Secure dynamic credential distribution over a network
Abstract
Systems and methods for enabling secure dynamic credential distribution to a machine over a network are provided. In various embodiments, a computer, into which logging or access is sought, distributes logon credentials automatically to a requestor over the network before logon. Based on pre-existing trust, the computer self-generates and self-distributes logon credentials to the requestor, whereby the logon credentials are not stored on the requestor device.
35 Claims
1. A method for automatically distributing logon credentials from a first device to a second device over a network, the method comprising:
receiving a secret from the second device at the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;
receiving a request for access to at least one resource of the first device from the second device over the network;
in response to said request, generating by the first device at least one logon credential for use in connection with logging onto the first device and sending the at least one logon credential to the second device over the network for use in automatically logging onto the first device, wherein the at least one logon credential is encrypted by the first device prior to being sent;
decrypting the at least one credential at the second device;
generating, at the second device, a logon request containing the at least one credential without storing the at least one credential;
encrypting the logon request with the at least one credential at the second device and sending the encrypted logon request with the at least one credential to the first device;
at the first device, decrypting the encrypted logon request with the at least one credential and determining the validity of the at least one credential contained in the encrypted logon request received from the second device; and
accepting the logon request if the at least one credential contained in the logon request is determined to be valid.
Dependent claims: 2, 3, 4, 5, 6.
7. A machine that generates its own logon credentials for distribution to a requestor over a network, the machine comprising:
a secure dynamic logon credential component for handling requests for access to at least one resource of the machine from the requestor, wherein in response to a request for access to at least one resource of the machine, based on a secret received from the requestor according to at least one trust mechanism that validates that the secret is authentically from the requestor, said secure dynamic logon credential component generates at least one logon credential for use in connection with logging onto the machine, encrypts the at least one logon credential based on the secret, and sends the encrypted at least one logon credential to the requestor over the network; and
a second component that receives from the requestor an encrypted logon request containing the at least one logon credential, decrypts the encrypted logon request, and accepts the logon request if the at least one logon credential contained in the logon request is valid.
Dependent claims: 8, 9, 10, 11.
12. A method for automatically obtaining logon credentials from a first device by a second device for the purpose of logging onto the first device over a network, the method comprising:
transmitting a secret from the second device to the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;
requesting access to at least one resource of the first device by the second device over the network;
in response to said requesting, receiving from the first device at least one logon credential for use in connection with logging onto the first device, wherein the at least one logon credential is encrypted by the first device using the secret before being received from the first device;
without storing the at least one logon credential on the second device, generating, by the second device, a logon request containing the at least one logon credential;
encrypting the logon request with the at least one logon credential; and
sending the logon request from the second device to said first device.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.
20. A client device that automatically obtains logon credentials from a host device for the purpose of logging onto the host device over a network, the client device comprising:
a first component that sends a public key of the client to the host device according to at least one trust mechanism that is based on at least one of a biometric user input, a trust code and a hardware component, the at least one trust mechanism validating that the public key is authentically from the client device;
a second component that requests access to at least one resource of the host device over the network; and
a third component that receives from the host device, in response to requests by said second component, at least one encrypted logon credential for use in connection with logging onto the host device and decrypts the at least one encrypted logon credential, and, without storing the at least one decrypted logon credential on the client device, generates a logon request containing the at least one logon credential, encrypts the logon request with the at least one logon credential, and sends the encrypted logon request to said host device, wherein the third component receives an updated version of at least one logon credential periodically to rotate said at least one logon credential.
Dependent claims: 21, 22, 23.
24. A computer readable storage medium comprising computer executable instructions for automatically distributing logon credentials from a first device to a second device over a network, the computer executable instructions comprising instructions for:
in the first device, obtaining a secret from the second device according to at least one trust mechanism that validates that the secret is authentically from the second device;
receiving a request for access to at least one resource of the first device from the second device over the network;
generating by the first device at least one logon credential in response to the request being received from the second device, wherein said at least one logon credential is for logging onto the first device;
in the first device, encrypting the at least one logon credential based on the secret;
sending the at least one logon credential to the second device over the network for use in automatically logging onto the first device;
receiving, in the first device from the second device, an encrypted logon request containing the at least one logon credential;
in the first device, decrypting the encrypted logon request with the at least one logon credential;
determining the validity of the at least one logon credential contained in the logon request; and
accepting the logon request if the at least one credential contained in the logon request is determined valid.
Dependent claims: 25, 26, 27, 28.
29. A computer readable storage medium comprising computer executable modules having computer executable instructions for automatically obtaining logon credentials from a first device by a second device for the purpose of logging onto the first device over a network, the modules comprising:
a first module for transmitting a secret from the second device to the first device according to at least one trust mechanism that validates that the secret is authentically from the second device;
a second module for requesting access to at least one resource of the first device over the network;
a third module for receiving in the second device from the first device at least one logon credential for use in connection with logging onto the second device in response to a request for access made by said means for requesting, wherein the at least one logon credential is encrypted by the first device based on the secret before the at least one logon credential is received in the second device;
a fourth module for decrypting, in the second device, the encrypted at least one logon credential received from the first device; and
a fifth module for generating a logon request containing the at least one logon credential, encrypting the logon request, and sending the logon request to said first device without storing the at least one logon credential on the second device.
Dependent claims: 30, 31, 32, 33, 34, 35.
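The exchange the claims describe, as an added example that is not part of the patent: the host self-generates a fresh credential for each access request, returns it encrypted under a secret the client established through a trust mechanism (modelled here as a pre-shared symmetric key, where claim 20 uses a public key), and the client uses the decrypted credential only to encrypt its logon request, never persisting it. The `Host` and `client_logon` names and the HMAC-based `seal`/`open_` functions (a stand-in for a real AEAD) are assumptions of this example.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream (stand-in for a real AEAD)."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(key, nonce, plaintext)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(key, body[:16], body[16:])

class Host:
    """First device: holds each trusted client's secret, issues and checks credentials."""
    def __init__(self):
        self.trusted = {}   # client_id -> secret, filled by the trust mechanism
        self.issued = {}    # client_id -> outstanding credential (one per client)
    def enroll(self, client_id: str, secret: bytes) -> None:
        # Assumed: the trust mechanism (biometric, trust code, hardware root) has already
        # validated that `secret` is authentically from this client.
        self.trusted[client_id] = secret
    def request_access(self, client_id: str) -> bytes:
        cred = os.urandom(32)   # self-generated, fresh for every access request
        self.issued[client_id] = cred
        return seal(self.trusted[client_id], cred)
    def logon(self, client_id: str, encrypted_request: bytes) -> bool:
        cred = self.issued.pop(client_id, None)   # single use: consumed on any attempt
        if cred is None:
            return False
        try:
            request = open_(cred, encrypted_request)
        except ValueError:             # wrong credential or tampered request
            return False
        return request.endswith(cred)  # credential inside the request must match

def client_logon(host: Host, client_id: str, secret: bytes, resource: str) -> bool:
    """Second device: decrypts the credential and uses it once, in local scope only."""
    cred = open_(secret, host.request_access(client_id))
    request = b"LOGON " + resource.encode() + b" " + cred   # credential carried inside
    return host.logon(client_id, seal(cred, request))
```

The host consumes the outstanding credential on any logon attempt, so a tampered or replayed request cannot be retried against the same credential.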