Patent Grant
10848313
The disclosed implementations generally relate to the field of computer networks, and relate in particular to using cryptographic techniques to secure access to protected network resources.
Computer communication networks have become the de facto method of communication for the modern world. In addition to communication between private citizens, various organizations use computer communication networks to communicate, share information, and share documents. Much of this communication is transmitted over non-private computer networks (such as the Internet).
Organizations, such as corporations and governments, often need to communicate sensitive information over the Internet. As such, being able to securely transmit the information over the Internet is very important. Some organizations use encryption techniques to attempt to secure information crossing the Internet unreadable to non-authorized parties. Some organizations use virtual private networks (VPNs) to secure their computers and system. However, making resources available over a public network also makes organizations more vulnerable to malicious attack and unauthorized access.
Accordingly, there is a need for methods, devices, systems, and interfaces for securing access to protected network resources. By using a security device to employ cryptographic techniques, such as hash generation, based on data received from a client system requesting access to network resources, and based on data retrieved from a trusted device, the security device can effectively and securely grant access only to authorized users and systems, or similarly terminate network connections to unauthorized users and systems.
In accordance with some implementations, a method is performed at a security device (e.g., a cryptographic firewall) having one or more processors and memory storing one or more programs for execution by the one or more processors. The method includes establishing a network connection with a client system (i.e., the client system establishes a network connection with the security device). After establishing the network connection, the security device receives from the client system a first packet. The first packet includes an identifier, a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed. Based on the identifier received from the client system, the security device retrieves from a trusted data store the seed and a second counter value. If the first counter value is larger than the second counter value, the security device generates a second one-time password hash based on the identifier, the first counter value, and the seed. The security device then determines whether the first one-time password hash and the second one-time password hash match. In accordance with a determination that the first one-time password hash and the second one-time password hash match, the security device grants, to the client system, access to one or more network resources protected by the security device via the network connection.
In accordance with some implementations, a security device includes one or more processors, memory, and one or more programs; the one or more programs are stored in the memory and configured to be executed by the one or more processors. The one or more programs include instructions for performing the operations of the method described above. In accordance with some implementations, a computer-readable storage medium has stored therein instructions that, when executed by a security device, cause the security device to perform the operations of the method described above.
Devices and systems are therefore provided with faster, more efficient methods and interfaces for securing access to protected network resources. Such methods, devices, systems, and interfaces optionally complement or replace conventional methods for securing access to protected network resources.
For a better understanding of the various described implementations, reference should be made to the Description of Implementations below, in conjunction with the following drawings. Like reference numerals refer to corresponding parts throughout the figures and description.
Reference will now be made to implementations, examples of which are illustrated in the accompanying drawings. In the following description, numerous specific details are set forth in order to provide an understanding of the various described implementations. However, it will be apparent to one of ordinary skill in the art that the various described implementations may be practiced without these specific details. In other instances, well-known methods, procedures, components, circuits, and networks have not been described in detail so as not to unnecessarily obscure aspects of the implementations.
It will also be understood that, although the terms first, second, etc. are, in some instances, used herein to describe various elements, these elements should not be limited by these terms. These terms are used only to distinguish one element from another. For example, a first counter value could be termed a second counter value, and, similarly, a second counter value could be termed a first counter value, without departing from the scope of the various described implementations. The first counter value and the second counter value are both counter values, but they are not the same counter value.
The terminology used in the description of the various implementations described herein is for the purpose of describing particular implementations only and is not intended to be limiting. As used in the description of the various described implementations and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term “and/or” as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms “includes,” “including,” “comprises,” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
As used herein, the term “if” is, optionally, construed to mean “when” or “upon” or “in response to determining” or “in response to detecting” or “in accordance with a determination that,” depending on the context. Similarly, the phrase “if it is determined” or “if [a stated condition or event] is detected” is, optionally, construed to mean “upon determining” or “in response to determining” or “upon detecting [the stated condition or event]” or “in response to detecting [the stated condition or event]” or “in accordance with a determination that [a stated condition or event] is detected,” depending on the context.
As used herein, the term “exemplary” is used in the sense of “serving as an example, instance, or illustration” and not in the sense of “representing the best of its kind.”
Systems and methods are described herein for improving the security of network assets and network communications performed over the Internet or any other public computer network. In some implementations, the network in question is a corporate network for a large organization with diverse operations—sometimes in multiple countries—and a host of employees who perform a variety of different roles in the organization and who need to access the organization's network—sometimes using a variety of client systems. Securing corporate networks is particularly important because organizations with sensitive information are at risk from malicious attacks that target networked assets (e.g. servers accessible over public computer networks, such as the Internet, or data stored in a network) or target actual communications that are transmitted over the publically accessible network.
