WO2015089318A2 - Secure communication channels - Google Patents

Secure communication channels Download PDF

Info

Publication number
WO2015089318A2
WO2015089318A2 PCT/US2014/069823 US2014069823W WO2015089318A2 WO 2015089318 A2 WO2015089318 A2 WO 2015089318A2 US 2014069823 W US2014069823 W US 2014069823W WO 2015089318 A2 WO2015089318 A2 WO 2015089318A2
Authority
WO
WIPO (PCT)
Prior art keywords
secure
computing device
communications channel
data
connection request
Prior art date
Application number
PCT/US2014/069823
Other languages
French (fr)
Other versions
WO2015089318A3 (en
Inventor
Phillip RISCOMBE-BURTON
Siavash James Joorabchian Hawkins
Sean Quinlan
Haniff Somani
Sanjiv Maurya
Original Assignee
Good Technology Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GB1322033.0A external-priority patent/GB2521196B/en
Priority claimed from GB1322032.2A external-priority patent/GB2521195B/en
Application filed by Good Technology Corporation filed Critical Good Technology Corporation
Priority to US15/103,998 priority Critical patent/US10397202B2/en
Priority to EP14868833.6A priority patent/EP3080948B1/en
Publication of WO2015089318A2 publication Critical patent/WO2015089318A2/en
Publication of WO2015089318A3 publication Critical patent/WO2015089318A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471Key exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/146Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

