System for the distribution and deployment of applications, with provisions for security and policy conformance

US 9,443,067 B1
Filed: 08/01/2014
Issued: 09/13/2016
Est. Priority Date: 09/07/2010
Status: Active Grant

First Claim

Patent Images

1. A method for deploying applications to endpoint devices, the method comprising:

launching an application on an endpoint device, wherein a user-binding token and a device-binding token are embedded in the application, and wherein the endpoint device includes a device ID and a user ID of a user of the device;

determining whether the application is bound to the endpoint device by comparing the device-binding token to the device ID, and terminating the application if the device-binding token does not match the device ID;

determining whether the application is bound to the user by comparing the user-binding token to the user ID to determine if the user-binding token matches the user ID, and terminating the application if the user-binding token does not match the user ID;

wherein the application holds cryptographic keys for enabling a decryption of encrypted data on the endpoint device; and

erasing any cryptographic keys held by the application when the device-binding token does not match the device ID or the user-binding token does not match the user ID.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for deploying applications to end point devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.

68 Citations

View as Search Results

20 Claims

1. A method for deploying applications to endpoint devices, the method comprising:
- launching an application on an endpoint device, wherein a user-binding token and a device-binding token are embedded in the application, and wherein the endpoint device includes a device ID and a user ID of a user of the device;
  
  determining whether the application is bound to the endpoint device by comparing the device-binding token to the device ID, and terminating the application if the device-binding token does not match the device ID;
  
  determining whether the application is bound to the user by comparing the user-binding token to the user ID to determine if the user-binding token matches the user ID, and terminating the application if the user-binding token does not match the user ID;
  
  wherein the application holds cryptographic keys for enabling a decryption of encrypted data on the endpoint device; and
  
  erasing any cryptographic keys held by the application when the device-binding token does not match the device ID or the user-binding token does not match the user ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, comprising:
    - connecting the application to a gateway, wherein the gateway connects to an authorization server; and
      
      disconnecting the application from the gateway if the user-binding token does not match the user ID.
  - 3. The method of claim 2, comprising:
    - determining an authenticity of the user, wherein determining the authenticity of the user includes;
      
      sending a request from the endpoint device to an authorization unit in the authorization server via the gateway; and
      
      receiving a positive or negative response from the authorization unit in the authorization server via the gateway.
  - 4. The method of claim 3, wherein the gateway includes the authorization unit;
    - andwherein the step of determining the authenticity of the user includes;
      
      relaying a request from the endpoint device to the authorization unit of the gateway; and
      
      receiving a positive or negative response from the authorization unit of the gateway.
  - 5. The method of claim 4,wherein the step of receiving the positive or negative response from the authorization unit of the gateway includes receiving a plurality of negative responses;
    - andcomprising erasing the cryptographic keys held by the application when the authorization unit receives the plurality of negative responses.
  - 6. The method of claim 2, comprising:
    - receiving cryptographic key material from the gateway after authenticating the user, the key material enabling the application to access any stored data on the endpoint device.
  - 7. The method of claim 2, comprising:
    - erasing all cryptographic keys held by the application prior to disconnecting the application from the gateway to cause any encrypted data on the endpoint device to be unreadable.
  - 8. The method of claim 1,wherein the endpoint device contains local data storage for holding data relating to operation of the application;
    - andcomprising encrypting data held in the local data storage.
  - 9. The method of claim 2, comprising transferring data to or from the endpoint device and the gateway,wherein the step of transferring data occurs via one or more application interfaces (APIs) in the endpoint device;
    - andwherein at least one API ensures that any data transferred is securely transferred.
  - 10. The method of claim 9, wherein the step of transferring data includes encrypting the data transferred to or from the endpoint device, and wherein the step of encrypting the data transferred to or from the endpoint device includes preventing leakage of data from or the injection of data into the transferred data.
  - 11. The method of claim 9,wherein the gateway includes a bus unit and a data interface unit that determines whether a data access is permitted;
    - andwherein the step of transferring data includes routing a data transfer request to the data interface unit to determine that the data access is permitted and if so, forwarding the request to the bus unit.
  - 12. The method of claim 11,wherein the gateway includes the bus unit that handles data access requests;
    - andwherein the step of transferring data includes requesting the bus unit to transfer the data, the bus unit mapping the request, based on an address of the data, to a protocol implementation.
  - 13. The method of claim 12, wherein the protocol implementation transferring the data to or from a data server in accordance with the protocol implementation to which the request is mapped.
  - 14. The method of claim 1, comprising:
    - authenticating a troubleshooting routine; and
      
