Communication channel claim dependent security precautions

US 8,914,874 B2
Filed: 07/21/2009
Issued: 12/16/2014
Est. Priority Date: 07/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing device, the method comprising:

responsive to the computing device desiring access to a communication channel device and prior to determining security precautions for use by the computing device and the communication channel device during a data transfer;

obtaining a set of security claims for the communication channel device, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel device;

comparing the set of security claims for the communication channel device to a security policy of the computing device;

identifying an entity that has digitally signed the set of security claims; and

determining one or more security precautions that the computing device is to use in transferring data to and/or from the communication channel device, the determining being based at least in part on the comparing, the entity that has digitally signed the set of security claims, and a communication channel class identifier that has been digitally signed by the entity, the communication channel class identifier identifying a class of the communication channel device such that different communication channels of a same class share a same communication channel class identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A set of security claims for a communication channel are obtained, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel. The security claims are stored, as is a digital signature generated over the set of security claims by an entity. The security claims and digital signature are subsequently accessed when a computing device is to transfer data to and/or from the communication channel. The set of security claims is compared to a security policy of the computing device, and the entity that digitally signed the set of security claims is identified. One or more security precautions that the computing device is to use in transferring data to and/or from the communication channel are determined based at least in part on the comparing and the entity that has digitally signed the set of security claims.

34 Citations

20 Claims

1. A method implemented in a computing device, the method comprising:
- responsive to the computing device desiring access to a communication channel device and prior to determining security precautions for use by the computing device and the communication channel device during a data transfer;
  
  obtaining a set of security claims for the communication channel device, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel device;
  
  comparing the set of security claims for the communication channel device to a security policy of the computing device;
  
  identifying an entity that has digitally signed the set of security claims; and
  
  determining one or more security precautions that the computing device is to use in transferring data to and/or from the communication channel device, the determining being based at least in part on the comparing, the entity that has digitally signed the set of security claims, and a communication channel class identifier that has been digitally signed by the entity, the communication channel class identifier identifying a class of the communication channel device such that different communication channels of a same class share a same communication channel class identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, wherein the security policy of the computing device indicates that data on the communication channel device is to be encrypted using a particular type of encryption, wherein the set of security claims indicates whether the communication channel device encrypts data using the particular type of encryption, and the determining comprises:
    - determining that data transferred to the communication channel device is to be encrypted using the particular type of encryption if the communication channel device does not encrypt data using the particular type of encryption; and
      
      determining that data transferred to the communication channel device need not be encrypted if the communication channel device does encrypt data using the particular type of encryption as indicated by the set of security claims.
  - 3. The method as recited in claim 1, wherein the security policy indicates that data on the communication channel device is to be encrypted using a particular type of encryption unless a particular entity is responsible for controlling the communication channel device, wherein the set of security claims indicates whether the particular entity is responsible for controlling the communication channel device, and the determining comprises:
    - determining that data transferred to the communication channel device is to be encrypted using the particular type of encryption if an entity responsible for controlling the communication channel device is not the particular entity; and
      
      determining that data transferred to the communication channel device need not be encrypted if the entity responsible for controlling the communication channel device is the particular entity.
  - 4. The method as recited in claim 1, wherein the security policy indicates that the communication channel device is to enforce a particular agreement in allowing data to be transferred to the communication channel device, wherein the set of security claims indicates whether the communication channel device enforces the particular agreement, and the determining comprises:
    - determining that data can be transferred from the communication channel device if the communication channel device enforces the particular agreement; and
      
      determining that data is not to be transferred from the communication channel device if the communication channel device does not enforce the particular agreement.
  - 5. The method as recited in claim 1, further comprising:
    - repeating the obtaining, comparing, and identifying for an additional set of security claims, the additional set of security claims and the set of security claims having been digitally signed by different entities; and
      
      wherein the determining is based at least in part on comparing the set of security claims to the security policy, comparing the additional set of security claims to the security policy, the entity that has digitally signed the set of security claims, and the entity that has digitally signed the additional set of security claims.
  - 6. The method as recited in claim 5, wherein the set of security claims includes a security characteristic identifying a type of encryption that the communication channel device uses to encrypt data the communication channel device receives, and the additional set of security claims includes a security characteristic identifying a source of a key the communication channel device uses to encrypt data the communication channel device receives.
  - 7. The method as recited in claim 1, wherein the determining is further based at least in part on verifying that the communication channel identifier that has been digitally signed by the entity with the set of security claims is the same as a communication channel identifier of the communication channel device.
  - 8. The method as recited in claim 1, wherein security precautions satisfied by the set of security claims need not be included in the one or more security precautions that the computing device is to use in transferring data to and/or from the communication channel device.