In some implementations, the one or more networks 110 include a public communication network (e.g., the Internet and/or a cellular data network), a private communications network (e.g., a private LAN or leased lines), or a combination of such communication networks. In some implementations, the one or more networks 110 use the HyperText Transport Protocol (HTTP) and the Transmission Control Protocol/Internet Protocol (TCP/IP) to transmit information between devices or systems. HTTP permits client systems to access various resources available via the one or more networks 110. In some implementations, the one or more networks 110 are wireless communications channels based on various custom or standard wireless communications protocols (e.g., IEEE 802.15.4, IEEE 802.11 Wi-Fi, ZigBee, 6LoWPAN, Thread, Z-Wave, Bluetooth Smart, ISA100.11a, WirelessHART, MiWi, etc.), or any other suitable communication protocol, including communication protocols not yet developed as of the filing date of this document. Alternatively, in some implementations, at least a portion of the one or more networks 110 comprise physical interfaces based on wired communications protocols (e.g., Ethernet, USB, etc.). Although all devices and systems are illustrated as being interconnected through the network 110, in some implementations, any of the aforementioned devices or systems are communicably connected with each other either directly (i.e., device-to-device) or through a network device (e.g., a router represented by network 110), or with only a subset of the other devices and systems of the client-server environment 100, via any combination of the aforementioned networks 110 (e.g., the client system 102 and the security device 104 are each communicably connected to the trusted data store 106, but only the security device 104 is communicably connected to the server system 108, and thus access to network resources provided by the server system 108 is controlled by the security device 104). The various implementations of the invention, however, are not limited to the use of any particular communication protocol.
In some implementations, the client-server environment 100 includes one or more client systems 102. In some implementations, client systems 102 are computing devices such as smart watches, personal digital assistants, portable media players, smart phones, tablet computers, 2D gaming devices, 3D (e.g., virtual reality) gaming devices, laptop computers, desktop computers, televisions with one or more processors embedded therein or coupled thereto, in-vehicle information systems (e.g., an in-car computer system that provides navigation, entertainment, and/or other information), and/or other appropriate computing devices that can be used to communicate with one or more devices or systems of the client-server environment 100.
Users employ client systems 102 to access the resources and services provided by the server system 108. For example, in some implementations, the client system 102 executes a web browser application that can be used to access the server system 108. As another example, in some implementations, the client system 102 executes one or more software application that are specific to the server system 108 (e.g., “apps” running on smart phones or tablets for accessing services and resources provided by the server system 108). In some implementations, the server system 108 stores data (e.g., the work product of attorneys) and provide services (e.g., an email service or a document backup service) that is accessible over the network 110. In some implementation, access to system resources or services is controlled by dividing various resources into a plurality of virtual domains. Virtual domains are logical, not physical, groupings of related network data and resources to which some users have access to and others do not. In some implementations, a particular virtual domain represents a respective set of services and information distinct from those provided by other virtual domains.
In some implementations, the role of a user or a client system 102 determines which virtual domains they are permitted to access.
The security device 104 manages secure communication of the client systems 102 or associated users of the client systems with resources and services provided by the server system 108. The security device both sends and receives data (e.g., data packets including identifiers, counter values, password hashes, etc.) to and from various devices/systems of the server-client environment 100 (e.g., receiving data from/sending data to the client system 102, the server system 108, etc.). In some implementations, the security device 104 moderates incoming and outgoing network traffic (e.g., grants/terminates access by permitting or denying the sending or receiving of data to or from the client systems 102) based on predetermined security protocols (e.g., using cryptographic techniques, such as generating and comparing password hash values; comparing counter values; etc.).
In some implementations, the client system 102 is not communicably connected to the server system 108 through the network 110, and must pass to and/or receive from the server system all data through the security device 104 via channel 112-1 (i.e., the security device 104 acts as a firewall). Once a network connection is established between the client system 102 and the security device 104, and access to network resources and services provided by the server system 108 is granted, channel 112-1 is established and the client system 102 is able to request data or services from the server system 108. In some embodiments, channel 112-1 may be a channel in a network distinct from the network(s) 110, which may be a public communication network (e.g., the Internet and/or a cellular data network), a private communications network (e.g., a private LAN or leased lines), or a combination of such communication networks.
