US20140282992A1 - Systems and methods for securing the boot process of a device using credentials stored on an authentication token - Google Patents

Systems and methods for securing the boot process of a device using credentials stored on an authentication token Download PDF

Info

Publication number
US20140282992A1
US20140282992A1 US14209950 US201414209950A US2014282992A1 US 20140282992 A1 US20140282992 A1 US 20140282992A1 US 14209950 US14209950 US 14209950 US 201414209950 A US201414209950 A US 201414209950A US 2014282992 A1 US2014282992 A1 US 2014282992A1
Authority
US
Grant status
Application
Patent type
Prior art keywords
authentication
device
user
method
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14209950
Inventor
Thomas Charles Clancy, III
Brian Dougherty
David Alexander Hamrick
Grayson Gates Sharpe
Robert Austin Hanlin
Krzysztof Kamil Zienkiewicz
Christopher Michael Thompson
Christopher Jules White
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Optio Labs Inc
Original Assignee
Optio Labs Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01SRADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S5/00Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01SRADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S5/00Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations
    • G01S5/02Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations using radio waves
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0853Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATIONS NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATIONS NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATIONS NETWORKS
    • H04W64/00Locating users or terminals or network equipment for network management purposes, e.g. mobility management
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111Location-sensitive, e.g. geographical location, GPS
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/10Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT]
    • Y02D70/12Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in 3rd Generation Partnership Project [3GPP] networks
    • Y02D70/122Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in 3rd Generation Partnership Project [3GPP] networks in 2nd generation [2G] networks
    • Y02D70/1224Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in 3rd Generation Partnership Project [3GPP] networks in 2nd generation [2G] networks in General Packet Radio Service [GPRS] networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/10Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT]
    • Y02D70/14Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in Institute of Electrical and Electronics Engineers [IEEE] networks
    • Y02D70/142Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in Institute of Electrical and Electronics Engineers [IEEE] networks in Wireless Local Area Networks [WLAN]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/10Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT]
    • Y02D70/14Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in Institute of Electrical and Electronics Engineers [IEEE] networks
    • Y02D70/144Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in Institute of Electrical and Electronics Engineers [IEEE] networks in Bluetooth and Wireless Personal Area Networks [WPAN]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/10Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT]
    • Y02D70/16Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in other wireless communication networks
    • Y02D70/162Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in other wireless communication networks in Zigbee networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/10Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT]
    • Y02D70/16Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in other wireless communication networks
    • Y02D70/164Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in other wireless communication networks in Satellite Navigation receivers
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/10Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT]
    • Y02D70/16Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in other wireless communication networks
    • Y02D70/166Techniques for reducing energy consumption in wireless communication networks according to the Radio Access Technology [RAT] in other wireless communication networks in Radio Frequency Identification [RF-ID] transceivers
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/20Techniques for reducing energy consumption in wireless communication networks independent of Radio Access Technologies
    • Y02D70/22Techniques for reducing energy consumption in wireless communication networks independent of Radio Access Technologies in peer-to-peer [P2P], ad hoc and mesh networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THIR OWN ENERGY USE
    • Y02D70/00Techniques for reducing energy consumption in wireless communication networks
    • Y02D70/20Techniques for reducing energy consumption in wireless communication networks independent of Radio Access Technologies
    • Y02D70/26Techniques for reducing energy consumption in wireless communication networks independent of Radio Access Technologies in wearable devices, e.g. watches, glasses

