Password encryption for hybrid cloud services

US 10,432,592 B2
Filed: 05/09/2016
Issued: 10/01/2019
Est. Priority Date: 05/10/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a gateway server, associated with an internal cloud, configured to receive messages from a user device and to forward the messages to a computing device associated with an external cloud different from the internal cloud; and

a workspace cloud connector computing device associated with the internal cloud, wherein the workspace cloud connector computing device is communicatively coupled to the gateway server and different from the user device, the workspace cloud connector computing device configured to;

prevent a first message of the messages being forwarded to the computing device associated with the external cloud, from being delivered to the computing device associated with the external cloud based on detecting that the first message includes plaintext user identity credentials for an internal application;

generate an encryption key;

encrypt the plaintext user identity credentials using the encryption key;

generate a first hash of the encryption key;

transmit a second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud;

in response to transmitting the second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud, receive a routing address of a virtual delivery agent computing device from the computing device associated with the external cloud; and

transmit a third message including the encryption key and the routing address of the virtual delivery agent computing device to the user device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, computer-readable media, and apparatuses may provide password encryption for hybrid cloud services. A workspace cloud connector internally residing with an entity may intercept user credentials associated with an internal application being transmitted to an external cloud service. The workspace cloud connector may generate an encryption key and encrypt the user credentials via a reversible encryption methodology. The workspace cloud connector may encrypt the encryption key using an irreversible encryption methodology (e.g., use a hashing function to produce a first hash). The workspace cloud connector may transmit the encrypted user credentials and the first hash to a virtual delivery agent via a first path (e.g., via the external cloud service). In response, the workspace cloud connector may receive an address of the virtual delivery agent and, using the address, may send the encryption key to the virtual delivery agent via a second path different from the first path.

9 Citations

View as Search Results

20 Claims

1. A system comprising:
- a gateway server, associated with an internal cloud, configured to receive messages from a user device and to forward the messages to a computing device associated with an external cloud different from the internal cloud; and
  
  a workspace cloud connector computing device associated with the internal cloud, wherein the workspace cloud connector computing device is communicatively coupled to the gateway server and different from the user device, the workspace cloud connector computing device configured to;
  
  prevent a first message of the messages being forwarded to the computing device associated with the external cloud, from being delivered to the computing device associated with the external cloud based on detecting that the first message includes plaintext user identity credentials for an internal application;
  
  generate an encryption key;
  
  encrypt the plaintext user identity credentials using the encryption key;
  
  generate a first hash of the encryption key;
  
  transmit a second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud;
  
  in response to transmitting the second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud, receive a routing address of a virtual delivery agent computing device from the computing device associated with the external cloud; and
  
  transmit a third message including the encryption key and the routing address of the virtual delivery agent computing device to the user device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, further comprising:
    - the virtual delivery agent computing device, the virtual delivery agent computing device configured to;
      
      receive the second message including the encrypted user identity credentials and the first hash of the encryption key from the computing device associated with the external cloud;
      
      store the encrypted user identity credentials and the first hash of the encryption key in a map; and
      
      send the routing address of the virtual delivery agent computing device to the computing device associated with the external cloud.
  - 3. The system of claim 2, wherein the virtual delivery agent computing device is further configured to:
    - receive the encryption key from the user device;
      
      generate a second hash of the encryption key; and
      
      identify the first hash of the encryption key stored in the map using the second hash of the encryption key.
  - 4. The system of claim 3, wherein the virtual delivery agent computing device is further configured to:
    - perform the identifying of the first hash of the encryption key stored in the map using the second hash of the encryption key by comparing the second hash of the encryption key with each of a plurality of hashes stored in the map.
  - 5. The system of claim 4, wherein the virtual delivery agent computing device is further configured to:
    - in response to determining that the second hash of the encryption key does not match any hash of the plurality of hashes stored in the map, prevent access to the internal application and send a rejection message to the user device.
  - 6. The system of claim 4, wherein the virtual delivery agent computing device is further configured to:
    - in response to determining that the second hash of the encryption key matches the first hash of the encryption key, decrypt the encrypted user identity credentials using the encryption key and provide the user identity credentials to the internal application.
  - 7. The system of claim 1, wherein the internal application is further configured to authenticate user identity credentials having a particular form and not to authenticate user identity credentials having a different form.
  - 8. The system of claim 7, wherein the user identity credentials having the particular form is a user password and the user identity credentials having the different form is one of a security assertion markup language (SAML) assertion or an open standard for authorization (OAuth) assertion.
  - 9. The system of claim 1, further comprising:
    - the user device, the user device further configured to;
      
