Authenticating third-party programs for platforms

US 8,954,732 B1
Filed: 06/27/2012
Issued: 02/10/2015
Est. Priority Date: 06/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a platform device manufactured by a platform developer, a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy created by the first software development entity, wherein the first certificate is granted to the first software development entity by a certificate authority of the platform developer, wherein the first certificate comprises a root of the first certificate hierarchy, wherein the first certificate hierarchy conforms to a first hierarchical structure of entities within the first software development entity, and wherein the first software development entity is separate from the platform developer;

executing, by a control unit of the platform device, the first software package only after traversing the first certificate hierarchy to the root of the first certificate hierarchy and verifying that the root of the first certificate hierarchy corresponds to the certificate authority of the platform developer;

receiving, by the platform device, a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy created by the second software development entity, wherein the second certificate is granted to the second software development entity by the certificate authority of the platform developer and wherein the second certificate comprises a root of the second certificate hierarchy, wherein the second certificate hierarchy conforms to a second hierarchical structure of entities within the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, wherein the second software development entity is separate from the first software development entity, and wherein the second software development entity is separate from the platform developer; and

executing, by the control unit of the platform device, the second software package only after traversing the verifying certificate hierarchy to the root of the second certificate hierarchy and verifying that the root of the second certificate hierarchy corresponds to the certificate authority of the platform developer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a platform device includes a control unit configured to receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy associated with the first software development entity, execute the first software package only after determining that a root of the first certificate hierarchy corresponds to a certificate authority of a developer of the platform device, receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy associated with the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, and execute the second software package only after determining that a root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.

133 Citations

20 Claims

1. A method comprising:
- receiving, by a platform device manufactured by a platform developer, a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy created by the first software development entity, wherein the first certificate is granted to the first software development entity by a certificate authority of the platform developer, wherein the first certificate comprises a root of the first certificate hierarchy, wherein the first certificate hierarchy conforms to a first hierarchical structure of entities within the first software development entity, and wherein the first software development entity is separate from the platform developer;
  
  executing, by a control unit of the platform device, the first software package only after traversing the first certificate hierarchy to the root of the first certificate hierarchy and verifying that the root of the first certificate hierarchy corresponds to the certificate authority of the platform developer;
  
  receiving, by the platform device, a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy created by the second software development entity, wherein the second certificate is granted to the second software development entity by the certificate authority of the platform developer and wherein the second certificate comprises a root of the second certificate hierarchy, wherein the second certificate hierarchy conforms to a second hierarchical structure of entities within the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, wherein the second software development entity is separate from the first software development entity, and wherein the second software development entity is separate from the platform developer; and
  
  executing, by the control unit of the platform device, the second software package only after traversing the verifying certificate hierarchy to the root of the second certificate hierarchy and verifying that the root of the second certificate hierarchy corresponds to the certificate authority of the platform developer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1,wherein executing the first software package comprises executing the first software package only after determining that the root of the first certificate hierarchy corresponds to a certificate signed by the certificate authority of the developer of the platform device;
    - andwherein executing the second software package comprises executing the second software package only after determining that the root of the second certificate hierarchy corresponds to a certificate signed by the certificate authority of the developer of the platform device.
  - 3. The method of claim 2, further comprising:
    - wherein executing the first software package comprises executing the first software package only after determining that the certificate signed by the certificate authority was used to sign a subsequent certificate of the first certificate hierarchy; and
      
      wherein executing the second software package comprises executing the second software package only after determining that the certificate signed by the certificate authority was used to sign a subsequent certificate of the second certificate hierarchy.
  - 4. The method of claim 1, further comprising:
    - installing the first software package only after determining that the root of the first certificate hierarchy corresponds to the certificate authority of the developer of the platform device; and
      
      installing the second software package only after determining that the root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.
  - 5. The method of claim 1, further comprising:
    - deleting data associated with the first software package after determining that the root of the first certificate hierarchy does not correspond to the certificate authority of the developer of the platform device; and
      
      deleting data associated with the second software package after determining that the root of the second certificate hierarchy does not correspond to the certificate authority of the developer of the platform device.

