US20140282992A1 - Systems and methods for securing the boot process of a device using credentials stored on an authentication token - Google Patents
Systems and methods for securing the boot process of a device using credentials stored on an authentication tokenDownload PDFInfo
- Publication number
- US20140282992A1 US20140282992A1US14/209,950US201414209950AUS2014282992A1US 20140282992 A1US20140282992 A1US 20140282992A1US 201414209950 AUS201414209950 AUS 201414209950AUS 2014282992 A1US2014282992 A1US 2014282992A1
- Authority
- US
- United States
- Prior art keywords
- authentication
- user
- data
- token
- operating system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- G—PHYSICS
- G01—MEASURING; TESTING
- G01S—RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
- G01S5/00—Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations
- G01S5/01—Determining conditions which influence positioning, e.g. radio environment, state of motion or energy consumption
- G01S5/012—Identifying whether indoors or outdoors
- G—PHYSICS
- G01—MEASURING; TESTING
- G01S—RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
- G01S5/00—Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations
- G01S5/01—Determining conditions which influence positioning, e.g. radio environment, state of motion or energy consumption
- G01S5/017—Detecting state or type of motion
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/029—Location-based management or tracking services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W64/00—Locating users or terminals or network equipment for network management purposes, e.g. mobility management
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2111—Location-sensitive, e.g. geographical location, GPS
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W64/00—Locating users or terminals or network equipment for network management purposes, e.g. mobility management
- H04W64/006—Locating users or terminals or network equipment for network management purposes, e.g. mobility management with additional information processing, e.g. for direction or speed determination
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Definitions
- the present inventionis in the technical field of computer security. More particularly, the present invention is in the technical field of securing the boot process of a device using credentials stored on an authentication token.
- Embodiments of the present inventioninclude a system for securing the boot process of a device using credentials stored on an authentication token.
- Other embodimentsinclude a method for securing the boot process of a device by reading an external authentication token, determining whether a user is authorized to access a device, based on the external authentication token, enabling an operating system of the device if the user is determined to be authorized, and processing a password from the user to access the operating system of the device.
- Another embodimentincludes a method wherein first authentication data is received via a short range wireless signal, second authentication data is generated from the first authentication data, the second authentication data is transmitted to an in-location access point, third authentication data is received from the in-location access point, wherein the third authentication data is based on the second authentication data, and a fourth authentication data is communicated to a server, wherein the fourth authentication data includes at least a portion of the first, second, and third authentication data.
- the authentication tokenmay be read from a common access card or from one or more proximity signals.
- a public keymay be involved in determining if the token indicates the user is authorized to access the device.
- user access permissionsare obtained from a network resource before authentication to determine what data, hardware, or software components can be accessed by the user.
- updated user access permissionsare obtained from a network resource after the authentication. Enabling the operating system may include decrypting a root filesystem, decrypting a subset of the root filesystem, or loading an operating system. In some embodiments, the subset of the root filesystem that is decrypted is determined based on the external authentication token.
- the authentication processis varied based on the device's location indoors or outdoors.
- the determination of whether a user is authorizedinvolves decrypting the external authorization token and comparing the external authorization token to a stored authentication credential for the user.
- the stored authentication credentialis obtained from a remote credential server.
- the stored authentication credentialis obtained from a public key server.
- the present disclosuremay provide greater security than just password protection by requiring users of a device to authenticate with an external authentication token before the device allows the users to access the operating system.
- FIG. 1depicts certain components of a system for providing a secure device.
- FIG. 2depicts a workflow for securing a device.
- This disclosuremay increase the security of a mobile device by preventing access to the operating system at system boot using an external authentication token.
- a device 102may comprise an operating system 104 , an authentication token reading facility 108 and a credential processing facility 110 .
- the device 102may be a mobile device, such as a mobile phone, a smartphone, a tablet, a laptop or some other device.
- the operating system 104may be Android, bada, BlackBerry OS, iOS, Series40, Symbian OS, Windows Phone or some other operating system.
- the devicemay also include one or more of a processor, a memory, and a network interface.
- Network interfacemay provide an input and/or output mechanism to communicate with other network devices such as a router or server.
- the network interfacemay also provide communication with, for example, other gateways, wireless access nodes, and application servers to send and receive data such as packets and messages.
- the network interfacemay provide connectivity to 3G, 4G, WiFi, or other network types.
- Processormay run software which uses the network interface and the memory such as a tangible, non-transitory computer readable medium, a programmable read only memory (PROM), or flash memory.
- PROMprogrammable read only memory
- Processormay be any computer chip that is capable of executing program instruction streams that are part of a software program. Processor may have multiple cores for executing multiple streams of program instructions simultaneously.
- the processormay also have multiple sub-processors which are optimized for executing particular categories of program instructions and are controlled by the processor.
- the memoryis capable of storing and retrieving program instructions, program data, or any other data that is used by the processor.
- the processormay store and retrieve data from the memory as a software program is executed.
- Memorymay include or store one or more of an authentication token reading facility 108 and or a credential processing facility.
- Memorymay also include associated policies and configurations.
- the processormay optionally access and update a authentication token reading facility 108 and/or a credential processing facility and associated policies and configurations.
- the user equipmente.g., mobile device
- the user equipmentcan be a smart phone offering advanced capabilities including, but not limited to word processing, web browsing, gaming, e-book capabilities, an operating system, a user interface, and a full keyboard.
- the user equipmentmay run an operating system such as SYMBIAN OS, APPLE IOS, RIM's BLACKBERRY, WINDOWS MOBILE, Linux, PALM WEBOS, and ANDROID.
- the screenmay be a touch screen that can be used to input data to the mobile device and the screen can be used instead of a full keyboard.
- the user equipmentmay have the capability to run applications or communicate with applications that are provided by servers in the communication network. The user equipment can receive updates and other information from these applications on the network.
- a usermay be required to authenticate on the device 102 using an external authentication token 112 in order to use the operating system 104 on the device 102 .
- the credential processing facility 110may instruct the user of the device 102 to provide authentication information via the authentication token reading facility 108 .
- the authentication token reading facility 108may read authentication information from a physical device.
- the informationmay be an authentication token 112 .
- the authentication token 112may be stored on a Common Access Card, a smartcard, a USB token, an SD card, a key fob, or some other physical device.
- the authentication token 112may be a cryptographic key, such as a public key certificate, a digital signature, biometric data, a user id, or some other authentication information.
- the authentication token reading facility 108may be an external device connected to the device 102 .
- the authentication token reading facility 108may be configured to communicate with the device 102 using the network interface of the device. Communication may occur via a communications medium, such as Bluetooth, near field communication (“NFC”), Wi-Fi, or other wired or wireless communications medium.
- the authentication token reading facility 108may be a smartcard reader connected to the network interface of device 102 via Bluetooth.
- the boot loader for the devicewhich is a piece of software responsible for initiating the boot process of the operating system, may include or communicate with the credential processing facility.
- the boot loaderupon loading into memory, may use its internal or communicate with an external credential processing facility as part of a boot verification process.
- the boot loadermay selectively perform one or more operating system boot steps as a result of token reading, authentication, permission, or other determinations in the credential processing facility.
- the boot verification stepsmay include, but are not limited to: selecting the operating system kernel to boot, identifying a master boot record, loading one or more operating system kernel components into memory, executing one or more operating system components, validating one or more operating system components in memory or on a storage medium, verifying a master boot record or operating system kernel or kernel component, writing to an input/output device, displaying one or more user interface or informational components on a device user interface component, displaying one or more interactive user interface components to acquire additional information from the user relevant to one or more boot process steps, or initializing one or more hardware components.
- the boot loadermay require user input to be provided via one or more user interface components, including, but not limited to, a display, microphone, accelerometer, touch input, keyboard, trackball, external device, or other sensor/input mechanism.
