Bi-directionally verifying measurable aspects associated with modules, pre-computing solutions to configuration challenges, and using configuration challenges along with other authentication mechanisms

US 20050235150A1
Filed: 04/19/2004
Published: 10/20/2005
Est. Priority Date: 04/19/2004
Status: Abandoned Application

First Claim

Patent Images

1. At a requesting computing system that is communicatively connectable to a providing computing system, the requesting computing system including requesting instructions that can attempt to interact with a providing application at the providing computing system, a method for providing information that can used to verify measurable aspects of the requesting computing system, the method comprising:

an act of performing at least one of determining that the providing computing system is appropriately configured to issue challenges to components included in the requesting computing system and determining that the providing application is appropriately configured to issue challenges to the requesting instructions;

an act of subsequently accepting a challenge that was initiated by the providing application based at least in part on the providing computing system and the providing application being appropriately configured to issue challenges to the requesting instructions; and

an act of submitting an assertion that that can be used to verify that the requesting instructions are configured in accordance with one or more measurable aspects that are appropriate for interacting with the providing application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to validating measurable aspects of computing system. A provider causes a challenge to be issued to the requester, the challenge requesting proof that the requester is appropriately configured to access the resource. The requester accesses information that indicates how the requester is to prove an appropriate configuration for accessing the resource. The requester formulates and sends proof that one or more measurable aspects of the requester'"'"'s configuration are appropriate. The provider receives proof that one or more measurable aspects of the requester'"'"'s configuration are appropriate and authorizes the requester to access the resource. Proof of one more measurable aspects of a requester can be used along with other types of authentication to authorize a requester to access a resource of a provider. Solutions to challenges can be pre-computed and stored in a location accessible to a provider.

Citations

33 Claims

1. At a requesting computing system that is communicatively connectable to a providing computing system, the requesting computing system including requesting instructions that can attempt to interact with a providing application at the providing computing system, a method for providing information that can used to verify measurable aspects of the requesting computing system, the method comprising:
- an act of performing at least one of determining that the providing computing system is appropriately configured to issue challenges to components included in the requesting computing system and determining that the providing application is appropriately configured to issue challenges to the requesting instructions;
  
  an act of subsequently accepting a challenge that was initiated by the providing application based at least in part on the providing computing system and the providing application being appropriately configured to issue challenges to the requesting instructions; and
  
  an act of submitting an assertion that that can be used to verify that the requesting instructions are configured in accordance with one or more measurable aspects that are appropriate for interacting with the providing application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein determining that the providing computing system is appropriately configured to issue challenges to components included in the requesting computing system comprises an act of establishing an SSL connection between the requesting computing system and the providing computer system.
  - 3. The method as recited in claim 1, wherein the act of determining that the providing application is appropriately configured to issue challenges to the requesting instructions comprises receiving proof that the providing application complies with one or more security and trust policies of the requesting computing system.
  - 4. The method as recited in claim 1, wherein the act of subsequently accepting a challenge that was initiated by the providing application comprises an act of subsequently accepting a request for proof of the values of one or more measurable aspects of the requesting computer system.
  - 5. The method as recited in claim 1, wherein the submitted assertion includes the values of one or more measurable aspects of the requesting computer system.
  - 6. The method as recited in claim 1, wherein the submitted assertion indicates the identity of one or more portions of the requesting instructions.
  - 7. The method as recited in claim 1, wherein the act of submitted assertion indicates an execution environment of the requesting code.