6. A platform device manufactured by a platform developer, the platform device comprising a control unit configured to:
- receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy created by the first software development entity, wherein the first certificate is granted to the first software development entity by a certificate authority of the platform developer and wherein the first certificate comprises a root of the first certificate hierarchy, wherein the first certificate hierarchy conforms to a first hierarchical structure of entities within the first software development entity, and wherein the first software development entity is separate from the platform developer,execute the first software package only after traversing the first certificate hierarchy to the root of the first certificate hierarchy and verifying that the root of the first certificate hierarchy corresponds to the certificate authority of the platform developer,receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy created by the second software development entity, wherein the second certificate is granted to the second software development entity by the certificate authority of the platform developer and wherein the second certificate comprises a root of the second certificate hierarchy, wherein the second certificate hierarchy conforms to a second hierarchical structure of entities within the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, wherein the second software development entity is separate from the first software development entity, and wherein the second software development entity is separate from the platform developer, andexecute the second software package only after traversing the second certificate hierarchy to the root of the second certificate hierarchy and verifying that the root of the second certificate hierarchy corresponds to the certificate authority of the platform developer.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The platform device of claim 6, wherein the control unit is further configured to execute the first software package only after determining that the root of the first certificate hierarchy corresponds to a certificate signed by the certificate authority of the developer of the platform device, and execute the second software package only after determining that the root of the second certificate hierarchy corresponds to a certificate signed by the certificate authority of the developer of the platform device.
  - 8. The platform device of claim 7, wherein the control unit is further configured to execute the first software package only after determining that the certificate signed by the certificate authority was used to sign a subsequent certificate of the first certificate hierarchy, and execute the second software package only after determining that the certificate signed by the certificate authority was used to sign a subsequent certificate of the second certificate hierarchy.
  - 9. The platform device of claim 6, wherein the control unit is further configured to install the first software package only after determining that the root of the first certificate hierarchy corresponds to the certificate authority of the developer of the platform device, and install the second software package only after determining that the root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.
  - 10. The platform device of claim 6, wherein the control unit is further configured to delete data associated with the first software package after determining that the root of the first certificate hierarchy does not correspond to the certificate authority of the developer of the platform device, and delete data associated with the second software package after determining that the root of the second certificate hierarchy does not correspond to the certificate authority of the developer of the platform device.

11. A computer-readable storage medium comprising instructions that, when executed, cause a processor of a platform device manufactured by a platform developer to:
- receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy created by the first software development entity, wherein the first certificate is granted to the first software development entity by a certificate authority of the platform developer and wherein the first certificate comprises a root of the first certificate hierarchy, wherein the first certificate hierarchy conforms to a first hierarchical structure of entities within the first software development entity, and wherein the first software development entity is separate from the platform developer;
  
  execute the first software package only after traversing the first certificate hierarchy to the root of the first certificate hierarchy and verifying that the root of the first certificate hierarchy corresponds to the certificate authority of the platform developer;
  
  receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy created by the second software development entity, wherein the second certificate is granted to the second software development entity by the certificate authority of the platform developer and wherein the second certificate comprises a root of the second certificate hierarchy, wherein the second certificate hierarchy conforms to a second hierarchical structure of entities within the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, wherein the second software development entity is separate from the first software development entity, and wherein the second software development entity is separate from the platform developer; and
  
  execute the second software package only after traversing the second certificate hierarchy to the root of the second certificate hierarchy and verifying that the root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device, wherein the developer of the platform device is separate from the second software development entity.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-readable storage medium of claim 11, further comprising instructions that cause the processor to:
    - execute the first software package only after determining that the root of the first certificate hierarchy corresponds to a certificate signed by the certificate authority of the developer of the platform device; and
      
