USRE48821EActiveUtility

Apparatus and methods for protecting network resources

39
Assignee: POWERCLOUD SYSTEMS INCPriority: Oct 12, 2009Filed: Oct 7, 2015Granted: Nov 16, 2021
Est. expiryOct 12, 2029(~3.3 yrs left)· nominal 20-yr term from priority
H04L 9/006H04L 9/3263G06F 21/57H04L 63/0823H04L 2209/80
39
PatentIndex Score
0
Cited by
62
References
60
Claims

Abstract

Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization's network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of protecting an organization's network resources of an organization, comprising:
 maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations; 
 maintaining, by an authentication server, a second first root certificate of a second first cryptographic infrastructure associated with the organization, wherein the second first root certificate facilitates issuing other certificates associated with the organization to the organization's a plurality of authenticators associated with the organization; 
 issuing, to each of the organization's plurality of authenticators, an initial intermediate CA certificate authority (CA) certificate within the second first cryptographic infrastructure, wherein a respective authenticator's each intermediate CA certificate is signed by the second first root certificate, and wherein the each respective authenticator, in the plurality of authenticators, is configured to provision devices for the organization using the corresponding an intermediate CA certificate corresponding to the respective authenticator; and 
 responsive to the respective determining that a first authenticatorissuing, in the plurality of authenticators, issued a client certificate to a new client computing device a to provision the new client computing device, wherein the client certificate which is signed by the corresponding initial intermediate CA certificate, corresponding to the first authenticator; and 
 after the first authenticator provisions the new client computing device, and in response to determining that the first authenticator issued the client certificate to the new client computing device, issuingto the respective authenticator, to the first authenticator, a replacement intermediate CA certificate which that is signed by the second first root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate. 
 
     
     
       2. The method of  claim 1 , further comprising:
 maintaining, by the authentication server, a second root certificate of a second cryptographic infrastructure associated with a plurality of organizations; and  
 issuing, to each of one or more client device enabler enablers configured to provision a client computing device devices within the an organization network utilized by the organization, an initial client certificate within the first second cryptographic infrastructure. 
 
     
     
       3. The method of  claim 2 , further comprising:
 after a givenissuing, to a first client device enabler is operated to provisionin the one or more client device enablers and based on determining that the first client device enabler provisioned a first client computing device, issuing a replacement client certificate within the first second cryptographic infrastructureto the given client device enabler. 
 
     
     
       4. The method of  claim 2 , further comprising:
 recording identifiers of the plurality of authenticators and the one or more client device enablers authorized to operate in the organization network. 
 
     
     
       5. The method of  claim 4 , further comprising:
 disseminating the recorded identifiers to all authenticators operating in the organization network. 
 
     
     
       6. The method of  claim 1 , further comprising:
 recording identifiers of client computing devices authorized to access the an organization network utilized by the organization. 
 
     
     
       7. The method of  claim 6 , further comprising:
 disseminating the recorded identifiers to all authenticators operating in the organization network. 
 
     
     
       8. The method of  claim 7 , wherein the identifiers comprise digital certificates issued to the client computing devices. 
     
     
       9. The method of  claim 7 , wherein the identifiers comprise fingerprints of digital certificates issued to the client computing devices. 
     
     
       10. The method of  claim 1 , wherein an the first authenticator is configured to:
 authenticate a client device enablerprior to provisioning of, wherein the client device enabler is configured to provision a first client computing deviceby the client device enabler. 
 
     
     
       11. The method of  claim 10 , wherein an the first authenticator is further configured to:
 authenticate, based on determining that the first client computing device has been provisioned, the first client computing deviceafter said provisioning. 
 
     
     
       12. The method of claim  1  2, further comprising:
 issuing, to the plurality of authenticators, server certificates within the first second cryptographic infrastructureto all authenticators operating in the organization network. 
 
     
     
       13. A non-transitory computer-readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of protecting an organization's network resources of an organization, the method comprising:
 maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations; 
 maintaining a second first root certificate of a second first cryptographic infrastructure associated with the organization, wherein the second first root certificate facilitates issuing other certificates associated with the organization to the organization's a plurality of authenticators associated with the organization; 
 issuing, to each of the organization's plurality of authenticators, an initial intermediate CA certificate authority (CA) certificate within the second first cryptographic infrastructure, wherein a respective authenticator's each intermediate CA certificate is signed by the second first root certificate, and wherein the each respective authenticator, in the plurality of authenticators, is configured to provision devices for the organization using the corresponding an intermediate CA certificate corresponding to the respective authenticator; and 
 responsive to the respective determining that a first authenticatorissuing, in the plurality of authenticators, issued a client certificate to a new client computing device a to provision the new client computing device, wherein the client certificate which is signed by the corresponding initial intermediate CA certificate, corresponding to the first authenticator; and 
 after the first authenticator provisions the new client computing device, and in response to determining that the first authenticator issued the client certificate to the new client computing device, issuingto the respective authenticator, to the first authenticator, a replacement intermediate CA certificate which that is signed by the second first root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate. 
 