Additionally and/or alternatively, the client system 102 is communicably connected to the server system 108 through network(s) 110 and may receive data via channel 112-2 (i.e., through networks 110) once access to network resources and services provided by the server system 108 is granted (e.g., by security device 104, in accordance with any of the implementations described throughout).
In some implementations, the security device 104 is configured to send and receive packets in accordance with one or more network protocols (e.g., establishing and moderating network connections by sending/receiving SYN, SYN-ACK, ACK, RST, FIN, etc. packets in accordance with TCP/IP). In some implementations, the security device 104 additionally performs any combination of known functions or operations of a typical firewall device, implemented as hardware and/or software components of the security device 104.
The trusted data store 106 facilitates the execution of predetermined security protocols by providing security credentials or data for use in cryptographic processes executed by the security device 104 (or other devices/systems of the client-server environment 100). The trusted data store 106 may be communicably connected to the client system 102, the security device 104, and/or other devices or systems of the client-server environment. In some implementations, the trusted data store 106 provides identifiers, seeds (e.g., randomly generated), counter values (e.g., generated by an internal system counter), and/or other generated credentials for facilitating one or more cryptographic processes. In some implementations, seeds are randomly generated or predefined values (e.g., number, vector, etc.) for use in one or more cryptographic process (e.g., generating a one-time password hash). The trusted data store 106 may include a seed distributor 414 (e.g., for providing identifiers, seeds, counter values, etc. in response to access requests), a seed storage 416 (e.g., table for managing distributed identifier/seed pairs), and/or other components not illustrated (e.g., a system counter for maintaining counter values).
In some implementations, any combination of the security device 104, the trusted data store 106, and/or the server system 108 comprise a single security system to which access requests by the client system 102 are directed. In some implementations, functionality associated with any one of the security device 104, the trusted data store 106, and/or the server system 108 is implemented at a single computing device such as a computer server, or alternatively, is implemented by multiple computing devices working together to perform respective operations and actions (e.g., cloud computing).
Memory 206 includes high-speed random-access memory, such as DRAM, SRAM, DDR RAM, or other random-access solid-state memory devices; and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, and/or other non-volatile solid-state storage devices. Memory 206 may optionally include one or more storage devices remotely located from the processor(s) 202. Memory 206, or alternately the non-volatile memory device(s) within memory 206, includes a non-transitory computer-readable storage medium. In some implementations, memory 206 or the computer-readable storage medium of memory 206 stores the following programs, modules and data structures, or a subset or superset thereof:
The server data module(s) 222 store data in one or more types of databases, such as graph, dimensional, flat, hierarchical, network, object-oriented, relational, and/or XML databases. Data stored in the server data module(s) 222 may include text (e.g., ASCII, SGML, HTML), images (e.g., jpeg, tif and gif), graphics (e.g., vector-based or bitmap), audio, video (e.g., mpeg), other multimedia, and/or combinations thereof.
The client system 102 includes one or more optional components. For example, in some implementations, the client system 102 includes an optional user interface 310. The user interface 310 typically includes a display device 312. In some implementations, the client system 102 includes inputs such as a keyboard, mouse, and/or other input buttons 316. Alternatively or in addition, in some implementations, the display device 312 includes a touch-sensitive surface 314, in which case the display device 312 is a touch-sensitive display. In client systems that have a touch-sensitive display 312, a physical keyboard is optional (e.g., a soft keyboard may be displayed when keyboard entry is needed). The user interface 310 also includes an audio output device 318, such as speakers or an audio output connection connected to speakers, earphones, or headphones. Furthermore, some client systems 102 use a microphone and voice recognition to supplement or replace the keyboard. Optionally, the client system 102 includes an audio input device 320 (e.g., a microphone) to capture audio (e.g., speech from a user). Optionally, the client system 102 includes a location detection device 322, such as a GPS (global positioning satellite) or other geo-location receiver, for determining the location of the client system 102. The client system 102 also optionally includes an image/video capture device 324, such as a camera or webcam.
Memory 306 includes high-speed random-access memory, such as DRAM, SRAM, DDR RAM or other random-access solid-state memory devices; and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid-state storage devices. Memory 306 may optionally include one or more storage devices remotely located from the processor(s) 302. Memory 306, or alternately the non-volatile memory device(s) within memory 306, includes a non-transitory computer-readable storage medium. In some implementations, memory 306 or the computer-readable storage medium of memory 306 stores the following programs, modules and data structures, or a subset or superset thereof:
In some implementations, the client system 102 includes none (or only some) of the optional components or modules described above. The client system 102 may, for example, be any intelligent, multi-sensing, network-connected device without a user interface (e.g., smart lightbulb, smoke detector, etc.).
