TRANSPORT LAYER SECURITY TOKEN BINDING AND TRUSTED SIGNING

US 20170289197A1
Filed: 11/03/2016
Published: 10/05/2017
Est. Priority Date: 03/31/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing data communications, the method comprising:

establishing a secure communication session between a client device and a server over a network, the secure communication session comprising one or more communication subsessions in which data is exchanged between the client device and the server, wherein establishing the secure communication session comprises;

providing an access token to the server, the access token comprising information for securely binding the one or more communication subsessions to the secure communication session, andproviding attestation information to the server, the attestation information attesting to security of management of the access token by the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing data communications are provided. A method according to these techniques includes establishing a secure communication session between a client device and a server over a network, the secure communication session comprising one or more communication subsessions in which data is exchanged between the client device and the server. Establishing the secure communication session include providing an access token to the server, the access token comprising information for securely binding the one or more communication subsessions to the secure communication session, and providing attestation information to the server, the attestation information attesting to security of management of the access token by the client device.

61 Citations

24 Claims

1. A method for managing data communications, the method comprising:
- establishing a secure communication session between a client device and a server over a network, the secure communication session comprising one or more communication subsessions in which data is exchanged between the client device and the server, wherein establishing the secure communication session comprises;
  
  providing an access token to the server, the access token comprising information for securely binding the one or more communication subsessions to the secure communication session, andproviding attestation information to the server, the attestation information attesting to security of management of the access token by the client device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein providing the attestation information to the server comprises signing at least a portion of the attestation information with an attestation private key associated with a secure component of the client device and providing the attestation information that has been signed to the server.
  - 3. The method of claim 2, further comprising:
    - estimating a lifespan of a communication subsession associated with the secure communication session; and
      
      selecting a technique for signing the access token from a plurality of techniques of which the client device is configured to perform based on the lifespan estimated of the communication sub session and an estimate of a time to perform the technique selected for signing at least the portion of the attestation information.
  - 4. The method of claim 1, further comprising:
    - selecting a technique for signing data to be communicated to the server from a plurality of techniques of which the client device is configured to perform based on policy information received from the server.
  - 5. The method of claim 1, wherein the attestation information comprises at least one of information identifying which encryption algorithms that the client device is configured to support, information indicating whether the access token is stored in a secured memory location, or information indicating whether a private key associated with the client device is stored in the secured memory location.
  - 6. The method of claim 1, wherein providing the attestation information to the server further comprises:
    - providing an indicator that the client device will suppress sending the attestation information for future secure communication sessions between the client device and the server.

7. An apparatus for managing data communications, the apparatus comprising:
- means for establishing a secure communication session between the apparatus and a server over a network, the secure communication session comprising one or more communication subsessions in which data is exchanged between the apparatus and the server, wherein the means for establishing the secure communication session comprises;
  
  means for providing an access token to the server, the access token comprising information for securely binding the one or more communication subsessions to the secure communication session, andmeans for providing attestation information to the server, the attestation information attesting to security of management of the access token by the apparatus.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the means for providing the attestation information to the server comprises means for signing at least a portion of the attestation information with an attestation private key associated with a secure component of the apparatus and providing the attestation information that has been signed to the server.
  - 9. The apparatus of claim 8, further comprising:
    - means for estimating a lifespan of a communication subsession associated with the secure communication session; and
      
      means for selecting a technique for signing the access token from a plurality of techniques of which the apparatus is configured to perform based on the lifespan estimated of the communication subsession and an estimate of a time to perform the technique selected for signing at least the portion of the attestation information.
  - 10. The apparatus of claim 7, further comprising:
    - means for selecting a technique for signing data to be communicated to the server from a plurality of techniques of which the apparatus is configured to perform based on policy information received from the server.
  - 11. The apparatus of claim 7, wherein the attestation information comprises at least one of information identifying which encryption algorithms that the apparatus is configured to support, information indicating whether the access token is stored in a secured memory location, or information indicating whether a private key associated with the apparatus is stored in the secured memory location.
  - 12. The apparatus of claim 7, wherein the means for providing the attestation information to the server further comprises:
    - means for providing an indicator that the apparatus will suppress sending the attestation information for future secure communication sessions between the apparatus and the server.

