METHOD FOR SYNCHRONIZING A SET OF PASSWORD CREDENTIALS BETWEEN A SOURCE SERVICE AND A TARGET SERVICE
Patent abstract:
Method for synchronizing a set of password credentials between a source service and a target service, and computer-readable storage device. The present invention relates to securely synchronizing passwords that are changed at a source location (e.g., an on-premises directory service) to a target location (e.g., a cloud directory service), so that the same credentials can be used to log in at both locations, without requiring every domain controller to take part in the synchronization. The plaintext password is never revealed; hash values computed from it represent the password-related data instead. The target can receive a secondary hash of a primary hash, and therefore stores only a password-protected blob. Authentication is performed by running the same hashing algorithms on the target service to compute a blob and comparing it against the synchronized blob. Also described is crypto agility: the encryption and/or hashing algorithms can be changed without requiring a user password change.
Publication number: BR112015027175B1 Application number: R112015027175-8 Filing date: 2014-04-30 Publication date: 2022-01-11 Inventors: Ariel N. Gordon; Jonathan M. Luk; Raman N. Chikkamagalur; Ziad Elmalki; Sergii Gubenko; Girish Chander; Anandhi Somasekaran; Murli D. Satagopan Applicant: Microsoft Technology Licensing, LLC IPC main classification:
Patent description:
BACKGROUND

[0001] More and more organizations are using cloud service applications and resources rather than only local applications and resources (where "local" means under the organization's control regardless of physical location, in contrast to the cloud). As with on-premises applications and resources, users need credentials to access cloud services. Some (typically very small) organizations use only the cloud for their credential-based identity infrastructure and applications, and therefore rely on the cloud to handle credential-based authentication.

[0002] Very large organizations administer an on-premises directory service (one example is Microsoft Corporation's Active Directory®, which includes its domain controller servers) to authenticate users and to let applications discover user accounts and account relationships. Among other things, this allows such organizations to retain full control of their credential-related data for security purposes, rather than handing that data to the cloud. Large organizations use what (for example, in an Active Directory® scenario) may be referred to as a federation or federation service, which contains mechanisms that let individual users use their local credentials to access cloud resources. Credentials are not synchronized; instead, the cloud redirects login requests and the like to the on-premises identity infrastructure for authentication, which lets a user sign in only once.

[0003] However, federation is relatively expensive to install and maintain, and so only large organizations tend to use it. Many small organizations want to use the same username and password to access local resources and applications as well as cloud resources and applications. Without federation, some other way of handling local credentials and cloud credentials is required.

[0004] One solution is to intercept the plaintext user password for transport to a target directory service.
The plaintext user password can then be replicated to all servers/databases in the identity infrastructure. However, this can be unsafe, particularly when the cloud directory service is the target. Furthermore, software must be installed and configured on every server in the source directory service in order to capture every user password change event. Among other disadvantages, this is inefficient and inconvenient to maintain.

[0005] Many companies do not want to release local credential data to the cloud for security reasons, which creates an authentication problem. One solution is to issue one set of credentials for users to access cloud applications and another set of credentials for users to access local applications. This, too, is inefficient and inconvenient to maintain.

SUMMARY

[0006] This Summary is provided to introduce a selection of representative concepts in a simplified form that are further described in the Detailed Description below. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used in any way that would limit the scope of the claimed subject matter.

[0007] Briefly, various aspects of the subject matter described here are directed toward securely synchronizing passwords that are changed at a source location to a target location, so that the same credentials can be used at both the source and the target. In one aspect, a hash value computed from a plaintext password is received, where the hash value was computed in response to a password change event at a source service. Data corresponding to the hash value is exported to a target service to synchronize the new password to the target service for use in identity authentication. The data corresponding to the hash value can be secondarily hashed into a password-protected blob using a secondary hashing algorithm.

[0008] In one aspect, a synchronization host process is coupled to a domain fabric.
The sync host process is configured to synchronize password changes received in the domain fabric with a target directory service external to the fabric (e.g., a cloud directory service). The sync host process obtains a hash value representing a plaintext password from the domain fabric, processes the hash value into a secret-protected blob via at least one secondary hashing algorithm, and exports the secret-protected blob to the target directory service. The sync host process may either be coupled to a fabric component and obtain the hash value from that component, or be coupled to the fabric itself, where the component is configured to receive replicated password change data corresponding to a password change made at any fabric domain controller.

[0009] In one aspect, a plurality of data sets comprising protected blobs that correspond to plaintext passwords is maintained. Each blob is associated with an identity, and each blob is computed from a plaintext password by at least two hashing algorithms. Another blob, computed with another hashing algorithm, is associated with the identity, which includes replacing the blob with the other blob. This can be accomplished by computing the other blob with the other hashing algorithm for each identity, which includes, for each identity, hashing the blob already associated with that identity into the other blob for that identity. It can also be accomplished by obtaining the other blob from a local directory service component, together with information that identifies the other hashing algorithm.

[00010] Other advantages may become apparent from the following detailed description when taken in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS

[00011] The present invention is illustrated by way of example and is not limited to the accompanying figures, in which like reference numerals indicate similar elements and in which:

[00012] Figure 1 is a block diagram representing exemplary components configured to synchronize password changes made on a local directory service to a cloud directory service, according to an exemplary implementation.

[00013] Figure 2 is a flowchart depicting exemplary steps that may be taken to securely synchronize a password change on a source directory service to a target directory service, according to an exemplary implementation.

[00014] Figure 3 is a block diagram representing exemplary components configured to synchronize local directory service password changes made on any domain controller to a cloud directory service via a single component, according to an exemplary implementation.

[00015] Figure 4 is a flowchart depicting exemplary steps that may be taken throughout an entire secure password synchronization operation, according to an exemplary implementation.

[00016] Figure 5 is a flowchart depicting exemplary steps that may be taken to authenticate a user during a login attempt using securely synchronized password-related data, according to an exemplary implementation.

[00017] Figure 6 is a flowchart depicting exemplary steps that may be taken to change a secondary hash algorithm and the password-related data held for a set of users, according to an exemplary implementation.

[00018] Figure 7 is a block diagram representing exemplary non-limiting networked environments in which the various embodiments described herein may be implemented.

[00019] Figure 8 is a block diagram representing an exemplary non-limiting computing system or operating environment in which one or more aspects of the various embodiments described herein may be implemented.
DETAILED DESCRIPTION

[00020] Various aspects of the technology described here are generally directed toward a password synchronization technology that allows a single set of credentials to be used for both local resource access and cloud resource access. As will be understood, the technology provides a solution that is relatively straightforward to install and maintain on premises while at the same time being secure.

[00021] In one aspect, a sync agent performs the synchronization of an on-premises directory service with a cloud directory service. In one implementation, the sync agent can be added to a domain controller fabric as a single component (for example, running on a single domain-joined machine) rather than running on every domain controller in the domain fabric.

[00022] In one aspect, credentials held in the on-premises directory service are synchronized with the cloud directory service by first hashing the passwords with one or more hashing algorithms. A primary hash is used, and may be combined with at least one secondary hash. Plaintext passwords are never sent to the cloud.

[00023] In one aspect, the technology supports switching the local system to a new primary hash algorithm without requiring users to change their existing passwords or otherwise recapturing users' plaintext passwords. Likewise, if the secondary hash algorithm is compromised, or a more secure secondary hash algorithm is otherwise desirable, the secondary hash algorithm can be changed without requiring users to change their existing passwords or otherwise recapturing users' plaintext passwords.

[00024] It should be understood that none of the examples here are limiting. For example, many of the examples here are described in a directory service environment such as Active Directory®; however, any similar identity infrastructure/environment can benefit from the technology described here.
Furthermore, although the examples are directed toward secure credential synchronization, other kinds of data that need to be securely synchronized can benefit from the technology described here. As such, the present invention is not limited to any specific embodiments, aspects, concepts, structures, functionalities, or examples described herein. Rather, any of the embodiments, aspects, concepts, structures, functionalities, or examples described herein are non-limiting, and the present invention may be used in various ways that provide benefits and advantages in data synchronization, data security, and/or cloud services in general.

[00025] Figure 1 is a block diagram showing exemplary components that can be used to securely synchronize data, including credential data, from local components to a cloud directory service 102. Local components 104 include a synchronization host process 106 (e.g., an identity manager sync machine) that includes a password sync agent 108. In general, the sync host process 106 is a process that actively triggers the retrieval of credentials from a source directory service 110 and their export.

[00026] In one implementation, synchronization is performed via the password synchronization agent 108, which calls into the local (on-premises) directory service 110 (the source directory) through a suitable interface 112 to obtain credential-related data, which, as described below, comprises hashed passwords. To obtain only the hashed passwords that have changed (the deltas) since the last synchronization, the call may supply a synchronization timestamp. For example, Active Directory® has a publicly documented API (IDL_DRSGetNCChanges) that, when called, retrieves and returns a list of changes since a supplied timestamp, which here is the last synchronization time provided by the password synchronization agent 108.
In a scenario where the change data comprises more than password-related data, the synchronization agent 108 parses/filters the returned data to determine the set of credentials updated since the last synchronization time.

[00027] The changed set of credentials is returned to the password sync agent 108 as a set of hashed credentials. In one implementation, these hashes are not persisted by the sync host process 106 or the password sync agent 108; they are held only temporarily while attempting to synchronize the credential hash to a target directory service, for example the service 102 in Figure 1. In one implementation, the local password hashes are secondarily hashed using a randomly generated value (a salt) and a number of iterations before being sent to the target (cloud) directory service 102.

[00028] In one implementation, the password synchronization agent 108 attempts to synchronize only the credentials of in-scope identities (where scope is a well-known concept in identity infrastructures) to the target directory service 102. Credentials belonging to out-of-scope identities are not synchronized to the target directory service 102. Credentials belonging to identities that have not yet been provisioned in the target directory service 102 are also not synchronized; instead, these may be synchronized later, once the identity has been successfully provisioned in the target directory service 102.

[00029] In Figure 1, a target directory connector component, represented as a cloud management agent 114, is responsible for handling the export of the hashed credential to the cloud 116. To this end, a cloud front-end interface component 118 (e.g., a directory service synchronization front-end server) receives the request to update the credential, and then attempts to persist the hashed credential to the target directory service storage system 120 through a programmatic interface (e.g., a private API) 122.
If the credential hash is successfully persisted in the target directory service, a success status is returned to the front-end interface component 118, which in turn returns a success status to the sync host process 106. Upon receiving a "success" response, the sync host process 106 considers the credential successfully synchronized to the target directory service 102. If a failure response is encountered, the export can be queued for retry at a later time.

[00030] Figure 2 shows the above operation as a set of exemplary steps. Some of the steps are shown for a single credential; however, as can readily be appreciated, credential synchronization can be batched, and/or some or all of the steps can be performed in parallel.

[00031] In step 202, the password synchronization agent 108 (Figure 1) requests and receives the changes (since a given timestamp) from the source directory service 110. The request is made at a synchronization time, which may be periodic or otherwise. As described above, passwords are hashed with a primary hash function, for example Ha(password), such as MD4(password) (the NT hash that Active Directory® stores; MD4 is fast and unsalted, which is one reason the secondary, salted and iterated hash described below matters).

[00032] When receiving the changes, as represented by step 204, the password synchronization agent 108 analyzes them to determine which should be synchronized, for example password changes of provisioned, in-scope identities. As mentioned above, consider that only one credential is being handled at this point.

[00033] Step 206 represents secondarily hashing the hashed password, for example H1(Ha(password)), such as SHA256(MD4(password)). The secondary hash is further described below.

[00034] Step 208 exports the hashed credential to the target directory service 102, which attempts to persist it. Step 210 receives the result of the export request as a returned status; if success is received, as evaluated in step 212, the credential has been successfully synchronized to the target directory service (step 214) and the process ends.
If a failure is detected in step 212, the export is queued for retry at a later time, as represented by step 216.

[00035] As generally represented in Figure 3, the local domain fabric 330 contains Domain 1 (having domain 1 controller 1 through domain 1 controller j) through Domain n (having domain n controller 1 through domain n controller k). In one aspect, the fabric may add (e.g., may be joined by or otherwise coupled to) a component running on a machine or similar that acts as a directory service domain controller locator service 332. As is known, password changes are made on one domain controller (e.g., the one closest to the user, although other schemes are feasible) and replicated to the other domain controllers in the domain. As described here, changed passwords that have been hashed with the primary hash are replicated, rather than plaintext passwords.

[00036] The sync host process 106 contacts the directory service domain controller locator service 332 to determine a domain controller instance from which to retrieve credential change data. For example, one domain controller may be identified in each domain to provide changes to the sync host process 106. In this way, a fabric's existing replication scheme can be leveraged to perform password change synchronization with the cloud service. (Note that this contrasts with existing systems, where component/extension code DLLs need to be registered on all machines associated with the source directory/fabric in order to ensure that all credential changes are captured and synchronized to the target directory.)

[00037] Figure 4 summarizes exemplary steps relating to the implementation of Figure 3 and to domain controller operations in general. Step 402 represents receiving a plaintext password change, typically on the domain controller closest to the user (although other schemes, such as load balancing, are feasible).
Step 404 represents the password being hashed on that domain controller with the primary hash, for example Ha(password). Step 406 represents replicating the hashed password to the other domain controllers.

[00038] Step 408 represents the sync host process 106 communicating with the directory service domain controller locator service 332 to determine which domain controller(s) to contact for change data. In general, one domain controller from each domain is identified to the sync host process 106 by the domain controller locator service 332.

[00039] Step 410 represents the password synchronization agent retrieving the changed password hashes from a directory service domain controller. Note that, as an alternative, changes can be pushed to the password synchronization agent for on-demand synchronization or on some other schedule. It is possible for the sync host process to run on the same machine as the directory service domain controller locator service 332, although, as described above, the sync host process holds password hashes only as long as needed to perform the synchronization with the target service.

[00040] While it is feasible to synchronize the primary hash as-is and let the target hash it, having a secondary hash provides a number of benefits, as described here. Step 412 represents the secondary hash, for example H1(Ha(password)). In one aspect, the secondary hash produces a password-protected blob that includes the hash algorithm name and version, the random salt, the iteration count, and the digest. The result of this secondary hash is synchronized to (step 414) and stored in (step 416) the target directory service. Note that the cloud can also apply a further secondary hash of its own, hashing the received blob once more before storage.
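The sync-agent side of Figures 2 and 4 (delta pull since a watermark, scope and provisioning filters, secondary hash, export with a retry queue) as an added, runnable sketch. This is illustrative code written for this page, not the patent's or Microsoft's implementation. It assumes a constructed in-memory change feed in place of the IDL_DRSGetNCChanges call, a SHA-256 stand-in for the MD4 primary hash, and a salted, iterated SHA-256 (PBKDF2-HMAC-SHA256 with 1000 iterations) as the secondary hash; the identities, timestamps, and parameters are all assumptions.

```python
import hashlib
import os
from collections import deque


def ha(password: str) -> bytes:
    """Stand-in for the DC-side primary hash Ha (MD4 of the UTF-16LE password
    in Active Directory). SHA-256 is used here only because MD4 is not
    reliably available in hashlib; the structure is what matters."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed sample of what the change feed returns (step 202 / step 410):
# identity, replication timestamp, and the already-hashed password. No
# plaintext ever appears in the feed.
SOURCE_CHANGES = [
    {"id": "alice", "ts": 101, "hash": ha("alice-new-1")},
    {"id": "bob",   "ts": 102, "hash": ha("bob-new-1")},    # out of scope
    {"id": "carol", "ts": 103, "hash": ha("carol-new-1")},  # not yet provisioned
    {"id": "dave",  "ts": 104, "hash": ha("dave-new-1")},   # export fails once
    {"id": "erin",  "ts": 50,  "hash": ha("erin-old")},     # older than watermark
]


class Target:
    """Stand-in for the cloud directory service 102: persists blobs and
    returns a status. fail_once exercises the retry path of step 216."""

    def __init__(self, provisioned, fail_once=()):
        self.provisioned = set(provisioned)
        self.store = {}
        self._pending_failures = set(fail_once)

    def export(self, identity, blob):
        if identity in self._pending_failures:
            self._pending_failures.discard(identity)
            return "failure"
        self.store[identity] = blob
        return "success"


class SyncAgent:
    def __init__(self, scope, target, watermark=0):
        self.scope = set(scope)
        self.target = target
        self.watermark = watermark   # last successful sync time
        self.retry = deque()         # (identity, blob) awaiting retry
        self.deferred = []           # in scope but not provisioned ([00028])

    def get_changes(self, feed):
        # Step 202: only deltas newer than the last synchronization time.
        return [c for c in feed if c["ts"] > self.watermark]

    @staticmethod
    def secondary_hash(primary_hash: bytes):
        # Step 206 / 412: H1(Ha(pw)) with a fresh random salt and an iteration
        # count. The blob carries the salt so the target can recompute it.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", primary_hash, salt, 1000)
        return {"alg": "PBKDF2-HMAC-SHA256", "iter": 1000, "salt": salt, "digest": digest}

    def run(self, feed):
        for change in self.get_changes(feed):
            ident = change["id"]
            if ident not in self.scope:
                continue                              # step 204: out of scope
            if ident not in self.target.provisioned:
                self.deferred.append(ident)           # try again once provisioned
                continue
            blob = self.secondary_hash(change["hash"])
            if self.target.export(ident, blob) != "success":
                self.retry.append((ident, blob))      # step 216
            self.watermark = max(self.watermark, change["ts"])
        # Nothing from the feed is kept beyond this point; only queued blobs
        # (never the primary hashes) survive for the retry.

    def retry_failed(self):
        for _ in range(len(self.retry)):
            ident, blob = self.retry.popleft()
            if self.target.export(ident, blob) != "success":
                self.retry.append((ident, blob))


def run_demo():
    """Drive the constructed scenario and return the observable outcome."""
    target = Target(provisioned=["alice", "dave", "erin"], fail_once=["dave"])
    agent = SyncAgent(scope=["alice", "carol", "dave", "erin"], target=target, watermark=100)
    agent.run(SOURCE_CHANGES)
    first_pass = {"stored": sorted(target.store), "deferred": list(agent.deferred),
                  "queued": [i for i, _ in agent.retry], "watermark": agent.watermark}
    agent.retry_failed()
    second_pass = {"stored": sorted(target.store), "queued": [i for i, _ in agent.retry]}
    return first_pass, second_pass
```

Bob is skipped as out of scope, carol is deferred because the target has not provisioned her, erin's change predates the watermark, and dave's export fails once and succeeds on retry; alice is synchronized on the first pass.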
[00041] Turning to login, when an identity attempts to access a service or software associated with the target directory service, for example through the authentication (AuthN) front-end server 124 (Figure 1), and the credential is marked as "synchronized from source directory" on the target directory service's authentication platform, the authentication platform performs the appropriate login verification procedure and compares the credential presented by the identity against the credential hash synchronized from the source directory.

[00042] The target authentication platform is instructed to use an algorithm matching the local hash algorithm, but this can be any algorithm or set of algorithms. This enables a number of scenarios, including crypto agility. In general, crypto agility allows multiple hashing algorithms, and/or combinations of hashing algorithms, to be used. As a result, the primary hash algorithm may change over time, the secondary hash algorithm may change over time, algorithms from different (e.g., third-party) services may be used, and so on.

[00043] Figure 5 shows some exemplary steps of cloud service login, starting at step 502, where a login attempt with a credential is received. If, in step 504, the credential is not marked as "synchronized from source directory" or similar, then, for example, the cloud is being accessed by a user who is not part of an on-premises directory service, such as a user from a very small organization that uses only the cloud for authentication and resource access. Users may also be part of the local directory service but not use the technology described here, in which case the credential is likewise not marked as synchronized. If so, step 506 handles the request another way, for example through conventional cloud login.

[00044] If instead step 504 finds that the credential is marked as "synchronized from source directory", step 508 looks up which hash algorithm/data to use, e.g., based on the user identity.
Step 510 determines the parameters for this hash, for example the salt and the iteration count. Note that in a scenario where only one hash algorithm exists, steps 508 and 510 are not necessary; but, as can readily be appreciated, these steps provide crypto agility.

[00045] Step 512 converts the login password data into the password-protected blob, which step 514 compares against the blob stored in the target service's database. If there is a match (step 516), access is allowed at step 518; otherwise access is denied at step 520.

[00046] Note that crypto agility supports a new local (primary) hash algorithm without impacting the service and without recapturing the user's plaintext password. For example, consider that the local system changes from Ha to Hb (e.g., the next version of the directory service deprecates MD4 in favor of something more modern). Any new or changed passwords will be computed and synchronized as H1(Hb(password)). At login time, when a user enters a username and password (plaintext), the system determines whether H1(Ha) or H1(Hb) is present in the database for that user and applies the appropriate one to the plaintext password for comparison.

[00047] The authentication platform can also apply an additional hash to the stored hashes as desired. This keeps password-at-rest data protected over time through crypto agility. As an example, consider that the secondary hash algorithm H1 is compromised, that is, no longer considered sufficiently secure. The H1 hash algorithm can be effectively superseded without recapturing the user's plaintext password.

[00048] As an example, consider that the blob currently computed and stored is H1(Ha(password)). For security, a new secondary hashing algorithm H2 is introduced. As represented in steps 602, 604, and 606 of Figure 6, for each user the target system walks the entire database, computes H2(H1(Ha(password))), and stores the new value.
When the walk is complete, as evaluated at step 608, the system clears H1(Ha(password)) for all users at step 610 and switches to using the algorithm H2(H1). Thus the system no longer stores the compromised hash at rest. Note that it is feasible to overwrite the existing blob in place at step 606; however, if the walk takes a long time, users may be unable to log in until it completes.

[00049] At login time everything works as before from the user's perspective. As the user logs in, the target determines that H2(H1(Ha)) is the algorithm with which to compute the hash value for the supplied password, and compares that hash value to what is stored.

[00050] The target system may also switch to another hash function for new passwords. For example, consider that another hash algorithm H3 is developed that is considered superior in some way to the existing one, e.g., H3 is much stronger and/or faster than H1. In this example the change is not driven by a security problem, so H1(Ha(password)) is still secure and is left intact. The sync host process (and the target service) is updated to support H3 for any new or changed passwords. Users who change their password are thus synchronized using H3(Ha(password)), while users who do not change their password continue to be authenticated using H1(Ha(password)).

[00051] Password history can be kept in the cloud service and used at login time to avoid locking users out. For example, consider a user who changed their password on one device, which resulted in a blob being synchronized to the cloud service, but did not change the password on another device. The other device may still contact the login service with the old password, which can cause problems. To avoid this, the plaintext password provided by the user can be matched against the blob(s) stored as "current password" and, if none match, against the blob(s) stored as "previous password".
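The blob construction, algorithm-agile verification, re-hashing at rest (H2 over the stored H1 blob, Figure 6), the Ha-to-Hb primary change, and the password-history checks of paragraphs [00040] through [00053], combined in one added example. This is illustrative code written for this page, not the patent's or Microsoft's implementation. The blob layout (an innermost-first algorithm chain, one salt and iteration count per secondary stage, and the digest), the choice of PBKDF2-HMAC-SHA256 and PBKDF2-HMAC-SHA512 for H1 and H2, and the record format are assumptions. MD4 is not reliably available in Python's hashlib, so SHA-1 and SHA-512 over the UTF-16LE password stand in for the primary hashes Ha and Hb; like the real NT hash, these stand-ins are fast and unsalted, which is exactly why the salted, iterated secondary stage is applied.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Primary hashes live on the domain controller. Stand-ins for Ha (MD4 in the
# text) and a successor Hb; the cloud only ever sees H_secondary(H_primary(pw)).
PRIMARY = {
    "Ha": lambda pw: hashlib.sha1(pw.encode("utf-16-le")).digest(),
    "Hb": lambda pw: hashlib.sha512(pw.encode("utf-16-le")).digest(),
}
# Secondary stages: distinct PRFs so that H2 is a genuinely different algorithm.
SECONDARY_PRF = {"H1": "sha256", "H2": "sha512"}


@dataclass(frozen=True)
class Blob:
    """Password-protected blob: algorithm names/versions, salt, iteration count
    and digest, as listed in step 412. One salt and count per secondary stage."""
    chain: tuple       # e.g. ("Ha", "H1") or ("Ha", "H1", "H2"), innermost first
    salts: tuple
    iterations: tuple
    digest: bytes


def _stage(name, data, salt, iterations):
    return hashlib.pbkdf2_hmac(SECONDARY_PRF[name], data, salt, iterations)


def sync_blob(primary_hash, primary_name="Ha", secondary="H1", iterations=1000):
    """Sync-agent side (step 412): wrap the replicated primary hash. The agent
    never sees the plaintext, only the DC-side hash."""
    salt = os.urandom(16)
    digest = _stage(secondary, primary_hash, salt, iterations)
    return Blob((primary_name, secondary), (salt,), (iterations,), digest)


def rewrap(blob, new_secondary="H2", iterations=1000):
    """Figure 6 (steps 602-606): H1 is compromised, so compute H2(H1(Ha(pw)))
    from the stored blob alone; no plaintext and no user action needed."""
    salt = os.urandom(16)
    digest = _stage(new_secondary, blob.digest, salt, iterations)
    return Blob(blob.chain + (new_secondary,), blob.salts + (salt,),
                blob.iterations + (iterations,), digest)


def compute_from_plaintext(blob, password):
    """Login side (steps 508-512): read the algorithm chain and parameters from
    the stored blob and apply them, in order, to the presented plaintext."""
    data = PRIMARY[blob.chain[0]](password)
    for name, salt, iters in zip(blob.chain[1:], blob.salts, blob.iterations):
        data = _stage(name, data, salt, iters)
    return data


def verify(blob, password):
    # Step 514/516: constant-time comparison against the stored digest.
    return hmac.compare_digest(compute_from_plaintext(blob, password), blob.digest)


def login(record, password):
    """Step 516 plus [00051]: current blob first, then the history, so a device
    still presenting the previous password is not locked out."""
    if verify(record["current"], password):
        return "current"
    for i, old in enumerate(record["previous"], 1):
        if verify(old, password):
            return f"previous{i}"
    return None


def change_allowed(record, new_password, history_limit=5):
    """[00052]-[00053]: refuse reuse of any of the last N passwords even though
    the history blobs may carry different algorithm chains."""
    candidates = [record["current"]] + list(record["previous"][:history_limit - 1])
    return not any(verify(b, new_password) for b in candidates)


def demo():
    """Constructed scenario: old password under H1(Ha), re-wrapped to H2(H1(Ha));
    then the DC moves to Hb and the user changes to a new password."""
    old_pw, new_pw = "Correct Horse 1!", "Battery Staple 2?"
    b_old = sync_blob(PRIMARY["Ha"](old_pw))           # H1(Ha(old))
    b_old = rewrap(b_old)                              # H2(H1(Ha(old))) at rest
    b_new = sync_blob(PRIMARY["Hb"](new_pw), "Hb")     # H1(Hb(new)) after Ha->Hb
    record = {"current": b_new, "previous": [b_old]}
    return record, old_pw, new_pw
```

Each blob is self-describing, so the login side needs no out-of-band table of which user is on which algorithm, and the Figure 6 migration never has to touch a plaintext or a primary hash: it only wraps the digest it already holds.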
Any desired number of previous sets of one or more password blob(s) can be kept; e.g., the current password plus the last two passwords also works, and so on.

[00052] Password history restrictions can also be enforced against the hashes at rest, for example for users who do not change their local password. Consider a policy under which users may not reuse any of their five previous passwords. The cloud service stores the current password blob, such as H3(Ha(password_current)), as well as a password history, such as H3(Ha(password_previous)); H1(Ha(password_previous2)); H2(H1(Ha(password_previous3))), and so on up to the policy limit. Note that these blobs need not all have been generated with the same hash algorithm. Indeed, some of them may have been re-hashed because the original hash was found to be insecure or was otherwise changed.

[00053] At password change time, when the new password is collected, the service reads the list of algorithms from the password history field, computes the corresponding hashes of the new password, and compares them with the stored digests to determine whether the change is allowed.

EXEMPLARY NETWORKED AND DISTRIBUTED ENVIRONMENTS

[00054] One skilled in the art will appreciate that the various embodiments and methods described herein may be implemented in connection with any computer or other client or server device, which may be deployed as part of a computer network or in a distributed computing environment, and may be connected to any kind of data store or data stores. In this regard, the various embodiments described herein can be implemented in any computer system or environment having any number of memory or storage units, and any number of applications and processes occurring across any number of storage units. This includes, but is not limited to, an environment with server computers and client computers deployed in a network environment or a distributed computing environment, having remote or local storage.
[00055] Distributed computing provides sharing of computer resources and services by communicative exchange among computing devices and systems. These resources and services include the exchange of information, cache storage and disk storage for objects such as files. These resources and services also include the sharing of processing power across multiple processing units for load balancing, expansion of resources, specialization of processing, and the like. Distributed computing takes advantage of network connectivity, allowing clients to leverage their collective power to benefit the entire enterprise. In this regard, a variety of devices may have applications, objects or resources that participate in the resource management mechanisms described for various embodiments of the present disclosure.

[00056] Figure 7 provides a schematic diagram of an exemplary networked or distributed computing environment. The distributed computing environment comprises computing objects 710, 712, etc., and computing objects or devices 720, 722, 724, 726, 728, etc., which may include programs, methods, data stores, programmable logic, etc., as represented by exemplary applications 730, 732, 734, 736, 738. It can be appreciated that computing objects 710, 712, etc., and computing objects or devices 720, 722, 724, 726, 728, etc., may comprise different devices, such as personal digital assistants (PDAs), audio/video devices, mobile phones, MP3 players, personal computers, laptops, etc.

[00057] Each computing object 710, 712, etc., and computing object or device 720, 722, 724, 726, 728, etc., can communicate with one or more other computing objects 710, 712, etc., and computing objects or devices 720, 722, 724, 726, 728, etc., by way of the communications network 740, either directly or indirectly.
Although illustrated as a single element in Figure 7, the communications network 740 may comprise other computing objects and computing devices that provide services to the system of Figure 7, and/or may represent multiple interconnected networks, which are not shown. Each computing object 710, 712, etc., or computing object or device 720, 722, 724, 726, 728, etc., may also contain an application, such as applications 730, 732, 734, 736, 738, that might make use of an API, or other object, software, firmware and/or hardware, suitable for communicating with or implementing the application provided in accordance with various embodiments of the present disclosure.

[00058] There are a variety of systems, components, and network configurations that support distributed computing environments. For example, computing systems can be connected together by wired or wireless systems, by local networks or widely distributed networks. Currently, many networks are coupled to the Internet, which provides an infrastructure for widely distributed computing and encompasses many different networks, though any network infrastructure can be used for the exemplary communications incident to the systems described in the various embodiments.

[00059] Thus, a host of network topologies and network infrastructures, such as client/server, peer-to-peer, or hybrid architectures, can be used. The "client" is a member of a class or group that uses the services of another class or group to which it is not related. A client can be a process, i.e., roughly a set of instructions or tasks, that requests a service provided by another program or process. The client process uses the requested service without having to "know" any working details about the other program or the service itself.

[00060] In a client/server architecture, particularly a networked system, a client is usually a computer that accesses shared network resources provided by another computer, e.g., a server.
In the illustration of Figure 7, as a non-limiting example, computing objects or devices 720, 722, 724, 726, 728, etc., can be thought of as clients and computing objects 710, 712, etc., can be thought of as servers, where computing objects 710, 712, etc., acting as servers provide data services, such as receiving data from client computing objects or devices 720, 722, 724, 726, 728, etc., storing data, processing data, and transmitting data to client computing objects or devices 720, 722, 724, 726, 728, etc., although any computer can be considered a client, a server, or both, depending on the circumstances.

[00061] A server is typically a remote computer system accessible over a remote or local network, such as the Internet or wireless network infrastructure. The client process may be active on a first computer system and the server process may be active on a second computer system, communicating with each other over a communications medium, thus providing distributed functionality and allowing multiple clients to take advantage of the server's information-gathering capabilities.

[00062] In a network environment in which the communications network 740 or bus is the Internet, for example, computing objects 710, 712, etc., can be web servers with which other computing objects or devices 720, 722, 724, 726, 728, etc., communicate via any of a number of known protocols, such as the hypertext transfer protocol (HTTP). Computing objects 710, 712, etc., acting as servers may also serve as clients, e.g., of computing objects or devices 720, 722, 724, 726, 728, etc., as may be characteristic of a distributed computing environment.

EXEMPLARY COMPUTING DEVICE

[00063] As mentioned, advantageously, the techniques described herein can be applied to any device. It can be understood, therefore, that handheld, portable and other computing devices and computing objects of all kinds are contemplated for use in connection with the various embodiments.
Consequently, the general purpose remote computer below, described below in Figure 8 is just one example of a computing device. [00064] The modalities may be partially implemented through an operating system, for use by a developer of services for a device or object, and/or included within application software that operates to perform one or more functional aspects of the various modalities. described here. Software may be described in the general context of computer-executable instructions, such as program modules, being executed by one or more computers, such as client workstations, servers, or other devices. Those skilled in the art will appreciate that computer systems have a variety of configurations and protocols that can be used to communicate data, and thus, no specific configuration or protocol is considered limiting. [00065] Figure 8 thus illustrates an example of a suitable computing system environment 800 in which one or more aspects of the modalities described herein may be implemented, but as made clear above, the computing system environment 800 is only an example. of a suitable computing environment and is not intended to suggest any limitations on scope of use or functionality. Further, the computing system environment 800 is not intended to be interpreted as having any dependence on any one or combination of components illustrated in the exemplary computing system environment 800. [00066] Referring to Figure 8, an exemplary remote device for implementing one or more embodiments includes a general purpose computing device in the form of a computer 810. The components of the computer 810 may include, but are not limited to, the processing unit 820, a system memory 830, and a system bus 822 that couples various system components including system memory in the processing unit 820. [00067] Computer 810 typically includes a variety of computer-readable media and can be any available media that can be accessed by computer 810. 
System memory 830 may include computer storage media in the form of volatile memory and/or or non-volatile such as read-only memory (ROM) and/or random access memory (RAM). As an example, not limitation. system memory 830 may also include an operating system, application programs, other program modules, and program data. [00068] A user can enter commands and information into the computer 810 through input devices 840. A monitor or other type of display device is also connected to the systems bus 822 through an interface, such as the output interface. 850. In addition to a monitor, computers may also include other peripheral output devices such as speakers and a printer, which may be connected via the 850 output interface. [00069] Computer 810 may operate in a networked or distributed environment using logical connections to one or more other remote computers, such as remote computer 870. Remote computer 870 may be a personal computer, a server, a router, a Network PC, a point device or other common network node, or any other remote media consumption or transmission device, and may include any or all of the elements described above in relation to the 810 computer. The logical connections shown in Figure 8 include an 872 network, such as a local area network (LAN) or wide area network (WAN), but may also include other networks/buses. Such network environments are common in homes, offices, enterprise-wide computer networks, intranets, and the Internet. [00070] As mentioned above although exemplary modalities have been described in connection with various computing device and network architectures, the underlying concepts can be applied to any network system and any computing device or system in which it is desirable to improve efficiency. of resource usage. 
[00071] Also, there are multiple ways to implement the same or similar functionality, for example, an appropriate API, toolkit, driver code, operating system, control, standalone or downloadable software object, etc., which allows applications and services to take advantage of the techniques provided here. Thus, the embodiments here are contemplated from the point of view of an API (or other software object), as well as of a software or hardware object that implements one or more embodiments as described herein. Thus, various embodiments described here may have aspects that are fully hardware, partially hardware and partially software, as well as fully software.

[00072] The word "exemplary" is used herein to mean serving as an example, instance, or illustration. For the avoidance of doubt, the subject matter described here is not limited by such examples. Furthermore, any aspect or design described herein as "exemplary" is not necessarily to be regarded as preferred or advantageous over other aspects or designs, nor is it intended to exclude equivalent exemplary structures and techniques known to those skilled in the art. Furthermore, in the context where the terms "includes", "has", "contains" and other similar words are used, for the avoidance of doubt such terms are intended to be inclusive in a similar way to the term "comprising" as an open transition word, without excluding any additional or other elements when employed in a claim.

[00073] As mentioned, the various techniques described here may be implemented in connection with hardware or software or, where appropriate, a combination of both. As used herein, the terms "component", "module", "system" and the like are likewise intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. As an illustration, both an application running on a computer and the computer can be a component. One or more components may reside within a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers.

[00074] The systems mentioned above have been described with respect to interaction between several components. It can be appreciated that such systems and components may include those specified components or subcomponents, some of the specified components or subcomponents, and/or additional components, in accordance with various permutations and combinations of the above. Subcomponents can also be implemented as components communicatively coupled to other components rather than included within parent (hierarchical) components. Furthermore, it may be noted that one or more components may be combined into a single component providing aggregated functionality or split into several separate subcomponents, and that any one or more intermediate layers, such as a management layer, may be provided to communicatively couple to such subcomponents in order to provide integrated functionality. Any components described herein may also interact with one or more other components not specifically described herein but generally known to those skilled in the art.

[00075] In view of the exemplary systems described here, the methodologies that may be implemented according to the described subject matter can be appreciated with reference to the flowcharts of the various figures. While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of blocks, it should be understood and appreciated that the various embodiments are not limited by the order of the blocks, as some blocks may occur in different orders and/or concurrently with other blocks from what is presented and described here. Where a non-sequential, or branched, flow is illustrated through a flowchart, it can be appreciated that various other branches, flow paths, and block orders may be implemented which achieve the same or a similar result. Furthermore, some illustrated blocks are optional in implementing the methodologies described above.

CONCLUSION

[00076] Although the invention is susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described in detail above. It should be understood, however, that there is no intention to limit the invention to the specific forms disclosed, but rather, the intention is to cover all modifications, alternative constructions, and equivalents that fall within the spirit and scope of the invention.

[00077] In addition to the various embodiments described herein, it should be understood that other similar embodiments may be used, or modifications and additions may be made to the described embodiment(s), to perform the same or equivalent function as the corresponding embodiment(s) without deviating from them. Furthermore, multiple processing chips or multiple devices may share the performance of one or more functions described herein, and similarly, storage may be effected across a plurality of devices. Accordingly, the invention is not limited to any single embodiment, but rather is to be considered in breadth, spirit and scope in accordance with the appended claims.
Claims (13)

[0001] 1. Method for synchronizing a set of password credentials between a source service and a target service, the set of password credentials allowing access to each of the source service and the target service, the method characterized by the fact that it comprises the steps of: providing, by a processor, a synchronization timestamp corresponding to a last password credential synchronization between the source service and the target service; receiving a hashed set of password credentials, the hashed set of password credentials including only changes made to the set of password credentials since the last password credential synchronization; and exporting the changed set of password credentials to the target service for use in identity authentication.

[0002] 2. Method according to claim 1, characterized in that the hashed set of password credentials is computed with a primary hashing algorithm, and wherein the method further comprises secondarily hashing the hashed set of password credentials into secret-protected data using a secondary hashing algorithm that matches the hashed set of password credentials to export to the target service.

[0003] 3. Method according to claim 2, characterized in that secondarily hashing the hashed set of password credentials into the secret-protected data comprises using a random salt and a number of iterations.

[0004] 4. Method according to claim 1, characterized in that receiving the hashed set of password credentials comprises requesting change data from a directory service.

[0005] 5. Method according to claim 4, characterized in that it further comprises parsing the change data into password change data comprising the hashed set of changed password credentials.

[0006] 6. Method according to claim 1, characterized in that it further comprises receiving a status value in response to exporting the hashed set of password credentials and, if the status value does not indicate success, queuing the hashed set of password credentials for a subsequent export attempt.

[0007] 7. Method according to claim 1, characterized in that it further comprises: receiving the hashed set of password credentials on the target service, including receiving information that identifies which one or more secondary hashing algorithms to use when authenticating an identity corresponding to the hashed set of password credentials.

[0008] 8. Method according to claim 1, characterized in that it further comprises: receiving, by the target service, the hashed set of password credentials; and additionally hashing the hashed set of password credentials with at least one additional hash function in the target service to store as secret-protected data.

[0009] 9. Computer-readable storage device, characterized in that it stores instructions that, when executed by one or more processors, cause the one or more processors to execute: maintaining, in a target service, a plurality of data sets comprising password-protected data corresponding to plaintext passwords, each password-protected data set associated with a respective identity, wherein the password-protected data is computed from a plaintext password by a combination of at least two hashing algorithms and synchronized with the target service; receiving, on the target service, a login attempt including a credential corresponding to an identity and a password; computing a first value based on running at least one hashing algorithm on the password; and comparing the first value with the password-protected data associated with the identity to authenticate the identity.

[0010] 10. Computer-readable storage device according to claim 9, characterized in that it further comprises replacing the data associated with an identity with data computed from at least one different hashing algorithm.

[0011] 11. Computer-readable storage device according to claim 9, characterized in that it further comprises adding new data in association with an identity, in which the new data is computed from at least one different hashing algorithm.

[0012] 12. Computer-readable storage device according to claim 9, characterized in that it further comprises keeping current data and a history comprising at least one previous set of data in association with an identity, and in which comparing the first value with the password-protected data associated with the identity to authenticate the identity comprises using the history.

[0013] 13. The computer-readable storage device of claim 9, further comprising receiving, in the target service, an indication that a local directory service is using a different primary hashing algorithm.
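The scheme the claims describe, worked through end to end as an added Python example that is not part of the patent or of any Microsoft implementation: the source directory holds only a primary hash, the sync agent exports only changes since the last synchronization timestamp (claim 1), applies a secondary hash with a random salt and an iteration count (claims 2 and 3) and queues an export the target did not accept (claim 6), the target stores the resulting blob together with the parameters it needs to recompute it (claim 7), authenticates by recomputing both hashes and comparing (claim 9), and keeps the previous blob as history when the secondary parameters are rotated without any user password change (claims 10 to 12). The algorithms are assumptions, since the patent names none: SHA-256 stands in for the source directory's primary hash and PBKDF2-HMAC-SHA256 for the secondary hash. The SourceDirectory, TargetService and SyncAgent classes, the `replace` flag that distinguishes a password change from a parameter rotation, the integer change clock and the sample user are all constructed for this demonstration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Assumed algorithms (the patent names none): primary = SHA-256 of the UTF-8 password, standing in
# for whatever the on-premises directory stores; secondary = PBKDF2-HMAC-SHA256 over the primary
# hash with a random salt and an iteration count (claims 2 and 3).
PRIMARY_ALG, SECONDARY_ALG = "sha256", "pbkdf2-hmac-sha256"

def primary_hash(password: str) -> bytes:
    return hashlib.new(PRIMARY_ALG, password.encode("utf-8")).digest()

def secondary_hash(primary: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", primary, salt, iterations)

@dataclass
class Blob:  # what crosses the wire: algorithm id and parameters (claim 7) plus the digest
    alg: str
    salt: bytes
    iterations: int
    digest: bytes

class SourceDirectory:  # constructed stand-in for the on-premises directory
    def __init__(self):
        self._entries = {}  # identity -> (primary hash, changed_at); no plaintext is kept

    def set_password(self, identity: str, password: str, now: int) -> None:
        self._entries[identity] = (primary_hash(password), now)

    def changes_since(self, ts: int) -> dict:  # only what changed after the last sync (claim 1)
        return {i: h for i, (h, t) in self._entries.items() if t > ts}

class TargetService:  # cloud side: secondary blobs only, newest first, older ones as history (claim 12)
    def __init__(self):
        self._store = {}  # identity -> [Blob, ...]
        self.fail_next_import = False  # constructed hook to simulate a failed export (claim 6)

    def import_blob(self, identity: str, blob: Blob, replace: bool) -> bool:
        if self.fail_next_import:
            self.fail_next_import = False
            return False  # status value: not success
        history = [] if replace else self._store.get(identity, [])
        self._store[identity] = [blob] + history  # replace (claim 10) or add (claim 11)
        return True

    def history_length(self, identity: str) -> int:
        return len(self._store.get(identity, []))

    def authenticate(self, identity: str, password: str) -> bool:
        # Recompute primary, then secondary with the stored parameters, and compare (claim 9).
        p = primary_hash(password)
        for blob in self._store.get(identity, []):
            if hmac.compare_digest(secondary_hash(p, blob.salt, blob.iterations), blob.digest):
                return True
        return False

class SyncAgent:  # runs on-premises; sees primary hashes, never plaintext passwords
    def __init__(self, source: SourceDirectory, target: TargetService, iterations: int):
        self.source, self.target, self.iterations = source, target, iterations
        self.last_sync = 0
        self.retry_queue = []  # (identity, blob, replace) tuples the target has not accepted yet

    def _blob(self, primary: bytes) -> Blob:
        salt = os.urandom(16)  # fresh random salt per export (claim 3)
        return Blob(SECONDARY_ALG, salt, self.iterations, secondary_hash(primary, salt, self.iterations))

    def _export(self, items: list) -> int:
        pending, self.retry_queue = self.retry_queue + items, []
        accepted = 0
        for identity, blob, replace in pending:
            if self.target.import_blob(identity, blob, replace):
                accepted += 1
            else:
                self.retry_queue.append((identity, blob, replace))  # retry on a later run
        return accepted

    def sync(self, now: int) -> int:
        # Export only what changed since the last sync; a password change replaces old data.
        changed = self.source.changes_since(self.last_sync)
        self.last_sync = now
        return self._export([(i, self._blob(h), True) for i, h in changed.items()])

    def rotate(self, new_iterations: int) -> int:
        # New secondary parameters, re-exported from the primary hashes: no user password change.
        self.iterations = new_iterations
        return self._export([(i, self._blob(h), False) for i, h in self.source.changes_since(-1).items()])

def demo() -> dict:
    source, target = SourceDirectory(), TargetService()
    agent = SyncAgent(source, target, iterations=1000)
    source.set_password("alice", "correct horse battery", now=1)  # constructed sample user
    agent.sync(now=2)
    r = {"login_ok": target.authenticate("alice", "correct horse battery"),
         "login_bad": target.authenticate("alice", "wrong")}
    source.set_password("alice", "staple octopus", now=3)
    target.fail_next_import = True
    r["first_try"] = agent.sync(now=4)  # 0 accepted: the change waits in the retry queue
    r["queued"] = len(agent.retry_queue)
    r["retry"] = agent.sync(now=5)  # nothing new since 4, but the queued blob goes out now
    r["new_ok"] = target.authenticate("alice", "staple octopus")
    r["old_rejected"] = not target.authenticate("alice", "correct horse battery")
    r["rotated"] = agent.rotate(new_iterations=2000)
    r["history"] = target.history_length("alice")
    r["after_rotation_ok"] = target.authenticate("alice", "staple octopus")
    return r
```

Two points the claims leave implicit become visible when `demo()` runs: the target never holds the primary hash, only a blob it can recompute from a login attempt, so a copy of the target's store is not reusable against the source directory; and rotating the secondary parameters is done from the primary hashes the agent already has, so the user's password stays unchanged while the previous blob remains in history. The iteration counts are kept small so the example runs quickly; a deployment would use a far larger count.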
Patent family:
Publication number | Publication date
JP2016522932A | 2016-08-04
EP2992473B1 | 2021-08-04
US9282093B2 | 2016-03-08
US20140325622A1 | 2014-10-30
EP2992473A1 | 2016-03-09
US10069630B2 | 2018-09-04
CN105247529B | 2018-07-31
RU2671045C2 | 2018-10-29
RU2015146659A3 | 2018-03-27
US20170302448A1 | 2017-10-19
WO2014179386A1 | 2014-11-06
US20160301694A1 | 2016-10-13
RU2015146659A | 2017-06-05
US9769170B2 | 2017-09-19
JP6446032B2 | 2018-12-26
CN105247529A | 2016-01-13
BR112015027175A2 | 2017-07-25
BR112015027175A8 | 2019-12-24
Legal status:
2018-11-13 | B06F | Objections, documents and/or translations needed after an examination request [chapter 6.6 patent gazette]
2020-04-22 | B06U | Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]
2021-07-13 | B350 | Update of information on the portal [chapter 15.35 patent gazette]
2021-11-03 | B09A | Decision: intention to grant [chapter 9.1 patent gazette]
2022-01-11 | B16A | Patent or certificate of addition of invention granted [chapter 16.1 patent gazette] | Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 30/04/2014, SUBJECT TO THE LEGAL CONDITIONS.
Priority:
Application number | Publication number | Priority date | Filing date | Title
US13/873,882 | US9282093B2 | 2013-04-30 | 2013-04-30 | Synchronizing credential hashes between directory services
US13/873,882 | | 2013-04-30 | |
PCT/US2014/036004 | WO2014179386A1 | 2013-04-30 | 2014-04-30 | Synchronizing credential hashes between directory services