- user inputtoken, sensor data, location of the device, or wireless signals in proximity, such as Bluetooth Low Energy, infrared, or acoustic signals, can be used to aid in determining the boot process components run by the boot loader.
- the device 102may be enabled to connect to a network 114 .
- device 102may connect to network 114 via the network interface of the device.
- authenticating the user on the device 102may include communicating first, second, and third authentication data over a short-range wireless signal between the device 102 and an in-location access point, wherein the second authentication data from the device 102 is based on the first authentication data from the in-location access point and the third authentication data from the in-location access point is based on the second authentication data; communicating a fourth authentication data between the mobile device and a web-based information system, wherein the fourth authentication data comprises at least a portion of at least one of the first, second, and third authentication data; and authenticating access to network accessible content by the mobile device with the web-based information system.
- the first authentication datamay be the authentication token 112 data.
- the web-based information systemmay be a proxy 118 .
- the authentication token reading facility 108 associated with the device 102may receive the authentication token 112 via NFC, send the second authentication data to the in-location access point via Bluetooth heartbeat messages, receive the third authentication data as responses to the Bluetooth heartbeat messages, send a request to a web proxy 118 that includes the third authentication data (e.g. in the form of hypertext transport protocol (HTTP) request with such data in the HTTP headers), and receive access to the device if the proxy 118 determines that the user is authorized, based on the third authentication data.
- HTTPhypertext transport protocol
- the credential processing facility 110may determine whether the authentication token 112 data is valid and whether the user is permitted to access the operating system 104 , based on the user provided authentication token 112 .
- Credential processingmay include local or distributed processing, using processing and storage capabilities of the authentication token device 112 or using remote (e.g., server-based) processing capabilities.
- local credential processingmay include one or more of decrypting, reviewing and comparing the user provided authentication token 112 by the credential processing facility 110 .
- distributed credential processingmay include one or more of decrypting, reviewing and comparing the user provided authentication token 112 by the credential processing facility 110 in connection with some authentication facility, such as a private key or public key service.
- Comparing the user provided authentication token 112may include looking up the user provided authentication token 112 in a database or file for a match or for a permission. Credential processing may be performed using private or public key authentication.
- the device 102may begin the operating system 104 boot process.
- the credential processing facility 110prevents the operating system 104 from beginning the boot process.
- the credential processing facility 110may erase part or all of the data stored on the device 102 upon a predetermined number of failed authentication attempts, which may be, but is not limited to, 3 attempts.
- the user of the device 102may provide a smartcard to be read by the authentication token reading facility 108 associated with the device 102 , where the smartcard includes the user's authentication token 112 .
- the authentication token 112 datacould be one or more X.509 certificates.
- the authentication token reading facility 108may read the authentication token 112 from the smartcard and provide the authentication token 112 information to the credential processing facility 110 .
- the credential processing facility 110may, then, determine whether the user is authorized to access the operating system 104 , based on the authentication token 112 information.
- a determination that the user is authorizedmay form an event suitable for use in determining a device context as described in U.S. Provisional Patent Application No. 61/780,408, at pages 3-4, which is incorporated herein by reference.
- Some embodiments of the inventionmay be used by incorporating location-based authorization into credential processing, as described in U.S. Provisional Patent Application No. 61/785,109 at paragraphs [0020]-[0025], which is incorporated herein by reference.
- reading of the authentication token and credential processingmay be performed in a trusted zone of a processor as described in U.S. Provisional Patent Application No. 61/790,728 at paragraphs [0091]-[0095], which is incorporated herein by reference.
- the credential processing of some embodiments of the inventionmay incorporate a secure location determination, as described in U.S. Provisional Patent Application No. 61/781,252 at pages 2-4, which is incorporated herein by reference.
- the process for authenticating the usermay comprise powering on a device 202 ; prompting a user to provide an authentication token 204 ; reading, by the device, the authentication token 208 ; determining, by a credential processing facility, whether the user is authorized to access the device, based on the authentication token 210 ; and granting a user access to the device.
- the usermay be prohibited from accessing the device 212 .
- granting the user access to the devicemay include decrypting the root filesystem if the user is determined to be authorized by the credential processing facility.
- granting the user access to the devicemay include booting an operating system if the user is determined to be authorized by the credential processing facility 214 .
- granting the user access to the devicemay include both decrypting the root filesystem and booting the operating system. Additional security may be required at the operating system level, after the user has been authenticated. Therefore, in some embodiments, authenticating the user may also comprise processing a password from the user to access the operating system 218 . For example, several users may be authorized to use a device and may be authorized to access the device, but may each such user may have a different account at the operating system level. In this example, such users may be required to provide additional credentials at an operating system login in order to access their operating system account.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Radar, Positioning & Navigation (AREA)
- Remote Sensing (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Telephonic Communication Services (AREA)
- Information Transfer Between Computers (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
- Some of the aspects of the methods and systems described herein have been described in U.S. Provisional Application Nos. 61/780,408 entitled “Systems And Methods To Synchronize Data To A Mobile Device Based On A Device Usage Context”, filed Mar. 13, 2013; 61/781,252 entitled “Systems And Methods To Secure Short-Range Proximity Signals”, filed Mar. 14, 2013; 61/781,509 entitled “Systems And Methods For Securing And Locating Computing Devices”, filed Mar. 14, 2013; 61/779,931 entitled “Systems And Methods For Securing The Boot Process Of A Device Using Credentials Stored On An Authentication Token”, filed Mar. 13, 2013; 61/790,728 entitled “Systems And Methods For Enforcing Security In Mobile Computing”, filed Mar. 15, 2013; and U.S. Non-Provisional application Ser. No. 13/735,885 entitled “Systems and Methods for Enforcing Security in Mobile Computing”, filed Jan. 7, 2013, each of which is hereby incorporated by reference herein in its entirety.
- The present invention is in the technical field of computer security. More particularly, the present invention is in the technical field of securing the boot process of a device using credentials stored on an authentication token.
- As mobile devices, such as smartphones and tablet computers, become more powerful and ubiquitous, it becomes advantageous to use them for an increasing number of applications. In some instances, these applications may require that sensitive information be stored in nonvolatile memory on the device. It is therefore important to be able to protect said information stored on the device both while the device is running and while the device is powered off. Regardless, it is imperative that the identity of the user be verified before granting access to the information stored on the device. Current solutions to this problem involve using a password to protect the device once the operating system has been started. However, passwords may still be a point of insecurity, since the passwords may be shared, stolen, sniffed, cracked, and/or have poor password strength. Such vulnerabilities relating to password security present a broad attack surface to malicious users. A need exists for improved solutions.
- To provide the greatest level of security, methods and systems are provided herein to prevent unauthorized users from even turning on a device, including without limitation reducing the exposure to attacks by requiring a user to authenticate himself or herself prior to loading the operating system into memory.
- Embodiments of the present invention include a system for securing the boot process of a device using credentials stored on an authentication token. Other embodiments include a method for securing the boot process of a device by reading an external authentication token, determining whether a user is authorized to access a device, based on the external authentication token, enabling an operating system of the device if the user is determined to be authorized, and processing a password from the user to access the operating system of the device. Another embodiment includes a method wherein first authentication data is received via a short range wireless signal, second authentication data is generated from the first authentication data, the second authentication data is transmitted to an in-location access point, third authentication data is received from the in-location access point, wherein the third authentication data is based on the second authentication data, and a fourth authentication data is communicated to a server, wherein the fourth authentication data includes at least a portion of the first, second, and third authentication data.
