Method and system for distributing secrets

US 9,384,362 B2
Filed: 10/14/2013
Issued: 07/05/2016
Est. Priority Date: 10/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system for distributing credentials comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for distributing credentials, the process for distributing credentials including;

receiving request data from a requesting virtual asset, the request data including a request for one or more credentials required in order for the requesting virtual asset to be allowed to access one or more resources, the requested credentials being of a first type of a plurality of credential types, the one or more resources being cloud-accessible resources;

responsive to receiving the request data, obtaining profile data associated with the requesting virtual asset;

responsive to receiving the request data, authenticating, by a secrets distribution management system, the requesting virtual asset;

responsive to authenticating the requesting virtual asset and obtaining profile data associated with the requesting virtual asset, analyzing, by the secrets distribution management system, the profile data using one or more distribution factors to determine one or more credentials of the first type that the requesting virtual asset is authorized to receive, the determination being at least partly based on a role assigned to the requesting virtual asset, the requesting virtual asset being assigned at least two different roles;

determining a first source from which the first type of credential is available, wherein a plurality of credential sources are available each having different types of credentials, wherein credentials of a first type are only available from a first source, and credentials of a second type are only available from a second source; and

providing, from the first source, credentials data representing the determined one or more credentials to the requesting virtual asset, the provided credentials data including data representing one or more of the credentials associated with the request data, the providing being accomplished through at least;

encrypting set data;

assigning identification data to the encrypted set data;

storing the encrypted set data in a credentials store;

providing the requesting virtual asset the identification data and an encryption key for identifying and decrypting the encrypted set data; and

providing the requesting virtual asset access to the credentials store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secrets data representing one or more secrets required to access associated resources is provided along with secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of the secrets. When a requesting virtual asset submits secrets request data, virtual asset profile data associated with the requesting virtual asset is obtained. The requesting virtual asset profile data is then analyzed using at least one of the secrets distribution factors to authenticate the requesting virtual asset. The requesting virtual asset profile data is then analyzed using one or more of secrets distribution factors to determine what secrets the requesting virtual asset legitimately needs. Authorized secrets data for the requesting virtual asset representing one or more authorized secrets is then generated. The requesting virtual asset is then provided access to the authorized secrets data.

77 Citations

View as Search Results

50 Claims

1. A system for distributing credentials comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for distributing credentials, the process for distributing credentials including;
  
  receiving request data from a requesting virtual asset, the request data including a request for one or more credentials required in order for the requesting virtual asset to be allowed to access one or more resources, the requested credentials being of a first type of a plurality of credential types, the one or more resources being cloud-accessible resources;
  
  responsive to receiving the request data, obtaining profile data associated with the requesting virtual asset;
  
  responsive to receiving the request data, authenticating, by a secrets distribution management system, the requesting virtual asset;
  
  responsive to authenticating the requesting virtual asset and obtaining profile data associated with the requesting virtual asset, analyzing, by the secrets distribution management system, the profile data using one or more distribution factors to determine one or more credentials of the first type that the requesting virtual asset is authorized to receive, the determination being at least partly based on a role assigned to the requesting virtual asset, the requesting virtual asset being assigned at least two different roles;
  
  determining a first source from which the first type of credential is available, wherein a plurality of credential sources are available each having different types of credentials, wherein credentials of a first type are only available from a first source, and credentials of a second type are only available from a second source; and
  
  providing, from the first source, credentials data representing the determined one or more credentials to the requesting virtual asset, the provided credentials data including data representing one or more of the credentials associated with the request data, the providing being accomplished through at least;
  
  encrypting set data;
  
  assigning identification data to the encrypted set data;
  
  storing the encrypted set data in a credentials store;
  
  providing the requesting virtual asset the identification data and an encryption key for identifying and decrypting the encrypted set data; and
  
  providing the requesting virtual asset access to the credentials store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system for distributing credentials of claim 1 wherein at least one of the one or more credentials is selected from the group of credentials consisting of:
    - database access credentials;
      
      external services access credentials;
      
      internal services access data;
      
      passwords;
      
      passphrases;
      
      biometric data;
      
      digital certificates;
      
      encryption keys; and
      
      SSL certificates.
  - 3. The system for distributing credentials of claim 1 wherein at least one of the one or more resources is selected from the group of resources consisting of:
    - databases and data;
      
