Resource protection on un-trusted devices

US 9,106,634 B2
Filed: 01/02/2013
Issued: 08/11/2015
Est. Priority Date: 01/02/2013
Status: Active Grant

First Claim

Patent Images

1. In a computing environment comprising one or more hardware processors, a method of authenticating an untrusted device to an enterprise service, the method comprising:

at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network,wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network,wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, andwherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;

at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;

at the enterprise gateway service, verifying that the secondary user credential is valid; and

at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential, and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticating a user to a first service to allow the user to access a resource provided by the first service. The resource is a protected resource requiring a general purpose credential (e.g. a user name and/or password) to access the resource. The method includes receiving at a second service, from the device, an ad-hoc credential. The ad-hoc credential is a credential that is particular to the device. The ad-hoc credential can be used to authenticate both the user and the device, but cannot be directly used to as authentication at the first service for the user to access the resource. The method further includes, at the second service, substituting the general purpose credential for the ad-hoc credential and forwarding the general purpose credential to the first service. As such the first service can provide the resource to the user at the device.

22 Citations

View as Search Results

20 Claims

1. In a computing environment comprising one or more hardware processors, a method of authenticating an untrusted device to an enterprise service, the method comprising:
- at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network,wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network,wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, andwherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;
  
  at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;
  
  at the enterprise gateway service, verifying that the secondary user credential is valid; and
  
  at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential, and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the secondary user credential is a credential that is particular to a given communication channel, such that the secondary user credential is invalid if received over a communication channel other than the given communication channel.
  - 3. The method of claim 1, wherein the secondary user credential is temporally limited, such that the secondary user credential expires after a given period of time and is invalid if received after the given period of time.
  - 4. The method of claim 1, wherein the policy limits the use of the secondary user credential by time.
  - 5. The method of claim 1, wherein the policy limits the use of the secondary user credential according to user role.
  - 6. The method of claim 1, wherein the secondary user credential is generated by using the primary user credential and a secret that is maintained by the enterprise gateway service to calculate the secondary user credential.

7. A computer system for authenticating an untrusted device to an enterprise service, the computer system comprising:
- one or more hardware processors; and
  
  one or more hardware storage devices having stored thereon computer-executable instructions that, when executed by the one or more hardware processors, cause the computer system to perform at least the following;
  
  receive, from an untrusted device that is outside of an enterprise network, a secondary user credential for access to a plurality of services within the enterprise network,wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network,wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, andwherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;
  
  verify that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;
  
  verify that the secondary user credential is valid; and
  
  based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substitute the primary user credential for the secondary user credential, and forward the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The computer system of claim 7, wherein the secondary user credential is a credential that is particular to a given communication channel.
  - 9. The computer system of claim 7, wherein the secondary user credential is temporally limited, such that the secondary user credential expires after a given period of time.
  - 10. The computer system of claim 7, wherein the policy limits the use of the secondary user credential by time.
  - 11. The computer system of claim 7, wherein the policy limits the use of the secondary user credential according to user rote.
  - 12. The computer system of claim 7, wherein the secondary user credential is generated by using the primary user credential and a secret that is maintained by the enterprise gateway service to calculate the secondary user credential.
  - 13. The computer system of claim 7, further comprising a database, wherein the database contains a mapping of the primary user credential to the secondary user credential.
  - 14. The computer system of claim 7, further comprising a management system, wherein the management system is configured to generate the secondary user credential based on the primary user credential.

15. One or more hardware storage devices having stored thereon computer executable instructions that, when executed by one or more processors, cause a computer system to perform at least the following:
- at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network,wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network,wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, andwherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential;
  
  at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential;
  
  at the enterprise gateway service, verifying that the secondary user credential is valid; and
  
  at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more hardware storage devices of claim 15, wherein the secondary user credential is generated by using the primary user credential and a secret that is maintained by the enterprise gateway service to calculate the secondary user credential.
  - 17. The one or more hardware storage devices of claim 15, wherein the secondary user credential is a credential that is particular to a given communication channel, such that the secondary user credential is invalid if received over a communication channel other than the given communication channel.
  - 18. The one or more hardware storage devices of claim 15, wherein the secondary user credential is temporally limited, such that the secondary user credential expires after a given period of time and is invalid if received after the given period of time.
  - 19. The one or more hardware storage devices of claim 15, wherein the policy limits the use of the secondary user credential by time.
  - 20. The one or more hardware storage devices of claim 15, wherein the policy limits the use of the secondary user credential according to user role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Mendelovich, Meir, Matchoro, Ron
Primary Examiner(s)
Darrow, Justin T
Assistant Examiner(s)
SONG, HEE K

Application Number

US13/732,526
Publication Number

US 20140189782A1
Time in Patent Office

951 Days
Field of Search

726/6, 726/9, 726 26- 29, 380200-203, 380/227
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/44   Program or device authentic...

H04L 63/08   for authentication of entit...

Resource protection on un-trusted devices

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Resource protection on un-trusted devices

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links