Protecting user credentials from a computing device

US 9,191,394 B2
Filed: 02/08/2012
Issued: 11/17/2015
Est. Priority Date: 02/08/2012
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a credential service, the method comprising:

receiving at the credential service, from a computing device, both a request to provide user credentials associated with a user of the computing device to an identity provider and first secure session parameters for a first secure session previously established between the computing device and the identity provider, the credential service being implemented by one or more additional computing devices separate from the computing device;

receiving, from the computing device, information authenticating the user to the credential service in order for the user credentials to be provided to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;

negotiating and establishing, using second secure session parameters, a second secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider, the second secure session parameters being unknown to the computing device and agreed based on renegotiation of the first secure session;

providing the user credentials associated with the user to the identity provider via the second secure session;

communicating from the credential service with the identity provider to renegotiate the second secure session and establish, using third secure session parameters determined during the second secure session, a third secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider; and

providing the third secure session parameters to the computing device to allow communication between the computing device and the identity provider using the third secure session parameters.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting user credentials from a computing device includes establishing a secure session between a computing device and an identity provider (e.g., a Web service). Parameters of the secure session are communicated to a credential service, which renegotiates or resumes the secure session to establish a new secure session between the credential service and the identity provider. User credentials are passed from the credential service to the identity provider via the new secure session, but the computing device does not have the parameters of the new secure session and thus does not have access to the passed user credentials. The credential service then renegotiates or resumes the secure session again to establish an additional secure session between the credential service and the identity provider. Parameters of the additional secure session are communicated to the computing device to allow the computing device to continue communicating securely with the identity provider.

91 Citations

View as Search Results

20 Claims

1. A method implemented by a credential service, the method comprising:
- receiving at the credential service, from a computing device, both a request to provide user credentials associated with a user of the computing device to an identity provider and first secure session parameters for a first secure session previously established between the computing device and the identity provider, the credential service being implemented by one or more additional computing devices separate from the computing device;
  
  receiving, from the computing device, information authenticating the user to the credential service in order for the user credentials to be provided to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;
  
  negotiating and establishing, using second secure session parameters, a second secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider, the second secure session parameters being unknown to the computing device and agreed based on renegotiation of the first secure session;
  
  providing the user credentials associated with the user to the identity provider via the second secure session;
  
  communicating from the credential service with the identity provider to renegotiate the second secure session and establish, using third secure session parameters determined during the second secure session, a third secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider; and
  
  providing the third secure session parameters to the computing device to allow communication between the computing device and the identity provider using the third secure session parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, the identity provider being one of multiple identity providers, the method further comprising:
    - maintaining multiple different user credentials associated with the user, each of the multiple different user credentials being associated with a different one of the multiple identity providers; and
      
      identifying, based on the identity provider, which of the multiple different user credentials to provide as the user credentials.
  - 3. The method as recited in claim 1, the secure session parameters for the first secure session comprising a Secure Sockets Layer (SSL) key, one or more sequence numbers, and a channel binding token.
  - 4. The method as recited in claim 1, the user credentials comprising a user name and password.
  - 5. The method as recited in claim 1, further comprising:
    - maintaining the user credentials encrypted;
      
      receiving, from the computing device, a value decrypted based on a key of the computing device; and
      
      decrypting, based on both the key of the credential service and the value decrypted based on the key of the computing device, the user credentials prior to providing the user credentials to the identity provider.
  - 6. The method as recited in claim 1, further comprising:
    - obtaining, from an additional identity provider in response to a user request for a temporary credit card number, a temporary credit card number associated with the identity provider; and
      
      providing the temporary credit card number to the identity provider without the computing device having knowledge of the temporary credit card number.
  - 7. The method as recited in claim 1, further comprising maintaining a record of which devices are known devices for the user, and allowing a known status of any one or more of the known devices to be revoked.
  - 8. The method as recited in claim 1, further comprising receiving one or more of a shipping address and a credit card number from the user, and providing the shipping address or credit card number to the identity provider.
  - 9. The method as recited in claim 1, further comprising:
    - maintaining, associated with the user credentials, a policy indicating one or more conditions that are to be satisfied in order for the user credentials to be provided to the identity provider; and
      
      providing the user credentials to the identity provider only if the one or more conditions are satisfied.
  - 10. The method as recited in claim 9, wherein the conditions included in the policy include one or more of an indication of which devices are known devices of the user and an indication that a value is to be decrypted by the computing device.
  - 11. The method as recited in claim 9, wherein the conditions included in the policy include one or more of an indication that the computing device is to prove to the credential service that the computing device is free from known malware, restrictions on a number of times user credentials can be used, restrictions on times of day that user credentials can be used, and restrictions on locations of the computing device.