Definitions

  • the present invention relates to methods and apparatus for negotiating a secure device-to-device communication channel.
  • Secure platforms provide an architecture for deployment and management of secure applications running on computing devices.
  • a secure application enables an enterprise to deploy sensitive data to the respective computing device, and to remotely manage the sensitive data in a secure manner. For example, such management may include remote deletion of the sensitive data in the event that the computing device is compromised or in the event that the user of the computing device leaves the employment of the enterprise.
  • the secure application also provides secure access to data and services provided by an enterprise network, such as enterprise e-mail services for storing, sending and receiving e-mail; enterprise file sharing services for storing and retrieving files; enterprise database services for accessing and modifying an enterprise database; enterprise Personal Information Management (PEVI) services for accessing and modifying personal information such as contact lists, calendars and task lists; and other services including enterprise resource planning, customer relationship management, field/support force automation, and consumer data content storage, etc.
  • enterprise network such as enterprise e-mail services for storing, sending and receiving e-mail; enterprise file sharing services for storing and retrieving files; enterprise database services for accessing and modifying an enterprise database; enterprise Personal Information Management (PEVI) services for accessing and modifying personal information such as contact lists, calendars and task lists; and other services including enterprise resource planning, customer relationship management, field/support force automation, and consumer data content storage, etc.
  • enterprise network such as enterprise e-mail services for storing, sending and receiving e-mail; enterprise file sharing services for storing and retrieving files
  • At least some of the data managed by the secure application running on the mobile device is stored in encrypted format.
  • the data maybe encrypted using methods as known in the art.
  • the encryption may employ "containerisation", according to which the data is encrypted and "wrapped" in a container to which various access policies can be applied to control which users can access the data within the container.
  • the access policies can for example be determined and varied if desired by a remote user, such as an administrator of an enterprise network.
  • a first aspect provides a method of negotiating a secure device-to-device communications channel between a first computing device and a second computing device the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising: receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel; receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determining, on the basis of an identity of the first user and an identity of the second user, that the secure device-to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted: sending, from the server, first connection data to the first computing device over the first secure communications channel; and sending, from the server, second connection data to the second computing device over the second secure communications channel;
  • the address data and the cryptographic keys necessary to establish the secure device-to-device communication channel are exchanged "out of band" using pre-established secure communications channels, thereby obviating the need to negotiate the secure device-to-device connection over a potentially insecure and untrusted communications channel.
  • the first connection request comprises an indication of the second user
  • the method comprises, responsive to receipt of the first connection request, sending a connection notification indicative of a pending connection request to one or more computing devices associated with the second user, wherein the one or more computing devices includes the second computing device.
  • the first user can ensure that the connection request is sent to the second computing device based on an identifier associated with the second user.
  • the method may comprise determining the one or more computing devices associated with the second user using the indication of the second user in the first connection request.
  • the second connection request is sent to the server by the second computing device responsive to receipt of the connection notification at the second computing device.
  • the first connection request comprises a first session identifier and the second connection request includes a second session identifier, and wherein the sending of the first connection data and the sending of the second connection data is conditional on the first session identifier corresponding to the second session identifier.
  • the identity of the first and second computing devices can be authenticated.
  • the first session identifier and the second session identifier may correspond to a user identity associated with the first computing device or the second computing device.
  • the first session identifier and the second session identifier may correspond to a predetermined challenge exchanged between the first computing device and the second computing device prior to receipt of the first connection request and the second connection request.
  • the first connection request indicates an intended use of the secure device-to-device communications channel. This enables the server to enforce usage policies on the secure device-to-device communications channel based on the intended use.
  • the first connection request may identify data to be transferred from the first computing device to the second computing device using the secure device-to-device communications channel.
  • the first connection request may indicate a specified service running on the first computing device to be shared with the second computing device using the secure device-to-device communications channel.
  • sending the first connection data and the second connection data may be dependent on a determination that the secure device-to-device communications channel is permitted on the basis of the intended use of the secure device-to-device communications channel.
  • the first connection request indicates a communications medium for establishment of the secure device-to-device communications channel.
  • the communications medium may be BluetoothTM, a local area network, Near Field Communication (NFC), or Wi-FiTM.
  • the communications medium for establishment of the secure device-to-device communications channel is different from the communications medium associated with the first secure communications channel and the communications medium associated with the second secure communications channel.
  • the first computing device and the second computing device are authenticated by the server.
  • the computing device is a portable computing device.
  • a second aspect provides a server system for negotiating a secure device-to- device communications channel between a first computing device and a second computing device the first computing device being associated with a first user and the second computing device being associated with a second user, wherein the server system is configured to: receive a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel; receive a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determine, on the basis of an identity of the first user and an identity of the second user, that the secure device- to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted: send first connection data to the first computing device over the first secure communications channel; and send second connection data to the second computing device over the second secure communications channel; wherein the first connection data comprises the second address data and second cryptographic key, and
  • a third aspect provides a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method for negotiating a secure device-to-device communications channel between a first computing device and a second computing device the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising: receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel; receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determine, on the basis of an identity of the first user and an identity of the second user, that the secure device- to-device communication channel is permitted and, dependent on a determination that the secure device-to-dev
  • a fourth aspect provides method of initiating a secure device-to-device communications channel between a first computing device and a second computing device, the method comprising: sending, to a server from a first computing device, a connection request comprising a first cryptographic key and first address data associated with the first computing device, the connection request being sent over a first secure communications channel; receiving, at the first computing over the first secure communications channel, connection data associated with a second computing device, the connection data comprising permission data, second address data and a second cryptographic key; establishing a secure device-to-device communications channel with the second computing device using the connection data; and selectively transmitting the application data to the second computing device over the secure device-to- device communications channel based on the permission data.
  • the address data and the cryptographic keys necessary to establish the secure device-to- device communication channel are exchanged "out of band" using pre-established secure communications channels, thereby obviating the need to negotiate the secure device-to-device connection over a potentially insecure and untrusted communications channel.
  • the method comprises receiving, at the first computing device, a connection notification indicative of a pending connection request from the second computing device, and sending of the first connection request is responsive to receipt of the connection notification at the first computing device.
  • the first connection request comprises an indication of a second user associated with the second computing device. In this manner, the identity of the first and second computing devices can be authenticated.
  • the first connection request comprises a first session identifier.
  • the identity of the first and second computing devices can be authenticated.
  • the session identifier corresponds to a user identity associated with the first computing device or the second computing device.
  • the session identifier may correspond to a predetermined challenge exchanged between the first computing device and the second computing device prior to sending of the first connection request.
  • the connection request indicates an intended use of the secure device-to-device communications channel. This enables the server to enforce usage policies on the secure device-to-device communications channel based on the intended use.
  • the connection request may identify data to be transferred from the first computing device to the second computing device using the secure device-to-device communications channel.
  • the connection request may indicate a specified service running on the first computing device to be shared with the second computing device using the secure device-to-device communications channel.
  • sending the first connection data and the second connection data may be dependent on a determination that the secure device-to-device communications channel is permitted on the basis of the intended use of the secure device-to-device communications channel.
  • the connection request indicates a communications medium for establishment of the secure device-to-device communications channel.
  • the communications medium may be BluetoothTM, a local area network, Near Field Communication (NFC) or Wi-FiTM.
  • the first computing device comprises a secure application and the secure device-to-device communications channel is established between the secure application and the second computing device.
  • the secure application may control data transmitted over the secure device-to-device communications channel. In this manner, the secure application can enforce polices related to the use of the secure device-to-device communications channel.
  • the first and second computing devices are portable computing devices.
  • a fifth aspect provides a computing device for secure management of application data, the computing device being provided with a secure application for controlling transmission of the application data over a secure device-to-device communications channel, wherein the secure application is configured to: establish a first secure communications channel to a server; send, to the server, a connection request comprising a cryptographic key and address data associated with the computing device, the connection request being sent over the first secure communications channel; receiving, from the server, connection data comprising permission data and address data and a cryptographic key associated with a recipient computing device, the connection data being received over the first secure communications channel; establish a secure device-to-device communications channel with the recipient computing device using the connection data; and selectively transmit the application data to the recipient computing device over the secure device-to-device communications channel based on the permission data.
  • the secure application can enforce polices related to the use of the secure device-to-device communications channel as specified by the permission data provided by the server.
  • the secure application stores the application data in a secure container on the computing device.
  • the application data relates to a service provided by the secure application.
  • the computing device is a portable computing device.
  • a sixth aspect provides a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method for initiating a secure device-to-device communications channel between a first computing device and a second computing device, the method comprising: sending, to a server from a first computing device, a connection request comprising a first cryptographic key and first address data associated with the first computing device, the connection request being sent over a first secure communications channel; receiving, at the first computing over the first secure communications channel, connection data associated with a second computing device, the connection data comprising permission data, second address data and a second cryptographic key; establishing a secure device-to-device communications channel with the second computing device using the connection data; and selectively transmitting the application data to the second computing device over the secure device-to- device communications channel based on the permission data.
  • Figure 1 is a schematic diagram showing a system for negotiating a secure device- to-device communications channel between a first computing device and a second computing device according to an embodiment.
  • Figure 2 is a schematic diagram showing a portable computing device according to an embodiment.
  • Figure 3 is a schematic diagram showing the high-level data exchanges involved in establishment of a secure device-to-device connection between a first computing device and a second computing device according to an embodiment.
  • Figure 4 is a signaling diagram showing a method of negotiating a device-to- device communications channel between a first computing device and a second computing device according to a "receptive mode" embodiment.
  • Figure 5 is a signaling diagram showing a method of negotiating a device-to- device communications channel between a first computing device and a second computing device according to a "challenge mode" embodiment.
  • Figure 6 is a flow diagram showing a method performed by a computing device of initiating a device-to-device communications channel between the computing device and a further computing device according to an embodiment.
  • Figure 7 is a flow diagram showing a method performed by a server for negotiating a device-to-device communications channel between a first computing device and a second computing device according to an embodiment.
  • Figure 8 is a schematic diagram showing a proxy server according to an embodiment.
  • a user may wish to securely share or distribute sensitive data managed by a secure application configured on their computing device with the one or more parties located in the vicinity of the user.
  • the user may wish to share a confidential presentation, stored or managed by the secure application, with one or more participants in a meeting or seminar.
  • the user may wish to ensure that the sensitive data does not "leave" a particular domain, such as a particular meeting room, a particular building, or a particular corporate computer network.
  • it is desirable to establish a device-to-device communications channel i.e. a device-to-device connection
  • a device-to-device communications channel is a communication channel which is established between two devices which are directly addressable with respect to each other.
  • a device-to-device communications channel may be established over Local Area Network (LAN) by using the private Internet Protocol (IP) addresses (i.e. a routable IP address) assigned to the respective computing devices.
  • IP Internet Protocol
  • a device-to-device communications channel may in some circumstances be undesirable in situations where one or both of the computing devices is "hidden" behind a network appliance, such as a Network Address Translator (NAT), and thus may not be associated with a routable IP address.
  • NAT Network Address Translator
  • a device-to-device communications channel can be further characterized as either a "direct" device-to-device communications channel, where data is exchanged directly between the parties without involvement of a third party, or an "indirect" device-to-device communications channel where data is exchanged via a third party.
  • Examples of technologies suitable for establishing a direct device-to-device communications channel are BluetoothTM, NFC, Wi-Fi DirectTM, Infrared (e.g. IrDATM), and the proposed device-to-device (D2D) protocols for the Long Term Evolution (LTE) mobile communications standard.
  • a direct device-to-device communications channel may be established using an ad-hoc wireless network based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (Wi-FiTM).
  • IEEE Institute of Electrical and Electronics Engineers
  • Wi-FiTM Institute of Electrical and Electronics Engineers
  • transmission of the data is restricted to a geographical domain associated with the physical capabilities of the respective interface (i.e. the wireless range of the computing devices party to the connection).
  • Use of a direct device-to-device communications channel may be preferred in situations where the party initiating the communications channel desires some certainty with respect to the physical domain over which the associated data will be transmitted.
  • Examples of indirect device-to-device communications channels are communications channels established over a private network, such as a Local Area Network (LAN) or a Wireless Local Area Network (WLAN) based on Wi-FiTM, according to which data is transmitted via one or more third parties (e.g. a wireless access point and/or a network switch).
  • a private network such as a Local Area Network (LAN) or a Wireless Local Area Network (WLAN) based on Wi-FiTM
  • third parties e.g. a wireless access point and/or a network switch.
  • transmission of the data may be restricted to the geographical domain associated with the physical extent of the private network, and is not necessarily restricted by the capabilities of the computing devices themselves.
  • Use of an indirect device-to- device communications channel may be preferred in situations where the parties involved are relatively remote (e.g. located in different rooms of a particular building) but the party initiating the communications channel desires to restrict the domain over with the associated data will be transmitted to a private network or similar.
  • the data to be shared or distributed via the device-to-device communications channel may be the property of an enterprise or an organization, and may therefore relate to confidential business information (hereinafter termed "enterprise data"). It is therefore desirable to ensure that this enterprise data is shared in a secure manner and that safeguards are employed to prevent the enterprise data from being shared with an unauthorized party or a compromised device.
  • the device-to-device connection involves a number of considerations: (i) the user or users with which the enterprise data is to be shared must be authenticated by the enterprise and their associated computing devices must be uncompromised; (ii) users must be restricted to only sharing enterprise data that they are permitted to share and the enterprise data should only be shared with parties who are permitted to receive the data; and (iii) the device-to-device communications channel used to exchange the enterprise data must be secured (ei.ge. encrypted) to prevent third parties from intercepting the enterprise data in transit.
  • the device-to-device communications channel must be a secure device-to-device communications channel.
  • FIG. 1 An example of a system 100 for negotiating a secure device-to-device communications channel according to an embodiment is shown schematically in Figure 1.
  • the system includes a first computing device 102 and a second computing device 104 which are connected to a private network 106 which in turn provides access to a communications network 110.
  • the communications network 110 may, for example, be or include the Internet, a Public Land Mobile Network (PLMN) and/or a Public Switched Telephone Network (PSTN).
  • PLMN Public Land Mobile Network
  • PSTN Public Switched Telephone Network
  • the private network 106 may for example be or include a Local Area Network (LAN) and/or a Wireless Local Area Network (WLAN) which interfaces with the communications network 106 via a router 108.
  • LAN Local Area Network
  • WLAN Wireless Local Area Network
  • one or both of the first and second computing devices 102, 104 may access the communications network 110 using one or more of a number of radio access technologies (not shown) including, for example, Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS) and Long Term Evolution (LTE).
  • GSM Global System for Mobile Communications
  • UMTS Universal Mobile Telecommunications System
  • LTE Long Term Evolution
  • the first and second computing devices 102, 104 are configured with respective secure applications 103, 105, which are configured to securely manage enterprise data and to provide secure and authenticated access to one or more services provided by an enterprise network 116.
  • the enterprise network 116 comprises a plurality of enterprise servers, such as a control server 118, a proxy server 120, and an application server 122.
  • the control server 118 provides functionality for provisioning and management of the secure applications 103, 105 running on the first and second computing devices 102, 104 respectively.
  • the control server 118 is configured to authenticate the users of the first and second computing devices 102, 104 prior to provisioning the secure applications 103, 105.
  • the provisioning process may require the users of the computing devices 102, 104 to set a password (i.e. a secret) which is securely stored in the secure applications 103, 105 and used to authenticate the users when subsequently accessing or running the secure applications 103, 105.
