having a certificate chain that includes at least one certificate that is a root certificate; and
  
  in response to the second peer sending the authentication certificate, the first peer to determine if the second peer is authorized to an application on a system corresponding to the first peer by determining if any certificate in the certificate chain exists in a peer authorized certification authorities store (PACS) and indicates authorization for the application.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23, additionally comprising the first peer to:
    - authorize the first peer to the application if any of the certificates in the certificate chain exist in the PACS, and is authorized to the application.
  - 25. The system of claim 24, the first peer to additionally determine if the second peer is authentic.
  - 26. The system of claim 25, the first peer to determine if the second peer is authentic by determining:
    - if each certificate signature in the certificate chain can be verified; and
      
      if the root certificate exists in a trusted root certification authorities store (TRCAS).

27. An apparatus comprising:
- at least one processor; and
  
  a machine-readable medium having instructions encoded thereon, which when executed by the processor, are capable of directing the processor to;
  
  determine if a peer is authentic by authenticating an authentication certificate sent by the peer, the authentication certificate including at least a root certificate in a certificate chain; and
  
  determine if the peer is authorized to an application requested by the peer by using a peer authorized certificate store (PACS).
- View Dependent Claims (28, 29, 30)
- - 28. The apparatus of claim 27, wherein the code causes the processor to authenticate the peer by verifying each signature in the certificate chain and finding the root certificate in a trusted root certification authorities store (TRCAS).
  - 29. The apparatus of claim 27, wherein the code causes the processor to authorize the peer by determining that at least one certificate in the certificate chain exists in a PACS.
  - 30. The apparatus of claim 27, wherein the authentication certificate comprises an SSL (Secure Sockets Layer) digital certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Brickell, Ernie F., Eckardt, Donald J., Yasala, Raju

Granted Patent

US 7,130,999 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 9/3265   using certificate chains, t...

H04L 9/3271   using challenge-response

Using authentication certificates for authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

90 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Using authentication certificates for authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others