Memory 406 includes high-speed random-access memory, such as DRAM, SRAM, DDR RAM, or other random-access solid-state memory devices; and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, and/or other non-volatile solid-state storage devices. Memory 406 may optionally include one or more storage devices remotely located from the processor(s) 402. Memory 406, or alternately the non-volatile memory device(s) within memory 406, includes a non-transitory computer-readable storage medium. In some implementations, memory 406 or the computer-readable storage medium of memory 406 stores the following programs, modules and data structures, or a subset or superset thereof:
Each of the above identified modules and applications correspond to a set of executable instructions for performing one or more functions as described above and/or in the methods described in this application (e.g., the computer-implemented methods and other information processing methods described herein). These modules (i.e., sets of instructions) need not be implemented as separate software programs, procedures or modules, and thus various subsets of these modules are, optionally, combined or otherwise re-arranged in various implementations. In some implementations, memory 206, 306, and/or 406 store a subset of the modules and data structures identified above. Furthermore, memory 206, 306, and/or 406 optionally store additional modules and data structures not described above.
In some implementations, the functions of any of the devices and systems described herein (e.g., client system 102, security device 104, trusted data store 106, server system 108, etc.) are interchangeable with one another and may be performed by any other devices or systems, where the corresponding sub-modules of these functions may additionally and/or alternatively be located within and executed by any of the devices and systems. As an example, although the memory 306 of the client system 102 includes a cryptographic module 338 for generating cryptographic information, the trusted data store 106 may include the same or a similar module for performing the same or similar functions. The devices and systems shown in and described with respect to
As an overview of the method 500, a security device (e.g., security device 104,
In some implementations, prior to the security device (e.g., security device 104) establishing (step 506) the network connection with the client system (e.g., client system 102), the client system sends (502) to a trusted data store (e.g., trusted data store 106) (and the trusted data store receives from the client system) a request for an identifier and seed pair (e.g., as, or included with, a request for access to network resources and services provided by a server system 108). In response to the request, the trusted data store provides to the client system (and the client system receives from the trusted data store) an identifier and a seed.
Identifiers may identify a user session (i.e., a session in which access to network resources or services is requested) and/or a client system requesting initiation of the user session. For example, in some implementations, the identifier is data uniquely identifying a user session associated with the client system's request for the identifier and seed pair (e.g., timestamp in combination with a username, system ID, etc.). In some implementations, the identifier is a random number that is used for only one user session. In some implementations, the identifier is a name or password associated with an associated user that has been encrypted (e.g., username/password submitted for retrieving the identifier/seed pair). The encryption may be performed using a key that is stored at the trusted data store.
Seeds may be randomly generated or predefined values (e.g., number, vector, etc.) for use in a cryptographic process (e.g., generating a one-time password hash), as described in greater detail below. In some implementations, the trusted data store manages a plurality of identifier and seed pairs (e.g., stored in seed storage 416 of the trusted data store 106,
In some implementations, in response to receiving the request for the identifier and seed pair, and in addition to providing the identifier and seed, the trusted data store also provides to the client system a first counter value. The first counter value is one of a plurality of incremental counts generated by a system counter. In some implementations, the system counter is a component of the trusted data store (e.g., system counter 418,
Alternatively, the client system itself generates the first counter value in response to receiving the identifier and seed from the trusted data store. In some implementations, a system counter of the client system (rather than the trusted data store or other device) is incremented such that the first counter value is greater than a previous counter value that was generated for a previous request.
In some implementations, the identifier, the seed, and/or the first counter value are provided to the client system by the trusted data store in response to authenticating the client system. As an example, the trusted data store provides the identifier/seed/first counter value to the client system only after valid user credentials are provided by the client system (e.g., username/password that are verified against a trusted user database stored at the trusted data store, USB token, RSA token number, or any other secure identification method). Other methods of authenticating the client system include verifying information identifying the client system (e.g., IP address, MAC address, geographical location, etc. of the client system 102).
In some implementations, after receiving the identifier, the first counter value, and the seed, the client system generates a first one-time password hash based on the identifier, the first counter value, and the seed. Cryptographic processes may employ a variety of cryptographic hash algorithms/functions (e.g., MD4, MD5, SHA-1, SHA-2, HMAC, GMAC, etc.) to generate hash values of different sizes (e.g., digests of varying sizes, such as 128-bit, 160-bit, etc.). In some implementations, data input to the hash algorithms may include any combination of data stored in the client system and/or retrieved from the trusted data store, including but not limited to the identifier, the first counter value, the seed, and/or other additional variables for generating the hash.
