Shared Secret Vault for Applications with Single Sign On

US 20170185787A1
Filed: 03/10/2017
Published: 06/29/2017
Est. Priority Date: 12/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors;

memory;

a shared vault stored in the memory and comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key;

a first application stored in the memory and comprising first instructions that, when executed by the one or more processors, cause the system to;

authenticate, via the first application, with a network service using user credentials associated with a user;

retrieve first network resource access credentials from the network service;

decrypt the vault database using an encrypted vault key record comprising the vault key; and

write, via the first application, the first network resource access credentials to the vault database; and

a second application stored in the memory and comprising second instructions that, when executed by the one or more processors, cause the system to;

decrypt, via the second application, the encrypted vault key record using an unlock key to generate a first copy of the vault key, wherein a first copy of the unlock key is stored in application memory associated with the second application; and

access, via the second application and using the first copy of the vault key, the vault database to retrieve the first network resource access credentials.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.

5 Citations

View as Search Results

20 Claims

1. A system comprising:
- one or more processors;
  
  memory;
  
  a shared vault stored in the memory and comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key;
  
  a first application stored in the memory and comprising first instructions that, when executed by the one or more processors, cause the system to;
  
  authenticate, via the first application, with a network service using user credentials associated with a user;
  
  retrieve first network resource access credentials from the network service;
  
  decrypt the vault database using an encrypted vault key record comprising the vault key; and
  
  write, via the first application, the first network resource access credentials to the vault database; and
  
  a second application stored in the memory and comprising second instructions that, when executed by the one or more processors, cause the system to;
  
  decrypt, via the second application, the encrypted vault key record using an unlock key to generate a first copy of the vault key, wherein a first copy of the unlock key is stored in application memory associated with the second application; and
  
  access, via the second application and using the first copy of the vault key, the vault database to retrieve the first network resource access credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the first instructions cause the system to decrypt the vault database using the encrypted vault key record by causing the system to:
    - decrypt, via the first application, the encrypted vault key record using the unlock key to generate a second copy of the vault key, wherein a second copy of the unlock key is stored in application memory associated with the first application; and
      
      decrypt the vault database using the second copy of the vault key.
  - 3. The system of claim 1, wherein the second instructions further cause the system to:
    - access, via the second application, the network service using the first network resource access credentials.
  - 4. The system of claim 1, wherein the encrypted vault key record is stored in the shared vault.
  - 5. The system of claim 1, wherein a second vault key record is stored in the shared vault and is encrypted using user entropy comprising a password, and wherein the encrypted vault key record is stored in a secured container that is secured using second entropy other than the user entropy.
  - 6. The system of claim 1, wherein the vault database comprises:
    - a shared portion accessible by a plurality of applications that have access to the vault, wherein the plurality of applications comprises the first application and the second application; and
      
      a first application portion accessible to the first application and encrypted using first application entropy associated with the first application.
  - 7. The system of claim 1, wherein the second instructions cause the system to:
    - access, by the second application, an inactivity timer stored in the shared vault;
      
      determine, by the second application, whether the inactivity timer indicates that a pre-determined amount of time has elapsed since the vault database was last accessed; and
      
      in response to determining that the pre-determined amount of time has elapsed since the vault database was last accessed, delete the first vault key record from the shared vault.

8. A method comprising:
- generating, by a computing device, a shared vault comprising a vault database encrypted using a vault key;
  
  receiving, by a first application executing on the computing device, user entropy from a user associated with the shared vault;
  
  decrypting, by the first application, a first vault key record using the user entropy to generate a first copy of the vault key;
  
  decrypting, by the first application, the vault database using the first copy of the vault key;
  
  retrieving, by the first application, first network resource access credentials from a network service using user credentials associated with the user;
  
  writing, by the first application, the first network resource access credentials to the vault database;
  
  decrypting, by a second application executing on the computing device, a second vault key record using an unlock key to generate a second copy of the vault key, wherein a copy of the unlock key is stored in application memory associated with the second application; and
  