  • the control server 118 may also be configured to provide remote management of the secure applications 103, 105, such as remote locking or remote deletion of the enterprise data in the event that the associated computing device 102, 104 has been compromised in some way (e.g. stolen).
  • the application server 122 provides services and data to the secure applications 103, 105 running on the first and second computing devices 102, 104.
  • the application server 122 may be an enterprise document management server which provides the users with secure access to documents, such as product specifications, financial statements and/or sales presentations, etc.
  • the secure applications 103, 105 are configured to securely access the application server 122 to retrieve the documents which may then be securely stored locally in the computing devices 102, 104 and managed by the secure applications 103, 105.
  • the proxy server 120 provides secure and authenticated access to the application server 122 from the secure applications 103, 105 running on computing devices 102, 104.
  • the secure applications 103, 105 typically establish a secure communication channel with the proxy server 120, which in turn only allows the secure applications 103, 105 to access the application server 122 if permission to do so has been granted by an administrator.
  • Access to the enterprise network 116 is monitored and controlled by a Network Operations Centre (NOC) 112 and a firewall 114.
  • NOC Network Operations Centre
  • the NOC 112 monitors incoming requests to access services provided by the enterprise network 116 and controls access to the enterprise using the firewall 114.
  • the NOC 112 comprises a relay server 124 and a push server 126.
  • the relay server 124 facilitates establishment of secure and authenticated communication channels between the secure applications 103, 105 and the proxy server 120 over the communications network 110.
  • the secure communications channels between the secure applications 103, 105 and the proxy server 120 are typically used to access services and data provided, for example, by the application server 122 as discussed above.
  • Authentication of the client devices 102, 104 and/or the respective secure applications 103, 105 is typically performed using a network authentication protocol, such as the KerberosTM protocol developed by the Massachusetts Institute of Technology, Cambridge, Massachusetts, United States.
  • the push server 126 maintains an "always on" connection to the secure applications 103, 105 for delivery of push notifications to the computing devices 102, 104 on behalf of the enterprise servers 118, 120, 122.
  • the push server 126 may deliver push notifications to the secure applications 103, 105 to notify them of new data available via the application server 122 or new a new e-mail message received at an enterprise e-mail server (not shown).
  • the first and second computing devices 102, 104 take the form of a portable computing device or a non-portable computing device, such as a desktop computer.
  • a portable computing device 200 An example of a portable computing device 200 according to an embodiment is shown schematically in Figure 2.
  • the portable computing device 200 may, for example, take the form of a smart phone, a personal digital assistance (PDA), a tablet computer or a notebook computer, etc.
  • the portable computing device 200 includes a screen 202, which may be a touch screen for receipt of input from a user.
  • the portable computing device 200 may include a physical keyboard (not shown), which may be integral to the portable computing device 200 or connected wirelessly or by wired connection to the portable computing device 200.
  • the computing device further includes a processor 204, a non-volatile storage device 206 (such as a hard disk drive or a solid-state drive) and a random access memory (RAM) 208.
  • the processor executes instructions stored in the random access memory 208 that have been loaded from the non-volatile storage device 206. These instructions are in the form of one or more programs that implement an operating system (not shown) and a secure application 210.
  • the random access memory 208 is also used by programs running on the processor 204 as a means of storing and accessing data in the form of electronic signals where the data is used during the execution of the programs.
  • the operating system provides a file system for storing, modifying and accessing files held in the non-volatile storage device 206. The file system may be accessible to other programs running on the processor 204 via the operating system. Programs running on the processor 204 also process user input obtained via the screen 202 or keyboard (not shown), etc.
  • the portable computing device 200 also includes a network interface 214 (or a plurality of network interfaces) which allows programs running on the processor 204 to transmit and receive data to and from other devices and/or servers via a communications, using wired and/or wireless connections.
  • the network interface 214 is implemented in a combination of software and hardware (e.g. a network interface controller) to provide the necessary network connectivity to the programs running on the processor 204.
  • Examples of network interface 214 include a Wi-FiTM interface and/or a cellular radio interface utilizing standards such as GSM, UMTS and/or LTE.
  • the portable computing device 200 also includes a local communication interface 216 (or a plurality of local communication interfaces) for establishing direct device-to-device communication channels with other computing devices in the vicinity of portable computing device 200.
  • local communication interfaces include BluetoothTM, IrDATM and NFC, etc.
  • the secure application 210 manages enterprise data 212 stored in encrypted form in the storage device 206.
  • the enterprise data 212 may be encrypted and "wrapped" in a data container to which various access policies can be applied by the secure application 210 to control which users and/or applications can access the enterprise data and how the enterprise data can be used.
  • the access policies may be stored locally on the portable computing device 200, remotely in the application server 122, or distributed between the two.
  • the access policies can for example be determined, and varied if desired, by an administrator of the enterprise network 116.
  • the secure application 210 is configured to utilize the network interface 214 to establish secure connections with the various servers in the NOC 112 and the enterprise network 116 in the manner described above with reference to Figure 1.
  • the secure application is also able to access the network interface 214 and/or local interface 216 to establish one or more secure device-to-device connections with other computing devices in the vicinity of the portable computing device 200, as will now be described.
  • Figure 3 shows schematically the high-level data exchanges involved in establishment of a secure device-to-device connection between a first computing device 302 (hereinafter termed the “initiating device”) and a second computing device 304 (hereinafter termed the “receiving device”) according to an embodiment.
  • the first and second computing devices 302, 304 are portable computing devices of the type described above with reference to Figure 2, but it will be understood that the one or both of the computing devices 302, 304 may be a non-portable computing device, such as a desktop computer.
  • the user of the initiating device 302 wishes to send enterprise data, such as a confidential presentation, to a user of the receiving device 304 (hereinafter termed “receiving user") a using a secure device-to-device communication channel.
  • the initiating device 302 and the receiving device 304 are in relatively close proximity to each other (e.g. the same room 306).
  • the initiating user and receiving user are trusted by the enterprise network 116 (e.g. an employee, trusted client or trusted supplier) and their respective computing devices 302, 304 have been provisioned with secure applications 303, 305 which have been authenticated by the NOC 112 in the manner described above with reference to Figure 1.
  • the secure application 303 running on the initiating device 302 requires address information for the receiving device 304
  • the secure application 305 running on the receiving device 304 requires address information for the initiating device 302.
  • the address information for the initiating device 302 and the receiving device 304 typically includes the IP address and a port number for the respective devices 302, 304.
  • the address information typically includes the 48-bit BluetoothTM device address assigned to the respective devices 302, 304.
  • the secure applications 303, 305 running on the initiating device 302 and the receiving device 304 send their associated public key and address information to the proxy server using respective communication channels 308, 310.
  • Communication channels 308, 310 are pre-established via the NOC 112 in the manner described above and are therefore authenticated and secure.
  • the proxy server 120 determines whether the computing devices 302, 304 are permitted to establish a secure device-to-device communications session.
  • the proxy server 120 may query a Global Address List (GAL) and/or a policy database 316 to determine whether the initiating user and the receiving user are permitted to establish the device-to-device communications channel and any restrictions on the data that is permitted to be exchanged (e.g. file type, file name, etc.). In some embodiments, the proxy server 120 may delegate this determination to the application server 122 associated with the secure applications 303, 305 running on the computing devices 302, 304 using communication channel 312.
  • GAL Global Address List
  • policy database 316 may be used to determine whether the initiating user and the receiving user are permitted to establish the device-to-device communications channel and any restrictions on the data that is permitted to be exchanged (e.g. file type, file name, etc.).
  • the proxy server 120 may delegate this determination to the application server 122 associated with the secure applications 303, 305 running on the computing devices 302, 304 using communication channel 312.
  • the proxy server 120 proceeds to send the public key data and address data for the initiating device 302 to the receiving device 304 over secure communication channel 310, and to send the public key data and address data for the receiving device 304 to the initiating device 302 over secure communication channel 308.
  • the secure applications 303, 305 use the received public key data and address data of the counterpart computing device to establish a secure device-to-device communication channel 314 for sending the enterprise information. This process is referred to herein as negotiation of a device-to-device communication channel.
  • negotiation of the device-to-device communication channel in this manner ensures that the public key data and the address data for the computing devices 302, 304 is exchanged over secure and authenticated communication channels established with the NOC 112 and the proxy server 120.
  • key exchange methods such as the Diffie-Hellman key exchange algorithm employed by some versions of the BluetoothTM in its Secure Simple Pairing (SSP) process.
  • Figure 4 is a signaling diagram showing a method 400 for negotiating a secure device-to-device communication channel between the secure applications 303, 305 running on the initiating device 302 and the receiving device 304 according to an embodiment.
  • the method of Figure 4 is an example of a "receptive mode" for establishing a device-to-device connection between the computing devices 302, 304 shown in Figure 3.
  • the initiating user Before initiating the device-to-device communications channel, the initiating user informs the receiving user that they wish to share enterprise data, such as a confidential presentation. If the receiving user agrees to receive the confidential presentation, they provide the initiating user with an identifier which uniquely identifies the receiving user to the enterprise (e.g. the receiving user's enterprise e-mail address or username). Typically, the receiving user informs the initiating user of the unique identifier verbally, but it will be appreciated that the unique identifier may alternatively be exchanged electronically using a secure Web portal, Instant Messaging, a QR code, or similar.
  • the initiating user uses the secure application 303 running on the initiating device 302 to perform a lookup operation using the unique identifier provided by the receiving user.
  • the secure application 303 running on the initiating device 302 sends a lookup request, including the unique identifier for the receiving user, to the proxy server 120 using secure communication channel 308 (step 402).
  • the proxy server 120 queries the GAL using the identifier and retrieves information regarding the receiving user (step 404) which it returns to the secure application 303 running on the initiating device 302 over secure communication channel 308 (step 406).
  • the information returned by the proxy server 120 may, for example, include the receiving user's full name, job title and/or identification photograph, etc.
  • the secure application 303 running on the initiating device 302 Upon receipt of the information relating to the receiving user, the secure application 303 running on the initiating device 302 displays the information for review by the initiating user. The initiating user reviews the information, for example to determine whether the receiving user matches his or her identification photograph, and selects whether they wish to proceed with establishment of the secure device-to-device communications channel.
  • the secure application 303 running on the initiating device 304 generates and sends a connection request to the proxy server 120 via secure communications channel 308 (step 408).
  • this connection request includes capability information and cryptographic information for use in establishing the secure device-to-device communications channel.
  • the capability information indicates one or more communication interfaces or media available to the initiating device 302 for establishing the device-to-device communications channel (e.g. BluetoothTM and/or NFC etc.) and the associated addressing information as discussed above.
  • This information may be retrieved from an operating system running on the initiating device 302 (e.g. via an Application Programming Interface (API)), or pre-configured within the secure application 303 (e.g.
  • API Application Programming Interface
  • the cryptographic information typically includes a public key associated with a public -private key pair generated by secure application 303 for the purpose of securing the device-to-device communications channel.
  • the public -private key pair is typically generated on a per-connection basis using a public key algorithm, thereby ensuring that each device-to-device connection is established using a different public-private key pair and preventing potential eavesdropping by unauthorized parties.
  • the connection request also includes an identifier for the initiating user which uniquely identifies them to the enterprise (e.g. the initiating user's enterprise e-mail address or username), together with the identifier for the receiving user.
  • the proxy server 120 may retain some or all of this information from step 402 in respect of a particular session with the initiating device 302, thereby avoiding the need for the information to be sent again at step 408.
  • the proxy server 120 Upon receipt of the connection request from the secure application 303 running on the initiating device 302, the proxy server 120 registers the request as a pending connection request (step 410) and optionally returns an acknowledgement to the initiating device 302 (step 412). Upon receipt of the acknowledgement, the initiating user informs the receiving user that a connection request is pending and provides the receiving user with the identifier for the initiating user. Next, the receiving user opens the secure application 305 running on the receiving device
  • the secure application 305 sends a lookup request, including the identifier for the initiating user to the proxy server 120 using secure communication channel 310 (step 414).
  • the proxy server 120 queries the GAL using the identifier and retrieves information regarding the initiating user (step 416) which it returns to the secure application 305 over secure and authenticated communication channel 310 (step 418).
  • the information returned by the proxy server may, for example, include the initiating user's full name, job title and/or identification photograph, etc.
  • the secure application 305 running on the receiving device 304 displays the information for review by the receiving user. The receiving user reviews the information, for example to determine whether the initiating user matches their identification photograph, and confirms whether they want to proceed with establishment of the secure device-to-device communications channel.
  • the complementary connection request includes capability information and cryptographic information for the receiving device 304.
  • the capability information indicates one or more communication interfaces or media over which the receiving device is able or willing to establish the device-to-device connection and appropriate addressing information for the indicated interfaces or media as discussed above.
  • the cryptographic information typically includes a public key associated with a public-private key pair generated by secure application 305 for the purpose of securing the device-to-device communications session. As discussed above, the public -private key pair is typically generated by the secure application 305 on a per-connection basis using a public key algorithm.
  • the complementary connection request also includes the identifiers associated with the initiating user and the receiving user, or alternatively, the proxy server 120 may retain some or all of this information from step 414 in respect of a particular session with the receiving device 304, thereby avoiding the need to it to be sent again at step 420.
  • the proxy server 120 Upon receipt of the complementary connection request, the proxy server 120 determines that the initiating device 302 and the receiving device 304 wish to establish a device- to-device communications channel. For example, the proxy server 120 may perform a lookup or correlation operation, based on one or both of the identifiers associated with the initiating and receiving users, to "match" the connection request received from the secure application 303 running on the initiating device 302 with the complementary connection request received from the secure application 305 running on the receiving device 304 (step 422).
  • the proxy server 120 has determined that the secure applications 303, 305 running on the initiating and receiving devices 302, 304 wish to establish a secure device-to- device communications channel, and is also in receipt of capability information, address information and cryptographic information for both the initiating device 302 and the receiving device 304.
  • the proxy server 120 proceeds to send appropriate connection data to the secure application 303 running on the initiating device 302 and the secure application 305 running on the receiving device 304 to enable the secure device-to-device communications channel to be established (steps 424 and 426).
  • connection data sent to the initiating device 302 at step 424 includes the addressing information and cryptographic information received from the receiving device 304
  • connection information sent to the receiving device 304 at step 426 includes the addressing information and cryptographic information received from the initiating device 302.
  • the proxy server 120 may be configured to determine one or more "common" communication interfaces which were indicated as available or acceptable to both devices 302, 304. In this case, the connection information sent from the proxy server 120 will only include relevant address information for the determined "common" communication interfaces.
  • the connection data sent from the proxy server 120 in steps 424 and 426 will include address information for initiating the secure device-to- device communications channel using BluetoothTM only.
  • the proxy server 120 may send address information for each of the common interfaces, thereby enabling selection by the initiating and receiving users.
  • the initiating and receiving users may negotiate which communication interface to use verbally, or a negotiation process may be facilitated electronically by the proxy server 120 over secure and authenticated communication channels 308, 310.
  • the proxy server 120 sends a notification to this effect to the secure applications 303, 305 running on the devices 302, 304 (not shown) and the process is terminated.
  • the secure applications running on each device may display a prompt to their respective users requesting confirmation that they wish to proceed with establishment of a secure device-to-device communications channel.
  • the secure application running on the initiating device 302 may display a prompt such as "Press OK if you wish to proceed with securely sending data "presentation.pptx” to user B using a secure channel established over BluetoothTM”
  • the secure application running on the receiving device 302 may display a prompt such as "Press OK if you wish to proceed with securely receiving data "presentation.pptx” from user B using a secure channel established over BluetoothTM”.
  • the respective secure applications 303, 305 access the appropriate interfaces (e.g. local interface 216) in the respective devices 302, 304 to establish the connection using the received address data and to send exchange the enterprise data securely using the received cryptographic data.
  • appropriate interfaces e.g. local interface 216
  • the secure application 303 running on the initiating device 302 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 305 running on the receiving device 304 (received from the proxy server 120 at step 424), and the secure application 305 running on the receiving device 304 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 303 running on the initiating device 302 (received from the proxy server 120 at step 426).
  • the direct interactions between the initiating device 302 and the receiving device 304 are typically performed over an ad-hoc connection established using the local interfaces 216 of the initiating and receiving devices 302, 304 (indicated by 434 in Figure 4).
  • Figure 5 is a signaling diagram showing a method 500 of negotiating a secure device-to-device communication channel between the initiating device 302 and the receiving device 304 according to a further embodiment.
  • the method of Figure 5 is an example of a "challenge mode" for establishing a device-to-device connection between the computing devices 302, 304 shown in Figure 3.
  • the initiating user and the receiving user agree upon a challenge, such as a PIN or password, to identify the request to establish a secure device-to-device communications session.
  • a challenge such as a PIN or password
  • the challenge is agreed by the initiating and receiving users "out of band" (e.g. by means of a verbal exchange) but in some embodiments the challenge may be exchanged by means of a QR code or similar, using functionality provided by the secure applications 303,
  • the QR code is also used to send an identifier which uniquely identifies the receiving user to the enterprise (e.g. the receiving user's enterprise e-mail address or username) from the secure application 305 running on the receiving device 304 to the secure application 303 running on the initiating device 302.