13. A non-transitory, computer-readable medium, having stored thereon computer-readable instructions for managing data communications, comprising instructions configured to cause at least one processor to:
- establish a secure communication session between a client device and a server over a network, the secure communication session comprising one or more communication subsessions in which data is exchanged between the client device and the server, wherein the instructions configured to cause the at least one processor to establish the secure communication session comprises instructions to cause the at least one processor to;
  
  provide an access token to the server, the access token comprising information for securely binding the one or more communication subsessions to the secure communication session, andprovide attestation information to the server, the attestation information attesting to security of management of the access token by the client device.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory, computer-readable medium of claim 13, wherein the instructions configured to cause the at least one processor to provide the attestation information to the server comprise instructions configured to cause the at least one processor to sign at least a portion of the attestation information with an attestation private key associated with a secure component of the client device and providing the attestation information that has been signed to the server.
  - 15. The non-transitory, computer-readable medium of claim 14, further comprising instructions configured to cause the at least one processor to:
    - estimate a lifespan of a communication subsession associated with the secure communication session; and
      
      select a technique for signing the access token from a plurality of techniques of which the client device is configured to perform based on the lifespan estimated of the communication sub session and an estimate of a time to perform the technique selected for signing at least the portion of the attestation information.
  - 16. The non-transitory, computer-readable medium of claim 13, further comprising instructions configured to cause the at least one processor to:
    - select a technique for signing data to be communicated to the server from a plurality of techniques of which the client device is configured to perform based on policy information received from the server.
  - 17. The non-transitory, computer-readable medium of claim 13, wherein the attestation information comprises at least one of information identifying which encryption algorithms that the client device is configured to support, information indicating whether the access token is stored in a secured memory location, or information indicating whether a private key associated with the client device is stored in the secured memory location.
  - 18. The non-transitory, computer-readable medium of claim 13, further comprising instructions configured to cause the at least one processor to:
    - provide an indicator that the client device will suppress sending the attestation information for future secure communication sessions between the client device and the server.

19. A client device comprising:
- a processor configured to;
  
  establish a secure communication session between the client device and a server over a network, the secure communication session comprising one or more communication subsessions in which data is exchanged between the client device and the server, wherein the processor is configured to;
  
  provide an access token to the server, the access token comprising information for securely binding the one or more communication subsessions to the secure communication session, andprovide attestation information to the server, the attestation information attesting to security of management of the access token by the client device.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The client device of claim 19, wherein the processor is configured to sign at least a portion of the attestation information with an attestation private key associated with a secure component of the client device and providing the attestation information that has been signed to the server.
  - 21. The client device of claim 20, wherein the processor is further configured to:
    - estimate a lifespan of a communication subsession associated with the secure communication session; and
      
      select a technique for signing the access token from a plurality of techniques of which the client device is configured to perform based on the lifespan estimated of the communication sub session and an estimate of a time to perform the technique selected for signing at least the portion of the attestation information.
  - 22. The client device of claim 19, wherein the processor is further configured to:
    - select a technique for signing data to be communicated to the server from a plurality of techniques of which the client device is configured to perform based on policy information received from the server.
  - 23. The client device of claim 19, wherein the attestation information comprises at least one of information identifying which encryption algorithms that the client device is configured to support, information indicating whether the access token is stored in a secured memory location, or information indicating whether a private key associated with the client device is stored in the secured memory location.
  - 24. The client device of claim 19, wherein the processor is further configured to:
    - provide to the server an indicator that the client device will suppress sending the attestation information for future secure communication sessions between the client device and the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
MANDYAM, Giridhar, AZEN, Jon, LUNDBLADE, Laurence

Application Number

US15/342,859
Publication Number

US 20170289197A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/141   Setup of application sessio...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/32   including means for verifyi...

TRANSPORT LAYER SECURITY TOKEN BINDING AND TRUSTED SIGNING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

TRANSPORT LAYER SECURITY TOKEN BINDING AND TRUSTED SIGNING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links