Securing delegated credentials in third-party networks
Abstract
Methods and systems for providing an endpoint device with access to a remote resource are disclosed. A first secure tunnel with the endpoint device is established from an intermediate device, the first tunnel terminating within a trusted execution environment (TEE) in the intermediate device. At least one credential is received within the TEE and via the first secure tunnel from the endpoint device. The at least one credential is transmitted from the intermediate device to the remote resource via a second secure tunnel, the second tunnel located between the remote resource and the intermediate device and originating within the TEE. In response to the at least one credential being accepted by the remote resource, communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels are enabled.
Claims (20 in total; claims 2 to 10 depend from claim 1 and claims 12 to 20 depend from claim 11)

1. A method for providing an endpoint device with access to a remote resource, comprising:
establishing, from an intermediate device, a first secure tunnel with the endpoint device, the first secure tunnel terminating within a trusted execution environment (TEE) in a processing unit of the intermediate device, wherein the TEE performs processor-based encryption on instructions and on data used by the instructions during execution of the instructions;
receiving, within the TEE and via the first secure tunnel, at least one credential from the endpoint device;
transmitting the at least one credential from the intermediate device to the remote resource via a second secure tunnel, the second secure tunnel between the remote resource and the intermediate device and originating within the TEE; and
in response to the at least one credential being accepted by the remote resource, enabling communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels.

11. An intermediate device for providing an endpoint device with access to a remote resource, comprising:
a processing unit comprising a trusted execution environment (TEE); and
a non-transitory computer-readable memory communicatively coupled to the processing unit and comprising computer-readable program instructions executable by the processing unit for:
establishing, from the intermediate device, a first secure tunnel with the endpoint device, the first secure tunnel terminating within the TEE, wherein the TEE performs processor-based encryption on instructions and on data used by the instructions during execution of the instructions;
receiving, within the TEE and via the first secure tunnel, at least one credential from the endpoint device;
transmitting the at least one credential from the intermediate device to the remote resource via a second secure tunnel, the second secure tunnel between the remote resource and the intermediate device and originating within the TEE; and
in response to the at least one credential being accepted by the remote resource, enabling communications between the endpoint device and the remote resource via the TEE in the intermediate device through the first and second secure tunnels.
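The two-tunnel flow of claims 1 and 11, as an added worked example in Go that is not part of the patent and is not code from any product: the endpoint opens a TLS tunnel that terminates in the TEE part of the intermediate device; the TEE reads the credential, originates a second TLS tunnel of its own to the remote resource, forwards the credential, relays the verdict to the endpoint and, on acceptance, bridges the two tunnels. Everything beyond the claim text is an assumption made for the demonstration: the hostnames tee.example and remote.example, the credential string, the newline-delimited protocol (credential line, ACCEPTED or REJECTED verdict, then request and reply lines), and in-memory net.Pipe connections standing in for the network. Session tickets are disabled on both TLS servers because net.Pipe is synchronous and an unread post-handshake message would otherwise block the peer.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// Accepted credential and the two tunnel hostnames, all constructed for this example.
const validCredential, teeName, remoteName = "endpoint-token-123", "tee.example", "remote.example"

// identity builds a self-signed TLS certificate for name plus a pool that trusts only it.
func identity(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // parsing the DER we just produced cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// remoteResource terminates the second tunnel, accepts or rejects the first line as a credential and then answers every further line.
func remoteResource(raw net.Conn, id tls.Certificate) {
	c := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{id}, SessionTicketsDisabled: true})
	defer c.Close()
	r := bufio.NewReader(c)
	if cred, err := r.ReadString('\n'); err != nil || strings.TrimSuffix(cred, "\n") != validCredential {
		io.WriteString(c, "REJECTED\n")
		return
	}
	io.WriteString(c, "ACCEPTED\n")
	for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
		io.WriteString(c, "resource: "+line)
	}
}

// teeBroker is the TEE side of the intermediate device: it terminates the endpoint's tunnel, forwards the
// credential over a second tunnel it originates, relays the verdict and, on acceptance, bridges the tunnels.
func teeBroker(fromEndpoint, toRemote net.Conn, id tls.Certificate, remoteRoots *x509.CertPool) {
	in := tls.Server(fromEndpoint, &tls.Config{Certificates: []tls.Certificate{id}, SessionTicketsDisabled: true})
	out := tls.Client(toRemote, &tls.Config{RootCAs: remoteRoots, ServerName: remoteName})
	defer in.Close()
	defer out.Close()
	inR, outR := bufio.NewReader(in), bufio.NewReader(out)
	cred, err := inR.ReadString('\n') // the plaintext credential exists only from here on, inside the TEE
	if err != nil {
		return
	}
	io.WriteString(out, cred)           // and leaves it only inside tunnel 2
	verdict, _ := outR.ReadString('\n') // an empty verdict (tunnel failure) counts as a rejection
	io.WriteString(in, verdict)
	if strings.TrimSuffix(verdict, "\n") != "ACCEPTED" {
		io.Copy(io.Discard, outR) // let each peer hang up first so that no close_notify blocks
		io.Copy(io.Discard, inR)
		return
	}
	go func() { io.Copy(out, inR); out.Close() }() // endpoint -> remote until the endpoint hangs up
	io.Copy(in, outR)                              // remote -> endpoint
}

// runSession wires an endpoint, the intermediate device and the remote resource together over in-memory
// pipes, plays the endpoint, and returns the verdict and the reply to one request sent after acceptance.
func runSession(credential string) (verdict, reply string) {
	teeID, teeRoots := identity(teeName)
	remoteID, remoteRoots := identity(remoteName)
	epSide, teeIn := net.Pipe()
	teeOut, remoteSide := net.Pipe()
	go remoteResource(remoteSide, remoteID)
	go teeBroker(teeIn, teeOut, teeID, remoteRoots) // the host hands the TEE only raw connections
	c := tls.Client(epSide, &tls.Config{RootCAs: teeRoots, ServerName: teeName})
	defer c.Close()
	r := bufio.NewReader(c)
	io.WriteString(c, credential+"\n")
	verdict, _ = r.ReadString('\n')
	if verdict = strings.TrimSuffix(verdict, "\n"); verdict == "ACCEPTED" {
		io.WriteString(c, "ping\n")
		reply, _ = r.ReadString('\n')
	}
	return verdict, strings.TrimSuffix(reply, "\n")
}
func main() { fmt.Println(runSession(validCredential)) }
```

The host half of the intermediate device (runSession here) only ever hands the TEE raw connections carrying TLS ciphertext, so the plaintext credential is confined to teeBroker; that confinement is what the claim relies on. The processor-based encryption of the TEE's instructions and data that the claim recites is what keeps the plaintext out of the host's reach in hardware, and goroutine separation in this example does not reproduce it: the example shows the protocol sequencing and the rejection path, where both tunnels are torn down without ever being bridged. Running it with a wrong credential returns REJECTED and an empty reply.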