     
     
       14. The storage medium of  claim 13 , wherein the method further comprises:
 maintaining, by an authentication server, a second root certificate of a second cryptographic infrastructure associated with a plurality of organizations; and  
 issuing, to each of one or more client device enabler enablers configured to provision a client computing device devices within the an organization network utilized by the organization, an initial client certificate within the first second cryptographic infrastructure. 
 
     
     
       15. The storage medium of  claim 14 , wherein the method further comprises:
 after a given client device enabler is operated to provision a client computing device,first issuing, based on determining that a first client device enabler, in the one or more client device enablers, provisioned a first computing device and to the first client device enabler, a replacement client certificate within the firstsecond cryptographic infrastructureto the given client device enabler. 
 
     
     
       16. The storage medium of  claim 14 , wherein the method further comprises:
 recording identifiers of authenticators and client device enablers authorized to operate in the organization network. 
 
     
     
       17. The storage medium of  claim 16 , wherein the method further comprises:
 disseminating the recorded identifiers to all authenticators operating in the organization network. 
 
     
     
       18. The storage medium of  claim 13 , wherein the method further comprises:
 recording identifiers of client computing devices authorized to access the an organization network utilized by the organization. 
 
     
     
       19. The storage medium of  claim 18 , wherein the method further comprises:
 disseminating the recorded identifiers to all authenticators operating in the organization network. 
 
     
     
       20. The storage medium of claim 14, wherein the method further comprises:
 issuing server certificates within the second cryptographic infrastructure to all authenticators operating in an organization network utilized by the organization.   
     
     
       21. A method comprising:
 maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with an organization, wherein the first root certificate facilitates issuing other certificates associated with the organization to a plurality of authenticators associated with the organization;   issuing, to an authenticator in the plurality of authenticators associated with the organization, an initial intermediate certificate authority (CA) certificate within the first cryptographic infrastructure and signed by the first root certificate, wherein the authenticator is configured to provision devices for the organization using the initial intermediate CA certificate;   receiving, based on the authenticator issuing, to a new client computing device, a new client certificate that is signed by the initial intermediate CA certificate to provision the new client computing device, a request for a replacement intermediate CA certificate; and   after the authenticator provisions the new client computing device, and in response to determining that the authenticator issued the new client certificate to the new client computing device, issuing, to the authenticator, a replacement intermediate CA certificate that is signed by the first root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.   
     
     
       22. The method of claim 21, further comprising:
 maintaining, by the authentication server, a second root certificate of a second cryptographic infrastructure associated with a plurality of organizations.   
     
     
       23. The method of claim 22, further comprising:
 issuing server certificates within the second cryptographic infrastructure to all authenticators operating in an organization network utilized by the organization.   
     
     
       24. The method of claim 22, further comprising:
 issuing, to a client device enabler associated with the organization, an initial client certificate within the second cryptographic infrastructure, wherein the client device enabler is configured to provision client computing devices within the organization;   receiving, based on the client device enabler provisioning a first client computing device using the initial client certificate, a request for a replacement client certificate; and   issuing, based on the request for the replacement client certificate, the client device enabler a replacement client certificate within the second cryptographic infrastructure, wherein the replacement client certificate replaces the initial client certificate.   
     
     
       25. The method of claim 24, wherein the authenticator is configured to:
 authenticate the client device enabler, wherein the client device enabler is configured to provision the first client computing device.   
     
     
       26. The method of claim 25, wherein the authenticator is further configured to:
 authenticate, based on determining that the first client computing device has been provisioned, the first client computing device.   
     
     
       27. The method of claim 24, further comprising:
 recording identifiers of a plurality of authenticators and a plurality of client device enablers authorized to operate in an organization network utilized by the organization.   
     
     
       28. The method of claim 27, further comprising:
 disseminating the recorded identifiers to the plurality of authenticators operating in the organization network.   
     
     
       29. The method of claim 24, wherein the client device enabler is a removable storage medium. 
     
     
       30. The method of claim 21, further comprising:
 recording identifiers of a plurality of client computing devices authorized to access an organization network utilized by the organization.   
     
     
       31. The method of claim 30, further comprising:
 disseminating the recorded identifiers to a plurality of authenticators operating in the organization network.   
     
     
       32. The method of claim 30, wherein the identifiers comprise digital certificates issued to individual client computing devices of the plurality of client computing devices. 
     
     
       33. The method of claim 30, wherein the identifiers comprise fingerprints of digital certificates issued to individual client computing devices of the plurality of client computing devices. 
     
     
       34. The method of claim 21, wherein each of the plurality of authenticators is issued an initial intermediate CA certificate within the first cryptographic infrastructure. 
     
     
       35. The method of claim 21, wherein the initial intermediate CA certificate has a limited number of uses. 
     
     
       36. The method of claim 21, further comprising:
 maintaining a whitelist of valid intermediate CA certificates associated with each authenticator within an organization network utilized by the organization.   
     
     
       37. The method of claim 36, further comprising:
 updating the whitelist to include the replacement intermediate CA certificate.   
     
     
       38. The method of claim 36, further comprising:
 removing one or more intermediate CA certificates associated with the authenticator based on determining that the authenticator has been compromised.   
     
