PROTECTING USER CREDENTIALS FROM A COMPUTING DEVICE

US 20130205360A1
Filed: 02/08/2012
Published: 08/08/2013
Est. Priority Date: 02/08/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a credential service, the method comprising:

receiving, from a computing device, a request to provide user credentials associated with a user of the computing device to an identity provider;

receiving, from the computing device, secure session parameters for a first secure session between the computing device and the identity provider;

renegotiating or resuming, from the credential service, the first secure session, resulting in a second secure session between the credential service and the identity provider; and

providing the user credentials associated with the user to the identity provider via the second secure session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting user credentials from a computing device includes establishing a secure session between a computing device and an identity provider (e.g., a Web service). Parameters of the secure session are communicated to a credential service, which renegotiates or resumes the secure session to establish a new secure session between the credential service and the identity provider. User credentials are passed from the credential service to the identity provider via the new secure session, but the computing device does not have the parameters of the new secure session and thus does not have access to the passed user credentials. The credential service then renegotiates or resumes the secure session again to establish an additional secure session between the credential service and the identity provider. Parameters of the additional secure session are communicated to the computing device to allow the computing device to continue communicating securely with the identity provider.

Citations

20 Claims

1. A method implemented by a credential service, the method comprising:
- receiving, from a computing device, a request to provide user credentials associated with a user of the computing device to an identity provider;
  
  receiving, from the computing device, secure session parameters for a first secure session between the computing device and the identity provider;
  
  renegotiating or resuming, from the credential service, the first secure session, resulting in a second secure session between the credential service and the identity provider; and
  
  providing the user credentials associated with the user to the identity provider via the second secure session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1, further comprising:
    - renegotiating the second or subsequent secure session, resulting in a third or subsequent secure session between the credential service and the identity provider; and
      
      providing, to the computing device, secure session parameters for the third or subsequent secure session.
  - 3. A method as recited in claim 1, the identity provider being one of multiple identity providers, the method further comprising:
    - maintaining multiple different user credentials associated with the user, each of the multiple different user credentials being associated with a different one of the multiple identity providers; and
      
      identifying, based on the identity provider, which of the multiple different user credentials to provide as the user credentials.
  - 4. A method as recited in claim 1, the secure session parameters for the first secure session comprising a Secure Sockets Layer (SSL) keys, one or more sequence numbers, and a channel binding token.
  - 5. A method as recited in claim 1, the user credentials comprising a user name and password.
  - 6. A method as recited in claim 1, the computing device being an intermediary in the second secure session without knowledge of secure session parameters for the second secure session.
  - 7. A method as recited in claim 1, further comprising:
    - maintaining the user credentials encrypted;
      
      receiving, from the computing device, a value decrypted based on a key of the computing device; and
      
      decrypting, based on both the key of the credential service and the value decrypted based on the key of the computing device, the user credentials prior to providing the user credentials to the identity provider.
  - 8. A method as recited in claim 1, further comprising:
    - obtaining, from an additional identity provider in response to a user request for a temporary credit card number, a temporary credit card number associated with the identity provider; and
      
      providing the temporary credit card number to the identity provider without the computing device having knowledge of the temporary credit card number.
  - 9. A method as recited in claim 1, further comprising receiving, from the computing device, information authenticating the user to the credential service in order for the user credentials to be provided to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device.
  - 10. A method as recited in claim 9, further comprising maintaining a record of which devices are known devices for the user, and allowing a known status of any one or more of the known devices to be revoked.
  - 11. A method as recited in claim 1, further comprising:
    - maintaining, associated with the user credentials, a policy indicating one or more conditions that are to be satisfied in order for the user credentials to be provided to the identity provider; and
      
      providing the user credentials to the identity provider only if the one or more conditions are satisfied.

12. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- receive, from an identity provider, a request for user credentials of a user of the computing device;
  
  receive a user request for the user credentials associated with the identity provider to be provided by a credential service;
  
  provide, to the credential service and in response to the user request, secure session parameters for a first secure session between the computing device and the identity provider; and
  
  communicate, to the identity provider via a second secure session between the credential service and the identity provider, the user credentials received from the credential service.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. One or more computer storage media as recited in claim 12, the instructions causing the one or more processors to receive the request for user credentials and to receive the user request being included in a Web browser of the computing device.
  - 14. One or more computer storage media as recited in claim 13, the identity provider comprising a Web service, and the instructions causing the one or more processors to receive the request for user credentials comprising instructions causing the one or more processors to automatically detect a Web page, received from the Web service, that is requesting user credentials of the user.
  - 15. One or more computer storage media as recited in claim 12, the multiple instructions further causing the one or more processors to:
    - receive, from the credential service, an indication of at least part of each of multiple user credentials associated with both the user and the identity provider;
      
      display the at least part of each of multiple user credentials associated with both the user and the identity provider; and
      
      receive, as the user request, a user selection of one of the at least part of each of multiple user credentials associated with both the user and the identity provider.
  - 16. One or more computer storage media as recited in claim 12, the computing device being an intermediary in the second secure session without knowledge of the secure session parameters for the second secure session.
  - 17. One or more computer storage media as recited in claim 12, the multiple instructions further causing the one or more processors to receive user input to authenticate the user to the credential service in order for the credential service to provide the user credentials to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device.
  - 18. One or more computer storage media as recited in claim 12, the instructions causing the one or more processors to communicate the user credentials received from the credential service comprising instructions causing the one or more processors to communicate the user credentials received from the credential service to the identity provider without knowledge on the part of the identity provider that the second secure session is between the identity provider and the credential service.
  - 19. One or more computer storage media as recited in claim 12, the multiple instructions further causing the one or more processors to:
    - receive, from the credential service, a value;
      
      receive a user request confirming that the credential service is to provide the user credentials to the identity provider; and
      
      in response to the user request confirming that the credential service is to provide the user credentials to the identity provider, decrypt the value and return the decrypted value to the credential service.

20. A method implemented by a credential service, the method comprising:
- receiving, from a computing device, a request to provide to an identity provider user credentials associated with both a user of the computing device and the identity provider, the user credentials being maintained encrypted by the credential service;
  
  receiving, from the computing device, secure session parameters for a first secure session between the computing device and the identity provider;
  
  receiving, from the computing device, a value decrypted based on a computing device key;
  
  renegotiating or resuming, from the credential service, the first secure session, resulting in a second secure session between the credential service and the identity provider, the computing device having no knowledge of the secure session parameters for the second secure session;
  
  decrypting, based on the value and a credential service key, the user credentials;
  
  providing the user credentials to the identity provider via the second secure session;
  
  renegotiating or resuming the second secure session, resulting in a third secure session between the credential service and the identity provider; and
  
  providing, to the computing device, secure session parameters for the third secure session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Novak, Mark F., Layman, Andrew J.

Granted Patent

US 9,191,394 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04W 12/068   using credential vaults, e....

PROTECTING USER CREDENTIALS FROM A COMPUTING DEVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING USER CREDENTIALS FROM A COMPUTING DEVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links