Trusted container
Abstract
A secure identifier is derived, using a secured microcontroller of a computing device, that is unique to a pairing of the computing device and a particular domain. Secure posture data corresponding to attributes of the computing device is identified in secured memory of the computing device. The secure identifier and security posture is sent in a secured container to a management device of the particular domain. The particular domain can utilize the information in the secured container to authenticate the computing device and determine a security task to be performed relating to interactions of the computing device with the particular domain.
9 Claims
1. At least one storage device or storage disk comprising instructions that, when executed on at least one processor, cause the at least one processor to, at least:
establish a secure connection between a domain and a client computing device;
receive, from the client computing device, a secure identifier corresponding to the client computing device, the secure identifier including a one-time password unique to a pairing of the client computing device and the domain, the secure identifier derived based at least in part on seed data received from the domain, the seed data separate from a domain identifier corresponding to the domain and unique to the pairing of the client computing device and the domain;
receive, from the client computing device, a container including security posture data corresponding to the client computing device bound to the secure identifier, the security posture data to identify attributes of the client computing device; and
perform a security task relating to an interaction of the client computing device with the domain, the security task including identification of a driver corresponding to the client computing device, the identification of the driver based on the security posture data.

2. At least one storage device or storage disk comprising instructions that, when executed on at least one processor, cause the at least one processor to, at least:
establish a secure connection between a domain and a client computing device;
receive, from the client computing device, a secure identifier corresponding to the client computing device, the secure identifier including a one-time password unique to (a) a pairing of the client computing device and (b) the domain, the one-time password derived based at least in part on seed data received from the domain, the seed data separate from a domain identifier corresponding to the domain and unique to the pairing of the client computing device and the domain;
receive, from the client computing device, a container including security posture data corresponding to the client computing device bound to the secure identifier, the security posture data to identify attributes of the client computing device; and
perform a security task relating to an interaction of the client computing device with the domain, the security task including a load of an agent onto the client computing device.

3. A system comprising:
at least one processor;
memory in circuit with the at least one processor;
a controller manager isolated from the at least one processor and to interact with a client computing device, the controller manager to:
negotiate a secure session with a client computing device;
provision seed data to the client computing device in response to the negotiation of the secure session, the seed data (a) separate from a domain identifier of a domain, (b) unique to a pairing of the client computing device and the domain, and (c) to be stored in a secure memory of the client computing device;
receive, from the client computing device, a secure identifier including a one-time password unique to the pairing of the client computing device and the domain, the secure identifier derived based at least in part on the seed data;
authenticate the client computing device using the one-time password; and
receive a secured container including the secure identifier and security posture data from the client computing device; and
an agent manager to load an agent onto the client computing device via a cloud connection.

4. A system comprising:
at least one processor;
memory in circuit with the at least one processor; and
a controller manager isolated from the at least one processor and to interact with a client computing device, the controller manager to:
negotiate a secure session with a client computing device;
provision seed data to the client computing device in response to the negotiation of the secure session, the seed data (a) separate from a domain identifier of a domain, (b) unique to a pairing of the client computing device and the domain, and (c) to be stored in a secure memory of the client computing device;
receive, from the client computing device, a secure identifier including a one-time password unique to the pairing of the client computing device and the domain, the secure identifier derived based at least in part on the seed data;
authenticate the client computing device using the one-time password; and
receive a secured container including the secure identifier and security posture data from the client computing device, wherein the system is to receive the secured container over a secure communication channel, the secure communication channel including an out-of-band communication channel between the client computing device and the domain independent from an in-band communication channel between a central processing unit of the client computing device and the domain.

5. A system comprising:
at least one processor;
memory in circuit with the at least one processor; and
a controller manager isolated from the at least one processor and to interact with a client computing device, the controller manager to:
negotiate a secure session with a client computing device;
provision seed data to the client computing device in response to the negotiation of the secure session, the seed data (a) separate from a domain identifier of a domain, (b) unique to a pairing of the client computing device and the domain, and (c) to be stored in a secure memory of the client computing device;
receive, from the client computing device, a secure identifier including a one-time password unique to the pairing of the client computing device and the domain, the secure identifier derived based at least in part on the seed data;
authenticate the client computing device using the one-time password; and
receive a secured container including the secure identifier and security posture data from the client computing device, wherein the system is to establish a second secure communication channel with the client computing device according to a second secure identifier including a second one-time password.

6. A system comprising:
at least one processor;
memory in circuit with the at least one processor; and
a controller manager isolated from the at least one processor and to interact with a client computing device, the controller manager to:
negotiate a secure session with a client computing device;
provision seed data to the client computing device in response to the negotiation of the secure session, the seed data (a) separate from a domain identifier of a domain, (b) unique to a pairing of the client computing device and the domain, and (c) to be stored in a secure memory of the client computing device;
receive, from the client computing device, a secure identifier including a one-time password unique to the pairing of the client computing device and the domain, the secure identifier derived based at least in part on the seed data;
authenticate the client computing device using the one-time password;
receive a secured container including the secure identifier and security posture data from the client computing device; and
validate the client computing device based at least in part on a certificate from a trusted authority.

7. A system comprising:
at least one processor;
memory in circuit with the at least one processor; and
a controller manager isolated from the at least one processor and to interact with a client computing device, the controller manager to:
negotiate a secure session with a client computing device;
provision seed data to the client computing device in response to the negotiation of the secure session, the seed data (a) separate from a domain identifier of a domain, (b) unique to a pairing of the client computing device and the domain, and (c) to be stored in a secure memory of the client computing device;
receive, from the client computing device, a secure identifier including a one-time password unique to the pairing of the client computing device and the domain, the secure identifier derived based at least in part on the seed data;
authenticate the client computing device using the one-time password;
receive a secured container including the secure identifier and security posture data from the client computing device; and
negotiate a form of the secure identifier via a combination of the seed data and the domain identifier.

8. A method comprising:
establishing, by executing an instruction with at least one processor, a secure connection between a domain and a client computing device;
receiving from the client computing device, by executing an instruction with the at least one processor, a secure identifier corresponding to the client computing device, the secure identifier including a one-time password unique to a pairing of the client computing device and the domain, the secure identifier derived based at least in part on seed data received from the domain, the seed data separate from a domain identifier corresponding to the domain and unique to the pairing of the client computing device and the domain;
receiving from the client computing device, by executing an instruction with the at least one processor, a container including security posture data corresponding to the client computing device bound to the secure identifier, the security posture data to identify attributes of the client computing device; and
performing a security task relating to an interaction of the client computing device with the domain, wherein the security task includes identification of a driver corresponding to the client computing device based on the security posture data.

9. A method comprising:
establishing, by executing an instruction with at least one processor, a secure connection between a domain and a client computing device;
receiving from the client computing device, by executing an instruction with the at least one processor, a secure identifier corresponding to the client computing device, the secure identifier including a one-time password unique to a pairing of the client computing device and the domain, the secure identifier derived based at least in part on seed data received from the domain, the seed data separate from a domain identifier corresponding to the domain and unique to the pairing of the client computing device and the domain;
receiving from the client computing device, by executing an instruction with the at least one processor, a container including security posture data corresponding to the client computing device bound to the secure identifier, the security posture data to identify attributes of the client computing device; and
performing a security task relating to an interaction of the client computing device with the domain, wherein the security task includes a load of an agent onto the client computing device.

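As an added illustration (not the patent's own implementation or any product code), the exchange the claims describe, modelled in Python: the domain provisions a per-pairing seed separate from its domain identifier, the device derives an HMAC-based one-time password over the domain identifier and a counter as its secure identifier, binds its posture data to that identifier in a container, and the domain authenticates the one-time password, rejects replays, checks the binding and only then selects a security task (load an agent, or identify a driver). The names `DomainController`, `derive_otp`, `bind_container` and the posture keys are assumptions; on a real client the seed would live in the secured microcontroller rather than in process memory.

```python
import hmac, hashlib, json, os, struct

def derive_otp(seed: bytes, domain_id: bytes, counter: int) -> str:
    # Secure identifier: an HMAC-based one-time password over the domain id and a
    # counter, keyed with the pairing-specific seed (so unique to device + domain).
    mac = hmac.new(seed, domain_id + struct.pack(">Q", counter), hashlib.sha256)
    return mac.hexdigest()[:16]

def bind_container(seed: bytes, secure_id: str, posture: dict) -> dict:
    # Container: posture attributes plus a tag binding them to the secure identifier.
    body = json.dumps(posture, sort_keys=True).encode()
    key = hmac.new(seed, b"container-binding", hashlib.sha256).digest()
    tag = hmac.new(key, secure_id.encode() + body, hashlib.sha256).hexdigest()
    return {"secure_id": secure_id, "posture": posture, "tag": tag}

class DomainController:
    """Domain-side manager (name assumed): provisions seeds, authenticates, picks a task."""
    def __init__(self, domain_id: bytes):
        self.domain_id = domain_id
        self.pairings = {}  # device -> {"seed": bytes, "counter": int}

    def provision(self, device: str) -> bytes:
        # Fresh random seed per pairing, independent of the domain identifier.
        seed = os.urandom(32)
        self.pairings[device] = {"seed": seed, "counter": 0}
        return seed

    def accept(self, device: str, container: dict, window: int = 3):
        p = self.pairings[device]
        seed, sid = p["seed"], container["secure_id"]
        # Authenticate: the OTP must match one of the next `window` counters;
        # an already-consumed counter never matches again, so replays fail here.
        match = next((c for c in range(p["counter"], p["counter"] + window)
                      if hmac.compare_digest(derive_otp(seed, self.domain_id, c), sid)), None)
        if match is None:
            return None
        # The posture data must be bound to this identifier and unmodified.
        expected = bind_container(seed, sid, container["posture"])
        if not hmac.compare_digest(expected["tag"], container["tag"]):
            return None
        p["counter"] = match + 1  # consume the OTP only after full validation
        return self.security_task(container["posture"])

    @staticmethod
    def security_task(posture: dict) -> str:
        # Constructed policy: push the agent if absent, else select a driver by model.
        if not posture.get("agent_present", False):
            return "load-agent"
        return "driver:" + posture.get("nic_model", "generic")
```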
Specification