Securing delegated credentials in third-party networks

US 10,511,575 B2
Filed: 09/18/2017
Issued: 12/17/2019
Est. Priority Date: 09/18/2017
Status: Active Grant

First Claim

Patent Images

1. A method for providing an endpoint device with access to a remote resource, comprising:

establishing, from an intermediate device, a first secure tunnel with the endpoint device, the first secure tunnel terminating within a trusted execution environment (TEE) in a processing unit of the intermediate device, wherein the TEE performs processor-based encryption on instructions and on data used by the instructions during execution of the instructions;

receiving, within the TEE and via the first secure tunnel, at least one credential from the endpoint device;

transmitting the at least one credential from the intermediate device to the remote resource via a second secure tunnel, the second secure tunnel between the remote resource and the intermediate device and originating within the TEE; and

in response to the at least one credential being accepted by the remote resource, enabling communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing an endpoint device with access to a remote resource are disclosed. A first secure tunnel with the endpoint device is established from an intermediate device, the first tunnel terminating within a trusted execution environment (TEE) in the intermediate device. At least one credential is received within the TEE and via the first secure tunnel from the endpoint device. The at least one credential is transmitted from the intermediate device to the remote resource via a second secure tunnel, the second tunnel located between the remote resource and the intermediate device and originating within the TEE. In response to the at least one credential being accepted by the remote resource, communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels are enabled.

Citations

20 Claims

1. A method for providing an endpoint device with access to a remote resource, comprising:
- establishing, from an intermediate device, a first secure tunnel with the endpoint device, the first secure tunnel terminating within a trusted execution environment (TEE) in a processing unit of the intermediate device, wherein the TEE performs processor-based encryption on instructions and on data used by the instructions during execution of the instructions;
  
  receiving, within the TEE and via the first secure tunnel, at least one credential from the endpoint device;
  
  transmitting the at least one credential from the intermediate device to the remote resource via a second secure tunnel, the second secure tunnel between the remote resource and the intermediate device and originating within the TEE; and
  
  in response to the at least one credential being accepted by the remote resource, enabling communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising receiving, at the intermediate device, a request to access the remote resource from the endpoint device prior to establishing the first secure tunnel, and establishing the first secure tunnel in response to the request.
  - 3. The method of claim 2, further comprising constructing the TEE within the intermediate device in response to receiving the request.
  - 4. The method of claim 2, further comprising establishing the second secure tunnel in response to the request to access the remote resource.
  - 5. The method of claim 1, further comprising storing the at least one credential within the TEE.
  - 6. The method of claim 1, further comprising:
    - receiving, at the intermediate device, a request from the endpoint device to terminate the access to the remote resource;
      
      deleting the at least one credential from the TEE; and
      
      terminating at least one of the first secure tunnel and the second secure tunnel.
  - 7. The method of claim 1, wherein the enabling the communications between the endpoint device and the remote resource comprises:
    - receiving, at the intermediate device, plaintext data from the endpoint device within the TEE;
      
      encrypting the plaintext data with a data encryption key within the TEE to produce encrypted data; and
      
      transmitting the encrypted data to the remote resource via the second secure tunnel.
  - 8. The method of claim 7, further comprising deleting the plaintext data from the TEE after encrypting the plaintext data.
  - 9. The method of claim 7, further comprising instructing the endpoint device to delete the plaintext data from the endpoint device after the transmitting the encrypted data to the remote resource.
  - 10. The method of claim 1, wherein establishing the first secure tunnel with the endpoint device comprises establishing a transport-layer security connection between the endpoint device and the TEE.

11. An intermediate device for providing an endpoint device with access to a remote resource, comprising:
- a processing unit comprising a trusted execution environment (TEE); and
  
  a non-transitory computer-readable memory communicatively coupled to the processing unit and comprising computer-readable program instructions executable by the processing unit for;
  
  establishing, from the intermediate device, a first secure tunnel with the endpoint device, the first secure tunnel terminating within the TEE, wherein the TEE performs processor-based encryption on instructions and on data used by the instructions during execution of the instructions;
  
  receiving, within the TEE and via the first secure tunnel, at least one credential from the endpoint device;
  
  transmitting the at least one credential from the intermediate device to the remote resource via a second secure tunnel, the second secure tunnel between the remote resource and the intermediate device and originating within the TEE; and
  
  in response to the at least one credential being accepted by the remote resource, enabling communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The intermediate device of claim 11, wherein the computer-readable program instructions are further executable by the processing unit for receiving, at the intermediate device, a request to access the remote resource from the endpoint device prior to establishing the first secure tunnel, and establishing the first secure tunnel in response to the request.
  - 13. The intermediate device of claim 12, wherein the computer-readable program instructions are further executable by the processing unit for constructing the TEE within the intermediate device in response to receiving the request.
  - 14. The intermediate device of claim 12, wherein the computer-readable program instructions are further executable by the processing unit for establishing the second secure tunnel in response to the request to access the remote resource.
  - 15. The intermediate device of claim 11, wherein the computer-readable program instructions are further executable by the processing unit for storing the at least one credential within the TEE.
  - 16. The intermediate device of claim 11, wherein the computer-readable program instructions are further executable by the processing unit for:
    - receiving, at the intermediate device, a request from the endpoint device to terminate the access to the remote resource;
      
      deleting the at least one credential from the TEE; and
      
      terminating at least one of the first secure tunnel and the second secure tunnel.
  - 17. The intermediate device of claim 11, wherein the enabling the communications between the endpoint device and the remote resource comprises:
    - receiving, at the intermediate device, plaintext data from the endpoint device within the TEE;
      
      encrypting the plaintext data with a data encryption key within the TEE to produce encrypted data; and
      
      transmitting the encrypted data to the remote resource via the second secure tunnel.
  - 18. The intermediate device of claim 17, wherein the computer-readable program instructions are further executable by the processing unit for deleting the plaintext data from the TEE after encrypting the plaintext data.
  - 19. The intermediate device of claim 17, wherein the computer-readable program instructions are further executable by the processing unit for instructing the endpoint device to delete the plaintext data from the endpoint device after the transmitting the encrypted data to the remote resource.
  - 20. The intermediate device of claim 11, wherein establishing the first secure tunnel with the endpoint device comprises establishing a transport-layer security connection between the endpoint device and the TEE.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Gigov, Nikolay, Tan, Yin, Lambert, Robert
Primary Examiner(s)
Chang, Kenneth W

Application Number

US15/707,528
Publication Number

US 20190089676A1
Time in Patent Office

820 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

Securing delegated credentials in third-party networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing delegated credentials in third-party networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links