Client architecture for portable device with security policies

US 7,437,752 B2
Filed: 09/23/2002
Issued: 10/14/2008
Est. Priority Date: 09/23/2002
Status: Active Grant

First Claim

Patent Images

1. Logic encoded on a computer-readable medium, the logic executable on a hand-holdable computer to provide a trusted computing environment on the hand-holdable computer, comprising:

a communication module that communicates with a gatekeeper to receive an encrypted policy package from a central server;

an encryption-decryption module that decrypts the encrypted policy package using a policy key, thereby creating an unencrypted policy package;

a user interface module that receives user input including a password from a user of the hand-holdable computer;

an authentication module coupled with the user interface module to receive the user input and to verify that the password authenticates the user as an authorized user of the hand-holdable computer;

a rules engine that enforces an enterprise security policy contained in the unencrypted policy package; and

an audit log module coupled to the rules engine to receive a policy enforcement record, and further coupled to the encryption-decryption module to encrypt the policy enforcement record, and operable to store the encrypted policy enforcement record to an encrypted security log,wherein the rules engine and audit log module interoperate to provide a tamper-resistant trusted computing environment that enforces a centrally managed enterprise security policy on the hand-holdable computer even when the hand-holdable computer is not connected to a network.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a particular embodiment, a client module is deployed on a wireless device. The client module comprises a policy database including a list of authorized devices to which the wireless device may communicate. In another embodiment, the client module comprises a policy database including at least two user profiles on a wireless device, such as a personal profile and a business profile.

235 Citations

9 Claims

1. Logic encoded on a computer-readable medium, the logic executable on a hand-holdable computer to provide a trusted computing environment on the hand-holdable computer, comprising:
- a communication module that communicates with a gatekeeper to receive an encrypted policy package from a central server;
  
  an encryption-decryption module that decrypts the encrypted policy package using a policy key, thereby creating an unencrypted policy package;
  
  a user interface module that receives user input including a password from a user of the hand-holdable computer;
  
  an authentication module coupled with the user interface module to receive the user input and to verify that the password authenticates the user as an authorized user of the hand-holdable computer;
  
  a rules engine that enforces an enterprise security policy contained in the unencrypted policy package; and
  
  an audit log module coupled to the rules engine to receive a policy enforcement record, and further coupled to the encryption-decryption module to encrypt the policy enforcement record, and operable to store the encrypted policy enforcement record to an encrypted security log,wherein the rules engine and audit log module interoperate to provide a tamper-resistant trusted computing environment that enforces a centrally managed enterprise security policy on the hand-holdable computer even when the hand-holdable computer is not connected to a network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The logic of claim 1 wherein the rules engine includes instructions for performing the steps of:
    - intercepting a request for a service, wherein the request is one selected from the group consisting of;
      
      an operating system call and an operating system event;
      
      determining whether the security policy requires an action to be performed in response to the request; and
      
      performing the action if the security policy requires the action to be performed in response to the request.
  - 3. The logic of claim 1 wherein the rules engine includes instructions for performing the steps of:
    - intercepting a request for a service, wherein the request is one selected from the group consisting of;
      
      an operating system call and an operating system event;
      
      determining whether the security policy permits access to the requested service; and
      
      denying the request if the security policy does not permit access to the requested service.
  - 4. The logic of claim 1 wherein the rules engine includes instructions for performing the steps of:
    - receiving a request to communicate with an external device;
      
      determining whether the external device is on a list of approved devices;
      
      determining whether a mechanism for communication with the external device is on a list of approved mechanisms for communication; and
      
      denying the request to communicate if the external device is not on the list of approved devices or if the mechanism for communication is not on the list of approved mechanisms for communication.
  - 5. The logic of claim 4 wherein the mechanism for communication is a network protocol.
  - 6. The logic of claim 4 wherein the mechanism for communication is a hardware communication port on the hand-holdable computer.
  - 7. The logic of claim 1 wherein the rules engine includes instructions for performing the steps of:
    - receiving a request to communicate with an external device;
      
      causing the authentication module to authenticate the external device using a two-way challenge-response mechanism; and
      
      denying the request to communicate with the external device if the authentication module fails to authenticate the external device.
  - 8. The logic of claim 1 wherein the rules engine includes instructions for performing the steps of:
    - intercepting a request to store a datum in a memory;
      
      determining whether the security policy indicates that the datum should be stored in an encrypted format;
      
      automatically creating an encrypted datum by encrypting the datum using a data key associated with the user if the security policy indicates that the datum should be stored in an encrypted format; and
      
      storing the encrypted datum in the memory.
  - 9. The logic of claim 1 wherein the rules engine includes instructions for performing the steps of:
    - intercepting a request to read a datum from a memory;
      
      determining whether the security policy permits the user to access the datum;
      
      denying the request to read the datum if the security policy does not permit the user to access the datum;
      
      reading the datum from the memory;
      
      determining whether the datum is encrypted;
      
      automatically decrypting the datum using a data key associated with the user if the datum is encrypted; and
      
      providing the datum in an unencrypted form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Marketing LP (Dell Technologies Inc.)
Original Assignee
Credant Technologies Incorported (Dell Technologies Inc.)
Inventors
Mann, Dwayne R., Burchett, Christopher D., Gordon, Ian R., Heard, Robert W.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/252,225
Publication Number

US 20060236363A1
Time in Patent Office

2,213 Days
Field of Search

726/1, 726/27, 713/194, 713/182, 380/270
US Class Current

726/1
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 9/083   involving central third par...

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/08   Access security

Client architecture for portable device with security policies

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

235 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

Client architecture for portable device with security policies

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

235 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others