APPARATUS AND METHODS FOR PROVIDING AUTHORIZED DEVICE ACCESS

US 20100269156A1
Filed: 12/17/2009
Published: 10/21/2010
Est. Priority Date: 12/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method of gaining authorized access to a restricted resource on another device, comprising:

receiving, at an accessor device, an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;

communicating the access credential, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and

receiving a result of an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, and systems are described for providing an accessor device an access credential to interact with a device resource on an accessee device. An authorization entity having a trust relationship with the accessee device, or a linked subordinate authorization entity, generates the access credential. The access credential includes a modification detection indicator, at least one access privilege, and an accessor public key. The at least one access privilege corresponds to at least one device resource on the accessee device. The authorization entity forwards the access credential to the accessor device, which presents the access credential to the accessee device for authentication. Once authenticated, the accessee device grants access to one or more device resources, and controls requests to insure they are within the scope of the at least one access privilege.

292 Citations

66 Claims

1. A method of gaining authorized access to a restricted resource on another device, comprising:
- receiving, at an accessor device, an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  communicating the access credential, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and
  
  receiving a result of an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein receiving the access credential further comprises receiving the access credential granted by a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein receiving the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 3. The method of claim 1, wherein receiving the access credential including the at least one access privilege representation further comprises receiving a representation of a subset of a plurality of access privileges available to a master authorization entity, and further comprising receiving a chain of credentials linking the received access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein receiving the result of the authentication process comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 4. The method of claim 3, wherein receiving the chain of credentials further comprises receiving a master authorization entity credential and at least one subordinate credential, wherein receiving the access credential, the master authorization entity credential and at least one subordinate credential occurs at a same time or at different times.
  - 5. The method of claim 1, wherein receiving the access credential including the at least one access privilege representation further comprises receiving a privilege based on an organizational function associated with the accessor device.
  - 6. The method of claim 1, wherein receiving the access credential including the at least one access privilege representation further comprises receiving at least one of an actual privilege, a privilege greater in scope than an authorization entity privilege corresponding to the authorization entity, or an unknown future privilege.

7. At least one processor configured to gain authorized access to a restricted resource on another device, comprising:
- a first module for receiving an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  a second module for communicating the access credential, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and
  
  a third module for receiving a result of an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

8. A computer program product, comprising:
- a computer-readable medium comprising;
  
  at least one instruction operable to cause a computer to receive an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  at least one instruction operable to cause the computer to communicate the access credential, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and
  
  at least one instruction operable to cause the computer to receive a result of an access authentication that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

9. A communication device, comprising:
- means for receiving an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  means for communicating the access credential, a proof of identity, and a request for interaction with at least one device resource on the accessee device; and
  
  means for receiving a result of an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

10. An accessor device for accessing resources on an accessee device, comprising:
- a processor;
  
  a memory in communication with the processor; and
  
  an access module stored in the memory and executable by the processor, wherein the access module is operable to;
  
  receive an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  initiate communication of the access credential, a proof of identity, and a request for interaction with at least one device resource on the accessee device; and
  
  receive a result of an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The device of claim 10, wherein the access credential is granted by a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 12. The device of claim 10, wherein the at least one access privilege representation further comprises a representation of a subset of a plurality of access privileges available to a master authorization entity, and wherein the access module is operable to receive a chain of credentials linking the received access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 13. The device of claim 12, wherein the chain of credentials further comprises a master authorization entity credential and at least one subordinate credential, wherein the access credential, the master authorization entity credential and at least one subordinate credential are received at a same time or at different times.
  - 14. The device of claim 10, wherein the at least one access privilege representation further comprises a privilege based on an organizational function associated with the accessor device.
  - 15. The device of claim 10, wherein the at least one access privilege representation further comprises at least one of an actual privilege, a privilege greater in scope than an authorization entity privilege corresponding to the authorization entity, or an unknown future privilege.

16. A method of providing access to device resources on an accessee device, comprising:
- receiving an access credential corresponding to an accessor device, a proof of identity, and a request for interaction with at least one device resource on the accessee device, wherein the access credential is associated with an authorization entity having a direct or an indirect trust relationship with the accessee device, and wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  executing an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction; and
  
  transmitting a result of the access authentication process, wherein the result of the access authentication process comprises a grant or a denial of access to the at least one device resource.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein receiving the access credential further comprising receiving the access credential granted by a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein transmitting the result comprising the grant of access further comprises verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 18. The method of claim 17, wherein receiving the access credential including the at least one access privilege representation further comprises receiving a representation of a subset of a plurality of access privileges available to a master authorization entity, and further comprising receiving a chain of credentials linking the received access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein transmitting the result of the authentication process comprising the grant of access further comprises verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 19. The method of claim 18, wherein receiving the chain of credentials further comprises receiving a master authorization entity credential and at least one subordinate credential.
  - 20. The method of claim 16, wherein receiving the access credential including the at least one access privilege representation further comprises receiving a privilege based on an organizational function associated with the accessor device.
  - 21. The method of claim 16, further comprising associating the at least one access privilege representation with at least one communication interface, such that interaction with the accessor device in association with the access privilege representation is limited to the at least one communication interface.
  - 22. The method of claim 16, wherein receiving the access credential including the at least one access privilege representation further comprises receiving at least one of an actual privilege, a privilege greater in scope than an authorization entity privilege corresponding to the authorization entity, or an unknown future privilege.

