Securing communication over a network using client integrity verification

US 9,282,120 B2
Filed: 03/11/2013
Issued: 03/08/2016
Est. Priority Date: 02/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method for securing communication over a network, comprising:

at a trust broker system having one or more processors and memory storing one or more programs for execution by the one or more processors;

receiving a request from a user agent computer application associated with a client system remote from the trust broker system to connect to network applications and resources associated with the trust broker system, wherein the user agent computer application is an application program that executes on the client system, and wherein the client system is a stateless client device that retains no network access information from a prior online session;

in response to the request to connect with the server system;

verifying the hardware and/or software integrity of the client system; and

verifying the identity of a user of the client system, including;

receiving, from the user agent computer application, a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session;

in response to verifying the identity of the user and the integrity of the client system;

determining a network access level permitted to the identified user;

based on the network access level, determining which network applications and resources the identified user is authorized to access;

in accordance with a determination that the user is authorized to access the requested network applications and resources;

establishing a connection with the user agent computer application;

transmitting session information to the server system that hosts the requested network applications and resources, wherein the transmitted session information identifies the requesting user agent computer application; and

sending the user agent the network access information, wherein the network access information enables the requesting user agent computer application to connect to the requested server system for one session, and enables the client system to download, from the server system, instructions for performing one or more tasks associated with the requested network data and services, wherein the downloaded instructions are not permanently stored on the client system and are only retained for the one session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting application servers from network-based attacks and verifying the security posture of end client systems is disclosed. A trust broker system receives a request from a user agent associated with a client system remote from the trust broker to connect to applications and resources associated with the trust broker. The trust broker system verifies the integrity of the client system and verifies the identity of a user of the client system. The trust broker system then determines the access level permitted to the identified user and based on the access level. The trust broker system establishes a connection with the user agent and transmits session information to the server system. The trust broker system sends the user agent connection information, wherein the connection information enables the requesting user agent to connect to the requested server system.

102 Citations

View as Search Results

20 Claims

1. A method for securing communication over a network, comprising:
- at a trust broker system having one or more processors and memory storing one or more programs for execution by the one or more processors;
  
  receiving a request from a user agent computer application associated with a client system remote from the trust broker system to connect to network applications and resources associated with the trust broker system, wherein the user agent computer application is an application program that executes on the client system, and wherein the client system is a stateless client device that retains no network access information from a prior online session;
  
  in response to the request to connect with the server system;
  
  verifying the hardware and/or software integrity of the client system; and
  
  verifying the identity of a user of the client system, including;
  
  receiving, from the user agent computer application, a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session;
  
  in response to verifying the identity of the user and the integrity of the client system;
  
  determining a network access level permitted to the identified user;
  
  based on the network access level, determining which network applications and resources the identified user is authorized to access;
  
  in accordance with a determination that the user is authorized to access the requested network applications and resources;
  
  establishing a connection with the user agent computer application;
  
  transmitting session information to the server system that hosts the requested network applications and resources, wherein the transmitted session information identifies the requesting user agent computer application; and
  
  sending the user agent the network access information, wherein the network access information enables the requesting user agent computer application to connect to the requested server system for one session, and enables the client system to download, from the server system, instructions for performing one or more tasks associated with the requested network data and services, wherein the downloaded instructions are not permanently stored on the client system and are only retained for the one session.
- View Dependent Claims (2, 3, 4, 5, 6, 18)
- - 2. The method of claim 1, wherein verifying the identity of the user of a client system further includes:
    - determining, based on the unique user identifier, the identity of the requesting user.
  - 3. The method of claim 2, wherein verifying the identity of the client system includes:
    - receiving, from the user agent computer application, a generated system fingerprint for the client system; and
      
      determining, based on the generated system fingerprint, the specific device that is currently executing the user agent computer application.
  - 4. The method of claim 3, wherein the trust broker system includes a user device database that associates specific users with devices and wherein verifying the identity of the user further includes:
    - determining whether the identified user is associated with the determined specific device currently executing the user agent computer application.
  - 5. The method of claim 1, wherein verifying the identity of the client system includes:
    - determining a geographic location of the client system;
      
      retrieving a list of authorized regions within which the client system is authorized to operate; and
      
      determining whether the list of authorized regions includes the geographic location of the client system,wherein sending the user agent the network access information is in accordance with a determination that the list of authorized regions includes the geographic location of the client system.
  - 6. The method of claim 1, wherein the server system and the trust broker system are components in a secure network.
  - 18. The method of claim 1, further including:
    - identifying a first virtual domain of a plurality of virtual domains, wherein;
      
      each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and services;
      
      wherein determining which network applications and resources the identified user is authorized to access includes;
      
      retrieving stored permissions of the user associated with the client system; and
      
      determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain.

7. An electronic device for securing communication over a network, wherein the electronic device comprises a trust broker system, comprising:
- one or more processors;
  
  memory storing one or more programs to be executed by the one or more processors;
  
  the one or more programs comprising instructions for;
  
  receiving a request from a user agent computer application associated with a client system remote from the trust broker system to connect to network applications and resources associated with the trust broker system, wherein the user agent computer application is an application program that executes on the client system, and wherein the client system is a stateless client device that retains no network access information from a prior online session;
  
  in response to the request to connect with the server system;
  
  verifying the hardware and/or software integrity of the client system; and
  
  verifying the identity of a user of the client system, including;
  
  receiving, from the user agent computer application, a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session;
  
  in response to verifying the identity of the user and the integrity of the client system;
  
  determining a network access level permitted to the identified user;
  
  based on the network access level, determining which network applications and resources the identified user is authorized to access;
  