The client system and the security device establish (506) a network connection. In some implementations, the network connection is established over one or more networks (e.g., networks 110) based on wireless communications protocols (e.g., IEEE 802.11, cellular network, etc.) or wired communications protocols (e.g., Ethernet). In some implementations, the network connection is a Transmission Control Protocol (TCP) connection. Here, establishing the network connection with the client system prior to receiving a first packet from the client system (step 508) includes the security device receiving from the client system (and the client system sending to the security device) a SYN packet. In response to the security device receiving (or the client system sending) the SYN packet, the security device sends to the client system (and the client system receives from the security device) a SYN-ACK packet. After the security device sending (or the client system receiving) the SYN-ACK packet, the security device receives from the client system (and the client system sends to the security device) an ACK packet, thereby establishing the network connection and permitting the receipt of data from the client system (e.g., the first packet).
After establishing the network connection, the security device receives (508) from the client system (and the client system sends to the security device) a first packet. The first packet includes the identifier (received by the client system at 504), a first counter value (received or alternatively generated by the client system at 504), and a first one-time password hash (e.g., generated by the client system/trusted data store). In some implementations, receiving the first packet includes receiving the first packet embedded in a body of an HTTP POST. In some implementations, receiving the first packet includes receiving the first packet embedded within an HTTP GET URL. In some implementations, receiving the first packet includes receiving the first packet in a TLS Client Hello message, wherein the first packet is placed within the “random” field of the TLS Client Hello message.
Based on the identifier received from the client system, the security device retrieves (510) from the trusted data store (and the trusted data store provides to the security device) the seed and a second counter value. That is, the security device sends, to the trust data store, the identifier received from the client system, and in return, the security device receives a corresponding seed and a second counter value. Although the security device and the client system may individually retrieve the seed from the trusted data store, the security device and the client system never exchange the seed directly between each other, thus ensuring that the seeds being used have not been compromised. In some implementations, the second counter value is a previous counter value maintained by the trusted data store (e.g., a previous count which reflects the system counter before the trusted data store provided the first counter value to the client system). The seed retrieved using the identifier provided by the client system, as well as the second counter value, provide security mechanisms for verifying the authenticity of the client system requesting access to the protected network resources. As described in greater detail below, in some implementations, granting access to protected network resources requires the satisfaction of at least two security conditions, namely that: (1) the hash generated by the security device based on the seed retrieved from the trusted data store matches the hash received from the client system (which is generated using the seed received from the trusted data store by the client system), and (2) the previous counter value obtained from the trusted data store (i.e., the second counter value) is less than the counter value provided by the client system (i.e., the first counter value). Therefore, in some implementations, unless valid security credentials were somehow illegitimately obtained, unauthorized users seeking to access protected network resources would need to successfully satisfy both conditions with respect to data contained within the first packet (provided to the security device at step 508).
After retrieving the seed and the second counter value, the security device determines (512) if the first counter value is larger than the second counter value. If the first counter value is less than or equal to the second counter value, the security device terminates (e.g., sends a reset packet to the client system) the network connection with the client system (various implementations for terminating the network connection are described in greater detail below). However, if the first counter value is larger than the second counter value, the security device generates (514) a second one-time password hash based on the identifier (received from the client system), the first counter value (received from the client system), and the seed (retrieved from the trusted data store). Comparing the first and second counter values provides a preliminary security mechanism for determining the authenticity of the client system.
Time values (e.g., date, time of day, etc.) may be used additionally and/or alternatively to counter values. For example, in some implementations, for a given access request, the client system sends the security device a first time value and also generates a first one-time password hash based on the first time value (step 508). The security device then compares (step 512) the first time value with a current time value (e.g., a current time maintained by a system clock of the security device, trusted data store, etc.). If the first time value falls within a predefined range of the current time value (e.g., within 1 minute), the security device generates (step 514) a second one-time password hash based on the identifier (received from the client system), the first time value (received from the client system), and the seed (retrieved from the trusted data store). However, if the first time value does not fall within the predefined range of the current time value, the security device terminates (e.g., sends a reset packet to the client system) the network connection with the client system.