9. A method implemented in a computing device, the method comprising:
- obtaining a channel identifier of a communication channel, the communication channel comprising a communication channel device;
  
  obtaining a set of security claims of the communication channel, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel;
  
  obtaining, from a trust authority, a digital signature over the set of security claims and the channel identifier;
  
  generating a channel security descriptor including the channel identifier, the set of security claims, the digital signature, and a communication channel class identifier that has been digitally signed, the communication channel class identifier identifying a class of the communication channel device such that different communication channels of a same class share a same communication channel class identifier, the channel security descriptor available for analysis by the computing device when access to the communication channel is desired by the computing device; and
  
  storing the channel security descriptor.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The method as recited in claim 9, wherein storing the channel security descriptor comprises storing the channel security descriptor on the communication channel device.
  - 11. The method as recited in claim 9, wherein the communication channel device is a removable storage device and the channel class identifier is an identifier of a class of removable storage devices.
  - 12. The method as recited in claim 9, wherein the trust authority comprises the computing device.
  - 13. The method as recited in claim 9, further comprising:
    - obtaining one or more additional sets of security claims of the communication channel;
      
      obtaining, for each of the one or more additional sets of security claims, a digital signature over the additional set of security claims and the channel identifier; and
      
      wherein generating the channel security descriptor comprises generating the channel security descriptor including the channel identifier, the set of security claims, each of the additional sets of security claims, and the digital signatures.
  - 14. The method as recited in claim 13, wherein the set of security claims includes a first security characteristic indicating a type of encryption the communication channel uses to encrypt data received by the communication channel, and wherein one of the additional sets of security claims includes a second security characteristic indicating a source of a key used by the communication channel to encrypt data received by the communication channel.
  - 15. The method as recited in claim 9, wherein the set of security claims includes a security characteristic indicating a type of encryption the communication channel uses to encrypt data received by the communication channel.
  - 16. The method as recited in claim 9, wherein the set of security claims includes a security characteristic indicating a particular entity that is responsible for controlling the communication channel.
  - 17. The method as recited in claim 9, wherein the set of security claims includes a security characteristic indicating a particular agreement that the communication channel enforces in allowing data to be transferred to the communication channel.
  - 18. The method as recited in claim 9, the set of security claims including a first security claim that indicates a particular group that controls the communication channel and a second security claim that indicates a type of encryption the communication channel uses to encrypt data received by the communication channel, and further comprising transferring data to the communication channel without encrypting the data.
  - 19. The method as recited in claim 9, further comprising analyzing the channel security descriptor to determine a security precaution that the computing device is to use when the computing device accesses the communication channel.

20. One or more computer storage memories having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- responsive to the computing device desiring access to a communication channel device and prior to determining security precautions for use by the computing device and the communication channel device during a data transfer;
  
  obtain a set of security claims for the communication channel device, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel device;
  
  compare the set of security claims for the communication channel device to a security policy of the computing device;
  
  identify an entity that has digitally signed the set of security claims; and
  
  determine one or more security precautions that the computing device is to use in transferring data to and/or from the communication channel device, the determining being based at least in part on the comparing, the entity that has digitally signed the set of security claims, and a communication channel class identifier that has been digitally signed by the entity, the communication channel class identifier identifying a class of the communication channel device such that different communication channels of a same class share a same communication channel class identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ureche, Octavian T., Semenko, Alex M., Vinayak, Sai, Ellison, Carl M.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US12/506,568
Publication Number

US 20110019820A1
Time in Patent Office

1,974 Days
Field of Search

None
US Class Current

726/17
CPC Class Codes

G06F 21/606   by securing the transmissio...

H04L 2209/80   Wireless network architectu...

H04L 63/205   involving negotiation or de...

H04L 9/3247   involving digital signatures

Communication channel claim dependent security precautions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Communication channel claim dependent security precautions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links