Patent Application
20220166762
The term “break glass” refers to a quick means for a person who does not have access privileges to certain information to gain access when necessary, for example, during an emergency. Generally, break glass techniques are implemented using pre-staged emergency user accounts. This solution can be used with a broad range of existing systems and architectures that require operators to login, for example, using a username and password designated for break glass access, before access is granted.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Methods, systems, and apparatuses are disclosed directed to an integrated circuit for obtaining elevated credentials and performing actions with respect to a network-based resource in accordance with the elevated credentials. For instance, in certain situations (e.g., in an emergency), a user may be required to access a resource that the user is normally not to able to access. In such a scenario, a user, using their client device, may request their privileges with respect to that resource to be elevated, for example, using an application utilized to access the resource. Responsive to submitting the request, the client device's main central processing unit (CPU) may send a request to a specialized integrated circuit included in the client device. The specialized integrated circuit performs one or more forms of validation to determine whether the user making the request is authorized to do so, to determine whether the computing device has been tampered with, etc. If validation is successful, the specialized integrated circuit sends a request for elevated privileges to a network-based service, which determines whether or not the user is authorized to obtain elevated credentials. If the network-based service determines that the user is authorized to obtain elevated credentials, the network-based service provides a response granting the elevated credentials. Responsive to receiving the response, the specialized integrated circuit is given access to credentials for performing the action. The credentials may comprise a private key the circuit utilizes to digitally sign an action request to perform the desired action in accordance with the elevated privileges. The private key may be received via the response sent by the network-based service. Alternatively, the private key may be stored in a memory maintained by the specialized integrated circuit, which is made available to the circuit upon receiving the response from the network-based service. In the latter scenario, the specialized integrated circuit acts as a vault for the private key that is unlocked upon receiving the response from the network-based service. After digitally signing the action request, the specialized integrated circuit provides the signed request to the network-based service, which verifies the identity of the originator of the action request. Upon successful verification, the network-based service performs the desired action with respect to the resource in accordance with the elevated privileges.
Further features and advantages of the disclosed embodiments, as well as the structure and operation of various embodiments, are described in detail below with reference to the accompanying drawings. It is noted that the disclosed embodiments are not limited to the specific embodiments described herein. Such embodiments are presented herein for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.
The accompanying drawings, which are incorporated herein and form a part of the specification, illustrate embodiments and, together with the description, further serve to explain the principles of the embodiments and to enable a person skilled in the pertinent art to make and use the embodiments.
The features and advantages of the disclosed embodiments will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.
The following detailed description discloses numerous example embodiments. The scope of the present patent application is not limited to the disclosed embodiments, but also encompasses combinations of the disclosed embodiments, as well as modifications to the disclosed embodiments.
References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
Numerous exemplary embodiments are described as follows. It is noted that any section/subsection headings provided herein are not intended to be limiting. Embodiments are described throughout this document, and any type of embodiment may be included under any section/subsection. Furthermore, embodiments disclosed in any section/subsection may be combined with any other embodiments described in the same section/subsection and/or a different section/subsection in any manner.
Embodiments described herein are directed to an integrated circuit for obtaining elevated credentials and performing actions with respect to a network-based resource in accordance with the elevated credentials. For instance, in certain situations (e.g., in an emergency), a user may be required to access a resource that the user is normally not to able to access. In such a scenario, a user, using his client device, may request his privileges with respect to that resource to be elevated, for example, using an application utilized to access the resource. Responsive to submitting the request, the client device's main central processing unit (CPU) may send a request to a specialized integrated circuit included in the client device. The specialized integrated circuit performs various forms of validation to determine whether the user making the request is authorized to do so, to determine whether the computing device has been tampered with, etc. If validation is successful, the specialized integrated circuit sends a request for elevated privileges to a network-based service, which determines whether or not the user is authorized to obtain elevated credentials. If the network-based service determines that the user is authorized to obtain elevated credentials, the network-based service provides a response granting the elevated credentials. Responsive to receiving the response, the specialized integrated circuit is given access to credentials for performing the action. The credentials may comprise private key that the circuit utilizes to digitally sign an action request to perform the desired action in accordance with the elevated privileges. The private key may be received via the response sent by the network-based service. Alternatively, the private key may be stored in a memory maintained by the specialized integrated circuit, which is made available to the circuit upon receiving the response from the network-based service. In the latter scenario, the specialized integrated circuit acts as a vault for the private key that is unlocked upon receiving the response from the network-based service. After digitally signing the action request, the specialized integrated circuit provides the signed request to the network-based service, which verifies the identity of the originator of the action request. Upon successful verification, the network-based service performs the desired action with respect to the resource in accordance with the elevated privileges.
The techniques described herein improve the strength in security for computing systems. For instance, as described herein, the credentials (e.g., the private key) may be stored in a secure, access-restricted memory, and the specialized integrated circuit is protected with various anti-tamper techniques. Such techniques advantageously prevent the credentials from being hacked (i.e., unauthorized access to the credentials is prevented) and prevent unauthorized elevated privilege requests for enabling a user to perform break glass operations. Not only is the device on which the credentials are stored protected, but also the resources accessible via the credentials stored on other computing devices.
Moreover, the anti-tamper techniques implemented by the specialized integrated circuit occur before elevated privilege requests are transmitted to the network-based service. Any privilege request that is deemed to be unauthorized is not transmitted to the network-based resource, thereby conserving network bandwidth.
The techniques described herein provide several advantages over conventional techniques. For instance, conventional techniques require significant administrative overhead. In particular, a user may be required to use a computing device that is intended for break glass-usage only, which requires significant software-based security measures to be implemented, for example, by an administrator. The functionality of such a device is heavily restricted, and therefore, does not make such a device ideal for performing other work-related tasks. This requires the user to utilize multiple computing devices, one to perform typical work-related tasks, and another specifically configured to perform break glass operations.
