Shared secret vault for applications with single sign on

US 9,626,525 B2
Filed: 12/30/2015
Issued: 04/18/2017
Est. Priority Date: 12/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key, wherein the vault database comprises an unlock key;

receiving, by a first application executing on the computing device, user entropy from a user associated with the shared vault;

decrypting a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;

accessing, by the first application executing on the computing device and using the first copy of the vault key, the vault database to retrieve the unlock key;

storing, by the first application executing on the computing device, the unlock key in first application memory associated with the first application;

decrypting a second vault key record associated with the shared vault using the unlock key stored in the first application memory to generate a second copy of the vault key; and

accessing, by the first application executing on the computing device and using the second copy of the vault key, the vault database to retrieve the first stored data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.

29 Citations

View as Search Results

29 Claims

1. A method comprising:
- generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key, wherein the vault database comprises an unlock key;
  
  receiving, by a first application executing on the computing device, user entropy from a user associated with the shared vault;
  
  decrypting a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;
  
  accessing, by the first application executing on the computing device and using the first copy of the vault key, the vault database to retrieve the unlock key;
  
  storing, by the first application executing on the computing device, the unlock key in first application memory associated with the first application;
  
  decrypting a second vault key record associated with the shared vault using the unlock key stored in the first application memory to generate a second copy of the vault key; and
  
  accessing, by the first application executing on the computing device and using the second copy of the vault key, the vault database to retrieve the first stored data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein generating the shared vault comprises:
    - generating the first vault key record based on the vault key, wherein the first vault key record is encrypted using the user entropy; and
      
      storing the first vault key record in the shared vault.
  - 3. The method of claim 2, wherein the first vault key record is further encrypted with first application entropy associated with the first application, and wherein the decrypting the first vault key comprises:
    - decrypting the first vault key record using the user entropy and the first application entropy to generate the first copy of the vault key.
  - 4. The method of claim 2, wherein the first vault key record is further encrypted with device entropy associated with the computing device, and wherein the decrypting the first vault key comprises:
    - decrypting the first vault key record using the user entropy and the device entropy to generate the first copy of the vault key.
  - 5. The method of claim 1, further comprising:
    - determining, by the first application and subsequent to decrypting the first vault key record, that the shared vault does not include the second vault key record; and
      
      in response to so determining, generating the second vault key record using the first copy of the vault key and the unlock key and storing the second vault key record in the shared vault.
  - 6. The method of claim 1, further comprising:
    - accessing, by the first application, an inactivity timer stored in the shared vault;
      
      determining, by the first application, whether the inactivity timer indicates that a predetermined amount of time has elapsed since the vault database was last accessed; and
      
      in response to so determining, deleting the second vault key record from the shared vault.
  - 7. The method of claim 1, further comprising:
    - determining, by the first application that the shared vault does not include the second vault key record; and
      
      in response to so determining;
      
      prompting, by the first application, the user to provide the user entropy;
      
      decrypting the first vault key record associated with the shared vault using the user entropy to generate a third copy of the vault key;
      
      generating the second vault key record using the third copy of the vault key and the unlock key; and
      
      storing the second vault key record in the shared vault.
  - 8. The method of claim 1, further comprising:
    - decrypting, by a second application executing on the computing device, the second vault key record using the unlock key to generate a third copy of the vault key, wherein the unlock key is further stored in second application memory associated with the second application; and
      
      accessing, by the second application executing on the computing device and using the third copy of the vault key, the vault database to retrieve the first stored data.
  - 9. The method of claim 8, wherein the second application is a background application executing concurrently with the first application on the computing device.
  - 10. The method of claim 8, further comprising:
    - accessing, by the second application, an inactivity timer stored in the shared vault;
      
      determining, by the second application, whether the inactivity timer indicates that a predetermined amount of time has elapsed since the vault database was last accessed; and
      
      in response to so determining, deleting the second vault key record from the shared vault.
  - 11. The method of claim 1, further comprising:
    - authenticating, by the first application, with a network service using user credentials associated with the user;
      
      retrieving first network resource access credentials from the network service;
      
      writing, by the first application, the first network resource access credentials to the vault database;
      
      decrypting, by a second application executing on the computing device, the second vault key record using the unlock key to generate a third copy of the vault key, wherein the unlock key is further stored in second application memory associated with the second application; and
      
      accessing, by the second application executing on the computing device and using the third copy of the vault key, the vault database to retrieve the first network resource access credentials.
  - 12. The method of claim 1, further comprising:
    - receiving, by the computing device, user credentials associated with the user;
      