  • the secure application running on the initiating computing device 302 or the receiving computing device 304 may generate the challenge using, for example, a pseudo random number generator, and encode the generated challenge in the QR or similar.
  • the secure application 303 running on the initiating device 302 generates and sends a lookup request based on the identifier for the receiving user to the proxy server 120 using secure communications channel 308 (step 502).
  • the proxy server 120 queries the GAL using the identifier and retrieves information regarding the receiving user (step 504), which it returns to the secure application 303 running on the initiating device 302 (step 506).
  • the information may, for example, include the receiving user's full name, job title and/or identification photograph, etc.
  • the secure application 303 running on the initiating device 302 Upon receipt of this information, the secure application 303 running on the initiating device 302 displays the information for review by the initiating user. The initiating user reviews the information, for example to confirm that the receiving user matches their identification photograph, and confirms that they wish to proceed with establishment of the secure device-to-device communications channel.
  • the secure application 303 Upon receiving confirmation that the initiating user wishes to proceed, the secure application 303 generates and sends a connection request to the proxy server 120 via secure communications channel 308 (step 508).
  • this connection request includes the challenge agreed between the initiating and receiving users, and capability information and cryptographic information for use in establishing the secure device-to-device communications channel.
  • the capability information indicates one or more communication technologies or media available to the initiating device 302 for establishing the device-to-device communications channel (e.g. BluetoothTM and/or NFC etc.) and the associated addressing information as discussed above.
  • the cryptographic information typically includes a public key of a public- private key pair generated by secure application running on the initiating device 302 for the purpose of securing the device-to-device communications session.
  • the public-private key pair is generated on a per- connection basis using a public key algorithm, as is known in the art. In this manner, each device-to-device connection is established using a different public-private key pair, thus preventing eavesdropping by unauthorized parties.
  • the connection request also includes an identifier which uniquely identifies the initiating user to the enterprise (e.g. the initiating user's enterprise e-mail address or username) and the identifier previously received for the receiving user.
  • the proxy server 120 may retain some or all of this information from step 502 in respect of a particular session with the initiating device 302, thereby avoiding the need to it to be sent again at step 508.
  • the proxy server 120 Upon receipt of the connection request, the proxy server 120 registers the request as a pending connection request in associated with the received challenge, and optionally returns an acknowledgement to the initiating device (not shown). Once the connection request has been registered, the proxy server 120 performs a GAL operation to identify all registered devices associated with the receiving user based on their associated identifier (step 510). Typically, the receiving user may be registered with several computing devices, such as a smart phone, a tablet computer and/or a laptop computer, etc. Once the proxy server 120 has identified the computing devices associated with the receiving user, it proceeds to generate and send a push notification identifying the pending connection request (e.g.
  • the devices associated with the receiving user as identified by the proxy server 120 includes receiving device 304.
  • the push notification received by the secure application 305 running on the receiving device 304 includes, for example, a unique identifier for the initiating user (e.g. their enterprise e-mail address or username), their full name and/or their identification photograph, etc.
  • the secure application 305 running on the receiving device 304 displays the information for review by the receiving user. The initiating user reviews the information, for example to confirm that the receiving user matches their identification photograph, and confirms that they wish to proceed with establishment of the secure device-to-device communications channel by entering the challenge agreed between the initiating and receiving parties.
  • the secure application 305 Responsive to input of the challenge agreed between the initiating and receiving parties, the secure application 305 generates and sends a message to the proxy server 120 which includes the challenge using secure communications channel 310 (step 514).
  • the proxy server 120 compares the challenge received from the receiving device at step 514 with the challenge received from the initiating device at step 508 to determine whether they match (step 516). This comparison step ensures that the user of the receiving device 304 is indeed the user with which the challenge was originally agreed, and prevents an unauthorized user in possession of one of the devices identified at step 510 from establishing a device-to-device communication channel without permission.
  • the proxy server 120 determines a match at step 516 it sends an appropriate notification to the secure application 305 running on the receiving device 304 (step 518). Responsive to receipt of this notification, the secure application 305 generates a complementary connection request which is also sent to the proxy server using secure communications channel 310 (step 520).
  • the complementary connection request includes capability information and cryptographic information. As discussed above in relation to Figure 4, the capability information indicates one or more communication technologies or media over which the secure application 305 running on the receiving device 304 is able or willing to establish the device-to-device connection, and appropriate address information.
  • the cryptographic information typically includes a public key of a public-private key pair generated by the secure application 305 running on the receiving device 304 and for use in securing the device-to-device communications channel.
  • the proxy server 120 determines that the secure application 303 running on the initiating device 302 and the secure application 305 running on the receiving device 304 wish to establish a device-to-device communications channel, and proceeds to send appropriate connection data to enable the secure device-to-device communications channel to be established (steps 524 and 526). More specifically, the connection data sent to the secure application 303 running on the initiating device 302 at step 524 includes the addressing information and cryptographic information associated with the receiving device 304, and the connection information sent to the secure application 305 running on the receiving device 304 at step 526 includes the addressing information and cryptographic information associated with the initiating device 302.
  • the secure applications running on each device may display a prompt to their respective users requesting confirmation that they wish to proceed with establishment of a secure device-to-device communications channel in the manner described above in relation to Figure 4.
  • the respective secure applications 303, 305 access the appropriate interfaces (e.g. local interface 216) in the respective devices 302, 304 to establish the connection using the received address data (step 528) and exchange the enterprise data securely using the received cryptographic data (step 530).
  • the secure application 303 running on the initiating device 302 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 305 running on the receiving device 304 (received from the proxy server 120 at step 524), and the secure application 305 running on the receiving device 304 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 303 running on the initiating device 302 (received from the proxy server 120 at step 526).
  • the connection request sent from the secure application 303 running on the initiating device 302 includes an indication of the enterprise data to be sent to the receiving device over the requested secure device-to-device communication channel. Based on this indication, the proxy server 120 is able to determine whether transfer of the enterprise data is allowed, and whether to permit establishment of a secure device-to-device communications channel between the initiating 302 and receiving devices 304. This determination may be delegated to the application server 122, which typically stores and manages access policies in respect of the enterprise data stored in or by the secure applications 303, 305 running on the initiating and receiving devices 302, 304.
  • the proxy server 120 may send a policy query to the application server 122 indicating the identity of the initiating user, the identity of the receiving user, and the enterprise data to be exchanged. If the application server 122 responds by indicating that such an exchange is permitted, the proxy server 120 proceeds to negotiate the device-to-device connection in the manner described above with respect to Figure 4 or Figure 5. Conversely, if the application server 122 responds by indicating that the exchange is not permitted, the proxy server 120 may terminate the negotiation process and inform the secure application 303 running on the initiating device 302 as appropriate.
  • the application server 122 may respond to the policy query from the proxy server 120 by returning one or more rules in respect of the enterprise data to be exchanged.
  • the one or more rules may specify that the exchange between the initiating device 302 and the receiving device 304 is permitted but that the connection must be established within a particular time period (e.g. ten minutes) or using a particular communication interface or medium (e.g. BluetoothTM).
  • the one or more rules may specify restrictions on the use of the enterprise data once received by the receiving device 304.
  • the one or more rules may specify that the enterprise data may be displayed by the secure application 305 running on the receiving device 304, but that is not permitted to edit, print, copy or send the enterprise data to a further user.
  • the proxy server 120 will include the rules, or a subset thereof, in the connection data that it sends to the secure applications 303, 305 (e.g. steps 424 and/or 426 of Figure 4 and steps 524 and/or 526 of Figure 5).
  • the secure applications 303, 305 are configured to enforce any rules received in the connection data from the proxy server 120 to ensure that the enterprise data is managed in accordance with the policies maintained by the application server 122.
  • the application server 122 may be configured to keep a record (e.g. in a database) of which secure applications have received the enterprise data and, if a respective policy is changed or updated by an administrator, to push any new or modified rules to those secure applications.
  • a record e.g. in a database
  • the applications server 122 may track the dissemination of the enterprise data and ensure that it is managed according to policy on all relevant devices.
  • Figure 6 shows a method 600 performed by the secure application 303 running on initiating device 302 for initiating a secure device-to-device communications channel between with the receiving device 304 according to an embodiment.
  • the secure application 303 receives the identifier associated with the receiving user and sends a lookup request including the identifier to the proxy server 120 over the secure communications channel 308 (step 602).
  • the secure application 303 receives information associated with the receiving user from the proxy server 120 and displays it to the initiating user for confirmation (step 604).
  • the secure application 303 receives an input from the initiating user as to whether they wish to proceed with establishing the secure device-to-device communication channel (step 606). If the input indicates that the initiating user wishes to terminate the connection request ("no" at step 606) the method is terminated. Conversely, if the input indicates that the initiating user wishes to proceed with the connection request ("yes" at step 606), the secure application 303 proceeds to determine which interfaces are available for establishment of the device-to-device communications channel (step 608). As discussed above, such a determination may involve aspects of the operating system running on the initiating device, and/or may involve displaying a list of available interfaces for selection by the initiating user.
  • the secure application generates a connection request, including capability data and cryptographic data in the manner described above with reference to Figures 4 and 5, and sends the connection request to the proxy server 120 over the secure communication channel 308 (step 610).
  • the connection request generated at step 610 will indicate whether the device-to-device communications channel is to be established according to the "receptive mode" or "challenge mode” methods discussed above with reference to Figures 4 and 5, and, in the latter case, the connection request will include the challenge agreed between the initiating and receiving users.
  • the secure application 303 receives, from the proxy server 120, the connection data associated with the receiving device 304 (step 612) and, if the connection data associated with the receiving device 304 indicates several available or acceptable interfaces for establishment of the device-to-device communications channel, the secure application 303 displays a list of the interfaces to the initiating user for selection (step 614). Once the interface for the device-to-device communications channel has been selected or otherwise determined, the secure application 303 establishes a secure device-to- device communication channel with the secure application 305 running on the receiving device 304 using the received connection data (step 614), and proceeds to send the enterprise data over the established device-to-device connection in encrypted format (step 616). Once the enterprise data has been sent, the secure device-to-device communications channel may be terminated immediately, or after a predetermined time period.
  • FIG. 7 shows a method 700 performed by the proxy server 120 for negotiating a secure device-to-device communications channel between the initiating device 302 and the receiving device 304 according to an embodiment.
  • the proxy server 120 receives a lookup request from the secure application 303 running on the initiating device 302 and, in response, the proxy server 120 retrieves information regarding the receiving user (step 702) which it returns to the secure application 303 over the secure communications channel 308 (step 704). If the initiating user decides to proceed with the connection request based on the information regarding the receiving user, the proxy server receives a connection request from the secure application 303 running on the initiating device 302 (step 706).
  • the proxy server 120 Responsive to receipt of the connection request, the proxy server 120 registers a pending connection request and performs one or more checks to determine whether the requested connection is permitted, as discussed above with reference to Figures 4 and 5 (step 708). Next, the proxy server 120 determines whether the device-to-device communications channel is to be established according to the "receptive mode" or "challenge mode" methods discussed above with reference to Figures 4 and 5 (step 710). For example, the proxy server 120 may determine whether the connection request received at step 706 includes a challenge (agreed by the initiating user and receiving user), thus indicating that the "challenge mode" is to be followed.
  • the proxy server waits to receive a lookup request from the secure application 305 running on the receiving device 304 and, on receipt of the connection request, retrieves the information regarding the initiating user (step 712) and returns it to the secure application 305 (step 714).
  • the proxy server 120 receives the complementary connection request from the secure application 305 running on the receiving device (step 716) and, based on the included capability data, determines one or more common communication interfaces for establishing the device-to- device communications channels (step 718).
  • the proxy server 120 generates and sends connection data necessary to establish the secure device-to-device communications channel to the secure applications 303, 305 in the manner described above with reference to Figures 4 and 5 (step 720).
  • the proxy server proceeds to perform a lookup operation to identify one or more devices associated with the receiving user (step 722).
  • the proxy server 120 generates and sends a push notification to the secure applications running on each of the identified devices (step 724).
  • the proxy server 120 receives a response including a challenge from the secure application 305 running on the receiving device 304 (step 726) and compares the challenge to the challenge received in the connection request from the secure application 303 running on the initiating device 302 at step 706.
  • the proxy server 120 sends confirmation to the secure application 305 running on the receiving device 304 (step 730) and subsequently receives the complementary connection request from the secure application 305 (step 716); the method then proceeds according to steps 718 and 720 as described above in relation to the "receptive mode".
  • GUIs Graphical User Interfaces
  • the one or more GUIs provide functionality that enables the secure applications 303, 305 to display information and prompts to the users, and also to receive user input via the screen 202 (in the case of a touchscreen), a keyboard or other suitable input device.
  • the secure applications 303, 305 may interact with the users using a voice or audio based interface, using techniques which are known in the art.
  • an embodiment of a computer program product includes a computer useable storage medium to store a computer readable program that, when executed on a computing device, causes the computing device to perform operations, as described hereinbefore.
  • embodiments of the invention can be embodied in the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computing device or any instruction execution system.
  • a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
  • the apparatus may be a transitory or a non- transitory computer-readable medium.
  • the computer-useable or computer-readable medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device), or a propagation medium.
  • Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk, and an optical disk. Current examples of optical disks include a compact disk with read only memory (CD-ROM), a compact disk with read/write (CD-R/W), and a digital versatile disk (DVD).
  • Embodiments of the proxy server 120 described above with reference to Figures 1 to 7 is typically performed by a computer that executes computer readable instructions.
  • Figure 8 depicts schematically an example of a suitable computer 800 that includes a processor 802, a memory 804, a storage device 806 and a network interface 808.
  • the processor 802 may include a multifunction processor and/or an application-specific processor, examples of which include the PowerPCTM family of processors by IBMTM and the x86 and x86-64 family of processors by IntelTM.
  • the memory 804 within the computer is typically RAM and storage device 806 is typically a large capacity permanent storage device such as a magnetic hard disk drive or solid state memory device.
  • the network interface 808 enables communications with other computers in a network using as suitable protocol, such as the Internet Protocol (IP) and the processor 802 executes computer readable instructions stored in storage 806 to implement embodiments of the invention as described hereinbefore.
  • IP Internet Protocol
  • the embodiments described hereinbefore relate to secure device-to-device communication channel for exchange of enterprise data from an initiating device to a receiving device
  • the established communications channel may also be used to provide secure access to one or more services hosted by the secure applications running on the devices.
  • the above embodiments are not restricted to a particular type of enterprise data but instead encompass any type of data or service provided or managed by the secure applications.
  • FIG. 1 relates to a secure communications channel established between an initiating device and a receiving device (i.e. in a client-server arrangement), it will be understood that further embodiments may invoice more than two devices.
  • further embodiments may relate to an initiating device establishing several secure device-to-device communication channels to several respective receiving devices, for example, to implement a peer-to-peer network or Personal Area Network (PAN).
  • PAN Personal Area Network
  • secure communication channels may be established using HTTPS over TCP and/or SSL or other secure protocols that are known in the art.
  • proprietary protocols may be used, such as the Good Relay Protocol (GRP) developed by Good TechnologyTM of Sunnyvale, California, United States.
  • GRP Good Relay Protocol
  • proxy server 120 in the embodiments described hereinbefore may also be provided by one or more of the other servers in the NOC 112 and/or the enterprise network 116.
  • some of the functionality provided by the proxy server 120 may be delegated to a server in the NOC 112. Such delegation may be advantageous in situations where it is deemed unnecessary to check user permissions (e.g. by reference to the application server 122), thereby obviating the need to route connection requests via the enterprise network 116 and enabling the device-to-device communication channel to be negotiated with minimal time delay.
  • embodiments of the present invention are widely applicable to many scenarios where two or more users establish a secure device-to-device communications channel to exchange data or services.
  • the methods described above may be used to establish a secure communications channel between devices of users associated with different enterprises; in this case, the functionality relating to the negotiation of secure device-to-device communications described above may be provided by the NOC 112, as described above, or by another server.
  • NOC 112 the functionality relating to the negotiation of secure device-to-device communications described above
  • a secure communications channel may be used to transmit data in the discovery and/or delegation of services in systems in which services are delegated from an application on one device to an application on another device, for example as described in WO2014/014879.
  • a document viewing application on one device may delegate printing of a document to a printing application on another device; an application cryptography may provide a service for decrypting data (or example, e-mail data) on behalf of another application (for example, an e-mail application); or an application on one device may delegate a document or video viewing service to an application on one or more other devices, in order to share information with the user or users of same.
  • a communications channel may be established according to the challenge mode described above, in order that services available for delegation by an application on one device may be discovered by an application on another device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Communication Control (AREA)