23. At least one processor configured to provide access to device resources, comprising:
- a first module for receiving an access credential corresponding to an accessor device, a proof of identity, and a request for interaction with at least one device resource on the accessee device, wherein the access credential is associated with an authorization entity having a direct or an indirect trust relationship with the accessee device, and wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  a second module for executing an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction; and
  
  a third module for transmitting a result of the access authentication process, wherein the result of the access authentication process comprises a grant or a denial of access to the at least one device resource.

24. A computer program product, comprising:
- a computer-readable medium comprising;
  
  at least one instruction for causing a computer to receive an access credential corresponding to an accessor device, a proof of identity, and a request for interaction with at least one device resource on the accessee device, wherein the access credential is associated with an authorization entity having a direct or an indirect trust relationship with the accessee device, and wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  at least one instruction for causing the computer to execute an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction; and
  
  at least one instruction for causing the computer to transmit a result of the access authentication process, wherein the result of the access authentication process comprises a grant or a denial of access to the at least one device resource.

25. A communication device, comprising:
- means for receiving an access credential corresponding to an accessor device, a proof of identity, and a request for interaction with at least one device resource on the accessee device, wherein the access credential is associated with an authorization entity having a direct or an indirect trust relationship with the accessee device, and wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  means for executing an access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction; and
  
  means for transmitting a result of the access authentication process, wherein the result of the access authentication process comprises a grant or a denial of access to the at least one device resource.

26. An accessee device for providing access to resources, comprising:
- a processor;
  
  at least one device resource in communication with the processor;
  
  a memory in communication with the processor; and
  
  an access authorization module stored in the memory and executable by the processor, wherein the access authorization module comprises an access authorization process, and wherein the access authorization module is operable to;
  
  receive an access credential corresponding to an accessor device, a proof of identity, and a request for interaction with at least one device resource on the accessee device, wherein the access credential is associated with an authorization entity having a direct or an indirect trust relationship with the accessee device, and wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity;
  
  execute the access authentication process that verifies an authenticity of the access credential based on the modification detection indicator, that verifies the proof of identity provided based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction; and
  
  transmit a result of the access authentication process, wherein the result of the access authentication process comprises a grant or a denial of access to the at least one device resource.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The device of claim 26, wherein the access credential is granted by a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein receiving the result comprising the grant of access is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 28. The device of claim 26, wherein the at least one access privilege representation further comprises a representation of a subset of a plurality of access privileges available to a master authorization entity directly or through any number of other subordinate entities, and wherein transmitting the result of the authentication process comprising the grant of access is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 29. The device of claim 26, wherein the access credential further comprises a chain of credentials further comprising a master authorization entity credential and at least one subordinate credential.
  - 30. The device of claim 26, wherein the at least one access privilege representation comprises a privilege based on an organizational function associated with the accessor device.
  - 31. The device of claim 26, wherein the access authorization module is further operable to associate the at least one access privilege representation with at least one communication interface, such that interaction with the accessor device in association with the at least one access privilege representation is limited to the at least one communication interface.
  - 32. The device of claim 26, wherein the access credential restricts the at least one access privilege representation for use in association with the at least one device resources and for use via at least one communication interface, such that access to the at least one device resource is limited to the corresponding at least one communication interface.
  - 33. The device of claim 26, wherein the access authorization module is further operable to communicate with the accessor device over a predetermined communication channel.
  - 34. The device of claim 26, wherein the at least one access privilege representation comprises at least one of an actual privilege, a privilege greater in scope than an authorization entity privilege corresponding to the authorization entity, or an unknown future privilege.

