Determining, by a remote system, applications provided on a device based on association with a common identifier
US-10693862-B1 · Jun 23, 2020 · US
US11368445B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11368445-B2 |
| Application number | US-201816106848-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 21, 2018 |
| Priority date | May 21, 2018 |
| Publication date | Jun 21, 2022 |
| Grant date | Jun 21, 2022 |
Official abstract text for this publication.
The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. The random encryption key is used in lieu of a password-derived encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the random encryption key is encrypted with a key-encrypting key derived using a pseudorandom function (PRF). By using a PRF, the first device is able to authenticate to the first server and derive a secure key as part of the authentication process. Accordingly, the present disclosure describes techniques for securing data on a client device when credentials are managed by an external authentication system.
Opening claim text (preview).
What is claimed is:
1. A method for securing a first encryption key for a first device in a system using external authentication, the method comprising: generating, by the first device, a blinded representation of a first secret using a first hash of the first secret; transmitting, from the first device, the blinded representation of the first secret to a first server; receiving, at the first device, a first proof from the first server in response to the transmitted blinded representation of the first secret; verifying, by the first device, the first proof received from the first server; unblinding, by the first device, the blinded representation of the first secret; generating, by the first device, a first key-encrypting key by applying a second hash to the first proof and the first hash of the first secret; and encrypting, by the first device, the first encryption key using the first key-encrypting key, wherein the first encryption key encrypts data on the first device.
2. The method of claim 1, further comprising: deleting, by the first device, the first key-encrypting key after the first encryption key is encrypted.
3. The method of claim 1, wherein generating the blinded representation of the first secret comprises: generating, by the first device, the first secret; generating, by the first device, a first blind; generating, by the first device, a first hashed representation of the first secret by applying a first hashing algorithm to the first secret; and generating, by the first device, the blinded representation of the first secret by combining the first blind and the first hashed representation of the first secret.
4. The method of claim 1, further comprising: obtaining, by the first device, a first public key associated with the first server.
5. The method of claim 4, wherein verifying the first proof comprises: verifying, by the first device, a first signature included in the first proof using the first public key associated with the first server.
6. The method of claim 1, wherein generating the first key-encrypting key comprises hashing the first secret with a second hashing algorithm.
7. A method for decrypting application data in an external authentication environment, the method comprising: receiving, on a first device, login credentials; transmitting, from the first device, the login credentials to a first server; generating, by the first device, a blinded representation of a first secret by hashing the first secret; transmitting, from the first device, the blinded representation of the first secret to the first server; receiving, at the first device, a first token and a first proof from the first server; verifying, by the first device, the first proof received from the first server; unblinding, by the first device, the blinded representation of the first secret; generating, by the first device, a first key-encrypting key by hashing the blinded representation of the first secret and the first proof from the first server; decrypting, by the first device, a first encryption key using the first key-encrypting key; decrypting, by the first device, application data using the first encryption key; and accessing, by the first device, one or more applications on a second server using the first token and the decrypted application data.
8. The method of claim 7, wherein accessing the one or more applications on the second server comprises: transmitting, from the first device, the first token to the second server.
9. The method of claim 7, further comprising: encrypting, by the first device, the first encryption key when the first device ceases accessing the second server; and deleting, by the first device, the first key-encrypting key after the first encryption key is encrypted.
10. The method of claim 7, wherein generating the first key-encrypting key comprises hashing the first secret with a second hashing algorithm.
11. A non-transitory computer-readable medium comprising instructions that, when executed by at least one processor, perform the steps of: receiving, at a first server, a blinded representation of a first secret from a first device, wherein the blinded representation comprises a hash of the first secret; generating, by the first server, a first proof using the blinded representation of the first secret; and transmitting, from the first server, the first proof to the first device, wherein the first proof is hashed with the blinded representation of the first secret to generate a key-encrypting key used to encrypt a local encryption key of the first device as part of authenticating to the first server.
12. The non-transitory computer-readable medium of claim 11, wherein the first proof is a non-interactive zero-knowledge proof.
13. The non-transitory computer-readable medium of claim 11, further comprising instructions for: receiving, at the first server, login credentials from the first device.
14. The non-transitory computer-readable medium of claim 13, further comprising instructions for: transmitting, from the first server, the login credentials received from the first device to a second server; receiving, at the first server, a first indication that the login credentials are valid from the second server; and transmitting, from the first server, a first token to the first device in response to receiving the first indication that the login credentials are valid.
15. The non-transitory computer-readable medium of claim 14, further comprising instructions for: receiving, at the first server, a request to validate the first token from a third server; determining, by the first server, whether the first token received from the third server is valid; and providing, by the first server, a second indication to the third server that the first token is valid in response to the determination that the first token is valid.
16. The non-transitory computer-readable medium of claim 11, further comprising instructions for: generating, by the first server, a first signature of the first proof.
17. The non-transitory computer-readable medium of claim 16, wherein the first signature is generated using a first private key.
18. The non-transitory computer-readable medium of claim 16, further comprising instructions for: transmitting, from the first server, the first signature to the first device with the first proof.
19. The method of claim 1, wherein the first server comprises a single sign-on service.
20. The method of claim 7, wherein the one or more applications comprises a secure collaboration application.
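The blinded-evaluation exchange that claims 1, 7 and 11 describe, worked through as an added example that is not the patent's own code: the device hashes its secret into a prime-order group and blinds it; the first server applies its PRF key and returns the result with a DLEQ (Chaum-Pedersen) proof, standing in for the non-interactive zero-knowledge proof of claim 12, and a Schnorr signature over the transcript, standing in for the signature of claims 16 to 18; the device verifies both, unblinds, derives the key-encrypting key, and wraps its local data-encryption key with it. The server never sees the secret, the unblinded PRF output or the KEK, and a device that has not completed the exchange cannot re-derive the KEK. The group (the 1024-bit MODP prime of RFC 2409, used only so the example runs with the Python standard library), the proof and signature constructions, the domain-separation labels, the choice to derive the KEK from the unblinded output together with the first hash, and the HMAC-based key wrap are all this example's assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import secrets

# Group parameters (an assumption of this example, not the patent's): the
# 1024-bit MODP prime from RFC 2409 is a safe prime, so the quadratic residues
# form a subgroup of prime order Q generated by G = 4. A production OPRF would
# use an elliptic-curve group instead.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4


def enc(x: int) -> bytes:
    return x.to_bytes(128, "big")  # fixed-width encoding for hashing


def h_int(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, read as an integer (challenges)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def hash_to_group(secret: bytes) -> int:
    """The 'first hash': map the device secret into the order-Q subgroup."""
    x = int.from_bytes(hashlib.sha512(b"H1|" + secret).digest(), "big") % P
    return pow(x, 2, P) or G  # squaring lands in the quadratic residues


class AuthServer:
    """First server: PRF key k (public Y = G^k) and signing key x (public V)."""

    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1
        self.Y = pow(G, self.k, P)
        self.x = secrets.randbelow(Q - 1) + 1
        self.V = pow(G, self.x, P)

    def evaluate(self, blinded: int):
        """Apply k to the blinded element, prove the same k is behind Y, sign."""
        out = pow(blinded, self.k, P)
        t = secrets.randbelow(Q - 1) + 1                 # DLEQ commitment
        a1, a2 = pow(G, t, P), pow(blinded, t, P)
        c = h_int(enc(G), enc(self.Y), enc(blinded), enc(out), enc(a1), enc(a2)) % Q
        z = (t - c * self.k) % Q
        u = secrets.randbelow(Q - 1) + 1                 # Schnorr signature
        R = pow(G, u, P)
        e = h_int(enc(R), enc(self.V), enc(blinded), enc(out), enc(c), enc(z)) % Q
        s = (u + e * self.x) % Q
        return out, (c, z), (R, s)


def verify_proof(Y: int, blinded: int, out: int, proof) -> bool:
    c, z = proof
    a1 = pow(G, z, P) * pow(Y, c, P) % P                # = G^t if honest
    a2 = pow(blinded, z, P) * pow(out, c, P) % P        # = blinded^t if honest
    return c == h_int(enc(G), enc(Y), enc(blinded), enc(out), enc(a1), enc(a2)) % Q


def verify_signature(V: int, blinded: int, out: int, proof, sig) -> bool:
    (c, z), (R, s) = proof, sig
    e = h_int(enc(R), enc(V), enc(blinded), enc(out), enc(c), enc(z)) % Q
    return pow(G, s, P) == R * pow(V, e, P) % P


def derive_kek(server: AuthServer, secret: bytes) -> bytes:
    """Device side of claims 1 and 7: blind, send, verify, unblind, hash."""
    h1 = hash_to_group(secret)
    r = secrets.randbelow(Q - 1) + 1                     # fresh blind every run
    blinded = pow(h1, r, P)
    out, proof, sig = server.evaluate(blinded)          # the network round trip
    if not verify_proof(server.Y, blinded, out, proof):
        raise ValueError("DLEQ proof failed: response not computed under Y")
    if not verify_signature(server.V, blinded, out, proof, sig):
        raise ValueError("server signature invalid")
    unblinded = pow(out, pow(r, -1, Q), P)              # = H1(secret)^k
    # The 'second hash': KEK from the unblinded PRF output and the first hash.
    return hashlib.sha256(b"KEK|" + enc(unblinded) + enc(h1)).digest()


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the 32-byte data-encryption key under the KEK."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(b"wrap|" + kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key rejected: tampered or wrong KEK")
    stream = hashlib.sha256(b"wrap|" + kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def demo() -> bool:
    """Enrol, drop the KEK (claim 2), re-derive at the next login, unwrap."""
    server = AuthServer()
    secret = secrets.token_bytes(32)      # constructed: device-held secret
    dek = secrets.token_bytes(32)         # constructed: local data-encryption key
    blob = wrap_key(derive_kek(server, secret), dek)
    return unwrap_key(derive_kek(server, secret), blob) == dek
```

Two runs with different blinds yield the same KEK, so the device can discard the KEK after wrapping and re-derive it only by completing the exchange again; a server holding a different PRF key, or a transcript whose proof or signature does not verify, yields no usable key, and a modified wrapped blob is rejected before any unwrapping happens.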
providing single-sign-on or federations · CPC title
using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs · CPC title
using certificates or pre-shared keys · CPC title
Masking or blinding · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title