- In various embodiments of the invention, the authentication token may be read from a common access card or from one or more proximity signals. A public key may be involved in determining if the token indicates the user is authorized to access the device. In an embodiment of the invention, user access permissions are obtained from a network resource before authentication to determine what data, hardware, or software components can be accessed by the user. In some embodiments, updated user access permissions are obtained from a network resource after the authentication. Enabling the operating system may include decrypting a root filesystem, decrypting a subset of the root filesystem, or loading an operating system. In some embodiments, the subset of the root filesystem that is decrypted is determined based on the external authentication token. In an embodiment of the invention, the authentication process is varied based on the device's location indoors or outdoors. In another embodiment of the invention, the determination of whether a user is authorized involves decrypting the external authorization token and comparing the external authorization token to a stored authentication credential for the user. In some embodiments, the stored authentication credential is obtained from a remote credential server. In some embodiments, the stored authentication credential is obtained from a public key server.
- The present disclosure may provide greater security than just password protection by requiring users of a device to authenticate with an external authentication token before the device allows the users to access the operating system.
FIG. 1 depicts certain components of a system for providing a secure device.FIG. 2 depicts a workflow for securing a device.- This disclosure may increase the security of a mobile device by preventing access to the operating system at system boot using an external authentication token.
- Referring to
FIG. 1 , adevice 102 may comprise anoperating system 104, an authenticationtoken reading facility 108 and acredential processing facility 110. Thedevice 102 may be a mobile device, such as a mobile phone, a smartphone, a tablet, a laptop or some other device. Theoperating system 104 may be Android, bada, BlackBerry OS, iOS, Series40, Symbian OS, Windows Phone or some other operating system. - The device may also include one or more of a processor, a memory, and a network interface. Network interface may provide an input and/or output mechanism to communicate with other network devices such as a router or server. The network interface may also provide communication with, for example, other gateways, wireless access nodes, and application servers to send and receive data such as packets and messages. The network interface may provide connectivity to 3G, 4G, WiFi, or other network types. Processor may run software which uses the network interface and the memory such as a tangible, non-transitory computer readable medium, a programmable read only memory (PROM), or flash memory. Processor may be any computer chip that is capable of executing program instruction streams that are part of a software program. Processor may have multiple cores for executing multiple streams of program instructions simultaneously. The processor may also have multiple sub-processors which are optimized for executing particular categories of program instructions and are controlled by the processor. The memory is capable of storing and retrieving program instructions, program data, or any other data that is used by the processor. The processor may store and retrieve data from the memory as a software program is executed. Memory may include or store one or more of an authentication
token reading facility 108 and or a credential processing facility. Memory may also include associated policies and configurations. The processor may optionally access and update a authenticationtoken reading facility 108 and/or a credential processing facility and associated policies and configurations. - The user equipment (e.g., mobile device) described above can be a smart phone offering advanced capabilities including, but not limited to word processing, web browsing, gaming, e-book capabilities, an operating system, a user interface, and a full keyboard. The user equipment may run an operating system such as SYMBIAN OS, APPLE IOS, RIM's BLACKBERRY, WINDOWS MOBILE, Linux, PALM WEBOS, and ANDROID. The screen may be a touch screen that can be used to input data to the mobile device and the screen can be used instead of a full keyboard. The user equipment may have the capability to run applications or communicate with applications that are provided by servers in the communication network. The user equipment can receive updates and other information from these applications on the network.
- In embodiments, a user may be required to authenticate on the
device 102 using anexternal authentication token 112 in order to use theoperating system 104 on thedevice 102. When thedevice 102 is powered up, thecredential processing facility 110 may instruct the user of thedevice 102 to provide authentication information via the authenticationtoken reading facility 108. The authenticationtoken reading facility 108 may read authentication information from a physical device. The information may be anauthentication token 112. Theauthentication token 112 may be stored on a Common Access Card, a smartcard, a USB token, an SD card, a key fob, or some other physical device. Theauthentication token 112 may be a cryptographic key, such as a public key certificate, a digital signature, biometric data, a user id, or some other authentication information. In some embodiments, the authenticationtoken reading facility 108 may be an external device connected to thedevice 102. In such embodiments, the authenticationtoken reading facility 108 may be configured to communicate with thedevice 102 using the network interface of the device. Communication may occur via a communications medium, such as Bluetooth, near field communication (“NFC”), Wi-Fi, or other wired or wireless communications medium. For example, the authenticationtoken reading facility 108 may be a smartcard reader connected to the network interface ofdevice 102 via Bluetooth. - In some embodiments, the boot loader for the device, which is a piece of software responsible for initiating the boot process of the operating system, may include or communicate with the credential processing facility. The boot loader, upon loading into memory, may use its internal or communicate with an external credential processing facility as part of a boot verification process. The boot loader may selectively perform one or more operating system boot steps as a result of token reading, authentication, permission, or other determinations in the credential processing facility. The boot verification steps may include, but are not limited to: selecting the operating system kernel to boot, identifying a master boot record, loading one or more operating system kernel components into memory, executing one or more operating system components, validating one or more operating system components in memory or on a storage medium, verifying a master boot record or operating system kernel or kernel component, writing to an input/output device, displaying one or more user interface or informational components on a device user interface component, displaying one or more interactive user interface components to acquire additional information from the user relevant to one or more boot process steps, or initializing one or more hardware components. In some embodiments, the boot loader may require user input to be provided via one or more user interface components, including, but not limited to, a display, microphone, accelerometer, touch input, keyboard, trackball, external device, or other sensor/input mechanism. The user input, token, sensor data, location of the device, or wireless signals in proximity, such as Bluetooth Low Energy, infrared, or acoustic signals, can be used to aid in determining the boot process components run by the boot loader.
- In embodiments, the
device 102 may be enabled to connect to anetwork 114. For example,device 102 may connect to network114 via the network interface of the device. In such embodiments, authenticating the user on thedevice 102 may include communicating first, second, and third authentication data over a short-range wireless signal between thedevice 102 and an in-location access point, wherein the second authentication data from thedevice 102 is based on the first authentication data from the in-location access point and the third authentication data from the in-location access point is based on the second authentication data; communicating a fourth authentication data between the mobile device and a web-based information system, wherein the fourth authentication data comprises at least a portion of at least one of the first, second, and third authentication data; and authenticating access to network accessible content by the mobile device with the web-based information system. The first authentication data may be theauthentication token 112 data. The web-based information system may be aproxy 118. For example, the authenticationtoken reading facility 108 associated with thedevice 102 may receive theauthentication token 112 via NFC, send the second authentication data to the in-location access point via Bluetooth heartbeat messages, receive the third authentication data as responses to the Bluetooth heartbeat messages, send a request to aweb proxy 118 that includes the third authentication data (e.g. in the form of hypertext transport protocol (HTTP) request with such data in the HTTP headers), and receive access to the device if theproxy 118 determines that the user is authorized, based on the third authentication data. - The
credential processing facility 110 may determine whether theauthentication token 112 data is valid and whether the user is permitted to access theoperating system 104, based on the user providedauthentication token 112. Credential processing may include local or distributed processing, using processing and storage capabilities of the authenticationtoken device 112 or using remote (e.g., server-based) processing capabilities. In embodiments, local credential processing may include one or more of decrypting, reviewing and comparing the user providedauthentication token 112 by thecredential processing facility 110. In embodiments, distributed credential processing may include one or more of decrypting, reviewing and comparing the user providedauthentication token 112 by thecredential processing facility 110 in connection with some authentication facility, such as a private key or public key service. Comparing the user providedauthentication token 112 may include looking up the user providedauthentication token 112 in a database or file for a match or for a permission. Credential processing may be performed using private or public key authentication. - Upon determining that the
authentication token 112 data is valid and the user is permitted to access theoperating system 104, thedevice 102 may begin theoperating system 104 boot process. Upon determining that theauthentication token 112 data is invalid and/or the user is not permitted to access theoperating system 104, thecredential processing facility 110 prevents theoperating system 104 from beginning the boot process. In some embodiments, thecredential processing facility 110 may erase part or all of the data stored on thedevice 102 upon a predetermined number of failed authentication attempts, which may be, but is not limited to,3 attempts. - For example, the user of the
device 102 may provide a smartcard to be read by the authenticationtoken reading facility 108 associated with thedevice 102, where the smartcard includes the user'sauthentication token 112. Theauthentication token 112 data could be one or more X.509 certificates. In this example, the authenticationtoken reading facility 108 may read theauthentication token 112 from the smartcard and provide theauthentication token 112 information to thecredential processing facility 110. Thecredential processing facility 110 may, then, determine whether the user is authorized to access theoperating system 104, based on theauthentication token 112 information. - A determination that the user is authorized may form an event suitable for use in determining a device context as described in U.S. Provisional Patent Application No. 61/780,408, at pages 3-4, which is incorporated herein by reference. Some embodiments of the invention may be used by incorporating location-based authorization into credential processing, as described in U.S. Provisional Patent Application No. 61/785,109 at paragraphs [0020]-[0025], which is incorporated herein by reference. In some embodiments, reading of the authentication token and credential processing may be performed in a trusted zone of a processor as described in U.S. Provisional Patent Application No. 61/790,728 at paragraphs [0091]-[0095], which is incorporated herein by reference. The credential processing of some embodiments of the invention may incorporate a secure location determination, as described in U.S. Provisional Patent Application No. 61/781,252 at pages 2-4, which is incorporated herein by reference.