Abstract

Methods and systems are provided for securing devices in which a secure external authentication token is used to verify user credentials prior to enabling the operating system of the device by loading or decrypting the operating system. Suitable external authentication tokens can include smartcards such as a common access card and may be verified by cryptographic processes either at a local server or via a remote credentials processor.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • Some of the aspects of the methods and systems described herein have been described in U.S. Provisional Application Nos. 61/780,408 entitled “Systems And Methods To Synchronize Data To A Mobile Device Based On A Device Usage Context”, filed Mar. 13, 2013; 61/781,252 entitled “Systems And Methods To Secure Short-Range Proximity Signals”, filed Mar. 14, 2013; 61/781,509 entitled “Systems And Methods For Securing And Locating Computing Devices”, filed Mar. 14, 2013; 61/779,931 entitled “Systems And Methods For Securing The Boot Process Of A Device Using Credentials Stored On An Authentication Token”, filed Mar. 13, 2013; 61/790,728 entitled “Systems And Methods For Enforcing Security In Mobile Computing”, filed Mar. 15, 2013; and U.S. Non-Provisional application Ser. No. 13/735,885 entitled “Systems and Methods for Enforcing Security in Mobile Computing”, filed Jan. 7, 2013, each of which is hereby incorporated by reference herein in its entirety.
  • BACKGROUND OF THE INVENTION
  • The present invention is in the technical field of computer security. More particularly, the present invention is in the technical field of securing the boot process of a device using credentials stored on an authentication token.
  • As mobile devices, such as smartphones and tablet computers, become more powerful and ubiquitous, it becomes advantageous to use them for an increasing number of applications. In some instances, these applications may require that sensitive information be stored in nonvolatile memory on the device. It is therefore important to be able to protect said information stored on the device both while the device is running and while the device is powered off. Regardless, it is imperative that the identity of the user be verified before granting access to the information stored on the device. Current solutions to this problem involve using a password to protect the device once the operating system has been started. However, passwords may still be a point of insecurity, since the passwords may be shared, stolen, sniffed, cracked, and/or have poor password strength. Such vulnerabilities relating to password security present a broad attack surface to malicious users. A need exists for improved solutions.
  • SUMMARY OF THE INVENTION
  • To provide the greatest level of security, methods and systems are provided herein to prevent unauthorized users from even turning on a device, including without limitation reducing the exposure to attacks by requiring a user to authenticate himself or herself prior to loading the operating system into memory.
  • Embodiments of the present invention include a system for securing the boot process of a device using credentials stored on an authentication token. Other embodiments include a method for securing the boot process of a device by reading an external authentication token, determining whether a user is authorized to access a device, based on the external authentication token, enabling an operating system of the device if the user is determined to be authorized, and processing a password from the user to access the operating system of the device. Another embodiment includes a method wherein first authentication data is received via a short range wireless signal, second authentication data is generated from the first authentication data, the second authentication data is transmitted to an in-location access point, third authentication data is received from the in-location access point, wherein the third authentication data is based on the second authentication data, and a fourth authentication data is communicated to a server, wherein the fourth authentication data includes at least a portion of the first, second, and third authentication data.
  • In various embodiments of the invention, the authentication token may be read from a common access card or from one or more proximity signals. A public key may be involved in determining if the token indicates the user is authorized to access the device. In an embodiment of the invention, user access permissions are obtained from a network resource before authentication to determine what data, hardware, or software components can be accessed by the user. In some embodiments, updated user access permissions are obtained from a network resource after the authentication. Enabling the operating system may include decrypting a root filesystem, decrypting a subset of the root filesystem, or loading an operating system. In some embodiments, the subset of the root filesystem that is decrypted is determined based on the external authentication token. In an embodiment of the invention, the authentication process is varied based on the device's location indoors or outdoors. In another embodiment of the invention, the determination of whether a user is authorized involves decrypting the external authorization token and comparing the external authorization token to a stored authentication credential for the user. In some embodiments, the stored authentication credential is obtained from a remote credential server. In some embodiments, the stored authentication credential is obtained from a public key server.
  • The present disclosure may provide greater security than just password protection by requiring users of a device to authenticate with an external authentication token before the device allows the users to access the operating system.
  • BRIEF DESCRIPTION OF THE FIGURES
  • FIG. 1 depicts certain components of a system for providing a secure device.
  • FIG. 2 depicts a workflow for securing a device.
  • DETAILED DESCRIPTION
  • This disclosure may increase the security of a mobile device by preventing access to the operating system at system boot using an external authentication token.
  • Referring to FIG. 1, a device 102 may comprise an operating system 104, an authentication token reading facility 108 and a credential processing facility 110. The device 102 may be a mobile device, such as a mobile phone, a smartphone, a tablet, a laptop or some other device. The operating system 104 may be Android, bada, BlackBerry OS, iOS, Series40, Symbian OS, Windows Phone or some other operating system.
  • The device may also include one or more of a processor, a memory, and a network interface. Network interface may provide an input and/or output mechanism to communicate with other network devices such as a router or server. The network interface may also provide communication with, for example, other gateways, wireless access nodes, and application servers to send and receive data such as packets and messages. The network interface may provide connectivity to 3G, 4G, WiFi, or other network types. Processor may run software which uses the network interface and the memory such as a tangible, non-transitory computer readable medium, a programmable read only memory (PROM), or flash memory. Processor may be any computer chip that is capable of executing program instruction streams that are part of a software program. Processor may have multiple cores for executing multiple streams of program instructions simultaneously. The processor may also have multiple sub-processors which are optimized for executing particular categories of program instructions and are controlled by the processor. The memory is capable of storing and retrieving program instructions, program data, or any other data that is used by the processor. The processor may store and retrieve data from the memory as a software program is executed. Memory may include or store one or more of an authentication token reading facility 108 and or a credential processing facility. Memory may also include associated policies and configurations. The processor may optionally access and update a authentication token reading facility 108 and/or a credential processing facility and associated policies and configurations.
  • The user equipment (e.g., mobile device) described above can be a smart phone offering advanced capabilities including, but not limited to word processing, web browsing, gaming, e-book capabilities, an operating system, a user interface, and a full keyboard. The user equipment may run an operating system such as SYMBIAN OS, APPLE IOS, RIM's BLACKBERRY, WINDOWS MOBILE, Linux, PALM WEBOS, and ANDROID. The screen may be a touch screen that can be used to input data to the mobile device and the screen can be used instead of a full keyboard. The user equipment may have the capability to run applications or communicate with applications that are provided by servers in the communication network. The user equipment can receive updates and other information from these applications on the network.
  • In embodiments, a user may be required to authenticate on the device 102 using an external authentication token 112 in order to use the operating system 104 on the device 102. When the device 102 is powered up, the credential processing facility 110 may instruct the user of the device 102 to provide authentication information via the authentication token reading facility 108. The authentication token reading facility 108 may read authentication information from a physical device. The information may be an authentication token 112. The authentication token 112 may be stored on a Common Access Card, a smartcard, a USB token, an SD card, a key fob, or some other physical device. The authentication token 112 may be a cryptographic key, such as a public key certificate, a digital signature, biometric data, a user id, or some other authentication information. In some embodiments, the authentication token reading facility 108 may be an external device connected to the device 102. In such embodiments, the authentication token reading facility 108 may be configured to communicate with the device 102 using the network interface of the device. Communication may occur via a communications medium, such as Bluetooth, near field communication (“NFC”), Wi-Fi, or other wired or wireless communications medium. For example, the authentication token reading facility 108 may be a smartcard reader connected to the network interface of device 102 via Bluetooth.