35. A method for authorizing an accessor device to interact with resources on an accessee device, comprising:
- generating an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity; and
  
  communicating the access credential, wherein the access credential is operable to authorize the accessor device to the accessee device and allow interaction with at least one device resource on the accessee device in accordance with the at least one access privilege representation based on an access authentication process executed by the accessee device that verifies an authenticity of the access credential based on the modification detection indicator, that verifies a proof of identity of the accessor device based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. The method of claim 35, wherein generating the access credential further comprises generating the access credential at a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 37. The method of claim 35, wherein generating the access credential including the at least one access privilege representation further comprises generating based on a subset of a plurality of access privileges available to a master authorization entity, and further comprising attaching a chain of credentials linking the received access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein the result of the authentication process comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 38. The method of claim 37, further comprising receiving a master authorization entity credential and at least one subordinate credential.
  - 39. The method of claim 38, wherein generating the access credential further comprises generating a validity indicator corresponding to the at least one access privilege representation, wherein the validity indicator is operable to define at least one of a time period for which the at least one access privilege representation is valid, a use-based restriction, a location-based restriction, a device state-based restriction, or a communications interface restriction.
  - 40. The method of claim 35, wherein generating the access credential including the at least one access privilege representation further comprises including the one or more of the access privileges based on an organizational function associated with the accessor device.
  - 41. The method of claim 35, further comprising restricting usage of the access credential based on an association between at least one accessee device communication interface and at least one of the at least one access privilege representation or the at least one device resource.

42. At least one processor configured to authorize an accessor device to interact with resources on an accessee device, comprising:
- a first module for generating an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity; and
  
  a second module for communicating the access credential, wherein the access credential is operable to authorize the accessor device to the accessee device and allow interaction with at least one device resource on the accessee device in accordance with the at least one access privilege representation based on an access authentication process executed by the accessee device that verifies an authenticity of the access credential based on the modification detection indicator, that verifies a proof of identity of the accessor device based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

43. A computer program product, comprising:
- a computer-readable medium comprising;
  
  at least one instruction for causing a computer to generate an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity; and
  
  at least one instruction for causing a computer to communicate the access credential, wherein the access credential is operable to authorize the accessor device to the accessee device and allow interaction with at least one device resource on the accessee device in accordance with the at least one access privilege representation based on an access authentication process executed by the accessee device that verifies an authenticity of the access credential based on the modification detection indicator, that verifies a proof of identity of the accessor device based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

44. An authorization device, comprising:
- means for generating an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity; and
  
  means for communicating the access credential, wherein the access credential is operable to authorize the accessor device to the accessee device and allow interaction with at least one device resource on the accessee device in accordance with the at least one access privilege representation based on an access authentication process executed by the accessee device that verifies an authenticity of the access credential based on the modification detection indicator, that verifies a proof of identity of the accessor device based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

45. A device for authorizing an accessor device to access resources on an accessee device, comprising:
- a processor;
  
  a memory in communication with the processor;
  
  a credential management module stored in the memory, executable by the processor and including a privilege establishment module operable to generate an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device, wherein the access credential includes a modification detection indicator, at least one access privilege representation, and an accessor public key, wherein the modification detection indicator was created by the authorization entity; and
  
  a communication module in communication with the processor and operable to communicate the access credential, wherein the access credential is operable to authorize the accessor device to the accessee device and allow interaction with at least one device resource on the accessee device in accordance with the at least one access privilege representation based on an access authentication process executed by the accessee device that verifies an authenticity of the access credential based on the modification detection indicator, that verifies a proof of identity of the accessor device based on the accessor public key, and that verifies that the at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.
- View Dependent Claims (46, 47, 48, 49, 50, 51)
- - 46. The device of claim 45, wherein the privilege establishment module is further operable to generate the access credential at a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 47. The device of claim 45, wherein the access credential including the at least one access privilege representation comprises a subset of a plurality of access privileges available to a master authorization entity, and wherein the privilege establishment module is further operable to generate the access credential including a chain of credentials linking the access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein the result of the authentication process comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 48. The device of claim 47, wherein the chain of credentials further comprises a master authorization entity credential and at least one subordinate credential.
  - 49. The device of claim 45, wherein the access credential further comprises a validity indicator corresponding to the at least one access privilege representation, wherein the validity indicator is operable to define at least one of a time period for which the at least one access privilege representation is valid, a use-based restriction, a location-based restriction, a device state-based restriction, or a communications interface restriction.
  - 50. The device of claim 45, wherein the at least one access privilege representation is based on an organizational function associated with the accessor device.
  - 51. The device of claim 45, wherein the privilege establishment module further includes an association between an accessee device communication interface and at least one of the at least one access privilege representation and the at least one device resource, wherein the access credential including the at least one access privilege representation is generated based on the association.