- Referring now to
FIG. 2 , the process for authenticating the user may comprise powering on adevice 202; prompting a user to provide an authentication token204; reading, by the device, theauthentication token 208; determining, by a credential processing facility, whether the user is authorized to access the device, based on the authentication token210; and granting a user access to the device. In embodiments, if the user is unauthorized to access the device by the credential processing facility based on the authentication token210, the user may be prohibited from accessing the device212. In some embodiments, granting the user access to the device may include decrypting the root filesystem if the user is determined to be authorized by the credential processing facility. In some embodiments, granting the user access to the device may include booting an operating system if the user is determined to be authorized by the credential processing facility214. In some embodiments, granting the user access to the device may include both decrypting the root filesystem and booting the operating system. Additional security may be required at the operating system level, after the user has been authenticated. Therefore, in some embodiments, authenticating the user may also comprise processing a password from the user to access theoperating system 218. For example, several users may be authorized to use a device and may be authorized to access the device, but may each such user may have a different account at the operating system level. In this example, such users may be required to provide additional credentials at an operating system login in order to access their operating system account. - While the foregoing written description of the invention enables one of ordinary skill to make and use what is considered presently to be the best mode thereof, those of ordinary skill will understand and appreciate the existence of variations, combinations, and equivalents of the specific embodiment, method, and examples herein. The invention should therefore not be limited by the above described embodiment, method, and examples, but by all embodiments and methods within the scope and spirit of the invention.
Claims (20)
1. An apparatus for providing a secure device, comprising:
an operating system, for operating the device;
an authentication token reading facility for reading an external authentication token; and
a credential processing facility for determining whether a user is authorized to access the device and to load the operating system, based on the external authentication token.
2. The apparatus ofclaim 1 , wherein the authentication token reading facility comprises a common access card reader.
3. The apparatus ofclaim 1 , wherein the credential processing facility comprises a remote credential processing facility.
4. The apparatus ofclaim 1 , wherein the external authentication token comprises one or more of a cryptographic key, a public key certificate, a digital signature, biometric data, or a user id.
5. A method for securing a device, comprising:
reading an external authentication token;
determining whether a user is authorized to access a device, based on the external authentication token;
enabling an operating system of the device if the user is determined to be authorized; and
processing a password from the user to access the operating system of the device.
6. The method ofclaim 5 , wherein the authentication token reading facility reads the token from a common access card.
7. The method ofclaim 5 , wherein a public key is involved in the determination if the token indicates that the user is authorized to use the device.
8. The method ofclaim 5 , wherein the external authentication token or a component of the token is read in full or part from one or more proximity signals.
9. The method ofclaim 5 , wherein one or more user access permissions are obtained from a network resource before the authentication to determine what data, hardware, or software components can be accessed by the user.
10. The method ofclaim 9 , wherein one or more updated user access permissions are obtained from the network resource after the authentication to determine what data, hardware, or software components can be accessed by the user.
11. The method ofclaim 5 , wherein enabling the operating system comprises decrypting a root filesystem.
12. The method ofclaim 11 , wherein the entire root filesystem is not decrypted and instead a subset of the data on the root filesystem is decrypted.
13. The method ofclaim 12 , wherein the subset of the data decrypted is determined based on the external authentication token.
14. The method ofclaim 5 , wherein the authentication process varies based on the device's indoor or outdoor location.
15. The method ofclaim 5 , wherein enabling the operating system comprises loading an operating system.
16. The method ofclaim 5 , wherein determining whether a user is authorized further comprises:
decrypting the external authentication token; and
comparing the external authentication token to a stored authentication credential for the user.
17. The method ofclaim 16 , wherein the stored authentication credential is obtained from a remote credential server.
18. The method ofclaim 16 , wherein the stored authentication credential is obtained from a public key server.
19. A method for authenticating a device, comprising:
receiving a first authentication data via a short range wireless signal;
generating a second authentication data from the first authentication data;
transmitting the second authentication data to an in-location access point;
receiving a third authentication data from the in-location access point, wherein the third authentication data is based on the second authentication data;
communicating a fourth authentication data to a server, wherein the fourth authentication data comprises at least a portion of the first, second, and third authentication data.