  • In some embodiments, the boot loader for the device, which is a piece of software responsible for initiating the boot process of the operating system, may include or communicate with the credential processing facility. The boot loader, upon loading into memory, may use its internal or communicate with an external credential processing facility as part of a boot verification process. The boot loader may selectively perform one or more operating system boot steps as a result of token reading, authentication, permission, or other determinations in the credential processing facility. The boot verification steps may include, but are not limited to: selecting the operating system kernel to boot, identifying a master boot record, loading one or more operating system kernel components into memory, executing one or more operating system components, validating one or more operating system components in memory or on a storage medium, verifying a master boot record or operating system kernel or kernel component, writing to an input/output device, displaying one or more user interface or informational components on a device user interface component, displaying one or more interactive user interface components to acquire additional information from the user relevant to one or more boot process steps, or initializing one or more hardware components. In some embodiments, the boot loader may require user input to be provided via one or more user interface components, including, but not limited to, a display, microphone, accelerometer, touch input, keyboard, trackball, external device, or other sensor/input mechanism. The user input, token, sensor data, location of the device, or wireless signals in proximity, such as Bluetooth Low Energy, infrared, or acoustic signals, can be used to aid in determining the boot process components run by the boot loader.
  • In embodiments, the device 102 may be enabled to connect to a network 114. For example, device 102 may connect to network 114 via the network interface of the device. In such embodiments, authenticating the user on the device 102 may include communicating first, second, and third authentication data over a short-range wireless signal between the device 102 and an in-location access point, wherein the second authentication data from the device 102 is based on the first authentication data from the in-location access point and the third authentication data from the in-location access point is based on the second authentication data; communicating a fourth authentication data between the mobile device and a web-based information system, wherein the fourth authentication data comprises at least a portion of at least one of the first, second, and third authentication data; and authenticating access to network accessible content by the mobile device with the web-based information system. The first authentication data may be the authentication token 112 data. The web-based information system may be a proxy 118. For example, the authentication token reading facility 108 associated with the device 102 may receive the authentication token 112 via NFC, send the second authentication data to the in-location access point via Bluetooth heartbeat messages, receive the third authentication data as responses to the Bluetooth heartbeat messages, send a request to a web proxy 118 that includes the third authentication data (e.g. in the form of hypertext transport protocol (HTTP) request with such data in the HTTP headers), and receive access to the device if the proxy 118 determines that the user is authorized, based on the third authentication data.
  • The credential processing facility 110 may determine whether the authentication token 112 data is valid and whether the user is permitted to access the operating system 104, based on the user provided authentication token 112. Credential processing may include local or distributed processing, using processing and storage capabilities of the authentication token device 112 or using remote (e.g., server-based) processing capabilities. In embodiments, local credential processing may include one or more of decrypting, reviewing and comparing the user provided authentication token 112 by the credential processing facility 110. In embodiments, distributed credential processing may include one or more of decrypting, reviewing and comparing the user provided authentication token 112 by the credential processing facility 110 in connection with some authentication facility, such as a private key or public key service. Comparing the user provided authentication token 112 may include looking up the user provided authentication token 112 in a database or file for a match or for a permission. Credential processing may be performed using private or public key authentication.
  • Upon determining that the authentication token 112 data is valid and the user is permitted to access the operating system 104, the device 102 may begin the operating system 104 boot process. Upon determining that the authentication token 112 data is invalid and/or the user is not permitted to access the operating system 104, the credential processing facility 110 prevents the operating system 104 from beginning the boot process. In some embodiments, the credential processing facility 110 may erase part or all of the data stored on the device 102 upon a predetermined number of failed authentication attempts, which may be, but is not limited to, 3 attempts.
  • For example, the user of the device 102 may provide a smartcard to be read by the authentication token reading facility 108 associated with the device 102, where the smartcard includes the user's authentication token 112. The authentication token 112 data could be one or more X.509 certificates. In this example, the authentication token reading facility 108 may read the authentication token 112 from the smartcard and provide the authentication token 112 information to the credential processing facility 110. The credential processing facility 110 may, then, determine whether the user is authorized to access the operating system 104, based on the authentication token 112 information.
  • A determination that the user is authorized may form an event suitable for use in determining a device context as described in U.S. Provisional Patent Application No. 61/780,408, at pages 3-4, which is incorporated herein by reference. Some embodiments of the invention may be used by incorporating location-based authorization into credential processing, as described in U.S. Provisional Patent Application No. 61/785,109 at paragraphs [0020]-[0025], which is incorporated herein by reference. In some embodiments, reading of the authentication token and credential processing may be performed in a trusted zone of a processor as described in U.S. Provisional Patent Application No. 61/790,728 at paragraphs [0091]-[0095], which is incorporated herein by reference. The credential processing of some embodiments of the invention may incorporate a secure location determination, as described in U.S. Provisional Patent Application No. 61/781,252 at pages 2-4, which is incorporated herein by reference.
  • Referring now to FIG. 2, the process for authenticating the user may comprise powering on a device 202; prompting a user to provide an authentication token 204; reading, by the device, the authentication token 208; determining, by a credential processing facility, whether the user is authorized to access the device, based on the authentication token 210; and granting a user access to the device. In embodiments, if the user is unauthorized to access the device by the credential processing facility based on the authentication token 210, the user may be prohibited from accessing the device 212. In some embodiments, granting the user access to the device may include decrypting the root filesystem if the user is determined to be authorized by the credential processing facility. In some embodiments, granting the user access to the device may include booting an operating system if the user is determined to be authorized by the credential processing facility 214. In some embodiments, granting the user access to the device may include both decrypting the root filesystem and booting the operating system. Additional security may be required at the operating system level, after the user has been authenticated. Therefore, in some embodiments, authenticating the user may also comprise processing a password from the user to access the operating system 218. For example, several users may be authorized to use a device and may be authorized to access the device, but may each such user may have a different account at the operating system level. In this example, such users may be required to provide additional credentials at an operating system login in order to access their operating system account.
  • While the foregoing written description of the invention enables one of ordinary skill to make and use what is considered presently to be the best mode thereof, those of ordinary skill will understand and appreciate the existence of variations, combinations, and equivalents of the specific embodiment, method, and examples herein. The invention should therefore not be limited by the above described embodiment, method, and examples, but by all embodiments and methods within the scope and spirit of the invention.