As described herein, the specialized integrated circuit is communicatively coupled to the client device's main CPU and is utilized when performing certain actions, such as break glass operations to perform an action with respect to a user in an emergency situation. Such a solution advantageously enables a user to maintain a single device for both typical work usage and for break glass operations, as opposed to conventional techniques that require the usage of a separate computing device specifically configured for break glass operations.
For instance,
In accordance with at least one embodiment, cloud services platform 102 comprises part of the Microsoft® Azure® cloud computing platform, owned by Microsoft Corporation of Redmond, Wash., although this is only an example and not intended to be limiting. Cloud services platform 102 may include one or more of any commercially available cloud computing platform and/or any other network-based server and storage system. As shown in
Computing device 104 comprises at least a main processor 112 and an emergency access circuit 114 that is communicatively coupled to main processor 112. Computing device 104 further comprises a main memory 116. Processor 112 is an electrical and/or optical circuit implemented in one or more physical hardware electrical circuit device elements and/or integrated circuit devices (semiconductor material chips or dies) as a central processing unit (CPU), a microcontroller, a microprocessor, and/or other physical hardware processor circuit. Processor 112 may execute program code (e.g., application 118) stored in a computer readable medium (e.g., main memory 116), such as program code of an operating system installed on computing device 104 or application programs (e.g., application 118) installed on computing device 104. Examples of main memory 116 include a random access memory (RAM) (e.g., dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual-data rate RAM (DDRRAM), etc.).
Emergency access circuit 114 is an electrical and/or optical circuit implemented in one or more physical hardware electrical circuit device elements and/or integrated circuit devices (semiconductor material chips or dies) as a microcontroller, a custom, specialized or application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) device, and/or the like. Emergency access circuit 114 is a separate circuit than processor circuit 112 and is not integrated with main processor 112. Each of processor 112 and emergency access circuit 114 may be attached to the same motherboard included in computing device 104. However, the embodiments described herein are not so limited. For instance, emergency access circuit 114 may be attached to a daughterboard that is communicatively coupled to the motherboard.
In certain embodiments, emergency access circuit 114 may be implemented as an emergency access unit that is implemented via software (e.g., comprising logic or program code) in a security coprocessor (e.g., a secured enclave) that is communicatively coupled to main processor 112.
As shown in
To request elevated privileges, the user may initiate a request for such privileges using application 118, for example, using one or more user interface elements (e.g., graphical user interface (GUI) elements that enable the user to request elevated privileges). Upon initiating the request, main processor 112 may execute code of application 118 that causes main processor 112 to send a request for elevated privileges to emergency access circuit 114.
Emergency access circuit 114 is configured to verify whether the request originated from a valid user. For instance, emergency access circuit 114 may cause a prompt to be provided to the user that solicits credentials from the user. Emergency access circuit 114 verifies whether the credentials provided by the user are correct. In response to determining that the credentials are correct, emergency access circuit 114 provides a request for elevated privileges to access management service 108. It is noted that emergency access circuit 114 may initiate credential verification independent from receiving a request from main processor 112. For example, emergency access circuit 114 may periodically perform credential verification and provide a request for elevated privileges upon receiving the request from main processor 112 (assuming the verification is successful). Access management service 108 determines whether the user requesting elevated privileges is authorized to request such privileges. In response to determining that the user requesting elevated privileges is authorized to do so, access management service 108 may send a response to emergency access circuit 114 indicating that the user is authorized to request elevated privileges. In response to receiving the response, emergency access circuit 114 obtains credentials. The credentials may comprise a private key, which emergency access circuit 114 utilizes to a sign an action request for performing an action with respect to resource(s) 110 in accordance with the elevated privileges. In accordance with an embodiment, the credentials may be provided by access management service 108. In accordance with another embodiment, the credentials may be stored in a memory accessible only to emergency access circuit 114. In accordance with a further embodiment, the credentials may be stored in the memory in an encrypted fashion and retrieved and decrypted based on a key received from access management service 108. The action request may be provided to access management service 108, which performs the desired action with respect to the resource of resource(s) 110 specified by the action request.
In response to emergency access circuit 114 determining that the credentials provided by the user are incorrect and/or in response to access management service 108 determining that the user requesting elevated privileges is not authorized to do so, the request for elevated privileges is denied, and the user is not enabled to perform an action (e.g., an emergency or break glass action) with respect to a resource of resource(s) 110.
It is noted that access management service 108 and resource(s) 110 may be included on a same computing device (a node, a server, a virtual machine, etc.) of cloud services platform 102, or alternatively, access management service 108 and resource(s) 110 may be included on different computing devices of cloud services platform 102. Still further, resource(s) 110 may be included on a computing device not included as part of cloud services platform 102. Moreover, resource(s) 110 may be maintained by a third-party that is different than the cloud services provider providing cloud services platform 102.
It is further noted that while the present disclosure describes embodiments related to protecting credentials, the embodiments described herein are not so limited. For instance, any type of information (e.g., confidential information) may be protected e.g., by storing such information in the memory of emergency access circuit 114.
As shown in
Computing device 204 comprises at least a main processor 212 and an emergency access circuit 214 that is communicatively coupled to main processor 212. Computing device 204 further comprises a main memory 216. Processor 212, emergency access circuit 214, and main memory 216 are examples of processor 112, emergency access circuit 114, and main memory 116, as respectively described above with reference to
Emergency access circuit 214 comprises one or more bus interfaces 232, policy enforcer logic 230, secure channel logic 260, and one or more keys 228. As shown in
Key 224 may comprise a private key that is uniquely associated with emergency access circuit 214 and that is stored in memory 222. However, the embodiments described herein are not so limited. For example, as will be described below with reference to
Emergency access circuit 214 may be protected with various anti-tamper techniques to prevent unauthorized access to key 224. For example, emergency access circuit 214 may use any number of and/or a combination of anti-tamper techniques. Examples of anti-tamper techniques include, but are not limited to fully-enclosed encapsulation or coating techniques, where emergency access circuit 214 is fully encapsulated with filled epoxy (or a similar substance) or coated with acrylic, epoxy, or silicone-based substances, the usage of security fuses with respect memory 222, which prevent the unauthorized access of data stored in memory 222, layout and data bus scrambling, etc.