20. The method ofclaim 19 , further comprising granting the device access to a network resource based on the fourth authentication data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/209,950US20140282992A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods for securing the boot process of a device using credentials stored on an authentication token |
Applications Claiming Priority (6)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US201361780408P | 2013-03-13 | 2013-03-13 | |
| US201361779931P | 2013-03-13 | 2013-03-13 | |
| US201361781252P | 2013-03-14 | 2013-03-14 | |
| US201361785109P | 2013-03-14 | 2013-03-14 | |
| US201361790728P | 2013-03-15 | 2013-03-15 | |
| US14/209,950US20140282992A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods for securing the boot process of a device using credentials stored on an authentication token |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US20140282992A1true US20140282992A1 (en) | 2014-09-18 |
Family
ID=51529248
Family Applications (4)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/210,376Expired - Fee RelatedUS9578445B2 (en) | 2013-03-13 | 2014-03-13 | Systems and methods to synchronize data to a mobile device based on a device usage context |
| US14/209,950AbandonedUS20140282992A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods for securing the boot process of a device using credentials stored on an authentication token |
| US14/210,240AbandonedUS20140273857A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods to secure short-range proximity signals |
| US14/210,397AbandonedUS20140283136A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods for securing and locating computing devices |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/210,376Expired - Fee RelatedUS9578445B2 (en) | 2013-03-13 | 2014-03-13 | Systems and methods to synchronize data to a mobile device based on a device usage context |
Family Applications After (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/210,240AbandonedUS20140273857A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods to secure short-range proximity signals |
| US14/210,397AbandonedUS20140283136A1 (en) | 2013-03-13 | 2014-03-13 | Systems and methods for securing and locating computing devices |
Country Status (1)
| Country | Link |
|---|---|
| US (4) | US9578445B2 (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104320265A (en)* | 2014-11-21 | 2015-01-28 | 北京奇虎科技有限公司 | Authentication method and device for software platform |
| US9363670B2 (en) | 2012-08-27 | 2016-06-07 | Optio Labs, Inc. | Systems and methods for restricting access to network resources via in-location access point protocol |
| US9578445B2 (en) | 2013-03-13 | 2017-02-21 | Optio Labs, Inc. | Systems and methods to synchronize data to a mobile device based on a device usage context |
| US9609020B2 (en) | 2012-01-06 | 2017-03-28 | Optio Labs, Inc. | Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines |
| US9712530B2 (en) | 2012-01-06 | 2017-07-18 | Optio Labs, Inc. | Systems and methods for enforcing security in mobile computing |
| US9773107B2 (en) | 2013-01-07 | 2017-09-26 | Optio Labs, Inc. | Systems and methods for enforcing security in mobile computing |
| US9787681B2 (en) | 2012-01-06 | 2017-10-10 | Optio Labs, Inc. | Systems and methods for enforcing access control policies on privileged accesses for mobile devices |
| US11546443B2 (en)* | 2020-09-11 | 2023-01-03 | Microsoft Technology Licensing, Llc | Connected focus time experience that spans multiple devices |
Families Citing this family (52)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9853864B2 (en)* | 2010-09-17 | 2017-12-26 | Printeron Inc. | System and method for updating printer location information field |
| US8837728B2 (en)* | 2012-10-16 | 2014-09-16 | The Boeing Company | Server algorithms to improve space based authentication |
| JP5974907B2 (en)* | 2013-01-17 | 2016-08-23 | 株式会社デンソー | Vehicle equipment |
| US9491033B1 (en)* | 2013-04-22 | 2016-11-08 | Amazon Technologies, Inc. | Automatic content transfer |
| JP6459491B2 (en)* | 2014-03-20 | 2019-01-30 | カシオ計算機株式会社 | Display device, display system, and program |
| JP6314595B2 (en)* | 2014-03-28 | 2018-04-25 | 日本電気株式会社 | POSITIONING DEVICE, POSITIONING SYSTEM, POSITIONING METHOD, AND POSITIONING PROGRAM |
| US10430779B2 (en)* | 2014-04-08 | 2019-10-01 | Capital One Services Llc | Systems and methods for transacting at an ATM using a mobile device |
| US20150326617A1 (en)* | 2014-05-06 | 2015-11-12 | DoNotGeoTrack, Inc. | Privacy Control Processes for Mobile Devices, Wearable Devices, other Networked Devices, and the Internet of Things |
| US9246913B2 (en)* | 2014-06-19 | 2016-01-26 | Verizon Patent And Licensing Inc. | Sharing content using a dongle device |
| US10009745B2 (en) | 2014-08-25 | 2018-06-26 | Accenture Global Services Limited | Validation in secure short-distance-based communication and enforcement system according to visual objects |
| US9633493B2 (en) | 2014-08-25 | 2017-04-25 | Accenture Global Services Limited | Secure short-distance-based communication and validation system for zone-based validation |
| US9589402B2 (en) | 2014-08-25 | 2017-03-07 | Accenture Global Services Limited | Restricted area access control system |
| US9922294B2 (en) | 2014-08-25 | 2018-03-20 | Accenture Global Services Limited | Secure short-distance-based communication and enforcement system |
| US9514589B2 (en) | 2014-08-25 | 2016-12-06 | Accenture Global Services Limited | Secure short-distance-based communication and access control system |
| US10198586B1 (en)* | 2014-09-17 | 2019-02-05 | Securus Technologies, Inc. | Provisioning of digital media files to resident media devices in controlled-environment facilities |
| US20170012964A1 (en)* | 2014-09-29 | 2017-01-12 | Identity Over Ip | Providing authentication of control instructions from a control device to a remotely-controllable physical interaction device using a remote control authentication token |
| KR101539292B1 (en)* | 2014-10-28 | 2015-07-27 | 주식회사 퍼플즈 | Method of transmitting and receiving data in a wireless communication system using bluetooth low energy beacon and apparatus thereof |
| US9608999B2 (en)* | 2014-12-02 | 2017-03-28 | Accenture Global Services Limited | Smart beacon data security |
| US10325294B2 (en)* | 2014-12-10 | 2019-06-18 | Meijer, Inc. | System and method for notifying customers of checkout queue activity |
| US10114351B2 (en) | 2015-03-05 | 2018-10-30 | Google Llc | Smart-home automation system that suggests or autmatically implements selected household policies based on sensed observations |
| US20160337353A1 (en)* | 2015-05-11 | 2016-11-17 | Interactive Intelligence Group, Inc. | System and method for multi-factor authentication |
| US11209972B2 (en) | 2015-09-02 | 2021-12-28 | D&M Holdings, Inc. | Combined tablet screen drag-and-drop interface |
| US11113022B2 (en) | 2015-05-12 | 2021-09-07 | D&M Holdings, Inc. | Method, system and interface for controlling a subwoofer in a networked audio system |
| EP3295577A4 (en) | 2015-05-12 | 2018-10-10 | D&M Holdings, Inc. | System and method for negotiating group membership for audio controllers |
| US9743252B2 (en)* | 2015-06-11 | 2017-08-22 | Honeywell International Inc. | System and method for locating devices in predetermined premises |
| KR102300583B1 (en) | 2015-06-26 | 2021-09-09 | 삼성전자주식회사 | A service providing method using a beacon and electronic apparatus thereof |
| US11354683B1 (en) | 2015-12-30 | 2022-06-07 | Videomining Corporation | Method and system for creating anonymous shopper panel using multi-modal sensor fusion |
| US10262331B1 (en) | 2016-01-29 | 2019-04-16 | Videomining Corporation | Cross-channel in-store shopper behavior analysis |
| US10963893B1 (en) | 2016-02-23 | 2021-03-30 | Videomining Corporation | Personalized decision tree based on in-store behavior analysis |
| US10074225B2 (en) | 2016-04-18 | 2018-09-11 | Accenture Global Solutions Limited | Validation in secure short-distance-based communication and enforcement system according to visual object flow |
