Secure domain join for computing devices

US 20050246771A1
Filed: 05/25/2004
Published: 11/03/2005
Est. Priority Date: 04/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

acquiring security domain access credentials on a computing device by;

storing a persistent identity on the computing device, deriving data that includes the security domain access credentials from the persistent identity, and transferring the derived data to a security domain to allow the computing device to join the security domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique is provided for acquiring security domain access credentials on a computing device. The security domain access credentials are acquired by storing a persistent identity on the computing device, and deriving data that includes the security domain access credentials from the persistent identity. The derived data is transferred to a security domain to allow the computing device to join the security domain.

190 Citations

View as Search Results

44 Claims

1. A method comprising:
- acquiring security domain access credentials on a computing device by;
  
  storing a persistent identity on the computing device, deriving data that includes the security domain access credentials from the persistent identity, and transferring the derived data to a security domain to allow the computing device to join the security domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the persistent identity is stored in a secure identity processing area (SIPA), and wherein the SIPA is located in the computing device.
  - 3. The method of claim 2, wherein a trust relationship that allows a secure domain join of the computing device to the security domain is established between a persistent account stored in a security domain and the persistent identity in the SIPA.
  - 4. The method of claim 2, wherein the SIPA and a secure data center allow the computing device to obtain a cryptographically authenticated operating system at least partially in response to the security domain access credentials.
  - 5. The method of claim 2, wherein an operating system of the computing device receives the derived data by communicating with a processor that is located within the SIPA.
  - 6. The method of claim 2, wherein an operating system of the computing system establishes an identity of the computing device to the security domain at least partially in response to the security domain access credentials.
  - 7. The method of claim 1, further comprising at least one operating system executing on the computing device, wherein an identity of the operating system is generated based on the persistent identity.
  - 8. The method of claim 1, wherein the data derived from the persistent identity includes a cryptographic function, and wherein the persistent identity challenges security domain data received from the security domain.
  - 9. The method of claim 8, wherein the data derived from the persistent identity includes data encrypted with a public key that is associated with the persistent identity and the cryptographic functions include decrypting a portion of the challenge data with a private key of the persistent identity.
  - 10. The method of claim 1, further comprising at least one operating system executing on the computing device, wherein the operating system contains an identity associated with the operating system, and wherein the identity is established in a computer account that is contained in the security domain.

11. A method comprising:
- separating a secure and persistent identity that is associated with a computing device from an identity of an operating system executing on the computing device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The method of claim 11, wherein a second operating system is executed on the computing device with a security identity distinct from the secure identity of the computing device and distinct from the secure identity of the first operating system.
  - 13. The method of claim 11, wherein the separating is realized through distinct identities in a directory within the security domain.
  - 14. The method of claim 11, wherein the separating allows an identity in the security domain to be distinguished from an identity that is associated with the operating system, and wherein during start-up there is no operating system executing on the computing device.
  - 15. The method of claim 11, wherein the persistent identity is stored in a secure identity processing area (SIPA), wherein the SIPA is located in the computing device.
  - 16. The method of claim 15, wherein a trust relationship is established between a persistent account stored in a security domain and the persistent identity in the SIPA, wherein the trust relationship allows a secure domain join of the computing device to the security domain.
  - 17. The method of claim 15, wherein the operating system receives the derived data by communicating with a processor that is located within the SIPA.
  - 18. The method of claim 15, wherein an identity of the operating system is generated based on the persistent identity of the SIPA.
  - 19. The method of claim 11, wherein the data derived from the persistent identity includes a cryptographic function, and wherein the persistent identity challenges security domain data received from the security domain.
  - 20. The method of claim 19, wherein the data derived from the persistent identity includes data encrypted with a public key that is associated with the persistent identity and the cryptographic functions include decrypting a portion of the challenge data with a private key of the persistent identity.
  - 21. The method of claim 11, wherein the operating system contains an identity associated with the operating system, wherein the identity is established in a computer account that is contained in the security domain.

