Protecting user credentials from a computing device
Abstract
Protecting user credentials from a computing device includes establishing a secure session between a computing device and an identity provider (e.g., a Web service). Parameters of the secure session are communicated to a credential service, which renegotiates or resumes the secure session to establish a new secure session between the credential service and the identity provider. User credentials are passed from the credential service to the identity provider via the new secure session, but the computing device does not have the parameters of the new secure session and thus does not have access to the passed user credentials. The credential service then renegotiates or resumes the secure session again to establish an additional secure session between the credential service and the identity provider. Parameters of the additional secure session are communicated to the computing device to allow the computing device to continue communicating securely with the identity provider.
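A toy model of the hand-off described in the abstract, added here as an illustration and not taken from the patent. The Diffie-Hellman group, the SHAKE/HMAC record layer and all function names are assumptions standing in for a real TLS stack, and identity-provider authentication is omitted.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2   # toy DH group constructed for this demo, not a vetted parameter set

def dh_pair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def seal(key, msg):
    """Toy record layer: SHAKE keystream XOR plus HMAC tag (stand-in for a real AEAD)."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None                                  # wrong session key or tampered record
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def renegotiate(old_key, relay_log):
    """Fresh DH exchange carried inside the old session; relay_log is what the device forwards."""
    a, A = dh_pair()                                 # credential service side
    b, B = dh_pair()                                 # identity provider side
    relay_log += [seal(old_key, A.to_bytes(32, "big")), seal(old_key, B.to_bytes(32, "big"))]
    assert session_key(a, B) == session_key(b, A)    # both ends agree on the new key
    return session_key(a, B)

def run_handoff(credentials=b"user=alice;password=constructed-example"):
    relay_log = []                                   # every record the device relays
    d, _ = dh_pair()
    _, idp_pub = dh_pair()
    k1 = session_key(d, idp_pub)                     # session 1: device <-> identity provider
    k2 = renegotiate(k1, relay_log)                  # session 2: service renegotiates from k1
    record = seal(k2, credentials)                   # credentials travel only under k2
    relay_log.append(record)
    device_view = [unseal(k1, r) for r in relay_log] # device tries the only key it holds
    k3 = renegotiate(k2, relay_log)                  # session 3: negotiated inside session 2
    request = unseal(k3, seal(k3, b"GET /account"))  # device continues with k3 handed back
    return {"idp_received": unseal(k2, record), "device_view": device_view,
            "keys": (k1, k2, k3), "device_request": request}
```

The device can open the relayed handshake records, which carry only public DH values, but the credential record fails authentication under the one key it holds.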
20 Claims
1. A method implemented by a credential service, the method comprising:
- receiving at the credential service, from a computing device, both a request to provide user credentials associated with a user of the computing device to an identity provider and first secure session parameters for a first secure session previously established between the computing device and the identity provider, the credential service being implemented by one or more additional computing devices separate from the computing device;
- receiving, from the computing device, information authenticating the user to the credential service in order for the user credentials to be provided to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;
- negotiating and establishing, using second secure session parameters, a second secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider, the second secure session parameters being unknown to the computing device and agreed based on renegotiation of the first secure session;
- providing the user credentials associated with the user to the identity provider via the second secure session;
- communicating from the credential service with the identity provider to renegotiate the second secure session and establish, using third secure session parameters determined during the second secure session, a third secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider; and
- providing the third secure session parameters to the computing device to allow communication between the computing device and the identity provider using the third secure session parameters.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computing device comprising:
- one or more processors; and
- one or more computer-readable storage memories having stored thereon multiple instructions that, when executed by the one or more processors, cause the one or more processors to:
  - receive, at the computing device, from an identity provider, a request for user credentials of a user of the computing device;
  - receive, at the computing device, a user request for the user credentials associated with the identity provider to be provided by a credential service, the credential service being implemented by one or more additional computing devices separate from the computing device;
  - receive user input to authenticate the user to the credential service in order for the credential service to provide the user credentials to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;
  - negotiate and establish, using first secure session parameters, a first secure session between the computing device and the identity provider;
  - provide, by the computing device to the credential service and in response to the user request, the first secure session parameters;
  - facilitate communication between the credential service and the identity provider for a second secure session renegotiated by the credential service from the first secure session;
  - receive, at the computing device from the credential service, the user credentials via the second secure session;
  - communicate, by the computing device to the identity provider via the second secure session, the user credentials;
  - receive, at the computing device from the credential service, third secure session parameters for a third secure session between the credential service and the identity provider, the third secure session parameters having been determined based on renegotiation of the second secure session; and
  - communicate, by the computing device, with the identity provider using the third secure session.

Dependent claims: 13, 14, 15, 16, 17
18. A method implemented by a credential service, the method comprising:
- receiving at the credential service, from a computing device, a request to provide to an identity provider user credentials associated with both a user of the computing device and the identity provider, the user credentials being maintained encrypted by the credential service, the credential service being implemented by one or more additional computing devices separate from the computing device;
- receiving, at the credential service from the computing device, first secure session parameters, the first secure session parameters received being the same secure session parameters previously used to negotiate and establish a first secure session between the computing device and the identity provider;
- receiving, from the computing device, information authenticating the user to the credential service in order for the user credentials to be provided to the identity provider, with an amount of information used to authenticate being greater if the computing device is an unknown device than if the computing device is a known device;
- receiving, from the computing device, a value decrypted based on a computing device key;
- communicating from the credential service with the identity provider to renegotiate the first secure session to negotiate and establish, using second secure session parameters agreed upon based on renegotiation of the first secure session, a second secure session between the credential service and the identity provider while using the computing device to facilitate communication of data between the credential service and the identity provider, the second secure session parameters being unknown to the computing device;
- decrypting, based on the value and a credential service key, the user credentials;
- providing the user credentials associated with the user to the identity provider via the second secure session;
- communicating from the credential service with the identity provider to resume the first secure session and establish, using third secure session parameters determined during the second secure session, a third secure session between the credential service and the identity provider while using the computing device as an intermediary communicating data between the credential service and the identity provider; and
- providing, to the computing device, secure session parameters for the third secure session to allow communication between the computing device and the identity provider using the third secure session parameters.

Dependent claims: 19, 20
Specification