Using domain name system for verifying integrity of application packages

US10447482B2 · US · B2

Patent metadata
Publication number: US-10447482-B2
Application number: US-201715605109-A
Country: US
Kind code: B2
Filing date: May 25, 2017
Priority date: May 25, 2017
Publication date: Oct 15, 2019
Grant date: Oct 15, 2019

Abstract

Official abstract text for this publication.

An example method includes obtaining a first public key associated with a private key of an application vendor of an application package signed with the private key. The first public key includes metadata including an identifier of the first public key. The method also includes transforming, via a processing device, the identifier into a Domain Name System (DNS) name, sending the DNS name to a DNS server to determine that the DNS name corresponds to a trustworthy source, in response to receiving, from the DNS server, a second public key associated with the DNS name in a DNS data store, confirming that the DNS name corresponds to the trustworthy source, and determining whether the second public key matches the first public key to verify whether the first public key and the associated private key used to sign the application package are authentic.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: obtaining a first public key associated with a private key of an application vendor of an application package signed with the private key, wherein the first public key comprises metadata including an identifier of the first public key; transforming, via a processing device, the identifier into a Domain Name System (DNS) name, wherein the transforming the identifier into the DNS name comprises mapping the first public key to the DNS name by replacing a first symbol of the first public key with a second symbol to form the DNS name; sending the DNS name to a DNS server to determine that the DNS name corresponds to a trustworthy source, wherein the DNS server stores a second public key associated with the DNS name in a DNS data store, the second public key and associated DNS name being received from a server as DNS metadata associated with the application package prior to publication of the application package; and in response to receiving, from the DNS server, the second public key associated with the DNS name in the DNS data store, confirming whether the DNS name corresponds to the trustworthy source by determining whether the second public key matches the first public key to verify whether the first public key and the associated private key used to sign the application package are authentic.

2. The method of claim 1, further comprising determining whether the first public key matches a signature of the application package to verify that the application package was signed by the private key associated with the first public key.

3. The method of claim 1, wherein confirming that the DNS name corresponds to the trustworthy source comprises verifying that the second public key was not tampered with in transit from the DNS server by verifying that the second public key is secure according to standards of a cryptographic mechanism that provides a chain of trust and verifies authenticity of DNS responses using the chain of trust.

4. The method of claim 1, further comprising, in response to a determination that the second public key matches the first public key and verification that the first public key and the associated private key used to sign the application package are authentic, displaying a notification indicating that the application package is signed with the private key and the first public key was not modified in transit with the application package.

5. The method of claim 1, further comprising, in response to a determination that the second public key does not match the first public key, determining that the first public key and the associated private key used to sign the application package are not authentic and displaying a notification indicating that the first public key is not trusted.

6. The method of claim 1, further comprising, in response to receiving, from the DNS server, a full revocation record in metadata included with the second public key associated with the DNS name in the DNS data store, discarding any application packages signed with the private key associated with the first public key that are obtained during an application update process.

7. The method of claim 1, further comprising, in response to receiving, from the DNS server, a partial revocation record in metadata included with the second public key associated with the DNS name in the DNS data store, determining whether a first application signature included with the partial revocation record matches a second application signature of the application package to identify that the application package is not authentic.

8. The method of claim 7, wherein the second application signature of the application package is determined by hashing the application package.

9. A system, comprising: a memory; and a processing device operatively coupled to the memory, the processing device to: obtain a first public key associated with a private key of an application vendor of an application package signed with the private key, wherein the first public key comprises metadata including an identifier of the first public key; transform the identifier into a Domain Name System (DNS) name, wherein, to transform the identifier, the processing device is to map the first public key to the DNS name by replacing a first symbol of the first public key with a second symbol to form the DNS name; send the DNS name to a DNS server to determine that the DNS name corresponds to a trustworthy source, wherein the DNS server stores a second public key associated with the DNS name in a DNS data store, the second public key and associated DNS name being received from a server as DNS metadata associated with the application package prior to publication of the application package; and in response to receiving, from the DNS server, the second public key associated with the DNS name in the DNS data store, confirm whether the DNS name corresponds to the trustworthy source by determining whether the second public key matches the first public key to verify whether the first public key and the associated private key used to sign the application package are authentic.

10. The system of claim 9, wherein the processing device is further to determine whether the first public key matches a signature of the application package to verify that the application package was signed by the private key associated with the first public key.

11. The system of claim 9, wherein the processing device is further to verify that the second public key was not tampered with in transit from the DNS server by verifying that the second public key is secure according to standards of a cryptographic mechanism that provides a chain of trust and verifies authenticity of DNS responses using the chain of trust.

12. A non-transitory machine-readable storage medium storing instructions that cause a processing device to: obtain a first public key associated with a private key of an application vendor of an application package signed with the private key, wherein the first public key comprises metadata including an identifier of the first public key; transform the identifier into a Domain Name System (DNS) name, wherein to transform the identifier, the processing device is to map the first public key to the DNS name by replacing a first symbol of the first public key with a second symbol to form the DNS name; send the DNS name to a DNS server to determine that the DNS name corresponds to a trustworthy source, wherein the DNS server stores a second public key associated with the DNS name in a DNS data store, the second public key and associated DNS name being received from a server as DNS metadata associated with the application package prior to publication of the application package; and in response to receiving, from the DNS server, the second public key associated with the DNS name in the DNS data store, confirm whether the DNS name corresponds to the trustworthy source by determining whether the second public key matches the first public key to verify whether the first public key and the associated private key used to sign the application package are authentic.

13. The non-transitory machine-readable storage medium of claim 12, wherein, to confirm that the DNS name corresponds to the trustworthy source, the instructions cause the processing device to verify that the second public key was not tampered with in transit from the DNS server by verifying that the second public key is secure according to standards of a cryptographic mechanism that provides a chain of trust and verifies authenticity of DNS responses using the chain of trust.

14. The non-transitory machine-readable storage medi
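
The check described in the abstract and claims above, as an added Python sketch (not code from the patent or its assignee). Assumptions: the identifier is email-style and the replaced symbol is `@` (becoming `.`), the DNS data store is a constructed in-memory dict with hypothetical field names, chain-of-trust validation (for example DNSSEC) is reduced to a flag, and SHA-256 is the package hash.

```python
import hashlib
import hmac

# Constructed sample data: stands in for the DNS data store the vendor
# populated before publishing the package. Field names are hypothetical.
VENDOR_KEY = b"constructed-vendor-public-key-bytes"
REVOKED_PKG = b"constructed bad package build"
DNS_STORE = {
    "releases.vendor.example": {"key": VENDOR_KEY, "revocation": None},
    "old.vendor.example": {"key": VENDOR_KEY, "revocation": "full"},
    "patch.vendor.example": {
        "key": VENDOR_KEY,
        "revocation": [hashlib.sha256(REVOKED_PKG).hexdigest()],
    },
}

def identifier_to_dns_name(identifier: str) -> str:
    """Map a key identifier to a DNS name by replacing one symbol
    (assumed here: '@' becomes '.')."""
    local, sep, domain = identifier.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError("identifier must contain exactly one '@'")
    return f"{local}.{domain}".lower()

def resolve(name, store=DNS_STORE, dnssec_ok=True):
    """Stub resolver: returns (record, authenticated). A real client would
    query DNS and require a validated chain of trust (e.g. DNSSEC)."""
    return store.get(name), dnssec_ok

def check_key(identifier, first_key, package, **resolver_args):
    """Return a verdict string for the key shipped with `package`."""
    record, authenticated = resolve(identifier_to_dns_name(identifier), **resolver_args)
    if record is None:
        return "untrusted: no key published for this name"
    if not authenticated:
        return "untrusted: DNS response failed chain-of-trust validation"
    # Constant-time comparison of the published key with the shipped key.
    if not hmac.compare_digest(record["key"], first_key):
        return "untrusted: published key does not match shipped key"
    if record["revocation"] == "full":
        return "revoked: discard all packages signed with this key"
    if record["revocation"] and hashlib.sha256(package).hexdigest() in record["revocation"]:
        return "revoked: this package is listed in a partial revocation"
    return "trusted: shipped key matches the key published in DNS"
```

A "trusted" verdict only authenticates the key; verifying the package signature against that key (claim 2) remains a separate step.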

Classifications

  • Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title

  • H04L9/3247 (Primary): involving digital signatures · CPC title

  • using a plurality of keys or algorithms · CPC title

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title

  • Electricity · mapped topic

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3247. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 15, 2019 (B2). Legal status and post-grant events are not shown on this page.