SECURELY OPERATING A PROCESS USING USER-SPECIFIC AND DEVICE-SPECIFIC SECURITY CONSTRAINTS
First Claim
1. A method, comprising:
- determining that a user has initiated an installation of a secure application on a device owned by the user, the secure application comprising a rich application (RA) part and a trusted application (TA) part, wherein the rich application part operates using resources shared with other applications, and wherein the trusted application part operates in an isolated execution environment with functionality to provide security services to the rich application part;
- installing the RA part of the secure application on the device;
- triggering, by the RA executing on the device, a trusted user interface (UI) session, upon realization that the TA part of the secure application is not installed in the isolated execution environment on the device, wherein the trusted UI session is initiated to enforce user-specific and device-specific security criteria;
- receiving, via the trusted UI session, user credentials for authenticating the user;
- combining the user credentials with a unique identifier of the isolated execution environment in which the TA part of the secure application operates to obtain combined user credentials;
- cryptographically signing the combined user credentials with a cryptographic signature to obtain an authentication object, wherein the authentication object facilitates the enforcement of the user-specific and the device-specific security criteria;
- passing the authentication object to a service provider associated with the secure application for extraction of the user credentials; and
- generating, by an authorization entity, an authorization token permitting the installation of the TA part of the secure application, upon verification of the cryptographically signed authentication object.
1 Assignment
0 Petitions
Abstract
A method for enforcing secure processes between a user and a device involves determining that the user has initiated installation of a secure application, installing the RA part of the secure application, triggering a trusted UI session upon realization that the TA part of the secure application is not installed, receiving, via the trusted UI session, user credentials for authenticating the user and enforcing user-specific and device-specific security, cryptographically signing combined user credentials with a cryptographic signature to obtain an authentication object, passing the authentication object to a service provider associated with the secure application for extraction of the user credentials, and generating an authorization token permitting the installation of the TA part of the secure application upon verification of the cryptographically signed authentication object.
53 Citations
22 Claims
1. (Set out above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A system, comprising:
- a device on which the installation of a secure application is initiated by a user, wherein the device is owned by the user;
- a service provider configured to provide the secure application to be installed on the device, the secure application comprising a rich application (RA) part and a trusted application (TA) part, wherein the rich application part operates using resources shared with other applications, and wherein the trusted application part operates in an isolated execution environment with functionality to provide security services to the rich application part; and
- a back-end server comprising an authorization entity configured to generate an authorization token permitting installation of the TA part of the secure application, upon verification of an authentication object,
- wherein, when installation of the secure application is initiated by the user, the RA is configured to request a user-binding TA in the isolated execution environment to initiate a trusted user interface (UI) session by which user credentials are obtained from the user, wherein the authentication object is generated by:
- combining the user credentials obtained via the trusted UI session with a unique identifier of the isolated execution environment on the device to obtain combined user credentials, and cryptographically signing the combined user credentials using a cryptographic signature to obtain the authentication object,
- wherein the service provider is further configured to receive the authentication object from the RA part of the secure application to check the user credentials, and
- wherein the back-end server is configured to verify the cryptographically signed authentication object, and, using the verified authentication object, generate the authorization token authorizing the installation of the TA part of the secure application.
Dependent claims: 13, 14, 15, 16, 17, 18.

19. A non-transitory computer readable medium comprising instructions that, when executed by a computer processor, perform a method comprising:
- determining that a user has initiated an installation of a secure application on a device owned by the user, the secure application comprising a rich application (RA) part and a trusted application (TA) part, wherein the rich application part operates using resources shared with other applications, and wherein the trusted application part operates in an isolated execution environment with functionality to provide security services to the rich application part;
- installing the RA part of the secure application on the device;
- triggering, by the RA executing on the device, a trusted user interface (UI) session, upon realization that the TA part of the secure application is not installed in the isolated execution environment on the device, wherein the trusted UI session is initiated to enforce user-specific and device-specific security criteria;
- receiving, via the trusted UI session, user credentials for authenticating the user;
- combining the user credentials with a unique identifier of the isolated execution environment in which the TA part of the secure application operates to obtain combined user credentials;
- cryptographically signing the combined user credentials with a cryptographic signature to obtain an authentication object, wherein the authentication object facilitates the enforcement of the user-specific and the device-specific security criteria;
- passing the authentication object to a service provider associated with the secure application for extraction of the user credentials; and
- generating, by an authorization entity, an authorization token permitting the installation of the TA part of the secure application, upon verification of the cryptographically signed authentication object.
Dependent claims: 20, 21, 22.

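As an added illustration (not code from the patent or from any product), the claimed flow simulated end to end in Python: the user-binding TA combines the credentials with the isolated-execution-environment identifier and signs the combination, the service provider extracts the credentials, and the authorization entity verifies the signature against the key bound to that environment before issuing the token that permits TA installation. HMAC-SHA256 under a per-environment binding key stands in for the claims' cryptographic signature, and the key registry, identifiers, nonce and credentials are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed data (not from the patent): the authorization entity keeps one binding
# key per isolated-execution-environment (TEE) identifier, plus its own token key.
TEE_KEY_REGISTRY = {
    "tee-id-constructed-0001": b"constructed-binding-key-0001",
    "tee-id-constructed-0002": b"constructed-binding-key-0002",
}
AUTHZ_TOKEN_KEY = b"constructed-authorization-entity-key"

def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def _mac(key: bytes, payload: bytes) -> str:
    # HMAC-SHA256 stands in for the cryptographic signature named in the claims.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def build_auth_object(credentials: dict, tee_id: str, binding_key: bytes, nonce: str) -> dict:
    """User-binding TA: combine the credentials with the TEE identifier, then sign the whole."""
    payload = _canonical({"credentials": credentials, "tee_id": tee_id, "nonce": nonce})
    return {"payload": payload.decode(), "signature": _mac(binding_key, payload)}

def extract_credentials(auth_object: dict) -> dict:
    """Service provider: extract the user credentials carried in the authentication object."""
    return json.loads(auth_object["payload"])["credentials"]

def verify_and_authorize(auth_object: dict, app_id: str, registry=TEE_KEY_REGISTRY):
    """Authorization entity: verify the signature under the TEE's key, then issue the install token."""
    combined = json.loads(auth_object["payload"])
    key = registry.get(combined.get("tee_id"))
    if key is None:
        return None  # unknown isolated execution environment: refuse
    if not hmac.compare_digest(_mac(key, auth_object["payload"].encode()), auth_object["signature"]):
        return None  # signature mismatch: payload altered or moved to another TEE
    token = {"app": app_id, "tee_id": combined["tee_id"],
             "user": combined["credentials"]["username"], "permit": "install_ta"}
    return {"token": token, "signature": _mac(AUTHZ_TOKEN_KEY, _canonical(token))}

def run_flow():
    """Device -> service provider -> authorization entity, then the same credentials re-labelled with another TEE's id."""
    creds = {"username": "alice", "password": "constructed-secret"}
    auth_obj = build_auth_object(creds, "tee-id-constructed-0001",
                                 TEE_KEY_REGISTRY["tee-id-constructed-0001"], nonce="n-1")
    assert extract_credentials(auth_obj)["username"] == "alice"
    granted = verify_and_authorize(auth_obj, "secure-app-constructed")
    moved = json.loads(auth_obj["payload"])
    moved["tee_id"] = "tee-id-constructed-0002"  # registered TEE, but not the signing one
    replay = {"payload": _canonical(moved).decode(), "signature": auth_obj["signature"]}
    return granted, verify_and_authorize(replay, "secure-app-constructed")
```

The second call in `run_flow` shows the device binding doing its work: the same credentials presented under a different environment identifier fail verification, so no token is issued for that environment.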
Specification