Abstract

A method and system for negotiating a secure device-to-device communications channel between a first computing device and a second computing device, wherein the first computing device is associated with a first user and the second computing device is associated with a second user. The method comprises receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with the first computing device, the first connection request being received over a first secure communications channel, and receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with the second computing device, the second connection request being received over a second secure communications channel. After receipt of the first and second connection requests, the server determines, on the basis of an identity of the first user and an identity of the second user, whether the secure device-to-device communication channel is permitted and, if permitted, sends, from the server, first connection data to the first computing device over the first secure communications channel, and second connection data to the second computing device over the second secure communications channel. In order to facilitate establishment of the secure device-to-device communications channel, the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key.

Description

SECURE COMMUNICATION CHANNELS
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority under 35 U.S.C. § 119(a) to U.K. Application No. GB1322032.2, filed on December 12, 2013, and U.K. Application No. GB1322033.0, filed on December 12, 2013, the entire contents of each of which are hereby incorporated by reference.
BACKGROUND OF THE INVENTION
Field of the Invention
[0002] The present invention relates to methods and apparatus for negotiating a secure device-to-device communication channel.
Description of the Related Technolo y
[0003] Secure platforms provide an architecture for deployment and management of secure applications running on computing devices. A secure application enables an enterprise to deploy sensitive data to the respective computing device, and to remotely manage the sensitive data in a secure manner. For example, such management may include remote deletion of the sensitive data in the event that the computing device is compromised or in the event that the user of the computing device leaves the employment of the enterprise.
[0004] Typically, the secure application also provides secure access to data and services provided by an enterprise network, such as enterprise e-mail services for storing, sending and receiving e-mail; enterprise file sharing services for storing and retrieving files; enterprise database services for accessing and modifying an enterprise database; enterprise Personal Information Management (PEVI) services for accessing and modifying personal information such as contact lists, calendars and task lists; and other services including enterprise resource planning, customer relationship management, field/support force automation, and consumer data content storage, etc.
[0005] At least some of the data managed by the secure application running on the mobile device is stored in encrypted format. The data maybe encrypted using methods as known in the art. For example, the encryption may employ "containerisation", according to which the data is encrypted and "wrapped" in a container to which various access policies can be applied to control which users can access the data within the container. The access policies can for example be determined and varied if desired by a remote user, such as an administrator of an enterprise network.
[0006] An example of a secure platform which employs secure applications in this manner is the Good Dynamics™ mobile platform developed by Good Technology™ of Sunnyvale, California, United States.
SUMMARY
[0007] A first aspect provides a method of negotiating a secure device-to-device communications channel between a first computing device and a second computing device the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising: receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel; receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determining, on the basis of an identity of the first user and an identity of the second user, that the secure device-to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted: sending, from the server, first connection data to the first computing device over the first secure communications channel; and sending, from the server, second connection data to the second computing device over the second secure communications channel; wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device. Thus, according to this first aspect, the address data and the cryptographic keys necessary to establish the secure device-to-device communication channel are exchanged "out of band" using pre-established secure communications channels, thereby obviating the need to negotiate the secure device-to-device connection over a potentially insecure and untrusted communications channel. Once this first connection data and the second connection data has been exchanged between the devices according to the first aspect, a direct secure device-to-device communications channel between the first computing device and the second computing device can be established.
[0008] This enables the server to enforce user polices on the secure device-to-device communications channel based on the users associated with the first and second computing devices. For example, the server may retrieve permission data associated with the first user and the second user, and the determination that the secure device-to-device communications channel between the first computing device and the second computing device is permitted may be based on the retrieved permission data.
[0009] In some embodiments, the first connection request comprises an indication of the second user, and the method comprises, responsive to receipt of the first connection request, sending a connection notification indicative of a pending connection request to one or more computing devices associated with the second user, wherein the one or more computing devices includes the second computing device. In this manner, the first user can ensure that the connection request is sent to the second computing device based on an identifier associated with the second user. For example, the method may comprise determining the one or more computing devices associated with the second user using the indication of the second user in the first connection request. In some embodiments, the second connection request is sent to the server by the second computing device responsive to receipt of the connection notification at the second computing device.
[0010] In some embodiments, the first connection request comprises a first session identifier and the second connection request includes a second session identifier, and wherein the sending of the first connection data and the sending of the second connection data is conditional on the first session identifier corresponding to the second session identifier. In this manner, the identity of the first and second computing devices can be authenticated. For example, the first session identifier and the second session identifier may correspond to a user identity associated with the first computing device or the second computing device. Alternatively, the first session identifier and the second session identifier may correspond to a predetermined challenge exchanged between the first computing device and the second computing device prior to receipt of the first connection request and the second connection request. [0011] In some embodiments, the first connection request indicates an intended use of the secure device-to-device communications channel. This enables the server to enforce usage policies on the secure device-to-device communications channel based on the intended use. For example, the first connection request may identify data to be transferred from the first computing device to the second computing device using the secure device-to-device communications channel. Alternatively or additionally, the first connection request may indicate a specified service running on the first computing device to be shared with the second computing device using the secure device-to-device communications channel. Thus, according to these embodiments, sending the first connection data and the second connection data may be dependent on a determination that the secure device-to-device communications channel is permitted on the basis of the intended use of the secure device-to-device communications channel.
[0012] In some embodiments, the first connection request indicates a communications medium for establishment of the secure device-to-device communications channel. For example, the communications medium may be Bluetooth™, a local area network, Near Field Communication (NFC), or Wi-Fi™. Moreover, in some embodiments, the communications medium for establishment of the secure device-to-device communications channel is different from the communications medium associated with the first secure communications channel and the communications medium associated with the second secure communications channel.
[0013] In some embodiments the first computing device and the second computing device are authenticated by the server.
[0014] In some embodiments the computing device is a portable computing device.
[0015] A second aspect provides a server system for negotiating a secure device-to- device communications channel between a first computing device and a second computing device the first computing device being associated with a first user and the second computing device being associated with a second user, wherein the server system is configured to: receive a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel; receive a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determine, on the basis of an identity of the first user and an identity of the second user, that the secure device- to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted: send first connection data to the first computing device over the first secure communications channel; and send second connection data to the second computing device over the second secure communications channel; wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device.
[0016] A third aspect provides a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method for negotiating a secure device-to-device communications channel between a first computing device and a second computing device the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising: receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel; receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determine, on the basis of an identity of the first user and an identity of the second user, that the secure device- to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted: sending, from the server, first connection data to the first computing device over the first secure communications channel; and sending, from the server, second connection data to the second computing device over the second secure communications channel; wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device. [0017] A fourth aspect provides method of initiating a secure device-to-device communications channel between a first computing device and a second computing device, the method comprising: sending, to a server from a first computing device, a connection request comprising a first cryptographic key and first address data associated with the first computing device, the connection request being sent over a first secure communications channel; receiving, at the first computing over the first secure communications channel, connection data associated with a second computing device, the connection data comprising permission data, second address data and a second cryptographic key; establishing a secure device-to-device communications channel with the second computing device using the connection data; and selectively transmitting the application data to the second computing device over the secure device-to- device communications channel based on the permission data. Thus, according to this first aspect, the address data and the cryptographic keys necessary to establish the secure device-to- device communication channel are exchanged "out of band" using pre-established secure communications channels, thereby obviating the need to negotiate the secure device-to-device connection over a potentially insecure and untrusted communications channel.
[0018] In some embodiments, the method comprises receiving, at the first computing device, a connection notification indicative of a pending connection request from the second computing device, and sending of the first connection request is responsive to receipt of the connection notification at the first computing device.
[0019] In some embodiments, the first connection request comprises an indication of a second user associated with the second computing device. In this manner, the identity of the first and second computing devices can be authenticated.
[0020] In some embodiments, the first connection request comprises a first session identifier. In this manner, the identity of the first and second computing devices can be authenticated. For example, the session identifier corresponds to a user identity associated with the first computing device or the second computing device. Alternatively, the session identifier may correspond to a predetermined challenge exchanged between the first computing device and the second computing device prior to sending of the first connection request.
[0021] In some embodiments, the connection request indicates an intended use of the secure device-to-device communications channel. This enables the server to enforce usage policies on the secure device-to-device communications channel based on the intended use. For example, the connection request may identify data to be transferred from the first computing device to the second computing device using the secure device-to-device communications channel. Alternatively or additionally the connection request may indicate a specified service running on the first computing device to be shared with the second computing device using the secure device-to-device communications channel. Thus, according to these embodiments, sending the first connection data and the second connection data may be dependent on a determination that the secure device-to-device communications channel is permitted on the basis of the intended use of the secure device-to-device communications channel.
[0022] In some embodiments, the connection request indicates a communications medium for establishment of the secure device-to-device communications channel. For example, the communications medium may be Bluetooth™, a local area network, Near Field Communication (NFC) or Wi-Fi™.
[0023] In some embodiments, the first computing device comprises a secure application and the secure device-to-device communications channel is established between the secure application and the second computing device. The secure application may control data transmitted over the secure device-to-device communications channel. In this manner, the secure application can enforce polices related to the use of the secure device-to-device communications channel.
[0024] In some embodiments, the first and second computing devices are portable computing devices.
[0025] A fifth aspect provides a computing device for secure management of application data, the computing device being provided with a secure application for controlling transmission of the application data over a secure device-to-device communications channel, wherein the secure application is configured to: establish a first secure communications channel to a server; send, to the server, a connection request comprising a cryptographic key and address data associated with the computing device, the connection request being sent over the first secure communications channel; receiving, from the server, connection data comprising permission data and address data and a cryptographic key associated with a recipient computing device, the connection data being received over the first secure communications channel; establish a secure device-to-device communications channel with the recipient computing device using the connection data; and selectively transmit the application data to the recipient computing device over the secure device-to-device communications channel based on the permission data.
[0026] In this manner, the secure application can enforce polices related to the use of the secure device-to-device communications channel as specified by the permission data provided by the server.
[0027] In some embodiments the secure application stores the application data in a secure container on the computing device.
[0028] In some embodiments, the application data relates to a service provided by the secure application.
[0029] In some embodiments, the computing device is a portable computing device.
[0030] A sixth aspect provides a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method for initiating a secure device-to-device communications channel between a first computing device and a second computing device, the method comprising: sending, to a server from a first computing device, a connection request comprising a first cryptographic key and first address data associated with the first computing device, the connection request being sent over a first secure communications channel; receiving, at the first computing over the first secure communications channel, connection data associated with a second computing device, the connection data comprising permission data, second address data and a second cryptographic key; establishing a secure device-to-device communications channel with the second computing device using the connection data; and selectively transmitting the application data to the second computing device over the secure device-to- device communications channel based on the permission data.
[0031] Further features and advantages of the invention will become apparent from the following description of preferred embodiments of the invention, given by way of example only, which is made with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0032] Figure 1 is a schematic diagram showing a system for negotiating a secure device- to-device communications channel between a first computing device and a second computing device according to an embodiment. [0033] Figure 2 is a schematic diagram showing a portable computing device according to an embodiment.
[0034] Figure 3 is a schematic diagram showing the high-level data exchanges involved in establishment of a secure device-to-device connection between a first computing device and a second computing device according to an embodiment.
[0035] Figure 4 is a signaling diagram showing a method of negotiating a device-to- device communications channel between a first computing device and a second computing device according to a "receptive mode" embodiment.
[0036] Figure 5 is a signaling diagram showing a method of negotiating a device-to- device communications channel between a first computing device and a second computing device according to a "challenge mode" embodiment.
[0037] Figure 6 is a flow diagram showing a method performed by a computing device of initiating a device-to-device communications channel between the computing device and a further computing device according to an embodiment.
[0038] Figure 7 is a flow diagram showing a method performed by a server for negotiating a device-to-device communications channel between a first computing device and a second computing device according to an embodiment.
[0039] Figure 8 is a schematic diagram showing a proxy server according to an embodiment.
DETAILED DESCRIPTION OF CERTAIN INVENTIVE EMBODIMENTS
[0040] In some situations, a user may wish to securely share or distribute sensitive data managed by a secure application configured on their computing device with the one or more parties located in the vicinity of the user. For example, the user may wish to share a confidential presentation, stored or managed by the secure application, with one or more participants in a meeting or seminar. Thus, in order to minimize the risk that the data may be intercepted or otherwise obtained by an unauthorized party, the user may wish to ensure that the sensitive data does not "leave" a particular domain, such as a particular meeting room, a particular building, or a particular corporate computer network. In such circumstances, it is desirable to establish a device-to-device communications channel (i.e. a device-to-device connection) between the user's device and the devices belonging to the one or more parties, such that the sensitive data can be exchanged locally and without leaving the particular domain in question.
[0041] In this context, a device-to-device communications channel is a communication channel which is established between two devices which are directly addressable with respect to each other. For example, a device-to-device communications channel may be established over Local Area Network (LAN) by using the private Internet Protocol (IP) addresses (i.e. a routable IP address) assigned to the respective computing devices. In contrast, a device-to-device communications channel may in some circumstances be undesirable in situations where one or both of the computing devices is "hidden" behind a network appliance, such as a Network Address Translator (NAT), and thus may not be associated with a routable IP address.
[0042] A device-to-device communications channel can be further characterized as either a "direct" device-to-device communications channel, where data is exchanged directly between the parties without involvement of a third party, or an "indirect" device-to-device communications channel where data is exchanged via a third party.
[0043] Examples of technologies suitable for establishing a direct device-to-device communications channel are Bluetooth™, NFC, Wi-Fi Direct™, Infrared (e.g. IrDA™), and the proposed device-to-device (D2D) protocols for the Long Term Evolution (LTE) mobile communications standard. Similarly, a direct device-to-device communications channel may be established using an ad-hoc wireless network based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (Wi-Fi™). According to each of these technologies, transmission of the data is restricted to a geographical domain associated with the physical capabilities of the respective interface (i.e. the wireless range of the computing devices party to the connection). Use of a direct device-to-device communications channel may be preferred in situations where the party initiating the communications channel desires some certainty with respect to the physical domain over which the associated data will be transmitted.
[0044] Examples of indirect device-to-device communications channels are communications channels established over a private network, such as a Local Area Network (LAN) or a Wireless Local Area Network (WLAN) based on Wi-Fi™, according to which data is transmitted via one or more third parties (e.g. a wireless access point and/or a network switch). According to these technologies, transmission of the data may be restricted to the geographical domain associated with the physical extent of the private network, and is not necessarily restricted by the capabilities of the computing devices themselves. Use of an indirect device-to- device communications channel may be preferred in situations where the parties involved are relatively remote (e.g. located in different rooms of a particular building) but the party initiating the communications channel desires to restrict the domain over with the associated data will be transmitted to a private network or similar.
[0045] The data to be shared or distributed via the device-to-device communications channel may be the property of an enterprise or an organization, and may therefore relate to confidential business information (hereinafter termed "enterprise data"). It is therefore desirable to ensure that this enterprise data is shared in a secure manner and that safeguards are employed to prevent the enterprise data from being shared with an unauthorized party or a compromised device. From this perspective, establishment of the device-to-device connection involves a number of considerations: (i) the user or users with which the enterprise data is to be shared must be authenticated by the enterprise and their associated computing devices must be uncompromised; (ii) users must be restricted to only sharing enterprise data that they are permitted to share and the enterprise data should only be shared with parties who are permitted to receive the data; and (iii) the device-to-device communications channel used to exchange the enterprise data must be secured (ei.ge. encrypted) to prevent third parties from intercepting the enterprise data in transit. In other words, the device-to-device communications channel must be a secure device-to-device communications channel.
[0046] An example of a system 100 for negotiating a secure device-to-device communications channel according to an embodiment is shown schematically in Figure 1. The system includes a first computing device 102 and a second computing device 104 which are connected to a private network 106 which in turn provides access to a communications network 110. The communications network 110 may, for example, be or include the Internet, a Public Land Mobile Network (PLMN) and/or a Public Switched Telephone Network (PSTN). The private network 106 may for example be or include a Local Area Network (LAN) and/or a Wireless Local Area Network (WLAN) which interfaces with the communications network 106 via a router 108. In alternative embodiments, one or both of the first and second computing devices 102, 104 may access the communications network 110 using one or more of a number of radio access technologies (not shown) including, for example, Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS) and Long Term Evolution (LTE).
[0047] The first and second computing devices 102, 104 are configured with respective secure applications 103, 105, which are configured to securely manage enterprise data and to provide secure and authenticated access to one or more services provided by an enterprise network 116. In turn, the enterprise network 116 comprises a plurality of enterprise servers, such as a control server 118, a proxy server 120, and an application server 122.
[0048] The control server 118 provides functionality for provisioning and management of the secure applications 103, 105 running on the first and second computing devices 102, 104 respectively. Typically, the control server 118 is configured to authenticate the users of the first and second computing devices 102, 104 prior to provisioning the secure applications 103, 105. Similarly, the provisioning process may require the users of the computing devices 102, 104 to set a password (i.e. a secret) which is securely stored in the secure applications 103, 105 and used to authenticate the users when subsequently accessing or running the secure applications 103, 105. The control server 118 may also be configured to provide remote management of the secure applications 103, 105, such as remote locking or remote deletion of the enterprise data in the event that the associated computing device 102, 104 has been compromised in some way (e.g. stolen).