  in accordance with a determination that the user is authorized to access the requested network applications and resources;
  
  establishing a connection with the user agent computer application;
  
  transmitting session information to the server system that hosts the requested network applications and resources, wherein the transmitted session information identifies the requesting user agent computer application; and
  
  sending the user agent the network access information, wherein the network access information enables the requesting user agent computer application to connect to the requested server system for one session, and enables the client system to download, from the server system, instructions for performing one or more tasks associated with the requested network data and services, wherein the downloaded instructions are not permanently stored on the client system and are only retained for the one session.
- View Dependent Claims (8, 9, 10, 11, 12, 19)
- - 8. The device of claim 7, wherein the instructions for verifying the identity of the user of a client system further include instructions for:
    - determining, based on the unique user identifier, the identity of the requesting user.
  - 9. The device of claim 8, wherein the instructions for verifying the identity of the client system includes instructions for:
    - receiving, from the user agent computer application, a generated system fingerprint for the client system; and
      
      determining, based on the generated system fingerprint, the specific device that is currently executing the user agent computer application.
  - 10. The device of claim 9, wherein the trust broker system includes a user device database that associates specific users with devices and wherein the instructions for verifying the identity of the user further include instructions for:
    - determining whether the identified user is associated with the determined specific device currently executing the user agent computer application.
  - 11. The device of claim 7, wherein verifying the identity of the client system includes:
    - determining a geographic location of the client system;
      
      retrieving a list of authorized regions within which the client system is authorized to operate; and
      
      determining whether the list of authorized regions includes the geographic location of the client system,wherein sending the user agent the network access information is in accordance with a determination that the list of authorized regions includes the geographic location of the client system.
  - 12. The device of claim 7, wherein the server system and the trust broker system are components in a secure network.
  - 19. The device of claim 7, further including instructions for:
    - identifying a first virtual domain of a plurality of virtual domains, wherein;
      
      each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and services;
      
      wherein determining which network applications and resources the identified user is authorized to access includes;
      
      retrieving stored permissions of the user associated with the client system; and
      
      determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain.

13. A non-transitory computer readable storage medium storing one or more programs configured for execution by an electronic device with a camera, wherein the electronic device comprises a trust broker system, the one or more programs comprising instructions for:
- receiving a request from a user agent computer application associated with a client system remote from the trust broker system to connect to network applications and resources associated with the trust broker system, wherein the user agent computer application is an application program that executes on the client system, and wherein the client system is a stateless client device that retains no network access information from a prior online session;
  
  in response to the request to connect with the server system;
  
  verifying the hardware and/or software integrity of the client system; and
  
  verifying the identity of a user of the client system, including;
  
  receiving, from the user agent computer application, a unique user identifier that is encrypted with a one-time session-based key that is changed for each communication session;
  
  in response to verifying the identity of the user and the integrity of the client system;
  
  determining a network access level permitted to the identified user;
  
  based on the network access level, determining which network applications and resources the identified user is authorized to access;
  
  in accordance with a determination that the user is authorized to access the requested network applications and resources;
  
  establishing a connection with the user agent computer application;
  
  transmitting session information to the server system that hosts the requested network applications and resources, wherein the transmitted session information identifies the requesting user agent computer application; and
  
  sending the user agent the network access information, wherein the network access information enables the requesting user agent computer application to connect to the requested server system for one session, and enables the client system to download, from the server system, instructions for performing one or more tasks associated with the requested network data and services, wherein the downloaded instructions are not permanently stored on the client system and are only retained for the one session.
- View Dependent Claims (14, 15, 16, 17, 20)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the instructions for verifying the identity of the user of a client system further include instruction for:
    - determining, based on the unique user identifier, the identity of the requesting user.
  - 15. The non-transitory computer readable storage medium of claim 14, wherein the instructions for verifying the identity of the client system include instruction for:
    - receiving, from the user agent computer application, a generated system fingerprint for the client system; and
      
      determining, based on the generated system fingerprint, the specific device that is currently executing the user agent computer application.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein the trust broker system includes a user device database that associates specific users with devices and wherein the instructions for verifying the identity of the user further include instructions for:
    - determining whether the identified user is associated with the determined specific device currently executing the user agent computer application.
  - 17. The non-transitory computer readable storage medium of claim 13, wherein verifying the identity of the client system includes:
    - determining a geographic location of the client system;
      
      retrieving a list of authorized regions within which the client system is authorized to operate; and
      
      determining whether the list of authorized regions includes the geographic location of the client system,wherein sending the user agent the network access information is in accordance with a determination that the list of authorized regions includes the geographic location of the client system.
  - 20. The non-transitory computer readable storage medium of claim 13, further including instructions for:
    - identifying a first virtual domain of a plurality of virtual domains, wherein;
      
      each virtual domain provides a respective logical set of network applications and resources, distinct from other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system, andthe first virtual domain provides the requested network applications and services;
      
      wherein determining which network applications and resources the identified user is authorized to access includes;
      
      retrieving stored permissions of the user associated with the client system; and
      
      determining, based on the stored permissions associated with the user, that the user is permitted to access the first virtual domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Vidder, Inc. (Verizon Communications Inc.)
Inventors
Islam, Junaid, Bilger, Brent, Schroeder, Ted
Primary Examiner(s)
Wang, Harris C

Application Number

US13/794,532
Publication Number

US 20140223513A1
Time in Patent Office

1,093 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 2101/69   using geographic informatio...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/562   Brokering proxy services

Securing communication over a network using client integrity verification

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Securing communication over a network using client integrity verification

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others