      execute the second software package only after determining that the root of the second certificate hierarchy corresponds to a certificate signed by the certificate authority of the developer of the platform device.
  - 13. The computer-readable storage medium of claim 12, further comprising instructions that cause the processor to:
    - execute the first software package only after determining that the certificate signed by the certificate authority was used to sign a subsequent certificate of the first certificate hierarchy; and
      
      execute the second software package only after determining that the certificate signed by the certificate authority was used to sign a subsequent certificate of the second certificate hierarchy.
  - 14. The computer-readable storage medium of claim 11, further comprising instructions that cause the processor to:
    - install the first software package only after determining that the root of the first certificate hierarchy corresponds to the certificate authority of the developer of the platform device; and
      
      install the second software package only after determining that the root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.
  - 15. The computer-readable storage medium of claim 11, further comprising instructions that cause the processor to:
    - delete data associated with the first software package after determining that the root of the first certificate hierarchy does not correspond to the certificate authority of the developer of the platform device; and
      
      delete data associated with the second software package after determining that the root of the second certificate hierarchy does not correspond to the certificate authority of the developer of the platform device.

16. A method comprising:
- receiving, by one or more hardware-based processors of a computing device of a software development entity, a certificate from a certificate authority associated with a developer of a platform device;
  
  constructing, by the one or more hardware-based processors using the certificate from the certificate authority, a certificate hierarchy including a plurality of hierarchically arranged certificates including, as a root of the certificate hierarchy, the certificate from the certificate authority associated with the developer of the platform device, wherein the certificate hierarchy conforms to a hierarchical structure of entities within the software development entity, and wherein the software development entity is separate from the developer of the platform device;
  
  after determining that a software package was developed for the platform device by one or more of the entities within the software development entity, signing, by the one or more hardware-based processors, data of the software package using the certificate from the certificate authority; and
  
  providing, by the one or more hardware-based processors, the signed software package and data for the certificate hierarchy to one or more platform devices of the platform device developed by the developer.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein constructing the certificate hierarchy comprises:
    - causing individual ones of the entities within the software development entity to construct individual public key and private key pairs; and
      
      signing certificate signing requests from the actors using a certificate of the certificate hierarchy to issue certificates authenticating the respective public key and private key pairs for the individual actors from whom the certificate signing requests are signed.
  - 18. The method of claim 17, further comprising:
    - issuing a certificate to a build server of the software development entity, wherein the certificate issued to the build server is signed by at least one other certificate of the certificate hierarchy;
      
      receiving, by the build server, data for the software package from one of the individual actors;
      
      incorporating the data for the software package with other data for the software package; and
      
      signing a version of the software package including the incorporated data using the certificate issued to the build server.
  - 19. The method of claim 16, wherein constructing the certificate hierarchy comprises:
    - signing certificates for department-level actors using the certificate received from the certificate authority associated with the developer of the platform device;
      
      signing certificates for actors within each department using the respective certificates of the department; and
      
      including the department-level actor certificates and the certificates for actors within each department in the certificate hierarchy.
  - 20. The method of claim 16,wherein the certificate hierarchy comprises a plurality of certificates each at a particular level of the hierarchy such that the certificate at the root of the hierarchy corresponds to level 1 and, for any level N of the hierarchy where N>
    - 1, a certificate at level N is signed by a certificate at level N−
      
      1, andwherein providing data for the certificate hierarchy comprises providing a signed certificate used to sign the software package and providing signed certificates along a path of the certificate hierarchy from the root of the certificate hierarchy to the signed certificate used to sign the software package.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Watsen, Kent A., Kolchinsky, Alex
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US13/534,268
Time in Patent Office

958 Days
Field of Search

713/157, 713/176, 726/1, 726/2, 726/17, 726/30, 717/164
US Class Current

713/157
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

H04L 63/0823   using certificates cryptogr...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3265   using certificate chains, t...

Authenticating third-party programs for platforms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

133 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating third-party programs for platforms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links