Memory 222 may be further protected such that is it only accessible by emergency access circuit 214 (and not main processor 212 or any other entity communicatively coupled to computing device 204) under certain conditions (e.g., only when a user's request for elevated privileges is granted). Key 224 may be written to memory 222 using fuses (or anti-fuses), using flash techniques, using certain write ports, which are then subsequently destroyed or deactivated, and/or the like. Memory 222 is a non-volatile memory. Examples of memory 222, include, but are not limited to, a programmable read-only memory (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), flash memory, and/or the like.
Key(s) 228 comprises one or more private and/or public keys that are used for authentication of requests, responses, and other types of transmissions between emergency access circuit 214 and access management service 208. Key(s) 228 may be stored via one or more fuses of emergency access circuit 214 or in a memory (other than memory 222) maintained by emergency access circuit 214. Such a memory is not shown for brevity. Key(s) 228 and key 224 may be stored in emergency access circuit 214 at the time of provisioning (e.g., manufacturing) of computing device 204. Key(s) 228 and/or key 224 may be generated in accordance with any technique known in the art, including, but not limited to, a Rivest-Shamir-Adleman (RSA) encryption-based techniques, ElGamal encryption-based techniques, Digital Signature Standard (DSS) encryption-based techniques, etc.
As described above, in certain circumstances, such as in an emergency, a user may request that his privileges be elevated. The elevated privileges grant the user the authorization to access, manage, and/or utilize resource(s) 210 that they are normally not allowed to access, manage, and/or utilize and/or perform an action (e.g., a break glass operation) with respect to resource(s) 210 that they are normally not authorized to perform. Examples of such actions include, but are not limited to, accessing a root (or admin) account of an operating system or database system, accessing a file that is normally only accessible by an admin, accessing a user account, a storage account, and/or a cloud-based subscription of another user (e.g., an admin), restarting a resource of resource(s) 210 (e.g., a virtual machine), etc.
To request elevated privileges, the user may initiate a request for such privileges using application 218, for example, using one or more user interface (e.g., a graphical user interface (GUI) elements of user interface 242 that enable the user to request elevated privileges). Upon initiating the request, main processor 212 may execute code 236 of application 218 that causes main processor 212 to send a request 238 for elevated privileges to emergency access circuit 214. Request 238 is received via bus interface(s) 232. Bus interface(s) 232 provides request 238 to policy enforcer logic 230.
Policy enforcer logic 230 of emergency access circuit 114 is configured to verify whether request 238 originated from an authorized user. For instance, responsive to receiving request 238, emergency access circuit 214 may cause a prompt 244 to be provided to display 240 via bus interface(s) 232. In accordance with an embodiment, prompt 244 is provided directly from emergency access circuit 214 to display 240 (e.g., via bus interface(s) 232). In accordance with another embodiment, emergency access circuit 214 provides prompt 244 to main processor 212 (e.g., via bus interface(s) 232), and main processor 212 causes prompt 244 to be displayed via user interface 242.
Prompt 244 may solicit certain credentials from the user. Examples of such credentials include, but are not limited to, a passphrase, a security code or personal identification number (PIN), a username and/or password, biometric data or information (e.g., a fingerprint, facial detection, blood characteristic detection (e.g., based on blood flow patterns), etc.), environmental information (e.g., based on measurements of motion, temperature, lighting, temperature, etc. of the room in which computing device 204 is located), etc. Upon receiving such credentials, policy enforcer logic 230 verifies whether the credentials are correct. For example, a memory (e.g., other than memory 222) of emergency access circuit 214 may store credentials for the user. Policy enforcer logic 230 compares the received credentials to the credentials stored in the memory. If the credentials match, policy enforcer logic 230 determines that an authorized user requested the elevated privileges. If the credentials do not match, policy enforcer logic 230 determines that an unauthorized user requested the elevated privileges.
Policy enforcer logic 230 may also determine a location in which computing device 204 is located and/or a network (e.g., a cellular network, a LAN, a WAN, an enterprise network etc.) to which computing device 204 is connected. Policy enforcer logic 230 may query other components of computing device 204 (e.g., a global position system (GPS) module, an operating system, network interface 228, etc.) to determine the location and/or network. Upon determining the location and/or network, policy enforcer logic 230 verifies whether the determined location and/or network are from a predetermined list of locations and/or networks. For example, a memory of emergency access circuit 214 may store the predetermined list of locations and/or networks for the user. The predetermined list may be configurable and stored (e.g., by an admin or the user of computing device 204) in a memory (other than memory 222) included in emergency access circuit 214 and/or main memory 216. Policy enforcer logic 230 compares the determined location and/or network to the predetermined list of locations and/or networks stored in the memory. If the determined location and/or network are included in the predetermined list of locations and/or networks, policy enforcer logic 230 determines that computing device 204 is in a location and/or connected to a network in which requests for elevated privileges are authorized. If the determined location and/or network are not included in the predetermined list of locations and/or networks, policy enforcer logic 230 determines that computing device 204 is in a location and/or connected to a network in which requests for elevated privileges are not authorized. Such techniques advantageously ensure that computing device 204 is in a location or connected to a network that has been designated as being safe or secure (e.g., an environment that is not prone to malicious attacks) before authorizing requests to elevated privileges. This greatly reduces the chances of a malicious entity intercepting communications between computing device 204 and access management service 208.
