Method and apparatus for providing a conditional single sign on

US 9,461,820 B1
Filed: 06/02/2014
Issued: 10/04/2016
Est. Priority Date: 06/05/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for accessing a computer resource comprising:

during a first access sequence;

receiving, at the computer resource, credentials of a user from a device the user is using to access the computer resource, wherein the credentials from the device have bypassed a connection broker;

encrypting the credentials using at least a first credentials key;

storing the encrypted credentials;

communicating the first credentials key to the connection broker for storage;

further encrypting the credentials using a second credentials key and communicating the second credentials key to the device; and

purging, by the computer resource, the first and second credentials keys; and

during a subsequent access sequence;

receiving, at the computer resource, the first credentials key from the connection broker and the second credentials key from the device;

decrypting the encrypted credentials using the first and second credentials keys;

purging at least the first and second credentials keys;

authenticating, by the computer resource, the user using the credentials and purging the credentials after the user is authenticated; and

enabling the device to access the computer resource following the authentication of the user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for accessing a computer resource, wherein, during a first access sequence, the computer resource receives credentials of a user from a device the user is using to access the computer resource, encrypts the credentials using at least a first credentials key stores the encrypted credentials, communicates the first credentials key to a connection broker or to the device, and purges the first credentials key. The computer resource, during a subsequent access sequence, receives the first credentials key, decrypts the encrypted credentials using the first credentials key, and purges the first credentials key. The computer resource authenticates the user using the credentials and purges the credentials after the user is authenticated and enables the device to access the computer resource following the authentication of the user.

51 Citations

View as Search Results

14 Claims

1. A computer implemented method for accessing a computer resource comprising:
- during a first access sequence;
  
  receiving, at the computer resource, credentials of a user from a device the user is using to access the computer resource, wherein the credentials from the device have bypassed a connection broker;
  
  encrypting the credentials using at least a first credentials key;
  
  storing the encrypted credentials;
  
  communicating the first credentials key to the connection broker for storage;
  
  further encrypting the credentials using a second credentials key and communicating the second credentials key to the device; and
  
  purging, by the computer resource, the first and second credentials keys; and
  
  during a subsequent access sequence;
  
  receiving, at the computer resource, the first credentials key from the connection broker and the second credentials key from the device;
  
  decrypting the encrypted credentials using the first and second credentials keys;
  
  purging at least the first and second credentials keys;
  
  authenticating, by the computer resource, the user using the credentials and purging the credentials after the user is authenticated; and
  
  enabling the device to access the computer resource following the authentication of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the user is validated at the connection broker against a valet key before either the first or second access sequences are performed.
  - 3. The method of claim 1 wherein the first credentials key is received from the connection broker if the device matches a one of a specified device location or a specified network address.
  - 4. The method of claim 1 wherein the first credentials key received during the subsequent access sequence is accompanied by a non-reversible hash code.
  - 5. The method of claim 4 wherein the non-reversible hash code comprises a hash-based message authentication code for a password of the user.
  - 6. The method of claim 5 wherein the non-reversible hash code is salted by a value provided by the computer resource.
  - 7. The method of claim 4 further comprising computing the non-reversible hash code using a cloud authenticator and storing the non-reversible hash code at the connection broker.
  - 8. The method of claim 1 further comprising storing the encrypted credentials in a location accessible to additional computer resources in a trust domain of the computer resource.
  - 9. The method of claim 8 further comprising further encrypting the encrypted credentials in the location using a third credentials key maintained by the computer resource and the additional computer resources in the trust domain.
  - 10. The method of claim 1 further comprising generating an authentication code associated with the first credentials key during the first access sequence and confirming validity of the first credentials key against the authentication code in the subsequent access sequence.

11. A non-transitory computer readable medium for storing software that, when executed by a processor, causes the processor to perform a method for accessing a computer resource comprising:
- during a first access sequence;
  
  receiving credentials of a user from a device the user is using to access the computer resource, wherein the credentials from the device have bypassed a connection broker;
  
  encrypting the credentials using at least a first credentials key;
  
  storing the encrypted credentials;
  
  communicating the first credentials key to the connection broker for storage;
  
  further encrypting the credentials using a second credentials key and communicating the second credentials key to the device; and
  
  purging, by the computer resource, the first and second credentials keys; and
  
  during a subsequent access sequence;
  
  receiving, at the computer resource, the first credentials key from the connection broker and the second credentials key from the device;
  
  decrypting the encrypted credentials using the first and second credentials keys; and
  
  purging at least the first and second credentials keys;
  
  authenticating, by the computer resource, the user using the credentials and purging the credentials after the user is authenticated; and
  
  enabling the device to access the computer resource following the authentication of the user.

12. Apparatus for accessing a computer resource comprising:
- a computer resource for supplying computing services to at least one device being operated by a user;
  
  a connection broker, coupled to the computer resource via a network, for confirming computer resource availability to the at least one device;
  
  wherein during a first access sequence the computer resource;
  
  receives credentials of a user from a device the user is using to access the computer resource, wherein the credentials from the device have bypassed the connection broker;
  
  encrypts the credentials using at least a first credentials key;
  
  stores the encrypted credentials;
  
  communicates the first credentials key to the connection broker for storage;
  
  further encrypting the credentials using a second credentials key and communicating the second credentials key to the device; and
  
  purges, by the computer resource, the first and second credentials keys; and
  
  during a subsequent access sequence;
  
  receives the first credentials key from the connection broker and the second credentials key from the device;
  
  decrypts the encrypted credentials using the first and second credentials keys; and
  
  purges at least the first and second credentials keys; and
  
  the computer resource authenticates the user using the credentials and purges the credentials after the user is authenticated; and
  
  enables the device to access the computer resource following the authentication of the user.
- View Dependent Claims (13, 14)
- - 13. The apparatus of claim 12 wherein the user is validated at the connection broker against a valet key before either the first or second access sequences are performed.
  - 14. The apparatus of claim 13 further comprising a cloud authenticator for generating the valet key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Teradici Corporation (HP Inc.)
Original Assignee
Teradici Corporation (HP Inc.)
Inventors
Dall, William John
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/293,669
Time in Patent Office

855 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/0876   based on the identity of th...

H04L 9/0819   Key transport or distributi...

H04L 9/0863   involving passwords or one-...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for providing a conditional single sign on

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing a conditional single sign on

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links