Device theft protection associating a device identifier and a user identifier

US 9,762,396 B2
Filed: 12/02/2016
Issued: 09/12/2017
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing device, the method comprising:

determining that theft protection is to be enabled on the computing device;

sending, to an identity service over a network, user credentials of a user of the computing device;

receiving, from the identity service, a ticket indicating that the user credentials have been verified by the identity service;

sending, to a key service over the network, the ticket;

receiving, from the key service, a data value having been generated by the key service based on both a recovery key for the computing device and a device identifier that identifies the computing device;

saving the data value as an authenticated variable on the computing device by writing the data value to an authenticated variable storage system of the computing device;

receiving user input that is the recovery key of the computing device;

generating an additional data value based on the user input as well as the device identifier that identifies the computing device;

determining whether the data value and the additional data value are the same value;

changing the computing device to an unprotected state in response to the data value and the additional data value being the same value;

allowing the user to access the computing device in the unprotected state in response to the data value and the additional data value being the same value; and

denying the user access to the computing device in response to the data value and the additional data value not being the same value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When theft protection of a computing device is initiated, credentials of the user are provided to one or more services that verify the credentials and generate a recovery key. A data value is generated based on the recovery key and an identifier of the computing device (e.g., by applying a cryptographic hash function to the recovery key and the computing device identifier), and the data value is provided to the computing device, which stores the data value at the computing device. When a user is prompted to prove his or her ownership of the device, the owner can prove his or her ownership of the device in different manners by accessing the one or more services via a network (e.g., the Internet), or by providing the recovery key (e.g., obtained using another computing device) to the computing device.

28 Citations

20 Claims

1. A method implemented in a computing device, the method comprising:
- determining that theft protection is to be enabled on the computing device;
  
  sending, to an identity service over a network, user credentials of a user of the computing device;
  
  receiving, from the identity service, a ticket indicating that the user credentials have been verified by the identity service;
  
  sending, to a key service over the network, the ticket;
  
  receiving, from the key service, a data value having been generated by the key service based on both a recovery key for the computing device and a device identifier that identifies the computing device;
  
  saving the data value as an authenticated variable on the computing device by writing the data value to an authenticated variable storage system of the computing device;
  
  receiving user input that is the recovery key of the computing device;
  
  generating an additional data value based on the user input as well as the device identifier that identifies the computing device;
  
  determining whether the data value and the additional data value are the same value;
  
  changing the computing device to an unprotected state in response to the data value and the additional data value being the same value;
  
  allowing the user to access the computing device in the unprotected state in response to the data value and the additional data value being the same value; and
  
  denying the user access to the computing device in response to the data value and the additional data value not being the same value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, the recovery key having been generated by the key service.
  - 3. The method as recited in claim 1, further comprising preventing rollback of an operating system of the computing device to a previous version of the operating system that does not support the theft protection.
  - 4. The method as recited in claim 3, the preventing including:
    - checking whether an operating system version identifier list included in the authenticated variable storage system of the computing device includes an identifier of an operating system being booted on the computing device; and
      
      preventing the operating system from booting on the computing device if the operating system version identifier list includes the identifier of the operating system being booted on the computing device.
  - 5. The method as recited in claim 1, further comprising:
    - determining that ownership of the computing device is to be verified;
      
      obtaining, in response to access to the key service over the network being available, an indication from the key service whether the user is the owner of the computing device, the indication being based on user credentials input to the computing device;
      
      allowing the user to access the computing device in response to the user being determined to be the owner of the computing device; and
      
      denying the user access to the computing device in response to the user being determined to not be the owner of the computing device.
  - 6. The method as recited in claim 1, the authenticated variable storage system implementing the unified extensible firmware interface specification.
  - 7. The method as recited in claim 1, the data value having been generated based on a concatenation of the recovery key and the device identifier.