Policy enforcer logic 230 may also determine certain hardware-related characteristics associated with emergency access circuit 214 and/or computing device 204 and determine whether such characteristics have a predetermined relationship with a predetermined threshold. For instance, policy enforcer logic 230 may determine voltage characteristics, temperature characteristics, resistance characteristics, etc., associated with emergency access circuit 214 and/or computing device 204. Policy enforcer logic 230 may query other components of computing device 204 (e.g., one or more temperature sensors, resistance sensors, current sensors, voltage sensors, etc.) to determine such hardware-based characteristics. Upon determining such hardware-based characteristics, policy enforcer logic 230 verifies whether such hardware-based characteristics exceed a predetermined threshold for each of such hardware-based characteristics. For example, a memory (other than memory 222) of emergency access circuit 214 may store the predetermined thresholds. Policy enforcer logic 230 compares each of the determined hardware-based characteristics to its associated predetermined threshold. If the determined hardware-based characteristics do not exceed the predetermined threshold, policy enforcer logic 230 determines that the hardware-based characteristics are not indicative of any kind of tampering, and therefore, determines that such characteristics are valid. If the determined hardware-based characteristics exceed the predetermined threshold (e.g., such characteristics are too high or low), policy enforcer logic 230 determines that emergency access circuit 214 and/or computing device 204 have been tampered with. Variances in hardware-based characteristics, such as temperature and/or voltage, may be advantageously used to detect certain various tampering attempts, such as a cold boot attacks, glitch attacks, etc.
Policy enforcer logic 230 may also query a trusted platform module (TPM) (not shown) or other type of secure cryptoprocessor for a hash key summary of the hardware and/or software configuration of emergency access circuit 214 and computing device 214. Upon determining the hash key summary, policy enforcer logic 230 verifies whether the hash key summary is the original hash key summary (e.g., the hash key summary determined at the time of provisioning computing device 204). For example, a memory of emergency access circuit 214 may store the original hash key summary. The original hash key summary may be stored in a memory (other than memory 222) included in emergency access circuit 214 and/or main memory 216. Policy enforcer logic 230 compares the hash key summary received from the TPM to the original hash key summary. Policy enforcer logic 230 determines that the received hash key summary is valid if it is the same as the original hash key summary and determines that emergency access circuit 214 and/or computing device 204 have been tampered with. If the original hash key summary and the received hash key summary are not the same, policy enforcer logic 230 determines that emergency access circuit 214 and/or computing device 204 have been tampered with. The TPM may be included as part of emergency access circuit 214 or computing device 204.
It is noted that the credentials stored by emergency access circuit 214, the predetermined list of locations and/or networks, the predetermined thresholds, and/or the hash key summary described above may be stored in one or more configuration registers 226 maintained by memory 222 and/or may be retrieved from access management service 208.
In response to determining that an authorized user has requested elevated privileges, determining that emergency access circuit 214 and/or computing device 204 have not been tampered with, and/or determining that computing device 204 is located in an authorized location and/or connected to an authorized network, emergency access circuit 214 provides a request for elevated privileges to access management service 208. The request is provided in a secure fashion to prevent a malicious entity from accessing the contents of request and also to ensure that the request is coming from emergency access circuit 214. For instance, as shown in
As further shown in
Upon receiving encrypted request 246, access management service 208 decrypts encrypted request 246, for example, using its private key, and determines whether the user requesting elevated privileges is authorized to request such privileges. For instance, access management service 208 may comprise one or more user profiles 234. Each of user profile(s) associates a particular user and/or computing device with at least one resource of resource(s) 210 and the actions that the user is allowed to perform with respect to the at least one resource in accordance with the elevated privileges. Each of user profile(s) 234 may further associate the valid credentials of the user, valid locations and/or networks for a respective computing device (e.g., computing device 204) enabled to provide requests for elevated privileges the credential, acceptable hardware-based characteristics for such a computing device, the hash key summary for such a computing device, etc.
Access management service 208 compares the information specified by request 246 to the information stored by a user profile of user profile(s) 234 identified by request 246. If the information matches and request 246 identifies a resource of resource(s) 210 for which the user is authorized to request elevated privileges and further identifies an allowed action to be performed with such a resource (as specified by the user profile), access management service 208 determines that the user requesting elevated privileges is authorized to do so. In response to such a determination, access management service 208 may send an encrypted response 248 to emergency access circuit 214, via network 206, indicating that the user is authorized to request elevated privileges. For example, access management service 208 may store a public key associated with emergency access circuit 214 (and corresponding to a private key of key(s) 228 of encrypted access circuit 214) and encrypt response 248 using the public key. In response to determining that the information specified by request 246 does not match the information in the corresponding user profile of user profile(s) 234, access management service 208 may send an encrypted response to emergency access circuit 214, via network 206, indicating that the user is not authorized to request elevated privileges.
Responses sent by access management service 208 (e.g., response 248) are received by network interface 228 of computing device 204. As shown in
As further shown in
Secure channel logic 260 utilizes key 224 to encrypt and/or digitally sign an action request 256 for performing an action with respect to the resource of resource(s) 210 (identified by request 246) in accordance with the elevated privileges. The digital signature of action request 256 assures the recipient of action request 256 (e.g., access management service 208) of the identity of the sender (i.e., emergency access circuit 214) and of the integrity of action request 256. As shown in
Upon receiving action request 256, access management service 208 decrypts action request 256, for example, using a public key associated with emergency access circuit 214 and corresponding to key 224, and/or verifies the identity of the sender of action request 256 based on the digital signature. If the identity is verified, request 256 serves as notice to access management service 208 that emergency access circuit 214 has obtained private key 224 (i.e., the glass has been broken). Upon successful verification, access management service 208 provides a command 258 to the resource of resource(s) 210 identified by action request 256, and the action specified by action request 256 is performed. Access management service 208 may log all actions performed under elevated privileges for auditing purposes. If the identity is not verified (e.g., the digital signature is incorrect), action request 256 is denied and the action specified by action request 256 is not performed.
In response to determining that an unauthorized user has requested elevated privileges, determining that emergency access circuit 214 and/or computing device 204 has been tampered with, and/or determining that computing device 204 is located in an unauthorized location and/or connected to an unauthorized network, request 246 is not transmitted, and the user is not enabled to request elevated privileges.