      troubleshooting the application via the authenticated troubleshooting routine.

15. A computing device configured for deploying applications to endpoint devices, comprising:
- a processor;
  
  memory in electronic communication with the processor, wherein the memory stores computer executable instructions that when executed by the processor cause the processor to perform the steps of;
  
  launching an application on an endpoint device, wherein a user-binding token and a device-binding token are embedded in the application, and wherein the endpoint device includes a device ID and a user ID of a user of the device;
  
  determining whether the application is bound to the endpoint device by comparing the device-binding token to the device ID, and terminating the application if the device-binding token does not match the device ID;
  
  determining whether the application is bound to the user by comparing the user-binding token to the user ID to determine if the user-binding token matches the user ID, and terminating the application if the user-binding token does not match the user ID;
  
  wherein the application holds cryptographic keys for enabling a decryption of encrypted data on the endpoint device; and
  
  erasing any cryptographic keys held by the application when the device-binding token does not match the device ID or the user-binding token does not match the user ID.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computing device of claim 15, wherein the instructions executed by the processor cause the processor to perform the steps of:
    - connecting the application to a gateway, wherein the gateway connects to an authorization server; and
      
      disconnecting the application from the gateway if the user-binding token does not match the user ID.
  - 17. The computing device of claim 16, wherein the instructions executed by the processor cause the processor to perform the steps of:
    - determining an authenticity of the user, wherein determining the authenticity of the user includes;
      
      sending a request from the endpoint device to an authorization unit in the authorization server via the gateway; and
      
      receiving a positive or negative response from the authorization unit in the authorization server via the gateway.
  - 18. The computing device of claim 17,wherein the gateway includes the authorization unit;
    - andwherein the step of determining the authenticity of the user includes;
      
      relaying a request from the endpoint device to the authorization unit of the gateway; and
      
      receiving the positive or negative response from the authorization unit of the gateway.
  - 19. The computing device of claim 18,wherein the step of receiving the positive or negative response from the authorization unit of the gateway includes receiving a plurality of negative responses;
    - andcomprising erasing the any cryptographic keys held by the application when the authorization unit receives the plurality of negative responses.

20. A non-transitory computer-readable storage medium storing computer executable instructions that when executed by a processor cause the processor to perform the steps of:
- launching an application on an endpoint device, wherein a user-binding token and a device-binding token are embedded in the application, and wherein the endpoint device includes a device ID and a user ID of a user of the device;
  
  determining whether the application is bound to the endpoint device by comparing the device-binding token to the device ID, and terminating the application if the device-binding token does not match the device ID;
  
  determining whether the application is bound to the user by comparing the user-binding token to the user ID to determine if the user-binding token matches the user ID, and terminating the application if the user-binding token does not match the user ID;
  
  wherein the application holds cryptographic keys for enabling a decryption of encrypted data on the endpoint device; and
  
  erasing any cryptographic keys held by the application when the device-binding token does not match the device ID or the user-binding token does not match the user ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Enderwick, Thomas Jeffrey, Perret, Christopher Edward
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/450,179
Time in Patent Office

774 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/121   Restricting unauthorised ex...

G06F 21/30   Authentication, i.e. establ...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2149   Restricted operating enviro...

G06F 8/60   Software deployment

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

System for the distribution and deployment of applications, with provisions for security and policy conformance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System for the distribution and deployment of applications, with provisions for security and policy conformance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others