Shared Secret Vault for Applications with Single Sign On
First Claim
1. A method comprising:
- generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key, wherein the vault database comprises an unlock key;
- receiving, by a first application executing on the computing device, user entropy from a user associated with the shared vault;
- decrypting a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;
- accessing, by the first application executing on the computing device and using the first copy of the vault key, the vault database to retrieve the unlock key;
- storing, by the first application executing on the computing device, the unlock key in first application memory associated with the first application;
- decrypting a second vault key record associated with the shared vault using the unlock key stored in the first application memory to generate a second copy of the vault key; and
- accessing, by the first application executing on the computing device and using the second copy of the vault key, the vault database to retrieve the first stored data.
Abstract
Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
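The abstract describes a two-layer key-wrapping design: the vault key is never stored in the clear, only as "vault key records" wrapped either under a key derived from the user's passcode or under the unlock key, and the unlock key itself lives inside the encrypted vault database. The Python model below is an added example, not code from the patent or from any product built on it; it walks through the claim 1 flow (passcode, first record, vault key, unlock key, second record) and the claim 28 case of a second application that holds the unlock key in its own memory. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used here only as a standard-library stand-in for an AEAD such as AES-GCM; the PBKDF2 work factor, the record names, the JSON layout of the vault database and the `lock_vault` step are all assumptions of this example.

```python
"""Constructed model of the shared-vault / single-sign-on scheme (example only)."""
import hashlib
import hmac
import json
import os

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumed work factor; the page names no KDF or parameters


def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib-only stand-in for a real cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag. `aad` binds the blob to its purpose."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag before decrypting; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SharedVault:
    """On-device shared storage: a vault record storage section plus the encrypted vault database."""
    def __init__(self):
        self.records = {}    # vault key records: the vault key wrapped under user entropy or the unlock key
        self.db_blob = None  # vault database, encrypted under the vault key


def _read_db(vault, vault_key):
    return json.loads(unseal(vault_key, vault.db_blob, b"vault-db"))


def _write_db(vault, vault_key, db):
    vault.db_blob = seal(vault_key, json.dumps(db).encode(), b"vault-db")


def create_vault(passcode):
    """Generate the vault: fresh vault key, unlock key stored inside the database, user-entropy record."""
    vault = SharedVault()
    vault_key, unlock_key, salt = os.urandom(KEY_LEN), os.urandom(KEY_LEN), os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)
    vault.records["user_entropy"] = {"salt": salt,
                                     "wrapped_vault_key": seal(kek, vault_key, b"vault-key-record")}
    _write_db(vault, vault_key, {"unlock_key": unlock_key.hex(), "secrets": {}})
    return vault


def unlock_with_user_entropy(vault, passcode):
    """Claim 1 flow. Returns the unlock key, which the calling app keeps in its own memory."""
    rec = vault.records["user_entropy"]
    kek = hashlib.pbkdf2_hmac("sha256", passcode.encode(), rec["salt"], PBKDF2_ITERATIONS, dklen=KEY_LEN)
    vault_key = unseal(kek, rec["wrapped_vault_key"], b"vault-key-record")   # first copy of the vault key
    unlock_key = bytes.fromhex(_read_db(vault, vault_key)["unlock_key"])
    # "Unlock" the vault: wrap the vault key under the unlock key so no further passcode prompt is needed.
    vault.records["unlock_key"] = seal(unlock_key, vault_key, b"vault-key-record")
    return unlock_key


def vault_key_from_unlock_key(vault, unlock_key):
    """Any app holding the unlock key recovers the vault key from the second record without user entropy."""
    if "unlock_key" not in vault.records:
        raise ValueError("vault is locked: no unlock-key record present")
    return unseal(unlock_key, vault.records["unlock_key"], b"vault-key-record")  # second copy


def write_secret(vault, unlock_key, name, value):
    vault_key = vault_key_from_unlock_key(vault, unlock_key)
    db = _read_db(vault, vault_key)
    db["secrets"][name] = value
    _write_db(vault, vault_key, db)


def read_secret(vault, unlock_key, name):
    return _read_db(vault, vault_key_from_unlock_key(vault, unlock_key))["secrets"][name]


def lock_vault(vault):
    """Assumed inverse of unlocking (not spelled out on the page): drop the unlock-key record."""
    vault.records.pop("unlock_key", None)


if __name__ == "__main__":
    v = create_vault("1234")                                   # constructed passcode
    app_a = unlock_with_user_entropy(v, "1234")                # app A prompts the user once
    write_secret(v, app_a, "server-credential", "cred-constructed")
    app_b = unlock_with_user_entropy(v, "1234")                # app B obtains the same unlock key
    print(read_secret(v, app_b, "server-credential"))          # app B reads without re-prompting
```

Two properties are worth checking when reviewing a design like this: every application that unlocks the vault ends up holding the same unlock key, because it is read from the one vault database rather than generated per app; and because the unlock-key record is a separate wrapping of the same vault key, removing it forces every holder of the unlock key back to the passcode path without re-encrypting the database. Integrity protection on the records matters for the same reason a wrong passcode must fail cleanly: an unauthenticated wrapping would let a wrong or tampered record silently yield garbage keys.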
76 Citations
30 Claims
1. A method comprising the steps set out under First Claim above. Dependent claims: 2 to 17.
18. A system comprising:
- one or more processors;
- memory;
- a first application stored in the memory; and
- a shared vault comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key,
wherein the memory stores computer-executable instructions that, when executed by the one or more processors, cause the system to:
- receive, via the first application, user entropy from a user associated with the shared vault;
- decrypt a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;
- access, using the first copy of the vault key, the vault database to retrieve an unlock key, wherein the unlock key is operable to decrypt a second vault key record associated with the shared vault to generate a second copy of the vault key; and
- store the unlock key in first application memory associated with the first application.
Dependent claims: 19 to 27.
28. A system comprising:
- one or more processors;
- memory;
- a shared vault comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key;
- a first application stored in the memory and comprising instructions that, when executed by the one or more processors, cause the system to:
  - authenticate, via the first application, with a network service using user credentials associated with the user;
  - retrieve first network resource access credentials from the network service;
  - decrypt the vault database using an encrypted vault key record comprising the vault key; and
  - write, via the first application, the first network resource access credentials to the vault database; and
- a second application stored in the memory and comprising instructions that, when executed by the one or more processors, cause the system to:
  - decrypt, via the second application, the encrypted vault key record using an unlock key to generate a copy of the vault key, wherein the unlock key is stored in application memory associated with the second application; and
  - access, via the second application and using the copy of the vault key, the vault database to retrieve the first network resource access credentials.
29. One or more non-transitory computer readable media comprising instructions that, when executed by one or more processors, cause a computing device to:
- receive, by a first application executing on the computing device, first user entropy from a user associated with a shared vault, wherein the shared vault comprises a vault record storage section and a vault database, and wherein the vault database is encrypted using a vault key;
- decrypt a first vault key record associated with the shared vault using the first user entropy to generate a first copy of the vault key;
- access, by the first application and using the first copy of the vault key, the vault database to retrieve an unlock key;
- generate, by the first application, a second vault key record based on the vault key and the unlock key;
- store, by the first application, the second vault key record in a secured container that is secured using second user entropy other than the first user entropy;
- receive, by the first application, the second user entropy from the user;
- access, by the first application, the second vault key record from the secured container using the second user entropy; and
- decrypt the second vault key record associated with the shared vault using the unlock key to generate a second copy of the vault key.
Dependent claims: 30.
Specification