[0049] The application server 122 provides services and data to the secure applications 103, 105 running on the first and second computing devices 102, 104. For example, the application server 122 may be an enterprise document management server which provides the users with secure access to documents, such as product specifications, financial statements and/or sales presentations, etc. In this example, the secure applications 103, 105 are configured to securely access the application server 122 to retrieve the documents which may then be securely stored locally in the computing devices 102, 104 and managed by the secure applications 103, 105.
[0050] The proxy server 120 provides secure and authenticated access to the application server 122 from the secure applications 103, 105 running on computing devices 102, 104. To access the application server 122, the secure applications 103, 105 typically establish a secure communication channel with the proxy server 120, which in turn only allows the secure applications 103, 105 to access the application server 122 if permission to do so has been granted by an administrator.
[0051] Access to the enterprise network 116 is monitored and controlled by a Network Operations Centre (NOC) 112 and a firewall 114. The NOC 112 monitors incoming requests to access services provided by the enterprise network 116 and controls access to the enterprise using the firewall 114. The NOC 112 comprises a relay server 124 and a push server 126.
[0052] The relay server 124 facilitates establishment of secure and authenticated communication channels between the secure applications 103, 105 and the proxy server 120 over the communications network 110. The secure communications channels between the secure applications 103, 105 and the proxy server 120 are typically used to access services and data provided, for example, by the application server 122 as discussed above. Authentication of the client devices 102, 104 and/or the respective secure applications 103, 105 is typically performed using a network authentication protocol, such as the Kerberos™ protocol developed by the Massachusetts Institute of Technology, Cambridge, Massachusetts, United States.
[0053] The push server 126 maintains an "always on" connection to the secure applications 103, 105 for delivery of push notifications to the computing devices 102, 104 on behalf of the enterprise servers 118, 120, 122. For example, the push server 126 may deliver push notifications to the secure applications 103, 105 to notify them of new data available via the application server 122 or new a new e-mail message received at an enterprise e-mail server (not shown).
[0054] Typically, the first and second computing devices 102, 104 take the form of a portable computing device or a non-portable computing device, such as a desktop computer. An example of a portable computing device 200 according to an embodiment is shown schematically in Figure 2. The portable computing device 200 may, for example, take the form of a smart phone, a personal digital assistance (PDA), a tablet computer or a notebook computer, etc. The portable computing device 200 includes a screen 202, which may be a touch screen for receipt of input from a user. Alternatively or additionally, the portable computing device 200 may include a physical keyboard (not shown), which may be integral to the portable computing device 200 or connected wirelessly or by wired connection to the portable computing device 200. The computing device further includes a processor 204, a non-volatile storage device 206 (such as a hard disk drive or a solid-state drive) and a random access memory (RAM) 208. The processor executes instructions stored in the random access memory 208 that have been loaded from the non-volatile storage device 206. These instructions are in the form of one or more programs that implement an operating system (not shown) and a secure application 210. The random access memory 208 is also used by programs running on the processor 204 as a means of storing and accessing data in the form of electronic signals where the data is used during the execution of the programs. The operating system provides a file system for storing, modifying and accessing files held in the non-volatile storage device 206. The file system may be accessible to other programs running on the processor 204 via the operating system. Programs running on the processor 204 also process user input obtained via the screen 202 or keyboard (not shown), etc.
[0055] The portable computing device 200 also includes a network interface 214 (or a plurality of network interfaces) which allows programs running on the processor 204 to transmit and receive data to and from other devices and/or servers via a communications, using wired and/or wireless connections. Typically, the network interface 214 is implemented in a combination of software and hardware (e.g. a network interface controller) to provide the necessary network connectivity to the programs running on the processor 204. Examples of network interface 214 include a Wi-Fi™ interface and/or a cellular radio interface utilizing standards such as GSM, UMTS and/or LTE.
[0056] In some embodiments, the portable computing device 200 also includes a local communication interface 216 (or a plurality of local communication interfaces) for establishing direct device-to-device communication channels with other computing devices in the vicinity of portable computing device 200. Examples of local communication interfaces include Bluetooth™, IrDA™ and NFC, etc.
[0057] The secure application 210 manages enterprise data 212 stored in encrypted form in the storage device 206. For example, the enterprise data 212 may be encrypted and "wrapped" in a data container to which various access policies can be applied by the secure application 210 to control which users and/or applications can access the enterprise data and how the enterprise data can be used. Typically, the access policies may be stored locally on the portable computing device 200, remotely in the application server 122, or distributed between the two. The access policies can for example be determined, and varied if desired, by an administrator of the enterprise network 116. The secure application 210 is configured to utilize the network interface 214 to establish secure connections with the various servers in the NOC 112 and the enterprise network 116 in the manner described above with reference to Figure 1. The secure application is also able to access the network interface 214 and/or local interface 216 to establish one or more secure device-to-device connections with other computing devices in the vicinity of the portable computing device 200, as will now be described.
[0058] Figure 3 shows schematically the high-level data exchanges involved in establishment of a secure device-to-device connection between a first computing device 302 (hereinafter termed the "initiating device") and a second computing device 304 (hereinafter termed the "receiving device") according to an embodiment. Typically, the first and second computing devices 302, 304 are portable computing devices of the type described above with reference to Figure 2, but it will be understood that the one or both of the computing devices 302, 304 may be a non-portable computing device, such as a desktop computer. Specifically, the user of the initiating device 302 (hereinafter termed "initiating user") wishes to send enterprise data, such as a confidential presentation, to a user of the receiving device 304 (hereinafter termed "receiving user") a using a secure device-to-device communication channel. In this example, the initiating device 302 and the receiving device 304 are in relatively close proximity to each other (e.g. the same room 306). The initiating user and receiving user are trusted by the enterprise network 116 (e.g. an employee, trusted client or trusted supplier) and their respective computing devices 302, 304 have been provisioned with secure applications 303, 305 which have been authenticated by the NOC 112 in the manner described above with reference to Figure 1.
[0059] In order to secure the device-to-device communications channel between the initiating device 302 and the receiving device 304, thereby preventing unauthorized interception of the enterprise data, public -private key cryptographic techniques are utilized. Thus, in order to secure the device-to-device communications channel, the secure application 303 running on the initiating device 302 and the secure application 305 running on the receiving device 304 must exchange their respective a public keys in a secure manner which is resistant to so called "man- in-the-middle attacks". Typically, the public -private key pairs for the computing devices 302, 304 are generated by the secure applications 303, 305 on a per-connection basis, thus preventing reuse to previously generated key pairs by unauthorized third parties. In order to establish the device-to-device communications channel, the secure application 303 running on the initiating device 302 requires address information for the receiving device 304, and the secure application 305 running on the receiving device 304 requires address information for the initiating device 302. For example, where the device-to-device communications channel is to be established over a LAN or WAN, the address information for the initiating device 302 and the receiving device 304 typically includes the IP address and a port number for the respective devices 302, 304. Similarly, where the device-to-device communications channel is to be established over Bluetooth™ the address information typically includes the 48-bit Bluetooth™ device address assigned to the respective devices 302, 304. Exchange of the public key information and address information of the respective devices is facilitated by the NOC 112 and the proxy server 120 as will now be described.
[0060] To achieve the exchange of address data and public key data, the secure applications 303, 305 running on the initiating device 302 and the receiving device 304 send their associated public key and address information to the proxy server using respective communication channels 308, 310. Communication channels 308, 310 are pre-established via the NOC 112 in the manner described above and are therefore authenticated and secure. Upon receipt of the public keys and address information from the initiating and receiving devices 302, 304, the proxy server 120 determines whether the computing devices 302, 304 are permitted to establish a secure device-to-device communications session. For example, the proxy server 120 may query a Global Address List (GAL) and/or a policy database 316 to determine whether the initiating user and the receiving user are permitted to establish the device-to-device communications channel and any restrictions on the data that is permitted to be exchanged (e.g. file type, file name, etc.). In some embodiments, the proxy server 120 may delegate this determination to the application server 122 associated with the secure applications 303, 305 running on the computing devices 302, 304 using communication channel 312. If it is determined that a secure device-to-device communication channel between the secure applications 303, 305 running on the computing devices 302, 304 is permitted, the proxy server 120 proceeds to send the public key data and address data for the initiating device 302 to the receiving device 304 over secure communication channel 310, and to send the public key data and address data for the receiving device 304 to the initiating device 302 over secure communication channel 308. Once this has data exchange has been completed, the secure applications 303, 305 use the received public key data and address data of the counterpart computing device to establish a secure device-to-device communication channel 314 for sending the enterprise information. This process is referred to herein as negotiation of a device-to-device communication channel.
[0061] It will be appreciated that negotiation of the device-to-device communication channel in this manner ensures that the public key data and the address data for the computing devices 302, 304 is exchanged over secure and authenticated communication channels established with the NOC 112 and the proxy server 120. Thus, it is not necessary to send information directly between the initiating device 302 and the receiving device 304 using an insecure communications channel, thereby avoiding the inherent security vulnerabilities associated with key exchange methods such as the Diffie-Hellman key exchange algorithm employed by some versions of the Bluetooth™ in its Secure Simple Pairing (SSP) process.
[0062] Figure 4 is a signaling diagram showing a method 400 for negotiating a secure device-to-device communication channel between the secure applications 303, 305 running on the initiating device 302 and the receiving device 304 according to an embodiment. Specifically, the method of Figure 4 is an example of a "receptive mode" for establishing a device-to-device connection between the computing devices 302, 304 shown in Figure 3.
[0063] Before initiating the device-to-device communications channel, the initiating user informs the receiving user that they wish to share enterprise data, such as a confidential presentation. If the receiving user agrees to receive the confidential presentation, they provide the initiating user with an identifier which uniquely identifies the receiving user to the enterprise (e.g. the receiving user's enterprise e-mail address or username). Typically, the receiving user informs the initiating user of the unique identifier verbally, but it will be appreciated that the unique identifier may alternatively be exchanged electronically using a secure Web portal, Instant Messaging, a QR code, or similar.
[0064] Next, the initiating user uses the secure application 303 running on the initiating device 302 to perform a lookup operation using the unique identifier provided by the receiving user. Typically, the secure application 303 running on the initiating device 302 sends a lookup request, including the unique identifier for the receiving user, to the proxy server 120 using secure communication channel 308 (step 402). Upon receipt of the lookup request, the proxy server 120 queries the GAL using the identifier and retrieves information regarding the receiving user (step 404) which it returns to the secure application 303 running on the initiating device 302 over secure communication channel 308 (step 406). The information returned by the proxy server 120 may, for example, include the receiving user's full name, job title and/or identification photograph, etc. Upon receipt of the information relating to the receiving user, the secure application 303 running on the initiating device 302 displays the information for review by the initiating user. The initiating user reviews the information, for example to determine whether the receiving user matches his or her identification photograph, and selects whether they wish to proceed with establishment of the secure device-to-device communications channel.
[0065] If the initiating user confirms that they wish to proceed, the secure application 303 running on the initiating device 304 generates and sends a connection request to the proxy server 120 via secure communications channel 308 (step 408). Typically, this connection request includes capability information and cryptographic information for use in establishing the secure device-to-device communications channel. The capability information indicates one or more communication interfaces or media available to the initiating device 302 for establishing the device-to-device communications channel (e.g. Bluetooth™ and/or NFC etc.) and the associated addressing information as discussed above. This information may be retrieved from an operating system running on the initiating device 302 (e.g. via an Application Programming Interface (API)), or pre-configured within the secure application 303 (e.g. in accordance with a policy set by an administrator of the enterprise network). The cryptographic information typically includes a public key associated with a public -private key pair generated by secure application 303 for the purpose of securing the device-to-device communications channel. As discussed above in relation to Figure 3, the public -private key pair is typically generated on a per-connection basis using a public key algorithm, thereby ensuring that each device-to-device connection is established using a different public-private key pair and preventing potential eavesdropping by unauthorized parties. In some embodiments the connection request also includes an identifier for the initiating user which uniquely identifies them to the enterprise (e.g. the initiating user's enterprise e-mail address or username), together with the identifier for the receiving user. Alternatively or additionally, the proxy server 120 may retain some or all of this information from step 402 in respect of a particular session with the initiating device 302, thereby avoiding the need for the information to be sent again at step 408.
[0066] Upon receipt of the connection request from the secure application 303 running on the initiating device 302, the proxy server 120 registers the request as a pending connection request (step 410) and optionally returns an acknowledgement to the initiating device 302 (step 412). Upon receipt of the acknowledgement, the initiating user informs the receiving user that a connection request is pending and provides the receiving user with the identifier for the initiating user. Next, the receiving user opens the secure application 305 running on the receiving device
304 and performs a lookup operation using the identifier for the initiating user. The secure application 305 sends a lookup request, including the identifier for the initiating user to the proxy server 120 using secure communication channel 310 (step 414). Upon receipt of the lookup request, the proxy server 120 queries the GAL using the identifier and retrieves information regarding the initiating user (step 416) which it returns to the secure application 305 over secure and authenticated communication channel 310 (step 418). The information returned by the proxy server may, for example, include the initiating user's full name, job title and/or identification photograph, etc. Upon receipt of this information, the secure application 305 running on the receiving device 304 displays the information for review by the receiving user. The receiving user reviews the information, for example to determine whether the initiating user matches their identification photograph, and confirms whether they want to proceed with establishment of the secure device-to-device communications channel.
[0067] If the receiving user confirms that they wish to proceed, the secure application
305 generates a complementary connection request which is sent to the proxy server 120 using secure communications channel 310 (step 420). Similar to the connection request sent at step 408, the complementary connection request includes capability information and cryptographic information for the receiving device 304. The capability information indicates one or more communication interfaces or media over which the receiving device is able or willing to establish the device-to-device connection and appropriate addressing information for the indicated interfaces or media as discussed above. The cryptographic information typically includes a public key associated with a public-private key pair generated by secure application 305 for the purpose of securing the device-to-device communications session. As discussed above, the public -private key pair is typically generated by the secure application 305 on a per-connection basis using a public key algorithm. In some embodiments the complementary connection request also includes the identifiers associated with the initiating user and the receiving user, or alternatively, the proxy server 120 may retain some or all of this information from step 414 in respect of a particular session with the receiving device 304, thereby avoiding the need to it to be sent again at step 420.
[0068] Upon receipt of the complementary connection request, the proxy server 120 determines that the initiating device 302 and the receiving device 304 wish to establish a device- to-device communications channel. For example, the proxy server 120 may perform a lookup or correlation operation, based on one or both of the identifiers associated with the initiating and receiving users, to "match" the connection request received from the secure application 303 running on the initiating device 302 with the complementary connection request received from the secure application 305 running on the receiving device 304 (step 422). At this stage, it will be appreciated that the proxy server 120 has determined that the secure applications 303, 305 running on the initiating and receiving devices 302, 304 wish to establish a secure device-to- device communications channel, and is also in receipt of capability information, address information and cryptographic information for both the initiating device 302 and the receiving device 304. Thus, the proxy server 120 proceeds to send appropriate connection data to the secure application 303 running on the initiating device 302 and the secure application 305 running on the receiving device 304 to enable the secure device-to-device communications channel to be established (steps 424 and 426). More specifically, the connection data sent to the initiating device 302 at step 424 includes the addressing information and cryptographic information received from the receiving device 304, and the connection information sent to the receiving device 304 at step 426 includes the addressing information and cryptographic information received from the initiating device 302.
[0069] Where the capability information received at the proxy server 120 from one or both of the initiating device 302 and the receiving device 304 indicate more than one communication interface of medium available for establishing the device-to-device communications channel, the proxy server 120 may be configured to determine one or more "common" communication interfaces which were indicated as available or acceptable to both devices 302, 304. In this case, the connection information sent from the proxy server 120 will only include relevant address information for the determined "common" communication interfaces. For example, if the connection request received from initiating device 302 indicates Bluetooth™ and NFC as available interfaces but the connection request received from the receiving device 304 indicates only Bluetooth™, the connection data sent from the proxy server 120 in steps 424 and 426 will include address information for initiating the secure device-to- device communications channel using Bluetooth™ only. Similarly, where the capability information indicates more than one common communication interfaces, the proxy server 120 may send address information for each of the common interfaces, thereby enabling selection by the initiating and receiving users. In this case, the initiating and receiving users may negotiate which communication interface to use verbally, or a negotiation process may be facilitated electronically by the proxy server 120 over secure and authenticated communication channels 308, 310. In the event that the connection requests from the initiating device 302 and receiving devices 304 do not indicate a common or mutually acceptable communication interface, such that a device-to-device communications channel cannot be established, the proxy server 120 sends a notification to this effect to the secure applications 303, 305 running on the devices 302, 304 (not shown) and the process is terminated.
[0070] Once the connection information has been sent to the initiating and receiving devices 302, 304 at steps 424 and 426 respectively, the secure applications running on each device may display a prompt to their respective users requesting confirmation that they wish to proceed with establishment of a secure device-to-device communications channel. For example, the secure application running on the initiating device 302 may display a prompt such as "Press OK if you wish to proceed with securely sending data "presentation.pptx" to user B using a secure channel established over Bluetooth™", whereas the secure application running on the receiving device 302 may display a prompt such as "Press OK if you wish to proceed with securely receiving data "presentation.pptx" from user B using a secure channel established over Bluetooth™". Once the initiating and receiving users have confirmed that they wish to proceed with establishment of the secure device-to-device communication channel, the respective secure applications 303, 305 access the appropriate interfaces (e.g. local interface 216) in the respective devices 302, 304 to establish the connection using the received address data and to send exchange the enterprise data securely using the received cryptographic data. In other words, the secure application 303 running on the initiating device 302 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 305 running on the receiving device 304 (received from the proxy server 120 at step 424), and the secure application 305 running on the receiving device 304 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 303 running on the initiating device 302 (received from the proxy server 120 at step 426).
[0071] It will be appreciated that all interactions between the initiating device 302 and the proxy server 120, and the receiving device 304 and the proxy server 120, are performed over communication channels 308, 310 (indicated by 432 in Figure 4) which are secured and authenticated (e.g. via the NOC). These interactions are typically performed at least in part of the Internet and utilize the network interfaces 214 of the initiating and receiving devices 302,
304. In contrast, the direct interactions between the initiating device 302 and the receiving device 304 are typically performed over an ad-hoc connection established using the local interfaces 216 of the initiating and receiving devices 302, 304 (indicated by 434 in Figure 4).
[0072] Figure 5 is a signaling diagram showing a method 500 of negotiating a secure device-to-device communication channel between the initiating device 302 and the receiving device 304 according to a further embodiment. Specifically, the method of Figure 5 is an example of a "challenge mode" for establishing a device-to-device connection between the computing devices 302, 304 shown in Figure 3.
[0073] First, the initiating user and the receiving user agree upon a challenge, such as a PIN or password, to identify the request to establish a secure device-to-device communications session. Typically, the challenge is agreed by the initiating and receiving users "out of band" (e.g. by means of a verbal exchange) but in some embodiments the challenge may be exchanged by means of a QR code or similar, using functionality provided by the secure applications 303,
