Secure dynamic credential distribution over a network

US 7,546,373 B2
Filed: 07/09/2004
Issued: 06/09/2009
Est. Priority Date: 11/14/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for automatically distributing logon credentials from a first device to a second device over a network, the method comprising:

receiving a secret from the second device at the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;

receiving a request for access to at least one resource of the first device from the second device over the network;

in response to said request, generating by the first device at least one logon credential for use in connection with logging onto the first device and sending the at least one logon credential to the second device over the network for use in automatically logging onto the first device, wherein the at least one logon credential is encrypted by the first device prior to being sent;

decrypting the at least one credential at the second device;

generating, at the second device, a logon request containing the at least one credential without storing the at least one credential;

encrypting the logon request with the at least one credential at the second device and sending the encrypted logon request with the at least one credential to the first device;

at the first device, decrypting the encrypted logon request with the at least one credential and determining the validity of the at least one credential contained in the encrypted logon request received from the second device; and

accepting the logon request if the at least one credential contained in the logon request is determined to be valid.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for enabling secure dynamic credential distribution to a machine over a network are provided. In various embodiments, a computer, into which logging or access is sought, distributes logon credentials automatically to a requestor over the network before logon. Based on pre-existing trust, the computer self-generates and self-distributes logon credentials to the requestor, whereby the logon credentials are not stored on the requestor device.

Citations

35 Claims

1. A method for automatically distributing logon credentials from a first device to a second device over a network, the method comprising:
- receiving a secret from the second device at the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;
  
  receiving a request for access to at least one resource of the first device from the second device over the network;
  
  in response to said request, generating by the first device at least one logon credential for use in connection with logging onto the first device and sending the at least one logon credential to the second device over the network for use in automatically logging onto the first device, wherein the at least one logon credential is encrypted by the first device prior to being sent;
  
  decrypting the at least one credential at the second device;
  
  generating, at the second device, a logon request containing the at least one credential without storing the at least one credential;
  
  encrypting the logon request with the at least one credential at the second device and sending the encrypted logon request with the at least one credential to the first device;
  
  at the first device, decrypting the encrypted logon request with the at least one credential and determining the validity of the at least one credential contained in the encrypted logon request received from the second device; and
  
  accepting the logon request if the at least one credential contained in the logon request is determined to be valid.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, wherein said secret is a public key of the second device.
  - 3. A method according to claim 1, further including performing said generating and said sending periodically to rotate said at least one logon credential.
  - 4. A method according to claim 1, further including sending acknowledgment of a successful login to the second device.
  - 5. A method according to claim 1, wherein said at least one trust mechanism is based on at least one of a biometric user input, a trust code and a hardware component.
  - 6. A computing device comprising means for carrying out the method of claim 1.

7. A machine that generates its own logon credentials for distribution to a requestor over a network, the machine comprising:
- a secure dynamic logon credential component for handling requests for access to at least one resource of the machine from the requestor, wherein in response to a request for access to at least one resource of the machine, based on a secret received from the requestor according to at least one trust mechanism that validates that the secret is authentically from the requestor, said secure dynamic logon credential component generates at least one logon credential for use in connection with logging onto the machine, encrypts the at least one logon credential based on the secret, and sends the encrypted at least one logon credential to the requestor over the network; and
  
  a second component that receives from the requestor an encrypted logon request containing the at least one logon credential, decrypts the encrypted logon request, and accepts the logon request if the at least one logon credential contained in the logon request is valid.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A machine according to claim 7, wherein said secret is a public key of the requestor.
  - 9. A machine according to claim 7, wherein said secure dynamic logon credential component generates, encrypts, and sends to the requestor a new at least one logon credential periodically to rotate said at least one logon credential.
  - 10. A machine according to claim 7, wherein said second component sends acknowledgment of a successful login to the requestor.
  - 11. A machine according to claim 7, wherein said at least one trust mechanism is based on at least one of a biometric user input, a trust code and a hardware component.

12. A method for automatically obtaining logon credentials from a first device by a second device for the purpose of logging onto the first device over a network, the method comprising:
- transmitting a secret from the second device to the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;
  
  requesting access to at least one resource of the first device by the second device over the network;
  
  in response to said requesting, receiving from the first device at least one logon credential for use in connection with logging onto the first device, wherein the at least one logon credential is encrypted by the first device using the secret before being received from the first device;
  
  without storing the at least one logon credential on the second device, generating, by the second device, a logon request containing the at least one logon credentialencrypting the logon request with the at least one logon credential; and
  
  sending the logon request from the second device to said first device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. A method according to claim 12, wherein said secret is a public key of the second device.
  - 14. A method according to claim 12, further including receiving at least one new logon credential periodically to rotate said at least one logon credential.
  - 15. A method according to claim 12, further comprising decrypting, by the second device, the at least one logon credential based on the secret.
  - 16. A method according to claim 15, wherein the at least one logon credential is decrypted based on a private key corresponding uniquely to a public key.
  - 17. A method according to claim 12, further including, in response to said sending, receiving acknowledgment of a successful login.
  - 18. A method according to claim 12, wherein said at least one trust mechanism is based on at least one of a biometric user input, a trust code and a hardware component.
  - 19. A computing device comprising means for carrying out the method of claim 12.

