Peer-to-peer authentication and authorization

US 7,350,074 B2
Filed: 04/20/2005
Issued: 03/25/2008
Est. Priority Date: 04/20/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer storage medium having computer-executable instructions for authenticating a first computing device at a second computing device, the computer-readable instructions performing steps comprising:

creating a root store and a trusted people store on the second computing device wherein the trusted people store comprises certificates different from certificates in the root store;

receiving one or more certificates from the first computing device at the second computing device;

determining if any of the certificates of the one or more certificates contains an identifier corresponding to a certificate contained in the trusted people store;

authenticating the first computing device if any of the certificates of the trusted people store identifies the first computing device, otherwisedetermining if a last certificate of the one or more certificates is signed by a trusted root store entity, wherein the trusted root store entity is identified by a signed certificate placed in a trusted root store of the second computing device;

determining if a first certificate of the one or more certificates identifies the first computing device;

determining if each certificate of the one or more certificates is authenticated by a preceding certificate of the one or more certificates; and

authenticating the first computing device if the last certificate of the one or more certificates is signed by the trusted root store entity, if the first certificate of the one or more certificates identifies the first computing device, and if each certificate of the one or more certificates is authenticated by the preceding certificate of the one or more certificates.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication mechanism uses a trusted people store that can be populated on an individual basis by users of computing devices, and can comprise certificates of entities that the user wishes to allow to act as certification authorities. Consequently, peer-to-peer connections can be made even if neither device presents a certificate or certificate chain signed by a third-party certificate authority, so long as each device present a certificate or certificate chain signed by a device present in the trusted people store. Once authenticated, a remote user can access trusted resources on a host device by having local processes mimic the user and create an appropriate token by changing the user'"'"'s password or password type to a hash of the user'"'"'s certificate and then logging the user on. The token can be referenced in a standard manner to determine whether the remote user is authorized to access the trusted resource.

63 Citations

View as Search Results

20 Claims

1. A computer storage medium having computer-executable instructions for authenticating a first computing device at a second computing device, the computer-readable instructions performing steps comprising:
- creating a root store and a trusted people store on the second computing device wherein the trusted people store comprises certificates different from certificates in the root store;
  
  receiving one or more certificates from the first computing device at the second computing device;
  
  determining if any of the certificates of the one or more certificates contains an identifier corresponding to a certificate contained in the trusted people store;
  
  authenticating the first computing device if any of the certificates of the trusted people store identifies the first computing device, otherwisedetermining if a last certificate of the one or more certificates is signed by a trusted root store entity, wherein the trusted root store entity is identified by a signed certificate placed in a trusted root store of the second computing device;
  
  determining if a first certificate of the one or more certificates identifies the first computing device;
  
  determining if each certificate of the one or more certificates is authenticated by a preceding certificate of the one or more certificates; and
  
  authenticating the first computing device if the last certificate of the one or more certificates is signed by the trusted root store entity, if the first certificate of the one or more certificates identifies the first computing device, and if each certificate of the one or more certificates is authenticated by the preceding certificate of the one or more certificates.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer storage medium of claim 1, wherein the trusted people store of the second computing device comprises signed certificates of entities deemed by a user of the second computing device to be trustworthy, the signed certificates having been placed in the trusted people store of the second computing device under the direction of the user of the second computing device.
  - 3. The computer storage medium of claim 1, wherein the one or more certificates comprises a certificate chain ending with a group certificate, wherein the group certificate is provided as a root certificate on an individual basis without being stored in either the trusted root store or the trusted people store.
  - 4. The computer storage medium of claim 1, wherein the trusted people store of the second computing device is a logged-on user'"'"'s trusted people store corresponding to a user currently logged onto the second computing device, and wherein further each user of the second computing device has a corresponding trusted people store.
  - 5. The computer storage medium of claim 1, wherein each entity identified by a signed certificate in the trusted people store of the second computing device has a corresponding account on the second computing device.
  - 6. The computer storage medium of claim 1, wherein the computer-executable instructions perform further steps comprising:
    - receiving, from a user of the first computing device, a request to access a trusted resource on the second computing device;
      
      changing a password element of an account of the user on the second computing device;
      
      logging into the user'"'"'s account using the changed password element, wherein the logging into the user'"'"'s account generates a token;
      
      accessing the trusted resource with the token; and
      
      providing the results of the accessing to the user at the first computing device.
  - 7. The computer storage medium of claim 6, wherein the logging into the user'"'"'s account comprises providing credentials and the changed password element to a kernel mode process via a remote procedure call.

