Secure credential storage
First Claim
1. A method for securing a credential, comprising:
storing in a credential store a reference to the credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;
storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;
providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;
storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;
executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;
obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;
determining whether the request is from execution of some application code within the application execution platform;
in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;
determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and
providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.
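The claim describes envelope encryption with scoped keys: each credential is encrypted under a data-encryption key that is itself wrapped by an HSM, application code refers to the credential only by its reference, and the platform selects the decryption key from the scope of the environment that asks, after first checking that the request came from code the platform is running. The following is an added example, not code from the patent or from any product, that models those components in Python using only the standard library. `seal`/`unseal` are a stand-in for a real AEAD such as AES-GCM (an HMAC-SHA256 keystream with encrypt-then-MAC), `Hsm` simulates the module boundary in software, and the token issued by `launch_environment` is an assumed mechanism for proving that a request originates from a platform-executed environment.

```python
"""Envelope-encrypted credential store with HSM-wrapped, scope-selected keys (added example)."""
from __future__ import annotations
import hashlib, hmac, secrets
from dataclasses import dataclass


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in AEAD (HMAC-SHA256 keystream, encrypt-then-MAC): nonce(16) || ct || tag(32)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")  # checked before any decryption
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Hsm:
    """Simulated hardware security module: the key-encryption key never leaves this object."""
    def __init__(self) -> None:
        self.__kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self.__kek, dek, b"dek-wrap")

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self.__kek, wrapped, b"dek-wrap")


@dataclass(frozen=True)
class Record:
    key_id: tuple       # ("org", org) or ("env", org, env): the scope the DEK is exclusive to
    ciphertext: bytes   # credential sealed under that DEK


class Platform:
    """Application execution platform: owns both stores and serves credentials by reference."""
    def __init__(self, hsm: Hsm) -> None:
        self.hsm = hsm
        self.key_storage: dict[tuple, bytes] = {}      # key_id -> HSM-wrapped DEK
        self.credential_store: dict[str, Record] = {}  # reference -> encrypted credential
        self._environments: dict[str, tuple] = {}      # token -> (org, env) launched by us

    def launch_environment(self, org: str, env: str) -> str:
        """Assumed mechanism: an opaque token handed only to environments the platform runs."""
        token = secrets.token_urlsafe(16)
        self._environments[token] = (org, env)
        return token

    def store_credential(self, reference: str, secret: bytes, org: str, env: str | None = None) -> None:
        key_id = ("env", org, env) if env else ("org", org)
        if key_id not in self.key_storage:             # one DEK per scope, wrapped by the HSM
            self.key_storage[key_id] = self.hsm.wrap(secrets.token_bytes(32))
        dek = self.hsm.unwrap(self.key_storage[key_id])
        aad = f"{reference}|{key_id}".encode()         # bind ciphertext to its reference and key
        self.credential_store[reference] = Record(key_id, seal(dek, secret, aad))

    def get_credential(self, reference: str, env_token: str) -> bytes:
        scope = self._environments.get(env_token)      # (1) must come from platform-run code
        if scope is None:
            raise PermissionError("request did not originate from platform-executed code")
        org, env = scope
        record = self.credential_store[reference]      # KeyError for an unknown reference
        if record.key_id not in {("env", org, env), ("org", org)}:  # (2) key chosen by scope
            raise PermissionError(f"{reference} is not in scope for {org}/{env}")
        dek = self.hsm.unwrap(self.key_storage[record.key_id])     # (3) HSM unwraps the DEK
        return unseal(dek, record.ciphertext, f"{reference}|{record.key_id}".encode())


def demo() -> dict[str, str]:
    """Constructed scenario: one org-wide credential and one scoped to acme's 'ci' environment."""
    p = Platform(Hsm())
    p.store_credential("db/primary", b"hunter2", org="acme")
    p.store_credential("deploy/ci-token", b"ci-secret", org="acme", env="ci")
    ci, prod, other = (p.launch_environment("acme", "ci"), p.launch_environment("acme", "prod"),
                       p.launch_environment("globex", "ci"))
    cases = {"ci->db": ("db/primary", ci), "prod->db": ("db/primary", prod),
             "ci->ci-token": ("deploy/ci-token", ci), "prod->ci-token": ("deploy/ci-token", prod),
             "globex->db": ("db/primary", other), "forged->db": ("db/primary", "not-a-platform-token")}
    results = {}
    for name, (ref, token) in cases.items():
        try:
            results[name] = p.get_credential(ref, token).decode()
        except PermissionError as exc:
            results[name] = "denied: " + str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter beyond the claim's own steps. The requesting environment never names the key it wants; the platform derives the candidate key identifiers from the environment's scope and refuses if the record's key falls outside them, so an environment-scoped credential cannot be read from another environment of the same organization, and the HSM is only asked to unwrap after that check passes. The reference and key identifier are also bound into the ciphertext as associated data, so a credential-store record cannot be re-pointed at a different reference or key without failing authentication.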
Abstract
Securing a credential is disclosed. A reference to the credential that will provide access to a service is stored in a credential store. The credential from the credential store is provided to an application execution platform having access to the credential store. The application execution platform includes an interface to access the service using the credential. Application code that references the credential stored in the credential store is stored in a code repository.
20 Claims
15. A system comprising:
one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
storing in a credential store a reference to a credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;
storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;
providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;
storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;
executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;
obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;
determining whether the request is from execution of some application code within the application execution platform;
in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;
determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and
providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.
20. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising:
storing in a credential store a reference to a credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;
storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;
providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;
storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;
executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;
obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;
determining whether the request is from execution of some application code within the application execution platform;
in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;
determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and
providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.