      external services;
      
      internal services;
      
      cloud-based services;
      
      data center-based services;
      
      the Internet;
      
      a cloud;
      
      applications;
      
      encrypted data;
      
      authenticated SSL communication channels;
      
      wireless accessible services; and
      
      any communication channels.
  - 4. The system for distributing credentials of claim 1 wherein at least one of the one or more distribution factors is selected from the group of distribution factors consisting of:
    - a determination as to whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data;
      
      a determination as to whether the requesting virtual asset is in compliance with one or more security policies;
      
      a determination as to how long the requesting virtual asset has currently been operating;
      
      a determination of the number or resources associated with the requesting virtual asset;
      
      a determination of modules or capabilities associated with the requesting virtual asset;
      
      a determination of the type of requesting virtual asset and the legitimate access requirements of that type of requesting virtual asset; and
      
      any combination thereof.
  - 5. The system for distributing credentials of claim 1 wherein the request data is received from the requesting virtual asset through a resource services gateway.
  - 6. The system for distributing credentials of claim 5 wherein the requesting virtual asset is communicatively coupled to the resource services gateway via a secure communications channel.
  - 7. The system for distributing credentials of claim 6 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel.
  - 8. The system for distributing credentials of claim 1 wherein the request data is received from the requesting virtual asset through a resource services gateway proxy.
  - 9. The system for distributing credentials of claim 8 wherein the requesting virtual asset is communicatively coupled to the resource services gateway proxy via a secure communications channel.
  - 10. The system for distributing credentials of claim 9 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel.
  - 11. The system for distributing credentials of claim 9 wherein the secure communications channel is any private communications channel.
  - 12. The system for distributing credentials of claim 1 wherein the requesting virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      mobile devices;
      
      remote sensors;
      
      laptops;
      
      desktops;
      
      point-of-sale devices;
      
      ATMs;
      
      electronic voting machines; and
      
      a database.
  - 13. The system for distributing credentials of claim 1 wherein authenticating the requesting virtual asset includes determining whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data.
  - 14. The system for distributing credentials of claim 13 wherein owner identification data is an account number associated with the owner of the requesting virtual asset.
  - 15. The system for distributing credentials of claim 1 wherein a number and type of distribution factors used to analyze the profile data is determined by the type of requesting virtual asset.
  - 16. The system for distributing credentials of claim 1 wherein a number and type of distribution factors used to analyze the profile data is determined by the capabilities of the requesting virtual asset.
  - 17. The system for distributing credentials of claim 1 wherein the number and type of distribution factors used to analyze the profile data is determined by the reputation profile of the requesting virtual asset.
  - 18. The system for distributing credentials of claim 1 wherein the number and type of distribution factors used to analyze the profile data is determined by the resources associated with the requesting virtual asset.

19. A system for distributing credentials comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for distributing credentials, the process for distributing credentials including;
  
  receiving request data from a requesting virtual asset, the request data including a request for one or more credentials required in order for the requesting virtual asset to be allowed to access one or more resources, the requested credentials being of a first type of a plurality of credential types, the one or more resources being cloud-accessible resources;
  
  responsive to receiving the request data, obtaining profile data associated with the requesting virtual asset;
  
  responsive to receiving the request data, authenticating, by a secrets distribution management system, the requesting virtual asset;
  
  responsive to authenticating the requesting virtual asset and obtaining profile data associated with the requesting virtual asset, analyzing, by a secrets distribution management system, the profile data using one or more distribution factors to determine one or more classes of credentials the requesting virtual asset is authorized to receive, the determination being at least partly based on a role assigned to the requesting virtual asset, the virtual asset being assigned at least two different roles;
  
  determining a first source from which the first type of credential is available, wherein a plurality of credential sources are available each having different types of credentials, wherein credentials of a first type are only available from a first source, and credentials of a second type are only available from a second source;
  
  obtaining set data for the requesting virtual asset, the set data representing a set of credentials for the requesting virtual asset of the classes of credentials the requesting virtual asset is authorized to receive; and
  
  providing the set data to the requesting virtual asset by at least;
  
  encrypting the set data;
  
  assigning identification data to the encrypted set data;
  
  storing the encrypted set data in a credentials store;
  
  providing the requesting virtual asset the identification data and an encryption key for identifying and decrypting the encrypted set data; and
  