| US10387896B1 (en) | 2016-04-27 | 2019-08-20 | Videomining Corporation | At-shelf brand strength tracking and decision analytics |
| US10354262B1 (en) | 2016-06-02 | 2019-07-16 | Videomining Corporation | Brand-switching analysis using longitudinal tracking of at-shelf shopper behavior |
| US11206223B2 (en) | 2016-06-30 | 2021-12-21 | Microsoft Technology Licensing, Llc | Signal upload optimization |
| US10713355B2 (en)* | 2016-10-21 | 2020-07-14 | Qatar University | Method and system for adaptive security in cloud-based services |
| GB201619580D0 (en)* | 2016-11-18 | 2017-01-04 | Blancco Tech Group Ip Oy | System and method for repurposing or disposing of an it asset |
| KR101763904B1 (en)* | 2016-12-30 | 2017-08-14 | (주)엠더블유스토리 | System and method for synchronizing and centralizing of the file |
| US11284256B2 (en)* | 2019-03-25 | 2022-03-22 | Nanning Fugui Precision Industrial Co., Ltd. | Method and system for automatic access to WI-FI network |
| US11283781B2 (en)* | 2019-04-09 | 2022-03-22 | Visa International Service Association | Proximity interaction system including secure encryption scheme |
| US11509642B2 (en)* | 2019-08-21 | 2022-11-22 | Truist Bank | Location-based mobile device authentication |
| WO2021060894A1 (en)* | 2019-09-24 | 2021-04-01 | Samsung Electronics Co., Ltd. | Method for generating diagrammatic representation of area and electronic device thereof |
| CN110853657B (en)* | 2019-11-18 | 2022-05-13 | 北京小米智能科技有限公司 | Space division method, device and storage medium |
| US11343292B2 (en)* | 2019-11-29 | 2022-05-24 | Ricoh Company, Ltd. | Information processing apparatus, information processing system, and remote sharing method |
| US11080733B2 (en)* | 2019-12-18 | 2021-08-03 | Visa International Service Association | Methods and systems for harnessing location based data for making market recommendations |
| US12170659B1 (en)* | 2020-04-28 | 2024-12-17 | United Services Automobile Association (Usaa) | Multi-factor authentication |
| US12210608B2 (en)* | 2020-12-03 | 2025-01-28 | Lenovo (Singapore) Pte. Ltd. | Vehicle device authorization via secondary device |
| US11470162B2 (en)* | 2021-01-30 | 2022-10-11 | Zoom Video Communications, Inc. | Intelligent configuration of personal endpoint devices |
| US12238091B1 (en)* | 2021-03-29 | 2025-02-25 | Oura Health Oy | Methods and apparatus for facilitating distribution of authenticated data with reduced hardware requirements |
| US12200134B2 (en)* | 2021-05-03 | 2025-01-14 | Brex Inc. | Multifactor authentication through cryptography-enabled smart cards |
| US20230096370A1 (en)* | 2021-09-24 | 2023-03-30 | Apple Inc. | Cross platform credential sharing |
| US12149555B2 (en) | 2021-12-28 | 2024-11-19 | SecureX.AI, Inc. | Systems and methods for vulnerability assessment for cloud assets using imaging methods |
| US12299133B2 (en) | 2021-12-28 | 2025-05-13 | SecureX.AI, Inc. | Systems and methods for prioritizing security findings using machine learning models |
| US12166785B2 (en)* | 2021-12-28 | 2024-12-10 | SecureX.AI, Inc. | Systems and methods for predictive analysis of potential attack patterns based on contextual security information |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030194094A1 (en)* | 1998-10-26 | 2003-10-16 | Lampson Butler W. | System and method for secure storage data using a key |
| US20040255145A1 (en)* | 2003-05-06 | 2004-12-16 | Jerry Chow | Memory protection systems and methods for writable memory |
| US20060020821A1 (en)* | 2004-07-24 | 2006-01-26 | International Business Machines Corp. | System and method for data processing system planar authentication |
| US20080025503A1 (en)* | 2006-07-27 | 2008-01-31 | Samsung Electronics Co., Ltd. | Security method using self-generated encryption key, and security apparatus using the same |
| US20100153697A1 (en)* | 2008-12-17 | 2010-06-17 | Jeremy Ford | Methods and systems for embedded user authentication and/or providing computing services using an information handling system configured as a flexible computing node |
| US20110258426A1 (en)* | 2010-04-19 | 2011-10-20 | Apple Inc. | Booting and configuring a subsystem securely from non-local storage |
| US20120254602A1 (en)* | 2011-03-01 | 2012-10-04 | Softex Incorporated | Methods, Systems, and Apparatuses for Managing a Hard Drive Security System |
| US20130124840A1 (en)* | 2011-11-11 | 2013-05-16 | International Business Machines Corporation | Secure boot up of a computer based on a hardware based root of trust |
| US8874891B2 (en)* | 2010-05-20 | 2014-10-28 | Hewlett-Packard Development Company, L.P. | Systems and methods for activation of applications using client-specific data |
| US8898481B1 (en)* | 2012-07-18 | 2014-11-25 | Dj Inventions, Llc | Auditable cryptographic protected cloud computing communications system |
| US9191382B1 (en)* | 2012-06-14 | 2015-11-17 | Google Inc. | User authentication using swappable user authentication services |
Family Cites Families (95)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6317868B1 (en) | 1997-10-24 | 2001-11-13 | University Of Washington | Process for transparently enforcing protection domains and access control as well as auditing operations in software components |
| US20080278408A1 (en)* | 1999-05-04 | 2008-11-13 | Intellimat, Inc. | Floor display systems and additional display systems, and methods and computer program products for using floor display systems and additional display system |
| US6467086B1 (en) | 1999-07-20 | 2002-10-15 | Xerox Corporation | Aspect-oriented programming |
| US6901429B2 (en) | 2000-10-27 | 2005-05-31 | Eric Morgan Dowling | Negotiated wireless peripheral security systems |
| US7461144B1 (en) | 2001-02-16 | 2008-12-02 | Swsoft Holdings, Ltd. | Virtual private server with enhanced security |
| US7207041B2 (en) | 2001-06-28 | 2007-04-17 | Tranzeo Wireless Technologies, Inc. | Open platform architecture for shared resource access management |
| US8726294B2 (en) | 2010-10-01 | 2014-05-13 | Z124 | Cross-environment communication using application space API |
| GB0123403D0 (en) | 2001-09-28 | 2001-11-21 | Tamesis Ltd | Publish subscribe system |
| US20030140088A1 (en)* | 2002-01-24 | 2003-07-24 | Robinson Scott H. | Context-based information processing |
| US20050060365A1 (en)* | 2002-01-24 | 2005-03-17 | Robinson Scott L. | Context-based information processing |
| US20030149874A1 (en) | 2002-02-06 | 2003-08-07 | Xerox Corporation | Systems and methods for authenticating communications in a network medium |
| US8136155B2 (en) | 2003-04-01 | 2012-03-13 | Check Point Software Technologies, Inc. | Security system with methodology for interprocess communication control |
| US7135635B2 (en) | 2003-05-28 | 2006-11-14 | Accentus, Llc | System and method for musical sonification of data parameters in a data stream |
| US7751829B2 (en)* | 2003-09-22 | 2010-07-06 | Fujitsu Limited | Method and apparatus for location determination using mini-beacons |
| US8880893B2 (en) | 2003-09-26 | 2014-11-04 | Ibm International Group B.V. | Enterprise information asset protection through insider attack specification, monitoring and mitigation |
| US20050138416A1 (en) | 2003-12-19 | 2005-06-23 | Microsoft Corporation | Object model for managing firewall services |
| US20050246453A1 (en) | 2004-04-30 | 2005-11-03 | Microsoft Corporation | Providing direct access to hardware from a virtual environment |
| US7574709B2 (en) | 2004-04-30 | 2009-08-11 | Microsoft Corporation | VEX-virtual extension framework |
| US7530093B2 (en) | 2004-04-30 | 2009-05-05 | Microsoft Corporation | Securing applications and operating systems |
| US7584502B2 (en) | 2004-05-03 | 2009-09-01 | Microsoft Corporation | Policy engine and methods and systems for protecting data |
| US20060048226A1 (en) | 2004-08-31 | 2006-03-02 | Rits Maarten E | Dynamic security policy enforcement |
| US7768420B2 (en)* | 2004-10-29 | 2010-08-03 | Intel Corporation | Operation and control of wireless appliance networks |
