Secure and automated credential information transfer mechanism

US 9,276,926 B2
Filed: 09/10/2014
Issued: 03/01/2016
Est. Priority Date: 02/05/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

generating, by a central server that has access to credential information, a one-time-use password;

transmitting, by the central server, an instruction to a remote server to activate an application instance, the instruction including the one-time-use password;

receiving, by the central server and from the remote server, a request for the credential information, the request including at least (i) the one-time-use password, and (ii) an unique identifier associated with the application instance;

verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request;

in response to verifying (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request, invalidating, by the central server, the one-time-use password; and

transmitting, by the central server, a secure message that causes the remote server to create a file that includes the credential information in a secure location on the remote server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for securely transmitting credentials to instantiated virtual machines is provided. A central server is used to turn on a virtual machine. When the virtual machine is turned on, the central server sends it a secret text string. The virtual machine requests the credentials from the central server by transmitting the secret string and its instance ID. The central server validates the secret string and source IP to determine whether they are authentic. Once verified, the central server transmits the credentials to the virtual machine in a secure channel and invalidates the secret string. The credentials can now be used to authenticate API calls.

Citations

20 Claims

1. A computer-implemented method comprising:
- generating, by a central server that has access to credential information, a one-time-use password;
  
  transmitting, by the central server, an instruction to a remote server to activate an application instance, the instruction including the one-time-use password;
  
  receiving, by the central server and from the remote server, a request for the credential information, the request including at least (i) the one-time-use password, and (ii) an unique identifier associated with the application instance;
  
  verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request;
  
  in response to verifying (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request, invalidating, by the central server, the one-time-use password; and
  
  transmitting, by the central server, a secure message that causes the remote server to create a file that includes the credential information in a secure location on the remote server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request comprises:
    - determining that the one-time-use password matches the unique identifier.
  - 3. The method of claim 1, wherein the request is received over a Hypertext Transfer Protocol connection.
  - 4. The method of claim 1, comprising:
    - determining, by the central server and based at least on a programmed policy, to activate the application instance on the remote server,where generating, by a central server that has access to credential information, a one-time-use password is in response to determining, by the central server and based at least on a programmed policy, to activate the application instance on the remote server.
  - 5. The method of claim 1, wherein the credential information enables the remote server to activate the application instance.
  - 6. The method of claim 1, wherein the credential information comprises one or more of a secret access key or an access key identifier.
  - 7. The method of claim 1, wherein the secure message comprises a message provided over a Secure Sockets Layer connection.
  - 8. The method of claim 1, comprising:
    - generating, by the central server that has access to credential information, another one-time-use password;
      
      transmitting, by the central server, another instruction to another remote server to activate another application instance, the other instruction including the other one-time-use password;
      
      receiving, by the central server and from the other remote server, another request for the credential information, the other request including at least (i) the other one-time-use password, and (ii) another unique identifier associated with the another application instance;
      
      verifying, by the central server, (i) the other one-time-use password that is included in the other received request, and (ii) the other unique identifier that is included in the other received request;
      
      in response to verifying (i) the other one-time-use password that is included in the other received request, and (ii) the other unique identifier that is included in the other received request, invalidating, by the central server, the other one-time-use password; and
      
      transmitting, by the central server, another secure message that causes the remote server to create another file that includes the other credential information in another secure location on the remote server.

9. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  generating, by a central server that has access to credential information, a one-time-use password;
  
  transmitting, by the central server, an instruction to a remote server to activate an application instance, the instruction including the one-time-use password;
  
  receiving, by the central server and from the remote server, a request for the credential information, the request including at least (i) the one-time-use password, and (ii) an unique identifier associated with the application instance;
  
  verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request;
  
  in response to verifying (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request, invalidating, by the central server, the one-time-use password; and
  
  transmitting, by the central server, a secure message that causes the remote server to create a file that includes the credential information in a secure location on the remote server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request comprises:
    - determining that the one-time-use password matches the unique identifier.
  - 11. The system of claim 9, wherein the request is received over a Hypertext Transfer Protocol connection.
  - 12. The system of claim 9, comprising:
    - determining, by the central server and based at least on a programmed policy, to activate the application instance on the remote server,where generating, by a central server that has access to credential information, a one-time-use password is in response to determining, by the central server and based at least on a programmed policy, to activate the application instance on the remote server.
  - 13. The system of claim 9, wherein the credential information enables the remote server to activate the application instance.
  - 14. The system of claim 9, wherein the credential information comprises one or more of a secret access key or an access key identifier.
  - 15. The system of claim 9, wherein the secure message comprises a message provided over a Secure Sockets Layer connection.
  - 16. The system of claim 9, comprising:
    - generating, by the central server that has access to credential information, another one-time-use password;
      
      transmitting, by the central server, another instruction to another remote server to activate another application instance, the other instruction including the other one-time-use password;
      
      receiving, by the central server and from the other remote server, another request for the credential information, the other request including at least (i) the other one-time-use password, and (ii) another unique identifier associated with the another application instance;
      
      verifying, by the central server, (i) the other one-time-use password that is included in the other received request, and (ii) the other unique identifier that is included in the other received request;
      
      in response to verifying (i) the other one-time-use password that is included in the other received request, and (ii) the other unique identifier that is included in the other received request, invalidating, by the central server, the other one-time-use password; and
      
      transmitting, by the central server, another secure message that causes the remote server to create another file that includes the other credential information in another secure location on the remote server.

17. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising:
- generating, by a central server that has access to credential information, a one-time-use password;
  
  transmitting, by the central server, an instruction to a remote server to activate an application instance, the instruction including the one-time-use password;
  
  receiving, by the central server and from the remote server, a request for the credential information, the request including at least (i) the one-time-use password, and (ii) an unique identifier associated with the application instance;
  
  verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request;
  
  in response to verifying (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request, invalidating, by the central server, the one-time-use password; and
  
  transmitting, by the central server, a secure message that causes the remote server to create a file that includes the credential information in a secure location on the remote server.
- View Dependent Claims (18, 19, 20)
- - 18. The medium of claim 17, wherein verifying, by the central server, (i) the one-time-use password that is included in the received request, and (ii) the unique identifier that is included in the received request comprises:
    - determining that the one-time-use password matches the unique identifier.
  - 19. The medium of claim 17, comprising:
    - determining, by the central server and based at least on a programmed policy, to activate the application instance on the remote server,where generating, by a central server that has access to credential information, a one-time-use password is in response to determining, by the central server and based at least on a programmed policy, to activate the application instance on the remote server.
  - 20. The medium of claim 17, wherein the credential information enables the remote server to activate the application instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Stauth, Sean, Wee, Sewook
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/482,688
Publication Number

US 20140380441A1
Time in Patent Office

538 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 21/45   Structures or tools for the...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

Secure and automated credential information transfer mechanism

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure and automated credential information transfer mechanism

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links