Multifactor device authentication

US 20050278775A1
Filed: 06/09/2004
Published: 12/15/2005
Est. Priority Date: 06/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method for authentication, comprising:

scanning an electronic system for compliance with a policy to produce a compliance scan result; and

presenting the compliance scan result and an attestation code to an authenticator for authentication of the electronic system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for device authentication with multiple factors. In one embodiment a combination of attributes and/or identifying values known by the device and the authenticator are presented for authentication. The combination of attributes may be presented together, or separately. Invalidity of one of the combination of attributes may result in a more restricted than may be granted for validity of all factors of the authentication.

Citations

55 Claims

1. A method for authentication, comprising:
- scanning an electronic system for compliance with a policy to produce a compliance scan result; and
  
  presenting the compliance scan result and an attestation code to an authenticator for authentication of the electronic system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, wherein scanning for compliance with the policy comprises scanning the electronic system for compliance with an access security policy.
  - 3. A method according to claim 2, wherein scanning for compliance with the security policy comprises determining if virus protection is enabled.
  - 4. A method according to claim 3, wherein determining if virus protection is enabled comprises determining if a software virus scanner is enabled and has an updated virus definition.
  - 5. A method according to claim 3, wherein determining if virus protection is enabled comprises determining if a hardware virus protection is operational.
  - 6. A method according to claim 2, wherein scanning for compliance with the security policy comprises determining if a security monitoring agent is operational on the electronic system.
  - 7. A method according to claim 1, wherein presenting the compliance scan result and the attestation code comprises presenting the compliance scan result and the attestation code as a single credential message for authentication.
  - 8. A method according to claim 1, wherein presenting the compliance scan result and the attestation code comprises presenting system credentials in response to a request for system credentials by the authenticator.
  - 9. A method according to claim 1, further comprising receiving an access assignment, an access granted by the assignment based at least in part on validity of the attestation code and the compliance scan result.

10. A method for authentication, comprising:
- receiving from a remote system an indicator of a level of compliance with security rules, and a system identifier for the remote system corresponding to an access request; and
  
  providing an access assignment for the remote system based at least in part on the indicator and validity of the system identifier.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. A method according to claim 10, wherein receiving the indicator of the level of compliance comprises receiving an indicator of an extent to which the remote system has implemented operating system updates.
  - 12. A method according to claim 10, wherein receiving the indicator of the level of compliance comprises receiving an indicator of a type of host applications are executing on the remote system.
  - 13. A method according to claim 10, wherein receiving the system identifier comprises receiving a digital certificate for the remote system.
  - 14. A method according to claim 10, wherein providing the access assignment based on the validity of the system identifier further comprises comparing the system identifier to one or more values in a database.
  - 15. A method according to claim 10, wherein providing the access assignment based on the system identifier comprises providing a limited access to the remote system if the system identifier is not valid.
  - 16. A method according to claim 10, wherein providing the access assignment based on the indicator comprises providing full access to the remote system if the indicator indicates full observance of the security rules.
  - 17. A method according to claim 10, wherein providing the access assignment based on the indicator comprises providing reduced access to the remote system if the indicator indicates less than full observance of the security rules.

18. An article of manufacture comprising a machine accessible medium having content to provide instructions to cause a machine to perform operations including:
- scanning an electronic system for compliance with a policy to produce a compliance scan result; and
  
  presenting the compliance scan result and an attestation code to an authenticator for authentication of the electronic system.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. An article of manufacture according to claim 18, wherein the content to provide instructions to cause the machine to perform operations including scanning for compliance with the policy comprises the content to provide instructions to cause the machine to perform operations including scanning the electronic system for compliance with an access security policy.
  - 20. An article of manufacture according to claim 19, wherein the content to provide instructions to cause the machine to perform operations including scanning for compliance with the security policy comprises the content to provide instructions to cause the machine to perform operations including determining if virus protection is enabled.
  - 21. An article of manufacture according to claim 19, wherein the content to provide instructions to cause the machine to perform operations including scanning for compliance with the security policy comprises the content to provide instructions to cause the machine to perform operations including determining if a security monitoring agent is operational on the electronic system.
  - 22. An article of manufacture according to claim 18, wherein the content to provide instructions to cause the machine to perform operations including presenting the compliance scan result and the attestation code comprises the content to provide instructions to cause the machine to perform operations including presenting the compliance scan result and the attestation code as a single credential message for authentication.
  - 23. An article of manufacture according to claim 18, further comprising the content to provide instructions to cause the machine to perform operations including receiving an access assignment, an access granted by the assignment based at least in part on validity of the attestation code and the compliance scan result.

24. An article of manufacture comprising a machine accessible medium having content to provide instructions to cause a machine to perform operations including:
- receiving from a remote system an indicator of a level of compliance with security rules, and a system identifier for the remote system corresponding to an access request; and
  
  providing an access assignment for the remote system based at least in part on the indicator and validity of the system identifier.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. An article of manufacture according to claim 24, wherein the content to provide instructions to cause the machine to perform operations including receiving the indicator of the level of compliance comprises the content to provide instructions to cause the machine to perform operations including receiving an indicator of an extent to which the remote system has implemented operating system updates.
  - 26. An article of manufacture according to claim 24, wherein the content to provide instructions to cause the machine to perform operations including receiving the indicator of the level of compliance comprises the content to provide instructions to cause the machine to perform operations including receiving an indicator of a type of host applications are executing on the remote system.
  - 27. An article of manufacture according to claim 24, wherein the content to provide instructions to cause the machine to perform operations including receiving the system identifier comprises the content to provide instructions to cause the machine to perform operations including receiving a digital certificate for the remote system.
  - 28. An article of manufacture according to claim 24, wherein the content to provide instructions to cause the machine to perform operations including providing the access assignment based on the indicator further comprises the content to provide instructions to cause the machine to perform operations including determining from the indicator the level of compliance of the remote system.
  - 29. An article of manufacture according to claim 28, wherein the content to provide instructions to cause the machine to perform operations including providing the access assignment based on the indicator comprises the content to provide instructions to cause the machine to perform operations including providing reduced access to the remote system if the indicator indicates less than full observance of the security rules.

