Secure asymmetric key application data sharing

US 10,447,681 B2
Filed: 02/24/2017
Issued: 10/15/2019
Est. Priority Date: 12/07/2016
Status: Active Grant

First Claim

Patent Images

1. A method for secure data sharing between applications of a client device, comprising:

retrieving an encrypted master key from a shared memory of the client device, the shared memory comprising a memory area for secure data sharing among a plurality of single sign on applications;

decrypting the encrypted master key using an access interval key to provide a master key, the access interval key being generated using an access code as a seed to a key derivative function, encrypted by at least one public key of at least one of the plurality of single sign on applications, and stored in the shared memory to establish a current sign on session;

retrieving at least one encrypted shared data element from the shared memory; and

decrypting the at least one encrypted shared data element using the master key, wherein the at least one encrypted shared data element comprises a data element shared between the plurality of single sign on applications.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To establish a sign on session among single sign on (SSO)-enabled applications, a user can be prompted by an application for an access code. An access interval key can be generated using a key derivative function based on the access code. The access interval key can be considered a session key, and it can be used during a valid SSO session to decrypt a master key stored in a shared memory. In turn, the master key can be used to encrypt and decrypt the contents of the shared memory. To securely distribute the access interval key among the SSO-enabled applications during a current session, individual SSO-enabled applications can each store a public key in the shared memory. The access interval key can then be encrypted, respectively, by the public keys of the SSO-enabled applications and stored in the shared memory to be retrieved securely by the SSO-enabled applications.

4 Citations

20 Claims

1. A method for secure data sharing between applications of a client device, comprising:
- retrieving an encrypted master key from a shared memory of the client device, the shared memory comprising a memory area for secure data sharing among a plurality of single sign on applications;
  
  decrypting the encrypted master key using an access interval key to provide a master key, the access interval key being generated using an access code as a seed to a key derivative function, encrypted by at least one public key of at least one of the plurality of single sign on applications, and stored in the shared memory to establish a current sign on session;
  
  retrieving at least one encrypted shared data element from the shared memory; and
  
  decrypting the at least one encrypted shared data element using the master key, wherein the at least one encrypted shared data element comprises a data element shared between the plurality of single sign on applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, further comprising:
    - determining that at least a private key of a key pair is not available; and
      
      based on a determination that at least the private key is not available, at least one of generating the key pair, retrieving the key pair from the shared memory, or retrieving the key pair from a secure enclave processor.
  - 3. The method according to claim 1, further comprising:
    - determining that the current sign on session is valid;
      
      retrieving an encrypted access interval key from the shared memory; and
      
      decrypting the encrypted access interval key using a private key to provide the access interval key.
  - 4. The method according to claim 1, further comprising:
    - determining that the current sign on session is not valid; and
      
      clearing a plurality of encrypted master keys stored, respectively, for the plurality of single sign on applications from the shared memory.
  - 5. The method according to claim 4, further comprising prompting for an access code to establish a new sign on session for the plurality of single sign on applications in response to determining that the current sign on session is not valid.
  - 6. The method according to claim 5, further comprising generating the access interval key using a key generation function based on the access code.
  - 7. The method according to claim 6, further comprising:
    - retrieving a plurality of public keys stored, respectively, for the plurality of single sign on applications from the shared memory;
      
      encrypting the access interval key, respectively, by the plurality of public keys to provide a plurality of encrypted access interval keys; and
      
      storing the plurality of encrypted access interval keys in the shared memory to make the access interval key available to the plurality of single sign on applications for a new sign on session.

8. A non-transitory computer-readable medium embodying program code executable in a client device for secure data sharing between applications of the client device, wherein the program code, when executed by the client device, directs the client device to at least:
- retrieve an encrypted master key from a shared memory local to a client device, the shared memory comprising a memory area for secure data sharing among a plurality of single sign on applications;
  
  decrypt the encrypted master key using an access interval key to provide a master key, the access interval key being generated using an access code as a seed to a key derivative function, encrypted by at least one public key of at least one of the plurality of single sign on applications, and stored in the shared memory to establish a current sign on session;
  
  retrieve at least one encrypted shared data element from the shared memory; and
  
  decrypt the at least one encrypted shared data element using the master key, wherein the at least one encrypted shared data element comprises a data element shared between the plurality of single sign on applications.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium according to claim 8, wherein the client device is further directed to at least:
    - determine that at least a private key of a key pair is not available; and
      