Claims (20)

  1. 1. An apparatus for providing a secure device, comprising:
    an operating system, for operating the device;
    an authentication token reading facility for reading an external authentication token; and
    a credential processing facility for determining whether a user is authorized to access the device and to load the operating system, based on the external authentication token.
  2. 2. The apparatus of claim 1, wherein the authentication token reading facility comprises a common access card reader.
  3. 3. The apparatus of claim 1, wherein the credential processing facility comprises a remote credential processing facility.
  4. 4. The apparatus of claim 1, wherein the external authentication token comprises one or more of a cryptographic key, a public key certificate, a digital signature, biometric data, or a user id.
  5. 5. A method for securing a device, comprising:
    reading an external authentication token;
    determining whether a user is authorized to access a device, based on the external authentication token;
    enabling an operating system of the device if the user is determined to be authorized; and
    processing a password from the user to access the operating system of the device.
  6. 6. The method of claim 5, wherein the authentication token reading facility reads the token from a common access card.
  7. 7. The method of claim 5, wherein a public key is involved in the determination if the token indicates that the user is authorized to use the device.
  8. 8. The method of claim 5, wherein the external authentication token or a component of the token is read in full or part from one or more proximity signals.
  9. 9. The method of claim 5, wherein one or more user access permissions are obtained from a network resource before the authentication to determine what data, hardware, or software components can be accessed by the user.
  10. 10. The method of claim 9, wherein one or more updated user access permissions are obtained from the network resource after the authentication to determine what data, hardware, or software components can be accessed by the user.
  11. 11. The method of claim 5, wherein enabling the operating system comprises decrypting a root filesystem.
  12. 12. The method of claim 11, wherein the entire root filesystem is not decrypted and instead a subset of the data on the root filesystem is decrypted.
  13. 13. The method of claim 12, wherein the subset of the data decrypted is determined based on the external authentication token.
  14. 14. The method of claim 5, wherein the authentication process varies based on the device's indoor or outdoor location.
  15. 15. The method of claim 5, wherein enabling the operating system comprises loading an operating system.
  16. 16. The method of claim 5, wherein determining whether a user is authorized further comprises:
    decrypting the external authentication token; and
    comparing the external authentication token to a stored authentication credential for the user.
  17. 17. The method of claim 16, wherein the stored authentication credential is obtained from a remote credential server.
  18. 18. The method of claim 16, wherein the stored authentication credential is obtained from a public key server.
  19. 19. A method for authenticating a device, comprising:
    receiving a first authentication data via a short range wireless signal;
    generating a second authentication data from the first authentication data;
    transmitting the second authentication data to an in-location access point;
    receiving a third authentication data from the in-location access point, wherein the third authentication data is based on the second authentication data;
    communicating a fourth authentication data to a server, wherein the fourth authentication data comprises at least a portion of the first, second, and third authentication data.
  20. 20. The method of claim 19, further comprising granting the device access to a network resource based on the fourth authentication data.
US14209950 2013-03-13 2014-03-13 Systems and methods for securing the boot process of a device using credentials stored on an authentication token Abandoned US20140282992A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US201361780408 true 2013-03-13 2013-03-13
US201361779931 true 2013-03-13 2013-03-13
US201361781252 true 2013-03-14 2013-03-14
US201361785109 true 2013-03-14 2013-03-14
US201361790728 true 2013-03-15 2013-03-15
US14209950 US20140282992A1 (en) 2013-03-13 2014-03-13 Systems and methods for securing the boot process of a device using credentials stored on an authentication token

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14209950 US20140282992A1 (en) 2013-03-13 2014-03-13 Systems and methods for securing the boot process of a device using credentials stored on an authentication token

Publications (1)

Publication Number Publication Date
US20140282992A1 true true US20140282992A1 (en) 2014-09-18

Family

ID=51529248

Family Applications (4)

Application Number Title Priority Date Filing Date
US14209950 Abandoned US20140282992A1 (en) 2013-03-13 2014-03-13 Systems and methods for securing the boot process of a device using credentials stored on an authentication token
US14210397 Abandoned US20140283136A1 (en) 2013-03-13 2014-03-13 Systems and methods for securing and locating computing devices
US14210240 Abandoned US20140273857A1 (en) 2013-03-13 2014-03-13 Systems and methods to secure short-range proximity signals
US14210376 Active US9578445B2 (en) 2013-03-13 2014-03-13 Systems and methods to synchronize data to a mobile device based on a device usage context

Family Applications After (3)

Application Number Title Priority Date Filing Date
US14210397 Abandoned US20140283136A1 (en) 2013-03-13 2014-03-13 Systems and methods for securing and locating computing devices
US14210240 Abandoned US20140273857A1 (en) 2013-03-13 2014-03-13 Systems and methods to secure short-range proximity signals
US14210376 Active US9578445B2 (en) 2013-03-13 2014-03-13 Systems and methods to synchronize data to a mobile device based on a device usage context

Country Status (1)

Country Link
US (4) US20140282992A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104320265A (en) * 2014-11-21 2015-01-28 北京奇虎科技有限公司 Authentication method and device for software platform
US9363670B2 (en) 2012-08-27 2016-06-07 Optio Labs, Inc. Systems and methods for restricting access to network resources via in-location access point protocol
US9578445B2 (en) 2013-03-13 2017-02-21 Optio Labs, Inc. Systems and methods to synchronize data to a mobile device based on a device usage context
US9609020B2 (en) 2012-01-06 2017-03-28 Optio Labs, Inc. Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines
US9712530B2 (en) 2012-01-06 2017-07-18 Optio Labs, Inc. Systems and methods for enforcing security in mobile computing
US9773107B2 (en) 2013-01-07 2017-09-26 Optio Labs, Inc. Systems and methods for enforcing security in mobile computing
US9787681B2 (en) 2012-01-06 2017-10-10 Optio Labs, Inc. Systems and methods for enforcing access control policies on privileged accesses for mobile devices