     
       39. The method of claim 21, wherein the authenticator is an access point in an organization network utilized by the organization. 
     
     
       40. The method of claim 21, wherein the replacement intermediate CA certificate comprises an updated counter value different from a counter value of the initial intermediate CA certificate. 
     
     
       41. A method comprising:
 receiving, by an authenticator, an initial intermediate certificate authority (CA) certificate within a first cryptographic infrastructure associated with an organization, wherein the initial intermediate CA certificate is signed by a first root certificate within the first cryptographic infrastructure, wherein the first root certificate facilitates issuing other certificates associated with the organization to a plurality of authenticators associated with the organization, and wherein the authenticator is configured to provision, using the initial intermediate CA certificate, devices for the organization;   issuing a new client certificate to a client computing device to provision the client computing device, wherein the new client certificate is signed by the initial intermediate CA certificate;   after provisioning the client computing device, and in response to issuing the new client certificate to the client computing device, sending, to an authentication server that maintains the first root certificate, a request for a replacement intermediate CA certificate; and   receiving, based on the request, a replacement intermediate CA certificate that is signed by the first root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.   
     
     
       42. The method of claim 41, further comprising:
 receiving, by the authenticator, a server certificate within a second cryptographic infrastructure, wherein the server certificate is signed by a second root certificate maintained by the authentication server.   
     
     
       43. The method of claim 42, further comprising:
 authenticating, by the authenticator, a client device enabler operating on an organization network utilized by the organization, wherein the client device enabler is configured to provision the client computing device.   
     
     
       44. The method of claim 43, wherein the authenticator authenticates the client device enabler using one or more certificates issued within the second cryptographic infrastructure. 
     
     
       45. The method of claim 43, wherein the authenticator authenticates the client computing device after the client computing device has been provisioned by the client device enabler. 
     
     
       46. The method of claim 42, further comprising:
 receiving a whitelist comprising identifiers associated with a plurality of authenticators operating in an organization network utilized by the organization.   
     
     
       47. The method of claim 42, further comprising:
 receiving a whitelist comprising identifiers associated with a plurality of client computing devices operating in an organization network utilized by the organization.   
     
     
       48. The method of claim 42, further comprising:
 receiving a whitelist comprising identifiers associated with a plurality of client device enablers operating in an organization network utilized by the organization.   
     
     
       49. The method of claim 41, wherein the initial intermediate CA certificate has a limited number of uses. 
     
     
       50. The method of claim 41, wherein the authenticator is an access point in an organization network utilized by the organization. 
     
     
       51. A method comprising:
 maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations, wherein the first root certificate facilitates issuing other certificates associated with the plurality of organizations to a plurality of authenticators associated with the plurality of organizations;   issuing, to a client device enabler associated with an organization of the plurality of organizations, an initial client certificate within the first cryptographic infrastructure, wherein the initial client certificate is signed by the first root certificate, and wherein the client device enabler is configured to provision client computing devices within an organization network utilized by the organization;   determining that an authenticator of the organization authenticated the client device enabler after provisioning, by the client device enabler and using the initial client certificate, of a first client computing device; and   after the client device enabler provisions the first client computing device, and in response to determining that the client device enabler used the initial client certificate to provision the first client computing device, receiving, from the client device enabler, a request for a replacement client certificate; and   issuing, to the client device enabler and based on the request, a replacement client certificate signed by the first root certificate, wherein the replacement client certificate replaces the initial client certificate.   
     
     
       52. The method of claim 51, wherein the client device enabler has a limited number of allowed uses. 
     
     
       53. The method of claim 52, further comprising:
 tracking, by the authentication server, a number of uses of the client device enabler; and   adding the client device enabler to a blacklist based on determining that the tracked number of uses exceeds the limited number of allowed uses.   
     
     
       54. The method of claim 51, wherein the client device enabler is configured to provision the first client computing device by configuring a network connection and security parameters of the first client computing device. 
     
     
       55. The method of claim 51, wherein the client device enabler is a removable storage medium. 
     
     
       56. A method comprising:
 receiving, by a client device enabler associated with an organization, an initial client certificate within a first cryptographic infrastructure, wherein the initial client certificate is signed by a first root certificate within the first cryptographic infrastructure, and wherein the first root certificate facilitates issuing other certificates associated with the organization;   provisioning, using the initial client certificate, a client computing device within an organization network utilized by the organization;   after the client device enabler provisions the client computing device, and in response to determining that the client device enabler used the initial client certificate to provision the client computing device, sending, to an authentication server, a request for a replacement client certificate; and   receiving, based on the request, a replacement client certificate that is signed by the first root certificate, wherein the replacement client certificate replaces the initial client certificate.   
     
     
       57. The method of claim 56, further comprising:
 receiving, based on sending the request for the replacement client certificate, a request for authentication; and   authenticating, by the client device enabler, using the initial client certificate.   
     
     
       58. The method of claim 56, wherein the client device enabler has a limited number of allowed uses. 
     
     
       59. The method of claim 56, wherein the client device enabler is a removable storage medium. 
     
     
       60. The method of claim 56, wherein the client device enabler is configured to provision the client computing device by configuring a network connection and security parameters of the client computing device.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.