TRUSTWORTHY DEVICE CLAIMS FOR ENTERPRISE APPLICATIONS

US 20120084850A1
Filed: 01/27/2011
Published: 04/05/2012
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

(A) receiving, by an application from a client device via at least one network, one or more device claims each describing an attribute of the client device;

(B) employing at least one processor to process the one or more device claims, the processing comprising performing a function that depends on the attribute of the client device described by each of the one or more device claims.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention enable a client device to procure trustworthy device claims describing one or more attributes of the client device, have those device claims included in a data structure having a format suitable for processing by an application, and use the data structure which includes the device claims in connection with a request to access the application. The application may use the device claims to drive any of numerous types of application functionality, such as security-related and/or other functionality.

52 Citations

View as Search Results

20 Claims

1. A method, comprising:
- (A) receiving, by an application from a client device via at least one network, one or more device claims each describing an attribute of the client device;
  
  (B) employing at least one processor to process the one or more device claims, the processing comprising performing a function that depends on the attribute of the client device described by each of the one or more device claims.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the application is a web application, and io wherein (A) comprises receiving a Security Assertion Markup Language (SAML) token that includes the one or more device claims.
  - 3. The method of claim 1, wherein, prior to (A), each of the one or more device claims are generated for the client device by a remote attestation facility to provide a trustworthy representation of the attribute of the client device.
  - 4. The method of claim 1, wherein each device claim received in (A) describes an attribute of the client device selected from a group of attributes consisting of:
    - whether the client device is equipped with security software,whether the client device employs a firewall,whether a firewall employed by the client device is operational,whether anti-virus signatures on the client device are up-to-date,a role performed by the client device,an organization to which the client device is affiliated,an owner of the client device, anda geographic location of the device.
  - 5. The method of claim 1, wherein (B) comprises performing a security-related function.
  - 6. The method of claim 5, wherein performing the security-related function comprises one or more of determining that a security component is implemented on the client device before granting access to data or application functionality, and determining that malicious software does not execute on the client device before granting access to data or application functionality.
  - 7. The method of claim 1, wherein (B) comprises generating an output tailored to an attribute of the client device described by the one or more device claims.

8. A computer-readable storage medium having instructions encoded thereon which, when executed, perform a method comprising:
- (A) receiving, from a client device via at least one network, one or more device claims each describing an attribute of the client device;
  
  (B) generating a data structure which includes the one or more device claims, the data structure having a format suitable for processing by an application; and
  
  (C) providing the data structure to the client device for use in connection with a request by the client device to access the application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein (A) comprises receiving a certificate which includes the one or more device claims each describing an attribute of the client device.
  - 10. The computer-readable storage medium of claim 8, wherein (A) comprises receiving a Kerberos ticket which includes the one or more device claims each describing an attribute of the client device, the Kerberos ticket having been generated based on a certificate which includes the one or more device claims.
  - 11. The computer-readable storage medium of claim 8, wherein (B) comprises generating a SAML token which includes the one or more device claims.
  - 12. The computer-readable storage medium of claim 8, wherein the instructions are executed by a security token service (STS) having a trust relationship with the application or with an entity having a trust relationship with the application.
  - 13. The computer-readable storage medium of claim 12, wherein the instructions are executed by the STS upon the client device being redirected to the STS after attempting to access the application.
  - 14. The computer-readable storage medium of claim 8, wherein (A) further comprises receiving one or more user claims each describing an attribute of a user of the client device, and (B) further comprises generating the data structure to also include the one or more user claims.

15. A client device, comprising at least one processor programmed to:
- request, from an attestation facility accessible to the client device via at least one network, a certificate which includes one or more trustworthy device claims, each device claim describing an attribute of the client device;
  
  provide, to a security token service (STS), the certificate or a Kerberos ticket generated using the certificate, the certificate or a Kerberos ticket including the one or more trustworthy device claims;
  
  receive, from the STS, a Security Assertion Markup Language (SAML) token including the one or more trustworthy device claims;
  
  employing the SAML token including the one or more trustworthy device claims in connection with a request to access a web application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The client device of claim 15, wherein the processor is further programmed to enable the client device to function as a desktop computer, laptop computer, mobile telephone, personal digital assistant, content reproduction device, television, or gaming console.
  - 17. The client device of claim 15, wherein each of the one or more trustworthy device claims describes an attribute of the client device selected from a group of attributes consisting ofwhether the client device is equipped with security software,whether the client device employs a firewall,whether a firewall employed by the client device is operational,whether anti-virus signatures on the client device are up-to-date,a role performed by the client device,an organization to which the client device is affiliated,an owner of the client device, anda geographic location of the device.
  - 18. The client device of claim 15, further comprising a web-enabled component, and wherein the at least one processor is programmed to enable the web-enabled component to employ the SAML token in connection with a request to access the web application.
  - 19. The client device of claim 17, wherein the web-enabled component comprises a browser application.
  - 20. The client device of claim 15, wherein the at least one processor is further programmed to receive, from the web application, output tailored to at least one attribute of the client device described by the one or more trustworthy device claims.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Novak, Mark, Tor, Yair, Neystadt, Eugene (John), Yassour, Yoav, Ortal, Amos, Alon, Daniel, Efron, Alexey, Didi, Ran

Granted Patent

US 8,528,069 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/51   at application loading time...

G06F 21/575   Secure boot

H04L 2209/127   Trusted platform modules [TPM]

H04L 9/3234   involving additional secure...

TRUSTWORTHY DEVICE CLAIMS FOR ENTERPRISE APPLICATIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTWORTHY DEVICE CLAIMS FOR ENTERPRISE APPLICATIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links