22. A method comprising:
- receiving, from a computing device, data derived from a persistent identity on the computing device; and
  
  sending to the computing device security domain access credentials based at least in part on the derived data.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, wherein a trust relationship that allows a secure domain join of the computing device to the security domain is established between a persistent account stored in a security domain and the persistent identity in the computing device.
  - 24. The method of claim 22, wherein the security domain receives the derived data.
  - 25. The method of claim 22, wherein the data derived from the persistent identity includes a cryptographic function, and wherein the persistent identity challenges security domain data received from the security domain.

26. A computer readable media having computer readable instructions that when executed by a processor cause the processor to:
- separate a secure and persistent identity that is associated with a computing device from an identity of at least one operating system that would be executing on the computing device, wherein the separating occurs at least partially in a directory within the security domain.
- View Dependent Claims (27)
- - 27. The computer readable media of claim 26, wherein the computer readable instructions further cause the processor to provide two-way authentication between the computing device and the security domain.

28. An apparatus comprising:
- a computing device acquiring security domain access credentials, wherein the computing device stores a persistent identity, further wherein the computing device derives data that includes the security domain access credentials from the persistent identity, further wherein the computing device transfers the derived data to a security domain that allows the computing device to join the security domain.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 29. The apparatus of claim 28, wherein a secure identity processing area (SIPA) stores the persistent identity, wherein the SIPA is located in the computing device.
  - 30. The apparatus of claim 29, wherein a trust relationship that allows a secure domain join of the computing device to the security domain is established between a persistent account stored in a security domain and the persistent identity in the SIPA.
  - 31. The apparatus of claim 29, wherein the SIPA and the secure data center allow the computing device to obtain a cryptographically authenticated operating system at least partially in response to the security domain access credentials.
  - 32. The apparatus of claim 29, wherein an operating system of the computing device receives the derived data by communicating with a processor that is located within the SIPA.
  - 33. The apparatus of claim 29, wherein an operating system of the computing system establishes an identity of the computing device to the security domain at least partially in response to the security domain access credentials.
  - 34. The apparatus of claim 29, further comprising at least one operating system executing on the computing device, wherein an identity of the operating system is generated based on the persistent identity of the SIPA.
  - 35. The apparatus of claim 28, wherein the data derived from the persistent identity includes a cryptographic function, and wherein the persistent identity challenges security domain data received from the security domain.
  - 36. The apparatus of claim 35, wherein the data derived from the persistent identity includes data encrypted with a public key that is associated with the persistent identity and the cryptographic functions include decrypting a portion of the challenge data with a private key of the persistent identity.
  - 37. The apparatus of claim 28, further comprising at least one operating system executing on the computing device, wherein the operating system contains an identity associated with the operating system, and wherein the identity is established in a computer account that is contained in the security domain.

38. A method comprising:
- maintaining the identity of resources in a security domain wherein the identity of a computing device resource is separate from an identity associated with software-based resource, wherein a computing device resource is a separate member of the security domain from the software-based resource.
- View Dependent Claims (39, 40, 41, 42, 43, 44)
- - 39. The method of claim 38, wherein the computing device resource incorporates a persistent identity within a secure identity processing area (SIPA).
  - 40. The method of claim 39, wherein the software-based resource includes an operating system, a kernel, or a program that is used within the security domain;
    - and wherein the software-based resource derives its identity within the security domain at least in part from the persistent identity.
  - 41. The method of claim 39, wherein the software-based resources emulate or simulate the SIPA.
  - 42. The method of claim 38, wherein two or more of the operating systems, kernels, or programs are layered wherein they execute side-by-side.
  - 43. The method of claim 39, wherein the security domain and a directory of resources of the security domain use cryptographic techniques and cryptographic keys provided through the SIPA to separate resources in the directory of resources of the security domain.
  - 44. The method of claim 38, wherein the software-based resources at least partially include firmware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hunt, Galen C., Simon, Jeff

Granted Patent

US 7,669,235 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/18
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 61/5014   using dynamic host configur...

H04L 63/0823   using certificates cryptogr...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Secure domain join for computing devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

190 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Secure domain join for computing devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

190 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links