Flexible electronic message security mechanism

US 7,536,712 B2
Filed: 10/23/2003
Issued: 05/19/2009
Est. Priority Date: 10/16/2001
Status: Active Grant

First Claim

Patent Images

1. In a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for a source computing system constructing an electronic message, the method comprising the following:

an act of designating at least one destination address in the electronic message, the destination address corresponding to one or more recipient computing devices;

an act of including a first security token in a header portion of the electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope in which the header portion is the header portion of the SOAP envelope, the first security token being at least derived from a first credential of a first credential type; and

an act of including a second security token in the header portion of the electronic message, the second security token being at least derived from a second credential of a second credential type.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Multiple different credentials and/or signatures based on different credentials may be included in a header portion of a single electronic message. Different recipients of intermediary computing systems may use the different credentials/signatures to identify the signer. The electronic message may include an encoding algorithm and a type identification of a credential included in the electronic message, allowing the recipient to decode and process the credential as appropriate given the type of credential. Also, the electronic message may include a pointer that references a credential associated with a signature included in the electronic message. That referenced credential may be accessed from the same electronic message, or from some other location. The recipient may then compare the references credential from the credentials used to generate the signature. If a match occurs, the integrity of the electronic message has more likely been preserved.

129 Citations

53 Claims

1. In a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for a source computing system constructing an electronic message, the method comprising the following:
- an act of designating at least one destination address in the electronic message, the destination address corresponding to one or more recipient computing devices;
  
  an act of including a first security token in a header portion of the electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope in which the header portion is the header portion of the SOAP envelope, the first security token being at least derived from a first credential of a first credential type; and
  
  an act of including a second security token in the header portion of the electronic message, the second security token being at least derived from a second credential of a second credential type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method in accordance with claim 1, wherein the first security token is biometric data.
  - 3. The method in accordance with claim 1, further comprising the following:
    - an act of including an encryption manifest in the header portion to thereby designate portions of a body portion of the electronic message that are encrypted.
  - 4. The method in accordance with claim 1, further comprising the following:
    - an act of transmitting the electronic message with the first security token and the second security token in the header portion to the one or more recipient computing devices.
  - 5. The method in accordance with claim 1, wherein the first security token is the first credential.
  - 6. The method in accordance with claim 1, wherein the first security token is a first signature that was generated using the first credential.
  - 7. The method in accordance with claim 6, further comprising the following:
    - an act of including the first credential in the electronic message.
  - 8. The method in accordance with claim 1, wherein the second security token is the second credential.
  - 9. The method in accordance with claim 1, wherein the second security token is a second signature that was generated using the second credential.
  - 10. The method in accordance with claim 9, further comprising the following:
    - an act of including the second credential in the electronic message.
  - 11. The method in accordance with claim 1, wherein the at least one destination address corresponds to at least a first and a second recipient computing system, the first computing system using the first credential to identify the source computing system, and the second computing system using the second credential to identify the source computing system.
  - 12. The method in accordance with claim 11, further comprising the following:
    - an act of determining that the first recipient computing system uses the first credential to identify the source computing system; and
      
      an act of determining that the second recipient computing system uses the second credential to identify the source computing system.
  - 13. The method in accordance with claim 1, wherein the at least one destination address corresponds to at least a first recipient computing system that uses both of the first credential and the second credential to identify the source computing system.
  - 14. The method in accordance with claim 13, further comprising the following:
    - an act of determining that the first recipient computing system uses both of the first credential and the second credential to identify the source computing system.
  - 15. The method in accordance with claim 1, wherein the at least one destination address corresponds to at least a first recipient computing system that uses the first credential and the second credential to identify the source computing system, the electronic message also traversing through an intermediary computing system that uses the second credential to identify the source computing system.
  - 16. The method in accordance with claim 15, further comprising the following:
    - an act of determining that the first recipient computing system uses the first credential to identify the source computing system; and
      
      an act of determining that the intermediary computing system uses the second credential to identify the source computing system.
  - 17. The method in accordance with claim 15, further comprising:
    - an act of designating an intermediary address that corresponds to the intermediary computing device.
  - 18. The method in accordance with claim 1, further comprisingan act of encoding the first security token;
    - an act of including, in the header portion, an identification of an encoding format of the first security token; and
      
      an act of including, in the header portion, an identification of a type of the security token.
  - 19. The method in accordance with claim 18, wherein the security token comprises a credential.
  - 20. The method in accordance with claim 1, wherein the first security token is a signature generated by a user, the method further comprising:
    - an act of generating a reference indicating where a credential associated with the user may be found;
      
      an act of including the reference in the header portion of the electronic message.
  - 21. The method in accordance with claim 1, wherein the electronic message is a HyperText Transport Protocol (HTTP) message, and wherein the header portion is a header portion of the HTTP message.

