Apparatus and methods for protecting network resources

US 8,555,054 B2
Filed: 10/12/2009
Issued: 10/08/2013
Est. Priority Date: 10/12/2009
Status: Active Grant

First Claim

Patent Images

1. A method of protecting an organization'"'"'s network resources, comprising:

maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations;

maintaining a second root certificate of a second cryptographic infrastructure associated with the organization, wherein the second root certificate facilitates issuing other certificates associated with the organization to the organization'"'"'s authenticators;

issuing, to each of the organization'"'"'s authenticators, an initial intermediate CA certificate within the second cryptographic infrastructure, wherein a respective authenticator'"'"'s intermediate CA certificate is signed by the second root certificate, and wherein the respective authenticator is configured to provision devices for the organization using the corresponding intermediate CA certificate; and

responsive to the respective authenticator issuing to a new client computing device a client certificate which is signed by the corresponding initial intermediate CA certificate, issuing to the respective authenticator a replacement intermediate CA certificate which is signed by the second root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization'"'"'s network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.

14 Citations

View as Search Results

19 Claims

1. A method of protecting an organization'"'"'s network resources, comprising:
- maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations;
  
  maintaining a second root certificate of a second cryptographic infrastructure associated with the organization, wherein the second root certificate facilitates issuing other certificates associated with the organization to the organization'"'"'s authenticators;
  
  issuing, to each of the organization'"'"'s authenticators, an initial intermediate CA certificate within the second cryptographic infrastructure, wherein a respective authenticator'"'"'s intermediate CA certificate is signed by the second root certificate, and wherein the respective authenticator is configured to provision devices for the organization using the corresponding intermediate CA certificate; and
  
  responsive to the respective authenticator issuing to a new client computing device a client certificate which is signed by the corresponding initial intermediate CA certificate, issuing to the respective authenticator a replacement intermediate CA certificate which is signed by the second root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - issuing, to each client device enabler configured to provision a client computing device within the organization network, an initial client certificate within the first cryptographic infrastructure.
  - 3. The method of claim 2, further comprising:
    - after a given client device enabler is operated to provision a client computing device, issuing a replacement client certificate within the first cryptographic infrastructure to the given client device enabler.
  - 4. The method of claim 2, further comprising:
    - recording identifiers of authenticators and client device enablers authorized to operate in the organization network.
  - 5. The method of claim 4, further comprising:
    - disseminating the recorded identifiers to all authenticators operating in the organization network.
  - 6. The method of claim 1, further comprising:
    - recording identifiers of client computing devices authorized to access the organization network.
  - 7. The method of claim 6, further comprising:
    - disseminating the recorded identifiers to all authenticators operating in the organization network.
  - 8. The method of claim 7, wherein the identifiers comprise digital certificates issued to the client computing devices.
  - 9. The method of claim 7, wherein the identifiers comprise fingerprints of digital certificates issued to the client computing devices.
  - 10. The method of claim 1, wherein an authenticator is configured to:
    - authenticate a client device enabler prior to provisioning of a client computing device by the client device enabler.
  - 11. The method of claim 10, wherein an authenticator is further configured to:
    - authenticate the client computing device after said provisioning.
  - 12. The method of claim 1, further comprising:
    - issuing server certificates within the first cryptographic infrastructure to all authenticators operating in the organization network.

13. A non-transitory computer-readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of protecting an organization'"'"'s network resources, the method comprising:
- maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations;
  
  maintaining a second root certificate of a second cryptographic infrastructure associated with the organization, wherein the second root certificate facilitates issuing other certificates associated with the organization to the organization'"'"'s authenticators;
  
  issuing, to each of the organization'"'"'s authenticators, an initial intermediate CA certificate within the second cryptographic infrastructure, wherein a respective authenticator'"'"'s intermediate CA certificate is signed by the second root certificate, and wherein the respective authenticator is configured to provision devices for the organization using the corresponding intermediate CA certificate; and
  
  responsive to the respective authenticator issuing to a new client computing device a client certificate which is signed by the corresponding initial intermediate CA certificate, issuing to the respective authenticator a replacement intermediate CA certificate which is signed by the second root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The storage medium of claim 13, wherein the method further comprises:
    - issuing, to each client device enabler configured to provision a client computing device within the organization network, an initial client certificate within the first cryptographic infrastructure.
  - 15. The storage medium of claim 14, wherein the method further comprises:
    - after a given client device enabler is operated to provision a client computing device, issuing a replacement client certificate within the first cryptographic infrastructure to the given client device enabler.
  - 16. The storage medium of claim 14, wherein the method further comprises:
    - recording identifiers of authenticators and client device enablers authorized to operate in the organization network.
  - 17. The storage medium of claim 16, wherein the method further comprises:
    - disseminating the recorded identifiers to all authenticators operating in the organization network.
  - 18. The storage medium of claim 13, wherein the method further comprises:
    - recording identifiers of client computing devices authorized to access the organization network.
  - 19. The storage medium of claim 18, wherein the method further comprises:
    - disseminating the recorded identifiers to all authenticators operating in the organization network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PowerCloud Systems, Inc. (Comcast Corporation)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Kuo, Ted T., Wang, Li-Jen, Yang, Bo-chieh, Barber, Simon E. M., Smetters, Diana K., Abramowitz, Jeffrey D., Peiro, Andrea
Primary Examiner(s)
Gee, Jason

Application Number

US12/577,684
Publication Number

US 20110087882A1
Time in Patent Office

1,457 Days
Field of Search

713/156, 713/157
US Class Current

713/156
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 9/006   involving public key infras...

H04L 9/3263   involving certificates, e.g...

Apparatus and methods for protecting network resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and methods for protecting network resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links