DEVICE AUTHENTICATION WITHIN DEPLOYABLE COMPUTING ENVIRONMENT

US 20100093310A1
Filed: 10/09/2008
Published: 04/15/2010
Est. Priority Date: 10/09/2008
Status: Active Grant

First Claim

Patent Images

1. A method of representing a relationship between a device and a user claiming the device in a deployable computing environment, comprising:

receiving from the device a device identification ticket and a user identification ticket;

upon receiving the device identification ticket and the user identification ticket;

authenticating the device identification ticket and the user identification ticket; and

upon authenticating the device identification ticket and the user identification ticket;

representing a device claim regarding a relationship between the device and the user in the deployable computing environment; and

issuing to at least one of the device and the user a device claim ticket associated with the device claim.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user'"'"'s credentials (e.g., user identification ticket).

Citations

20 Claims

1. A method of representing a relationship between a device and a user claiming the device in a deployable computing environment, comprising:
- receiving from the device a device identification ticket and a user identification ticket;
  
  upon receiving the device identification ticket and the user identification ticket;
  
  authenticating the device identification ticket and the user identification ticket; and
  
  upon authenticating the device identification ticket and the user identification ticket;
  
  representing a device claim regarding a relationship between the device and the user in the deployable computing environment; and
  
  issuing to at least one of the device and the user a device claim ticket associated with the device claim.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1:
    - at least one ticket comprising a ticket validity period; and
      
      authenticating the ticket comprising;
      
      validating the ticket validity period of the ticket.
  - 3. The method of claim 1:
    - the representing comprising;
      
      creating a device claim resource comprising at least one of;
      
      a link to the device that is claimed;
      
      a link to the user claiming the device;
      
      a set of device claim data;
      
      a device claim ticket; and
      
      a device identification ticket.
  - 4. The method of claim 1, comprising:
    - creating an identity resource representing the user within the deployable computing environment; and
      
      associating with the identity resource at least one of;
      
      a set of private user data;
      
      a link to one or more device claims; and
      
      a user identification ticket.
  - 5. The method of claim 1, comprising:
    - creating a device resource representing the device within the deployable computing environment; and
      
      associating with the device resource at least one of;
      
      a set of device data;
      
      one or more links to device related resources; and
      
      a device identification ticket.
  - 6. The method of claim 1, comprising:
    - the representing comprising;
      
      terminating an established relationship of the user with the device in the deployable computing environment; and
      
      the method comprising;
      
      upon authenticating the user identification ticket, canceling the representation of the device claim in the deployable computing environment.
  - 7. The method of claim 1, comprising:
    - upon failing to authenticate the user identification ticket, requesting from the user a user authentication token issued by an authentication service; and
      
      upon receiving a user authentication token;
      
      authenticating the user authentication token, andupon authenticating the user authentication token, issuing to the user a user identification ticket.
  - 8. The method of claim 1, receiving from the device a device operation to be performed and device identification ticket corresponding to authorized device operations.
  - 9. The method of claim 8, the device operations comprising at least one of:
    - synchronizing at least one user resource in the deployable computing environment with at least one resource representation of the at least one resource stored on the device;
      
      subscribing the device to at least one resource notification for at least one resource in the deployable computing environment; and
      
      receiving at least one resource update notification allocated for the device.
  - 10. The method of claim 1, receiving from the device a user operation to be performed and a device claim ticket corresponding with authorized user operations delegated by the user.
  - 11. The method of claim 10, the authorized user operations comprising at least one of:
    - create a relationship between a device and the user within the deployable computing environment;
      
      enumerate user resources;
      
      modify user properties; and
      
      modify a user resource associated with the user within the deployable computing environment.