      authenticating, by the computing device, with an enterprise management server using the user credentials; and
      
      responsive to the authenticating, prompting the user to modify the user entropy associated with the user.
  - 13. The method of claim 1, further comprising:
    - receiving, by the computing device and from an enterprise management server, the vault key, wherein the computing device encrypts the shared vault using the vault key received from the enterprise management server.
  - 14. The method of claim 1, further comprising:
    - generating, by the computing device, the vault key, wherein the computing device encrypts the shared vault using the generated vault key.
  - 15. The method of claim 1, wherein the first stored data is stored within a first application vault associated with the first application, and wherein the first application vault resides in the vault database.
  - 16. The method of claim 15, wherein a second application that has access to the shared vault is unable to access the first application vault associated with the first application.
  - 17. The method of claim 1, wherein the first stored data is stored within a shared portion of the vault database and is accessible to a second application that has access to the shared vault.

18. A system comprising:
- one or more processors;
  
  memory;
  
  a first application stored in the memory; and
  
  a shared vault comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key,wherein the memory stores computer-executable instructions that, when executed by the one or more processors, cause the system to;
  
  receive, via the first application, user entropy from a user associated with the shared vault;
  
  decrypt a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;
  
  access, using the first copy of the vault key, the vault database to retrieve an unlock key, wherein the unlock key is operable to decrypt a second vault key record associated with the shared vault to generate a second copy of the vault key; and
  
  store the unlock key in first application memory associated with the first application.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The system of claim 18, wherein the instructions, when executed by the one or more processors, further cause the system to:
    - decrypt a second vault key record associated with the shared vault using the unlock key stored in the first application memory to generate a second copy of the vault key; and
      
      access, using the second copy of the vault key, the vault database to write first stored data.
  - 20. The system of claim 18, wherein the instructions, when executed by the one or more processors, further cause the system to:
    - decrypt a second vault key record associated with the shared vault using the unlock key stored in the first application memory to generate a second copy of the vault key; and
      
      access, using the second copy of the vault key, the vault database to retrieve first stored data.
  - 21. The system of claim 18, wherein the first vault key record is stored in the shared vault.
  - 22. The system of claim 18, wherein the second vault key record is stored in the shared vault.
  - 23. The system of claim 18, wherein the second vault key record is stored in a secured container that is secured using second entropy other than the user entropy.
  - 24. The system of claim 23, wherein the second entropy comprises biometric data associated with the user.
  - 25. The system of claim 18, wherein the user entropy is a personal identification number (PIN) provided by the user.
  - 26. The system of claim 18, wherein the user entropy is a password provided by the user.
  - 27. The system of claim 18, wherein the vault database comprises:
    - a shared portion accessible by a plurality of applications that have access to the vault; and
      
      a first application portion accessible to the first application and encrypted using first application entropy associated with the first application.

28. One or more non-transitory computer readable media comprising instructions that, when executed by one or more processors, cause a computing device to:
- receive, by a first application executing on the computing device, first user entropy from a user associated with a shared vault, wherein the shared vault comprises a vault record storage section and a vault database, and wherein the vault database is encrypted using a vault key;
  
  decrypt a first vault key record associated with the shared vault using the first user entropy to generate a first copy of the vault key;
  
  access, by the first application and using the first copy of the vault key, the vault database to retrieve an unlock key;
  
  generate, by the first application, a second vault key record based on the vault key and the unlock key;
  
  store, by the first application, the second vault key record in a secured container that is secured using second user entropy other than the first user entropy;
  
  receive, by the first application, the second user entropy from the user;
  
  access, by the first application, the second vault key record from the secured container using the second user entropy; and
  
  decrypt the second vault key record associated with the shared vault using the unlock key to generate a second copy of the vault key.
- View Dependent Claims (29)
- - 29. The computer readable media of claim 28, wherein the secured container is logically distinct from the shared vault, wherein the first user entropy comprises a passcode associated with the user, and wherein the second user entropy comprises biometric data associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Momchilov, Georgy, Nordstrom, Ola
Primary Examiner(s)
Lanier, Benjamin

Application Number

US14/983,961
Publication Number

US 20160191499A1
Time in Patent Office

475 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

G06F 9/544   Buffers; Shared memory; Pipes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 9/0822   using key encryption key

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/068   using credential vaults, e....

Shared secret vault for applications with single sign on

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Shared secret vault for applications with single sign on

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links