30. An apparatus to present credentials for authentication to obtain network access, comprising:
- a persistent storage to store a value associated with the device;
  
  a network interface to transmit the value to an authenticating entity in response to a request for authentication credentials; and
  
  a security verification module communicatively coupled with the network interface to determine compliance of a device platform with an integrity policy and report the compliance to the authenticating entity in response to the request for authentication credentials.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 31. An apparatus according to claim 30, wherein the storage to store the value comprises the storage to store a password-based identifier.
  - 32. An apparatus according to claim 30, wherein the storage to store the value comprises the storage to store a digital certificate.
  - 33. An apparatus according to claim 30, wherein the storage to store the value comprises the storage to store a system identification number.
  - 34. An apparatus according to claim 30, wherein the network interface to transmit the value to the authenticating entity comprises the network interface to transmit the value to an 802.1x-compliant authenticator.
  - 35. An apparatus according to claim 30, wherein the security verification module to determine compliance of the device platform with the integrity policy comprises the security verification module to determine whether an operating system on the platform has an update installed.
  - 36. An apparatus according to claim 30, wherein the security verification module to determine compliance of the device platform with the integrity policy comprises the security verification module to determine a number and type of host applications executing on the platform.
  - 37. An apparatus according to claim 30, wherein the security verification module to determine compliance of the device platform with the integrity policy comprises the security verification module to determine a quality of virus protection operational on the remote system.
  - 38. An apparatus according to claim 30, wherein the security verification module to report the compliance comprises the security verification module to send a compliance vector to indicate a level of compliance.
  - 39. An apparatus according to claim 30, wherein the security verification module to report the compliance comprises the security verification module to indicate a level of compliance and a timestamp to indicate when compliance was determined.
  - 40. An apparatus according to claim 30, wherein the security verification module to determine the compliance and report the compliance further comprises the security verification module to store an indicator of the level of compliance determined, and wherein report the compliance comprises transmit the stored indicator.
  - 41. An apparatus according to claim 30, wherein the security verification module to report the compliance comprises the security verification module to send compliance data to the authenticating entity over a private link.
  - 42. An apparatus according to claim 30, wherein the security verification module to report the compliance comprises the security verification module to send compliance data to the network interface to cause the network interface to transmit the compliance data to the authenticating entity concurrently with the value.

43. An apparatus to authenticate, comprising:
- a receiver to receive from a device a digital identifier to indicate a user identity associated with the device, and a policy compliance report for the device;
  
  a processor coupled with the receiver to verify validity of the digital identifier and determine a level of compliance based at least in part on the report; and
  
  a policy enforcement module to determine an access assignment for the device based at least in part on the validity of the digital identifier and the level of compliance determined.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
- - 44. An apparatus according to claim 43, wherein the receiver to receive the digital identifier comprises the receiver to receive a password-based bit sequence from the device.
  - 45. An apparatus according to claim 43, wherein the receiver to receive the policy compliance report comprises the receiver to receive a compliance indicator and an indication of a version of a policy associated with the compliance report.
  - 46. An apparatus according to claim 43, wherein the receiver to receive the policy compliance report comprises the receiver to receive a compliance indicator and a timestamp associated with the compliance report.
  - 47. An apparatus according to claim 43, wherein the receiver to receive the digital identifier and the compliance report comprises the receiver to receive the digital identifier in response to a request for device credentials, and separately receive the compliance report in response to a request for a device compliance indicator.
  - 48. An apparatus according to claim 43, wherein the processor to verify the validity of the digital identifier comprises the processor to determine whether the digital identifier corresponds to a database entry indicating a device with a number of access violation below a threshold.
  - 49. An apparatus according to claim 43, wherein the policy enforcement module to determine the access assignment comprises the enforcement module to assign full access to the device if the compliance report indicates complete compliance.
  - 50. An apparatus according to claim 43, wherein the policy enforcement module to determine the access assignment comprises the enforcement module to assign limited access to the device if the compliance report less than complete compliance.
  - 51. An apparatus according to claim 43, wherein the policy enforcement module to determine the access assignment comprises the enforcement module to deny access to the device with a valid digital identifier if the compliance report indicates less than complete compliance.

52. A system comprising:
- a network interface circuit having a compliance scanning module to determine observance of a computing platform on the system of a security policy; and
  
  a transceiver to present system credentials and the determination of the observance in response to a request for credentials associated with authentication of the system; and
  
  a Trusted Platform Module (TPM) coupled with the network interface circuit to store the system credentials to be presented.
- View Dependent Claims (53, 54, 55)
- - 53. A system according to claim 52, wherein the compliance scanning module to determine observance of the security policy comprises the scanning module to determine security measures active on the system.
  - 54. An apparatus according to claim 52, wherein the transceiver to present the credentials comprises the transceiver to send the credentials over a communication link transparent to an operating system of the system.
  - 55. An apparatus according to claim 52, wherein the transceiver to present the credentials comprises the transceiver to present the credentials and the compliance determination at separate times.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Ross, Alan D.

Granted Patent

US 7,774,824 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06Q 20/382   insuring higher security of...

H04L 63/08   for authentication of entit...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Multifactor device authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Multifactor device authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links