12. A method of authenticating at least one operation by a device in a deployable computing environment, comprising:
- requesting from the device a device claim ticket; and
  
  upon receiving the device claim ticket;
  
  authenticating the device claim ticket;
  
  verifying permission of the device to perform at least one authorized user operation; and
  
  upon authenticating the device claim ticket and verifying permission, performing the at least one authorized user operation.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12:
    - at least one ticket comprising a ticket validity period; and
      
      authenticating the ticket comprising;
      
      validating the ticket validity period of the ticket.
  - 14. The method of claim 12, the authenticating comprising:
    - determining whether a representation of a relationship exists between the device and a user associated with a resource that the operation is to be performed on;
      
      upon determining a representation exists, determining whether the user delegated authority for the device to perform the operation; and
      
      upon determining the authority is delegated, performing the at least one authorized user operation.
  - 15. The method of claim 12, the authorized user operation comprising at least one of:
    - enumerating at least one resource in the deployable computing environment;
      
      mapping at least one resource in the deployable computing environment to at least one local resource representation of the at least one resource stored on the device;
      
      updating at least one resource in the deployable computing environment managed by the device comprising;
      
      identifying at least one other device subscribed to the at least one resource; and
      
      upon identifying at least one other device subscribed to the at least one resource, allocating at least one resource update notification for the at least one other device.
  - 16. The method of claim 12, comprising:
    - requesting from the device a device identification ticket; and
      
      upon receiving the device identification ticket;
      
      authenticating the device identification ticket;
      
      verifying permission of the device to perform at least one authorized device operation; and
      
      upon authenticating the device claim ticket and verifying permission, performing the at least one authorized device operation.
  - 17. The method of claim 16, the authorized device operation comprising at least one of:
    - synchronizing at least one user resource in the deployable computing environment with at least one resource representation of the at least one resource stored on the device;
      
      subscribing the device to at least one resource notification for at least one resource in the deployable computing environment; and
      
      receiving at least one resource update notification allocated for the device.
  - 18. The method of claim 12:
    - the operation specifying a request to update at least one resource managed by a second device represented in the deployable computing environment; and
      
      the method comprising;
      
      upon determining that the operation specifies the at least one resource managed by the second device;
      
      verifying a second device access permission of the device; and
      
      upon verifying the second device access permission, issuing to the device a second device connecting ticket.
  - 19. The method of claim 12:
    - the operation specifying a request to connect to a second device represented in the deployable computing environment to update a resource managed by the second device; and
      
      the method comprising;
      
      requesting from the device a second device connecting ticket; and
      
      upon receiving from the device a second device connecting ticket;
      
      authenticating the second device connecting ticket; and
      
      upon authenticating the second device connecting ticket, allocating for the second device a device connecting request notification.

20. A system for representing and authenticating a relationship between a device and a user within a deployable computing environment, comprising:
- an authenticator comprising;
  
  a representation generating component configured to perform at least one of;
  
  upon authenticating a user credential, generate a representation of the user within the deployable computing environment;
  
  upon authenticating a device credential, generate a representation of the device within the deployable computing environment; and
  
  upon authenticating the user credential and the device credential, generate a representation of the relationship between the device and the user within the deployable computing environment;
  
  a ticket generating component configured to perform at least one of;
  
  upon authenticating the user credential, issue a user identification ticket to the user;
  
  upon authenticating a device credential, issue a device identification ticket to the device; and
  
  upon authenticating the user credential and the device credential, issue a device claim ticket representing the relationship of the device and the user to the device; and
  
  a ticket authentication component configured to perform at least one of;
  
  authenticate at least one ticket received from the user regarding access to the deployable computing environment;
  
  authenticate at least one ticket received from the device regarding access to the deployable computing environment; and
  
  authenticate at least one ticket received from the device regarding a relationship between the device and the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Reed, David R., Batoukov, Roman, Fleischman, Eric, Smolyanskiy, Nikolay, Gbadegesin, Abolade, Shukla, Dharma K., Galvin, Thomas A.

Granted Patent

US 8,412,930 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

DEVICE AUTHENTICATION WITHIN DEPLOYABLE COMPUTING ENVIRONMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DEVICE AUTHENTICATION WITHIN DEPLOYABLE COMPUTING ENVIRONMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links