Controlling access to protected objects

US 10,333,711 B2
Filed: 06/17/2011
Issued: 06/25/2019
Est. Priority Date: 06/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method of regulating access, by a server having a processor and a key store that stores a key, to an object encrypted with the key and stored on a device operated by a user, the method comprising:

executing, on the processor, instructions that cause the server to;

receive a request of a user to establish an assignment, to a particular device of a user, of an access privilege authorizing the particular device to access the object;

store a record of the assignment of the access privilege to the particular device of the user of the access privilege to access the object;

receive a request from the particular device to access the key;

verify that the access privilege requested by the user authorizes the particular device to access the object; and

responsive to verifying the access privilege;

generate a ticket granting access to the key and indicating the access privilege assigned to the particular device for access to the object, andsend the ticket to the particular device; and

responsive to receiving the ticket from the particular device;

verify the ticket, andresponsive to verifying the ticket, send the key to the particular device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device operated by a user may store an object to which access is to be regulated, which may be achieved by encrypting the object with an encryption key and sending the key to a server having a key store. When a user of the device requests access to the object, the server may authenticate the user (e.g., according to a credential submitted by the user) and verify a trust identifier of the device (e.g., authorization to access the object through the device, and/or the integrity of the device), before sending to the device a ticket granting access to the key. The device may send the ticket to the server, receive the key from the server, decrypt the stored encrypted object, and provide the object to the user. This mechanism promotes rapid access upon request and efficient use of the server, and enables remote revocation of access.

Citations

20 Claims

1. A method of regulating access, by a server having a processor and a key store that stores a key, to an object encrypted with the key and stored on a device operated by a user, the method comprising:
- executing, on the processor, instructions that cause the server to;
  
  receive a request of a user to establish an assignment, to a particular device of a user, of an access privilege authorizing the particular device to access the object;
  
  store a record of the assignment of the access privilege to the particular device of the user of the access privilege to access the object;
  
  receive a request from the particular device to access the key;
  
  verify that the access privilege requested by the user authorizes the particular device to access the object; and
  
  responsive to verifying the access privilege;
  
  generate a ticket granting access to the key and indicating the access privilege assigned to the particular device for access to the object, andsend the ticket to the particular device; and
  
  responsive to receiving the ticket from the particular device;
  
  verify the ticket, andresponsive to verifying the ticket, send the key to the particular device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1:
    - the server configured to store at least one credential of the user; and
      
      wherein the instructions further cause the server to authenticate the user by;
      
      receiving a submitted credential from the user, andcomparing the submitted credential with the at least one credential of the user.
  - 3. The method of claim 2, at least one credential of the user selected from a credential set comprising:
    - a secret known by the user;
      
      a token possessed by the user;
      
      a contact identifier whereby the user may be contacted; and
      
      a biometric identifier identifying at least one physiological feature of the user.
  - 4. The method of claim 1, comprising:
    - generating the key, andinstructing the device to encrypt at least one object with the key.
  - 5. The method of claim 1, comprising:
    - receiving from the device a key generated by the device and with which at least one object has been encrypted.
  - 6. The method of claim 1, wherein:
    - the access privilege further specifies a component identifier establishing a component integrity of at least one component of the device; and
      
      verifying the access specifically by the device to the object further comprising;
      
      verifying the component identifier establishing the component integrity of the at least one component of the device.
  - 7. The method of claim 1:
    - the ticket having a duration; and
      
      verifying the ticket comprising;
      
      verifying the duration of the ticket.
  - 8. The method of claim 1:
    - the device having at least one device identifier;
      
      the ticket specifying at least one device identifier of the device to which the ticket is issued; and
      
      verifying the ticket comprising;
      
      receiving at least one device identifier of the device, andverifying that the ticket specifies at least one device identifier received from the device.
  - 9. The method of claim 1, wherein executing the instructions further causes the server to, responsive to failing to identify the ticket received from the device:
    - re-authenticate the user;
      
      re-verify that the access privilege establishes that the device is authorized to access the object; and
      
      responsive to re-authenticating the user and re-verifying the access privilege;
      
      generate a renewed ticket granting access to the key, andsend the renewed ticket to the device.
  - 10. The method of claim 1, wherein executing the instructions further causes the server to, responsive to detecting an unauthorized access attempt relating to the object:
    - send to the device a request to encrypt the object with a second key; and
      
      responsive to receiving the second key from the device, replace the first key in the key store with the second key.