| US7681226B2 (en) | 2005-01-28 | 2010-03-16 | Cisco Technology, Inc. | Methods and apparatus providing security for multiple operational states of a computerized device |
| WO2006093917A2 (en)* | 2005-02-28 | 2006-09-08 | Trust Digital | Mobile data security system and methods |
| US8836580B2 (en)* | 2005-05-09 | 2014-09-16 | Ehud Mendelson | RF proximity tags providing indoor and outdoor navigation and method of use |
| US8266232B2 (en) | 2005-10-15 | 2012-09-11 | International Business Machines Corporation | Hardware processing of commands within virtual client computing environment |
| US8150816B2 (en) | 2005-12-29 | 2012-04-03 | Nextlabs, Inc. | Techniques of optimizing policies in an information management system |
| US20070186274A1 (en) | 2006-02-07 | 2007-08-09 | Matsushita Electric Industrial Co., Ltd. | Zone based security model |
| US8151323B2 (en) | 2006-04-12 | 2012-04-03 | Citrix Systems, Inc. | Systems and methods for providing levels of access and action control via an SSL VPN appliance |
| US8387048B1 (en) | 2006-04-25 | 2013-02-26 | Parallels IP Holdings GmbH | Seamless integration, migration and installation of non-native application into native operating system |
| US7865934B2 (en) | 2006-05-18 | 2011-01-04 | Microsoft Corporation | Access-control permissions with inter-process message-based communications |
| US8490191B2 (en) | 2006-06-21 | 2013-07-16 | Wibu-Systems Ag | Method and system for intrusion detection |
| US7917963B2 (en) | 2006-08-09 | 2011-03-29 | Antenna Vaultus, Inc. | System for providing mobile data security |
| US7966599B1 (en) | 2006-08-29 | 2011-06-21 | Adobe Systems Incorporated | Runtime library including a virtual file system |
| US7774599B2 (en) | 2006-09-15 | 2010-08-10 | Panasonic Corporation | Methodologies to secure inter-process communication based on trust |
| US8533530B2 (en) | 2006-11-15 | 2013-09-10 | Qualcomm Incorporated | Method and system for trusted/untrusted digital signal processor debugging operations |
| GB0623101D0 (en)* | 2006-11-20 | 2006-12-27 | British Telecomm | Secure network architecture |
| EP2126694A2 (en) | 2006-12-22 | 2009-12-02 | VirtualLogix SA | System for enabling multiple execution environments to share a device |
| US9185123B2 (en) | 2008-02-12 | 2015-11-10 | Finsphere Corporation | System and method for mobile identity protection for online user authentication |
| US20080235587A1 (en)* | 2007-03-23 | 2008-09-25 | Nextwave Broadband Inc. | System and method for content distribution |
| DE102007018096A1 (en) | 2007-04-17 | 2008-10-23 | Rohde & Schwarz Gmbh & Co. Kg | Method for determining time differences between signals measured by at least two coupled measuring devices and measuring system and corresponding switching device |
| US20090025011A1 (en) | 2007-07-17 | 2009-01-22 | Tim Neil | Inter-process communication at a mobile device |
| US8626867B2 (en)* | 2007-07-27 | 2014-01-07 | Blackberry Limited | Apparatus and methods for operation of a wireless server |
| ATE495622T1 (en)* | 2007-07-27 | 2011-01-15 | Research In Motion Ltd | DEVICE AND METHOD FOR COORDINATION OF WIRELESS SYSTEMS |
| US8225329B1 (en) | 2007-09-13 | 2012-07-17 | Juniper Networks, Inc. | Tail synchronized FIFO for fast user space packet access |
| US8505029B1 (en) | 2007-11-26 | 2013-08-06 | Adobe Systems Incorporated | Virtual machine communication |
| US8584229B2 (en) | 2007-12-21 | 2013-11-12 | Intel Corporation | Methods and apparatus supporting access to physical and virtual trusted platform modules |
| US9058483B2 (en) | 2008-05-08 | 2015-06-16 | Google Inc. | Method for validating an untrusted native code module |
| US8516095B2 (en)* | 2008-05-23 | 2013-08-20 | Research In Motion Limited | Remote administration of mobile wireless devices |
| US8335931B2 (en) | 2008-06-20 | 2012-12-18 | Imation Corp. | Interconnectable personal computer architectures that provide secure, portable, and persistent computing environments |
| US8151349B1 (en) | 2008-07-21 | 2012-04-03 | Google Inc. | Masking mechanism that facilitates safely executing untrusted native code |
| US20100031252A1 (en) | 2008-07-29 | 2010-02-04 | Compuware Corporation | Method And System For Monitoring The Performance Of An Application And At Least One Storage Device For Storing Code Which Performs The Method |
| US8607224B2 (en) | 2009-05-28 | 2013-12-10 | Yahoo! Inc. | System for packaging native program extensions together with virtual machine applications |
| US20110055890A1 (en) | 2009-08-25 | 2011-03-03 | Gaulin Pascal | Method and system to configure security rights based on contextual information |
| US8413241B2 (en) | 2009-09-17 | 2013-04-02 | Oracle America, Inc. | Integrated intrusion deflection, detection and introspection |
| US20110151955A1 (en) | 2009-12-23 | 2011-06-23 | Exent Technologies, Ltd. | Multi-player augmented reality combat |
| KR101640767B1 (en) | 2010-02-09 | 2016-07-29 | 삼성전자주식회사 | Real-time virtual reality input/output system and method based on network for heterogeneous environment |
| US8938782B2 (en) | 2010-03-15 | 2015-01-20 | Symantec Corporation | Systems and methods for providing network access control in virtual environments |
| US8533860B1 (en) | 2010-03-21 | 2013-09-10 | William Grecia | Personalized digital media access system—PDMAS part II |
| US8887308B2 (en) | 2010-03-21 | 2014-11-11 | William Grecia | Digital cloud access (PDMAS part III) |
| US20130067488A1 (en) | 2010-05-19 | 2013-03-14 | Hughes Systique India Private Limited | Method and system for efficient inter- process communication in a high availability system |
| KR101618417B1 (en) | 2010-06-04 | 2016-05-04 | 보오드 오브 리젠츠, 더 유니버시티 오브 텍사스 시스템 | Methods and apparatuses for relaying data in a wireless communications system |
| US8582423B2 (en) | 2010-08-04 | 2013-11-12 | Alcatel Lucent | Multi-chassis inter-process communication |
| US20120215637A1 (en)* | 2010-09-13 | 2012-08-23 | Hermann Mark E | System and method for performing social networking and loyalty program functions at a venue |
| US8613052B2 (en) | 2010-09-17 | 2013-12-17 | Universal Secure Registry, Llc | Apparatus, system and method employing a wireless user-device |
| US8849941B2 (en) | 2010-09-30 | 2014-09-30 | Microsoft Corporation | Virtual desktop configuration and operation techniques |
| US9961550B2 (en) | 2010-11-04 | 2018-05-01 | Itron Networked Solutions, Inc. | Physically secured authorization for utility applications |
| US8359016B2 (en) | 2010-11-19 | 2013-01-22 | Mobile Iron, Inc. | Management of mobile applications |
| US20120258730A1 (en)* | 2010-11-29 | 2012-10-11 | Qualcomm Incorporated | Estimating access terminal location based on beacon signals from femto cells |
| US9350809B2 (en)* | 2011-01-31 | 2016-05-24 | Nokia Technologies Oy | Method and apparatus for automatically determining communities of interest, for use over an ad-hoc mesh network, based on context information |
| US8612744B2 (en) | 2011-02-10 | 2013-12-17 | Varmour Networks, Inc. | Distributed firewall architecture using virtual machines |
| US8769305B2 (en) | 2011-03-21 | 2014-07-01 | Moncana Corporation | Secure execution of unsecured apps on a device |
| US20120255014A1 (en) | 2011-03-29 | 2012-10-04 | Mcafee, Inc. | System and method for below-operating system repair of related malware-infected threads and resources |
| US8099596B1 (en) | 2011-06-30 | 2012-01-17 | Kaspersky Lab Zao | System and method for malware protection using virtualization |
| US8763112B2 (en) | 2011-07-02 | 2014-06-24 | Intel Corporation | Systems and methods for power-on user authentication |
| US20130054812A1 (en) | 2011-08-22 | 2013-02-28 | Don DeCoteau | System and method for dynamically assembling an application on a client device |
| US8521181B2 (en)* | 2011-09-19 | 2013-08-27 | Qualcomm Incorporated | Time of arrival based positioning system |
| US8966004B2 (en) | 2011-09-29 | 2015-02-24 | Comcast Cable Communications, LLC. | Multiple virtual machines in a mobile virtualization platform |
| US8695060B2 (en) | 2011-10-10 | 2014-04-08 | Openpeak Inc. | System and method for creating secure applications |