After generating the second one-time password hash (e.g., generated if first counter value is larger than the second counter value), the security device determines whether the first one-time password hash and the second one-time password hash match. In accordance with a determination that the first one-time password hash and the second one-time password hash match, the security device grants (518), to the client system, access to one or more network resources protected by the security device via the network connection. That is, if the first and second one-time password hashes match, the security device maintains the network connection (e.g., TCP) and permits the exchange of data between the client system and a device/server system that provides the requested network sources (e.g., the security device 104 receives data from the client system 102, and passes the data to the server system 108,
In some embodiments, rather than retrieving the second counter value from the trusted data store (step 510), the security device identifies the second counter value based on a system counter that the security device itself maintains. The system counter of the security device may be updated (e.g., incremented to match the first counter value) each time it receives a packet from a client system (step 508). Alternatively, the system counter of the security device may be updated (e.g., incremented to match the first counter value) in accordance with a determination that the first one-time password hash and the second one-time password hash match.
In some implementations, in accordance with a determination that the first one-time password hash and the second one-time password hash do not match, the security device terminates (520) the network connection with the client system. In some implementations, the first and second one-time password hashes fail to match as a result of different seeds used in generating the first one-time password hash and in generating the second one-time password hash. This may occur, for example, if the client system (e.g., suspected of attempting unauthorized access) provides in the first packet a valid identifier, but an invalid corresponding seed.
In addition to terminating the network connection if the first and second one-time password hashes do not match, as described previously, the network connection may also be terminated if the first counter value is less than or equal to the second counter value (determined at step 512). In any case, the network connection (e.g., TCP connection) may be terminated using a variety of techniques. For example, in some implementations, terminating the network connection with the client system includes the security device sending a reset packet (e.g., RST packet) to the client system (or alternatively, the client system sends a RST packet to the security device). Accordingly, all further communications from the client system (or the security device) are ignored. In some implementations, the security device sends to the client system (and the client system receives from the security device) a FIN packet. In return, the client system sends to the security device (and the security device receives from the client system) a FIN-ACK packet. Finally, the security device sends to the client system (and the client system receives from the security device) an ACK packet, thereby terminating the network connection. In some implementations, terminating the network connection with the client system includes foregoing acknowledgment of packets received from the client system that are associated with the user session or the established network connection (e.g., no additional information or packets are sent by the security device to the client system). In some implementations, terminating the network connection with the client system further includes clearing table entries associated with the connection request (e.g., entries stored in the memory 206 of the security device 104,