8. At a providing computing system that is communicatively connectable to a requesting computing system, the providing computing system including a providing application that can attempt to interact with a requesting instructions at the requesting computing system, a method for verifying measurable aspects of the requesting computing system, the method comprising:
- an act of performing at least one of proving that the providing computing system is appropriately configured to issue challenges to components of the requesting computing system and proving that the providing application is appropriately configured to issue challenges to the requesting instructions;
  
  an act of subsequently causing a configuration challenge to be issued to the requesting instructions;
  
  an act of receiving an assertion that can be used to verify that the requesting instructions are configured in accordance with one or more measurable aspects that are appropriate for interacting with the providing application; and
  
  an act of validating the assertion.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as recited in claim 8, wherein the act of proving that the providing computing system is appropriately configured to issue challenges comprises an act of establishing an SSL connection between the providing computing system and the requesting computing system.
  - 10. The method as recited in claim 8, wherein the act of proving that the providing application is appropriately configured to issue challenges to the requesting instructions comprises an act of sending proof that the providing application complies with one or more security and trust policies of the requesting computing system.
  - 11. The method as recited in claim 8, wherein the act of subsequently causing a challenge to be issued to the requesting computing system comprises an act of requesting proof of the values of one or more measurable aspects of the requesting computer system.
  - 12. The method as recited in claim 8, wherein the act of receiving proof that the requesting instructions are appropriately configured for accessing the resource comprises an act of receiving proof of the identity of one or more portions of the requesting instructions.
  - 13. The method as recited in claim 8, wherein the act of receiving proof that the requesting instructions are appropriately configured for accessing the resource comprises an act of receiving proof of the values of one or more measurable aspects of an execution environment at the requesting computer system.

14. At a computing system that is communicatively connectable to a network, a method for generating a challenge and pre-computing answers to the challenge, the method comprising:
- an act of accessing a first random value;
  
  an act of accessing a secret value;
  
  an act of using the first random value and the secret value as input to a first hash algorithm to generate a second random value;
  
  an act of using the first random value and the second random value as input to a second hash algorithm to identify one or more regions within a portion instructions;
  
  an act of retrieving values from the identified regions; and
  
  an act of pre-computing an answer to the challenge based on the retrieved values.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method as recited in claim 14, wherein the act of accessing a first random value comprises an act of accessing a seed nonce.
  - 16. The method as recited in claim 14, wherein the act using the first random value and the secret value as input to a first hash algorithm to generate a second random value comprises using a seed nonce and the secret to generate a challenge nonce.
  - 17. The method as recited in claim 14, wherein the act of using the first random value and the second random value as input to a second hash algorithm to identify one or more regions within a portion instructions comprises an act of using a seed nonce and a challenge nonce as input to the second hash algorithm to generate a random bit stream.
  - 18. The method as recited in claim 14, wherein the portion of instructions comprises a plurality of identified regions.
  - 19. The method as recited in claim 14, wherein the computing system includes a challenge service, further comprising:
    - an act of receiving a request for a challenge that a provider can subsequently issue to a requester; and
      
      an act of returning the identified one or more regions within a portion instructions and the values retrieved from the identified regions to the provider.
  - 20. The method as recited in claim 14, wherein the computing system includes a challenge service, further comprising:
    - an act of receiving a response that was submitted to a provider as a response to a challenge generated by the challenge service, reception of the response indicating that the response was not a pre-computed answer to the challenge;
      
      an act of verifying the response; and
      
      an act of indicating to the provider that the response is valid.

21. At a requester that is communicatively connectable to a provider, a method for authorizing the requester to interact with the provider, the method comprising:
- an act of sending a request to the provider;
  
  an act of receiving a configuration challenge from the provider, the configuration challenge indicating how the requester is to prove that the requester is appropriately configured to interact with the provider;
  
  an act of sending proof of the values of one or more measurable aspects of the requester to the provider; and
  
  an act of receiving a token that can be used to prove that the requester is appropriately configured.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method as recited in claim 21, wherein the act sending a request to the provider comprises an act of sending a challenge along with the request, the challenge indicating how the provider is to prove that the provider is appropriately configured to issue configuration challenges to the requester.
  - 23. The method as recited in claim 21, wherein the act of receiving a configuration challenge from the provider comprises an act receiving a configuration challenge along with proof that the provider is appropriately configured to issue configuration challenges to the requester.
  - 24. The method as recited in claim 21, wherein the act of sending proof of the values of one or more measurable aspects of the requester to the provider comprises an act of sending a challenge along with the proof of the values of one or more measurable aspects, the challenge indicating how the provider is to prove that the provider is appropriately configured to issue configuration challenges to the requester.
  - 25. The method as recited in claim 21, wherein an act of receiving a token comprises an act of receiving a token along with proof that the provider is appropriately configured to issue configuration challenges to the requester.