      at least one of generate the key pair, retrieve the key pair from the shared memory, or retrieve the key pair from a secure enclave processor.
  - 10. The non-transitory computer-readable medium according to claim 8, wherein the client device is further directed to at least:
    - determine that the current sign on session is valid;
      
      retrieve an encrypted access interval key from the shared memory; and
      
      decrypt the encrypted access interval key using a private key to provide the access interval key.
  - 11. The non-transitory computer-readable medium according to claim 8, wherein the client device is further directed to at least:
    - determine that the current sign on session is not valid; and
      
      clear a plurality of encrypted master keys stored, respectively, for the plurality of single sign on applications from the shared memory.
  - 12. The non-transitory computer-readable medium according to claim 11, wherein the at least one computing client device is further directed to at least prompt for an access code to establish a new sign on session for the plurality of single sign on applications.
  - 13. The non-transitory computer-readable medium according to claim 12, wherein the client device is further directed to at least generate the access interval key using a key generation function based on the access code.
  - 14. The non-transitory computer-readable medium according to claim 13, wherein the client device is further directed to at least:
    - retrieve a plurality of public keys stored, respectively, for the plurality of single sign on applications from the shared memory;
      
      encrypt the access interval key, respectively, by the plurality of public keys to provide a plurality of encrypted access interval keys; and
      
      store the plurality of encrypted access interval keys in the shared memory to make the access interval key available to the plurality of single sign on applications for a new sign on session.

15. A system for secure data sharing between applications of a client device, the system comprising:
- a memory device configured to store computer-readable instructions thereon; and
  
  at least one processing device configured, through execution of the computer-readable instructions, to;
  
  retrieve an encrypted master key from a shared memory of the client device, the shared memory comprising a memory area for secure data sharing among a plurality of single sign on applications;
  
  decrypt the encrypted master key using an access interval key to provide a master key, the access interval key being generated using an access code as a seed to a key derivative function, encrypted by at least one public key of at least one of the plurality of single sign on applications, and stored in the shared memory to establish a current sign on session;
  
  retrieve at least one encrypted shared data element from the shared memory; and
  
  decrypt the at least one encrypted shared data element using the master key, wherein the at least one encrypted shared data element comprises a data element shared between the plurality of single sign on applications.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system according to claim 15, wherein the at least one processing device is further configured to at least:
    - determine that at least a private key of a key pair is not available; and
      
      at least one of generate the key pair, retrieve the key pair from the shared memory, or retrieve the key pair from a secure enclave processor.
  - 17. The system according to claim 15, wherein the at least one processing device is further configured to at least:
    - determine that the current sign on session is valid;
      
      retrieve an encrypted access interval key from the shared memory; and
      
      decrypt the encrypted access interval key using a private key to provide the access interval key.
  - 18. The system according to claim 15, wherein the at least one processing device is further configured to at least:
    - determine that the current sign on session is not valid; and
      
      clear a plurality of encrypted master keys stored, respectively, for the plurality of single sign on applications from the shared memory.
  - 19. The system according to claim 18, wherein the at least one processing device is further configured to at least prompt for an access code to establish a new sign on session for the plurality of single sign on applications.
  - 20. The system according to claim 19, wherein the at least one processing device is further configured to at least:
    - generate the access interval key using a key generation function based on the access code;
      
      retrieve a plurality of public keys stored, respectively, for the plurality of single sign on applications from the shared memory;
      
      encrypt the access interval key, respectively, by the plurality of public keys to provide a plurality of encrypted access interval keys; and
      
      store the plurality of encrypted access interval keys in the shared memory to make the access interval key available to the plurality of single sign on applications for a new sign on session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Sajja, Kishore, Chen, Lucas, Rajan, Raghuram, Panwar, Anuj, Naga Kaipu, Sandeep, Singh, Rajiv
Primary Examiner(s)
Lipman, Jacob

Application Number

US15/442,175
Publication Number

US 20180159843A1
Time in Patent Office

963 Days
Field of Search

713168
US Class Current
CPC Class Codes

G06F 3/0622   in relation to access

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

H04L 63/0442   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

Secure asymmetric key application data sharing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

4 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure asymmetric key application data sharing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links