Shared secret vault for applications with single sign on
First Claim
1. A method comprising:
generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key, wherein the vault database comprises an unlock key;
receiving, by a first application executing on the computing device, user entropy from a user associated with the shared vault;
decrypting a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;
accessing, by the first application executing on the computing device and using the first copy of the vault key, the vault database to retrieve the unlock key;
storing, by the first application executing on the computing device, the unlock key in first application memory associated with the first application;
decrypting a second vault key record associated with the shared vault using the unlock key stored in the first application memory to generate a second copy of the vault key; and
accessing, by the first application executing on the computing device and using the second copy of the vault key, the vault database to retrieve the first stored data.
Abstract
Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
29 Claims
18. A system comprising:
one or more processors;
memory;
a first application stored in the memory; and
a shared vault comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key,
wherein the memory stores computer-executable instructions that, when executed by the one or more processors, cause the system to:
receive, via the first application, user entropy from a user associated with the shared vault;
decrypt a first vault key record associated with the shared vault using the user entropy to generate a first copy of the vault key;
access, using the first copy of the vault key, the vault database to retrieve an unlock key, wherein the unlock key is operable to decrypt a second vault key record associated with the shared vault to generate a second copy of the vault key; and
store the unlock key in first application memory associated with the first application.
28. One or more non-transitory computer readable media comprising instructions that, when executed by one or more processors, cause a computing device to:
receive, by a first application executing on the computing device, first user entropy from a user associated with a shared vault, wherein the shared vault comprises a vault record storage section and a vault database, and wherein the vault database is encrypted using a vault key;
decrypt a first vault key record associated with the shared vault using the first user entropy to generate a first copy of the vault key;
access, by the first application and using the first copy of the vault key, the vault database to retrieve an unlock key;
generate, by the first application, a second vault key record based on the vault key and the unlock key;
store, by the first application, the second vault key record in a secured container that is secured using second user entropy other than the first user entropy;
receive, by the first application, the second user entropy from the user;
access, by the first application, the second vault key record from the secured container using the second user entropy; and
decrypt the second vault key record associated with the shared vault using the unlock key to generate a second copy of the vault key.
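The key-wrapping structure that the abstract and claims 1 and 18 describe (user entropy unwraps the first vault key record, the vault database yields an unlock key, and an unlock-key-wrapped second record lets the application reopen the vault without prompting again), as an added Python example. This is not code from the patent or from any product implementing it. Assumptions: scrypt from the standard library stands in for whatever passcode KDF a real implementation uses; the HMAC-SHA256 encrypt-then-MAC pair `seal`/`open_sealed` stands in for an AEAD such as AES-GCM; record names, the JSON layout of the vault database and the sample secrets are constructed for the example. The secured container of claim 28 is not modelled.

```python
import hashlib
import hmac
import json
import secrets

KEY_LEN = 32  # every key in the example is 256 bits

# --- primitives (stand-ins; a real implementation would use AES-GCM and a platform keystore) ---

def key_from_user_entropy(user_entropy: str, salt: bytes) -> bytes:
    """Derive the wrapping key for the first vault key record from a passcode/PIN (scrypt, stdlib)."""
    return hashlib.scrypt(user_entropy.encode(), salt=salt, n=2 ** 13, r=8, p=1,
                          maxmem=2 ** 26, dklen=KEY_LEN)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: nonce || ciphertext || tag (encrypt-then-MAC with split subkeys)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key (wrong passcode) or a tampered record is rejected."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed authentication (wrong key or tampering)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

# --- the shared vault and an application using it ---

class SharedVault:
    """Vault record storage section (wrapped copies of the vault key) plus the encrypted vault database."""
    def __init__(self, records: dict, database: bytes):
        self.records = records      # record name -> wrapped copy of the vault key
        self.database = database    # shared secrets + unlock key, sealed under the vault key

def create_shared_vault(user_entropy: str, shared_secrets: dict) -> SharedVault:
    vault_key = secrets.token_bytes(KEY_LEN)
    unlock_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    # the vault database holds the shared secrets (e.g. server credentials) and the unlock key
    db_plaintext = json.dumps({"unlock_key": unlock_key.hex(), "secrets": shared_secrets}).encode()
    # first vault key record: the vault key wrapped under the user-entropy-derived key
    first_record = {"salt": salt, "wrapped": seal(key_from_user_entropy(user_entropy, salt), vault_key)}
    return SharedVault({"user_entropy": first_record}, seal(vault_key, db_plaintext))

class Application:
    def __init__(self, name: str):
        self.name = name
        self.unlock_key = None   # "first application memory": held by this process only

    def unlock_with_user_entropy(self, vault: SharedVault, user_entropy: str) -> dict:
        """The one prompted step: passcode -> first copy of the vault key -> unlock key."""
        rec = vault.records["user_entropy"]
        vault_key = open_sealed(key_from_user_entropy(user_entropy, rec["salt"]), rec["wrapped"])
        db = json.loads(open_sealed(vault_key, vault.database))
        self.unlock_key = bytes.fromhex(db["unlock_key"])
        # "unlocking" the vault: store the unlock-key-encrypted vault key record beside the first one
        vault.records["unlock_key"] = seal(self.unlock_key, vault_key)
        return db["secrets"]

    def read_secret(self, vault: SharedVault, name: str) -> str:
        """Later accesses: second copy of the vault key via the unlock key, no passcode prompt."""
        if self.unlock_key is None or "unlock_key" not in vault.records:
            raise PermissionError("vault is locked; user entropy is required first")
        vault_key = open_sealed(self.unlock_key, vault.records["unlock_key"])
        db = json.loads(open_sealed(vault_key, vault.database))
        return db["secrets"][name]

    def lock(self, vault: SharedVault) -> None:
        """Re-lock: drop the unlock-key record so only the passcode path opens the vault again."""
        vault.records.pop("unlock_key", None)
        self.unlock_key = None

def wrong_user_entropy_is_rejected(vault: SharedVault, bad_entropy: str) -> bool:
    """Failure mode: a wrong passcode derives a wrong key and the first record fails authentication."""
    try:
        Application("probe").unlock_with_user_entropy(vault, bad_entropy)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    vault = create_shared_vault("1234", {"mail-server": "constructed-token"})  # constructed sample data
    app = Application("mail")
    print(app.unlock_with_user_entropy(vault, "1234"))   # prompted once
    print(app.read_secret(vault, "mail-server"))          # no prompt
    print(wrong_user_entropy_is_rejected(vault, "0000"))
```

Two properties of the design stand out when it is written down this way: the vault database itself is never re-keyed, since both records wrap the same vault key, so "unlocking" is purely the addition of a second wrapping; and the unlock key in application memory is the session credential, so removing the `unlock_key` record (as `lock` does) is what forces the passcode prompt again.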
Specification