12. A computing device comprising:
- one or more processors; and
  
  one or more computer-readable storage memories having stored thereon multiple instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive, at the computing device, from an identity provider, a request for user credentials of a user of the computing device;
  
  receive, at the computing device, a user request for the user credentials associated with the identity provider to be provided by a credential service, the credential service being implemented by one or more additional computing devices separate from the computing device;
  
  receive user input to authenticate the user to the credential service in order for the credential service to provide the user credentials to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;
  
  negotiate and establish, using first secure session parameters, a first secure session between the computing device and the identity provider;
  
  provide, by the computing device to the credential service and in response to the user request, the first secure session parameters;
  
  facilitate communication between the credential service and the identity provider for a second secure session renegotiated by the credential service from the first secure session;
  
  receive, at the computing device from the credential service, the user credentials via the second secure session;
  
  communicate, by the computing device to the identity provider via the second secure session, the user credentials;
  
  receive, at the computing device from the credential service, third secure session parameters for a third secure session between the credential service and the identity provider, the third secure session parameters having been determined based on renegotiation of the second secure session; and
  
  communicate, by the computing device, with the identity provider using the third secure session.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computing device as recited in claim 12, the instructions causing the one or more processors to receive the request for user credentials and to receive the user request being included in a Web browser of the computing device.
  - 14. The computing device as recited in claim 13, the identity provider comprising a Web service, and the instructions causing the one or more processors to receive the request for user credentials comprising instructions causing the one or more processors to automatically detect a Web page, received from the Web service, that is requesting user credentials of the user.
  - 15. The computing device as recited in claim 12, the multiple instructions further causing the one or more processors to:
    - receive, from the credential service, an indication of at least part of each of multiple user credentials associated with both the user and the identity provider;
      
      display the at least part of each of multiple user credentials associated with both the user and the identity provider; and
      
      receive, as the user request, a user selection of one of the at least part of each of multiple user credentials associated with both the user and the identity provider.
  - 16. The computing device as recited in claim 12, the instructions causing the one or more processors to communicate the user credentials received from the credential service to the identity provider without knowledge on the part of the identity provider that the second secure session is between the identity provider and the credential service.
  - 17. The computing device as recited in claim 12, the multiple instructions further causing the one or more processors to:
    - receive, from the credential service, a value;
      
      receive a user request confirming that the credential service is to provide the user credentials to the identity provider; and
      
      in response to the user request confirming that the credential service is to provide the user credentials to the identity provider, decrypt the value and return the decrypted value to the credential service.

18. A method implemented by a credential service, the method comprising:
- receiving at the credential service, from a computing device, a request to provide to an identity provider user credentials associated with both a user of the computing device and the identity provider, the user credentials being maintained encrypted by the credential service, the credential service being implemented by one or more additional computing devices separate from the computing device;
  
  receiving, at the credential service from the computing device, first secure session parameters, the first secure session parameters received being the same secure session parameters previously used to negotiate and establish a first secure session between the computing device and the identity provider;
  
  receiving, from the computing device, information authenticating the user to the credential service in order for the user credentials to be provided to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;
  
  receiving, from the computing device, a value decrypted based on a computing device key;
  
  communicating from the credential service with the identity provider to renegotiate the first secure session to negotiate and establish, using second secure session parameters agreed upon based on renegotiation of the first secure session, a second secure session between the credential service and the identity provider while using the computing device to facilitate communication of data between the credential service and the identity provider, the second secure session parameters being unknown to the computing device;
  
  decrypting, based on the value and a credential service key, the user credentials;
  
  providing the user credentials associated with the user to the identity provider via the second secure session;
  
  communicating from the credential service with the identity provider to resume the first secure session and establish, using third secure session parameters determined during the second secure session, a third secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider; and
  
  providing, to the computing device, secure session parameters for the third secure session to allow communication between the computing device and the identity provider using the third secure session parameters.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, the secure session parameters for the first secure session comprising a Secure Sockets Layer (SSL) key, one or more sequence numbers, and a channel binding token.
  - 20. The method of claim 18, the user credentials comprising a user name and password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Novak, Mark F., Layman, Andrew J.
Primary Examiner(s)
Brown, Christopher
Assistant Examiner(s)
Baum, Ronald

Application Number

US13/368,731
Publication Number

US 20130205360A1
Time in Patent Office

1,378 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04W 12/068   using credential vaults, e....

Protecting user credentials from a computing device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting user credentials from a computing device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links