Systems and methods for securely sharing cloud-service credentials within a network of computing devices

US 10,469,457 B1
Filed: 09/26/2016
Issued: 11/05/2019
Est. Priority Date: 09/26/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely sharing cloud-service credentials within a network of computing devices, at least a portion of the method being performed by a central computing device comprising at least one processor, the method comprising:

identifying, by the central computing device, a set of networked devices;

encrypting, by the central computing device, at least one user credential for a cloud service;

dividing, by the central computing device, a decryption key for decrypting the user credential into a set of fragments such that a minimum number of fragments is required to decrypt the user credential, wherein the minimum number of fragments is defined by a security policy that includes a distribution policy for distributing the set of fragments to the set of networked devices by determining a distribution for each networked device depending on a physical portability of each networked device; and

securing the user credential by distributing the set of fragments of the decryption key from the central computing device to the set of networked devices in compliance with the security policy such that collecting at least the minimum number of fragments required to decrypt the user credential from physically present networked devices is required to access the cloud service.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for securely sharing cloud-service credentials within a network of computing devices may include (i) identifying, by a central computing device, a set of networked devices, (ii) encrypting, by the central computing device, at least one user credential for a cloud service, (iii) dividing, by the central computing device, a decryption key for decrypting the user credential into a set of fragments such that a minimum number of fragments, as defined by a security policy, is required to decrypt the user credential, and (iv) securing the user credential by distributing the set of fragments of the decryption key from the central computing device to the set of networked devices in compliance with the security policy. Various other methods, systems, and computer-readable media are also disclosed.

154 Citations

20 Claims

1. A computer-implemented method for securely sharing cloud-service credentials within a network of computing devices, at least a portion of the method being performed by a central computing device comprising at least one processor, the method comprising:
- identifying, by the central computing device, a set of networked devices;
  
  encrypting, by the central computing device, at least one user credential for a cloud service;
  
  dividing, by the central computing device, a decryption key for decrypting the user credential into a set of fragments such that a minimum number of fragments is required to decrypt the user credential, wherein the minimum number of fragments is defined by a security policy that includes a distribution policy for distributing the set of fragments to the set of networked devices by determining a distribution for each networked device depending on a physical portability of each networked device; and
  
  securing the user credential by distributing the set of fragments of the decryption key from the central computing device to the set of networked devices in compliance with the security policy such that collecting at least the minimum number of fragments required to decrypt the user credential from physically present networked devices is required to access the cloud service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the user credential for the cloud service comprises at least one of:
    - a user identifier;
      
      a password;
      
      a user key;
      
      an account name;
      
      a digital certificate; and
      
      a user token.
  - 3. The method of claim 1, wherein the minimum number of fragments required to decrypt the user credential comprises a number less than a total number of devices in the set of networked devices.
  - 4. The method of claim 3, wherein the security policy comprises:
    - the distribution policy based on at least one of;
      
      a type of networked device;
      
      the total number of devices in the set of networked devices;
      
      a type of user credential; and
      
      an importance of a fragment of the decryption key to reconstructing the decryption key; and
      
      an access policy based on at least one of;
      
      the type of networked device; and
      
      a type of cloud service.
  - 5. The method of claim 1, wherein distributing the set of fragments of the decryption key comprises assigning at least one fragment of the decryption key to each networked device within the set of networked devices such that the networked device stores fewer than the minimum number of fragments required to decrypt the user credential.
  - 6. The method of claim 1, further comprising:
    - detecting, by the central computing device, a request for the user credential for the cloud service from a networked device;
      
      determining, by the central computing device, that the request for the user credential complies with the security policy;
      
      collecting at least the minimum number of fragments required to decrypt the user credential from physically present networked devices; and
      
      accessing the cloud service by decrypting the user credential.
  - 7. The method of claim 6, wherein accessing the cloud service comprises:
    - reconstructing, by the central computing device, the decryption key using the minimum number of fragments; and
      
      sending the decrypted user credential to the cloud service.
  - 8. The method of claim 7, wherein sending the decrypted user credential to the cloud service comprises at least one of:
    - sending the decrypted user credential from the central computing device to the cloud service on behalf of the networked device; and
      
      sending a temporary version of the decrypted user credential to the networked device.
  - 9. The method of claim 6, wherein accessing the cloud service comprises sending a temporary version of the minimum number of fragments to the networked device to reconstruct the decryption key locally.
  - 10. The method of claim 6, wherein accessing the cloud service comprises sending the minimum number of fragments to the cloud service to reconstruct the decryption key.