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9853864B2 (en) * 2010-09-17 2017-12-26 Printeron Inc. System and method for updating printer location information field
JP5974907B2 (en) * 2013-01-17 2016-08-23 株式会社デンソー Vehicle equipment
US9491033B1 (en) * 2013-04-22 2016-11-08 Amazon Technologies, Inc. Automatic content transfer
JP2015194698A (en) * 2014-03-20 2015-11-05 カシオ計算機株式会社 Display device, display system, and program
JP6314595B2 (en) * 2014-03-28 2018-04-25 日本電気株式会社 Positioning device, a positioning system, positioning method, and positioning program
US20150326617A1 (en) * 2014-05-06 2015-11-12 DoNotGeoTrack, Inc. Privacy Control Processes for Mobile Devices, Wearable Devices, other Networked Devices, and the Internet of Things
US9246913B2 (en) 2014-06-19 2016-01-26 Verizon Patent And Licensing Inc. Sharing content using a dongle device
US9514589B2 (en) 2014-08-25 2016-12-06 Accenture Global Services Limited Secure short-distance-based communication and access control system
US9633493B2 (en) 2014-08-25 2017-04-25 Accenture Global Services Limited Secure short-distance-based communication and validation system for zone-based validation
US9589402B2 (en) 2014-08-25 2017-03-07 Accenture Global Services Limited Restricted area access control system
US10009745B2 (en) 2014-08-25 2018-06-26 Accenture Global Services Limited Validation in secure short-distance-based communication and enforcement system according to visual objects
US9922294B2 (en) 2014-08-25 2018-03-20 Accenture Global Services Limited Secure short-distance-based communication and enforcement system
US20170012964A1 (en) * 2014-09-29 2017-01-12 Identity Over Ip Providing authentication of control instructions from a control device to a remotely-controllable physical interaction device using a remote control authentication token
KR101539292B1 (en) * 2014-10-28 2015-07-27 주식회사 퍼플즈 Method of transmitting and receiving data in a wireless communication system using bluetooth low energy beacon and apparatus thereof
US9608999B2 (en) * 2014-12-02 2017-03-28 Accenture Global Services Limited Smart beacon data security
US20160337353A1 (en) * 2015-05-11 2016-11-17 Interactive Intelligence Group, Inc. System and method for multi-factor authentication
WO2016183263A1 (en) 2015-05-12 2016-11-17 D&M Holdings, Inc. System and method for negotiating group membership for audio controllers
US9743252B2 (en) * 2015-06-11 2017-08-22 Honeywell International Inc. System and method for locating devices in predetermined premises
KR20170001429A (en) * 2015-06-26 2017-01-04 삼성전자주식회사 A service providing method using a beacon and electronic apparatus thereof
US10074225B2 (en) 2016-04-18 2018-09-11 Accenture Global Solutions Limited Validation in secure short-distance-based communication and enforcement system according to visual object flow

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030194094A1 (en) * 1998-10-26 2003-10-16 Lampson Butler W. System and method for secure storage data using a key
US20040255145A1 (en) * 2003-05-06 2004-12-16 Jerry Chow Memory protection systems and methods for writable memory
US20060020821A1 (en) * 2004-07-24 2006-01-26 International Business Machines Corp. System and method for data processing system planar authentication
US20080025503A1 (en) * 2006-07-27 2008-01-31 Samsung Electronics Co., Ltd. Security method using self-generated encryption key, and security apparatus using the same
US20100153697A1 (en) * 2008-12-17 2010-06-17 Jeremy Ford Methods and systems for embedded user authentication and/or providing computing services using an information handling system configured as a flexible computing node
US20110258426A1 (en) * 2010-04-19 2011-10-20 Apple Inc. Booting and configuring a subsystem securely from non-local storage
US20120254602A1 (en) * 2011-03-01 2012-10-04 Softex Incorporated Methods, Systems, and Apparatuses for Managing a Hard Drive Security System
US20130124840A1 (en) * 2011-11-11 2013-05-16 International Business Machines Corporation Secure boot up of a computer based on a hardware based root of trust
US8874891B2 (en) * 2010-05-20 2014-10-28 Hewlett-Packard Development Company, L.P. Systems and methods for activation of applications using client-specific data
US8898481B1 (en) * 2012-07-18 2014-11-25 Dj Inventions, Llc Auditable cryptographic protected cloud computing communications system
US9191382B1 (en) * 2012-06-14 2015-11-17 Google Inc. User authentication using swappable user authentication services

