Techniques for implementing a data storage device as a security device for managing access to resources

US 10,154,037 B2
Filed: 03/22/2017
Issued: 12/11/2018
Est. Priority Date: 03/22/2017
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

determining that a user is not authenticated to access a resource requested at a device associated with the user, wherein access to the resource is controlled by an access management system;

identifying, at the device, a storage device that is connected to the device, wherein the storage device is identified to verify registration of the storage device as a security device for authentication of the user;

determining that device information about the storage device is stored at a first location on the storage device, wherein the device information includes an identifier of the storage device;

generating, using a hashing process, an access key for verifying registration of the storage device, wherein the access key is generated based at least in part on the device information;

generating key data based on a first decryption, using the access key, of security data stored at a second location on the storage device, wherein the key data includes a private key and a public key;

transmitting a message to request the access management system to verify registration of the storage device as the security device, wherein the message is encrypted using the private key, and wherein the message includes user information about the user and the device information;

receiving, from an access management system, a response to the request to verify registration of the storage device, wherein the response includes access data to enable access to the resource requested at the device, wherein the access data is generated based on verifying that the storage device is registered with the access management system for the user, and wherein the access data is encrypted using a public key associated with registration of the storage device for the user at the access management system;

generating decrypted access data based on a second decryption of the access data using the private key; and

enabling the device to access the resource using the decrypted access data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for implementation of a data storage device as a security device for managing access to resources. These techniques can be implemented for multi-factor authentication (MFA) to provide multiple layers of security for managing access to resources in an enterprise and/or a cloud computing environments. As a security device, a storage device can be used a portable device to provide a point of trust for multi-factor authentication across any client application or device operated to access resources. A storage device may be configured with security data for authentication with an access management system. After configuration, a portable storage device may be used for authentication of a user without credential information at any client device based on accessibility of the device to the portable storage device. A storage device configured as a security device can ensure that legitimate users have an easy way to authenticate and access the resources.

Citations

20 Claims

1. A computer implemented method comprising:
- determining that a user is not authenticated to access a resource requested at a device associated with the user, wherein access to the resource is controlled by an access management system;
  
  identifying, at the device, a storage device that is connected to the device, wherein the storage device is identified to verify registration of the storage device as a security device for authentication of the user;
  
  determining that device information about the storage device is stored at a first location on the storage device, wherein the device information includes an identifier of the storage device;
  
  generating, using a hashing process, an access key for verifying registration of the storage device, wherein the access key is generated based at least in part on the device information;
  
  generating key data based on a first decryption, using the access key, of security data stored at a second location on the storage device, wherein the key data includes a private key and a public key;
  
  transmitting a message to request the access management system to verify registration of the storage device as the security device, wherein the message is encrypted using the private key, and wherein the message includes user information about the user and the device information;
  
  receiving, from an access management system, a response to the request to verify registration of the storage device, wherein the response includes access data to enable access to the resource requested at the device, wherein the access data is generated based on verifying that the storage device is registered with the access management system for the user, and wherein the access data is encrypted using a public key associated with registration of the storage device for the user at the access management system;
  
  generating decrypted access data based on a second decryption of the access data using the private key; and
  
  enabling the device to access the resource using the decrypted access data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first location is a file system located on the storage device, and wherein the second location is a key store located on the storage device.
  - 3. The method of claim 1, wherein the device information includes one or more attributes about the storage device.
  - 4. The method of claim 1, further comprising:
    - identifying information about the storage device;
      
      generating, using a hashing process, an access key verifying that the device information is stored on the storage device, wherein the access key is generated based at least in part on the information about the storage device; and
      
      obtaining, using the access key, the device information at the first location.
  - 5. The method of claim 1, wherein the device includes a computer, wherein the storage device is included in a computer system, and wherein the storage device is connected to the device via a communication network.
  - 6. The method of claim 1, wherein the device is a mobile communication device, and wherein the storage device is a computer-readable storage media that is physically connected to the device.
  - 7. The method of claim 1, wherein verifying the storage device is registered with the access management system includes determining that the device information is stored in association with the user information.
  - 8. The method of claim 1, further comprising:
    - based on determining that information stored at the first location does not identify the storage device, determining that the storage device is not registered with the access management system for the user; and
      
      denying access to the resource at the device.
  - 9. The method of claim 1, further comprising:
    - performing the first decryption of the security data using the access key;
      
      based on determining that the security data cannot be decrypted using the access key, determining that the storage device is not registered with the access management system for the user; and
      
      denying access to the resource at the device.