In accordance with an embodiment, the number of times that a user is allowed to request elevated privileges is limited. For instance, as shown in
If the value stored in the second configuration register is greater than the maximum number, then policy enforcer logic 230 is not enabled to continue the elevated privilege request, and thus, the user is not authorized to obtain elevated privileges.
In accordance with an embodiment, configuration register(s) 226 may comprise a third configuration register that stores a maximum number of requests for elevated privileges that may be denied and a fourth configuration register that functions as a counter and stores the total number of such requests that have been denied. Each time a request 238 is denied, the fourth configuration register may be incremented.
As an added security measure, upon determining that the value stored in the second configuration register is greater than the maximum number stored in the first configuration register and/or upon determining that the value stored in the fourth configuration register is greater than the maximum number stored in the third configuration register, key 224 may be erased from memory 222. For instance, policy enforcer logic 230 may send a command to secure channel logic 260 that activates memory access logic 250. Memory access logic 250 may send a command that causes key 224 to be erased (e.g., by overwriting the memory region at which key 224 is located with another value or by wiping a key that may be used to encrypt memory 222).
The usage of configuration register(s) 226, as described above, provide logical constraints on the number of times a user may request elevated credentials, and therefore, limits the accessibility to resource(s) 210, for example, from malicious entities that obtain access to computing device 204.
It is noted that the values described above with respect to configuration register(s) 226 are purely exemplary and that a determination as to whether the elevated privilege request process may continue may be based on determining whether the number of requests stored in the second configuration register and/or the number of times such requests have been denied stored in the fourth configuration register has a different type of predetermined relationships with the value stored in the first configuration register and the third configuration register, respectively (including, but not limited to, whether the number of requests made/denied is greater than, less than, greater than or equal to, less than or equal to, or equal to the number value stored in the first configuration register and/or third configuration register, respectively).
In accordance with an embodiment, rather than erasing private key 224, the value stored in the second configuration register may be reset and/or a new private key may be stored in memory 222, thereby enabling a user to perform subsequent break glass operations.
In accordance with an embodiment, when a request for elevated privileges is granted, the elevated privileges may be granted for a limited amount of time. The amount of time may be specified by a timer, e.g., maintained by a configuration register of configuration register(s) 226. Alternatively, the time limit may be provided by access management server 208, for example, via response 248. Once the time limit expires, the elevated privileges are revoked.
Accordingly, elevated privileges may be obtained based on a private key maintained by emergency access circuit 214 in many ways. For example,
As shown in
At step 304, a second request for the elevated privileges is provided to a network-based service. For example, with reference to
In accordance with one or more embodiments, the second request comprises at least one of an identifier of the computing device (e.g., computing device 204), credentials provided by a user, an identifier of the network-based resource (e.g., resource(s) 210), voltage characteristics of the computing device, temperature characteristics of the computing device, or a location of the computing device.
At step 306, a response from the network-based service is received. The response indicates that the second request for elevated credentials is granted. For example, with reference to
At step 308, responsive to receiving the response, a private key stored in a memory communicatively coupled to the integrated circuit is retrieved. For example, with reference to
At step 310, a third request, to access the network-based resource in accordance with the elevated privileges, is digitally signed using the retrieved private key. For example, with reference to
At step 312, the digitally-signed request is provided to the network-based service to access the network-based resource. For example, with reference to
As shown in
In accordance with one or more embodiments, the credentials comprise at least one of biometric information, environmental information, a passcode, a username, or password.
At step 404, the provided credentials are validated. For example, with reference to
At step 406, responsive to validating the provided credentials, the first request is validated. For example, with reference to
As shown in
At step 504, at least one of voltage characteristics or temperature characteristics associated with the computing device are determined. For example, with reference to
At step 506, a determination is made that the location is one from a plurality of predetermined locations. For example, with reference to
At step 508, a determination is made that at least one of the voltage characteristics are below a predetermined threshold or the temperature characteristics are below a predetermined threshold. For example, with reference to
At step 510, responsive to determining that the location is one from the plurality of predetermined locations and determining that at least one of the voltage characteristics are below a predetermined threshold or the temperature characteristics are below a predetermined threshold, the first request is validated. For example, with reference to
In accordance with one or more embodiments, the integrated circuit comprises a configuration register that maintains a number of first requests received from the central processing circuit. For example, with reference to
As shown in
At step 604, the first request is validated. For example, with reference to
At step 606, the first request is denied. For example, with reference to
As described above, instead of storing private key 224 in memory 222 of emergency access circuit 214, emergency access circuit 214 may receive the private key from access management service 208. For example,
As shown in
Computing device 706 comprises at least a main processor 712 and an emergency access circuit 714 that is communicatively coupled to main processor 712. Computing device 704 is also coupled to a display 740, which is an example of display 240. Computing device 704 further comprises a main memory 716. Processor 712, emergency access circuit 714, and main memory 716 are examples of processor 212, emergency access circuit 214, and main memory 216, as respectively described above with reference to
Emergency access circuit 714 comprises one or more bus interfaces 732, policy enforcer logic 730, secure channel logic 760, and/or one or more key(s) 728, which are examples of bus interface(s) 232, policy enforcer logic 230, secure channel logic 260, and key(s) 228 as respectively described in
The process for requesting elevated privileges with respect to resource(s) 710 is performed in a similar manner as described above with reference to
For instance, to request elevated privileges, the user may initiate request for such privileges using application 718, for example, using one or more user interface (e.g., a graphical user interface (GUI) elements that enable the user to request elevated privileges). Upon initiating the request, main processor 712 may execute code 736 of application 718 that causes main processor 712 to send a request 738 for elevated privileges to emergency access circuit 714. Request 738 is received via bus interface(s) 732. Bus interface(s) 732 provides request 738 to policy enforcer logic 730.