Family Cites Families (95)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6317868B1 (en) 1997-10-24 2001-11-13 University Of Washington Process for transparently enforcing protection domains and access control as well as auditing operations in software components
US20080278408A1 (en) * 1999-05-04 2008-11-13 Intellimat, Inc. Floor display systems and additional display systems, and methods and computer program products for using floor display systems and additional display system
US6467086B1 (en) 1999-07-20 2002-10-15 Xerox Corporation Aspect-oriented programming
US6901429B2 (en) 2000-10-27 2005-05-31 Eric Morgan Dowling Negotiated wireless peripheral security systems
US7461144B1 (en) 2001-02-16 2008-12-02 Swsoft Holdings, Ltd. Virtual private server with enhanced security
US7207041B2 (en) 2001-06-28 2007-04-17 Tranzeo Wireless Technologies, Inc. Open platform architecture for shared resource access management
GB0123403D0 (en) 2001-09-28 2001-11-21 Tamesis Ltd Publish subscribe system
US20050060365A1 (en) * 2002-01-24 2005-03-17 Robinson Scott L. Context-based information processing
US20030140088A1 (en) * 2002-01-24 2003-07-24 Robinson Scott H. Context-based information processing
US20030149874A1 (en) 2002-02-06 2003-08-07 Xerox Corporation Systems and methods for authenticating communications in a network medium
US7135635B2 (en) 2003-05-28 2006-11-14 Accentus, Llc System and method for musical sonification of data parameters in a data stream
US8136155B2 (en) 2003-04-01 2012-03-13 Check Point Software Technologies, Inc. Security system with methodology for interprocess communication control
US7751829B2 (en) 2003-09-22 2010-07-06 Fujitsu Limited Method and apparatus for location determination using mini-beacons
US8880893B2 (en) 2003-09-26 2014-11-04 Ibm International Group B.V. Enterprise information asset protection through insider attack specification, monitoring and mitigation
US20050138416A1 (en) 2003-12-19 2005-06-23 Microsoft Corporation Object model for managing firewall services
US7574709B2 (en) 2004-04-30 2009-08-11 Microsoft Corporation VEX-virtual extension framework
US20050246453A1 (en) 2004-04-30 2005-11-03 Microsoft Corporation Providing direct access to hardware from a virtual environment
US7530093B2 (en) 2004-04-30 2009-05-05 Microsoft Corporation Securing applications and operating systems
US7584502B2 (en) 2004-05-03 2009-09-01 Microsoft Corporation Policy engine and methods and systems for protecting data
US20060048226A1 (en) 2004-08-31 2006-03-02 Rits Maarten E Dynamic security policy enforcement
US7768420B2 (en) 2004-10-29 2010-08-03 Intel Corporation Operation and control of wireless appliance networks
US7681226B2 (en) 2005-01-28 2010-03-16 Cisco Technology, Inc. Methods and apparatus providing security for multiple operational states of a computerized device
WO2006093917A3 (en) * 2005-02-28 2009-04-30 Majid Shahbazi Mobile data security system and methods
US8836580B2 (en) * 2005-05-09 2014-09-16 Ehud Mendelson RF proximity tags providing indoor and outdoor navigation and method of use
US8266232B2 (en) 2005-10-15 2012-09-11 International Business Machines Corporation Hardware processing of commands within virtual client computing environment
US9864752B2 (en) 2005-12-29 2018-01-09 Nextlabs, Inc. Multilayer policy language structure
US20070186274A1 (en) 2006-02-07 2007-08-09 Matsushita Electric Industrial Co., Ltd. Zone based security model
US8151323B2 (en) 2006-04-12 2012-04-03 Citrix Systems, Inc. Systems and methods for providing levels of access and action control via an SSL VPN appliance
US8387048B1 (en) 2006-04-25 2013-02-26 Parallels IP Holdings GmbH Seamless integration, migration and installation of non-native application into native operating system
US7865934B2 (en) 2006-05-18 2011-01-04 Microsoft Corporation Access-control permissions with inter-process message-based communications
JP5054768B2 (en) 2006-06-21 2012-10-24 ヴィーブ−システムズ アクチエンゲゼルシャフトWibu−Systems Ag Method and apparatus for intrusion detection
US7917963B2 (en) 2006-08-09 2011-03-29 Antenna Vaultus, Inc. System for providing mobile data security
US7966599B1 (en) 2006-08-29 2011-06-21 Adobe Systems Incorporated Runtime library including a virtual file system
US7774599B2 (en) 2006-09-15 2010-08-10 Panasonic Corporation Methodologies to secure inter-process communication based on trust
US8533530B2 (en) 2006-11-15 2013-09-10 Qualcomm Incorporated Method and system for trusted/untrusted digital signal processor debugging operations
GB0623101D0 (en) * 2006-11-20 2006-12-27 British Telecomm Secure network architecture
WO2008077628A3 (en) 2006-12-22 2009-01-15 Virtuallogix Sa System for enabling multiple execution environments to share a device
US20080235587A1 (en) * 2007-03-23 2008-09-25 Nextwave Broadband Inc. System and method for content distribution
DE102007018096A1 (en) 2007-04-17 2008-10-23 Rohde & Schwarz Gmbh & Co. Kg Method for determining time differences between measured by at least two measuring devices coupled signals and measuring system, and corresponding switching device
US20090025011A1 (en) 2007-07-17 2009-01-22 Tim Neil Inter-process communication at a mobile device
US8626867B2 (en) * 2007-07-27 2014-01-07 Blackberry Limited Apparatus and methods for operation of a wireless server
US8965992B2 (en) * 2007-07-27 2015-02-24 Blackberry Limited Apparatus and methods for coordination of wireless systems
US8225329B1 (en) 2007-09-13 2012-07-17 Juniper Networks, Inc. Tail synchronized FIFO for fast user space packet access
US8505029B1 (en) 2007-11-26 2013-08-06 Adobe Systems Incorporated Virtual machine communication
US8584229B2 (en) 2007-12-21 2013-11-12 Intel Corporation Methods and apparatus supporting access to physical and virtual trusted platform modules
US9185123B2 (en) 2008-02-12 2015-11-10 Finsphere Corporation System and method for mobile identity protection for online user authentication
US9058483B2 (en) 2008-05-08 2015-06-16 Google Inc. Method for validating an untrusted native code module
US8516095B2 (en) * 2008-05-23 2013-08-20 Research In Motion Limited Remote administration of mobile wireless devices
US8335931B2 (en) 2008-06-20 2012-12-18 Imation Corp. Interconnectable personal computer architectures that provide secure, portable, and persistent computing environments
US8151349B1 (en) 2008-07-21 2012-04-03 Google Inc. Masking mechanism that facilitates safely executing untrusted native code
US20100031252A1 (en) 2008-07-29 2010-02-04 Compuware Corporation Method And System For Monitoring The Performance Of An Application And At Least One Storage Device For Storing Code Which Performs The Method
US8607224B2 (en) 2009-05-28 2013-12-10 Yahoo! Inc. System for packaging native program extensions together with virtual machine applications
US20110055890A1 (en) 2009-08-25 2011-03-03 Gaulin Pascal Method and system to configure security rights based on contextual information
US8413241B2 (en) 2009-09-17 2013-04-02 Oracle America, Inc. Integrated intrusion deflection, detection and introspection
US20110151955A1 (en) * 2009-12-23 2011-06-23 Exent Technologies, Ltd. Multi-player augmented reality combat
KR101640767B1 (en) 2010-02-09 2016-07-29 삼성전자주식회사 Real-time virtual reality input/output system and method based on network for heterogeneous environment
US8938782B2 (en) 2010-03-15 2015-01-20 Symantec Corporation Systems and methods for providing network access control in virtual environments
US8533860B1 (en) 2010-03-21 2013-09-10 William Grecia Personalized digital media access system—PDMAS part II
US8887308B2 (en) 2010-03-21 2014-11-11 William Grecia Digital cloud access (PDMAS part III)
EP2572277A1 (en) 2010-05-19 2013-03-27 Hughes Systique India Private Limited Method and system for efficient inter- process communication in a high availability system
KR101618417B1 (en) * 2010-06-04 2016-05-04 보오드 오브 리젠츠, 더 유니버시티 오브 텍사스 시스템 Methods and apparatuses for relaying data in a wireless communications system
US8582423B2 (en) 2010-08-04 2013-11-12 Alcatel Lucent Multi-chassis inter-process communication
US20120215637A1 (en) * 2010-09-13 2012-08-23 Hermann Mark E System and method for performing social networking and loyalty program functions at a venue
US8613052B2 (en) 2010-09-17 2013-12-17 Universal Secure Registry, Llc Apparatus, system and method employing a wireless user-device
US8849941B2 (en) 2010-09-30 2014-09-30 Microsoft Corporation Virtual desktop configuration and operation techniques
US8726294B2 (en) 2010-10-01 2014-05-13 Z124 Cross-environment communication using application space API
US9961550B2 (en) 2010-11-04 2018-05-01 Itron Networked Solutions, Inc. Physically secured authorization for utility applications
US8359016B2 (en) 2010-11-19 2013-01-22 Mobile Iron, Inc. Management of mobile applications
US20120258730A1 (en) * 2010-11-29 2012-10-11 Qualcomm Incorporated Estimating access terminal location based on beacon signals from femto cells
US9350809B2 (en) * 2011-01-31 2016-05-24 Nokia Technologies Oy Method and apparatus for automatically determining communities of interest, for use over an ad-hoc mesh network, based on context information
US8612744B2 (en) 2011-02-10 2013-12-17 Varmour Networks, Inc. Distributed firewall architecture using virtual machines
US8769305B2 (en) 2011-03-21 2014-07-01 Moncana Corporation Secure execution of unsecured apps on a device
US20120255014A1 (en) 2011-03-29 2012-10-04 Mcafee, Inc. System and method for below-operating system repair of related malware-infected threads and resources
US8099596B1 (en) 2011-06-30 2012-01-17 Kaspersky Lab Zao System and method for malware protection using virtualization
US8763112B2 (en) 2011-07-02 2014-06-24 Intel Corporation Systems and methods for power-on user authentication
US20130054812A1 (en) 2011-08-22 2013-02-28 Don DeCoteau System and method for dynamically assembling an application on a client device
US8521181B2 (en) * 2011-09-19 2013-08-27 Qualcomm Incorporated Time of arrival based positioning system
US8966004B2 (en) 2011-09-29 2015-02-24 Comcast Cable Communications, LLC. Multiple virtual machines in a mobile virtualization platform
US8695060B2 (en) 2011-10-10 2014-04-08 Openpeak Inc. System and method for creating secure applications
US9936351B2 (en) 2011-10-26 2018-04-03 Sling Media Pvt Ltd Apparatus systems and methods for proximity-based service discovery and session sharing
US9317702B2 (en) 2011-11-29 2016-04-19 Sony Corporation System and method for providing secure inter-process communications
US8863129B2 (en) 2011-12-06 2014-10-14 International Business Machines Corporation Automated caching and mirroring of immutable data in distributed virtual machines via native interface components
WO2013103989A1 (en) 2012-01-06 2013-07-11 Optio Labs, LLC Systems and meathods for enforcing secutity in mobile computing
US9773107B2 (en) 2013-01-07 2017-09-26 Optio Labs, Inc. Systems and methods for enforcing security in mobile computing
US20130312058A1 (en) 2012-01-06 2013-11-21 Optio Labs, Inc. Systems and methods for enhancing mobile security via aspect oriented programming
US9787681B2 (en) 2012-01-06 2017-10-10 Optio Labs, Inc. Systems and methods for enforcing access control policies on privileged accesses for mobile devices
US9609020B2 (en) 2012-01-06 2017-03-28 Optio Labs, Inc. Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines
US8844032B2 (en) 2012-03-02 2014-09-23 Sri International Method and system for application-based policy monitoring and enforcement on a mobile device
US9572029B2 (en) 2012-04-10 2017-02-14 Imprivata, Inc. Quorum-based secure authentication
US9398519B2 (en) * 2012-06-22 2016-07-19 Apple Inc. Beacon frame monitoring
US9584528B2 (en) * 2012-09-06 2017-02-28 Qualcomm Incorporated Securing databases against piracy attacks
US9507653B2 (en) 2012-09-12 2016-11-29 Microsoft Technology Licensing, Llc Inter-process communication channel
US8655307B1 (en) * 2012-10-26 2014-02-18 Lookout, Inc. System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security
US20140256251A1 (en) 2013-03-11 2014-09-11 Cellco Partnership D/B/A Verizon Wireless Secure nfc data authentication
US20140282992A1 (en) 2013-03-13 2014-09-18 Optio Labs, Inc. Systems and methods for securing the boot process of a device using credentials stored on an authentication token