20. A client device that automatically obtains logon credentials from a host device for the purpose of logging onto the host device over a network, the client device comprising:
- a first component that sends a public key of the client to the host device according to at least one trust mechanism that is based on at least one of a biometric user input, a trust code and a hardware component, the at least one trust mechanism validating that the public key is authentically from the client device;
  
  a second component that requests access to at least one resource of the host device over the network; and
  
  a third component that receives from the host device, in response to requests by said second component, at least one encrypted logon credential for use in connection with logging onto the host device and decrypts the at least one encrypted logon credential, and, without storing the at least one decrypted logon credential on the client device, generates a logon request containing the at least one logon credential, encrypts the logon request with the at least one logon credential, and sends the encrypted logon request to said host device,wherein the third component receives an updated version of at least one logon credential periodically to rotate said at least one logon credential.
- View Dependent Claims (21, 22, 23)
- - 21. A client device according to claim 20, wherein said third component decrypts the at least one encrypted logon credential based on the public key.
  - 22. A client device according to claim 21, wherein said third component decrypts the at least one encrypted logon credential based on a private key corresponding uniquely to the public key.
  - 23. A client device according to claim 20, wherein said third component further receives acknowledgment of a successful login in response to said logon request.

24. A computer readable storage medium comprising computer executable instructions for automatically distributing logon credentials from a first device to a second device over a network, the computer executable instructions comprising instructions for:
- in the first device, obtaining a secret from the second device according to at least one trust mechanism that validates that the secret is authentically from the second device;
  
  receiving a request for access to at least one resource of the first device from the second device over the network;
  
  generating by the first device at least one logon credential in response to the request being received from the second device wherein said at least one logon credential is for logging onto the first device;
  
  in the first device, encrypting the at least one logon credential based on the secret;
  
  sending the at least one logon credential to the second device over the network for use in automatically logging onto the first device;
  
  receiving, in the first device from the second device, an encrypted logon request containing the at least one logon credentialin the first device, decrypting the encrypted logon request with the at least one logon credential;
  
  determining the validity of the at least one logon credential contained in the logon request; and
  
  accepting the logon request if the at least one credential contained in the logon request is determined valid.
- View Dependent Claims (25, 26, 27, 28)
- - 25. A computer readable storage medium according to claim 24, wherein said secret is a public key of the second device.
  - 26. A computer readable storage medium according to claim 24, further comprising computer executable instructions for performing said generating, said encrypting, and said sending periodically to rotate said at least one logon credential.
  - 27. A computer readable storage medium according to claim 24, further comprising computer executable instrustions for sending acknowledgement of a successful login to the second device.
  - 28. A computer readable storage medium according to claim 24, wherein said at least one trust mechanism is based on at least one of a biometric user input, a trust code and a hardware component.

29. A computer readable storage medium comprising computer executable modules having computer executable instructions for automatically obtaining logon credentials from a first device by a second device for the purpose of logging onto the first device over a network, the modules comprising:
- a first module for transmitting a secret from the second device to the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;
  
  a second module for requesting access to at least one resource of the first device over the network;
  
  a third module is for receiving in the second device from the first device at least one logon credential for use in connection with logging onto the second device in response to a request for access made by said means for requesting, wherein the at least one logon credential is encrypted by the first device based on the secret before the at least one logon credential is received in the second device;
  
  a fourth module for decrypting, in the second device, the encrypted at least one logon credential received from the first device; and
  
  a fifth module is for generating a logon request containing the at least one logon credential, encrypting the logon request, and sending the logon request to said first device without storing the at least one logon credential on the second device.
- View Dependent Claims (30, 31, 32, 33, 34, 35)
- - 30. A computer readable storage medium according to claim 29, wherein said secret is a public key of the second device.
  - 31. A computer readable storage medium according to claim 29, wherein said third module periodically receives at one new logon credential to rotate said at least one logon credential.
  - 32. A computer readable storage medium according to claim 29, wherein said fourth module decrypts at least one logon credential based on the secret.
  - 33. A computer readable storage medium according to claim 32, wherein said fourth module decrypts at least one logon credential based on a private key corresponding uniquely to a public key.
  - 34. A computer readable storage medium according to claim 29, further including a sixth module for receiving acknowledgment of a successful login in response to the logon request.
  - 35. A computer readable storage medium according to claim 29, wherein said at least one trust mechanism is based on at least one of a biometric user input,a trust code and a hardware component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pyle, Harry S., Lehew, Christian R., Fang, Nicholas Jie
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Fields; Courtney D

Application Number

US10/888,190
Publication Number

US 20050108546A1
Time in Patent Office

1,796 Days
Field of Search

713/182, 713/184, 726/5, 726/8, 726/2, 709/229
US Class Current

709/229
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/126   the source of the received ...

Secure dynamic credential distribution over a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Secure dynamic credential distribution over a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links