-
公开(公告)号:US20230128131A1
公开(公告)日:2023-04-27
申请号:US17649549
申请日:2022-01-31
申请人: salesforce.com, inc.
发明人: Prasad Peddada , Taher Elgamal
摘要: A client application and a local security controller (LSC) executing on a host computing device use a Multiparty Computation (MPC) cryptographic key generation technique to create two fragments of a split private key, which are held by the client application and LSC, respectively. The client application generates a certificate signing request (CSR). The client application and LSC sign the CSR with the split private key using an MPC technique. The LSC then signs a token from the client application to indicate that the private key corresponding to the CSR is MPC-backed. A package with the CSR and the first and second signatures is then sent to a remote device acting as a certificate authority. The remote device verifies the two signatures and issues a certificate to the client application. The second signature is verified using information sent to the remote device from the LSC during a registration process.
-
公开(公告)号:US20230126356A1
公开(公告)日:2023-04-27
申请号:US17649547
申请日:2022-01-31
申请人: salesforce.com, inc.
发明人: Prasad Peddada , Taher Elgamal
摘要: A remote security controller (RSC) generates a private key for a client application on a different host computing device and splits the private key into a first fragment and a second fragment. The first fragment, but not the second fragment, is encrypted using a symmetric key. The split private key is returned to the different host computing device. A local security controller (LSC) on the different host computing device is able to derive the symmetric key using a key agreement protocol with the RSC. When the client application needs to digitally sign a data value with the split private key, the client application generates a first partial Multiparty Computation (MPC) signature using the second fragment. The LSC generates a second partial MPC signature with the first fragment, which has been decrypted using the symmetric key. The first and second partial MPC signatures are combinable to digitally sign the data value.
-
公开(公告)号:US20220182374A1
公开(公告)日:2022-06-09
申请号:US17112525
申请日:2020-12-04
申请人: salesforce.com, inc.
发明人: Prasad Peddada , Taher Elgamal
IPC分类号: H04L29/06
摘要: A service may leverage a mutual transport layer security (mTLS) service to authenticate a client that is configured with a client certificate chain. The client may request access to the service, and the service may transmit a redirection response to the client. The redirection response may indicate an endpoint for the mTLS service that is associated with the tenant. In response to receiving the redirection response, the client may perform a digital handshake with the mTLS service, and the mTLS service may validate the client digital certificate and digitally sign the client digital certificate. The mTLS may transmit a redirection response, which redirects the client to the service where the client presents an indication of the digitally signed digital certificate chain. The service may validate the chain of trust associated with the digitally signed digital certificate chain and issue an indication that the client is authenticated to access the service.
-
公开(公告)号:US11265156B2
公开(公告)日:2022-03-01
申请号:US16938715
申请日:2020-07-24
申请人: salesforce.com, inc.
摘要: A client system may generate a new key pair for a secrets management process. The client may generate a shared secret using the private key of the new key pair and a public key of a secrets management server. Using the shared secret, the client may derive an encryption key and encrypt a data payload for subsequent decryption by the secrets management server. Upon encryption of the data payload, the client may erase the private key. Subsequently, the client or an associated client may call the secrets management server for decryption of the data payload. The secrets management server may derive the encryption key using the public key associated with the encrypted payload and the private key of the secrets management server and use the encryption key to decrypt the data payload for use by the client or an associated client.
-
公开(公告)号:US20210226938A1
公开(公告)日:2021-07-22
申请号:US17221340
申请日:2021-04-02
申请人: salesforce.com, inc.
发明人: Prasad Peddada , Taher Elgamal
摘要: Techniques are disclosed relating to user authentication using multi-party computation and public key cryptography. In some embodiments, a server may receive, from a client, a request to authenticate a user to a service. The server may access key-pair information that includes, for a server key-pair, a first component of a server private key and, for a client key-pair, a client public key and a first component of a client private key. The server may generate a partial signature value that is based on the first component, but not the entirety, of the server private key. The server may send, to the client, an authentication challenge that includes challenge information and the partial signature value. The server may then determine whether to authenticate the user based on an authentication response from the client.
-
公开(公告)号:US20210143991A1
公开(公告)日:2021-05-13
申请号:US16677572
申请日:2019-11-07
申请人: salesforce.com, inc.
