PROTECTING USER CREDENTIALS FROM A COMPUTING DEVICE
First Claim
1. A method implemented by a credential service, the method comprising:
receiving, from a computing device, a request to provide user credentials associated with a user of the computing device to an identity provider;
receiving, from the computing device, secure session parameters for a first secure session between the computing device and the identity provider;
renegotiating or resuming, from the credential service, the first secure session, resulting in a second secure session between the credential service and the identity provider; and
providing the user credentials associated with the user to the identity provider via the second secure session.
2 Assignments
0 Petitions
Abstract
Protecting user credentials from a computing device includes establishing a secure session between a computing device and an identity provider (e.g., a Web service). Parameters of the secure session are communicated to a credential service, which renegotiates or resumes the secure session to establish a new secure session between the credential service and the identity provider. User credentials are passed from the credential service to the identity provider via the new secure session, but the computing device does not have the parameters of the new secure session and thus does not have access to the passed user credentials. The credential service then renegotiates or resumes the secure session again to establish an additional secure session between the credential service and the identity provider. Parameters of the additional secure session are communicated to the computing device to allow the computing device to continue communicating securely with the identity provider.
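The abstract describes three secure sessions: the device's original session with the identity provider, a second session that the credential service derives by renegotiating or resuming the first (and whose parameters the device never sees), and a third session handed back to the device. The following is an added illustration, not the patent's implementation and not real TLS: it models resumption as deriving a fresh session secret from the previous secret plus handshake randoms known only to the two parties of that handshake, and uses an HMAC-SHA256 keystream in place of a real record-layer cipher so that it runs on the Python standard library alone. The `IdentityProvider`, `SessionParams`, `resume` and `run_flow` names are constructed for this example.

```python
# Toy model of the abstract's three-session credential-delegation flow (constructed example,
# not the patent's implementation and not real TLS). "Renegotiation/resumption" is modelled as
# deriving a fresh session secret from the previous one plus fresh randoms that only the two
# parties to that handshake see. Encryption is an HMAC-SHA256 keystream, chosen only so the
# example runs on the standard library.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionParams:
    session_id: bytes
    master_secret: bytes


def traffic_key(params: SessionParams) -> bytes:
    return hmac.new(params.master_secret, b"traffic|" + params.session_id, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(params: SessionParams, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + _keystream_xor(traffic_key(params), nonce, plaintext)


def decrypt(params: SessionParams, record: bytes) -> bytes:
    return _keystream_xor(traffic_key(params), record[:12], record[12:])


def resume(prev: SessionParams, client_random: bytes, server_random: bytes) -> SessionParams:
    """One resumption/renegotiation step: the new secret is bound to the old one plus fresh randoms."""
    new_secret = hmac.new(prev.master_secret, b"resume|" + client_random + server_random,
                          hashlib.sha256).digest()
    new_id = hashlib.sha256(prev.session_id + client_random + server_random).digest()[:16]
    return SessionParams(new_id, new_secret)


class IdentityProvider:
    """Keeps every session it has negotiated, keyed by session id."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def new_session(self) -> SessionParams:
        params = SessionParams(os.urandom(16), os.urandom(32))
        self.sessions[params.session_id] = params
        return params

    def handle_resume(self, session_id: bytes, client_random: bytes):
        """Server side of a resumption: pick a server random and derive the new session."""
        server_random = os.urandom(32)
        params = resume(self.sessions[session_id], client_random, server_random)
        self.sessions[params.session_id] = params
        return server_random, params

    def receive(self, session_id: bytes, record: bytes) -> bytes:
        return decrypt(self.sessions[session_id], record)


def credential_service_resume(idp: IdentityProvider, prev: SessionParams) -> SessionParams:
    """Client side of a resumption run by the credential service; the device never sees the randoms."""
    client_random = os.urandom(32)
    server_random, _ = idp.handle_resume(prev.session_id, client_random)
    return resume(prev, client_random, server_random)


def run_flow(credentials: bytes, follow_up: bytes = b"GET /inbox") -> dict:
    idp = IdentityProvider()
    session1 = idp.new_session()          # device <-> IdP; the device holds these parameters
    device_sessions = [session1]

    # The device hands the session1 parameters to the credential service, which resumes
    # the session itself; session2 is known to the credential service and the IdP only.
    session2 = credential_service_resume(idp, session1)
    cred_record = encrypt(session2, credentials)
    idp_got = idp.receive(session2.session_id, cred_record)

    # The device can observe the record on the wire but only holds session1 (later session3).
    device_view = decrypt(session1, cred_record)

    # The credential service resumes again and hands the session3 parameters to the device,
    # which continues talking to the IdP under session3.
    session3 = credential_service_resume(idp, session2)
    device_sessions.append(session3)
    follow_record = encrypt(session3, follow_up)
    idp_got_follow_up = idp.receive(session3.session_id, follow_record)

    return {
        "idp_received_credentials": idp_got,
        "device_view_of_credentials": device_view,
        "device_holds_session2": session2 in device_sessions,
        "idp_received_after_handoff": idp_got_follow_up,
    }


if __name__ == "__main__":
    print(run_flow(b"alice:correct-horse-battery"))
```

The point the model makes concrete is that the device's inability to read the credentials rests on the fresh handshake randoms of the second session being exchanged between the credential service and the identity provider only; if those randoms (or the derived session2 secret) were ever shared with the device, the protection described in the abstract would not hold.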
20 Claims
1. A method implemented by a credential service, the method comprising:
receiving, from a computing device, a request to provide user credentials associated with a user of the computing device to an identity provider;
receiving, from the computing device, secure session parameters for a first secure session between the computing device and the identity provider;
renegotiating or resuming, from the credential service, the first secure session, resulting in a second secure session between the credential service and the identity provider; and
providing the user credentials associated with the user to the identity provider via the second secure session.
Dependent claims 2 to 11 depend on claim 1.
12. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
receive, from an identity provider, a request for user credentials of a user of the computing device;
receive a user request for the user credentials associated with the identity provider to be provided by a credential service;
provide, to the credential service and in response to the user request, secure session parameters for a first secure session between the computing device and the identity provider; and
communicate, to the identity provider via a second secure session between the credential service and the identity provider, the user credentials received from the credential service.
Dependent claims 13 to 19 depend on claim 12.
20. A method implemented by a credential service, the method comprising:
receiving, from a computing device, a request to provide to an identity provider user credentials associated with both a user of the computing device and the identity provider, the user credentials being maintained encrypted by the credential service;
receiving, from the computing device, secure session parameters for a first secure session between the computing device and the identity provider;
receiving, from the computing device, a value decrypted based on a computing device key;
renegotiating or resuming, from the credential service, the first secure session, resulting in a second secure session between the credential service and the identity provider, the computing device having no knowledge of the secure session parameters for the second secure session;
decrypting, based on the value and a credential service key, the user credentials;
providing the user credentials to the identity provider via the second secure session;
renegotiating or resuming the second secure session, resulting in a third secure session between the credential service and the identity provider; and
providing, to the computing device, secure session parameters for the third secure session.