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030194094A1 (en) * 1998-10-26 2003-10-16 Lampson Butler W. System and method for secure storage data using a key
US20040255145A1 (en) * 2003-05-06 2004-12-16 Jerry Chow Memory protection systems and methods for writable memory
US20060020821A1 (en) * 2004-07-24 2006-01-26 International Business Machines Corp. System and method for data processing system planar authentication
US20080025503A1 (en) * 2006-07-27 2008-01-31 Samsung Electronics Co., Ltd. Security method using self-generated encryption key, and security apparatus using the same
US20100153697A1 (en) * 2008-12-17 2010-06-17 Jeremy Ford Methods and systems for embedded user authentication and/or providing computing services using an information handling system configured as a flexible computing node
US20110258426A1 (en) * 2010-04-19 2011-10-20 Apple Inc. Booting and configuring a subsystem securely from non-local storage
US8874891B2 (en) * 2010-05-20 2014-10-28 Hewlett-Packard Development Company, L.P. Systems and methods for activation of applications using client-specific data
US20120254602A1 (en) * 2011-03-01 2012-10-04 Softex Incorporated Methods, Systems, and Apparatuses for Managing a Hard Drive Security System
US20130124840A1 (en) * 2011-11-11 2013-05-16 International Business Machines Corporation Secure boot up of a computer based on a hardware based root of trust
US9191382B1 (en) * 2012-06-14 2015-11-17 Google Inc. User authentication using swappable user authentication services
US8898481B1 (en) * 2012-07-18 2014-11-25 Dj Inventions, Llc Auditable cryptographic protected cloud computing communications system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9787681B2 (en) 2012-01-06 2017-10-10 Optio Labs, Inc. Systems and methods for enforcing access control policies on privileged accesses for mobile devices
US9609020B2 (en) 2012-01-06 2017-03-28 Optio Labs, Inc. Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines
US9712530B2 (en) 2012-01-06 2017-07-18 Optio Labs, Inc. Systems and methods for enforcing security in mobile computing
US9363670B2 (en) 2012-08-27 2016-06-07 Optio Labs, Inc. Systems and methods for restricting access to network resources via in-location access point protocol
US9773107B2 (en) 2013-01-07 2017-09-26 Optio Labs, Inc. Systems and methods for enforcing security in mobile computing
US9578445B2 (en) 2013-03-13 2017-02-21 Optio Labs, Inc. Systems and methods to synchronize data to a mobile device based on a device usage context
CN104320265A (en) * 2014-11-21 2015-01-28 北京奇虎科技有限公司 Authentication method and device for software platform
CN104320265B (en) * 2014-11-21 2017-10-24 北京奇虎科技有限公司 A method and apparatus for authenticating the authentication software platform