发明人: Brian Toal , Prasad Peddada
摘要: Disclosed are some implementations of systems, apparatus, methods and computer program products for securing memory dumps. In response to a trigger condition, a server generates a symmetric key corresponding to an instance of a memory dump. The server encrypts memory contents of the server using the symmetric key. In addition, the server encrypts the symmetric key using a key-encrypting key (kek), which can include a public key Both the encrypted memory contents and the encrypted symmetric key are stored for the instance of the memory dump. Responsive to a request for information pertaining to the instance of the memory dump, the encrypted memory contents and the encrypted symmetric key are retrieved from storage, the encrypted symmetric key is decrypted using a private key, and the symmetric key is used to decrypt the encrypted memory contents.
-
公开(公告)号:US10594685B2
公开(公告)日:2020-03-17
申请号:US15788732
申请日:2017-10-19
申请人: salesforce.com, inc.
摘要: Methods, systems, and devices for user authentication are described. A user may attempt an authentication procedure when accessing an application or cloud platform. When the user requests access to the application or cloud platform, a server may determine one or more unique identifiers to display at a first application for the user, and the user may select one of the unique identifiers. The server may then display unique identifiers (e.g., in some cases, the same unique identifiers) at a second application associated with the user. The user may verify that the selected unique identifier is displayed on the second application, and may select the same unique identifier in the second application. Additionally, the user may input a user-specific identifier to confirm their identity. The server may authenticate the user's identity if the user selected matching unique identifiers, and if the user-specific identifier matches an expected identifier for the user.
-
公开(公告)号:US20190340251A1
公开(公告)日:2019-11-07
申请号:US15972397
申请日:2018-05-07
申请人: salesforce.com, inc.
发明人: Prasad Peddada , Taher ElGamal
摘要: Methods, systems, and devices for data migration are described. In a system, databases may utilize different database-specific encryption keys for storage security. In some cases, the system may migrate data from a first (i.e., source) database to a second (i.e., target) database. To securely migrate the data, the source database may generate a temporary encryption key. The source database may decrypt the data using its database-specific key and may re-encrypt the data using this temporary encryption key. Additionally, the source database may wrap the temporary key with a public key corresponding to the target database. The source database may send the re-encrypted data and the wrapped temporary key to the target database. The target database may unwrap the temporary key using a private key associated with the public key and may decrypt the data using the temporary key before re-encrypting the data with its database-specific key for data storage.
-
公开(公告)号:US20190228187A1
公开(公告)日:2019-07-25
申请号:US16371428
申请日:2019-04-01
申请人: salesforce.com, inc.
发明人: Yujia Hu , Prasad Peddada , Ryan Guest
摘要: Systems and methods for performing migration may include receiving, by a server computing system, a request to access a data element from a second data store, the data element having been migrated to the second data store from a first data store; accessing, by the server computing system, the data element from the second data store and its counterpart data element from the first data store; and based on the data element from the second data store being different from the counterpart data element from the first data store, responding, by the server computing system, to the request by providing the counterpart data element from the first data store instead of the data element from the second data store.
-
公开(公告)号:US20190124066A1
公开(公告)日:2019-04-25
申请号:US15788732
申请日:2017-10-19
申请人: salesforce.com, inc.
IPC分类号: H04L29/06
CPC分类号: H04L63/083 , G06F21/31 , H04L63/0838 , H04L63/0853 , H04L63/0861 , H04L63/166
摘要: Methods, systems, and devices for user authentication are described. A user may attempt an authentication procedure when accessing an application or cloud platform. When the user requests access to the application or cloud platform, a server may determine one or more unique identifiers to display at a first application for the user, and the user may select one of the unique identifiers. The server may then display unique identifiers (e.g., in some cases, the same unique identifiers) at a second application associated with the user. The user may verify that the selected unique identifier is displayed on the second application, and may select the same unique identifier in the second application. Additionally, the user may input a user-specific identifier to confirm their identity. The server may authenticate the user's identity if the user selected matching unique identifiers, and if the user-specific identifier matches an expected identifier for the user.
-
-
-
-
-
-
-
-
-
搜索结果
63 条记录 (耗时 0.04 秒)