22. A computer program product for use in a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, the computer program product for implementing a method for a source computing system constructing an electronic message, the computer program product comprising one or more computer-readable physical storage media have thereon the following:
- computer-executable instructions for designating at least one destination address in the electronic message, the destination address corresponding to one or more recipient computing devices;
  
  computer-executable instructions for including a first security token in a header portion of the electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope in which the header portion is the header portion of the SOAP envelope, the first security token being at least derived from a first credential of a first credential type; and
  
  computer-executable instructions for including a second security token in the header portion of the electronic message, the second security token being at least derived from a second credential of a second credential type.
- View Dependent Claims (23, 24, 25)
- - 23. The computer program product in accordance with claim 22, wherein the one or more computer-readable media further have thereon the following:
    - computer-executable instructions for determining that a first recipient computing system uses the first credential to identify the source computing system; and
      
      computer-executable instructions for determining that a second recipient computing system uses the second credential to identify the source computing system.
  - 24. The computer program product in accordance with claim 22, wherein the one or more computer-readable media further have thereon the following:
    - computer-executable instructions for determining that a first recipient computing system uses both of the first credential and the second credential to identify the source computing system.
  - 25. The computer program product in accordance with claim 22, wherein the one or more computer-readable media further have thereon the following:
    - computer-executable instructions for determining that a first recipient computing system uses the first credential to identify the source computing system; and
      
      computer-executable instructions for determining that an intermediary computing system uses the second credential to identify the source computing system.

26. A computer program product for use in a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for identifying a source computing system of an electronic message, the computer program product comprising one or more physical computer-readable storage media having stored thereon the following:
- computer-executable instructions for detecting the receipt of an electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope, and wherein the credential is included in a header portion of the SOAP envelope;
  
  computer-executable instructions for reading a credential from the electronic message;
  
  computer-executable instructions for determining how to handle the credential and the electronic message based on a position of the credential within a logical hierarchical tree of credentials;
  
  computer-executable instructions for handling the credential and the electronic message as determined.
- View Dependent Claims (27, 28, 29)
- - 27. A computer program product in accordance with claim 26, wherein the computer-executable instructions for determining how to handle the credential and the electronic message comprise the following:
    - computer-executable instructions for consulting handling rules of at least one ancestral credential in the logical hierarchical tree;
      
      computer-executable instructions for consulting extended handling rules specific to the credential included in the electronic message; and
      
      computer-executable instruction for determining handling rules for the credential included in the electronic message by using the handling rules for the at least one ancestral credential as well as the extended handling rules specific to the credential included in the electronic message.
  - 28. The computer program product in accordance with claim 26, wherein the credential includes biometric data.
  - 29. The computer program product in accordance with claim 26, wherein the electronic message is a HyperText Transport Protocol (HTTP) message, and wherein the credential is included in a header portion of the HTTP message.

30. In a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for a source computing system constructing an electronic message, the method comprising the following:
- an act of encoding a credential that identifies the source computing device;
  
  an act of including the credential in a header portion of an electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope, and wherein the header portion is a header portion of the SOAP envelope; and
  
  an act of including, in the header portion, information indicative of a type of the credential.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. A method in accordance with claim 30, wherein the information indicative of a type of the credential comprises a human-readable expression of the type of the credential.
  - 32. A method in accordance with claim 30, wherein the information indicative of a type of the credential comprises information that is not a human-readable expression of the type of the credential, but nonetheless is information from which the type of credential may be derived.
  - 33. A method in accordance with claim 30, further comprising the following:
    - an act of including in the header portion, an identification of an encoding format of the credential.
  - 34. A method in accordance with claim 30, wherein an identification of an encoding format of the credential is not included in the header portion thereby indicating that a default encoding format has been applied.
  - 35. The method in accordance with claim 30, further comprising the following:
    - an act of including an encryption manifest in the header portion to thereby designate portions of a body portion of the electronic message that are encrypted.
  - 36. The method in accordance with claim 30, wherein the credential includes biometric data.
  - 37. The method in accordance with claim 30, wherein the electronic message is a HyperText Transport Protocol (HTTP) message, and wherein the header portion is a header portion of the HTTP message.
  - 38. A method in accordance with claim 30, wherein the credential is a license.
  - 39. A method in accordance with claim 38, wherein the credential is in a binary format, wherein the act of including, in the header portion, an identification of a type of the credential comprises an act of including, in the header portion, an indication that the credential has the binary format.
  - 40. A method in accordance with claim 30, wherein the credential is in a binary format, wherein the act of including, in the header portion, an identification of a type of the credential comprises an act of including, in the header portion, an indication that the credential has the binary format.