      receive the third message including the encryption key and the routing address of the virtual delivery agent computing device from the workspace cloud connector computing device; and
      
      transmit the encryption key to the virtual delivery agent computing device using the routing address of the virtual delivery agent computing device.
  - 10. The system of claim 1, wherein the computing device associated with the external cloud is configured to:
    - receive the second message including the encrypted user identity credentials and the first hash of the encryption key from the workspace cloud connector computing device;
      
      determine which of a plurality of virtual delivery agent computing devices to send the second message including the encrypted user identity credentials and the first hash of the encryption key; and
      
      send the second message including the encrypted user identity credentials and the first hash of the encryption key to the virtual delivery agent computing device.
  - 11. The system of claim 1, wherein the internal cloud is administratively managed by a first entity and the external cloud is administratively managed by a second entity different from the first entity.
  - 12. The system of claim 1, wherein the internal cloud is further configured to:
    - transmit the encrypted user identity credentials and the first hash of the encryption key to the virtual delivery agent computing device via a first path; and
      
      transmit the encryption key to the virtual delivery agent computing device via a second path different from the first path.

13. An apparatus, within an internal cloud, comprising:
- a hardware processor; and
  
  a hardware computer readable medium storing instructions that, when executed by the hardware processor, configure the apparatus to;
  
  prevent a first message received from a user device from being delivered to a computing device associated with an external cloud different from the internal cloud, said preventing based on detecting that the first message includes plaintext user identity credentials associated with an application, wherein the apparatus is different from the user device;
  
  generate an encryption key;
  
  encrypt the plaintext user identity credentials using the encryption key;
  
  generate a first hash of the encryption key;
  
  transmit a second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud;
  
  in response to transmitting the second message including the encrypted user identity credentials and the first hash of the encryption key to the computing device associated with the external cloud, receive a routing address of a virtual delivery agent computing device from the computing device associated with the external cloud; and
  
  transmit a third message including the encryption key and the routing address of the virtual delivery agent computing device to the user device.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus of claim 13, wherein the encryption key is a random logon ticket.
  - 15. The apparatus of claim 13, wherein the internal cloud is administratively managed by a first entity and the external cloud is administratively managed by a second entity different from the first entity.
  - 16. The apparatus of claim 13, wherein the instructions, when executed by the hardware processor, further configure the apparatus to:
    - inspect each message being sent to the external cloud for user identity credentials.

17. A method comprising:
- preventing, by a computing device associated with an internal cloud and different from a user device, a first message received from the user device from being delivered to a computing device associated with an external cloud different from the internal cloud, said preventing being based on detecting that the first message includes plaintext user identity credentials associated with an internal application;
  
  extracting, by the computing device associated with the internal cloud, the plaintext user identity credentials included in the first message;
  
  generating, by the computing device associated with the internal cloud, a random logon ticket;
  
  encrypting, by the computing device associated with the internal cloud, the plaintext user identity credentials using the random logon ticket;
  
  generating, by the computing device associated with the internal cloud, a first hash of the random logon ticket;
  
  transmitting, by the computing device associated with the internal cloud and to the computing device associated with the external cloud, a second message including the encrypted user identity credentials and the first hash of the random logon ticket;
  
  in response to the transmitting, receiving, by the computing device associated with the internal cloud and from the computing device associated with the external cloud, a routing address of a virtual delivery agent computing device; and
  
  transmitting, from the computing device associated with the internal cloud and to the user device, a third message including the random logon ticket and the routing address of the virtual delivery agent computing device.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the random logon ticket is encrypted using a reversible encryption technique.
  - 19. The method of claim 17, wherein the internal cloud is administratively managed by a first entity and the external cloud is administratively managed by a second entity different from the first entity.
  - 20. The method of claim 17, further comprising:
    - receiving, by the virtual delivery agent computing device and from the user device, the random logon ticket;
      
      generating, by the virtual delivery agent computing device, a second hash of the random logon ticket;
      
      comparing, by the virtual delivery agent computing device, the first hash of the random logon ticket with the second hash of the random logon ticket; and
      
      in response to determining that the first hash of the random logon ticket matches the second hash of the random logon ticket, decrypting the encrypted user identity credentials using the random logon ticket and providing the user identity credentials to the internal application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Singleton, IV, Leo C, Cooper, Andy
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US15/149,707
Publication Number

US 20160330177A1
Time in Patent Office

1,240 Days
Field of Search

713153
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/554   involving event detection a...

G06F 21/6209   to a single file or object,...

H04L 63/0435   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/0827   involving distinctive inter...

Password encryption for hybrid cloud services

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Password encryption for hybrid cloud services

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links