System and method to provide secure credential

US 9,419,799 B1
Filed: 08/22/2014
Issued: 08/16/2016
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for providing secure credential using a secure credential package stored on a client device and at least one key stored in a corporate network, the computer implemented method comprising:

receiving credentials and a device unique identifier from the client device over a secure link;

obtaining the at least one key from the corporate network, wherein the at least one key is stored in a key store that is located behind a first firewall of the corporate network relative to the client device;

applying the at least one key to the credentials and the device unique identifier to generate the secure credential package including encrypted credentials corresponding to the credentials and an encrypted device unique identifier corresponding to the device unique identifier;

sending the secure credential package to the client device over the secure link;

receiving the secure credential package from the client device in connection with an authenticating of the client;

decrypting the secure credential package using the at least one key to obtain the credentials,validating the credentials against a user directory located in the corporate network;

in the event of a successful validation, sending the credentials to a backend service located in the corporate network for a service authentication; and

authenticating the client using the secure credential package based at least in part on the at least one key obtained from the key store and information stored on a resource of the corporate network, wherein the resource of the corporate network is located behind a second firewall of the corporate network relative to the client device, the second firewall being located behind the first firewall.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is illustrated for providing secure credential using a secure credential package stored on a client device and at least one key stored in a corporate network. In embodiments, an access connector receives credentials and a device unique identifier from the client device over a secure link, obtain the at least one key from the corporate network, apply the at least one key to the credentials and the device unique identifier to generate the secure credential package including the encrypted credential and the device unique identifier, send the secure credential package to the client device over the secure link, upon receiving the secure credential package from the client device, retrieve the at least one key via the key manager, decrypting the secure credential package using the at least one key to obtain the credentials, and validate the credentials against a user directory located in the corporate network.

47 Citations

View as Search Results

19 Claims

1. A computer implemented method for providing secure credential using a secure credential package stored on a client device and at least one key stored in a corporate network, the computer implemented method comprising:
- receiving credentials and a device unique identifier from the client device over a secure link;
  
  obtaining the at least one key from the corporate network, wherein the at least one key is stored in a key store that is located behind a first firewall of the corporate network relative to the client device;
  
  applying the at least one key to the credentials and the device unique identifier to generate the secure credential package including encrypted credentials corresponding to the credentials and an encrypted device unique identifier corresponding to the device unique identifier;
  
  sending the secure credential package to the client device over the secure link;
  
  receiving the secure credential package from the client device in connection with an authenticating of the client;
  
  decrypting the secure credential package using the at least one key to obtain the credentials,validating the credentials against a user directory located in the corporate network;
  
  in the event of a successful validation, sending the credentials to a backend service located in the corporate network for a service authentication; and
  
  authenticating the client using the secure credential package based at least in part on the at least one key obtained from the key store and information stored on a resource of the corporate network, wherein the resource of the corporate network is located behind a second firewall of the corporate network relative to the client device, the second firewall being located behind the first firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - upon receiving the secure credential package from the client device, retrieving the at least one key.
  - 3. The method of claim 1, wherein the credentials include a user name and a password.
  - 4. The method of claim 1, wherein the secure credential packages includes:
    - the encrypted credentials;
      
      the encrypted device unique identifier;
      
      a version of the secure credential package signed using the at least one key; and
      
      a timestamp signed using the at least one key, the timestamp indicates a creation time of the secure credential package.
  - 5. The method of claim 4, further comprising:
    - enforcing a logout by invalidating at least one of the signed version or the signed timestamp.
  - 6. The method of claim 1, wherein obtaining the at least one key from the corporate network includes obtaining the at least one key from a key store located in the corporate network.
  - 7. The method of claim 6, wherein the at least one key is changeable and stored in the key store.
  - 8. The method of claim 1, wherein the client device upon receiving the secure credential package, stores the secure credential package on the client device.
  - 9. The method of claim 1, further comprising:
    - responsive to a backend service located in the corporate network not capable of handling the secure credential package, instructing the client device over the secure link to store the credentials in a secure storage on the client device.