11. A system for securely sharing cloud-service credentials within a network of computing devices, the system comprising:
- an identification module, stored in memory, that identifies, by a central computing device, a set of networked devices;
  
  an encryption module, stored in memory, that encrypts, by the central computing device, at least one user credential for a cloud service;
  
  a division module, stored in memory, that divides, by the central computing device, a decryption key for decrypting the user credential into a set of fragments such that a minimum number of fragments is required to decrypt the user credential, wherein the minimum number of fragments is defined by a security policy that includes a distribution policy for distributing the set of fragments to the set of networked devices by determining a distribution for each networked device depending on a physical portability of each networked device;
  
  a security module, stored in memory, that secures the user credential by distributing the set of fragments of the decryption key from the central computing device to the set of networked devices in compliance with the security policy such that collecting at least the minimum number of fragments required to decrypt the user credential from physically present networked devices is required to access the cloud service; and
  
  at least one processor that executes the identification module, the encryption module, the division module, and the security module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the user credential for the cloud service comprises at least one of:
    - a user identifier;
      
      a password;
      
      a user key;
      
      an account name;
      
      a digital certificate; and
      
      a user token.
  - 13. The system of claim 11, wherein the minimum number of fragments required to decrypt the user credential comprises a number less than a total number of devices in the set of networked devices.
  - 14. The system of claim 13, wherein the security policy comprises:
    - the distribution policy based on at least one of;
      
      a type of networked device;
      
      the total number of devices in the set of networked devices;
      
      a type of user credential; and
      
      an importance of a fragment of the decryption key to reconstructing the decryption key; and
      
      an access policy based on at least one of;
      
      the type of networked device; and
      
      a type of cloud service.
  - 15. The system of claim 11, wherein the security module distributes the set of fragments of the decryption key by assigning at least one fragment of the decryption key to each networked device within the set of networked devices such that the networked device stores fewer than the minimum number of fragments required to decrypt the user credential.
  - 16. The system of claim 11, further comprising:
    - a detection module, stored in memory, that detects, by the central computing device, a request for the user credential for the cloud service from a networked device;
      
      a determination module, stored in memory, that determines, by the central computing device, that the request for the user credential complies with the security policy;
      
      a collection module, stored in memory, that collects at least the minimum number of fragments required to decrypt the user credential from physically present networked devices; and
      
      an access module, stored in memory, that accesses the cloud service by decrypting the user credential.
  - 17. The system of claim 16, wherein the access module accesses the cloud service by:
    - reconstructing, by the central computing device, the decryption key using the minimum number of fragments; and
      
      sending the decrypted user credential to the cloud service.
  - 18. The system of claim 16, wherein the access module accesses the cloud service by sending a temporary version of the minimum number of fragments to the networked device to reconstruct the decryption key locally.
  - 19. The system of claim 16, wherein the access module accesses the cloud service by sending the minimum number of fragments to the cloud service to reconstruct the decryption key.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a central computing device, cause the central computing device to:
- identify, by the central computing device, a set of networked devices;
  
  encrypt, by the central computing device, at least one user credential for a cloud service;
  
  divide, by the central computing device, a decryption key for decrypting the user credential into a set of fragments such that a minimum number of fragments is required to decrypt the user credential, wherein the minimum number of fragments is defined by a security policy that includes a distribution policy for distributing the set of fragments to the set of networked devices by determining a distribution for each networked device depending on a physical portability of each networked device; and
  
  secure the user credential by distributing the set of fragments of the decryption key from the central computing device to the set of networked devices in compliance with the security policy such that collecting at least the minimum number of fragments required to decrypt the user credential from physically present networked devices is required to access the cloud service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sokolov, Ilya, Newstadt, Keith
Primary Examiner(s)
Schmidt, Kari L

Application Number

US15/276,105
Time in Patent Office

1,135 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

Systems and methods for securely sharing cloud-service credentials within a network of computing devices

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

154 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securely sharing cloud-service credentials within a network of computing devices

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links