Although some of various drawings illustrate a number of logical stages in a particular order, stages which are not order dependent may be reordered and other stages may be combined or broken out. While some reordering or other groupings are specifically mentioned, others will be apparent to those of ordinary skill in the art, so the ordering and groupings presented herein are not an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.
The foregoing description, for purpose of explanation, has been described with reference to specific implementations. However, the illustrative discussions above are not intended to be exhaustive or to limit the scope of the claims to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The implementations were chosen in order to best explain the principles underlying the claims and their practical applications, to thereby enable others skilled in the art to best use the implementations with various modifications as are suited to the particular uses contemplated.
This application is a continuation of U.S. patent application Ser. No. 15/266,980, filed Sep. 15, 2016, which claims priority to U.S. Provisional Patent Application No. 62/287,790 filed Jan. 27, 2016, both of which are hereby incorporated by reference in their entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6226750 | Trieger | May 2001 | B1 |
| 6366577 | Donovan | Apr 2002 | B1 |
| 6687822 | Jakobsson | Feb 2004 | B1 |
| 7131000 | Bradee | Oct 2006 | B2 |
| 7155738 | Zhu et al. | Dec 2006 | B2 |
| 7428750 | Dunn et al. | Sep 2008 | B1 |
| 7536544 | Xiao | May 2009 | B2 |
| 7562382 | Hinton et al. | Jul 2009 | B2 |
| 7596530 | Glasberg | Sep 2009 | B1 |
| 7644446 | Strom et al. | Jan 2010 | B2 |
| 7657639 | Hinton | Feb 2010 | B2 |
| 7673046 | Lehew et al. | Mar 2010 | B2 |
| 7814531 | Khosravi et al. | Oct 2010 | B2 |
| 7831047 | Rowe | Nov 2010 | B2 |
| 7900046 | Baliga et al. | Mar 2011 | B2 |
| 7996631 | Bender et al. | Aug 2011 | B1 |
| 8141139 | Hinton et al. | Mar 2012 | B2 |
| 8196177 | Hinton et al. | Jun 2012 | B2 |
| 8214394 | Krishnaprasad et al. | Jul 2012 | B2 |
| 8214634 | Steele et al. | Jul 2012 | B1 |
| 8255984 | Ghostine et al. | Aug 2012 | B1 |
| 8359360 | Logue et al. | Jan 2013 | B2 |
| 8375430 | Grewal et al. | Feb 2013 | B2 |
| 8382593 | Edgren et al. | Feb 2013 | B2 |
| 8396949 | Bubolz et al. | Mar 2013 | B2 |
| 8443435 | Schroeder | May 2013 | B1 |
| 8447976 | Jain et al. | May 2013 | B2 |
| 8522019 | Michaelis | Aug 2013 | B2 |
| 8590029 | Vitaletti | Nov 2013 | B2 |
| 8667593 | Shnitzer | Mar 2014 | B1 |
| 8707451 | Ture et al. | Apr 2014 | B2 |
| 8732452 | Byrum et al. | May 2014 | B2 |
| 8782759 | Hinton et al. | Jul 2014 | B2 |
| 8793769 | Marcia et al. | Jul 2014 | B2 |
| 8843997 | Hare | Sep 2014 | B1 |
| 8856957 | Roth et al. | Oct 2014 | B1 |
| 8875249 | Ture et al. | Oct 2014 | B2 |
| 8903315 | Pering et al. | Dec 2014 | B2 |
| 9069869 | Quinn | Jun 2015 | B1 |
| 9398050 | Islam et al. | Jul 2016 | B2 |
| 9705678 | Wang | Jul 2017 | B1 |
| 20020095571 | Bradee | Jul 2002 | A1 |
| 20020156965 | Gusler et al. | Oct 2002 | A1 |
| 20020184507 | Makower et al. | Dec 2002 | A1 |
| 20030023689 | Brown et al. | Jan 2003 | A1 |
| 20030130960 | Fraser et al. | Jul 2003 | A1 |
| 20030140131 | Chandrashekhar et al. | Jul 2003 | A1 |
| 20030167308 | Schran | Sep 2003 | A1 |
| 20030220880 | Lao et al. | Nov 2003 | A1 |
| 20040098620 | Shay | May 2004 | A1 |
| 20040128392 | Blakley et al. | Jul 2004 | A1 |
| 20040187031 | Liddle | Sep 2004 | A1 |
| 20040220878 | Lao et al. | Nov 2004 | A1 |
| 20040259633 | Gentles et al. | Dec 2004 | A1 |
| 20050015586 | Brickell | Jan 2005 | A1 |
| 20050097321 | Zhu et al. | May 2005 | A1 |
| 20050213584 | Donovan | Sep 2005 | A1 |
| 20050223217 | Howard et al. | Oct 2005 | A1 |
| 20050223413 | Duggan et al. | Oct 2005 | A1 |
| 20050238034 | Gillespie et al. | Oct 2005 | A1 |
| 20060020679 | Hinton et al. | Jan 2006 | A1 |
| 20060059544 | Guthrie et al. | Mar 2006 | A1 |
| 20060090074 | Matoba | Apr 2006 | A1 |
| 20060156026 | Utin | Jul 2006 | A1 |
| 20060212931 | Shull et al. | Sep 2006 | A1 |
| 20060236382 | Hinton et al. | Oct 2006 | A1 |
| 20070006282 | Durham et al. | Jan 2007 | A1 |