26. At a provider that is communicatively connectable to a requester, a method for authorizing the requester and the provider to interact with the provider, the method comprising:
- an act of receiving a request from the requester;
  
  an act of causing a configuration challenge to be issued to the requester, the configuration challenge requesting proof that the requester is appropriately configured to interact with the provider;
  
  an act of receiving proof of the values of one or more measurable aspects of the requester'"'"'s configuration; and
  
  an act of sending a token that can subsequently be used to prove that the requester is appropriately configured.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method as recited in claim 26, wherein the an act of receiving a request comprises an act of receiving a challenge along with the request, the challenge requesting proof that the provider is appropriately configured to issue configuration challenges to the requester.
  - 28. The method as recited in claim 26, wherein the act of causing a configuration challenge to be issued to the requester comprises an act of sending a configuration challenge along with proof that the provider is appropriately configured to issue configuration challenges to the requester.
  - 29. The method as recited in claim 26, wherein the act of receiving proof of the values of one or more measurable aspects of the requester'"'"'s configuration comprises an act of receiving a challenge along with the proof of the values of the one or more measurable aspects, the challenge requesting proof that the provider is appropriately configured to issue configuration challenges to the requester.
  - 30. The method as recited in claim 26, wherein that act of sending a token comprises sending a token along with proof that the provider is appropriately configured to issue configuration challenges to the requester.

31. A computer program product for use in a computing system that is communicatively connectable to a network, the computer program product for implementing a method for generating a challenge and pre-computing answers to the challenge, the computer program product comprising one or more computer-readable media having stored thereon computer-executable instructions that, when executed by a processed, cause the computing system to perform the following:
- access a first random value;
  
  access a secret value;
  
  use the first random value and the secret value as input to a first hash algorithm to generate a second random value;
  
  use the first random value and the second random value as input to a second hash algorithm to identify one or more regions within a portion instructions;
  
  retrieve values from the identified regions; and
  
  pre-compute an answer to the challenge based on the retrieved values.

32. A computer program product for use in a computing system having a requester that is communicatively connectable to a provider, the computer program product for implementing a method for authorizing the requester to interact with the provider, the computer program product comprising one or more computer-readable media having stored thereon computer-executable instructions that, when executed by a processed, cause the computing system to perform the following:
- send a request to the provider;
  
  receive a configuration challenge from the provider, the configuration challenge indicating how the requester is to prove that the requester is appropriately configured to interact with the provider;
  
  send proof of the values of one or more measurable aspects of the requester to the provider; and
  
  receive a token that can be used to prove that the requester is appropriately configured.

33. A computer program product for use in a computing system having a provider that is communicatively connectable to a requester, the computer program product for implementing a method for authorizing the requester and the provider to interact with the provider, the computer program product comprising one or more computer-readable media having stored thereon computer-executable instructions that, when executed by a processed, cause the computing system to perform the following:
- receive a request from the requester;
  
  cause a configuration challenge to be issued to the requester, the configuration challenge requesting proof that the requester is appropriately configured to interact with the provider;
  
  receive proof of the values of one or more measurable aspects of the requester'"'"'s configuration; and
  
  send a token that can subsequently be used to prove that the requester is appropriately configured.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Shewchuk, John P., Kaler, Christopher G., Simon, Daniel R., Lovering, Bradford H.

Application Number

US10/827,082
Publication Number

US 20050235150A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

H04L 63/0869   for achieving mutual authen...

Bi-directionally verifying measurable aspects associated with modules, pre-computing solutions to configuration challenges, and using configuration challenges along with other authentication mechanisms

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Bi-directionally verifying measurable aspects associated with modules, pre-computing solutions to configuration challenges, and using configuration challenges along with other authentication mechanisms

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links