Policy enforcer logic 730 of emergency access circuit 714 is configured to verify whether request 738 originated from an authorized user. For instance, responsive to receiving request 738, emergency access circuit 714 may cause a prompt 744 to be provided to display 740, via bus interface(s) 732. In accordance with an embodiment, prompt 744 is provided directly from emergency access circuit 714 to display 740 (e.g., via bus interface(s) 732). In accordance with another embodiment, emergency access circuit 714 provides prompt 744 to main processor 712 (e.g., via bus interface(s) 732), and main processor 712 causes prompt 744 to be displayed via user interface 742. Prompt 744 may solicit certain credentials from the user in a similar manner as described above with reference to prompt 244, as described above with reference to
Upon successful validation, emergency access circuit 714 provides a request for elevated privileges to access management service 708. The request is provided in a secure fashion to prevent a malicious entity from accessing the contents of request and also to ensure that the request is coming from emergency access circuit 714. For instance, as shown in
As further shown in
Upon receiving encrypted request 746, access management service 708 decrypts encrypted request 746, for example, using its private key, and determines whether the user requesting elevated privileges is authorized to request such privileges. For instance, access management service 708 may comprise one or more user profiles 734. Each of user profile(s) associates a particular user and/or computing device with at least one resource of resource(s) 710 and the actions that the user is allowed to perform with respect to the at least one resource in accordance with the elevated privileges. Each of user profile(s) 734 may further associate the valid credentials of the user, valid locations and/or networks for a respective computing device (e.g., computing device 704) enabled to provide requests for elevated privileges the credential, acceptable hardware-based characteristics for such a computing device, the hash key summary for such a computing device, etc.
Access management service 708 compares the information specified by request 746 to the information stored by a user profile of user profile(s) 734 identified by request 746. If the information matches and request 746 identifies a resource of resource(s) 710 for which the user is authorized to request elevated privileges and further identifies an allowed action to be performed with such a resource (as specified by the user profile), access management service 708 determines that the user requesting elevated privileges is authorized to do so. In response to such a determination, access management service 708 generates a response 748 that comprises a private key 724 and indicates that the user is authorized to request elevated privileges. Private key 724 is an example of private key 224, as described above with reference to
Responses sent by access management service 708 (e.g., response 748) are received by network interface 728 of computing device 704. As shown in
As further shown in
Secure channel logic 760 utilizes the obtained private key 724 to encrypt and/or digitally sign an action request 756 for performing an action with respect to the resource of resource(s) 710 (identified by request 746) in accordance with the elevated privileges. The digital signature of action request 756 assures the recipient of action request 756 (e.g., access management service 708) of the identity of the sender (i.e., emergency access circuit 714) and of the integrity of action request 256. As shown in
Upon receiving action request 756, access management service 708 decrypts action request 756, for example, using a public key associated with emergency access circuit 714 and corresponding to key 724, and/or verifies the identity of the sender of action request 756 based on the digital signature. If the identity is verified, access management service 708 provides a command 758 to the resource of resource(s) 710 identified by action request 756, and the action specified by action request 756 is performed. If the identity is not verified (e.g., the digital signature is incorrect), action request 756 is denied and the action specified by action request 756 is not performed.
In response to determining that an unauthorized user has requested elevated privileges, determining that emergency access circuit 714 and/or computing device 704 has been tampered with, and/or determining that computing device 704 is located in an unauthorized location and/or connected to an unauthorized network, request 746 is not transmitted, and the user is not enabled to request elevated privileges.
In accordance with an embodiment, the number of times that a user is allowed to request elevated privileges is limited in a similar manner as described above with reference to
If the value stored in the second configuration register is greater than the maximum number, then policy enforcer logic 730 is not enabled to continue the elevated privilege request, and thus, the user is not authorized to obtain elevated privileges.
Accordingly, elevated privileges may be granted to a user based on a private key obtained from a network-based service in many ways. For example,
As shown in
At step 804, a second request for the elevated privileges is provided to a network-based service. For example, with reference to
In accordance with one or more embodiments, the second request comprises at least one of an identifier of the computing device (e.g., computing device 704), credentials provided by a user, an identifier of the network-based resource (e.g., resource(s) 710), voltage characteristics of the computing device, temperature characteristics of the computing device, or a location of the computing device.
At step 806, a response from the network-based service is received. The response indicates that the second request for elevated credentials is granted and comprises a private key. For example, with reference to
At step 808, a third request, to access the network-based resource in accordance with the elevated privileges, is digitally signed using the private key. For example, with reference to
At step 810, the digitally-signed request is provided to the network-based service to access the network-based resource. For example, with reference to
The systems and methods described above, including the obtaining of elevated privileges and performing actions based thereon in reference to
The illustrated mobile device 900 can include a controller or processor referred to as processor circuit 910 for performing such tasks as signal coding, image processing, data processing, input/output processing, power control, and/or other functions. Processor circuit 910 is an electrical and/or optical circuit implemented in one or more physical hardware electrical circuit device elements and/or integrated circuit devices (semiconductor material chips or dies) as a central processing unit (CPU), a microcontroller, a microprocessor, and/or other physical hardware processor circuit. Processor circuit 910 may execute program code stored in a computer readable medium, such as program code of one or more applications 914, operating system 912, any program code stored in memory 920, etc. Operating system 912 can control the allocation and usage of the components 902 and support for one or more application programs 914 (a.k.a. applications, “apps”, etc.). Application programs 914 can include common mobile computing applications (e.g., email applications, calendars, contact managers, web browsers, messaging applications) and any other computing applications (e.g., word processing applications, mapping applications, media player applications). Processor 112, processor 212, and processor 712 are examples of processor circuit 910. Emergency access circuit 114, emergency access circuit 214, and emergency access circuit 714 (not shown) may be communicatively coupled to processor circuit 910.
