Epoch-based management of security credentials
Abstract
Technologies are disclosed herein for epoch-based expiration of temporary security credentials. A temporary security credential is issued that identifies one or more epochs and that specifies one or more versions of the identified epochs during which the temporary security credential is valid. The temporary security credential may then be utilized to request access to another system, service or component. In order to determine whether such a request may be granted, current epoch versions for the epochs identified in the temporary security credential are obtained. The current epoch versions for the identified epochs are then compared to epoch versions specified in the temporary security credential to determine if the request can be granted. The current epoch versions may be periodically modified in order to expire previously issued temporary security credentials. A temporary security credential might also specify an expiration time after which the temporary security credential is no longer valid.
20 Claims

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a credential system, cause the credential system to:
generate a temporary security credential, the temporary security credential specifying an epoch identifier and a version of the epoch identifier, the temporary security credential valid while the version of the epoch identifier matches a current version for the epoch identifier;
send the temporary security credential to an electronic device; and
after sending the temporary security credential to the electronic device, send, to an epoch system, a request to change a previous version for the epoch identifier that is stored by the epoch system to the current version for the epoch identifier.
Dependent claims: 2, 3, 4, 5, 19.
6. A system for managing a lifetime of a temporary security credential, the system comprising:
at least one computer system executing a credential service configured to generate a temporary security credential, the temporary security credential identifying an epoch and a version of the epoch; and
at least one computer system executing a called service configured to:
receive, from a host computer system, information based, at least in part, on a service request that includes the temporary security credential;
send, to at least one computer system executing an epoch service, a request for a current version for the epoch;
receive, from the at least one computer system executing the epoch service, an indication of the current version for the epoch; and
determine to grant the service request based, at least in part, on the version of the epoch identified in the temporary security credential and the current version for the epoch.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 20.
14. A computer-implemented method for managing a lifetime of a temporary security credential, the method comprising:
receiving, at a computing system, and from a host computing system, a first request that includes the temporary security credential, the temporary security credential associated with at least an epoch identifier and at least an epoch version of the epoch identifier;
sending, by the computing system, and to an epoch system, a second request for a current version for the epoch identifier;
receiving, at the computing system, and from the epoch system, a message indicating the current version for the epoch identifier;
determining, at the computing system, that the epoch version of the epoch identifier corresponds to the current version for the epoch identifier; and
determining, at the computing system, to grant the first request based, at least in part, on the epoch version of the epoch identifier corresponding to the current version for the epoch identifier.
Dependent claims: 15, 16, 17, 18.
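The following is an added illustration, not code from the patent or its assignee, of the three parties the abstract and claims 1, 6 and 14 describe: an epoch system holding the current version of each epoch, a credential service binding credentials to epoch versions (including the claim-1 pattern of issuing at the next version and then advancing the epoch), and a called service that grants a request only when every bound version still matches. The class names, in-memory stores, compare-and-set semantics of the version change and the `expires_at` field are assumptions made for the example.

```python
import time
from dataclasses import dataclass


class EpochService:
    """Epoch system: authoritative current version of each epoch (assumed in-memory)."""
    def __init__(self):
        self.versions = {}  # epoch_id -> current version; unknown epochs start at 0

    def current(self, epoch_id):
        return self.versions.get(epoch_id, 0)

    def set_version(self, epoch_id, previous, new):
        # Compare-and-set (an assumption): the request names the previous version,
        # so two concurrent rotations cannot both succeed silently.
        if self.versions.get(epoch_id, 0) != previous:
            raise RuntimeError("epoch version changed underneath us")
        self.versions[epoch_id] = new


@dataclass(frozen=True)
class Credential:
    principal: str
    epochs: dict        # epoch_id -> version the credential is bound to
    expires_at: float   # absolute expiration time (assumed field)


class CredentialService:
    def __init__(self, epoch_svc):
        self.epoch_svc = epoch_svc

    def issue(self, principal, epoch_ids, ttl):
        """Bind a credential to the current version of each named epoch."""
        epochs = {e: self.epoch_svc.current(e) for e in epoch_ids}
        return Credential(principal, epochs, time.time() + ttl)

    def issue_and_rotate(self, principal, epoch_id, ttl):
        """Claim-1 pattern: issue at version N+1, then move the epoch from N to N+1,
        which expires every credential still bound to N."""
        prev = self.epoch_svc.current(epoch_id)
        cred = Credential(principal, {epoch_id: prev + 1}, time.time() + ttl)
        self.epoch_svc.set_version(epoch_id, prev, prev + 1)
        return cred


class CalledService:
    def __init__(self, epoch_svc):
        self.epoch_svc = epoch_svc

    def authorize(self, cred, now=None):
        """Grant only if unexpired and every bound epoch version is still current."""
        now = time.time() if now is None else now
        if now >= cred.expires_at:
            return False
        return all(self.epoch_svc.current(e) == v for e, v in cred.epochs.items())
```

Bumping one epoch version expires every outstanding credential bound to that epoch in a single step, without tracking the credentials individually.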