41. A computer program product for use in a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, the computer program product for implementing a method for a source computing system constructing an electronic message, the computer program product comprising one or more physical computer-readable storage media having stored thereon the following:
- a first software module that, when executed by one or more processors, is adapted to encode a credential that identifies the source computing device, wherein the credential is a license;
  
  a second software module that, when executed by one or more processors, is adapted to include the credential in a header portion of the electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope, and wherein the header portion is a header portion of the SOAP envelope;
  
  a third software module that, when executed by one or more processors, is adapted to include, in the header portion, an identification of an encoding format of the credential; and
  
  a fourth software module that, when executed by one or more processors, is adapted to include, in the header portion, an identification of a type of the credential.

42. In a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for a source computing system constructing an electronic message, the method comprising the following:
- an act of including an electronic signature in a header portion of an electronic message, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope, and wherein the header portion is a header portion of the SOAP envelope, the electronic signature generated by a user;
  
  an act of generating a reference indicating where a credential associated with the electronic signature may be found;
  
  an act of including the reference in the header portion of the electronic message.
- View Dependent Claims (43, 44, 45, 46, 47)
- - 43. The method in accordance with claim 42, further comprising the following:
    - an act of including an encryption manifest in the header portion to thereby designate portions of a body portion of the electronic message that are encrypted.
  - 44. A method in accordance with claim 42, wherein the reference indicates that the associated credential may be found at a location that is internal to the electronic message.
  - 45. A method in accordance with claim 42, wherein the reference indicates that the associated credential may be found at a location that is external to the electronic message.
  - 46. The method in accordance with claim 42, wherein the credential includes biometric data.
  - 47. The method in accordance with claim 42, wherein the electronic message is a HyperText Transport Protocol (HTTP) message, and wherein the header portion is a header portion of the HTTP message.

48. In a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for a recipient computing system to verify the identity of a sender of an electronic message, the method comprising the following:
- an act of receiving the electronic message;
  
  an act of reading an electronic signature from a header portion of the electronic message, the electronic signature generated by a user, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope, and wherein the header portion is a header portion of the SOAP envelope;
  
  an act of reading a reference from the header portion, the reference indicating where a credential associated with the user may be found;
  
  an act of using the reference to find the credential; and
  
  an act of determining if the credential corresponds with the electronic signature.
- View Dependent Claims (49, 50)
- - 49. A method in accordance with claim 48, wherein the reference indicates that the associated credential may be found at a location that is internal to the electronic message.
  - 50. A method in accordance with claim 48, wherein the reference indicates that the associated credential may be found at a location that is external to the electronic message.

51. A computer program product for use in a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, the computer program product for implementing a method for a recipient computing system to verify the identity of a sender of an electronic message, the computer program product comprising one or more physical computer-readable storage media having thereon the following:
- computer-executable instructions for detecting the receipt of the electronic message;
  
  computer-executable instructions for reading an electronic signature from a header portion of the electronic message, the electronic signature generated by a user, wherein the electronic message is a Simple Object Access Protocol (SOAP) envelope, and wherein the header portion is a header portion of the SOAP envelope;
  
  computer-executable instructions for reading a reference from the header portion, the reference indicating where a credential associated with the user may be found;
  
  computer-executable instructions for using the reference to find the credential; and
  
  computer-executable instructions for determining if the credential corresponds with the electronic signature.

52. In a network environment that includes a plurality of computing systems capable of communicating using electronic messaging, a method for a source computing system constructing a Simple Object Access Protocol envelope, the method comprising the following:
- an act of designating at least one destination address in the SOAP envelope, the destination address corresponding to one or more recipient computing devices; and
  
  an act of including a first security token in a header portion of the SOAP envelope, the first security token being at least derived from a first credential of a first credential type.
- View Dependent Claims (53)
- - 53. The method in accordance with claim 52, further comprising the following:
    - an act of including a second security token in the header portion of the SOAP envelope, the second security token being at least derived from a second credential of a second credential type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kaler, Christopher J., Shewchuk, John P., Della-Libera, Giovanni M.
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Fields; Courtney D

Application Number

US10/693,290
Publication Number

US 20040088585A1
Time in Patent Office

2,035 Days
Field of Search

726/5, 726/6, 713/186
US Class Current

726/5
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 51/222   using geographical location...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

H04L 67/561   Adding application-function...

Flexible electronic message security mechanism

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Flexible electronic message security mechanism

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links