Secure identification of intranet network
First Claim
1. A method performed on a first computing device, the method comprising generating a signature of a network based on an identifier of a second computing device and a name, where the name is selected from a first name and a second name in response to a first condition, where the identifier is selected from a single identifier and a combination of identifiers in response to a second condition, where the first computing device and the second computing device are each coupled to the network, where the generated network signature is not obtainable from outside the network, where the generated network signature is configured to preclude spoofing of the network, where the first condition comprises determining whether or not a root domain identifier is available from the network, and in response to determining that the root domain identifier is available from the network, then selecting the first name as the name, and in response to determining that the root domain identifier is not available from the network, then selecting the second name as the name, and where the second condition comprises determining whether or not the first computing device is authenticated to the second computing device, and in response to determining that the first device is authenticated to the second device, then selecting the single identifier as the identifier, and in response to determining that the first device is not authenticated to the second device, then further determining whether or not the first computing device was previously authenticated to the second computing device, and in response to determining that the first computing device was previously authenticated to the second computing device, then selecting the combination of identifiers as the identifier, and in response to determining that the first computing device was not previously authenticated to the second computing device, then selecting the single identifier as the identifier.
Abstract
A method is provided for network identification based on high entropy data on a network which are not easily guessed or obtained outside the network, which can prevent an attacker from “spoofing” the network. A component in a client computer connected to a network may obtain over the network a network data block including device identification information of a device controlling the network. Upon parsing the network data block, such high entropy data as unique device identifiers may be obtained from the device identification information. Depending on availability of the unique device identifiers and authentication history of the client computer, different combinations of the unique device identifiers and/or other identification information may be used to generate a unique network identifier such as a network signature. The component may provide the network signature to applications within the client computer.
18 Claims
- 7. At least one computer storage device storing computer-executable instructions that, when executed by a first computing device, cause the first computing device to perform actions comprising generating a signature of a network based on an identifier of a second computing device and a name, where the name is selected from a first name and a second name in response to a first condition, where the identifier is selected from a single identifier and a combination of identifiers in response to a second condition, where the first computing device and the second computing device are each coupled to the network, where the generated network signature is not obtainable from outside the network, where the generated network signature is configured to preclude spoofing of the network, where the first condition comprises determining whether or not a root domain identifier is available from the network, and in response to determining that the root domain identifier is available from the network, then selecting the first name as the name, and in response to determining that the root domain identifier is not available from the network, then selecting the second name as the name, and where the second condition comprises determining whether or not the first computing device is authenticated to the second computing device, and in response to determining that the first device is authenticated to the second device, then selecting the single identifier as the identifier, and in response to determining that the first device is not authenticated to the second device, then further determining whether or not the first computing device was previously authenticated to the second computing device, and in response to determining that the first computing device was previously authenticated to the second computing device, then selecting the combination of identifiers as the identifier, and in response to determining that the first computing device was not previously authenticated to the second computing device, then selecting the single identifier as the identifier.
- 13. A first computing device and at least one program module together configured for generating a signature of a network based on an identifier of a second computing device and a name, where the name is selected from a first name and a second name in response to a first condition, where the identifier is selected from a single identifier and a combination of identifiers in response to a second condition, where the first computing device and the second computing device are each coupled to the network, where the generated network signature is not obtainable from outside the network, where the generated network signature is configured to preclude spoofing of the network, where the first condition comprises determining whether or not a root domain identifier is available from the network, and in response to determining that the root domain identifier is available from the network, then selecting the first name as the name, and in response to determining that the root domain identifier is not available from the network, then selecting the second name as the name, and where the second condition comprises determining whether or not the first computing device is authenticated to the second computing device, and in response to determining that the first device is authenticated to the second device, then selecting the single identifier as the identifier, and in response to determining that the first device is not authenticated to the second device, then further determining whether or not the first computing device was previously authenticated to the second computing device, and in response to determining that the first computing device was previously authenticated to the second computing device, then selecting the combination of identifiers as the identifier, and in response to determining that the first computing device was not previously authenticated to the second computing device, then selecting the single identifier as the identifier.
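The two selection conditions that the abstract and the independent claims describe, written out as a worked example; this is added illustration code, not the patent's or any product's implementation. The data-block field names, joining a combination of identifiers with "|", and deriving the signature with SHA-256 over length-prefixed parts are assumptions made here, since the claims fix the selection logic but not the encoding or hash function.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NetworkDataBlock:
    """Device identification data parsed from the device controlling the network.
    Field names are this example's assumptions, not the patent's terms."""
    root_domain_id: Optional[str]     # root domain identifier, None when the network has none
    fallback_name: str                # the "second name", e.g. a connection-specific DNS suffix
    device_ids: Tuple[str, ...]       # unique identifiers of the controlling (second) device


def select_name(block: NetworkDataBlock) -> str:
    """First condition: use the root domain identifier when available, else the second name."""
    return block.root_domain_id if block.root_domain_id is not None else block.fallback_name


def select_identifier(block: NetworkDataBlock, authenticated_now: bool,
                      authenticated_before: bool) -> str:
    """Second condition: the single identifier when currently authenticated or never
    authenticated; the combination only when previously but not currently authenticated."""
    if not block.device_ids:
        # Without a unique device identifier there is no high-entropy input, so refuse
        # rather than degrade to a name-only signature an outsider could guess.
        raise ValueError("no device identifier available from the network")
    if authenticated_now or not authenticated_before:
        return block.device_ids[0]
    return "|".join(block.device_ids)


def network_signature(block: NetworkDataBlock, authenticated_now: bool,
                      authenticated_before: bool) -> str:
    """Derive the network signature handed to applications from the selected name and
    identifier. SHA-256 over length-prefixed parts is an assumption of this example."""
    name = select_name(block).encode("utf-8")
    ident = select_identifier(block, authenticated_now, authenticated_before).encode("utf-8")
    h = hashlib.sha256()
    for part in (name, ident):
        h.update(len(part).to_bytes(4, "big"))   # length prefix: no name/identifier boundary ambiguity
        h.update(part)
    return h.hexdigest()
```

The digest only resists spoofing to the extent its inputs do: a network whose data block carries no unique device identifier yields no signature here, instead of a token derived from a name alone.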
Specification