公开(公告)号：US20170220793A1

公开(公告)日：2017-08-03

申请号：US15387776

申请日：2016-12-22

Applicant: Google Inc.

Inventor： Arnar Birgisson ,  Yevgeniy Gutnik

IPC: G06F21/45 ,  H04L29/06

CPC classification number: G06F21/45 ,  G06F21/62 ,  H04L63/0807 ,  H04L63/083 ,  H04L63/101 ,  H04L63/102 ,  H04W12/08

Abstract: In some implementations, after one or more users have each been granted a respective access token allowing access to a resource device, revocation data is received by the resource device. The revocation data indicates that the previously granted access to the resource device should be revoked. For example, the revocation data may indicate (i) a user, role, or permission level for which access is revoked and (ii) a duration that access to the resource device was allowed. After receiving the revocation data, the resource device receives token data derived from an access token that allows access to the resource device. The resource device determines that the access token relies on authorization of the user, role, or permission level indicated by the revocation data, and in response, the resource device denies access.

公开(公告)号：US20170223005A1

公开(公告)日：2017-08-03

申请号：US15392316

申请日：2016-12-28

Applicant: Google Inc.

Inventor： Arnar Birgisson ,  Yevgeniy Gutnik ,  Bo Zhu ,  Vitaly Buka ,  Jason Reid Ederle ,  Alexey Semenov ,  Mackenzie Lee Jacoby ,  Vikas Gupta

IPC: H04L29/06

CPC classification number: H04L63/083 ,  G07C9/00174 ,  G07C2009/00769 ,  G07C2209/04 ,  H04L63/0807 ,  H04L63/101 ,  H04L2012/2841 ,  H04W4/70 ,  H04W4/80 ,  H04W12/08

Abstract: The disclosed embodiments include computerized methods, systems, and devices, including computer programs encoded on a computer storage medium, for device authentication. For example, the resource device may generate and maintain master access tokens, which may be transmitted to a computing system. The computing system may receive, from a device of an owner of the resource device, data granting a client device limited access to the resource device in accordance with various access restrictions. The computing system may generate and provide to the client device a limited version of the master access token that specifies the access restrictions. The client device may present the local access token to the resource device over a direct wireless connection, and the resource device may verify the token and grant the requested access without communication with the computing system.

公开(公告)号：US20170214664A1

公开(公告)日：2017-07-27

申请号：US15413762

申请日：2017-01-24

Applicant: Google Inc.

Inventor： Arnar Birgisson ,  Bo Zhu ,  Yevgeniy Gutnik

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L63/0428 ,  H04L9/0869 ,  H04L9/3247 ,  H04L63/10 ,  H04L2209/24 ,  H04W12/06 ,  H04W12/08 ,  Y02D70/142 ,  Y02D70/144 ,  Y02D70/164 ,  Y02D70/166 ,  Y02D70/26

Abstract: The disclosed embodiments include computerized methods, systems, and devices, including computer programs encoded on a computer storage medium, for establishing secure wireless communications sessions involving low-power devices. A client device may discover a low-power resource device operating within a wireless network. Upon discovery, the client and resource devices may establish mutual randomness, and establish mutual possession of a shared cryptographic key. The resource device may, in some aspects, provide data proving its knowledge of an authentication tag of a local authentication token held confidentially by the client device. If the resource device proves its knowledge of the client device's authentication tag, the client and resource device may establish a secure communication session and generate session keys for subsequent communications.

公开(公告)号：US09397990B1

公开(公告)日：2016-07-19

申请号：US14074941

申请日：2013-11-08

Applicant: Google Inc.

Inventor： Ankur Taly ,  Ulfar Erlingsson ,  Arnar Birgisson ,  Joseph Gibbs Politz ,  Mark Lentczner

IPC: G06F21/00 ,  H04L29/06

CPC classification number: H04L63/08 ,  H04L63/0807 ,  H04L63/10

Abstract: A method of controlling the sharing of data between entities that are in electronic communication with each other may include generating an authentication credential comprising an identifier for the target service and a unique signature, attenuating the authentication credential, and determining whether a client device is authorized to access the target service, and, only if so, providing the authentication credential to the client device. In an embodiment, the method may include receiving an access request from the client device, identifying that the authentication credential includes the unique signature and a third party caveat that is associated with a third party authentication service, in response to the identifying, determining whether the request also comprises a discharge credential for the third party caveat, and if the request includes the discharge credential, providing the client device with the requested service, otherwise denying the request.

Abstract translation: 控制彼此进行电子通信的实体之间的数据共享的方法可以包括生成包括目标服务的标识符和唯一签名的认证证书，衰减认证证书，以及确定客户端设备是否被授权 访问目标服务，并且只有在此情况下，向客户端设备提供验证凭据。 在一个实施例中，该方法可以包括从客户端设备接收访问请求，识别认证证书包括唯一签名和与第三方验证服务相关联的第三方注意事项，以响应于识别，确定是否 请求还包括用于第三方警告的排出凭证，并且如果请求包括排出凭证，则向客户端设备提供所请求的服务，否则拒绝该请求。