Trust information delivery scheme for certificate validation

US 8,433,898 B2
Filed: 09/29/2011
Issued: 04/30/2013
Est. Priority Date: 06/11/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving a trust information object (TIO), wherein the TIO comprises a plurality of hash values and associated trust bits, wherein the plurality of hash values are generated from hashing a public key portion of a plurality of trust entity certificates and the associated trust bits for each hash value indicate a level of trust for an entity associated with the corresponding trust entity certificate;

attempting to load first data from a computing device;

receiving a plurality of unverified certificates from the computing device;

hashing a public key portion of each of the plurality of unverified certificates to generate a plurality of digests;

comparing each of the generated digests against the plurality of hash values found within the TIO to determine if each of the generated digests is found in the TIO; and

when each of the generated digests is found in the TIO and a first associated trust bit of each of the plurality of unverified certificates indicates that the computing device has a predetermined level of trust for an intended operation, loading the first data and executing a script from the first data related to the intended operation.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically.

210 Citations

20 Claims

1. A method comprising:
- receiving a trust information object (TIO), wherein the TIO comprises a plurality of hash values and associated trust bits, wherein the plurality of hash values are generated from hashing a public key portion of a plurality of trust entity certificates and the associated trust bits for each hash value indicate a level of trust for an entity associated with the corresponding trust entity certificate;
  
  attempting to load first data from a computing device;
  
  receiving a plurality of unverified certificates from the computing device;
  
  hashing a public key portion of each of the plurality of unverified certificates to generate a plurality of digests;
  
  comparing each of the generated digests against the plurality of hash values found within the TIO to determine if each of the generated digests is found in the TIO; and
  
  when each of the generated digests is found in the TIO and a first associated trust bit of each of the plurality of unverified certificates indicates that the computing device has a predetermined level of trust for an intended operation, loading the first data and executing a script from the first data related to the intended operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first data comprises a webpage.
  - 3. The method of claim 1, wherein the intended operation comprises an update of information stored in memory.
  - 4. The method of claim 1, further comprising:
    - when at least one of the plurality of unverified certificates indicates that the computing device does not have the predetermined level of trust for the intended operation, rejecting access to the first data.
  - 5. The method of claim 1, further comprising:
    - storing the TIO in a memory.
  - 6. The method of claim 1, further comprising:
    - periodically updating the TIO from a TIO provider at boot time.
  - 7. The method of claim 1, wherein the TIO is received via a Hypertext Transfer Protocol (HTTP) or other transmission channel.
  - 8. The method of claim 1, further comprising:
    - receiving a signing certificate along with the received TIO.
  - 9. The method of claim 1, wherein the TIO is received through a Hypertext Transfer Protocol (HTTP) channel over Secure Socket Layer (SSL).
  - 10. The method of claim 1, wherein the TIO further comprisesa value indicating a number of signatures required for a next update;
    - a timestamp of when the TIO was created; and
      
      a digital signature of all information including the plurality of hash values, the associated trust bits, the number of signatures, and the timestamp included in the TIO.

11. An apparatus comprising:
- a first computing device comprising a memory, wherein the first computing device is configured to;
  
  connect to a second computing device, via an unsecure transmission channel, to update an old trust information object (TIO) stored in the memory with a new TIO, the old TIO and new TIO each comprising;
  
  a plurality of hash values and a plurality of trust bit vectors, wherein the plurality of hash values represent hashes generated from a public key portion of a plurality of trust entity certificates and the plurality of trust bit vectors indicate a level of trust associated with each of a plurality of entities associated with the plurality of trust entity certificates;
  
  hash a public key portion of a signing certificate certifying the second computing device to generate a first hash value;
  
  perform a first check to ensure that the generated first hash value matches a verified hash value from the plurality of hash values in the old TIO;
  
  perform a second check to ensure that a predetermined trust bit within one of the plurality of trust bit vectors in the old TIO indicates that a level of trust associated with the second computing device is adequate;
  
  perform a third check to ensure that a first timestamp associated with the new TIO is later than a second timestamp associated with the old TIO; and
  
  when the first, second, and third checks pass, overwrite the old TIO with the new TIO within the memory.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein the signing certificate is received through a secure transmission channel that comprises a Secure Socket Layer (SSL) channel.
  - 13. The apparatus of claim 11, wherein the old TIO and the new TIO each further comprise:
    - a value indicating a number of signatures required for a next update.
  - 14. The apparatus of claim 11, wherein the signing certificate is received from one of a certificate authority, software provider, and a content provider.
  - 15. The apparatus of claim 11, wherein the hash is performed via an MD5 or SHA-1 algorithm.
  - 16. The apparatus of claim 11, wherein the old and the new TIO conform to the PKCS#7 standard.

17. A method comprising:
- receiving a trust information object (TIO), said TIO comprising;
  
  a plurality of hash values, wherein the plurality of hash values represent hashes generated from a public key portion of a plurality of trust entity certificates, said TIO further comprising associated trust information of the plurality of trust entity certificates, said associated trust information indicating a level of trust for each of trusted entities associated with each of said plurality of trust entity certificates;
  
  receiving a certificate chain that comprises a plurality of unverified certificates from a server, wherein the plurality of unverified certificates includes a first unverified root certificate of a certificate authority issuing the plurality of unverified certificates;
  
  hashing the first unverified root certificate to generate a digest;
  
  comparing the resulting digest against the plurality of hash values obtained from said TIO;
  
  when the resulting digest and a first corresponding trust bit of the first unverified root certificate are found in said TIO, thereby producing a first match;
  
  validating said certificate chain; and
  
  having a session with the server.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the receiving the certificate chain occurs during a Secure Socket Layer (SSL) handshake with the server.
  - 19. The method of claim 17, wherein each of the plurality of trust entity certificates in the TIO are pre-verified certificates.
  - 20. The method of claim 17, wherein the server comprises a web server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Comcast Cable Communications Management LLC (Comcast Corporation)
Original Assignee
TVWorks LLC (Comcast Corporation)
Inventors
Xiao, Sihai
Primary Examiner(s)
Zee, Edward

Application Number

US13/248,744
Publication Number

US 20120023328A1
Time in Patent Office

579 Days
Field of Search

713155-158, 713/150, 713/176, 713/177
US Class Current

713/157
CPC Class Codes

G06F 21/33   using certificates

G06F 21/604   Tools and structures for ma...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2151   Time stamp

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0823   using certificates cryptogr...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

Trust information delivery scheme for certificate validation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

210 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Trust information delivery scheme for certificate validation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

210 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others