Also Published As

Publication number Publication date Type
US20140282857A1 (en) 2014-09-18 application
US20140273857A1 (en) 2014-09-18 application
US20140283136A1 (en) 2014-09-18 application
US9578445B2 (en) 2017-02-21 grant

Similar Documents

Publication Publication Date Title
US8595810B1 (en) Method for automatically updating application access security
US20150089621A1 (en) Secure login for subscriber devices
US20070300063A1 (en) Pairing to a Wireless Peripheral Device at the Lock-Screen
US20120321087A1 (en) Controlling access to protected objects
US20100257578A1 (en) Data access programming model for occasionally connected applications
US20140047510A1 (en) Wireless multi-factor authentication with captive portals
US20130198822A1 (en) Authentication Management Services
US20140007213A1 (en) Systems and methods for push notification based application authentication and authorization
US20130185210A1 (en) Method and System for Making Digital Payments
US20080155268A1 (en) Secure data verification via biometric input
US20120252405A1 (en) Connecting mobile devices, internet-connected hosts, and cloud services
US20130347089A1 (en) Out-of-band remote authentication
US20130198824A1 (en) Recovery of Managed Security Credentials
US20140181925A1 (en) Privacy Enhanced Key Management For A Web Service Provider Using A Converged Security Engine
US20140282945A1 (en) Technologies for secure storage and use of biometric authentication information
US20110030040A1 (en) Application authentication system and method
US20140096179A1 (en) System and method for performing secure communications
US20130160144A1 (en) Entity verification via third-party
US20130198818A1 (en) Logout From Multiple Network Sites
US20140337937A1 (en) Methods and devices for detecting unauthorized access to credentials of a credential store
US20140282894A1 (en) Delegating authorization to applications on a client device in a networked environment
US20130174252A1 (en) Secure User Authentication for Bluetooth Enabled Computer Storage Devices
US20100281252A1 (en) Alternate authentication
US20140230078A1 (en) Managing basic input/output system (bios) access
US20120159172A1 (en) Secure and private location

Legal Events

Date Code Title Description
AS Assignment

Owner name: OPTIO LABS, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CLANCY, THOMAS CHARLES, III;DOUGHERTY, BRIAN;HAMRICK, DAVID ALEXANDER;AND OTHERS;SIGNING DATES FROM 20140530 TO 20140703;REEL/FRAME:033271/0068