Communication channel access based on channel identifier and use policy

US 8,296,564 B2
Filed: 02/17/2009
Issued: 10/23/2012
Est. Priority Date: 02/17/2009
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing device, the method comprising:

obtaining an identifier of a communication channel;

obtaining a use policy identifying how an owner of the communication channel indicates the communication channel is used;

generating, using a private key of a public/private key pair of the owner, a digital signature over the identifier and the use policy;

associating the identifier, the use policy, and the digital signature with the communication channel;

retrieving, from a communication channel authenticator of an additional communication channel, an additional identifier of the additional communication channel and an additional use policy identifying how an owner of the additional communication channel indicates the additional communication channel is used;

verifying the additional identifier and the additional use policy;

checking whether a current security policy of the computing device is satisfied by the additional use policy; and

determining, based at least in part on both whether the current security policy is satisfied by the additional use policy and whether the additional identifier and the additional use policy are verified, an access that the computing device is allowed to have to the additional communication channel.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.

Citations

20 Claims

1. A method implemented in a computing device, the method comprising:
- obtaining an identifier of a communication channel;
  
  obtaining a use policy identifying how an owner of the communication channel indicates the communication channel is used;
  
  generating, using a private key of a public/private key pair of the owner, a digital signature over the identifier and the use policy;
  
  associating the identifier, the use policy, and the digital signature with the communication channel;
  
  retrieving, from a communication channel authenticator of an additional communication channel, an additional identifier of the additional communication channel and an additional use policy identifying how an owner of the additional communication channel indicates the additional communication channel is used;
  
  verifying the additional identifier and the additional use policy;
  
  checking whether a current security policy of the computing device is satisfied by the additional use policy; and
  
  determining, based at least in part on both whether the current security policy is satisfied by the additional use policy and whether the additional identifier and the additional use policy are verified, an access that the computing device is allowed to have to the additional communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, wherein the communication channel comprises a removable storage device.
  - 3. A method as recited in claim 2, wherein the use policy identifies how the owner indicates data stored on the removable storage device will be used.
  - 4. A method as recited in claim 2, wherein the use policy identifies an entity that originated protection of the removable storage device.
  - 5. A method as recited in claim 2, the associating comprising storing the use policy and the digital signature on the removable storage device.
  - 6. A method as recited in claim 2, wherein the additional communication channel comprises an additional removable storage device.
  - 7. A method as recited in claim 1, the obtaining an identifier comprising obtaining the identifier from the communication channel.
  - 8. A method as recited in claim 1, the associating comprising storing the identifier, the use policy, and the digital signature on the communication channel.
  - 9. A method as recited in claim 1, wherein the communication channel comprises a communication conduit.
  - 10. A method as recited in claim 1, wherein the additional communication channel comprises a removable storage device, and wherein the determining comprises allowing read-write access to the removable storage device only if an entity that originated protection of the removable storage device is a same entity as an entity that implements the current security policy protecting the computing device, the entity that originated protection of the removable storage device being identified in the additional use policy.

11. One or more computer storage media devices having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to perform acts comprising:
- obtaining a first identifier of a first communication channel;
  
  obtaining a first use policy identifying how an owner of the first communication channel indicates the first communication channel is used;
  
  generating, using a private key of a public/private key pair of the owner, a first digital signature over the first identifier and the first use policy;
  
  associating the first identifier, the first use policy, and the first digital signature with the first communication channel;
  
  retrieving, from a communication channel authenticator of a second communication channel, a second identifier of the second communication channel and a second use policy identifying how an owner of the second communication channel indicates the second communication channel is used;
  
  verifying the second identifier and the second use policy;
  
  checking whether a current security policy of the computing device is satisfied by the second use policy; and
  
  determining, based at least in part on both whether the current security policy is satisfied by the second use policy and whether the second identifier and the second use policy are verified, an access that the computing device is allowed to have to the second communication channel.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. One or more computer storage media devices as recited in claim 11, wherein the second communication channel comprises a removable storage device.
  - 13. One or more computer storage media devices as recited in claim 12, the determining comprising allowing read-write access to the removable storage device only if an entity that originated protection of the removable storage device is a same entity as an entity that implements the current security policy protecting the computing device, the entity that originated protection of the removable storage device being identified in the second use policy.
  - 14. One or more computer storage media devices as recited in claim 11, wherein the access is read-only access if one or more of the current security policy is not satisfied, the second identifier is not verified, or the second use policy is not verified.
  - 15. One or more computer storage media devices as recited in claim 14, wherein the access is read-write access if the current security policy is satisfied, the second identifier is verified, and the second use policy is verified.
  - 16. One or more computer storage media devices as recited in claim 11, the verifying comprising using a second digital signature in the communication channel authenticator to verify that the second identifier and the second use policy have not been changed since the second digital signature was generated.
  - 17. One or more computer storage media devices as recited in claim 16, the determining being further based at least in part on a trust level that the computing device has for the owner of the second communication channel.
  - 18. One or more computer storage media devices as recited in claim 11, wherein the communication channel comprises a communication conduit.

19. A system, implemented at least in part in hardware, comprising:
- one or more modules to;
  
  obtain an identifier of a communication channel;
  
  obtain a use policy identifying how an owner of the communication channel indicates the communication channel is used;
  
  generate, using a private key of a public/private key pair of the owner, a digital signature over the identifier and the use policy; and
  
  associate the identifier, the use policy, and the digital signature with the communication channel; and
  
  one or more modules to;
  
  retrieve, from a communication channel authenticator of an additional communication channel, an additional identifier of the additional communication channel and an additional use policy identifying how an owner of the additional communication channel indicates the additional communication channel is used;
  
  verify the additional identifier and the additional use policy;
  
  check whether a current security policy of the computing device is satisfied by the additional use policy; and
  
  determine, based at least in part on both whether the current security policy is satisfied by the additional use policy and whether the additional identifier and the additional use policy are verified, an access that the computing device is allowed to have to the additional communication channel.
- View Dependent Claims (20)
- - 20. A system as recited in claim 19, wherein the communication channel and the additional communication channel comprise removable storage devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ureche, Octavian T., Semenko, Alex M., Vinayak, Sai, Ellison, Carl M.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Hailu, Teshome

Application Number

US12/372,476
Publication Number

US 20100211792A1
Time in Patent Office

1,344 Days
Field of Search

713/168, 726/1
US Class Current

713/168
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/126   the source of the received ...

H04L 9/3247   involving digital signatures

Communication channel access based on channel identifier and use policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Communication channel access based on channel identifier and use policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links