| US9936351B2 (en) | 2011-10-26 | 2018-04-03 | Sling Media Pvt Ltd | Apparatus systems and methods for proximity-based service discovery and session sharing |
| WO2013080096A1 (en) | 2011-11-29 | 2013-06-06 | Sony Mobile Communications Ab | System and method for providing secure inter-process communications |
| US8863129B2 (en) | 2011-12-06 | 2014-10-14 | International Business Machines Corporation | Automated caching and mirroring of immutable data in distributed virtual machines via native interface components |
| US20130312058A1 (en) | 2012-01-06 | 2013-11-21 | Optio Labs, Inc. | Systems and methods for enhancing mobile security via aspect oriented programming |
| US9787681B2 (en) | 2012-01-06 | 2017-10-10 | Optio Labs, Inc. | Systems and methods for enforcing access control policies on privileged accesses for mobile devices |
| JP2015508540A (en) | 2012-01-06 | 2015-03-19 | オプティオ ラブス リミテッド ライアビリティ カンパニー | System and method for enhancing security in mobile computing |
| US9609020B2 (en) | 2012-01-06 | 2017-03-28 | Optio Labs, Inc. | Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines |
| US8844032B2 (en) | 2012-03-02 | 2014-09-23 | Sri International | Method and system for application-based policy monitoring and enforcement on a mobile device |
| US9572029B2 (en)* | 2012-04-10 | 2017-02-14 | Imprivata, Inc. | Quorum-based secure authentication |
| US9398519B2 (en)* | 2012-06-22 | 2016-07-19 | Apple Inc. | Beacon frame monitoring |
| US9584528B2 (en)* | 2012-09-06 | 2017-02-28 | Qualcomm Incorporated | Securing databases against piracy attacks |
| US9507653B2 (en) | 2012-09-12 | 2016-11-29 | Microsoft Technology Licensing, Llc | Inter-process communication channel |
| US8655307B1 (en)* | 2012-10-26 | 2014-02-18 | Lookout, Inc. | System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security |
| US9773107B2 (en) | 2013-01-07 | 2017-09-26 | Optio Labs, Inc. | Systems and methods for enforcing security in mobile computing |
| US10152706B2 (en)* | 2013-03-11 | 2018-12-11 | Cellco Partnership | Secure NFC data authentication |
| US9578445B2 (en) | 2013-03-13 | 2017-02-21 | Optio Labs, Inc. | Systems and methods to synchronize data to a mobile device based on a device usage context |
- 2014
- 2014-03-13USUS14/210,376patent/US9578445B2/ennot_activeExpired - Fee Related
- 2014-03-13USUS14/209,950patent/US20140282992A1/ennot_activeAbandoned
- 2014-03-13USUS14/210,240patent/US20140273857A1/ennot_activeAbandoned
- 2014-03-13USUS14/210,397patent/US20140283136A1/ennot_activeAbandoned
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030194094A1 (en)* | 1998-10-26 | 2003-10-16 | Lampson Butler W. | System and method for secure storage data using a key |
| US20040255145A1 (en)* | 2003-05-06 | 2004-12-16 | Jerry Chow | Memory protection systems and methods for writable memory |
| US20060020821A1 (en)* | 2004-07-24 | 2006-01-26 | International Business Machines Corp. | System and method for data processing system planar authentication |
| US20080025503A1 (en)* | 2006-07-27 | 2008-01-31 | Samsung Electronics Co., Ltd. | Security method using self-generated encryption key, and security apparatus using the same |
| US20100153697A1 (en)* | 2008-12-17 | 2010-06-17 | Jeremy Ford | Methods and systems for embedded user authentication and/or providing computing services using an information handling system configured as a flexible computing node |
| US20110258426A1 (en)* | 2010-04-19 | 2011-10-20 | Apple Inc. | Booting and configuring a subsystem securely from non-local storage |
| US8874891B2 (en)* | 2010-05-20 | 2014-10-28 | Hewlett-Packard Development Company, L.P. | Systems and methods for activation of applications using client-specific data |
| US20120254602A1 (en)* | 2011-03-01 | 2012-10-04 | Softex Incorporated | Methods, Systems, and Apparatuses for Managing a Hard Drive Security System |
| US20130124840A1 (en)* | 2011-11-11 | 2013-05-16 | International Business Machines Corporation | Secure boot up of a computer based on a hardware based root of trust |
| US9191382B1 (en)* | 2012-06-14 | 2015-11-17 | Google Inc. | User authentication using swappable user authentication services |
| US8898481B1 (en)* | 2012-07-18 | 2014-11-25 | Dj Inventions, Llc | Auditable cryptographic protected cloud computing communications system |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9609020B2 (en) | 2012-01-06 | 2017-03-28 | Optio Labs, Inc. | Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines |
| US9712530B2 (en) | 2012-01-06 | 2017-07-18 | Optio Labs, Inc. | Systems and methods for enforcing security in mobile computing |
| US9787681B2 (en) | 2012-01-06 | 2017-10-10 | Optio Labs, Inc. | Systems and methods for enforcing access control policies on privileged accesses for mobile devices |
| US9363670B2 (en) | 2012-08-27 | 2016-06-07 | Optio Labs, Inc. | Systems and methods for restricting access to network resources via in-location access point protocol |
| US9773107B2 (en) | 2013-01-07 | 2017-09-26 | Optio Labs, Inc. | Systems and methods for enforcing security in mobile computing |
| US9578445B2 (en) | 2013-03-13 | 2017-02-21 | Optio Labs, Inc. | Systems and methods to synchronize data to a mobile device based on a device usage context |
| CN104320265A (en)* | 2014-11-21 | 2015-01-28 | 北京奇虎科技有限公司 | Authentication method and device for software platform |
| CN104320265B (en)* | 2014-11-21 | 2017-10-24 | 北京奇虎科技有限公司 | Authentication method and authentication device for software platform |
| US11546443B2 (en)* | 2020-09-11 | 2023-01-03 | Microsoft Technology Licensing, Llc | Connected focus time experience that spans multiple devices |
Also Published As
| Publication number | Publication date |
|---|---|
| US20140282857A1 (en) | 2014-09-18 |
| US9578445B2 (en) | 2017-02-21 |
| US20140283136A1 (en) | 2014-09-18 |
| US20140273857A1 (en) | 2014-09-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20140282992A1 (en) | Systems and methods for securing the boot process of a device using credentials stored on an authentication token | |
| US11233630B2 (en) | Module with embedded wireless user authentication | |
| US10783232B2 (en) | Management system for self-encrypting managed devices with embedded wireless user authentication | |
| US11212283B2 (en) | Method for authentication and authorization and authentication server using the same for providing user management mechanism required by multiple applications | |
| AU2014235174B2 (en) | Controlling physical access to secure areas via client devices in a networked environment | |
| KR101699733B1 (en) | Barcode authentication for resource requests | |
| US10445487B2 (en) | Methods and apparatus for authentication of joint account login | |
| US9613205B2 (en) | Alternate authentication | |
| US9401915B2 (en) | Secondary device as key for authorizing access to resources | |
| US9723003B1 (en) | Network beacon based credential store | |
| EP2973188B1 (en) | Secondary device as key for authorizing access to resources | |
| CN104584023B (en) | Method and apparatus for hardware-enforced access protection | |
| WO2017197974A1 (en) | Biometric characteristic-based security authentication method, device and electronic equipment | |
| US10129299B1 (en) | Network beacon management of security policies | |
| KR20160097323A (en) | Near field communication authentication mechanism | |
| TW201737151A (en) | Data security system with encryption | |
| EP3788538B1 (en) | Self-encrypting module with embedded wireless user authentication | |
| US10063592B1 (en) | Network authentication beacon |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment | Owner name:OPTIO LABS, INC., MASSACHUSETTS Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CLANCY, THOMAS CHARLES, III;DOUGHERTY, BRIAN;HAMRICK, DAVID ALEXANDER;AND OTHERS;SIGNING DATES FROM 20140530 TO 20140703;REEL/FRAME:033271/0068 | |
| STCB | Information on status: application discontinuation | Free format text:ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |