Secure credential storage

US 9,910,997 B1
Filed: 12/23/2014
Issued: 03/06/2018
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method for securing a credential, comprising:

storing in a credential store a reference to the credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;

storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;

providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;

storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;

executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;

obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;

determining whether the request is from execution of some application code within the application execution platform;

in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;

determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;

identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;

decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and

providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing a credential is disclosed. A reference to the credential that will provide access to a service is stored in a credential store. The credential from the credential store is provided to an application execution platform having access to the credential store. The application execution platform includes an interface to access the service using the credential. Application code that references the credential stored in the credential store is stored in a code repository.

20 Citations

View as Search Results

20 Claims

1. A method for securing a credential, comprising:
- storing in a credential store a reference to the credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;
  
  storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;
  
  providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;
  
  storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;
  
  executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;
  
  obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;
  
  determining whether the request is from execution of some application code within the application execution platform;
  
  in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;
  
  determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
  
  identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
  
  decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and
  
  providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the credential interface to provide the credential is configured to only provide the credential to the application execution platform.
  - 3. The method of claim 1, wherein the application execution platform has exclusive access to the credential store.
  - 4. The method of claim 1, wherein the application execution platform has a physically secure access to the credential store.
  - 5. The method of claim 1, wherein the application code cannot access the service without having access to the credential store.
  - 6. The method of claim 1, wherein the application code that references the credential stored in the credential store references the credential using an Application Programming Interface of the application execution platform.
  - 7. The method of claim 1, wherein the system includes a storage interface for receiving the credential for storage in the credential store.
  - 8. The method of claim 1, wherein an encryption key utilized to encrypt the encrypted version of the credential is exclusive to a specific organization.
  - 9. The method of claim 1, wherein the code repository stores and hosts application code that interacts with external program code via an Application Programming Interface to allow the external program code to access a backend service.
  - 10. The method of claim 1, wherein the key storage stores a plurality of different decryption keys that are encrypted using a master key.
  - 11. The method of claim 1, wherein the hardware security module is a dedicated physical crypto processing device.
  - 12. The method of claim 1, wherein the credential includes a password.
  - 13. The method of claim 1, wherein the application execution platform hosts an API of a backend service of a user application.
  - 14. The method of claim 1, wherein the service is a database.

15. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  storing in a credential store a reference to a credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;
  
  storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;
  
  providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;
  
  storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;
  
  executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;
  
  obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;
  
  determining whether the request is from execution of some application code within the application execution platform;
  
  in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;
  
  determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
  
  identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
  
  decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and
  
  providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the credential interface to provide the credential is configured to only provide the credential to the application execution platform.
  - 17. The system of claim 15, wherein the application execution platform has exclusive access to the credential store.
  - 18. The system of claim 15, wherein the application execution platform has a physically secure access to the credential store.
  - 19. The system of claim 15, wherein the application code cannot access the service without having access to the credential store.

20. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising:
- storing in a credential store a reference to a credential that is to be utilized to prove an authorization to provide access to a service and, in association with the reference, an encrypted version of the credential, wherein the reference is used to identify the credential;
  
  storing in a key storage an encrypted version of a decryption key of the encrypted version of the credential, wherein the key storage includes a hardware security module and the decryption key is used to decrypt the encrypted version of the credential, and wherein an encryption key utilized to encrypt the encrypted version of the credential is either exclusive to a specific organization or exclusive to and scoped to a specific application execution environment;
  
  providing the credential from the credential store to an application execution platform having access to the credential store, wherein the application execution platform includes an interface to access the service using the credential;
  
  storing in a code repository of the application execution platform, application code for a plurality of different applications, wherein the application code references the credential stored in the credential store, and wherein the application execution platform is configured to at least in part execute the plurality of different applications;
  
  executing, in an application execution environment, the application code that includes the reference to the credential stored in the credential store;
  
  obtaining a request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store;
  
  determining whether the request is from execution of some application code within the application execution platform;
  
  in response to (i) obtaining the request from the application execution environment for the credential in response to execution of a portion of the application code that includes the reference to the credential stored in the credential store and (ii) determining that the request is valid because the request is from execution of some application code within the application execution platform, obtaining the encrypted version of the credential from the credential store based at least on the reference in the application code;
  
  determining a scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
  
  identifying the decryption key of the encrypted version of the credential based at least on the scope of the application execution environment executing the application code that includes the reference to the credential stored in the credential store;
  
  decrypting the decryption key of the encrypted version of the credential that is identified using the hardware security module and decrypting the encrypted version of the credential obtained from the credential store using the decrypted decryption key; and
  
  providing to the application execution environment of the application code the decrypted credential for access to the service on behalf of the application code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Brail, Gregory, Kumaraswamy, Subramanian, Solton, Randy T., West, Jeffrey A.
Primary Examiner(s)
Rahim, Monjour

Application Number

US14/581,787
Time in Patent Office

1,169 Days
Field of Search

726 5
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/0897   involving additional device...

Secure credential storage

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure credential storage

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links