Shared secret vault for applications with single sign on
First Claim
1. A method comprising:
- generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key;
receiving, by a first application executing on the computing device, first user entropy from a user associated with the shared vault;
decrypting, by the first application, a first vault key record using the first user entropy to generate a first copy of the vault key;
decrypting, by the first application, the vault database using the first copy of the vault key;
retrieving, by the first application, first network resource access credentials from a network service using user credentials associated with the user;
writing, by the first application, the first network resource access credentials to the vault database;
accessing, by a second application executing on the computing device and using second user entropy, the vault database to retrieve an unlock key by;
receiving, by the second application, the second user entropy from the user associated with the shared vault;
decrypting, by the second application, the first vault key record using the second user entropy to generate a third copy of the vault key;
decrypting, by the second application, the vault database using the third copy of the vault key; and
retrieving, by the second application, the unlock key from the vault database;
decrypting, by the second application, a second vault key record using the unlock key to generate a second copy of the vault key, wherein a copy of the unlock key is stored in application memory associated with the second application; and
accessing, by the second application and using the second copy of the vault key, the vault database to retrieve the first network resource access credentials.
8 Assignments
0 Petitions
Accused Products
Abstract
Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
-
Citations
19 Claims
-
1. A method comprising:
-
generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key; receiving, by a first application executing on the computing device, first user entropy from a user associated with the shared vault; decrypting, by the first application, a first vault key record using the first user entropy to generate a first copy of the vault key; decrypting, by the first application, the vault database using the first copy of the vault key; retrieving, by the first application, first network resource access credentials from a network service using user credentials associated with the user; writing, by the first application, the first network resource access credentials to the vault database; accessing, by a second application executing on the computing device and using second user entropy, the vault database to retrieve an unlock key by; receiving, by the second application, the second user entropy from the user associated with the shared vault; decrypting, by the second application, the first vault key record using the second user entropy to generate a third copy of the vault key; decrypting, by the second application, the vault database using the third copy of the vault key; and retrieving, by the second application, the unlock key from the vault database; decrypting, by the second application, a second vault key record using the unlock key to generate a second copy of the vault key, wherein a copy of the unlock key is stored in application memory associated with the second application; and accessing, by the second application and using the second copy of the vault key, the vault database to retrieve the first network resource access credentials. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system comprising:
-
one or more processors; memory; a shared vault stored in the memory and comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key; a first application stored in the memory and comprising first instructions that, when executed by the one or more processors, cause the system to; receive, by the first application, first user entropy from a user associated with the shared vault; decrypt, by the first application, a first vault key record using the first user entropy to generate a first copy of the vault key; decrypt, by the first application, the vault database using the first copy of the vault key; retrieve, by the first application, first network resource access credentials from a network service using user credentials associated with the user; write, by the first application, the first network resource access credentials to the vault database; and a second application, different from the first application, stored in the memory and comprising second instructions that, when executed by the one or more processors, cause the system to; access, by the second application and using second user entropy, the vault database to retrieve an unlock key by causing the system to; receive, by the second application, the second user entropy from the user associated with the shared vault; decrypt, by the second application, the first vault key record using the second user entropy to generate a third copy of the vault key; decrypt, by the second application, the vault database using the third copy of the vault key; and retrieve, by the second application, the unlock key from the vault database; decrypt, by the second application, a second vault key record using the unlock key to generate a second copy of the vault key, wherein a copy of the unlock key is stored in application memory associated with the second application; and access, by the second application and using the second copy of the vault key, the vault database to retrieve the first network resource access credentials. - View Dependent Claims (13, 14, 15)
-
-
16. One or more non-transitory computer readable media storing instructions that, when executed by one or more processors, cause a computing device to perform steps comprising:
-
generating a shared vault comprising a vault database encrypted using a vault key; receiving, by a first application executing on the computing device, first user entropy from a user associated with the shared vault; decrypting, by the first application, a first vault key record using the first user entropy to generate a first copy of the vault key; decrypting, by the first application, the vault database using the first copy of the vault key; retrieving, by the first application, first network resource access credentials from a network service using user credentials associated with the user; writing, by the first application, the first network resource access credentials to the vault database; accessing, by a second application executing on the computing device and using second user entropy, the vault database to retrieve an unlock key by; receiving, by the second application, the second user entropy from the user associated with the shared vault; decrypting, by the second application, the first vault key record using the second user entropy to generate a third copy of the vault key; decrypting, by the second application, the vault database using the third copy of the vault key; and retrieving, by the second application, the unlock key from the vault database; decrypting, by the second application, a second vault key record using the unlock key to generate a second copy of the vault key, wherein a copy of the unlock key is stored in application memory associated with the second application; and accessing, by the second application and using the second copy of the vault key, the vault database to retrieve the first network resource access credentials. - View Dependent Claims (17, 18, 19)
-
Specification