10. A system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to;
  
  determine that a user associated with a device is not authenticated to access a resource requested at the device, wherein access to the resource is controlled by an access management system;
  
  identify a storage device that is connected to the device, wherein the storage device is identified to verify registration of the storage device as a security device for authentication of the user;
  
  determine that device information about the storage device is stored at a first location on the storage device, wherein the device information includes an identifier of the storage device;
  
  generate, using a hashing process, an access key for verifying registration of the storage device, wherein the access key is generated based at least in part on the device information;
  
  generate key data based on a first decryption, using the access key, of security data stored at a second location on the storage device, wherein the key data includes a private key;
  
  transmit a message to request the access management system to verify registration of the storage device as the security device, wherein the message is encrypted using the private key, and wherein the message includes user information about the user and the device information;
  
  receive, from an access management system, a response to the request to verify registration of the storage device, wherein the response includes access data to enable access to the resource requested at the device, wherein the access data is generated based on verifying that the storage device is registered with the access management system for the user, and wherein the access data is encrypted using a public key associated with registration of the storage device for the user at the access management system;
  
  generate decrypted access data based on a second decryption of the access data using the private key; and
  
  enable access the resource using the decrypted access data.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the first location is a key store located on the storage device, and wherein the second location is a file system located on the storage device.
  - 12. The system of claim 10, wherein the one or more instructions that, upon execution by the one or more processors, further causes the one or more processors to:
    - identify information about the storage device;
      
      generate, using a hashing process, an access key verifying that the device information is stored on the storage device, wherein the access key is generated based at least in part on the information about the storage device; and
      
      obtain, using the access key, the device information at the first location.
  - 13. The system of claim 10, wherein the one or more processors and the memory are included in the device.
  - 14. The system of claim 10, wherein the storage device is included in a computer system, and wherein the storage device is connected to the device via a communication network.
  - 15. The system of claim 10, wherein the storage device is a computer-readable storage media that is physically connected to the device.

16. A computer implemented method comprising:
- identifying, at a device associated with a user, one or more storage devices that are connected to the device;
  
  generating a graphical interface that is displayed at the device, wherein the graphical interface displays information about each of the one or more storage devices that are identified as connected to the device, and wherein the graphical interface includes an element that is interactive to select at least one of the one or more storage devices for registration as a security device;
  
  receiving an input for an interaction with the element, wherein the input corresponds to a selection of a storage device from the one or more storage devices to register as the security device associated with a user;
  
  identifying device information about the storage device corresponding to the selection, wherein the device information includes an identifier of the storage device;
  
  generating key data for the storage device, wherein the key data includes a private key and a public key;
  
  generating, using a hashing process, an access key for configuring the storage device, wherein the access key is generated based at least in part on the device information;
  
  generating encrypted key data by encryption of the key data using the access key;
  
  storing the encrypted key data at a first location on the storage device;
  
  storing the device information at a second location on the storage device;
  
  transmitting, to an access management system, a request to register the storage device for the user, the request including the public key and device information, wherein based on the request, the public key and device information are stored at the access management system in association with user information about the user for registration of the storage device; and
  
  receiving, from the access management system, a response indicating registration of the storage device as the security device for the user, wherein the response includes access data to enable access to one or more resources requested at the device by the user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the storage device is included in a computer system, and wherein the storage device is connected to the device via a communication network.
  - 18. The method of claim 16, wherein the storage device is a computer-readable storage media that is physically connected to the device.
  - 19. The method of claim 16, wherein the first location is a key store located on the storage device, and wherein the second location is a file system located on the storage device.
  - 20. The method of claim 16, wherein the device information includes one or more attributes about the storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Pattar, Nagaraj, Maheshwari, Harsh
Primary Examiner(s)
Jamshidi, Ghodrat

Application Number

US15/466,512
Publication Number

US 20180278612A1
Time in Patent Office

629 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

Techniques for implementing a data storage device as a security device for managing access to resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for implementing a data storage device as a security device for managing access to resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links