52. A method of gaining authorized access to a restricted resource on another device, comprising:
- receiving, at an accessor device, an access credential identifier of an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device;
  
  communicating the access credential identifier, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and
  
  receiving a result of an access authentication process that verifies an authenticity of the access credential based on a corresponding modification detection indicator, that verifies the proof of identity provided based on a corresponding accessor public key, and that verifies that at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.
- View Dependent Claims (53, 54, 55, 56, 57)
- - 53. The method of claim 52, wherein receiving the access credential identifier further comprises receiving the access credential granted by a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein receiving the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 54. The method of claim 52, wherein the access credential identifier corresponds to a representation of a subset of a plurality of access privileges available to a master authorization entity, and further comprising receiving a chain identifier of a chain of credentials linking the access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein receiving the result of the authentication process comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 55. The method of claim 54, wherein receiving the chain identifier further comprises receiving a master authorization entity credential identifier and at least one subordinate credential identifier, wherein receiving the access credential identifier, the master authorization entity credential identifier and at least one subordinate credential identifier occurs at a same time or at different times.
  - 56. The method of claim 52, wherein the access credential identifier further corresponds to a privilege based on an organizational function associated with the accessor device.
  - 57. The method of claim 52, wherein the access credential identifier further corresponds to at least one of an actual privilege, a privilege greater in scope than an authorization entity privilege corresponding to the authorization entity, or an unknown future privilege.

58. At least one processor configured to gain authorized access to a restricted resource on another device, comprising:
- a first module for receiving an access credential identifier of an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device;
  
  a second module for communicating the access credential identifier, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and
  
  a third module for receiving a result of an access authentication process that verifies an authenticity of the access credential based on a modification detection indicator, that verifies the proof of identity provided based on an accessor public key, and that verifies that at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

59. A computer program product, comprising:
- a computer-readable medium comprising;
  
  at least one instruction operable to cause a computer to receive an access credential identifier of an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device;
  
  at least one instruction operable to cause the computer to communicate the access credential identifier, a proof of identity, and a request for interaction with at least one device resource on an accessee device; and
  
  at least one instruction operable to cause the computer to receive a result of an access authentication that verifies an authenticity of the access credential based on a modification detection indicator, that verifies the proof of identity provided based on an accessor public key, and that verifies that at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

60. A communication device, comprising:
- means for receiving an access credential identifier of an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device;
  
  means for communicating the access credential identifier, a proof of identity, and a request for interaction with at least one device resource on the accessee device; and
  
  means for receiving a result of an access authentication process that verifies an authenticity of the access credential based on a modification detection indicator, that verifies the proof of identity provided based on an accessor public key, and that verifies that at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.

61. An accessor device for accessing resources on an accessee device, comprising:
- a processor;
  
  a memory in communication with the processor; and
  
  an access module stored in the memory and executable by the processor, wherein the access module is operable to;
  
  receive an access credential identifier of an access credential associated with an authorization entity having a direct or an indirect trust relationship with an accessee device;
  
  initiate communication of the access credential identifier, a proof of identity, and a request for interaction with at least one device resource on the accessee device; and
  
  receive a result of an access authentication process that verifies an authenticity of the access credential based on a modification detection indicator, that verifies the proof of identity provided based on an accessor public key, and that verifies that at least one access privilege representation in the access credential corresponds to a privilege to access the at least one device resource in the request for interaction, wherein the result of the access authentication process comprises being granted or denied access to the at least one device resource.
- View Dependent Claims (62, 63, 64, 65, 66)
- - 62. The device of claim 61, wherein the access credential identifier is granted by a subordinate authorization entity having a subordinate credential linked directly or through any number of other subordinate credentials to a master authorization entity credential, and wherein the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials from the subordinate credential up to and including the master authorization entity credential.
  - 63. The device of claim 61, wherein the access credential identifier corresponds to a subset of a plurality of access privileges available to a master authorization entity, and wherein the access module is operable to receive a chain identifier of a chain of credentials linking the access credential to the master authorization entity directly or through any number of other subordinate entities, and wherein the result comprising access being granted is based on the access authentication process verifying that access to the at least one device resource is allowed by all of the linked credentials.
  - 64. The device of claim 63, wherein the chain identifier further comprises a master authorization entity credential identifier and at least one subordinate credential identifier, wherein the access credential identifier, the master authorization entity credential identifier and at least one subordinate credential identifier are received at a same time or at different times.
  - 65. The device of claim 61, wherein the access credential identifier corresponds to a privilege based on an organizational function associated with the accessor device.
  - 66. The device of claim 61, wherein the access credential identifier corresponds to at least one of an actual privilege, a privilege greater in scope than an authorization entity privilege corresponding to the authorization entity, or an unknown future privilege.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
HOHLFELD, Matthew W., LUNDBLADE, Laurence G.

Granted Patent

US 8,505,078 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2209/603   Digital right managament [DRM]

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

H04W 12/084   using delegated authorisati...

APPARATUS AND METHODS FOR PROVIDING AUTHORIZED DEVICE ACCESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

292 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHODS FOR PROVIDING AUTHORIZED DEVICE ACCESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

292 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links