As illustrated, mobile device 900 can include memory 920. Memory 920 can include non-removable memory 922 and/or removable memory 924. The non-removable memory 922 can include RAM, ROM, flash memory, a hard disk, or other well-known memory storage technologies. The removable memory 924 can include flash memory or a Subscriber Identity Module (SIM) card, which is well known in GSM communication systems, or other well-known memory storage technologies, such as “smart cards.” The memory 920 can be used for storing data and/or code for running operating system 912 and applications 914. Example data can include web pages, text, images, sound files, video data, or other data sets to be sent to and/or received from one or more network servers or other devices via one or more wired or wireless networks. Memory 920 can be used to store a subscriber identifier, such as an International Mobile Subscriber Identity (IMSI), and an equipment identifier, such as an International Mobile Equipment Identifier (IMEI). Such identifiers can be transmitted to a network server to identify users and equipment. Main memory 116, main memory 216, and main memory 716 are examples of memory 920.
A number of programs may be stored in memory 920. These programs include operating system 912, one or more application programs 914, and other program modules and program data. Examples of such application programs or program modules may include, for example, computer program logic (e.g., computer program code or instructions) for implementing the systems and methods described above, including the embodiments described in reference to
Mobile device 900 can support one or more input devices 930, such as a touch screen 932, microphone 934, camera 936, physical keyboard 938 and/or trackball 940 and one or more output devices 950, such as a speaker 952 and a display 954.
Other possible output devices (not shown) can include piezoelectric or other haptic output devices. Some devices can serve more than one input/output function. For example, touch screen 932 and display 954 can be combined in a single input/output device. The input devices 930 can include a Natural User Interface (NUI).
Wireless modem(s) 960 can be coupled to antenna(s) (not shown) and can support two-way communications between processor circuit 910 and external devices, as is well understood in the art. The modem(s) 960 are shown generically and can include a cellular modem 966 for communicating with the mobile communication network 904 and/or other radio-based modems (e.g., Bluetooth 964 and/or Wi-Fi 962). Cellular modem 966 may be configured to enable phone calls (and optionally transmit data) according to any suitable communication standard or technology, such as GSM, 3G, 4G, 5G, etc. At least one of the wireless modem(s) 960 is typically configured for communication with one or more cellular networks, such as a GSM network for data and voice communications within a single cellular network, between cellular networks, or between the mobile device and a public switched telephone network (PSTN).
Mobile device 900 can further include at least one input/output port 980, a power supply 982, a satellite navigation system receiver 984, such as a Global Positioning System (GPS) receiver, an accelerometer 986, and/or a physical connector 990, which can be a USB port, IEEE 1394 (FireWire) port, and/or RS-232 port. The illustrated components 902 are not required or all-inclusive, as any components can be not present and other components can be additionally present as would be recognized by one skilled in the art.
As shown in
Computing device 1000 also has one or more of the following drives: a hard disk drive 1014 for reading from and writing to a hard disk, a magnetic disk drive 1016 for reading from or writing to a removable magnetic disk 1018, and an optical disk drive 1020 for reading from or writing to a removable optical disk 1022 such as a CD ROM, DVD ROM, or other optical media. Hard disk drive 1014, magnetic disk drive 1016, and optical disk drive 1020 are connected to bus 1006 by a hard disk drive interface 1024, a magnetic disk drive interface 1026, and an optical drive interface 1028, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for the computer. Although a hard disk, a removable magnetic disk and a removable optical disk are described, other types of hardware-based computer-readable storage media can be used to store data, such as flash memory cards, digital video disks, RAMs, ROMs, and other hardware storage media.
A number of program modules may be stored on the hard disk, magnetic disk, optical disk, ROM, or RAM. These programs include operating system 1030, one or more application programs 1032, other programs 1034, and program data 1036. Application programs 1032 or other programs 1034 may include, for example, computer program logic (e.g., computer program code or instructions) for implementing the systems described above, including the device management and configuration embodiments described in reference to
A user may enter commands and information into the computing device 1000 through input devices such as keyboard 1038 and pointing device 1040. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, a touch screen and/or touch pad, a voice recognition system to receive voice input, a gesture recognition system to receive gesture input, or the like. These and other input devices are often connected to processor circuit 1002 through a serial port interface 1042 that is coupled to bus 1006, but may be connected by other interfaces, such as a parallel port, game port, or a universal serial bus (USB).
A display screen 1044 is also connected to bus 1006 via an interface, such as a video adapter 1046. Display screen 1044 may be external to, or incorporated in computing device 1000. Display screen 1044 may display information, as well as being a user interface for receiving user commands and/or other information (e.g., by touch, finger gestures, virtual keyboard, etc.). In addition to display screen 1044, computing device 1000 may include other peripheral output devices (not shown) such as speakers and printers.
Computing device 1000 is connected to a network 1048 (e.g., the Internet) through an adaptor or network interface 1050, a modem 1052, or other means for establishing communications over the network. Modem 1052, which may be internal or external, may be connected to bus 1006 via serial port interface 1042, as shown in
As used herein, the terms “computer program medium,” “computer-readable medium,” and “computer-readable storage medium” are used to generally refer to physical hardware media such as the hard disk associated with hard disk drive 1014, removable magnetic disk 1018, removable optical disk 1022, other physical hardware media such as RAMs, ROMs, flash memory cards, digital video disks, zip disks, MEMs, nanotechnology-based storage devices, and further types of physical/tangible hardware storage media (including system memory 1004 of
As noted above, computer programs and modules (including application programs 1032 and other programs 1034) may be stored on the hard disk, magnetic disk, optical disk, ROM, RAM, or other hardware storage medium. Such computer programs may also be received via network interface 1050, serial port interface 1052, or any other interface type. Such computer programs, when executed or loaded by an application, enable computing device 1000 to implement features of embodiments discussed herein. Accordingly, such computer programs represent controllers of the computing device 1000.
Embodiments are also directed to computer program products comprising computer code or instructions stored on any computer-readable medium. Such computer program products include hard disk drives, optical disk drives, memory device packages, portable memory sticks, memory cards, and other types of physical storage hardware.