11. A method of accessing objects on a device operated by a user and having a processor and a data store using a server having a key store, the method comprising:
- executing on the processor instructions that cause the device to;
  
  receive a key;
  
  encrypt at least one object with the key to generate an encrypted object;
  
  store the encrypted object in the data store;
  
  send the key to the server;
  
  responsive to a request to access the object;
  
  submit to the server;
  
  at least one credential authenticating the user, andan identifier device identifier of the device; and
  
  receiving a ticket from the server indicating an access privilege that has been assigned particularly to the device for accessing the object responsive to a request of the user of the device to establish an assignment of an access privilege, particular to the device, to authorize the device to access the object;
  
  sending the ticket to the server; and
  
  responsive to receiving a key from the server;
  
  decrypting the encrypted object with the key to generate an unencrypted object, andpresenting the unencrypted object in response to the request.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, receiving the key comprising:
    - receiving the key from the server.
  - 13. The method of claim 11:
    - the device comprising a biometric sensor configured to detect at least one biometric identifier of a user;
      
      the at least one credential authenticating the user comprising a biometric identifier stored by the server and representing the user; and
      
      submitting the at least one credential authenticating the user to the server comprising;
      
      using the biometric sensor, detecting at least one biometric of the user, andsubmitting the at last one biometric to the server for comparison with a corresponding biometric identifier of the user.
  - 14. The method of claim 11:
    - the device configured to test at least one device component of the device to generate a component integrity credential identifying a component integrity of the device component;
      
      the access privilege assigned to the device further comprising a verified component integrity credential of the device stored by the server and representing a component integrity of the device component; and
      
      submitting the access request of the device to the server comprising;
      
      detecting at least one component integrity credential of at least one device component, andsubmitting the at least one component integrity credential to the server for comparison with a corresponding verified component integrity credential.
  - 15. The method of claim 11:
    - the device comprising a secured data store; and
      
      wherein executing the instructions further causes the device to;
      
      responsive to receiving a key, store the key in the secured data store;
      
      responsive to generating the unencrypted object, store the unencrypted object in the secured data store; and
      
      responsive to receiving a request to perform an operation on the object;
      
      verify the ticket, andresponsive to verifying the ticket, perform the operation on the object.
  - 16. The method of claim 11, the instructions configured to, after decrypting an encrypted object:
    - re-verify the ticket, andresponsive to failing to re-verify the ticket;
      
      discard the key, anddiscard the unencrypted object.
  - 17. The method of claim 16, wherein executing the instructions further causes the device to, responsive to failing to re-verify the ticket:
    - resubmit at least one credential authenticating the user to the server, andreceive a renewed ticket from the server.
  - 18. The method of claim 11, wherein executing the instructions further causes the device to, responsive to detecting an unauthorized access attempt related to an object:
    - discard tickets, keys, and unencrypted objects associated with the object, andreport the unauthorized access attempt to the server.
  - 19. The method of claim 11, wherein executing the instructions further causes the device to, responsive to receiving from the server a request to encrypt the object with a second key:
    - generate a second key;
      
      decrypt the object using the key;
      
      encrypt the object using the second key to generate a second encrypted object;
      
      store the second encrypted object in the data store; and
      
      send the second key to the server.

20. A server that regulates access to an object encrypted with a key, the server comprising:
- a processor; and
  
  a memory storing;
  
  a key store for the key; and
  
  instructions that, when executed by the processor, cause the server to fulfill a request from a device of a user to access the key, wherein the request includes a trust identifier establishing that the user has authorized the device to access the object by;
  
  receiving a request of a user to establish an assignment, to a particular device of the user, of an access privilege authorizing the particular device to access the object;
  
  storing a record of the assignment of the access privilege to the particular device of the user of the access privilege to access the object;
  
  verifying that the access privilege requested by the user authorizes the particular device to access the object;
  
  responsive to verifying the access privilege;
  
  generating a ticket granting access to the key and indicating the access privilege requested by the user for the particular device to access to the object, andsending the ticket to the device; and
  
  responsive to receiving the ticket from the device;
  
  verifying the ticket, andresponsive to verifying the ticket, sending the key to the particular device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Fleischman, Eric, Kamel, Tarek, Rouskov, Yordan
Primary Examiner(s)
Kyle, Tamara T

Application Number

US13/162,831
Publication Number

US 20120321087A1
Time in Patent Office

2,930 Days
Field of Search

726 10, 726 26- 29, 380277
US Class Current
CPC Class Codes

H04L 9/3213   using tickets or tokens, e....

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

Controlling access to protected objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to protected objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links