  providing the requesting virtual asset access to the credentials store.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The system for distributing credentials of claim 19 wherein at least one of the one or more classes of credentials is selected from the group of classes of credentials consisting of:
    - database access credentials;
      
      external services access credentials;
      
      internal services access data;
      
      passwords;
      
      passphrases;
      
      biometric data;
      
      digital certificates;
      
      encryption keys; and
      
      SSL certificates.
  - 21. The system for distributing credentials of claim 19 wherein at least one of the resources is selected from the group of resource types consisting of:
    - databases and data;
      
      external services;
      
      internal services;
      
      cloud-based services;
      
      data center-based services;
      
      the Internet;
      
      a cloud;
      
      applications;
      
      encrypted data;
      
      authenticated SSL communication channels;
      
      wireless accessible services; and
      
      any communication channels.
  - 22. The system for distributing credentials of claim 19 wherein at least one of the one or more distribution factors is selected from the group of distribution factors consisting of:
    - a determination as to whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data;
      
      a determination as to whether the requesting virtual asset is in compliance with one or more security policies;
      
      a determination as to how long the requesting virtual asset has currently been operating;
      
      a determination of the number or resources associated with the requesting virtual asset;
      
      a determination of modules or capabilities associated with the requesting virtual asset;
      
      a determination of the type of requesting virtual asset and the legitimate access requirements of that type of requesting virtual asset; and
      
      any combination thereof.
  - 23. The system for distributing credentials of claim 19 wherein the request data is received from the requesting virtual asset through a resource services gateway.
  - 24. The system for distributing credentials of claim 23 wherein the requesting virtual asset is communicatively coupled to the resource services gateway via a secure communications channel.
  - 25. The system for distributing credentials of claim 24 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel.
  - 26. The system for distributing credentials of claim 24 wherein the secure communications channel is any private communications channel.
  - 27. The system for distributing credentials of claim 19 wherein the request data is received from the requesting virtual asset through a resource services gateway proxy.
  - 28. The system for distributing credentials of claim 27 wherein the requesting virtual asset is communicatively coupled to the resource services gateway proxy via a secure communications channel.
  - 29. The system for distributing credentials of claim 28 wherein the secure communications channel is a Secure Sockets Layer an authenticated communications channel.
  - 30. The system for distributing credentials of claim 19 wherein the requesting virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      mobile devices;
      
      remote sensors;
      
      laptops;
      
      desktops;
      
      point-of-sale devices;
      
      ATMs;
      
      electronic voting machines; and
      
      a database.
  - 31. The system for distributing credentials of claim 19 wherein authenticating the requesting virtual asset includes determining whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data.
  - 32. The system for distributing credentials of claim 31 wherein owner identification data is an account number associated with the owner of the requesting virtual asset.
  - 33. The system for distributing credentials of claim 19 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the type of requesting virtual asset.
  - 34. The system for distributing credentials of claim 19 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the reputation profile of the requesting virtual asset.
  - 35. The system for distributing credentials of claim 19 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the capabilities of the requesting virtual asset.
  - 36. The system for distributing credentials of claim 19 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the resources associated with the requesting virtual asset.

37. A system for distributing credentials comprising:
- one or more resources potentially accessible by one or more virtual assets, the one or more resources being of two or more resource types;
  
  two or more credentials databases, each credentials database including credentials data representing one or more credentials, the one or more credentials being required to access associated ones of the one or more resources, the one or more credentials being of one or more credential classes, each of the credential classes being associated with one of the one or more resource types;
  
  a credentials distribution management system, the credentials distribution management system having access to the one or more credentials in the one or more credentials databases, the credentials distribution management system further having access to credentials distribution policy data representing one or more distribution factors used to control the distribution of the one or more credentials;
  
  a requesting virtual asset;
  
  a services gateway, the services gateway being communicatively coupled to the requesting virtual asset, the services gateway being communicatively coupled to the credentials distribution management system;
  
  at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for distributing credentials, the process for distributing credentials including;
  
  receiving request data at the service gateway from the requesting virtual asset for credentials required in order for the requesting virtual asset to be allowed to access one or more resources, the requested credentials including a first type of a plurality of credential types, the one or more resources being cloud-accessible resources;
  
  responsive to receiving the request data, the credentials distribution management system authenticating the requesting virtual asset;
  