8. A computer storage medium having computer-executable instructions for authorizing a user at a first computing device to access a trusted resource at a second computing device, the computer-readable instructions performing steps comprising:
- receiving, from the user, a request to access the trusted resource on the second computing device;
  
  changing a password element of a user account on the second computing device based on a certificate of the first computing device stored in a trusted people store of the second computing device;
  
  logging into the user account using the changed password element, thereby generating a token;
  
  accessing the trusted resource with the token; and
  
  providing the results of the accessing to the user at the first computing device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer storage medium of claim 8, wherein the changing the password element of the user'"'"'s account comprises changing a password protocol so as to use a hash of a certificate of the user to log into the user'"'"'s account.
  - 10. The computer storage medium of claim 8, wherein the logging into the user'"'"'s account comprises providing credentials and the changed password element to a high privilege process via a remote procedure call.
  - 11. The computer storage medium of claim 8, wherein the providing the results comprises providing a failure indication to the user at the first computing device if the accessing of the trusted resource with the token was not successful, and providing data from the trusted resource to the user at the first computing device if the accessing of the trusted resource with the token was successful, the data being obtained via a send-bytes-type command.
  - 12. The computer storage medium of claim 8, wherein the computer-executable instructions perform further steps comprising:
    - receiving one or more certificates from the first computing device at the second computing device;
      
      determining if a last certificate of the one or more certificates is signed by a trusted people store entity, wherein the trusted people store entity is identified by a signed certificate placed in the trusted people store of the second computing device, and wherein further the trusted people store of the second computing device comprises different certificates than certificates in a trusted root store of the second computing device;
      
      determining if a first certificate of the one or more certificates identifies the first computing device;
      
      determining if each certificate of the one or more certificates is authenticated by a preceding certificate of the one or more certificates; and
      
      authenticating the first computing device if the last certificate of the one or more certificates is signed by the trusted people store entity, if the first certificate of the one or more certificates identifies the first computing device, and if each certificate of the one or more certificates is authenticated by the preceding certificate of the one or more certificates.
  - 13. The computer storage medium of claim 12, wherein the trusted people store of the second computing device comprises signed certificates of entities deemed by a user of the second computing device to be trustworthy, the signed certificates having been placed in the trusted people store of the second computing device under the direction of the user of the second computing device.
  - 14. The computer storage medium of claim 12, wherein the trusted people store of the second computing device is a logged-on user'"'"'s trusted people store corresponding to a user currently logged onto the second computing device, and wherein further each user of the second computing device has a corresponding trusted people store.

15. A computing device comprising:
- a trusted root store comprising signed certificates different from certificates in a trusted people store;
  
  the trusted people store comprising signed certificates of entities deemed by a user of the computing device to be trustworthy, the signed certificates having been placed in the trusted people store under the direction of the user;
  
  a network interface, the network interface performing steps comprising;
  
  receiving one or more certificates from another computing device; and
  
  a processing unit, the processing unit performing steps comprising;
  
  determining if any of the certificates of the one or more certificates contains an identifier corresponding to a certificate contained in the trusted people store, authenticating the first computing device if any of the certificates of the trusted people store identifies the first computing device, and otherwise authenticating the other computing device if a last certificate of the one or more certificates is signed by a trusted root store entity, wherein the trusted root store entity is identified by a signed certificate in the trusted root store, if a first certificate of the one or more certificates identifies the other computing device, and if each certificate of the one or more certificates is authenticated by a preceding certificate of the one or more certificates.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing device of claim 15, wherein the network interface performs further steps comprising:
    - receiving, from a user on the other computing device, a request to access a trusted resource on the computing device; and
      
      wherein the processing unit performs further steps comprising;
      
      changing a password element of an account of the user on the computing device, logging into the user'"'"'s account using the changed password element, wherein the logging into the user'"'"'s account generates a token, accessing the trusted resource with the token, and providing the results of the accessing to the user at the other computing device.
  - 17. The computing device of claim 16, wherein the changing the password element of the user'"'"'s account comprises changing a password protocol so as to use a hash of a certificate of the user to log into the user'"'"'s account.
  - 18. The computing device of claim 16, wherein the logging into the user'"'"'s account comprises providing credentials and the changed password element to a kernel mode process on the computing device via a remote procedure call.
  - 19. The computing device of claim 15, wherein the trusted people store is specific to a user account of the computing device.
  - 20. The computing device of claim 15, wherein each entity identified by a signed certificate in the trusted people store has a corresponding account on the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Singhal, Sandeep K., Rao, Ravi T., Manion, Todd R., Gupta, Rohit
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
DAVIS, ZACHARY A

Application Number

US11/110,592
Publication Number

US 20060242405A1
Time in Patent Office

1,070 Days
Field of Search

713/156, 713/157, 713/168, 713/175, 713/182, 726/5, 726/10
US Class Current

713/157
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 9/321   involving a third party or ...

H04L 9/3265   using certificate chains, t...

Peer-to-peer authentication and authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Peer-to-peer authentication and authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links