10. An access connector located in a corporate network used for providing secure credential, the access connector comprising:
- a receiver configured to use at least one processor to receive credentials and a device unique identifier from a client device over a secure link;
  
  a key manager configured to use at least one processor to obtain at least one key from the corporate network, wherein the at least one key is stored in a key store that is located behind a first firewall of the corporate network relative to the client device;
  
  a secure package creator configured to use at least one processor to apply the at least one key to the credentials and the device unique identifier to generate a secure credential package including encrypted credentials corresponding to the credentials and an encrypted device unique identifier corresponding to the device unique identifier;
  
  a secure package validator configured to decrypt the secure credential package using the at least one key to obtain the credentials, validate the credentials against a user directory located in the corporate network, and upon a successful validation, send the credentials to a backend service located in the corporate network for a service authentication, and authenticate the client using at least one processor to receive the secure credential package from the client device in connection with an authenticating of the client, wherein the resource of the corporate network is located behind a second firewall of the corporate network relative to the client device, the second firewall being located behind the first firewall; and
  
  a sender configured to use at least one processor to send the secure credential package to the client device over the secure link,wherein the receiver is further configured use at least one processor to receive the secure credential package from the client device in connection with the authentication of the client.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, further comprising:
    - a secure package validator, upon receiving the secure credential package from the client device via the receiver, configured to retrieve the at least one key via the key manager.
  - 12. The system of claim 10, wherein the credentials include a user name and a password.
  - 13. The system of claim 10, wherein the secure credential packages includes:
    - the encrypted credentials;
      
      the encrypted device unique identifier;
      
      a version of the secure credential package signed using the at least one key; and
      
      a timestamp signed using the at least one key, the timestamp indicates a creation time of the secure credential package.
  - 14. The system of claim 13, wherein the access connector enforces a logout by invalidating at least one of the signed version or the signed timestamp.
  - 15. The system of claim 10, wherein the key manager obtains the at least one key from a key store operatively coupled to the access connector.
  - 16. The system of claim 15, wherein the key manager changes the at least one key and stores the at least one key in the key store.
  - 17. The system of claim 10, wherein the client device upon receiving the secure credential package, stores the secure credential package on the client device.
  - 18. The system of claim 10, wherein the secure package creator, via the sender, responsive to a backend service not capable of handling the secure credential package, instructs the client device over the secure link to store the credentials in a secure storage on the client device.

19. A system for providing secure credential using a secure credential package stored on a client device and at least one key stored in a corporate network, comprising:
- at least one processor configured to;
  
  receive credentials and a device unique identifier from the client device over a secure link;
  
  obtain the at least one key from the corporate network, wherein the at least one key is stored in a key store that is located behind a first firewall of the corporate network relative to the client device;
  
  apply the at least one key to the credentials and the device unique identifier to generate the secure credential package including the encrypted credential and the encrypted device unique identifier;
  
  send the secure credential package to the client device over the secure link;
  
  receive the secure credential package from the client device in connection with an authenticating of the client;
  
  decrypt the secure credential package using the at least one key to obtain the credentials;
  
  validate the credentials against a user directory located in the corporate network;
  
  in the event of a successful validation, send the credentials to a backend service located in the corporate network for a service authentication; and
  
  authenticate the client using the secure credential package based at least in part on the at least one key obtained from the key store and information stored on a resource of the corporate network, wherein the resource of the corporate network is located behind a second firewall of the corporate network relative to the client device, the second firewall being located behind the first firewall; and
  
  at least one memory coupled to the at least one processor and configured to provide the at least one processor with instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Chung, Leonard C
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US14/466,950
Time in Patent Office

725 Days
Field of Search

713/155
US Class Current

1/1
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 9/3247   involving digital signatures

H04L 9/3297   involving time stamps, e.g....

System and method to provide secure credential

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to provide secure credential

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links