  responsive to authenticating the requesting virtual asset, the credentials distribution management system analyzing profile data of the requesting virtual asset using one or more of the one or more distribution factors to determine classes of credentials the requesting virtual asset is authorized to receive, the determination being at least partly based on a role assigned to the requesting virtual asset, the virtual asset being assigned at least two different roles;
  
  determining a first source from which the first type of credential is available, wherein a plurality of credential sources are available each having different types of credentials, wherein credentials of a first type are only available from a first source, and credentials of a second type are only available from a second source;
  
  the credentials distribution management system obtaining set data for the requesting virtual asset, the set data including the requested credential and representing a set of credentials for the requesting virtual asset of the classes of credentials the requesting virtual asset is authorized to receive, the set data being obtained from the one or more credentials databases; and
  
  providing the set data to the requesting virtual asset by at least;
  
  encrypting the set data;
  
  assigning identification data to the encrypted set data;
  
  storing the encrypted set data in a credentials store;
  
  providing the requesting virtual asset the identification data and an encryption key for identifying and decrypting the encrypted set data; and
  
  providing the requesting virtual asset access to the credentials store.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 38. The system for distributing credentials of claim 37 wherein at least one of the one or more classes of credentials is selected from the group of classes of credentials consisting of:
    - database access credentials;
      
      external services access credentials;
      
      internal services access credentialspasswords;
      
      passphrases;
      
      biometric data;
      
      digital certificates;
      
      encryption keys; and
      
      SSL certificates.
  - 39. The system for distributing credentials of claim 37 wherein at least one of the one or more resources is selected from the group of resources consisting of:
    - databases and data;
      
      external services;
      
      internal services;
      
      cloud-based services;
      
      data center-based services;
      
      the Internet;
      
      a cloud;
      
      applications;
      
      encrypted data;
      
      authenticated SSL communication channels;
      
      wireless accessible services; and
      
      any communication channels.
  - 40. The system for distributing credentials of claim 37 wherein at least one of the one or more distribution factors is selected from the group of distribution factors consisting of:
    - a determination as to whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data;
      
      a determination as to whether the requesting virtual asset is in compliance with one or more security policies;
      
      a determination as to how long the requesting virtual asset has currently been operating;
      
      a determination of the number or resources associated with the requesting virtual asset;
      
      a determination of modules or capabilities associated with the requesting virtual asset;
      
      a determination of the type of requesting virtual asset and the legitimate access requirements of that type of requesting virtual asset; and
      
      any combination thereof.
  - 41. The system for distributing credentials of claim 37 wherein the requesting virtual asset is communicatively coupled to the resource services gateway via a secure communications channel.
  - 42. The system for distributing credentials of claim 41 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel.
  - 43. The system for distributing credentials of claim 41 wherein the secure communications channel is any private communications channel.
  - 44. The system for distributing credentials of claim 37 wherein the requesting virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      mobile devices;
      
      remote sensors;
      
      laptops;
      
      desktops;
      
      point-of-sale devices;
      
      ATMs;
      
      electronic voting machines; and
      
      a database.
  - 45. The system for distributing credentials of claim 37 wherein authenticating the requesting virtual asset includes determining whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data.
  - 46. The system for distributing credentials of claim 40 wherein owner identification data is an account number associated with the owner of the requesting virtual asset.
  - 47. The system for distributing credentials of claim 37 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the type of requesting virtual asset.
  - 48. The system for distributing credentials of claim 37 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the reputation profile of the requesting virtual asset.
  - 49. The system for distributing credentials of claim 37 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the capabilities of the requesting virtual asset.
  - 50. The system for distributing credentials of claim 37 wherein the number and type of distribution factors used to analyze the requesting virtual asset profile data is determined by the resources associated with the requesting virtual asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon, Armitage, James, Gryb, Oleg, Shanmugam, Elangovan, Philip, Sabu Kuruvila, Weaver, Brett, Bishop, Thomas, Otillio, Troy, Whitehouse, Jinglei, Wolfe, Jeffrey M., Jain, Ankur
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Naghdali, Khalil

Application Number

US14/053,488
Publication Number

US 20150106869A1
Time in Patent Office

995 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0884   by delegation of authentica...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04W 12/04   Key management, e.g. using ...

H04W 12/068   using credential vaults, e....

Method and system for distributing secrets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

77 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for distributing secrets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links