A method implemented by an integrated circuit of a computing device is described herein. The method includes: validating a first request for elevated user privileges with respect to a network-based resource, the first request received from a central processing unit communicatively coupled to the integrated circuit; providing a second request for the elevated privileges to a network-based service; receiving a response from the network-based service, the response indicating that the second request for elevated credentials is granted; responsive to receiving the response, retrieving a private key stored in a memory communicatively coupled to the integrated circuit; digitally signing a third request, to access the network-based resource in accordance with the elevated privileges, using the retrieved private key; and providing the digitally-signed request to the network-based service to access the network-based resource.
In an embodiment of the method, said validating comprises: requesting a user to provide credentials; validating the provided credentials; and responsive to validating the provided credentials, validating the first request.
In an embodiment of the method, the credentials comprise at least one of: biometric information; environmental information; a passcode; a username; or a password.
In an embodiment of the method, the second request comprises at least one of: an identifier of the computing device; the provided credentials; an identifier of the network-based resource; voltage characteristics of the computing device; temperature characteristics of the computing device; or a location of the computing device.
In an embodiment of the method, said validating comprises: determining a location in which the computing device is located; determining at least one of voltage characteristics or temperature characteristics associated with the computing device; determining that the location is one from a plurality of predetermined locations; determining that at least one of: the voltage characteristics are below a predetermined threshold, or the temperature characteristics are below a predetermined threshold; and responsive to determining that the location is one from the plurality of predetermined locations and determining that at least one of the voltage characteristics are below a predetermined threshold or the temperature characteristics are below a predetermined threshold, validating the first request.
In an embodiment of the method, the integrated circuit comprises a configuration register that maintains a number of first requests received from the central processing unit.
In an embodiment of the method, said validating further comprises: determining whether the number of first requests has a predetermined relationship with a predetermined threshold; and in response to determining that the number of first requests has the predetermined relationship with the predetermined threshold, validating the first request; and in response to determining that the number of first requests does not have the predetermined relationship with the predetermined threshold, denying the first request.
A computing device is also described herein. The computing devices comprises: at least one processor circuit; an integrated circuit communicatively coupled to the at least one processor circuit; and a memory communicatively coupled to the integrated circuit that stores a private key, the integrated circuit configured to validate a first request for elevated user privileges with respect to a network-based resource, the first request received from the at least one processor circuit; provide a second request for the elevated privileges to a network-based service; receive a response from the network-based service, the response indicating that the second request for elevated credentials is granted; responsive to receiving the response, retrieve the private key from the memory; digitally sign a third request, to access the network-based resource in accordance with the elevated privileges, using the retrieved private key; and provide the digitally-signed request to the network-based service to access the network-based resource
In an embodiment of the computing device, the integrated circuit is further configured to: request a user to provide credentials; validate the provided credentials; and responsive to validating the provided credentials, validate the first request.
In an embodiment of the computing device, the credentials comprise at least one of: biometric information; environmental information; a passcode; a username; or a password.
In an embodiment of the computing device, the second request comprises at least one of: an identifier of the computing device; the provided credentials; an identifier of the network-based resource; voltage characteristics of the computing device; temperature characteristics of the computing device; or a location of the computing device.
In an embodiment of the computing device, the integrated circuit is further configured to: determine a location in which the computing device is located; determine at least one of voltage characteristics or temperature characteristics associated with the computing device; determine that the location is one from a plurality of predetermined locations; determine that at least one of: the voltage characteristics are below a predetermined threshold, or the temperature characteristics are below a predetermined threshold; and responsive to a determination that the location is one from the plurality of predetermined locations and determining that at least one of the voltage characteristics are below a predetermined threshold or the temperature characteristics are below a predetermined threshold, validate the first request.
In an embodiment of the computing device, the integrated circuit comprises a configuration register that maintains a number of first requests received from the central processing unit.
In an embodiment of the computing device, said integrated circuit is further configured to: determine whether the number of first requests has a predetermined relationship with a predetermined threshold; and in response to a determination that the number of first requests has the predetermined relationship with the predetermined threshold, validate the first request; and in response to a determination that the number of first requests does not have the predetermined relationship with the predetermined threshold, deny the first request.
Another method implemented by an integrated circuit of a computing device is also described herein. The method includes: validating a first request for elevated user privileges with respect to a network-based resource, the first request received from a central processing unit communicatively coupled to the integrated circuit; providing a second request for the elevated privileges to a network-based service; receiving a response from the network-based service, the response indicating that the second request for elevated credentials is granted and comprising a private key; and providing the digitally-signed request to the network-based service to access the network-based resource.
In an embodiment of the method, said validating comprises: requesting a user to provide credentials; validating the provided credentials; and responsive to validating the provided credentials, validating the first request.
In an embodiment of the method, the credentials comprise at least one of: biometric information; environmental information; a passcode; a username; or a password.
In an embodiment of the method, the second request comprises at least one of: an identifier of the computing device; the provided credentials; an identifier of the network-based resource; voltage characteristics of the computing device; temperature characteristics of the computing device; or a location of the computing device.
In an embodiment of the method, said validating comprises: determining a location in which the computing device is located; determining at least one of voltage characteristics or temperature characteristics associated with the computing device; determining that the location is one from a plurality of predetermined locations; determining that at least one of: the voltage characteristics are below a predetermined threshold, or the temperature characteristics are below a predetermined threshold; and responsive to determining that the location is one from the plurality of predetermined locations and determining that at least one of the voltage characteristics are below a predetermined threshold or the temperature characteristics are below a predetermined threshold, validating the first request.
In an embodiment of the method, the integrated circuit comprises a configuration register that maintains a number of first requests received from the central processing unit.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be apparent to persons skilled in the relevant art that various changes in form and detail can be made therein without departing from the spirit and scope of the embodiments. Thus, the breadth and scope of the embodiments should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