  accessing, by the second application and using the second copy of the vault key, the vault database to retrieve the first network resource access credentials.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, comprising:
    - accessing, by the first application and using the first copy of the vault key, the vault database to retrieve the unlock key, wherein the unlock key is operable to decrypt the second vault key record associated with the shared vault to generate a copy of the vault key; and
      
      storing the unlock key in application memory associated with the first application.
  - 10. The method of claim 9, comprising:
    - generating, by the first application, the second vault key record using the first copy of the vault key and the unlock key; and
      
      storing the second vault key record in the shared vault.
  - 11. The method of claim 9, wherein the first vault key record is stored in the shared vault and is encrypted using the user entropy, wherein the user entropy comprises a password, and wherein the second vault key record is stored in a secured container that is secured using second entropy other than the user entropy.

12. A system comprising:
- one or more processors;
  
  memory;
  
  a shared vault stored in the memory and comprising a vault record storage section and a vault database, wherein the vault database is encrypted using a vault key;
  
  a first application stored in the memory and comprising first instructions that, when executed by the one or more processors, cause the system to;
  
  authenticate, via the first application, with a network service using user credentials associated with a user;
  
  retrieve first network resource access credentials from the network service;
  
  decrypt the vault database using a first copy of the vault key; and
  
  write, via the first application, the first network resource access credentials to the vault database; and
  
  a second application stored in the memory and comprising second instructions that, when executed by the one or more processors, cause the system to;
  
  decrypt, via the second application, a first vault key record using an unlock key to generate a second copy of the vault key, wherein a first copy of the unlock key is stored in application memory associated with the second application; and
  
  access, via the second application and using the second copy of the vault key, the vault database to retrieve the first network resource access credentials.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the first instructions cause the system to decrypt the vault database using the vault key by causing the system to:
    - decrypt, via the first application, the first vault key record using the unlock key to generate a first copy of the vault key, wherein a second copy of the unlock key is stored in application memory associated with the first application; and
      
      decrypt the vault database using the first copy of the vault key.
  - 14. The system of claim 12, wherein the first instructions cause the system to decrypt the vault database using the vault key by causing the system to:
    - receive, via the first application, user entropy from a user associated with the shared vault;
      
      decrypt a second vault key record using the user entropy to generate the first copy of the vault key; and
      
      decrypt the vault database using the first copy of the vault key.
  - 15. The system of claim 14, wherein the first instructions cause the system to:
    - access, using the first copy of the vault key, the vault database to retrieve the unlock key, wherein the unlock key is operable to decrypt the first vault key record associated with the shared vault to generate a copy of the vault key; and
      
      store the unlock key in application memory associated with the first application.
  - 16. The system of claim 14, wherein the first instructions cause the system to:
    - generate the first vault key record using the first copy of the vault key and the unlock key; and
      
      store the first vault key record in the shared vault.
  - 17. The system of claim 12, wherein the second instructions further cause the system to:
    - access, via the second application, the network service using the first network resource access credentials.
  - 18. The system of claim 12, wherein a second vault key record is stored in the shared vault and is encrypted using user entropy comprising a password, and wherein the first vault key record is stored in a secured container that is secured using second entropy other than the user entropy.
  - 19. The system of claim 12, wherein the vault database comprises:
    - a shared portion accessible by a plurality of applications that have access to the vault, wherein the plurality of applications comprises the first application and the second application; and
      
      a first application portion accessible to the first application and encrypted using first application entropy associated with the first application.
  - 20. The system of claim 12, wherein the second instructions cause the system to:
    - access, by the second application, an inactivity timer stored in the shared vault;
      
      determine, by the second application, whether the inactivity timer indicates that a pre-determined amount of time has elapsed since the vault database was last accessed; and
      
      in response to determining that the pre-determined amount of time has elapsed since the vault database was last accessed, delete the first vault key record from the shared vault.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Momchilov, Georgy, Nordstrom, Ola

Granted Patent

US 10,049,224 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

G06F 9/544   Buffers; Shared memory; Pipes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 9/0822   using key encryption key

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/068   using credential vaults, e....

Shared Secret Vault for Applications with Single Sign On

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Shared Secret Vault for Applications with Single Sign On

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links