8. A computing device comprising:
- one or more hardware processors; and
  
  one or more computer-readable storage media having stored thereon multiple instructions that, responsive to execution by the one or more processors, cause the one or more processors to perform acts including;
  
  determining that theft protection is to be enabled on the computing device;
  
  sending, to an identity service over a network, user credentials of a user of the computing device;
  
  receiving, from the identity service, a data structure indicating that the user credentials have been verified by the identity service;
  
  sending, to a key service over the network, the data structure;
  
  receiving, from the key service, a first data value having been generated by the key service based on both a recovery key for the computing device and a device identifier that identifies the computing device;
  
  saving the first data value as an authenticated variable on the computing device by writing the first data value to an authenticated variable storage system of the computing device;
  
  receiving user input that is the recovery key of the computing device;
  
  generating a second data value based on the user input as well as the device identifier that identifies the computing device;
  
  determining whether the first data value and the second data value are the same value;
  
  changing the computing device to an unprotected state in response to the first data value and the second data value being the same value;
  
  allowing the user to access the computing device in the unprotected state in response to the first data value and the second data value being the same value; and
  
  denying the user access to the computing device in response to the first data value and the second data value not being the same value.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computing device as recited in claim 8, the recovery key having been generated by the key service.
  - 10. The computing device as recited in claim 8, the acts further comprising preventing rollback of an operating system of the computing device to a previous version of the operating system that does not support the theft protection.
  - 11. The computing device as recited in claim 10, the preventing including:
    - checking whether an operating system version identifier list included in the authenticated variable storage system of the computing device includes an identifier of an operating system being booted on the computing device; and
      
      preventing the operating system from booting on the computing device if the operating system version identifier list includes the identifier of the operating system being booted on the computing device.
  - 12. The computing device as recited in claim 8, the acts further comprising:
    - determining that ownership of the computing device is to be verified;
      
      obtaining, in response to access to the key service over the network being available, an indication from the key service whether the user is the owner of the computing device, the indication being based on user credentials input to the computing device;
      
      allowing the user to access the computing device in response to the user being determined to be the owner of the computing device; and
      
      denying the user access to the computing device in response to the user being determined to not be the owner of the computing device.
  - 13. The computing device as recited in claim 8, the authenticated variable storage system implementing the unified extensible firmware interface specification.

14. A system with a computing device comprising:
- an authenticated variable storage device; and
  
  a theft protection system, implemented at least in part by a processor, configured to;
  
  determine that theft protection is to be enabled on the computing device;
  
  send, to an identity service over a network, user credentials of a user of the computing device;
  
  receive, from the identity service, a ticket indicating that the user credentials have been verified by the identity service;
  
  send, to a key service over the network, the ticket;
  
  receive, from the key service, a data value having been generated by the key service based on both a recovery key for the computing device and a device identifier that identifies the computing device;
  
  save the data value as an authenticated variable on the computing device by writing the data value to the authenticated variable storage system;
  
  receive user input that is the recovery key of the computing device;
  
  generate an additional data value based on the user input as well as the computing device identifier that identifies the device;
  
  determine whether the data value and the additional data value are the same value;
  
  change the computing device to an unprotected state in response to the data value and the additional data value being the same value;
  
  allow the user to access the computing device in the unprotected state in response to the data value and the additional data value being the same value; and
  
  deny the user access to the computing device in response to the data value and the additional data value not being the same value.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system as recited in claim 14, wherein the recovery key having been generated by the key service.
  - 16. The system as recited in claim 14, wherein the theft protection system is further configured to prevent rollback of an operating system of the computing device to a previous version of the operating system that does not support the theft protection.
  - 17. The system as recited in claim 16, wherein to prevent rollback includes to:
    - check whether an operating system version identifier list of the computing device includes an identifier of an operating system being booted on the computing device; and
      
      prevent the operating system from booting on the computing device if the operating system version identifier list includes the identifier of the operating system being booted on the computing device.
  - 18. The system as recited in claim 17, wherein the operating system version identifier list being included in the authenticated variable storage device.
  - 19. The system as recited in claim 14, wherein the theft protection system is further configured to:
    - determine that ownership of the computing device is to be verified;
      
      obtain, in response to access to the key service over the network being available, an indication from the key service whether the user is the owner of the computing device, the indication being based on user credentials input to the computing device;
      
      allow the user to access the computing device in response to the user being determined to be the owner of the computing device; and
      
      deny the user access to the computing device in response to the user being determined to not be the owner of the computing device.
  - 20. The system as recited in claim 14, wherein the authenticated variable storage device implementing the unified extensible firmware interface specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Susan, Mihai Irinel, Andreiu, Bogdan, Shell, Scott R., Bragg, Scott Michael, Chen, Ling Tony
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/368,069
Publication Number

US 20170085386A1
Time in Patent Office

284 Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/4405   Initialisation of multiproc...

H04L 63/0435   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3242   involving keyed hash functi...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/12   Detection or prevention of ...

H04W 12/126   Anti-theft arrangements, e....

Device theft protection associating a device identifier and a user identifier

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device theft protection associating a device identifier and a user identifier

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links