305. In some embodiments, the QR code is also used to send an identifier which uniquely identifies the receiving user to the enterprise (e.g. the receiving user's enterprise e-mail address or username) from the secure application 305 running on the receiving device 304 to the secure application 303 running on the initiating device 302. In further embodiments, the secure application running on the initiating computing device 302 or the receiving computing device 304 may generate the challenge using, for example, a pseudo random number generator, and encode the generated challenge in the QR or similar.
[0074] Once the challenge has been agreed and exchanged, the secure application 303 running on the initiating device 302 generates and sends a lookup request based on the identifier for the receiving user to the proxy server 120 using secure communications channel 308 (step 502). Upon receipt of the lookup request, the proxy server 120 queries the GAL using the identifier and retrieves information regarding the receiving user (step 504), which it returns to the secure application 303 running on the initiating device 302 (step 506). As explained above in relation to the "challenge mode" of Figure 4, the information may, for example, include the receiving user's full name, job title and/or identification photograph, etc. Upon receipt of this information, the secure application 303 running on the initiating device 302 displays the information for review by the initiating user. The initiating user reviews the information, for example to confirm that the receiving user matches their identification photograph, and confirms that they wish to proceed with establishment of the secure device-to-device communications channel.
[0075] Upon receiving confirmation that the initiating user wishes to proceed, the secure application 303 generates and sends a connection request to the proxy server 120 via secure communications channel 308 (step 508). Typically, this connection request includes the challenge agreed between the initiating and receiving users, and capability information and cryptographic information for use in establishing the secure device-to-device communications channel. The capability information indicates one or more communication technologies or media available to the initiating device 302 for establishing the device-to-device communications channel (e.g. Bluetooth™ and/or NFC etc.) and the associated addressing information as discussed above. The cryptographic information typically includes a public key of a public- private key pair generated by secure application running on the initiating device 302 for the purpose of securing the device-to-device communications session. As discussed above in relation to Figures 3 and 4, generally speaking, the public-private key pair is generated on a per- connection basis using a public key algorithm, as is known in the art. In this manner, each device-to-device connection is established using a different public-private key pair, thus preventing eavesdropping by unauthorized parties. In some embodiments the connection request also includes an identifier which uniquely identifies the initiating user to the enterprise (e.g. the initiating user's enterprise e-mail address or username) and the identifier previously received for the receiving user. Alternatively, the proxy server 120 may retain some or all of this information from step 502 in respect of a particular session with the initiating device 302, thereby avoiding the need to it to be sent again at step 508.
[0076] Upon receipt of the connection request, the proxy server 120 registers the request as a pending connection request in associated with the received challenge, and optionally returns an acknowledgement to the initiating device (not shown). Once the connection request has been registered, the proxy server 120 performs a GAL operation to identify all registered devices associated with the receiving user based on their associated identifier (step 510). Typically, the receiving user may be registered with several computing devices, such as a smart phone, a tablet computer and/or a laptop computer, etc. Once the proxy server 120 has identified the computing devices associated with the receiving user, it proceeds to generate and send a push notification identifying the pending connection request (e.g. sent via the push server 126 of the NOC 112) to secure applications installed on each of the identified devices (step 512). In the present example, the devices associated with the receiving user as identified by the proxy server 120 includes receiving device 304. Typically, the push notification received by the secure application 305 running on the receiving device 304 includes, for example, a unique identifier for the initiating user (e.g. their enterprise e-mail address or username), their full name and/or their identification photograph, etc. Upon receipt of the information regarding the initiating user at the receiving device, the secure application 305 running on the receiving device 304 displays the information for review by the receiving user. The initiating user reviews the information, for example to confirm that the receiving user matches their identification photograph, and confirms that they wish to proceed with establishment of the secure device-to-device communications channel by entering the challenge agreed between the initiating and receiving parties.
[0077] Responsive to input of the challenge agreed between the initiating and receiving parties, the secure application 305 generates and sends a message to the proxy server 120 which includes the challenge using secure communications channel 310 (step 514). The proxy server 120 compares the challenge received from the receiving device at step 514 with the challenge received from the initiating device at step 508 to determine whether they match (step 516). This comparison step ensures that the user of the receiving device 304 is indeed the user with which the challenge was originally agreed, and prevents an unauthorized user in possession of one of the devices identified at step 510 from establishing a device-to-device communication channel without permission. If the proxy server 120 determines a match at step 516 it sends an appropriate notification to the secure application 305 running on the receiving device 304 (step 518). Responsive to receipt of this notification, the secure application 305 generates a complementary connection request which is also sent to the proxy server using secure communications channel 310 (step 520). The complementary connection request includes capability information and cryptographic information. As discussed above in relation to Figure 4, the capability information indicates one or more communication technologies or media over which the secure application 305 running on the receiving device 304 is able or willing to establish the device-to-device connection, and appropriate address information. The cryptographic information typically includes a public key of a public-private key pair generated by the secure application 305 running on the receiving device 304 and for use in securing the device-to-device communications channel.
[0078] Upon receipt of the complementary connection request, the proxy server 120 determines that the secure application 303 running on the initiating device 302 and the secure application 305 running on the receiving device 304 wish to establish a device-to-device communications channel, and proceeds to send appropriate connection data to enable the secure device-to-device communications channel to be established (steps 524 and 526). More specifically, the connection data sent to the secure application 303 running on the initiating device 302 at step 524 includes the addressing information and cryptographic information associated with the receiving device 304, and the connection information sent to the secure application 305 running on the receiving device 304 at step 526 includes the addressing information and cryptographic information associated with the initiating device 302.
[0079] Once the connection information has been sent to the initiating and receiving devices 302, 304 at steps 524 and 526 respectively, the secure applications running on each device may display a prompt to their respective users requesting confirmation that they wish to proceed with establishment of a secure device-to-device communications channel in the manner described above in relation to Figure 4. Once the initiating and receiving users have confirmed that they wish to proceed with establishment of the secure device-to-device communication channel, the respective secure applications 303, 305 access the appropriate interfaces (e.g. local interface 216) in the respective devices 302, 304 to establish the connection using the received address data (step 528) and exchange the enterprise data securely using the received cryptographic data (step 530). In other words, the secure application 303 running on the initiating device 302 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 305 running on the receiving device 304 (received from the proxy server 120 at step 524), and the secure application 305 running on the receiving device 304 encrypts data to be sent over the device-to-device communications channel using the public key generated by the secure application 303 running on the initiating device 302 (received from the proxy server 120 at step 526).
[0080] In some embodiments, the connection request sent from the secure application 303 running on the initiating device 302 includes an indication of the enterprise data to be sent to the receiving device over the requested secure device-to-device communication channel. Based on this indication, the proxy server 120 is able to determine whether transfer of the enterprise data is allowed, and whether to permit establishment of a secure device-to-device communications channel between the initiating 302 and receiving devices 304. This determination may be delegated to the application server 122, which typically stores and manages access policies in respect of the enterprise data stored in or by the secure applications 303, 305 running on the initiating and receiving devices 302, 304. For example, responsive to receipt of a connection request indicating that the initiating user wishes to share a file named "presentation.pptx", the proxy server 120 may send a policy query to the application server 122 indicating the identity of the initiating user, the identity of the receiving user, and the enterprise data to be exchanged. If the application server 122 responds by indicating that such an exchange is permitted, the proxy server 120 proceeds to negotiate the device-to-device connection in the manner described above with respect to Figure 4 or Figure 5. Conversely, if the application server 122 responds by indicating that the exchange is not permitted, the proxy server 120 may terminate the negotiation process and inform the secure application 303 running on the initiating device 302 as appropriate.
[0081] In further embodiments, the application server 122 may respond to the policy query from the proxy server 120 by returning one or more rules in respect of the enterprise data to be exchanged. For example, the one or more rules may specify that the exchange between the initiating device 302 and the receiving device 304 is permitted but that the connection must be established within a particular time period (e.g. ten minutes) or using a particular communication interface or medium (e.g. Bluetooth™). Moreover, the one or more rules may specify restrictions on the use of the enterprise data once received by the receiving device 304. For example, the one or more rules may specify that the enterprise data may be displayed by the secure application 305 running on the receiving device 304, but that is not permitted to edit, print, copy or send the enterprise data to a further user. If the application server 122 responds with one or more rules in this manner, the proxy server 120 will include the rules, or a subset thereof, in the connection data that it sends to the secure applications 303, 305 (e.g. steps 424 and/or 426 of Figure 4 and steps 524 and/or 526 of Figure 5). In turn, the secure applications 303, 305 are configured to enforce any rules received in the connection data from the proxy server 120 to ensure that the enterprise data is managed in accordance with the policies maintained by the application server 122.
[0082] In some embodiments, the application server 122 may be configured to keep a record (e.g. in a database) of which secure applications have received the enterprise data and, if a respective policy is changed or updated by an administrator, to push any new or modified rules to those secure applications. Thus, in this manner the applications server 122 may track the dissemination of the enterprise data and ensure that it is managed according to policy on all relevant devices.
[0083] The methods 400, 500 discussed above with reference to Figures 4 and 5 are shown from the perspective of the initiating device 302 in Figure 6. Specifically, Figure 6 shows a method 600 performed by the secure application 303 running on initiating device 302 for initiating a secure device-to-device communications channel between with the receiving device 304 according to an embodiment. In a first step, the secure application 303 receives the identifier associated with the receiving user and sends a lookup request including the identifier to the proxy server 120 over the secure communications channel 308 (step 602). Next, the secure application 303 receives information associated with the receiving user from the proxy server 120 and displays it to the initiating user for confirmation (step 604). The secure application 303 receives an input from the initiating user as to whether they wish to proceed with establishing the secure device-to-device communication channel (step 606). If the input indicates that the initiating user wishes to terminate the connection request ("no" at step 606) the method is terminated. Conversely, if the input indicates that the initiating user wishes to proceed with the connection request ("yes" at step 606), the secure application 303 proceeds to determine which interfaces are available for establishment of the device-to-device communications channel (step 608). As discussed above, such a determination may involve aspects of the operating system running on the initiating device, and/or may involve displaying a list of available interfaces for selection by the initiating user. Next, the secure application generates a connection request, including capability data and cryptographic data in the manner described above with reference to Figures 4 and 5, and sends the connection request to the proxy server 120 over the secure communication channel 308 (step 610). Typically, the connection request generated at step 610 will indicate whether the device-to-device communications channel is to be established according to the "receptive mode" or "challenge mode" methods discussed above with reference to Figures 4 and 5, and, in the latter case, the connection request will include the challenge agreed between the initiating and receiving users. Following this, the secure application 303 receives, from the proxy server 120, the connection data associated with the receiving device 304 (step 612) and, if the connection data associated with the receiving device 304 indicates several available or acceptable interfaces for establishment of the device-to-device communications channel, the secure application 303 displays a list of the interfaces to the initiating user for selection (step 614). Once the interface for the device-to-device communications channel has been selected or otherwise determined, the secure application 303 establishes a secure device-to- device communication channel with the secure application 305 running on the receiving device 304 using the received connection data (step 614), and proceeds to send the enterprise data over the established device-to-device connection in encrypted format (step 616). Once the enterprise data has been sent, the secure device-to-device communications channel may be terminated immediately, or after a predetermined time period.
[0084] Figure 7 shows a method 700 performed by the proxy server 120 for negotiating a secure device-to-device communications channel between the initiating device 302 and the receiving device 304 according to an embodiment. In a first step, the proxy server 120 receives a lookup request from the secure application 303 running on the initiating device 302 and, in response, the proxy server 120 retrieves information regarding the receiving user (step 702) which it returns to the secure application 303 over the secure communications channel 308 (step 704). If the initiating user decides to proceed with the connection request based on the information regarding the receiving user, the proxy server receives a connection request from the secure application 303 running on the initiating device 302 (step 706). Responsive to receipt of the connection request, the proxy server 120 registers a pending connection request and performs one or more checks to determine whether the requested connection is permitted, as discussed above with reference to Figures 4 and 5 (step 708). Next, the proxy server 120 determines whether the device-to-device communications channel is to be established according to the "receptive mode" or "challenge mode" methods discussed above with reference to Figures 4 and 5 (step 710). For example, the proxy server 120 may determine whether the connection request received at step 706 includes a challenge (agreed by the initiating user and receiving user), thus indicating that the "challenge mode" is to be followed.
[0085] If, at step 710, it is identified that the "receptive mode" is to be followed, the proxy server waits to receive a lookup request from the secure application 305 running on the receiving device 304 and, on receipt of the connection request, retrieves the information regarding the initiating user (step 712) and returns it to the secure application 305 (step 714). Next, the proxy server 120 receives the complementary connection request from the secure application 305 running on the receiving device (step 716) and, based on the included capability data, determines one or more common communication interfaces for establishing the device-to- device communications channels (step 718). Finally, the proxy server 120 generates and sends connection data necessary to establish the secure device-to-device communications channel to the secure applications 303, 305 in the manner described above with reference to Figures 4 and 5 (step 720).
[0086] If, at step 710, it is identified that the "challenge mode" is to be followed, the proxy server proceeds to perform a lookup operation to identify one or more devices associated with the receiving user (step 722). Next, the proxy server 120 generates and sends a push notification to the secure applications running on each of the identified devices (step 724). Subsequently, the proxy server 120 receives a response including a challenge from the secure application 305 running on the receiving device 304 (step 726) and compares the challenge to the challenge received in the connection request from the secure application 303 running on the initiating device 302 at step 706. If the respective challenges match, the proxy server 120 sends confirmation to the secure application 305 running on the receiving device 304 (step 730) and subsequently receives the complementary connection request from the secure application 305 (step 716); the method then proceeds according to steps 718 and 720 as described above in relation to the "receptive mode".
[0087] Various aspects of the methods described hereinbefore with reference to Figures 4 to 7 involve interactions between the users and the secure applications 303, 305 running on their associated devices. Typically, these interactions are facilitated by one or more Graphical User Interfaces (GUIs) which are provided by the secure applications 303, 305. The one or more GUIs provide functionality that enables the secure applications 303, 305 to display information and prompts to the users, and also to receive user input via the screen 202 (in the case of a touchscreen), a keyboard or other suitable input device. Additionally or alternatively, the secure applications 303, 305 may interact with the users using a voice or audio based interface, using techniques which are known in the art.
[0088] It will be appreciated that at least parts of the methods discussed above with reference to Figures 4 to 7 may be implemented using software instructions stored on a computer useable storage medium for execution by a computing device. As an example, an embodiment of a computer program product includes a computer useable storage medium to store a computer readable program that, when executed on a computing device, causes the computing device to perform operations, as described hereinbefore. Furthermore, embodiments of the invention can be embodied in the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computing device or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The apparatus may be a transitory or a non- transitory computer-readable medium. For example, the computer-useable or computer-readable medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device), or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk, and an optical disk. Current examples of optical disks include a compact disk with read only memory (CD-ROM), a compact disk with read/write (CD-R/W), and a digital versatile disk (DVD).
[0089] Embodiments of the proxy server 120 described above with reference to Figures 1 to 7 is typically performed by a computer that executes computer readable instructions. Figure 8 depicts schematically an example of a suitable computer 800 that includes a processor 802, a memory 804, a storage device 806 and a network interface 808. The processor 802 may include a multifunction processor and/or an application-specific processor, examples of which include the PowerPC™ family of processors by IBM™ and the x86 and x86-64 family of processors by Intel™. The memory 804 within the computer is typically RAM and storage device 806 is typically a large capacity permanent storage device such as a magnetic hard disk drive or solid state memory device. The network interface 808 enables communications with other computers in a network using as suitable protocol, such as the Internet Protocol (IP) and the processor 802 executes computer readable instructions stored in storage 806 to implement embodiments of the invention as described hereinbefore.
[0090] Whilst the embodiments described hereinbefore relate to secure device-to-device communication channel for exchange of enterprise data from an initiating device to a receiving device, it will be appreciated that the established communications channel may also be used to provide secure access to one or more services hosted by the secure applications running on the devices. Thus, it will be appreciated that the above embodiments are not restricted to a particular type of enterprise data but instead encompass any type of data or service provided or managed by the secure applications.
[0091] Moreover, although the above embodiments relate to a secure communications channel established between an initiating device and a receiving device (i.e. in a client-server arrangement), it will be understood that further embodiments may invoice more than two devices. For example, further embodiments may relate to an initiating device establishing several secure device-to-device communication channels to several respective receiving devices, for example, to implement a peer-to-peer network or Personal Area Network (PAN).
[0092] Much of the above description is in terms of secure communication channels and the like. Typically, the secure communication channels may be established using HTTPS over TCP and/or SSL or other secure protocols that are known in the art. Alternatively, proprietary protocols may be used, such as the Good Relay Protocol (GRP) developed by Good Technology™ of Sunnyvale, California, United States.
[0093] It will be further appreciated that some or all of the functionality provided by the proxy server 120 in the embodiments described hereinbefore may also be provided by one or more of the other servers in the NOC 112 and/or the enterprise network 116. For example, where it is desired to negotiate the secure device-to-device communications channel with minimal time delay, some of the functionality provided by the proxy server 120 may be delegated to a server in the NOC 112. Such delegation may be advantageous in situations where it is deemed unnecessary to check user permissions (e.g. by reference to the application server 122), thereby obviating the need to route connection requests via the enterprise network 116 and enabling the device-to-device communication channel to be negotiated with minimal time delay. [0094] The above embodiments are to be understood as illustrative examples of the invention. Further embodiments of the invention are envisaged. For example, whilst much of the above description is in terms of "enterprise" servers and data providing enterprise services for users, embodiments of the present invention are widely applicable to many scenarios where two or more users establish a secure device-to-device communications channel to exchange data or services. For example, the methods described above may be used to establish a secure communications channel between devices of users associated with different enterprises; in this case, the functionality relating to the negotiation of secure device-to-device communications described above may be provided by the NOC 112, as described above, or by another server. In the case of communications between users associated with different enterprises, it may be particularly advantageous to use the challenge mode described above in order to establish a trust relationship between the parties.
[0095] A secure communications channel according to the methods and systems described herein may be used to transmit data in the discovery and/or delegation of services in systems in which services are delegated from an application on one device to an application on another device, for example as described in WO2014/014879. For example, a document viewing application on one device may delegate printing of a document to a printing application on another device; an application cryptography may provide a service for decrypting data (or example, e-mail data) on behalf of another application (for example, an e-mail application); or an application on one device may delegate a document or video viewing service to an application on one or more other devices, in order to share information with the user or users of same. For example, a communications channel may be established according to the challenge mode described above, in order that services available for delegation by an application on one device may be discovered by an application on another device.
[0096] It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.