| 20070101400 | Freeman et al. | May 2007 | A1 |
| 20070143629 | Hardjono et al. | Jun 2007 | A1 |
| 20070208745 | Ture et al. | Sep 2007 | A1 |
| 20070208755 | Bhatkar et al. | Sep 2007 | A1 |
| 20070226784 | Ueda | Sep 2007 | A1 |
| 20080005359 | Khosravi et al. | Jan 2008 | A1 |
| 20080010665 | Hinton et al. | Jan 2008 | A1 |
| 20080034420 | Chang | Feb 2008 | A1 |
| 20080046984 | Bohmer et al. | Feb 2008 | A1 |
| 20080109904 | In et al. | May 2008 | A1 |
| 20080112551 | Forbes et al. | May 2008 | A1 |
| 20080222174 | Lyman | Sep 2008 | A1 |
| 20080229427 | Ramirez | Sep 2008 | A1 |
| 20080320567 | Shulman et al. | Dec 2008 | A1 |
| 20090070863 | Shimizu et al. | Mar 2009 | A1 |
| 20090083403 | Xu et al. | Mar 2009 | A1 |
| 20090150297 | Richard | Jun 2009 | A1 |
| 20090182592 | Ballaro et al. | Jul 2009 | A1 |
| 20090217033 | Costa et al. | Aug 2009 | A1 |
| 20090259753 | Hinton et al. | Oct 2009 | A1 |
| 20090319781 | Byrum et al. | Dec 2009 | A1 |
| 20090328186 | Pollutro et al. | Dec 2009 | A1 |
| 20100054480 | Schneider | Mar 2010 | A1 |
| 20100058072 | Teow | Mar 2010 | A1 |
| 20100122333 | Noe | May 2010 | A1 |
| 20100174810 | Cain et al. | Jul 2010 | A1 |
| 20100189260 | Ramanathan et al. | Jul 2010 | A1 |
| 20100242083 | Begum et al. | Sep 2010 | A1 |
| 20100242099 | Tsao | Sep 2010 | A1 |
| 20100313016 | Zhang et al. | Dec 2010 | A1 |
| 20100313276 | Banti et al. | Dec 2010 | A1 |
| 20100325710 | Etchegoyen | Dec 2010 | A1 |
| 20110013637 | Xue et al. | Jan 2011 | A1 |
| 20110047381 | Ganesan et al. | Feb 2011 | A1 |
| 20110061103 | Salkewicz | Mar 2011 | A1 |
| 20110078775 | Yan | Mar 2011 | A1 |
| 20110145565 | Kol et al. | Jun 2011 | A1 |
| 20110320617 | Annamalaisami | Dec 2011 | A1 |
| 20120022928 | Wu | Jan 2012 | A1 |
| 20120084570 | Kuzin et al. | Apr 2012 | A1 |
| 20120144464 | Fakhrai et al. | Jun 2012 | A1 |
| 20120164982 | Klein | Jun 2012 | A1 |
| 20120254957 | Fork et al. | Oct 2012 | A1 |
| 20120331532 | Walters et al. | Dec 2012 | A1 |
| 20130107889 | Barabash et al. | May 2013 | A1 |
| 20130185799 | Pfeifer et al. | Jul 2013 | A1 |
| 20130191494 | Sidhu et al. | Jul 2013 | A1 |
| 20130219164 | Hamid | Aug 2013 | A1 |
| 20130275376 | Hudlow et al. | Oct 2013 | A1 |
| 20130276086 | Yu | Oct 2013 | A1 |
| 20130318577 | Bulusu et al. | Nov 2013 | A1 |
| 20130326228 | Utin | Dec 2013 | A1 |
| 20140006598 | Uola | Jan 2014 | A1 |
| 20140007229 | Smith et al. | Jan 2014 | A1 |
| 20140013396 | Field-Eliot et al. | Jan 2014 | A1 |
| 20140075184 | Gorbach et al. | Mar 2014 | A1 |
| 20140090033 | Lerner et al. | Mar 2014 | A1 |
| 20140096199 | Dave et al. | Apr 2014 | A1 |
| 20140122873 | Deutsch et al. | May 2014 | A1 |
| 20140133656 | Wurster | May 2014 | A1 |
| 20140157370 | Plattner et al. | Jun 2014 | A1 |
| 20140222955 | Islam et al. | Aug 2014 | A1 |
| 20140223178 | Islam et al. | Aug 2014 | A1 |
| 20150237035 | Islam et al. | Aug 2015 | A1 |
| Number | Date | Country |
|---|---|---|
| 1514569 | Nov 2010 | CN |
| 2367725 | Apr 2002 | GB |
| 2008021454 | Feb 2008 | WO |
| 2009136795 | Nov 2009 | WO |
| 2012091810 | Jul 2012 | WO |
| Entry |
|---|
| International Preliminary Report on Patentability for Application No. PCT/US2014/013235, dated Aug. 4, 2015, 10 pages. |
| International Search Report and Written Opinion for Application No. PCT/US2014/013235 dated Nov. 6, 2014, 15 pages. |
| Invitation to pay additional fees and Partial Search Report for Application No. PCT/US2014/013235, 5 pages. |
| Olson L., et al., “Trust Negotiation as an Authorization Service for Web Services,” 29th International Conference on Data Engineering Workshops 2013 (ICDEW), 2006, pp. 21. |
| Reimer T., et al., “Federated Identity Access Broker Pattern for Cloud Computing,” Network-Based Information System (NBIS), 2013 16th International Conference on IEEE, 2013, 9 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20200028685 A1 | Jan 2020 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62287790 | Jan 2016 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 15266980 | Sep 2016 | US |
| Child | 16585340 | US |