Claims

WHAT IS CLAIMED IS:
1. A method of negotiating a secure device-to-device communications channel between a first computing device and a second computing device, the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising:
receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel;
receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel; determining, on the basis of an identity of the first user and an identity of the second user, that the secure device-to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted:
sending, from the server, first connection data to the first computing device over the first secure communications channel; and
sending, from the server, second connection data to the second computing device over the second secure communications channel;
wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device.
2. A method according to claim 1, comprising establishing a direct secure device-to- device communications channel between the first computing device and the second computing device using the first connection data and the second connection data.
3. A method according to claim 1 or 2, wherein the first connection request comprises an indication of the second user, and the method comprises, responsive to receipt of the first connection request, sending a connection notification indicative of a pending connection request to one or more computing devices associated with the second user, wherein the one or more computing devices includes the second computing device.
4. A method according to claim 3, comprising determining the one or more computing devices associated with the second user using the indication of the second user in the first connection request.
5. A method according to claim 3 or 4, wherein the second connection request is sent to the server by the second computing device responsive to receipt of the connection notification at the second computing device.
6. A method according to any one of the preceding claims, wherein the first connection request comprises a first session identifier and the second connection request includes a second session identifier, and wherein the sending of the first connection data and the sending of the second connection data is conditional on the first session identifier corresponding to the second session identifier.
7. A method according to claim 6, wherein the first session identifier and the second session identifier correspond to a user identity associated with the first computing device or the second computing device.
8. A method according to claim 6, wherein the first session identifier and the second session identifier correspond to a predetermined challenge exchanged between the first computing device and the second computing device prior to receipt of the first connection request and the second connection request.
9. A method according to any one of the preceding claims, wherein the first connection request indicates an intended use of the secure device-to-device communications channel.
10. A method according to any one of the preceding claims, wherein the first connection request identifies data to be transferred from the first computing device to the second computing device using the secure device-to-device communications channel.
11. A method according to any one of the preceding claims, wherein the first connection request indicates a specified service running on the first computing device to be shared with the second computing device using the secure device-to-device communications channel.
12. A method according to any one of claims 9 to 11, wherein sending the first connection data and the second connection data is dependent on a determination that the secure device-to-device communications channel is permitted on the basis of the intended use of the secure device-to-device communications channel.
13. A method according to claim 1, comprising retrieving, at the server, permission data associated with the first user and the second user, wherein the determination that the secure device-to-device communications channel between the first computing device and the second computing device is permitted is based on the retrieved permission data.
14. A method according to any one of the preceding claims, wherein the first connection request indicates a communications medium for establishment of the secure device- to-device communications channel.
15. A method according to claim 14, wherein the communications medium is one of Bluetooth™, a local area network, Near Field Communication and Wi-Fi™.
16. A method according to claim 14, wherein the communications medium for establishment of the secure device-to-device communications channel is different from the communications medium associated with the first secure communications channel and the communications medium associated with the second secure communications channel.
17. A method according to any one of the preceding claims, wherein the first computing device and the second computing device are authenticated by the server.
18. A method according to any one of the preceding claims, wherein the computing device is a portable computing device.
19. A server system for negotiating a secure device-to-device communications channel between a first computing device and a second computing device, the first computing device being associated with a first user and the second computing device being associated with a second user, wherein the server system is configured to:
receive a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel;
receive a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel;
determine, on the basis of an identity of the first user and an identity of the second user, that the secure device-to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted:
send first connection data to the first computing device over the first secure communications channel; and
send second connection data to the second computing device over the second secure communications channel;
wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device.
20. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method for negotiating a secure device-to-device communications channel between a first computing device and a second computing device, the first computing device being associated with a first user and the second computing device being associated with a second user, the method comprising:
receiving, at a server, a first connection request comprising first address data and a first cryptographic key associated with a first computing device, the first connection request being received over a first secure communications channel;
receiving, at the server, a second connection request comprising second address data and a second cryptographic key associated with a second computing device, the second connection request being received over a second secure communications channel;
determining, on the basis of an identity of the first user and an identity of the second user, that the secure device-to-device communication channel is permitted and, dependent on a determination that the secure device-to-device communication channel is permitted:
sending, from the server, first connection data to the first computing device over the first secure communications channel; and
sending, from the server, second connection data to the second computing device over the second secure communications channel;
wherein the first connection data comprises the second address data and second cryptographic key, and the second connection data comprises the first address data and first cryptographic key, the first and second connection data being for use in enabling establishment of a secure device-to-device communications channel between the first computing device and the second computing device.
21. A method of initiating a secure device-to-device communications channel between a first computing device and a second computing device, the method comprising:
sending, to a server from a first computing device, a connection request comprising a first cryptographic key and first address data associated with the first computing device, the connection request being sent over a first secure communications channel;
receiving, at the first computing device over the first secure communications channel, connection data associated with a second computing device, the connection data comprising permission data, second address data and a second cryptographic key;
establishing a secure device-to-device communications channel with the second computing device using the connection data; and
selectively transmitting the application data to the second computing device over the secure device-to-device communications channel based on the permission data.
22. A method according to claim 21, comprising receiving, at the first computing device, a connection notification indicative of a pending connection request from the second computing device, wherein sending of the first connection request is responsive to receipt of the connection notification at the first computing device.
23. A method according to claim 21, wherein the first connection request comprises an indication of a second user associated with the second computing device.
24. A method according to claim 21, wherein the first connection request comprises a first session identifier.
25. A method according to claim 24, wherein the session identifier corresponds to a user identity associated with the first computing device or the second computing device.
26. A method according to claim 24, wherein the session identifier corresponds to a predetermined challenge exchanged between the first computing device and the second computing device prior to sending of the first connection request.
27. A method according to any one of claims 21 to 26, wherein the connection request indicates an intended use of the secure device-to-device communications channel.
28. A method according to any one of claims 21 to 27, wherein the connection request identifies data to be transferred from the first computing device to the second computing device using the secure device-to-device communications channel.
29. A method according to any one of claims 21 to 28, wherein the connection request indicates a specified service running on the first computing device to be shared with the second computing device using the secure device-to-device communications channel.
30. A method according to any one of claims 21 to 29, wherein the connection request indicates a communications medium for establishment of the secure device-to-device communications channel.
31. A method according to claim 30, wherein the communications medium is one of Bluetooth™, a local area network, Near Field Communication (NFC) and Wi-Fi™.
32. A method according to any one of claims 21 to 31, wherein the first computing device comprises a secure application and the secure device-to-device communications channel is established between the secure application and the second computing device.
33. A method according to claim 32, wherein the secure application controls data transmitted over the secure device-to-device communications channel.
34. A method according to any one of claims 21 to 33, wherein the first and second computing devices are portable computing devices.
35. A computing device for secure management of application data, the computing device being provided with a secure application for controlling transmission of the application data over a secure device-to-device communications channel, wherein the secure application is configured to:
establish a first secure communications channel to a server;
send, to the server, a connection request comprising a cryptographic key and address data associated with the computing device, the connection request being sent over the first secure communications channel;
receiving, from the server, connection data comprising permission data and address data and a cryptographic key associated with a recipient computing device, the connection data being received over the first secure communications channel;
establish a secure device-to-device communications channel with the recipient computing device using the connection data; and
selectively transmit the application data to the recipient computing device over the secure device-to-device communications channel based on the permission data.
36. A computing device according to claim 35, wherein secure application stores the application data in a secure container on the computing device.
37. A computing device according to claim 35 or 36, wherein the application data relates to a service provided by the secure application.
38. A computing device according to any one of claims 35 to 37, wherein the computing device is a portable computing device.
39. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method for initiating a secure device-to-device communications channel between a first computing device and a second computing device, the method comprising: sending, to a server from a first computing device, a connection request comprising a first cryptographic key and first address data associated with the first computing device, the connection request being sent over a first secure communications channel;
receiving, at the first computing over the first secure communications channel, connection data associated with a second computing device, the connection data comprising permission data, second address data and a second cryptographic key;
establishing a secure device-to-device communications channel with the second computing device using the connection data; and
selectively transmitting the application data to the second computing device over the secure device-to-device communications channel based on the permission data.
PCT/US2014/069823 2013-12-12 2014-12-11 Secure communication channels WO2015089318A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US15/103,998 US10397202B2 (en) 2013-12-12 2014-12-11 Secure communication channels
EP14868833.6A EP3080948B1 (en) 2013-12-12 2014-12-11 Secure communication channels

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB1322033.0A GB2521196B (en) 2013-12-12 2013-12-12 Secure communication channels
GB1322032.2 2013-12-12
GB1322032.2A GB2521195B (en) 2013-12-12 2013-12-12 Secure communication channels
GB1322033.0 2013-12-12

Publications (2)

Publication Number Publication Date
WO2015089318A2 true WO2015089318A2 (en) 2015-06-18
WO2015089318A3 WO2015089318A3 (en) 2015-09-17

Family

ID=53371966

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/069823 WO2015089318A2 (en) 2013-12-12 2014-12-11 Secure communication channels

Country Status (3)

Country Link
US (1) US10397202B2 (en)
EP (1) EP3080948B1 (en)
WO (1) WO2015089318A2 (en)

Families Citing this family (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9838858B2 (en) 2014-07-08 2017-12-05 Rapidsos, Inc. System and method for call management
EP3195563B1 (en) 2014-09-19 2021-12-15 Rapidsos Inc. Method for emergency call management
TWI569618B (en) * 2014-10-31 2017-02-01 黃能富 Communication method of hiding privacy and system thereof
JP6570355B2 (en) * 2015-07-21 2019-09-04 キヤノン株式会社 COMMUNICATION DEVICE, COMMUNICATION METHOD, AND PROGRAM
JP6532333B2 (en) 2015-07-21 2019-06-19 キヤノン株式会社 Communication device, communication method and program
DE102015214267A1 (en) 2015-07-28 2017-02-02 Siemens Aktiengesellschaft Method and system for creating a secure communication channel for terminals
US10103879B2 (en) * 2015-09-30 2018-10-16 Verizon Patent And Licensing Inc. Secure data upload/download service
WO2017057941A1 (en) * 2015-10-01 2017-04-06 Samsung Electronics Co., Ltd. User equipment and method for handling public land mobile network selection involving prose communication
MX2018005568A (en) 2015-11-02 2018-11-09 Rapidsos Inc Method and system for situational awareness for emergency response.
WO2017106775A1 (en) 2015-12-17 2017-06-22 Rapidsos, Inc. Devices and methods for efficient emergency calling
US10129218B2 (en) * 2016-01-08 2018-11-13 Nicolaas Gustav Temme Method and system for receiving, processing, storing and sending data of internet connected devices
US10200369B1 (en) * 2016-02-16 2019-02-05 Symantec Corporation Systems and methods for dynamically validating remote requests within enterprise networks
US9986404B2 (en) 2016-02-26 2018-05-29 Rapidsos, Inc. Systems and methods for emergency communications amongst groups of devices based on shared data
US10404663B1 (en) * 2016-02-29 2019-09-03 Parallels International Gmbh File sharing over secure connections
AU2017257781A1 (en) 2016-04-26 2018-11-29 RapidsSOS, Inc. Systems and methods for emergency communications
CA3023982A1 (en) 2016-05-09 2017-11-16 Rapidsos, Inc. Systems and methods for emergency communications
EP3300331B1 (en) * 2016-07-14 2019-11-20 Huawei Technologies Co., Ltd. Response method, apparatus and system in virtual network computing authentication, and proxy server
EP3491775A4 (en) * 2016-07-27 2020-02-26 Akamai Technologies, Inc. Cryptographic material sharing among entities with no direct trust relationship or connectivity
WO2018039142A1 (en) 2016-08-22 2018-03-01 Rapidsos, Inc. Predictive analytics for emergency detection and response management
KR101921275B1 (en) * 2017-06-16 2019-02-13 라인 가부시키가이샤 Method and system of file transfer using device-to-device communication technique in messenger
EP3721402A4 (en) 2017-12-05 2021-08-04 Rapidsos Inc. Social media content for emergency management
US11483323B2 (en) * 2017-12-28 2022-10-25 Verizon Patent And Licensing Inc. Techniques and/or systems to manage secure network connections
US20190238511A1 (en) * 2018-01-30 2019-08-01 Stephen Murrell Methods and apparatus for managing risk in digital communications of the industrial internet of things
US11044323B2 (en) * 2018-01-30 2021-06-22 Stephen Murrell Methods and apparatus for managing risk in digital communications of the industrial internet of things
US10820181B2 (en) 2018-02-09 2020-10-27 Rapidsos, Inc. Emergency location analysis system
US10936276B2 (en) * 2018-03-22 2021-03-02 Lenovo (Singapore) Pte. Ltd. Confidential information concealment
WO2019204228A1 (en) 2018-04-16 2019-10-24 Rapidsos, Inc. Emergency data management and access system
EP3803774A4 (en) 2018-06-11 2022-03-09 Rapidsos, Inc. Systems and user interfaces for emergency data integration
US11917514B2 (en) 2018-08-14 2024-02-27 Rapidsos, Inc. Systems and methods for intelligently managing multimedia for emergency response
US10977927B2 (en) 2018-10-24 2021-04-13 Rapidsos, Inc. Emergency communication flow management and notification system
US11218584B2 (en) 2019-02-22 2022-01-04 Rapidsos, Inc. Systems and methods for automated emergency response
US10902146B2 (en) * 2019-03-19 2021-01-26 Workiva Inc. Method and computing device for gating data between workspaces
US11182766B2 (en) * 2019-03-22 2021-11-23 Verizon Patent And Licensing Inc. Initiating a transaction based on a real-time kinematics assisted location of a device
EP3949467A4 (en) 2019-03-29 2023-01-25 Rapidsos Inc. Systems and methods for emergency data integration
US11146680B2 (en) 2019-03-29 2021-10-12 Rapidsos, Inc. Systems and methods for emergency data integration
EP3731480B1 (en) * 2019-04-25 2022-03-02 Mastercard International Incorporated Systems and methods for secure communication
US11228891B2 (en) 2019-07-03 2022-01-18 Rapidsos, Inc. Systems and methods for emergency medical communications
US11368535B2 (en) 2019-11-18 2022-06-21 Connectify, Inc. Apparatus and method for client connection establishment
US11438316B2 (en) * 2020-01-16 2022-09-06 360 It, Uab Sharing encrypted items with participants verification
US11330664B1 (en) 2020-12-31 2022-05-10 Rapidsos, Inc. Apparatus and method for obtaining emergency data and providing a map view

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040193722A1 (en) 1999-08-30 2004-09-30 Donovan Kevin Remington Joseph Bartholomew Universal instant messaging system for the internet
US7120692B2 (en) * 1999-12-02 2006-10-10 Senvid, Inc. Access and control system for network-enabled devices
US20030065941A1 (en) * 2001-09-05 2003-04-03 Ballard Clinton L. Message handling with format translation and key management
AU2002326280A1 (en) * 2002-08-14 2004-03-19 Agency For Science, Technology And Research A method of generating an authentication
US7386878B2 (en) 2002-08-14 2008-06-10 Microsoft Corporation Authenticating peer-to-peer connections
GB0623101D0 (en) * 2006-11-20 2006-12-27 British Telecomm Secure network architecture
CA2571891C (en) * 2006-12-21 2015-11-24 Bce Inc. Device authentication and secure channel management for peer-to-peer initiated communications
US8635440B2 (en) 2007-12-13 2014-01-21 Microsoft Corporation Proxy with layer 3 security
KR100953095B1 (en) 2007-12-18 2010-04-19 한국전자통신연구원 Super peer based peer-to-peer network system and peer authentication method therefor
US10380573B2 (en) 2008-09-30 2019-08-13 Apple Inc. Peer-to-peer financial transaction devices and methods
US8683574B2 (en) 2008-12-15 2014-03-25 Novell, Inc. Identity driven peer-to-peer (P2P) virtual private network (VPN)
KR20100074463A (en) * 2008-12-24 2010-07-02 삼성전자주식회사 Method for securing media independent handover message transportation
US9197616B2 (en) * 2010-03-19 2015-11-24 Cisco Technology, Inc. Out-of-band session key information exchange
US9292248B2 (en) 2011-06-22 2016-03-22 Microsoft Technology Licensing, Llc Span out load balancing model
US8831568B2 (en) * 2011-09-27 2014-09-09 Qualcomm Incorporated Automatic configuration of a wireless device
US9286471B2 (en) * 2011-10-11 2016-03-15 Citrix Systems, Inc. Rules based detection and correction of problems on mobile devices of enterprise users
US9232391B2 (en) * 2012-05-07 2016-01-05 Industrial Technology Research Institute Authentication system for device-to-device communication and authentication method therefor

Also Published As

Publication number Publication date
US10397202B2 (en) 2019-08-27
WO2015089318A3 (en) 2015-09-17
EP3080948A2 (en) 2016-10-19
US20160315923A1 (en) 2016-10-27
EP3080948A4 (en) 2017-08-30
EP3080948B1 (en) 2019-03-20

Similar Documents

Publication Publication Date Title
US10397202B2 (en) Secure communication channels
US9935767B2 (en) Secure storage
US10284532B2 (en) Managing access to resources
US9385996B2 (en) Method of operating a computing device, computing device and computer program
US9356994B2 (en) Method of operating a computing device, computing device and computer program
EP2687036B1 (en) Permitting access to a network
EP2820585B1 (en) Method of operating a computing device, computing device and computer program
US20120266217A1 (en) Permitting Access To A Network
US20120226905A1 (en) Method and System for Discovering, Authenticating and Accessing Multiple Computing Devices
US9100390B1 (en) Method and system for enrolling and authenticating computing devices for data usage accounting
EP2741465B1 (en) Method and device for managing secure communications in dynamic network environments
GB2532903A (en) Secure communication channels
US10756899B2 (en) Access to software applications
GB2521195A (en) Secure communication channels
JP2022103134A (en) Internet of Things system based on security orientation and group sharing
JP2015230520A (en) Authentication device, authentication method, authentication program and authentication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14868833

Country of ref document: EP

Kind code of ref document: A2

REEP Request for entry into the european phase

Ref document number: 2014868833

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2014868833

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 15103998

Country of ref document: US

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14868833

Country of ref document: EP

Kind code of ref document: A2